Mobile Telephony Systems Security

Loretta Ilaria Mancini

[email protected]

School of Computer Science University of Birmingham

November 2015

L. I. Mancini Mobile Telephony Systems Security Motivation and Scope

What:

Security of the over-the-air interface in Mobile Telephony Systems

Why: wireless communications

mobile phones are always on and emitting their identity

answer without the agreement of their bearers

are pervasive

can collect personal data through a variety of sensors

L. I. Mancini Mobile Telephony Systems Security Motivation and Scope

Enemies of Security and Privacy by Design

Low cost Computational limitations Limited storage Battery life Functionality Market competition

L. I. Mancini Mobile Telephony Systems Security Summary

Introduction to Mobile Telephony Systems Basic protocols 2G Security Features 2G Security Weaknesses 3G Security Features 3G Security Weaknesses 4G Security Features 4G Security Weaknesses Emerging and Future Generations Conclusions

L. I. Mancini Mobile Telephony Systems Security Introduction to Mobile Telephony Systems

Cellular (Mobile Telephony) network: Radio network covering wide geographic areas divided in cells. Each cell is served by at least one base station. A cellular network enables a large number of radio transceivers (e.g. mobile phones) to communicate with each other and with ﬁxed transceivers (e.g. ﬁxed telephones) via the base station.

L. I. Mancini Mobile Telephony Systems Security Generations

Cellular communication is developed in generations: 0G (1970s) analog, did not support handover (i.e. user could not move from one cell to another while calling, devices built in car/truck or in a briefcase. 1G (1980s) mainly for voice services, no international roaming. 2G (1990) introduces: BSC to lighten MSC workload, encryption, mobile assisted handoff, data services, SMS, Internet, fax, picture sharing, international roaming. 3G (1995) offers: improved voice and data services including video call, higher speed internet access (up to 1Mbps), improved security. 4G (2006) aimed at boosting data services with increased data rate from 100Mbps to 1Gbps, based on IPv6. 5G (???)

L. I. Mancini Mobile Telephony Systems Security Mobile Telephony Systems Architecture

Note: this architecture is simpliﬁed and uses a 2G like terminology. Similar network elements with similar functions are found in 3G networks

L. I. Mancini Mobile Telephony Systems Security Protocol Stack

L. I. Mancini Mobile Telephony Systems Security Identity Management

IMSI is the long-term identity stored on the SIM card TMSI is a short-term identity reallocated periodically According to the standard at least at each change of location New TMSI should not be linkable with old one

L. I. Mancini Mobile Telephony Systems Security Identity Management

L. I. Mancini Mobile Telephony Systems Security Basic Protocols

L. I. Mancini Mobile Telephony Systems Security Basic Protocols: Identiﬁcation Procedure

KIMSI , IMSI KIMSI , IMSI

IDENTITY_REQ, ID_TYPE

IDENTITY_RES, IMSI

initiated by the network on a dedicated channel usually when the MS ﬁrst attaches trivially breaches anonymity

L. I. Mancini Mobile Telephony Systems Security Basic Protocols: TMSI Reallocation Procedure

KIMSI , IMSI, TMSI, CK KIMSI , IMSI, TMSI, CK

L3_MSG, TMSI

Management of means for ciphering: CK established

new newTMSI

r { TMSI_REALL_CMD, newTMSI,LAI}CK

r {TMSI_REALL_COMPLETE}CK

initiated by the network on a dedicated channel re-allocation message is encrypted should be periodically executed and should be executed at least at each change of location

L. I. Mancini Mobile Telephony Systems Security Basic Protocols: Paging Procedure

KIMSI , IMSI,TMSI KIMSI , IMSI

PAGING_REQ, IMSI

PAGING_RES, ID

the paging request is sent on a broadcast channel by the network in order to deliver a service to a MS the paging request is sent in all the most recently visited location areas the paging response is sent on a dedicated channel ID is IMSI in 2G, TMSI in 3G

L. I. Mancini Mobile Telephony Systems Security 2G Security

L. I. Mancini Mobile Telephony Systems Security 2G Security Features

2G networks aim to provide User Identity Conﬁdentiality: to ensure privacy of the subscriber from third parties User Identity Authentication: to ensure that the subscriber is a legitimate one User Data Conﬁdentiality

L. I. Mancini Mobile Telephony Systems Security 2G Authentication Protocol

2G Authentication Protocol: is always initiated by the network allows the network to establish that the subscriber is a legitimate one does not authenticate the network to the user is always executed after a dedicated channel is established and the MS sent its identity

L. I. Mancini Mobile Telephony Systems Security 2G Authentication Protocol

KIMSI , IMSI KIMSI , IMSI

generate RANDi compute XSRESi = A3(RANDi , KIMSI ) CKi = A8(RANDi , KIMSI ) AVi = (RANDi , XSRESi , CKi )

RANDi

compute SRESi = A3(RANDi , KIMSI )

SRESi

Compute and store if SRESi <> XSRESi then abort CKi = A8(RANDi , KIMSI )

L. I. Mancini Mobile Telephony Systems Security 2G Encryption

A5(enc)/A3(auth)/A8(key gen) algos are proprietary A5 has 3 variants: A5/1 is the most used A5/2 (weaker version of A5/1) is being phased out A5/3 (KASUMI) stronger but not yet widespread in 2G networks algos can be negotiated network can enforce no encryption often no indication is given to the user about the use of encryption

L. I. Mancini Mobile Telephony Systems Security 2G Security Weaknesses

lack of network authentication user identity secrecy breached by identiﬁcation procedure no integrity protection no protection against replay attacks trafﬁc encrypted only between MS and BTS not in the core network security through obscurity (A3, A5, A8 based on proprietary algos)

L. I. Mancini Mobile Telephony Systems Security 2G Ofﬂine attack

Threat: SIM Cloning Exploit: weaknesses in COMP128/COMP128-1 used by key gen (A8) and auth (A3) allow retrieval of the long term key KIMSI Requirements: physical access to original SIM card card reader/writer blank SIM card cracking software Effects: identity theft, available credit/allowance theft, DOS Mitigations: cloning can be detected SIM using COMP128-2/3 cannot be cloned

L. I. Mancini Mobile Telephony Systems Security Fake BS-based Attacks

(rely on lack of network authentication) Threat: IMSI Catcher Exploit: lack of network authentication Requirements: Fake BS (BS-like device) MS attaches to the BS with stronger signal the Fake BS sends an identiﬁcation request message asking for the long term identity IMSI Effects: tracking the presence of a user in a given area Mitigations: IMSI Catcher-Catcher Fake BS considered too expensive until advent of USRP and short range BSs (femtocells) Protect the identiﬁcation procedure using PKI

demo performed at DefCon18

L. I. Mancini Mobile Telephony Systems Security Fake BS-based Attacks

(rely on lack of network authentication) IMSI Catcher: Fake BS can induce MS to attach using stronger signal than legitimate BS and then trigger the identiﬁcation procedure to breach user privacy

Over-the-air SIM cloning: due to weaknesses in COMP128 KIMSI can be retrieved over the air by sending selected challenges but it can take several hours. SIM cloning can be detected by the network. Fake BS can deactivate ciphering and force MS to send data in clear (most MS do not alert the user when no encryption is used). Services can be delivered either by using a MS connected to the real network or by routing the data through a VOIP connection.

L. I. Mancini Mobile Telephony Systems Security MS-based Attacks

Threat: Session key retrieval (one of many, live demo and cracking tool available) Exploit: weaknesses in A5/1, A5/2 Requirements: 64bits of known plaintext, e.g. control messages uses brute force-like attack based on rainbow tables (implemented in the Kraken tool) way of locating target user (eg. silent SMS/silent call locating attack) device to sniff traffic on dedicated channel (modified motorola phone) Effects: breach of phone call/SMS message confidentiality Mitigations: use stronger encryption algorithm

demo performed at CCC

L. I. Mancini Mobile Telephony Systems Security MS-based Attacks

Threat: Network DOS attack Exploit: channel request message, limited resources of BSC Requirements: MS-like device capable to send channel request messages Effects: saturation of BSC resources service unavailability

L. I. Mancini Mobile Telephony Systems Security MS-based Attacks

Threat: User De-registration DOS attack Exploit: lack of authentication of signalling messages Requirements: MS-like device programmed to send IMSI detach messages to the network Effects: user unreachable for mobile terminated services

L. I. Mancini Mobile Telephony Systems Security MS-based Attacks

Threat: Paging response DOS attack Exploit: lack of authentication of signalling messages Requirements: MS-like device programmed to send paging response messages to the network answer paging request faster than the victim phone Effects: incoming call dropped incoming call hijacked if attack performed in unencrypted network Mitigations: use of encryption, indication of no encryption on MS

L. I. Mancini Mobile Telephony Systems Security MS-based Attacks

Threat: User tracking Exploit: silent phone call/SMS, TMSI not updated often Requirements: MS-like device programmed to sniff signalling messages over dedicated channels Effects: breach of user privacy Mitigations: frequent change of TMSI

demo performed at CCC

L. I. Mancini Mobile Telephony Systems Security GSM Experimental Analysis and Hacking

Osmocom-bb OpenBSC (uses commercial BTS) OpenBTS (implements BTS using USRP and GNUradio) wireshark BladeRF HackRF

L. I. Mancini Mobile Telephony Systems Security Any Questions?

L. I. Mancini Mobile Telephony Systems Security 3G Security

L. I. Mancini Mobile Telephony Systems Security 3G Security Features

3G security mainly relies on the Authentication and Key Agreement (AKA) Protocol to provide: Mutual Authentication User Data Conﬁdentiality User Identity Conﬁdentiality (Anonymity) User Untraceability (Unlinkability)

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

Initiated by the network to: Authenticate a MS identity Authenticate the network identity Establish a ciphering key Establish an integrity key

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

Authentication Vector: AV = [RAND, XRES, CK , IK , AUTN]

AUTN = SQNHN ⊕ AK ||MAC

MAC = f 1K (SQNHN ||RAND)

XRES = f 2K (RAND)

CK = f 3K (RAND)

IK = f 4K (RAND)

AK = f 5K (RAND)

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

Authentication Vector: AV = [RAND, XRES, CK , IK , AUTN] AUTH_REQ(RAND, AUTN) AUTN = SQNHN ⊕ AK ||MAC

MAC = f 1K (SQNHN ||RAND)

XRES = f 2K (RAND)

CK = f 3K (RAND)

IK = f 4K (RAND)

AK = f 5K (RAND)

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

Authentication Vector: AV = [RAND, XRES, CK , IK , AUTN] Compute: AUTH_REQ(RAND, AUTN) AUTN = SQNHN ⊕ AK ||MAC AK = f 5K (RAND) MAC = f 1K (SQNHN ||RAND) SQN = (SQN ⊕ AK ) ⊕ AK HN HN XRES = f 2K (RAND)

CK = f 3K (RAND) XMAC = f 1K (SQNHN ||RAND) IK = f 4K (RAND)

AK = f 5K (RAND)

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

CK = f 3K (RAND) XMAC = f 1K (SQNHN ||RAND) IK = f 4K (RAND)

AK = f 5K (RAND) Check: MAC == XMAC

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

CK = f 3K (RAND) XMAC = f 1K (SQNHN ||RAND) IK = f 4K (RAND)

AK = f 5K (RAND) ( ) Check: AUTH_FAILURE MAC MAC == XMAC

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

CK = f 3K (RAND) XMAC = f 1K (SQNHN ||RAND) IK = f 4K (RAND)

AK = f 5K (RAND) Check: MAC == XMAC

Check: SQNHN >= SQNMS

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

CK = f 3K (RAND) XMAC = f 1K (SQNHN ||RAND) IK = f 4K (RAND)

AK = f 5K (RAND) Check: MAC == XMAC

Check: AUTH_FAILURE(AUTS) SQNHN >= SQNMS

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

CK = f 3K (RAND) XMAC = f 1K (SQNHN ||RAND) IK = f 4K (RAND)

AK = f 5K (RAND) Check: MAC == XMAC

Check: AUTH_FAILURE(AUTS) Resynch SQNHN >= SQNMS

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

CK = f 3K (RAND) XMAC = f 1K (SQNHN ||RAND) IK = f 4K (RAND)

AK = f 5K (RAND) Check: MAC == XMAC

Check: SQNHN >= SQNMS

Calculate: RES = f 2K (RAND) CK = f 3K (RAND) IK = f 4K (RAND)

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

CK = f 3K (RAND) XMAC = f 1K (SQNHN ||RAND) IK = f 4K (RAND)

AK = f 5K (RAND) Check: MAC == XMAC

Check: SQNHN >= SQNMS

Calculate: AUTH_RES(RES) RES = f 2K (RAND) CK = f 3K (RAND) IK = f 4K (RAND)

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

CK = f 3K (RAND) XMAC = f 1K (SQNHN ||RAND) IK = f 4K (RAND)

AK = f 5K (RAND) Check: MAC == XMAC

Check: SQNHN >= SQNMS

AUTH_RES(RES) Calculate: Check: RES = f 2 (RAND) K XRES == RES CK = f 3K (RAND) IK = f 4K (RAND)

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: AKA Protocol

MS SN/HN

K ,SQNMS K ,SQNHN

CK = f 3K (RAND) XMAC = f 1K (SQNHN ||RAND) IK = f 4K (RAND)

AK = f 5K (RAND) ( ) Check: AUTH_FAILURE MAC MAC == XMAC

Check: AUTH_FAILURE(AUTS) Resynch SQNHN >= SQNMS

AUTH_RES(RES) Calculate: Check: RES = f 2 (RAND) K XRES == RES CK = f 3K (RAND) IK = f 4K (RAND)

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: 3G AKA Protocol

3G crypto functions are open to public scrutiny no practical attacks found so far

L. I. Mancini Mobile Telephony Systems Security 3G Security Features: 3G AKA Protocol

3G crypto functions are open to public scrutiny no practical attacks found so far but 3G protocols have weaknesses

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

Threat: 2G downgrade attack Exploit: lack of authentication of serving network Requirements: Fake BS Effects: Fake BS forces downgrade to 2G Mitigations: set network connection on 3G only in MS settings

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

Threat: Redirection attack Exploit: lack of authentication of serving network Requirements: Fake BS and a MS connected to a real BS Effects: redirection of the communication to a chosen network perhaps one charging a higher rate or using weaker encryption

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

Threat: AKA linkability attack Exploit: AKA error messages Requirements: Fake BS-like device Effects: user tracking Mitigations: conceal the error message send generic error message no error handling

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

MS Attacker Network

K ,SQNMS K ,SQNHN

AUTH_REQ(RAND, AUTN)

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

MS Attacker Network

K ,SQNMS RAND, AUTN K ,SQNHN

AUTH_REQ(RAND, AUTN)

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

MS Attacker Network

K ,SQNMS RAND, AUTN K ,SQNHN

AUTH_REQ(RAND, AUTN)

AUTH_RES(RES)

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

MS Attacker Network

K ,SQNMS RAND, AUTN K ,SQNHN

AUTH_REQ(RAND, AUTN)

AUTH_RES(RES)

AUTH_REQ(RAND, AUTN)

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

MS Attacker Network

K ,SQNMS RAND, AUTN K ,SQNHN

AUTH_REQ(RAND, AUTN)

AUTH_RES(RES)

AUTH_REQ(RAND, AUTN)

AUTH_RES(RES) if RES=SYNCH_FAIL|| = ( ) RES f2KIMSI RAND then I know this MS!

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

MS Attacker Network

K ,SQNMS RAND, AUTN K ,SQNHN

AUTH_REQ(RAND, AUTN)

AUTH_RES(RES)

AUTH_REQ(RAND, AUTN)

AUTH_RES(RES) if RES=SYNCH_FAIL|| = ( ) RES f2KIMSI RAND then I know this MS! AUTH_REQ(RAND, AUTN)

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

MS Attacker Network

K ,SQNMS RAND, AUTN K ,SQNHN

AUTH_REQ(RAND, AUTN)

AUTH_RES(RES)

AUTH_REQ(RAND, AUTN)

AUTH_RES(RES) if RES=SYNCH_FAIL|| = ( ) RES f2KIMSI RAND then I know this MS! AUTH_REQ(RAND, AUTN)

AUTH_RES(RES) if RES=MAC_FAIL then this is another MS

L. I. Mancini Mobile Telephony Systems Security 3G Attacks

Threat: Femtocell rooting Exploit: weaknesses in femtocell software/ﬁrmware Requirements: Femtocell Effects: breach of user conﬁdentiality call/SMS interception breach of user privacy

L. I. Mancini Mobile Telephony Systems Security 4G Architecture

simpliﬁed architecture (less elements with more complex functions) all IP network interworking with non- 3GPP networks

L. I. Mancini Mobile Telephony Systems Security 4G Security aims

user identity conﬁdentiality mutual authentication (including SN to MS) data conﬁdentiality data integrity

L. I. Mancini Mobile Telephony Systems Security 4G security features

Re-use of UMTS Authentication and Key Agreement (AKA) Use of USIM required (GSM SIM excluded) 128 bit keys used but 256bit keys could be used as well Interworking security for non-3GPP networks Extended key hierarchy

L. I. Mancini Mobile Telephony Systems Security 4G AKA and keys hierarchy

establishes local master key between MME and MS KIMSI hierarchy of keys derived different keys used to protect user data and signalling data CK,IK fresh session keys can be generated without executing UE/MME KASME AKA

integrity protection is KeNB UE/eNB compulsory KNAS KNAS ciphering is optional enc int ciphering and integrity based K K K UPenc RRCenc RRCint on SNOW 3G and AES

L. I. Mancini Mobile Telephony Systems Security Beyond 4G

Cellular IoT (4.5G) aims at providing IoT services focuses on M2M communication deep coverage at lower speed 5G Aimed at even better data services with increased speed

L. I. Mancini Mobile Telephony Systems Security Conclusions

Mobile systems have been deployed for few decades security analysis has only recently opened to wider public scrutiny plenty of room for formal and experimental analysis technology in constant evolution reluctance towards PKI adoption for economical and historical reasons next generations will beneﬁt building on the strength and avoiding mistakes of past generations.

L. I. Mancini Mobile Telephony Systems Security Thank You!

L. I. Mancini Mobile Telephony Systems Security