A practical attack against GPRS/EDGE/UMTS/HSPA mobile …


Page 1: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications

Matiaz Ouine : [email protected]

Benoît Raymond : [email protected]

ENSIMAG - 4MMSR : Network Security - Student Seminar 1 / 17 20/03/2012

Keywords : GPRS, EDGE, UMTS, BTS, MS, authentication, encryption

David Perez - [email protected]

Jose Pico - [email protected]

Black Hat DC 2011 (Jan. 18-19)

Page 2: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Summary

● Background – Vocabulary

● Presentation of the talk

● Description of the GSM Architecture

● Vulnerabilities

● Attack implementation

● Possibilities offered by the attack

● Countermeasures

● Limitations

● Conclusion

● References


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

David Perez - [email protected] Jose Pico - [email protected]

Page 3: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Paper’s authors

• David Perez and Jose Pico

• Co-Founders and Senior Security analysts at Taddong

• Skills

• Network

• Web applications

• Mobile communications

• VoIP

• Etc.

• Last paper

• New attack scenarios with rogue base stations at RootedCON 2012 (3/03/2012)


Page 4: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Background - Vocabulary

• Background of the talk

• Protocol stack

• Vocabulary

• GPRS = 2G ; EDGE = 2.5G

• UMTS = 3G ; HSPA = 3.5G (= 3G+)

• MS = Mobile Station (ex: phone, tablet computer, computer with 3G modem, …)

• IMEI = unique identification number of one handset

• IMSI = unique identification number of one SIM card

• USIM key (Ki) = shared key between the SIM and the mobile phone company

[Figure: UMTS protocol stack, showing the Access Layer and the Non Access Layer (main subject of the talk)]

Page 5: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Presentation of the talk

● A practical attack against GPRS/EDGE/UMTS/HSPA (2G/3G) mobile data communications

● Budget < $10,000

● Exploitation of three vulnerabilities of 2G/3G networks


Page 6: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Description of the GSM Architecture (1/2)

[Figure: GSM/GPRS network architecture. Legend: Voice (ex : SMS/MMS/Voice Call) ; Data (ex : HTTP, DNS, VoIP, P2P, …)]

Page 7: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Description of the GSM Architecture (2/2)

• Circuit switched

• 2 communication channels

• Uplink and downlink

• GSM medium access

• TDMA


Page 8: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Vulnerabilities

● Lack of mutual authentication in GPRS/EDGE

● Unidirectional authentication

● MS (Mobile Station) authenticates to the BTS

● Encryption algorithm

● Negotiation of encryption algorithm

• MS indicates its supported encryption algorithms (ex : GEA-0, GEA-1, …)

• BTS chooses one of those algorithms

● Algorithm GEA-0 (= no encryption)

● Fall back to GPRS/EDGE

● UMTS/HSPA uses mutual authentication

● Fall back to the GSM/GPRS/EDGE network when the UMTS/HSPA network is not available


Page 9: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Attack implementation (1/3)

● Experimental setup

[Figure: experimental setup of the rogue network]

- OpenBSC implements the BSC, MSC and HLR

- OsmoSGSN implements the SGSN

- OpenGGSN implements the GGSN

Page 10: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Attack implementation (2/3)

● Description of each step

● Position of the attacker

• Be close enough to the target

● Listen radio spectrum

• Search for a frequency neighbouring the real BTS frequencies

● Configure to emit at the chosen frequency

• Take the identity of the real BTS

● Set up BTS to accept connection of the target

• Identified by its IMSI / IMEI

● Working uplink to the Internet

● Configure OsmoSGSN, OpenGGSN, routing tables

● Power up BTS

● Read / Modify / Redirect IP packets sent and received by the victim


Page 11: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Attack implementation (3/3)

● Extension to 3G

● Create interference in the UMTS frequency bands

• Use a jammer

● UMTS spectrum allocation in France (900 MHz and 2100 MHz)

• Exploit the 3rd vulnerability


Page 12: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Possibilities offered by the attack

● Possibilities

● Sniff traffic, redirect traffic, compromise the LAN, …

● Full man in the middle!

● Security properties that are violated on the transmitted data

● Confidentiality : attacker can read transmitted data

● Integrity : attacker can modify transmitted data

● Authenticity : message not from the assumed sender (man in the middle)

● Freshness : attacker can replay old transmitted data

● Security properties that are violated on the user identity

● Privacy : attacker can know victim’s private identity data

● Security properties that are violated on the communication system

● Availability : the attacker's rogue BTS cannot serve all the users it captures

● Traceability : the mobile phone company will not be able to list your actions


Page 13: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Countermeasures (1/2)

● Countermeasures

● Use a protocol from an upper layer to ensure endpoint authentication and encryption (ex : SSL, IPsec, …)

● Use only UMTS/HSPA

● Do not accept fall back to 2G

● iPhone : Jailbreak

● Android / Windows Mobile / Symbian : Parameters (only WCDMA)
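To make the negotiation vulnerability and the "only WCDMA" countermeasure concrete, here is a small simulation (added here, not code from the talk or from Taddong) of the GEA negotiation the slides describe: the MS announces its algorithms, the network picks one, and the handset policy decides whether the session is acceptable. The handset and network objects are constructed for the example; the GEA names follow the slide, the policy keys are invented.

```python
def network_choice(ms_supported, network_preference):
    """The BTS/SGSN picks the cipher; a rogue network picks the weakest one the MS admitted to."""
    for alg in network_preference:
        if alg in ms_supported:
            return alg
    return None


def attach(ms, network):
    """Simulated attach. Returns the weaknesses of the resulting session, or the reason for refusal."""
    if ms["wcdma_only"] and network["rat"] != "UMTS":
        return ["refused: fallback to 2G not accepted (WCDMA only)"]
    if network["rat"] == "UMTS":
        return ["ok: mutual authentication and UEA1"]          # the slide's 3G case
    # GPRS/EDGE: only the MS authenticates (vulnerability 1), whatever the cipher is
    issues = ["network identity not verified (one-way authentication)"]
    alg = network_choice(ms["gea"], network["preference"])
    if alg is None:
        return ["refused: no common GEA algorithm"]
    if alg == "GEA-0":                                         # vulnerability 2
        issues.append("no encryption (GEA-0 selected)")
    return issues


# Constructed parties (assumption: not measurements from the talk).
DEFAULT_MS = {"wcdma_only": False, "gea": {"GEA-0", "GEA-1", "GEA-2"}}
NO_GEA0_MS = {"wcdma_only": False, "gea": {"GEA-1", "GEA-2"}}
HARDENED_MS = {"wcdma_only": True, "gea": {"GEA-1", "GEA-2"}}
# Rogue 2G network the victim lands on after the 3G band is jammed (vulnerability 3).
ROGUE_2G = {"rat": "GPRS", "preference": ["GEA-0", "GEA-1", "GEA-2"]}
REAL_3G = {"rat": "UMTS", "preference": []}

if __name__ == "__main__":
    for name, ms in (("default", DEFAULT_MS), ("no GEA-0", NO_GEA0_MS), ("WCDMA only", HARDENED_MS)):
        print(f"{name:11} vs rogue 2G: {attach(ms, ROGUE_2G)}")
    print(f"default     vs real 3G:  {attach(DEFAULT_MS, REAL_3G)}")
```

Dropping GEA-0 from the MS list removes the cleartext session but not the unauthenticated network; only refusing the 2G fallback closes both.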

[Figure: the Access Layer is compromised; the upper layers must ensure authentication and encryption]

Page 14: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Countermeasures (2/2)

• UMTS authentication

[Flowchart: does the AUTN come from the assumed HLR/BTS? YES => Step 3, NO => STOP. Step 3: XRES = RES? YES => Authentication OK, NO => STOP]

• Mutual authentication

• UMTS encryption

• Data : UMTS Encryption Algorithm 1 (UEA1), based on KASUMI

• Symmetric encryption

• Block size : 64 bits

• Key (=Ki=USIM Key) : 128 bits


• UMTS Integrity

• MAC (Message Authentication Code)

• Birthday paradox attack (2^33 packets needed => not realistic in UMTS)
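The flowchart on this slide (AUTN check, then XRES = RES) is the step that GPRS lacks. The following model, added here and not taken from the talk, plays both sides of a UMTS authentication run so the two STOP branches can be triggered: a challenger that does not hold Ki, and a replayed authentication vector. The f1/f2/f5 functions are replaced by an HMAC-based stand-in (assumption: real USIMs use MILENAGE), and the keys and counters are constructed.

```python
import hmac, hashlib, secrets


def f(key, tag, *parts):
    # Keyed PRF standing in for the 3GPP f1/f2/f5 functions (assumption: real USIMs use MILENAGE).
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hlr_auth_vector(ki, sqn, amf=b"\x80\x00"):
    """HLR/AuC side: RAND, AUTN = (SQN xor AK) || AMF || MAC, and the expected response XRES."""
    rand = secrets.token_bytes(16)
    mac = f(ki, b"f1", rand, sqn, amf)[:8]     # only a party holding Ki can compute this
    ak = f(ki, b"f5", rand)[:6]                # anonymity key, hides SQN on the air interface
    return rand, xor(sqn, ak) + amf + mac, f(ki, b"f2", rand)[:8]


def usim_check(ki, rand, autn, sqn_seen):
    """USIM side: the 'AUTN from the assumed HLR/BTS?' decision. Returns (RES or None, verdict)."""
    sqn = xor(autn[:6], f(ki, b"f5", rand)[:6])
    amf, mac = autn[6:8], autn[8:16]
    if not hmac.compare_digest(mac, f(ki, b"f1", rand, sqn, amf)[:8]):
        return None, "STOP: MAC failure (challenger does not know Ki)"
    if sqn <= sqn_seen:                        # 6-byte big-endian counter, compared as bytes
        return None, "STOP: synch failure (sequence number already seen)"
    return f(ki, b"f2", rand)[:8], "AUTN OK => Step 3"


def run_aka(ki_usim, ki_network, sqn_network, sqn_seen, vector=None):
    """One authentication run; returns the outcome as written on the slide's flowchart."""
    rand, autn, xres = vector or hlr_auth_vector(ki_network, sqn_network)
    res, verdict = usim_check(ki_usim, rand, autn, sqn_seen)
    if res is None:
        return verdict
    return "Authentication OK" if hmac.compare_digest(xres, res) else "STOP: XRES != RES"


# Constructed keys and counters for a local run (assumption: not real subscriber data).
KI = bytes(range(16))            # shared between the USIM and the genuine HLR
ROGUE_KI = bytes(16)             # a rogue base station can only guess Ki
SQN_SEEN, SQN_NEXT = b"\x00" * 5 + b"\x04", b"\x00" * 5 + b"\x05"

if __name__ == "__main__":
    print(run_aka(KI, KI, SQN_NEXT, SQN_SEEN))             # Authentication OK
    print(run_aka(KI, ROGUE_KI, SQN_NEXT, SQN_SEEN))       # STOP: MAC failure ...
    old = hlr_auth_vector(KI, SQN_SEEN)
    print(run_aka(KI, KI, None, SQN_SEEN, vector=old))     # STOP: synch failure ...
```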

Page 15: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Limitations

● Limitations

● Be close enough to the target

● Have a budget of $10,000

● Know the target in advance (IMEI and/or IMSI)

● SMS/MMS/Voice call impossible

● Why ? The attacker is not connected to the RTCP network (the public switched telephone network)

● Hypothesis : use VoIP to get around this problem (forward SMS/MMS/Voice calls)


Page 16: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Conclusion

• GPRS/EDGE architecture is insecure

• Only client authentication

• Negotiation of encryption

• Be afraid of GPRS/EDGE data connections

• UMTS is not impacted by this attack

• Because of mutual authentication


Page 17: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

References

• GSM architecture

• http://www.afutt.org/Qostic/qostic5/MOB-CN-DFF-AFUTT-030025-Club_QoS_GPRS_12_03.ppt

• UMTS frequency bands

• https://en.wikipedia.org/wiki/UMTS_frequency_bands

• Security in UMTS

• Encryption in UMTS

• http://sebastien.mougel.free.fr/download/securite_UMTS.ppt

• Authentication and encryption in UMTS

• http://freesecure.info/doc/securite-UMTS.pdf

• http://www.tcs.hut.fi/Publications/knyberg/eccomas.pdf

• Paper of the talk

• http://www.taddong.com/docs/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf

• Book (Spanish)

• Hacking y seguridad en comunicaciones móviles GSM/GPRS/UMTS/LTE, José Picó García and David Pérez Conde


Page 18: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Questions ?!?!

• Attack with the VoIP hypothesis

[Figure: Device A and Device B, with the attacker's rogue network between them]

Case 1 : A calls B, the attacker forwards the call as a VoIP call => Attack OK

• Data : HTTP, … ; SMS/MMS/Voice call : forwarded over VoIP

Case 2 : B calls A, the RTCP (public switched telephone network) can't find A ; B hits A's voice mail => Attack KO

Page 19: A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

Questions ?!?!

• GSM Cells

• One cell has 1 frequency

• Neighbour cells have different frequencies

[Figure: Cell A and a GSM neighbour cell of A, on different frequencies]