In the following we will discuss some considerations about the use of the proposed roaming protocol suite, many of which are fundamental to all roaming schemes.
3.12.1 Access of the FN to Transmitted Plaintext
The roaming protocol suite prevents identification of the users by mechanisms re- quired during connection setup, payment, and clearing. However, as the FN routes the traffic between the MD and the Internet, the FN is able to read and possibly manipulate the traffic. Security and privacy critical Internet services can be pro- tected with TLS, tunnels, and similar means, but the protection of traffic exchanged between the mobile device and the Internet is out of scope in our roaming scenario.
3.12.2 Side Channel Attacks on Privacy and Confidentiality
The roaming protocol suite does not (and cannot) prevent attacks on the confiden- tiality of the data exchanged and so-called side channel attacks on the user’s privacy. In general, a side channel attack uses data leaked from a real-world system in an unintended way, e.g., traffic patterns, timing, and power use. In our protocols, the identity of the MD is hidden from the FN, and the MD is unlinkable to the FN (and the Hop). The unlinkability of the MD can be attacked using a number of attack vectors, as well as the confidentiality of MD’s traffic. These are not weaknesses in our protocol, but general issues with Internet access providers which will be briefly discussed here.
MAC Address of the Mobile Device
The most important and most obvious threat on unlinkability of the MD is the MAC address of MD’s wireless network interface. The MAC address is set by the manufacturer, globally unique, and usually never changes. Changing the MAC ad- dress is called MAC spoofing. MAC spoofing is sometimes used to bypass access control lists. A typical scenario is an open commercial WLAN network, where the automatic redirection to the login page is disabled for devices with registered MAC addresses. The attacker observers the traffic in the network until he has obtained the MAC address of a device with a lot of traffic to the access point. Then, the attacker spoofs its MAC address, thus obtaining access beyond the redirection page, usually to the Internet [108]. To avoid interference with the legit owner of the MAC address, the attack can be delayed until the legit user ceases activity.
There are no rules in the WLAN standard [1] about MAC spoofing. Therefore, we recommend privacy aware users to randomize their MAC address before each session, and before actively probing for available networks20. This prevents tracking of the MD based on the MAC address.
20
Probing can be done passively or actively to discover networks with hidden SSID. For the scope of this solution, no active probing is required.
3.12. Further Concerns 121
Host Names
The same ideas about MAC addresses also apply to host names of any kind. Host names are chosen by the user for his device, usually only once. There are many services capable of communicating a host name to other parties on the network, e.g., the Network Information Service (NIS), the Lightweight Directory Access Protocol (LDAP), the Domain Name System (DNS), the Server Message Block (SMB), and the Network Basic Input/Output System (NetBIOS)21. To facilitate unlinkability of
a mobile device to the FN, these services need to be disabled during WLAN sessions (or blocked using a firewall), or the host name must be chosen randomly before connecting to an access point operated by a foreign network.
TCP Timestamps
On the TCP layer, hosts can be identified by taking advantage of certain character- istics of TCP timestamps: The timestamp clock rate is constant for a given host. Therefore, the timestamp clock rate and boot time allow identification of the host [92]. The same mechanism can be used to recognize that the same host has used an access point before. This would allow tracking of the MD by the FN and the Hop, and is therefore an attack on unlinkability. However, the characteristics of the TCP timestamp depend on MD’s boot time. Therefore, an attacking FN cannot link the MD when it was rebooted between two service uses at the same FN/Hop.
Traffic Analysis
Traffic analysis is an attack on confidentiality by analyzing messages to recognize patterns within the communication without requiring the contents of the communi- cation [118]. Metadata like frequency, size, direction, and timing of packets can be used. Website fingerprinting is the application of traffic analysis to recognize web- sites accessed over an encrypted link. In the work of Herrmann et al. [76], previously generated profiles of public websites are compared to the data accessed by the user in an encrypted way. A detection rate exceeding 90% is achieved to recognize users accessing an encrypted site using OpenSSH, OpenVPN, Stunnel, Cisco IPsec-VPN, Tor, and JAP in a set of 775 previously selected web sites.
In our roaming scenario and any other Internet access service, this attack is possible for the Hop and the FN when the MD uses an encrypted connection, e.g., using IPsec or TLS. As a countermeasure, the MD can cause additional bogus traffic to other sites.
3.12.3 Lawful Data Retention
In many jurisdictions, Internet access operators are required by law to keep records of who accesses the Internet during which period of time using which IPs. This is
21
Not all of these services are present and enabled by default in common end users operating systems.
122 Chapter 3. Roaming in Wireless Networks
commonly called data retention or data preservation, or „Vorratsdatenspeicherung“ in Germany. In the European Union, data retention is required [60].
In Germany, it is currently unclear whether operators of WLANs are responsible for what visitors are doing [129]. This liability risk has lead to reluctance to provide WLAN at all in restaurants, coffee bars, etc.
In the roaming solution presented in this chapter, it is possible to support lawful data retention when the FN and the HN cooperate. In this case, the FNs need to keep lists of the IPs assigned during which time for each encrypted pseudonym
EKM H(ID(MD)) that was used. The HNs already need to keep track of ID(MD), KM H, and real identities for billing purposes.
When a court order is given to the FN to reveal the identity of the user behind a certain IP and time period, the FN looks up the EKM H(ID(MD)) that used the
IP during that time and returns it to law enforcement. Law enforcement forwards the request and EKM H(ID(MD)) to the HN. The HN discloses the real ID behind ID(MD) and the original query to the requesting agency.
When a court order is given to the HN to reveal the IPs used at a certain time by a certain user whose identity is known, the HN creates a list of EKM H(ID(MD)) values used by the user and a list of FNs with which it had roaming agreements during the period in question. These lists are sent back to law enforcement. Law enforcement forwards the list and the court order to all FNs listed by the HN. The FNs respond by sending time periods and IPs for connections using matching values of EKM H(ID(MD)) to the requesting agency.