Putting LTE Security Functions to the Test: A Framework to Evaluate Implementation Correctness
David Rupprecht Kai Jansen Christina Pöpper Ruhr-University Bochum Ruhr-University Bochum NYU Abu Dhabi More than 8 billion mobile subscribers estimated for 2019 [1]
Image source: http://www.mypostcard.com/blog/wp-content/uploads/2015/06/mypostcard_app_iphone_reise_travel.jpg Image source: http://www.blogcdn.com/slideshows/images/slides/279/787/9/S2797879/slug/l/vacation-1.jpg 3 Eavesdropping of unencrypted data
4 LTE provides mutual authentication and encryption
5 Implementation flaw: Undermine LTE security 6 Putting LTE Security Functions to the Test
Implementation Eavesdropping Testing security flaws in LTE on private functions of devices information devices
7 LTE Architecture Communication Establishment and Security Algorithms LTE Architecture User Equipment
UE
9 LTE Architecture
Evolved Node B
UE eNodeB
10 LTE Architecture
Mobility Management Entity
UE eNodeB
MME
11 LTE Architecture Home Subscriber Server
HSS
UE eNodeB
MME
12 LTE Architecture
E-UTRAN EPC
Internet HSS
UE eNodeB
MME
Access Stratum (AS) Non-Access Stratum (NAS) 13 Security Procedures
UE eNodeB MME HSS 1a. Authentication and Key Agreement 1b. Authentication Information Request 2. NAS Security Mode Command (EEAX, EIAX)
3. AS Security Mode Command (EEAX, EIAX)
14 Security Algorithms
UE eNodeB MME HSS 1a. Authentication and Key Agreement 1b. Authentication Information Request 2. NAS Security Mode Command (EEAX, EIAX)
3. AS Security Mode Command (EEAX, EIAX)
Security algorithms are selected by the provider
15 Security Algorithms
UE eNodeB MME HSS 1a. Authentication and Key Agreement 1b. Authentication Information Request 2. NAS Security Mode Command (EEAX, EIAX)
3. AS Security Mode Encoding Integrity Ciphering Algorithm Command (EEAX, EIAX) X000X000 EIA0 EEA0 NULL X001X001 128-EIA1 128-EEA1 SNOW3G Security algorithms are X010X010 128-EIA2 128-EEA2 AES selected by the provider X011X011 128-EIA3 128-EEA3 ZUC
16 Security Algorithms
UE eNodeB MME HSS 1a. Authentication andNullKey Agreement Algorithms1b. Authentication: Information Request 2. NAS Security Mode CommandNo (EEAX, SecurityEIAX)
3. AS Security Mode Encoding Integrity Ciphering Algorithm Command (EEAX, EIAX) X000X000 EIA0 EEA0 NULL X001X001 128-EIA1 128-EEA1 SNOW3G Security algorithms are X010X010 128-EIA2 128-EEA2 AES selected by the provider X011X011 128-EIA3 128-EEA3 ZUC
17 NULL Algorithms
Null Integrity: Emergency calls even when no key is available
Encoding Integrity Ciphering Algorithm X000X000 EIA0 EEA0 NULL
Image source: https://www.percona.com/sites/default/files/icons/emergency.png 18 NULL Algorithms
Null Encryption: 1. Ciphering indicator 2. SIM card flag 3. User interface
Encoding Integrity Ciphering Algorithm X000X000 EIA0 EEA0 NULL
19 Framework Design and Tests Baseband
Security functions are implemented on the Baseband
• Processor for communication: Qualcomm, HiSilicon, Mediatek, Samsung • (Proprietary) Baseband is always exposed
21 Approach
Reverse Engineering
CMP r0, r1 ADDGE r2, r2, r3 ADDLT r2, r2, r4
22 Approach
Test Cases Test Cases Fuzzing of input Validation of output
Reverse Engineering
CMP r0, r1 ADDGE r2, r2, r3 ADDLT r2, r2, r4
23 Approach
Test Cases Test Cases Fuzzing of input Validation of output
Reverse Engineering Design Criteria • Low-cost CMP r0, r1 • Automated testing ADDGE r2, r2, r3 • Portability ADDLT r2, r2, r4
24 Approach
Fuzzing (our choice) Test Cases Test Cases Fuzzing of input Validation of output
Reverse Engineering Design Criteria • Low-cost CMP r0, r1 • Automated testing ADDGE r2, r2, r3 • Portability ADDLT r2, r2, r4
25 Tests
• Undefined Values • Sequence of Messages • Ciphering Indicator with Null Encryption
Encoding Integrity Ciphering Algorithm eNodeB MME UE X000X000 EIA0 EEA0 NULL 3. AS Security Mode Command (EEAX, EIAX) X011X011 128-EIA3 128-EEA3 ZUC 1. Authentication and Key Agreement X100X100 EIA4 EEA4 Not specified 2. NAS Security Mode Command (EEAX, EIAX) … … … …
26 Framework Architecture
27 Framework Architecture
28 Framework Architecture
29 Framework Architecture
30 Framework Architecture
Low-Cost Hardware • Ettus B2X0 • BladeRF • LimeSDR Evaluation Analysis Results Results None of the devices show the Ciphering Indicator
33 Results Null Integrity Algorithm: Normal data connections
34 Results
Commercial UE Attacker Network 1. Authentication and Key Agreement 1. Authentication and Key Agreement
2. NAS Security Mode Command (EEA0, EIA0)
3. AS Security Mode Command (EEA0, EIA0)
35 Conclusion Conclusion
Implementation Flaws can Undermine the LTE Security
• No Ciphering Indicator • Authentication procedure
Attacker
37 Conclusion
Implementation Flaws can LTE Security Testing Undermine the LTE Security Framework
• No Ciphering Indicator • Low-cost • Authentication procedure • Software Defined Radio • Automated testing • Logical implementation flaws
Attacker
38 Conclusion
Implementation Flaws can LTE Security Testing Standard Test of Security Undermine the LTE Security Framework Functions
• No Ciphering Indicator • Low-cost • Standard Radio Testing • Authentication procedure • Software Defined Radio • Standard Security Testing • Automated testing • Logical implementation flaws Test Cases Test Cases
Attacker
39 Thank You! Questions?
Implementation Flaws can LTE Security Testing Standard Test of Security Undermine the LTE Security Framework Functions
• No Ciphering Indicator • Low-cost • Standard Radio Testing • Authentication procedure • Software Defined Radio • Standard Security Testing • Automated testing • Logical implementation flaws Test Cases Test Cases
Attacker
40 UE HSS eNodeB MME K K
Attach Request (IMSI)
1. Authentication and Key Agreement 1. Authentication Information Request (IMSI) 2. Authentication Information Answer 3. Authentication Request (RAND, XRES, AUTN, K ) (RAND, AUTN) AMSE a) Check AUTN b) Compute RES c) Compute K AMSE 4.Authentication Response (RES) Check RES == XRES
2. NAS Security Mode Command 1. NAS Security Mode Command (EIA, EEA, MAC(EIA,EEA))
2. NAS Security Mode Complete MAC()
3. RRC Security Mode Command 1. Initial Context Setup 2. RRC Security Mode Command (KeNodeB) (EIA, EEA, MAC(EIA,EEA)) 3. RRC Security Mode Complete MAC()
Attach Accept Attach Complete Backup