Mobile Telephony Systems Security
Loretta Ilaria Mancini
School of Computer Science, University of Birmingham
November 2015

Motivation and Scope
What: security of the over-the-air interface in mobile telephony systems
Why:
- wireless communications
- mobile phones:
  - are always on and emitting their identity
  - answer without the agreement of their bearers
  - are pervasive
  - can collect personal data through a variety of sensors

Enemies of Security and Privacy by Design
- Low cost
- Computational limitations
- Limited storage
- Battery life
- Functionality
- Market competition

Summary
- Introduction to Mobile Telephony Systems
- Basic protocols
- 2G Security Features
- 2G Security Weaknesses
- 3G Security Features
- 3G Security Weaknesses
- 4G Security Features
- 4G Security Weaknesses
- Emerging and Future Generations
- Conclusions

Introduction to Mobile Telephony Systems
Cellular (mobile telephony) network: a radio network covering wide geographic areas divided into cells. Each cell is served by at least one base station. A cellular network enables a large number of radio transceivers (e.g. mobile phones) to communicate with each other and with fixed transceivers (e.g. fixed telephones) via the base station.

Generations
Cellular communication is developed in generations:
- 0G (1970s): analog; did not support handover (i.e. the user could not move from one cell to another while calling); devices built into a car/truck or in a briefcase.
- 1G (1980s): mainly for voice services; no international roaming.
- 2G (1990): introduces BSC to lighten MSC workload, encryption, mobile assisted handoff, data services, SMS, Internet, fax, picture sharing, international roaming.
- 3G (1995): offers improved voice and data services including video call, higher speed internet access (up to 1Mbps), improved security.
- 4G (2006): aimed at boosting data services with increased data rate from 100Mbps to 1Gbps; based on IPv6.
- 5G (???)

Mobile Telephony Systems Architecture
Note: this architecture is simplified and uses a 2G-like terminology. Similar network elements with similar functions are found in 3G networks.

Protocol Stack

Identity Management
- IMSI is the long-term identity stored on the SIM card
- TMSI is a short-term identity, reallocated periodically
  - according to the standard, at least at each change of location
  - the new TMSI should not be linkable with the old one

Basic Protocols

Basic Protocols: Identification Procedure
MS: K_IMSI, IMSI                 Network: K_IMSI, IMSI
Network -> MS: IDENTITY_REQ, ID_TYPE
MS -> Network: IDENTITY_RES, IMSI
- initiated by the network on a dedicated channel
- usually when the MS first attaches
- trivially breaches anonymity

Basic Protocols: TMSI Reallocation Procedure
MS: K_IMSI, IMSI, TMSI, CK       Network: K_IMSI, IMSI, TMSI, CK
MS -> Network: L3_MSG, TMSI
Management of means for ciphering: CK established
Network: new newTMSI
Network -> MS: {TMSI_REALL_CMD, newTMSI, LAI}^r_CK
MS -> Network: {TMSI_REALL_COMPLETE}^r_CK
- initiated by the network on a dedicated channel
- the re-allocation message is encrypted
- should be executed periodically, and at least at each change of location

Basic Protocols: Paging Procedure
MS: K_IMSI, IMSI, TMSI           Network: K_IMSI, IMSI
Network -> MS: PAGING_REQ, IMSI
MS -> Network: PAGING_RES, ID
- the paging request is sent on a broadcast channel by the network in order to deliver a service to a MS
- the paging request is sent in all the most recently visited location areas
- the paging response is sent on a dedicated channel
- ID is IMSI in 2G, TMSI in 3G

2G Security

2G Security Features
2G networks aim to provide:
- User Identity Confidentiality: to ensure privacy of the subscriber from third parties
- User Identity Authentication: to ensure that the subscriber is a legitimate one
- User Data Confidentiality

2G Authentication Protocol
The 2G authentication protocol:
- is always initiated by the network
- allows the network to establish that the subscriber is a legitimate one
- does not authenticate the network to the user
- is always executed after a dedicated channel is established and the MS has sent its identity

MS: K_IMSI, IMSI                 Network: K_IMSI, IMSI
Network: generate RAND_i and compute
    XSRES_i = A3(RAND_i, K_IMSI)
    CK_i    = A8(RAND_i, K_IMSI)
    AV_i    = (RAND_i, XSRES_i, CK_i)
Network -> MS: RAND_i
MS: compute SRES_i = A3(RAND_i, K_IMSI)
MS -> Network: SRES_i
MS: compute and store CK_i = A8(RAND_i, K_IMSI)
Network: if SRES_i <> XSRES_i then abort

2G Encryption
- A5 (enc) / A3 (auth) / A8 (key gen) algos are proprietary
- A5 has 3 variants:
  - A5/1 is the most used
  - A5/2 (weaker version of A5/1) is being phased out
  - A5/3 (KASUMI) is stronger but not yet widespread in 2G networks
- algos can be negotiated
- the network can enforce no encryption
- often no indication is given to the user about the use of encryption

2G Security Weaknesses
- lack of network authentication
- user identity secrecy breached by the identification procedure
- no integrity protection
- no protection against replay attacks
- traffic encrypted only between MS and BTS, not in the core network
- security through obscurity (A3, A5, A8 based on proprietary algos)

2G Offline attack
Threat: SIM Cloning
Exploit: weaknesses in COMP128/COMP128-1, used by key gen (A8) and auth (A3), allow retrieval of the long term key K_IMSI
Requirements:
- physical access to the original SIM card
- card reader/writer
- blank SIM card
- cracking software
Effects: identity theft, available credit/allowance theft, DoS
Mitigations:
- cloning can be detected
- SIMs using COMP128-2/3 cannot be cloned

Fake BS-based Attacks
(rely on lack of network authentication)
Threat: IMSI Catcher
Exploit: lack of network authentication
Requirements:
- Fake BS (BS-like device)
- MS attaches to the BS with the stronger signal
- the Fake BS sends an identification request message asking for the long term identity IMSI
Effects: tracking the presence of a user in a given area
Mitigations:
- IMSI Catcher-Catcher
- Fake BS considered too expensive until the advent of USRP and short range BSs (femtocells)
- protect the identification procedure using PKI
Demo performed at DefCon18.

Fake BS-based Attacks
(rely on lack of network authentication)
- IMSI Catcher: a Fake BS can induce the MS to attach by using a stronger signal than the legitimate BS, and then trigger the identification procedure to breach user privacy.
- Over-the-air SIM cloning: due to weaknesses in COMP128, K_IMSI can be retrieved over the air by sending selected challenges, but it can take several hours. SIM cloning can be detected by the network.
- A Fake BS can deactivate ciphering and force the MS to send data in clear (most MS do not alert the user when no encryption is used).
- Services can be delivered either by using a MS connected to the real network or by routing the data through a VoIP connection.

MS-based Attacks
Threat: Session key retrieval (one of many; live demo and cracking tool available)
Exploit: weaknesses in A5/1, A5/2
Requirements:
- 64 bits of known plaintext, e.g. control messages
- uses a brute force-like attack based on rainbow tables (implemented in the Kraken tool)
- a way of locating the target user (e.g. silent SMS/silent call locating attack)
- a device to sniff traffic on the dedicated channel (modified Motorola phone)
Effects: breach of phone call/SMS message confidentiality
Mitigations: use a stronger encryption algorithm
Demo performed at CCC.

MS-based Attacks
Threat: Network DoS attack
Exploit: channel request message, limited resources of BSC
Requirements: MS-like device capable of sending channel request messages
Effects:
- saturation of BSC resources
- service unavailability

MS-based Attacks
Threat: User De-registration DoS attack
Exploit: lack of authentication of signalling messages
Requirements: MS-like device programmed to send IMSI detach messages to the network
Effects: user unreachable for mobile terminated services

MS-based Attacks
Threat: Paging response DoS attack
Exploit: lack of authentication of signalling messages
Requirements:
- MS-like device programmed to send paging response messages to the network
- answer the paging request faster than the victim phone
Effects:
- incoming call dropped
- incoming call hijacked if the attack is performed in an unencrypted network
Mitigations: use of encryption, indication of no encryption on MS

MS-based Attacks
Threat: User tracking
Exploit: silent phone call/SMS, TMSI not updated often
Requirements: MS-like device programmed to sniff signalling messages over dedicated channels
Effects: breach of user privacy
Mitigations: frequent change of TMSI
Demo performed at CCC.

GSM Experimental Analysis and Hacking
- Osmocom-bb
- OpenBSC (uses commercial BTS)
- OpenBTS (implements BTS using USRP and GNU Radio)
- Wireshark
- BladeRF
- HackRF

Any Questions?

3G Security

3G Security Features
3G security mainly relies on the Authentication and Key Agreement (AKA) protocol to provide:
- Mutual Authentication
- User Data Confidentiality
- User Identity Confidentiality (Anonymity)
- User Untraceability (Unlinkability)

3G Security Features: AKA Protocol
Initiated by the network to:
- authenticate a MS identity
- authenticate the network identity
- establish a ciphering key
- establish an integrity key

MS: K, SQN_MS                    SN/HN: K, SQN_HN

SN/HN: Authentication Vector: AV = [RAND, XRES, CK, IK, AUTN]
    AUTN = (SQN_HN ⊕ AK) || MAC
    MAC  = f1_K(SQN_HN || RAND)
    XRES = f2_K(RAND)
    CK   = f3_K(RAND)
    IK   = f4_K(RAND)
    AK   = f5_K(RAND)

SN/HN -> MS: AUTH_REQ(RAND, AUTN)

MS: Compute:
    AK     = f5_K(RAND)
    SQN_HN = (SQN_HN ⊕ AK) ⊕ AK
    XMAC   = f1_K(SQN_HN || RAND)
MS: Check: MAC == XMAC
    on failure, MS -> SN/HN: AUTH_FAILURE(MAC)
MS: Check: SQN_HN >= SQN_MS
    on failure, MS -> SN/HN: AUTH_FAILURE(AUTS), followed by Resynch
MS: Calculate:
    RES = f2_K(RAND)
    CK  = f3_K(RAND)
    IK  = f4_K(RAND)

MS -> SN/HN: AUTH_RES(RES)

SN/HN: Check: XRES == RES

3G Security Features: 3G AKA Protocol
- 3G crypto functions are open to public scrutiny
- no practical attacks found so far
- but 3G protocols have weaknesses

3G Attacks
Threat: 2G downgrade attack
Exploit: lack of authentication of serving network
Requirements: Fake BS
Effects: Fake BS forces downgrade to 2G
Mitigations: set the network connection to 3G only in the MS settings

3G Attacks
Threat: Redirection attack
Exploit: lack of authentication of serving network
Requirements: Fake BS and a MS connected to a real BS
Effects: redirection of the communication to a chosen network, perhaps one charging a higher rate or using weaker encryption

3G Attacks
Threat: AKA linkability attack
Exploit: AKA error messages
Requirements: Fake BS-like device
Effects: user tracking
Mitigations:
- conceal the error message
- send a generic error message
- no error handling

3G Attacks
MS: K, SQN_MS          Attacker: RAND, AUTN          Network: K, SQN_HN
Network -> MS: AUTH_REQ(RAND, AUTN)
MS -> Network: AUTH_RES(RES)
Attacker -> MS: AUTH_REQ(RAND, AUTN)
MS -> Attacker: AUTH_RES(RES)
    if RES = SYNCH_FAIL || RES = f2_K_IMSI(RAND) then I know this MS!
Attacker -> MS: AUTH_REQ(RAND, AUTN)
MS -> Attacker: AUTH_RES(RES)
    if RES = MAC_FAIL then this is another MS
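
The MS-side AKA checks and the linkability issue above can be reproduced in a small simulation. This is an added example, not part of the original slides: f1..f5 are replaced by an HMAC-SHA256 stand-in, the names USIM, make_auth_req and replay_outcomes are hypothetical, the keys and RAND are constructed sample values, and advancing SQN_MS after a successful run is an assumption. It shows that distinct failure messages separate the original MS from any other MS, and that the "send generic error message" mitigation removes the difference.

```python
import hashlib
import hmac

def f(n, key, data, size):
    # Stand-in for f1..f5 (assumption: HMAC-SHA256, not an operator's real functions)
    return hmac.new(key, bytes([n]) + data, hashlib.sha256).digest()[:size]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_auth_req(k, sqn_hn, rand):
    # Network side: AUTN = (SQN_HN xor AK) || MAC
    sqn = sqn_hn.to_bytes(6, "big")
    ak = f(5, k, rand, 6)
    mac = f(1, k, sqn + rand, 8)
    return rand, xor(sqn, ak) + mac

class USIM:
    # Hypothetical model of the MS-side checks listed on the slides
    def __init__(self, k, sqn_ms, generic_errors=False):
        self.k, self.sqn_ms, self.generic_errors = k, sqn_ms, generic_errors

    def authenticate(self, rand, autn):
        ak = f(5, self.k, rand, 6)
        sqn = xor(autn[:6], ak)                      # recover SQN_HN
        xmac = f(1, self.k, sqn + rand, 8)
        if not hmac.compare_digest(autn[6:], xmac):  # Check: MAC == XMAC
            return "AUTH_FAILURE" if self.generic_errors else "MAC_FAIL"
        sqn_hn = int.from_bytes(sqn, "big")
        if sqn_hn < self.sqn_ms:                     # Check: SQN_HN >= SQN_MS
            return "AUTH_FAILURE" if self.generic_errors else "SYNCH_FAIL"
        self.sqn_ms = sqn_hn + 1                     # assumption: counter advances on success
        return "RES:" + f(2, self.k, rand, 8).hex()

def replay_outcomes(generic_errors):
    # Constructed sample values: two subscribers with different long-term keys
    rand = bytes(range(16))
    ms_a = USIM(b"A" * 16, 10, generic_errors)
    ms_b = USIM(b"B" * 16, 10, generic_errors)
    req = make_auth_req(b"A" * 16, 10, rand)         # AUTH_REQ addressed to ms_a
    genuine = ms_a.authenticate(*req)                # first delivery is accepted
    # The same AUTH_REQ delivered again to ms_a, and to the unrelated ms_b
    return genuine.startswith("RES:"), ms_a.authenticate(*req), ms_b.authenticate(*req)

if __name__ == "__main__":
    print("distinct errors:", replay_outcomes(False))
    print("generic error:  ", replay_outcomes(True))
```

With distinct errors the two handsets answer differently to the same message; with a single generic failure their answers are identical.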

3G Attacks
Threat: Femtocell rooting
Exploit: weaknesses in femtocell software/firmware
Requirements: Femtocell
Effects:
- breach of user confidentiality: call/SMS interception
- breach of user privacy

4G Architecture
- simplified architecture (fewer elements with more complex functions)
- all-IP network
- interworking with non-3GPP networks

4G Security aims
- user identity confidentiality
- mutual authentication (including SN to MS)
- data confidentiality
- data integrity

4G security features
- Re-use of UMTS Authentication and Key Agreement (AKA)
- Use of USIM required (GSM SIM excluded)
- 128-bit keys used, but 256-bit keys could be used as well
- Interworking security for non-3GPP networks
- Extended key hierarchy

4G AKA and keys hierarchy
- establishes a local master key between MME and MS
- hierarchy of keys derived
- different keys used to protect user data and signalling data
- fresh session keys can be generated without executing AKA
- integrity protection is compulsory
- ciphering is optional
- ciphering and integrity based on SNOW 3G and AES
Key hierarchy (figure): K_IMSI -> CK, IK -> K_ASME (UE/MME) -> K_NASenc, K_NASint and K_eNB (UE/eNB) -> K_UPenc, K_RRCenc, K_RRCint

Beyond 4G
- Cellular IoT (4.5G):
  - aims at providing IoT services
  - focuses on M2M communication
  - deep coverage at lower speed
- 5G: aimed at even better data services with increased speed

Conclusions
- mobile systems have been deployed for a few decades
- security analysis has only recently opened to wider public scrutiny
- plenty of room for formal and experimental analysis
- technology in constant evolution
- reluctance towards PKI adoption for economic and historical reasons
- next generations will benefit from building on the strengths and avoiding the mistakes of past generations

Thank You!