Putting LTE Security Functions to the Test: a Framework to Evaluate Implementation Correctness

Putting LTE Security Functions to the Test: A Framework to Evaluate Implementation Correctness

David Rupprecht Kai Jansen Christina Pöpper Ruhr-University Bochum Ruhr-University Bochum NYU Abu Dhabi More than 8 billion mobile subscribers estimated for 2019 [1]

Image source: http://www.mypostcard.com/blog/wp-content/uploads/2015/06/mypostcard_app_iphone_reise_travel.jpg Image source: http://www.blogcdn.com/slideshows/images/slides/279/787/9/S2797879/slug/l/vacation-1.jpg 3 Eavesdropping of unencrypted data

4 LTE provides mutual authentication and encryption

5 Implementation flaw: Undermine LTE security 6 Putting LTE Security Functions to the Test

Implementation Eavesdropping Testing security flaws in LTE on private functions of devices information devices

7 LTE Architecture Communication Establishment and Security Algorithms LTE Architecture User Equipment

9 LTE Architecture

Evolved Node B

UE eNodeB

10 LTE Architecture

Mobility Management Entity

UE eNodeB

MME

11 LTE Architecture Home Subscriber Server

HSS

UE eNodeB

MME

12 LTE Architecture

E-UTRAN EPC

Internet HSS

UE eNodeB

MME

Access Stratum (AS) Non-Access Stratum (NAS) 13 Security Procedures

UE eNodeB MME HSS 1a. Authentication and Key Agreement 1b. Authentication Information Request 2. NAS Security Mode Command (EEAX, EIAX)

3. AS Security Mode Command (EEAX, EIAX)

14 Security Algorithms

UE eNodeB MME HSS 1a. Authentication and Key Agreement 1b. Authentication Information Request 2. NAS Security Mode Command (EEAX, EIAX)

3. AS Security Mode Command (EEAX, EIAX)

Security algorithms are selected by the provider

15 Security Algorithms

UE eNodeB MME HSS 1a. Authentication and Key Agreement 1b. Authentication Information Request 2. NAS Security Mode Command (EEAX, EIAX)

3. AS Security Mode Encoding Integrity Ciphering Algorithm Command (EEAX, EIAX) X000X000 EIA0 EEA0 NULL X001X001 128-EIA1 128-EEA1 SNOW3G Security algorithms are X010X010 128-EIA2 128-EEA2 AES selected by the provider X011X011 128-EIA3 128-EEA3 ZUC

16 Security Algorithms

UE eNodeB MME HSS 1a. Authentication andNullKey Agreement Algorithms1b. Authentication: Information Request 2. NAS Security Mode CommandNo (EEAX, SecurityEIAX)

17 NULL Algorithms

Null Integrity: Emergency calls even when no key is available

Encoding Integrity Ciphering Algorithm X000X000 EIA0 EEA0 NULL

Image source: https://www.percona.com/sites/default/files/icons/emergency.png 18 NULL Algorithms

Null Encryption: 1. Ciphering indicator 2. SIM card flag 3. User interface

Encoding Integrity Ciphering Algorithm X000X000 EIA0 EEA0 NULL

19 Framework Design and Tests Baseband

Security functions are implemented on the Baseband

• Processor for communication: Qualcomm, HiSilicon, Mediatek, Samsung • (Proprietary) Baseband is always exposed

21 Approach

Reverse Engineering

CMP r0, r1 ADDGE r2, r2, r3 ADDLT r2, r2, r4

22 Approach

Test Cases Test Cases Fuzzing of input Validation of output

Reverse Engineering

CMP r0, r1 ADDGE r2, r2, r3 ADDLT r2, r2, r4

23 Approach

Test Cases Test Cases Fuzzing of input Validation of output

Reverse Engineering Design Criteria • Low-cost CMP r0, r1 • Automated testing ADDGE r2, r2, r3 • Portability ADDLT r2, r2, r4

24 Approach

Fuzzing (our choice) Test Cases Test Cases Fuzzing of input Validation of output

Reverse Engineering Design Criteria • Low-cost CMP r0, r1 • Automated testing ADDGE r2, r2, r3 • Portability ADDLT r2, r2, r4

25 Tests

• Undefined Values • Sequence of Messages • Ciphering Indicator with Null Encryption

Encoding Integrity Ciphering Algorithm eNodeB MME UE X000X000 EIA0 EEA0 NULL 3. AS Security Mode Command (EEAX, EIAX) X011X011 128-EIA3 128-EEA3 ZUC 1. Authentication and Key Agreement X100X100 EIA4 EEA4 Not specified 2. NAS Security Mode Command (EEAX, EIAX) … … … …

26 Framework Architecture

27 Framework Architecture

28 Framework Architecture

29 Framework Architecture

30 Framework Architecture

Low-Cost Hardware • Ettus B2X0 • BladeRF • LimeSDR Evaluation Analysis Results Results None of the devices show the Ciphering Indicator

33 Results Null Integrity Algorithm: Normal data connections

34 Results

Commercial UE Attacker Network 1. Authentication and Key Agreement 1. Authentication and Key Agreement

2. NAS Security Mode Command (EEA0, EIA0)

3. AS Security Mode Command (EEA0, EIA0)

35 Conclusion Conclusion

Implementation Flaws can Undermine the LTE Security

• No Ciphering Indicator • Authentication procedure

Attacker

37 Conclusion

Implementation Flaws can LTE Security Testing Undermine the LTE Security Framework

• No Ciphering Indicator • Low-cost • Authentication procedure • Software Defined Radio • Automated testing • Logical implementation flaws

Attacker

38 Conclusion

Implementation Flaws can LTE Security Testing Standard Test of Security Undermine the LTE Security Framework Functions

• No Ciphering Indicator • Low-cost • Standard Radio Testing • Authentication procedure • Software Defined Radio • Standard Security Testing • Automated testing • Logical implementation flaws Test Cases Test Cases

Attacker

39 Thank You! Questions?

Implementation Flaws can LTE Security Testing Standard Test of Security Undermine the LTE Security Framework Functions

Attacker

40 UE HSS eNodeB MME K K

Attach Request (IMSI)

1. Authentication and Key Agreement 1. Authentication Information Request (IMSI) 2. Authentication Information Answer 3. Authentication Request (RAND, XRES, AUTN, K ) (RAND, AUTN) AMSE a) Check AUTN b) Compute RES c) Compute K AMSE 4.Authentication Response (RES) Check RES == XRES

2. NAS Security Mode Command 1. NAS Security Mode Command (EIA, EEA, MAC(EIA,EEA))

2. NAS Security Mode Complete MAC()

3. RRC Security Mode Command 1. Initial Context Setup 2. RRC Security Mode Command (KeNodeB) (EIA, EEA, MAC(EIA,EEA)) 3. RRC Security Mode Complete MAC()

Attach Accept Attach Complete Backup