In document Mobile communication security (Page 81-87)

Hellman attack, with these parameters. The Rainbow Table attack probably has the least duplicates of all.

4.7 Related work

Some of the discussed TMTO methods have previously been compared with each other. Most of these publications compare the trade-off curves of the attacks [16, 45], which give the rate at which extra memory can be traded in for a reduced attack time. Such a curve is $M^2 T = N^2$ for both the Hellman and the Distinguished Points attack, with $M$ the memory cost, $T$ the time cost of the online phase, and $N$ the size of the search space. Our comparisons are not based on trade-off curves, because we feel that these curves hide too much of the real costs of such attacks, such as the seek times in the online attack or the precomputation effort. Biryukov and Shamir compare Hellman's attack with Distinguished Points [16] and Erguler et al. compare Hellman's attack with Rainbow Tables in [45]. Barkan et al. [11] make a comparison within a new theoretical framework and find the Distinguished Points attack better than the Rainbow Table attack, mainly because the stored values of a Distinguished Points table can be shortened. In a more elaborate study Hong et al. find the Rainbow Table attack to outperform the Distinguished Points attack by a small margin for single-sample attacks [100]. These comparisons seem to contradict each other, though Hong provides an argument why the earlier result by Barkan et al. is faulty. Still, the question of which TMTO attack has the lowest cost in terms of time and memory seems to be open to debate.
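The trade-off curve quoted above records only $M$ and $T$. As an added worked derivation (not part of the thesis text), here is where $M^2 T = N^2$ comes from for Hellman's attack under his own parameter choice, using the symbols of this chapter: assume $t$ tables, each built from $m$ start points with chains of length $t$, and Hellman's constraint $mt^2 = N$.

\[
M = m \cdot t \quad (\text{one stored chain per start point and table}), \qquad
T = t \cdot t = t^2 \quad (\text{at most } t \text{ steps in each of } t \text{ tables}),
\]
\[
M^2 T = (mt)^2 \, t^2 = m^2 t^4 = (mt^2)^2 = N^2 .
\]

The same counting gives $M^2 T = N^2$ for Distinguished Points with $t$ the expected chain length. What the curve drops is exactly what the rest of this section argues about: the $mt \cdot t = N$ evaluations of the precomputation, the table lookup Hellman's online phase performs at every step (Distinguished Points looks up once per chain, at the distinguished endpoint), and the points lost to chain merges.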

In 2008 Hong et al. [99] already combined Distinguished Points with Rainbow Tables, but in a different way from the Fuzzy Rainbow Table construction. Their combination does not improve on the plain Distinguished Points or Rainbow Table attacks.

We were unaware of any earlier analysis of the Fuzzy Rainbow Table attack at the time of the original publication this chapter is based on. The attack had been considered in work by Krhovjak et al. [112], where they use it as a practical example of an attack against A5/1, but they provide no analysis and make no comparison with the earlier attacks. Shortly after our publication Hong et al. published an in-depth analysis of the Fuzzy Rainbow Table attack [110], based on an earlier eprint publication [109], in which they compare the non-perfect Fuzzy Rainbow Table attack with both the perfect and the non-perfect Rainbow Table attack. They find that a Fuzzy Rainbow Table is better than a Rainbow Table on almost all fronts for low success rates. For higher success rates the difference is smaller but remains in favour of Fuzzy Rainbow Tables, though the Rainbow Table achieves a higher maximum success rate than is possible with Fuzzy Rainbow Tables.

Though we share the conclusion of [110] that Fuzzy Rainbow Tables are better than Rainbow Tables, we find the Distinguished Points attack to be better than both. This difference in findings can be partly explained by the somewhat arbitrary parameter choices for the comparison, such as the required chance of success, and by our difference in focus: we focused on worst-case multi-sample attacks, while Hong et al. focused on average-case single-sample attacks. Still, this would not seem to explain all differences, and certainly the comparison by Hong et al. is more extensive than ours, incorporating for instance false alarm costs and the storage benefits of the different approaches. However, many more factors remain unresearched, such as possible parallelism benefits for the different approaches, and the differences remain small enough that the particularities of a specific attack situation could sway the choice in favour of any of the algorithms.

4.8 Conclusions

We have presented our analysis of the cost of the Fuzzy Rainbow Table TMTO attack. This attack is used to break GSM’s A5/1 cipher. We have also given a comparison of the costs of Fuzzy Rainbow Table and three older TMTO attacks: Hellman’s original attack, Distinguished Points, and Rainbow Tables.

Our comparison is more detailed than earlier work comparing the three older forms of attack. Most earlier work compared the trade-off curves of these well-known attacks [16, 45]. This tells us the rate at which extra memory can be traded in for reduced time, but completely ignores some important costs, namely the precomputation time, the seek times, and the number of unique points covered by an attack. We do consider these costs in our comparison: for each attack we give the memory and time costs, with the time cost split into precomputation time, online computation time, and number of disk seeks.

In our comparison in Section 4.4 the new Fuzzy Rainbow Table attack performed well, with the lowest memory cost of all attacks and the ability to identify chain merges as its major benefits. Only Distinguished Points seems a better choice in comparison: it has a higher memory cost, but the lowest online attack costs. The better-known Rainbow Tables are only interesting for attacks where just a single sample of plaintext-ciphertext is available, as they are outperformed by Distinguished Points for multiple samples.

Another limitation of comparisons of trade-off curves for the different approaches is that these curves are invariably made under the assumption that the table sizes are always chosen so that $mt^2 = N$. We see no convincing reason to constrain the choice of parameters in this way. Hellman used the constraint $mt^2 = N$ to compute a nice bound for the chance of success of his attack, but other choices for $m$ and $t$ that do not satisfy this constraint might perform better in concrete instances.

Since the publication of our research in 2013 [176], a more detailed analysis of TMTO attacks has been published by Hong et al. [110], which shows the Fuzzy Rainbow Table attack to be the best choice for single-sample attacks in the average case. Still, the differences between the attacks remain marginal and there remain enough unresearched factors, such as possible parallelism benefits, to keep the question of the best TMTO attack open.

We still abstract away from certain practical costs in our analysis. We count 2 words for each chain entry, while in practice an attacker can store less than this. Also, we count each disk seek as a single cost step, which again in practice can be quite different due to caches. All of these abstractions would be interesting to consider in future work.

One factor that we still have not been able to quantify precisely in our comparison is the chance of duplicates during the precomputation of the tables. We conjecture that the effectiveness of the Fuzzy Rainbow Table attack is in fact lower than our current results suggest when the number of duplicate values is taken into account. The informal analysis of the expected number of chain merges in Section 4.4 shows that the Fuzzy Rainbow Table has a higher chance of chain merges than the other attacks when the number of rainbow colours in the Fuzzy Rainbow Table approach is chosen to achieve a lower memory cost.

To compensate for this we attempted two ways to improve Fuzzy Rainbow Tables, which we dubbed thick Fuzzy Rainbow Tables and thin Fuzzy Rainbow Tables. However, neither attempt improved on the Fuzzy Rainbow Table approach; in fact both only made matters worse.

Estimating the chance of duplicates during precomputation is the most difficult aspect of achieving a fair comparison. Over 29% of all chains created in the Fuzzy Rainbow Tables used to break A5/1 ended up merging with existing chains, showing that chain merges can indeed be a significant factor when comparing TMTO attacks. We know of no way to compute the expected number of chain merges for the general case, or indeed for any non-trivial practical cipher. Since a theoretical analysis of the chance of duplicates seems very difficult, we think that further research which collects empirical data from practical experiments in constructing TMTO tables may be the best way to shed light on this.
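The two open points of these conclusions, that the parameter choice need not satisfy $mt^2 = N$ and that the merge rate is best learned empirically, can both be explored with a small precomputation harness. The following is an added example written for this edition, not code from the thesis or from its A5/1 tables: the one-way function `f` (truncated SHA-256 over a toy space of $N = 2^{14}$), the reduction function, the constant `COLOUR_STEP` and the parameters `m`, `t` and `dp_bits` are all assumptions, and `"rainbow"` builds a plain Rainbow Table, not the fuzzy variant. With the same `m` and `t` it precomputes a Hellman table, a Distinguished Points table and a Rainbow Table, counts every evaluation of `f` that landed on a point an earlier chain already covered, counts chains that merged into an earlier chain's path, and runs the online phase with regeneration so that false alarms are caught rather than reported as keys.

```python
"""Toy TMTO tables for measuring chain merges empirically. Added example for this
chapter, not code from the thesis: f, the reduction, N = 2**14 and all parameters
are constructed, and "rainbow" is a plain Rainbow Table, not the fuzzy variant."""
import hashlib
import random

N = 1 << 14              # toy search space (A5/1 would need 2**64)
COLOUR_STEP = 0x9E37     # assumed constant giving each rainbow colour its own reduction


def f(x: int) -> int:
    """Toy one-way function (truncated SHA-256) standing in for key -> keystream."""
    h = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big") % N


def reduction(y: int, colour: int) -> int:
    """Map an output back into the search space; colour 0 for Hellman and DP chains."""
    return (y + colour * COLOUR_STEP) % N


def build_table(m: int, t: int, kind: str, seed: int = 1, dp_bits: int = 4):
    """Precompute one table of m chains of at most t steps; kind is "hellman" (fixed
    length, one reduction), "dp" (stop at a point whose low dp_bits are zero) or
    "rainbow" (reduction changes per column). Returns (table, stats): table maps
    endpoint -> start; stats counts f() calls on points an earlier chain already
    covered (duplicates) and chains that joined an earlier chain's path (merges)."""
    rng = random.Random(seed)
    table, covered, paths = {}, set(), set()
    stats = {"computed": 0, "duplicates": 0, "merged_chains": 0, "discarded": 0}
    for _ in range(m):
        x = start = rng.randrange(N)
        merged, end = False, None
        for col in range(t):
            colour = col if kind == "rainbow" else 0
            stats["computed"] += 1
            stats["duplicates"] += x in covered
            covered.add(x)
            merged |= (colour, x) in paths   # same point under the same reduction
            paths.add((colour, x))
            x = reduction(f(x), colour)
            if kind == "dp" and x & ((1 << dp_bits) - 1) == 0:
                end = x                      # distinguished point reached
                break
        if kind != "dp":
            end = x
        if end is None:                      # DP chain hit the length cap: thrown away
            stats["discarded"] += 1
            continue
        stats["merged_chains"] += merged
        table.setdefault(end, start)         # a repeated endpoint is a merge made visible
    stats["unique"] = len(covered)
    return table, stats


def regenerate(start: int, y: int, t: int, kind: str):
    """Walk a chain from its start; return the x with f(x) == y, or None (false alarm)."""
    x = start
    for col in range(t):
        if f(x) == y:
            return x
        x = reduction(f(x), col if kind == "rainbow" else 0)
    return None


def lookup(table: dict, y: int, t: int, kind: str, dp_bits: int = 4):
    """Online phase: return some x with f(x) == y, or None. Every table hit is
    verified by regeneration, so a false alarm never yields a wrong answer."""
    if kind == "rainbow":
        for c in range(t - 1, -1, -1):       # guess that y was produced in column c
            x = reduction(y, c)
            for col in range(c + 1, t):
                x = reduction(f(x), col)
            if x in table:
                cand = regenerate(table[x], y, t, kind)
                if cand is not None:
                    return cand
        return None
    x = reduction(y, 0)
    for _ in range(t):
        is_dp = x & ((1 << dp_bits) - 1) == 0
        if (kind == "hellman" or is_dp) and x in table:   # Hellman seeks at every step
            cand = regenerate(table[x], y, t, kind)
            if cand is not None:
                return cand
        if kind == "dp" and is_dp:
            return None                      # reached a DP that no stored chain ends in
        x = reduction(f(x), 0)
    return None


def merge_report(m: int = 256, t: int = 32, seed: int = 1) -> dict:
    """Same m and t for each kind; how much precomputation hit already covered points."""
    report = {}
    for kind in ("hellman", "dp", "rainbow"):
        table, s = build_table(m, t, kind, seed)
        report[kind] = {"stored_chains": len(table), "coverage": s["unique"] / N,
                        "duplicate_fraction": s["duplicates"] / s["computed"],
                        "merged_chains": s["merged_chains"], "discarded": s["discarded"]}
    return report


if __name__ == "__main__":
    for kind, r in merge_report().items():
        print(f"{kind:8s} {r}")
```

The `merged_chains` count is what the chapter's 29% figure measures; `duplicate_fraction` is the wasted precomputation it implies. Varying `m` and `t` away from $mt^2 = N$ (here $m = 16$, $t = 32$ for one Hellman table) shows how quickly the duplicate fraction rises once $mt$ approaches $N$, and the `discarded` count for `"dp"` is the length-cap cost that Distinguished Points pay and the other two do not.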

Chapter 5

Femtocell security

The previous two chapters looked into attacks on the wireless part of mobile telephony networks. Because of the nature of wireless broadcasts, it is usually easier (or at least less risky) to perform an attack on the wireless connection than to attempt to compromise network equipment, which is usually securely stored in hard-to-reach places, e.g. on top of high masts or buildings. The scenario of attacking network equipment has become much more realistic with the introduction of femtocells. Femtocells are low-powered cellular base stations for mobile telephone networks, meant for home use but still managed by the provider. They are an increasingly popular solution, with the number of deployed femtocells steadily rising and the market reaching a value of $1 billion USD in 2016 [155].

However, femtocells also introduce a number of security concerns. Several earlier femtocells have been hacked to varying degrees and analysed. Naturally, the industry has responded and is trying to create more secure femtocells.

Femtocells introduce a new attack vector into mobile networks; one that is easier to exploit than traditional cell towers, but that also provides slightly different privileges to attackers. They are the most likely source of an attack by our non-network attacker (Section 1.1.2) and as such warrant a thorough security analysis.

This chapter looks at the theoretical security implications of introducing a possibly compromised femtocell into a mobile telephony network. Furthermore, this chapter details a practical experiment to assess the security measures modern femtocells take against attacks.

This chapter is based on the paper Femtocell Security in Theory and Practice, presented at the 18th Nordic Conference on Secure IT Systems, NordSec 2013 [178]. Apart from some small changes to better embed the article within the rest of this thesis, the publication has been included as this chapter practically verbatim.

5.1 Introduction

In mobile telephony networks such as GSM, UMTS and EV-DO (an American counterpart to UMTS), service is provided through many antennae that each cover a geographic area. These areas are called cells and can range in size based on the transmission power of the signal and the available bandwidth. Within each cell the coverage is influenced by local propagation conditions, which can result in blind spots where signal reception is so poor that no service is available. To solve this, small cells can be created within these blind spots, each with a low-power antenna that operates on a different frequency from its containing cell.

Small cells can have different sizes, which are usually subdivided into microcell, nanocell and femtocell, from small to smallest. The normal, much larger, cell size is referred to as macrocell. The distinction between the types of small cells is not officially defined, but typically a microcell covers an area the size of a shopping mall or a transportation hub, a nanocell covers a small business or an office floor, and the femtocell a small house or several rooms [155].

Besides the coverage size there is a more important distinction between the femtocell and the other small cells. Microcells and nanocells are installed and maintained by the provider and connect directly to the provider's core network, while the femtocell is a consumer-installed (and owned) device that connects to the core network of the provider through the consumer's broadband connection. Naturally this introduces several new security risks for both provider and consumer, since a low-cost device is now placed at the consumer's home which has the ability to act as an authentic cell tower and connects to the provider's back end over an untrusted channel.

A femtocell device is a small box with a power and Ethernet connector and at least one antenna. Some femtocells have GPS on board to verify their geographical location. All of them can listen to neighbouring cells in order to run on a non-interfering frequency. Usually femtocells contain a dedicated chip that is specifically made for femtocell devices. These chips consist of a baseband processor, a cryptographic processor and a general-purpose processor. All of the femtocells analysed so far run some lightweight form of the Linux operating system.

The rest of this chapter is structured as follows. Section 5.2 gives an overview of femtocells within a cellular network. Section 5.3 gives an overview of the femtocell security model we assume and the most likely attack vectors. In Section 5.4 we discuss possible attacks offered by a compromised femtocell against the 3GPP security goals for UMTS and LTE. A practical security analysis is presented in Section 5.5, where we successfully compromise a modern femtocell (the Vodafone SignaalPlus Plug & Play). Finally, we discuss our conclusions and some ideas for future work.

Related work

3GPP, the standardisation body for the GSM, UMTS and LTE systems, has specified the use of femtocells within mobile telephony networks. Of these specifications TS 25.467 [64] and TS 33.320 [63] are the most interesting; they detail respectively the architecture and the security architecture of the femtocell (called a Home NodeB or HNB).
