Nullcon, Goa 12 March 2016 · LTE/4G •Widely deployed ... Thanks to OpenLTE and srsLTE group!...
Privacy Leaks on 4G/LTE networks
Altaf Shaik & Jean Pierre Seifert (TU Berlin & T-Labs)
Ravishankar Borgaonkar (Oxford University)
N. Asokan (Aalto & Uni. of Helsinki)
Valtteri Niemi (Uni. of Helsinki)
12 March 2016
Nullcon, Goa
Outline
• Evolution of security in mobile networks
✓ 2G/GSM, 3G/UMTS, 4G/LTE
• Practical attacks against 4G/LTE
✓ Location and identity leaks
✓ Denial of service
• Vulnerabilities and attacks
• Impact
Motivation
• Baseband - GPS access rights (no Android or iOS)
– user is unaware
• Platform for practical security research in LTE/4G
– closed source telco industry
– 2G, 3G open source available - osmocom
Fake base-stations..1
• Used for: IMSI/IMEI/location tracking, call & data interception
• Exploit weaknesses in 2G & 3G (partially)
• Known as IMSI catchers, very expensive
• Difficult to detect on normal phones (Darshak, Cryptophone or Snoopsnitch)
Fake base-stations..2
LTE/4G
• Widely deployed, 1.37 billion users by end of 2015
• More secure than previous generations
• High speed data connection and quality of service
Fig. source: Wikipedia
4G Architecture
[Figure: 4G architecture diagram with labels UE, eNodeB, Cell, E-UTRAN, Tracking Area, S1, MME, Internet]
eNodeB: Evolved Node B (“base station”)
UE: User Equipment
E-UTRAN: Evolved Universal Terrestrial Access Network
S1: Interface
MME: Mobility Management Entity
Security evolution in mobile networks
[Figure: Base Station and Phone, compared across generations]
• 2G: no mutual authentication
• 3G: mutual authentication, integrity protection
• 4G: mutual authentication, deeper mandatory integrity protection
Figure annotation: decides encryption/authentication, requests IMSI/IMEI
Enhanced security in LTE
• Mutual authentication between base station & mobiles
• Mandatory integrity protection for signaling messages
• IMEI is not given in non-integrity messages
• Fake base-stations fail (partly)
• Stronger security algorithms (AES)
Challenge
➢ Analysis of access network protocols and integrity protection in practice
➢ LTE fake base stations: thought to be complex* and less effective
➢ But in practice:
✓ Implementation/configuration flaws, specification/protocol deficiencies?
* https://insidersurveillance.com/rayzone-piranha-lte-imsi-catcher/
Evaluating 4G Security: Experiment Set-up
• Hardware – USRP, 4G dongle, 4G phones
• Software – OpenLTE & srsLTE
• Base station and sniffer
Set-up cost - little over 1000 Euros!
Thanks to OpenLTE and srsLTE group!
Results
• Vulnerabilities in 4G specifications and networks
• Demonstrating impact by practical attacks
✓ Location and identity leaks
✓ Denial-of-service
Relevant 4G Features
• (Smart) Paging
• Diagnostic Reports from UE
• Mobility Management
Feature: Paging in LTE
Paging from base station
Paging Request
{404220522xxxxxx : A000FFFF }
IMSI = 404220522xxxxxx
“GUTI”= A000FFFF
Why: locate subscriber to deliver calls/messages
GUTI: Globally Unique Temporary Identifier
IMSI: International Mobile Subscriber Identity
Paging configuration vulnerabilities
passive attacker
Paging broadcast
Smart Paging
✓ sent onto a small cell instead of a big tracking area
✓ Allows attacker to locate 4G subscriber in a cell
GUTI persistence
✓ MNOs don’t change GUTI sufficiently & frequently
✓ MME configuration issues
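An operator-side check for the GUTI persistence issue above, as an added example that is not part of the original slides: it audits an MME event export and flags GUTIs that stay assigned too long or are kept across an ATTACH/TAU. The log format, subscriber labels, sample events and the 24-hour threshold are constructed assumptions.

```python
from datetime import datetime

# Constructed sample, not real data. Hypothetical export format (assumption):
# "<ISO timestamp> <event> <subscriber label> <GUTI assigned after the event>"
SAMPLE_LOG = """\
2016-03-01T08:00:00 ATTACH sub-A A000FFFF
2016-03-01T08:05:00 ATTACH sub-B B1110001
2016-03-01T09:10:00 PAGING sub-A A000FFFF
2016-03-01T12:00:00 TAU sub-B B1110002
2016-03-01T12:30:00 PAGING sub-B B1110002
2016-03-01T20:00:00 TAU sub-B B1110003
2016-03-02T09:12:00 TAU sub-A A000FFFF
2016-03-04T18:30:00 PAGING sub-A A000FFFF
"""

MOBILITY_EVENTS = {"ATTACH", "TAU"}  # points where the MME could reallocate


def parse_events(log_text):
    """Yield (timestamp, event, subscriber, guti) tuples; skip blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, event, subscriber, guti = line.split()
            yield datetime.fromisoformat(ts), event, subscriber, guti


def audit_guti_persistence(log_text, max_age_hours=24):
    """Flag GUTIs that outlive max_age_hours or survive a mobility event."""
    spans = {}  # (subscriber, guti) -> [first_seen, last_seen, mobility_count]
    for ts, event, subscriber, guti in sorted(parse_events(log_text)):
        rec = spans.setdefault((subscriber, guti), [ts, ts, 0])
        rec[1] = ts
        rec[2] += event in MOBILITY_EVENTS
    findings = []
    for (subscriber, guti), (first, last, mobility) in sorted(spans.items()):
        age_hours = (last - first).total_seconds() / 3600
        reasons = []
        if age_hours > max_age_hours:
            reasons.append("in use longer than %d h" % max_age_hours)
        if mobility > 1:
            reasons.append("not reallocated at ATTACH/TAU")
        if reasons:
            findings.append({"subscriber": subscriber, "guti": guti,
                             "age_hours": age_hours, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_guti_persistence(SAMPLE_LOG):
        print(finding)
```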
LTE Smart Paging
[Figure: Tracking Area containing Cell 1, Cell 2, Cell 3, Cell 4, Cell 5]
Feature: Reports from UE to eNodeB
• eNodeB can demand diagnostic reports from UE
✓ List of visible eNodeBs, signal strengths, UE’s GPS co-ordinates
• UE measurement reports
✓ Necessary for smooth handovers
• Radio link failure (RLF) reports
✓ Necessary for troubleshooting failures
Feature: Reports from UE to eNodeB
List of visible eNodeBs, signal strengths, UE’s GPS co-ordinates
RLF Reports (radio link troubleshooting)
Measurement reports (handovers)
Vulnerabilities in the feature
active attacker
Send me Measurement/RLF report
Specification
UE measurement reports
✓ Requests not authenticated
✓ Reports are not encrypted
Implementations
RLF reports
✓ Requests not authenticated
✓ Reports are not encrypted
✓ All baseband vendors
Feature: Mobility Management in 4G
TAU request
Tracking Area Update (TAU) procedure
✓ During TAU, MME & UE agree on network mode (2G/3G/4G)
✓ “TAU Reject” used to reject some services (e.g., 4G) to UE
Specification vulnerability: Reject messages are not integrity protected
Feature: Mobility Management in 4G
Security Capabilities
Supported Networks
Attach Request (turn ON)
Integrity protected
Security Capabilities
Specification vulnerability: Network capabilities not protected
IMEI leak: implementation vulnerability
• IMEI is leaked by popular phones
• Triggered by a special message
• Fixed now, but your device still leaks ;)
• IMEI request not authenticated correctly
TAU reject – special cause number!
Discovered Vulnerabilities in 4G
Specification
• UE measurement reports
✓ Requests not authenticated: reports are not encrypted
• Tracking Area Update (TAU) procedure
✓ Reject messages are not integrity protected
• Attach procedure
✓ Network capabilities are not protected against bidding down attacks
Implementations: (baseband vendors)
• IMEI leak
• RLF reports
✓ Requests not authenticated: reports are not encrypted
Attacks: Location leaks
Location Leaks: Coarse level
Semi-passive Attacker Locate inside (TA and cell)
paging
Target
to Target
Location Accuracy: 2 Sq. Km
Mapping GUTI to Social Identity
Location Leaks: Precise level
Active attacker
Target
Measurement/RLF reports
Location Accuracy: 50 meters (or) GPS co-ordinates
Attacks: Denial of service
DoS
DoS
Exploiting specification vulnerability in EMM protocol!
• Downgrade to non-LTE network services (2G/3G)
• Deny all services (2G/3G/4G)
• Deny selected services (block incoming calls)
• Persistent DoS
• Requires reboot/SIM re-insertion
Impact
All (4) affected baseband manufacturers
✓ Responsible disclosure of bugs: acknowledged and patches released
✓ But OEMs do not yet have security updates to phones
Network operators
✓ Configuration issues were acknowledged and fixed
Standards organizations
✓ Security issues presented at SA3 (in Anaheim, Nov 2015) and GSMA
✓ Changes into LTE specifications are in progress
Social network applications
✓ Facebook no longer supports completely silent messages
Conclusions
• New vulnerabilities in 4G standards/chipsets
• Operator configurations do not follow best practices
• Lead to attacks:
✓ Social applications used for silent tracking
✓ Locating 4G devices using trilateration, GPS co-ordinates!
✓ DoS attacks are persistent & silent to users
Solution!
Use any old Nokia phone without battery and SIM card!
Thank You.
Questions?