Putting LTE Security Functions to the Test: A Framework to Evaluate ...

Putting LTE Security Functions to the Test:

A Framework to Evaluate Implementation Correctness

Kai Jansen

Ruhr-University Bochum

David Rupprecht

Ruhr-University Bochum

Christina Pöpper

NYU Abu Dhabi

More than 8 billion mobile subscribers

estimated for 2019 [1]

Image source: http://www.mypostcard.com/blog/wp-content/uploads/2015/06/mypostcard_app_iphone_reise_travel.jpg

3Image source: http://www.blogcdn.com/slideshows/images/slides/279/787/9/S2797879/slug/l/vacation-1.jpg

4

Eavesdropping of

unencrypted data

5

LTE provides

mutual authentication

and encryption

6

Implementation flaw:

Undermine LTE security

7

Implementation flaws in LTE

devices

Eavesdroppingon private information

Testing securityfunctions of

devices

Putting LTE Security Functions to the Test

LTE Architecture

Communication Establishment and Security Algorithms

9

LTE Architecture

User Equipment

UE

10

LTE Architecture

eNodeB

Evolved Node B

UE

11

LTE Architecture

Mobility Management Entity

eNodeB

MME

UE

12

LTE Architecture

eNodeB

Home Subscriber Server

HSS

MME

UE

13

LTE Architecture

E-UTRAN EPC

MME

HSS

eNodeB

Internet

Access Stratum (AS)Non-Access Stratum (NAS)

UE

14

Security Procedures

eNodeBUE HSSMME

1a. Authentication and Key Agreement

2. NAS Security Mode Command (EEAX, EIAX)

3. AS Security Mode

Command (EEAX, EIAX)

1b. Authentication

Information Request

15

Security Algorithms

eNodeBUE HSSMME1a. Authentication and Key Agreement


3. AS Security Mode


1b. Authentication

Information Request

Security algorithms are

selected by the provider

16

Security Algorithms



3. AS Security Mode


1b. Authentication

Information Request

Encoding Integrity Ciphering Algorithm

X000X000 EIA0 EEA0 NULL

X001X001 128-EIA1 128-EEA1 SNOW3G

X010X010 128-EIA2 128-EEA2 AES

X011X011 128-EIA3 128-EEA3 ZUC



17

Security Algorithms



3. AS Security Mode


1b. Authentication

Information Request



X001X001 128-EIA1 128-EEA1 SNOW3G

X010X010 128-EIA2 128-EEA2 AES

X011X011 128-EIA3 128-EEA3 ZUC

Null Algorithms:

No Security



18

NULL Algorithms



Null Integrity:

Emergency calls even

when no key is available

Image source: https://www.percona.com/sites/default/files/icons/emergency.png

19

NULL Algorithms



Null Encryption:

1. Ciphering indicator

2. SIM card flag

3. User interface

Framework

Design and Tests

21

Baseband

• Processor for communication: Qualcomm, HiSilicon, Mediatek, Samsung

• (Proprietary) Baseband is always exposed

Security functions are

implemented on the Baseband

22

Approach

Reverse Engineering

CMP r0, r1ADDGE r2, r2, r3ADDLT r2, r2, r4

23

Approach

Test Cases Test Cases

Fuzzing of input Validation of output

Reverse Engineering


24

Approach



Design Criteria

• Low-cost

• Automated testing

• Portability

Reverse Engineering


25

Approach



Reverse Engineering


Fuzzing (our choice)

Design Criteria

• Low-cost


• Portability

26

Tests



X011X011 128-EIA3 128-EEA3 ZUC

X100X100 EIA4 EEA4 Not specified

… … … …

• Undefined Values

• Sequence of Messages

• Ciphering Indicator with Null Encryption

eNodeBUE

MME

1. Authentication and Key Agreement


3. AS Security Mode


27

Framework Architecture

28


29


30



Low-Cost Hardware

• Ettus B2X0

• BladeRF

• LimeSDR

Evaluation

Analysis Results

33

ResultsNone of the devices show the

Ciphering Indicator

34

ResultsNull Integrity Algorithm:

Normal data connections

35

Results

CommercialNetworkUE


2. NAS Security Mode Command (EEA0, EIA0)

3. AS Security Mode Command (EEA0, EIA0)


Attacker

Conclusion

37

Conclusion

Implementation Flaws can

Undermine the LTE Security

• No Ciphering Indicator

• Authentication procedure

Attacker

38

Conclusion

LTE Security Testing

Framework

• Low-cost

• Software Defined Radio


• Logical implementation flaws





Attacker

39

Conclusion

Standard Test of Security

Functions

• Standard Radio Testing

• Standard Security Testing


Framework

• Low-cost








Attacker


40

Thank You! Questions?

Standard Test of Security

Functions

• Standard Radio Testing

• Standard Security Testing


Framework

• Low-cost








Attacker


UEK

MMEHSS

K

1. Authentication Information Request(IMSI)

2. Authentication Information Answer(RAND, XRES, AUTN, KAMSE)

a) Check AUTNb) Compute RESc) Compute K AMSE

Check RES == XRES

eNodeB


Attach Request(IMSI)

2. NAS Security Mode Command

3. RRC Security Mode Command

1. NAS Security Mode Command(EIA, EEA, MAC(EIA,EEA))

2. NAS Security Mode CompleteMAC()

3. Authentication Request(RAND, AUTN)

4.Authentication Response(RES)

1. Initial Context Setup(KeNodeB)2. RRC Security Mode Command

(EIA, EEA, MAC(EIA,EEA))

3. RRC Security Mode CompleteMAC()

Attach Accept

Attach Complete

Backup

Putting LTE Security Functions to the Test: A Framework to Evaluate ...

Documents

Transcript of Putting LTE Security Functions to the Test: A Framework to Evaluate ...