Mobile Phone Network Security
Internet Security [1] VU
Adrian Dabrowski, Markus Kammerstetter,
Georg Merzdovnik, Stefan Riegler and Aljosha Judmayer inetsec@seclab.tuwien.ac.at
Mobile phone networks
– 1G • Not standardized – 2G (GSM) • From 1980es • Introduced SIM • Started as CS, now PS – 3G (UMTS) • From 1990es – 4G (LTE) • From 2000nd Planes – User Plane • Voice, Data, SMS – Signaling Plane • Call setup, ... – Management Plane • Network organizationStructure of a 2G/3G System
Legend
User Equipment (UE) → Radio Access Network (RAN) → Core Network (CN)
Universal Terrestrial Radio Access Network (UTRAN) GSM/EDGE Radio Access Network (GERAN)
GPRS Support Node (SGSN)
Gateway GPRS Support Node (GGSN) Mobile Switching Centre (MSC)
Radio Layer
Physical Channels != Logical Channels Broadcast Channels
– Carry “Beacon” Information
– Paging & signaling to idle devices – Unencrypted
Dedicated Channels
– Communication to a specific UE(ME). – Often encrypted
GSM Encryption
A5/0
– No encryption, banned from many networks (i.e. Tmobile Austria)
A5/1
– Standard today A5/2
– Export Version, broken 199 A5/3 + 4
IMEI – IMSI - TMSI
International Mobile Equipment Identifier – The phone
International Mobile Subscriber Identifier – The SIM card (i.e., the user)
Temporary Mobile Subscriber Identifier – A temporary UserID / SessionID
– (should) Prevent tracking since signaling plane is unencrypted
Attacks: TMSI deanonymization
– TMSI deanonymization • Record Paging Traffic
• Call known Number, hangup before full channel setup (=before starts ringing)
• Use set of recorded pages to filter candidates – Aka sieve
Attacks: Internet interconnectivity
– GPRS tunneling over Internet
• Publicly reachable tunnel endpoints have been found via port scanning at several Telcos
– DNS infrastructure,
Attacks: SIM Cloning
– COMP128 weakness
• Key derivation algorithm
• Secret key recovery by analyzing thousands of responses
• SIM card cloning
• Used via programmable multi-SIMs and development SIM cards
Attacks: Decryption
– GSM Cipher
• Rainbow tables available (~2TB)
• Decode session key (eavesdropping) • In seconds...
Attacks: SS7
– SS7 Attacks
• “Signaling System 7”
– Signaling Backbone within and between many Telcos
– Telcos fully trust each other • e.g. Anytime Interrogation
– Find cell ids (=location) of any phone • Share Session key in case of roaming, etc
Attacks: IMSI Catchers aka
Stingray
Used for
– Tracking users
– Eavesdropping calls, data, texts – Man-in-the-Middle
– Attack phone using operator system messages (e.g. Management Interface, reprogram APN, HTTP-Proxy, SMS/WAP-Server...)
– Attack SIM (c.f. SIM card rooting, otherwise filtered by most mobile carriers), Attack Baseband
– Geotargeting ads (e.g. SMS)
A Mobile Network
with a Mobile Station
A wild IMSI Catcher appears –
A Real Network
Cell tower density
“IMSI Catchers”
Identification only
Retrive
IMSI / IMEI / TMSI
Reject Location Update Tracking
Traffic Man-in-the-Middle
Hold in Cell
Actively intercept traffic
– Relay to real network – Active or passive
decryption
Hold but intercept passively
Imprison in cell, so phone is not lost to a neighbor cell UMTS downgrade Blocking UMTS transmission Spoofing System messages
“IMSI Catchers”
IC: Car Installation
IC: Car Installation
Car Installation
IC: Car Installation
IC: Car Installation
Body IMSI Catcher
Only for Law Enforcement?
Known Producers
– Rohde & Schwarz – Gamma Group – Ability – IAI Elta – Septier – Meganet – NeoSoft – Proximus – Cyttek – …
DIY – USRP based
– Kirstin Paget • DEFCON 19 • US$1,500 – D. Werhle • Master's Thesis • Freiburg – B. Postl • Master's Thesis • Vienna
How to catch an
IMSI Catcher?
Artifact: Frequency
Unused or guard channel
• Only found in Full Scan
Announced neighbor freq., but unused
• Careful not to create interference Detactability – Frequency plans • e.g. radio regulatory • Self created
Artifact: Cell ID
New CID/LAC needed – To provoke
“Location Update Request”
– Random?
– Use real one not used in that
geographical region
Detectability
– Cell IDs are very stable – Cell Database (local) • Also for frequencies – Correlation with GPS coordinates
Artifact: Location Update /
Register
Just providing a better signal Is not enough
– Timers, Hysteresis – Unpredictable
radio environment RF Jamming?
– Forcing full scan
Detectability:
– Watching noise levels
Artifact: UMTS handling
Downgrading to GSM – e.g. Mayer and
Wetzel, 2005 [1] • GSM layer in most deployed UMTS networks – (selectively) Jamming – Downgrade LUR – Others... Detectability:
– Noise and Signal levels – Database of regions where UMTS is available, and GSM usage is unlikely • Cell Database
[1] Mayer and Wetzel, “A man-in-the-middle attack on UMTS”, ACM Workshop on Wireless security, 2005
Downgrade 4G → 3G → 2G
Pre-authentication traffic is unprotected
- includes GET_IDENTITY (IMSI, IMEI)
Location Updates can be rejected unauthenticated
– Needed for Roaming case
– Reject cause: “You don't have a
subscription for this service”
Encryption
Older IMSI Catchers:
Downgrade encryption to 'none' (A5/0)
A5/1 and A5/2 can be decrypted with rainbow tables
– In realtime
A5/3 rolled out at the moment
– IC will have to do active MITM again
Detectability: – Cipher Indicator • Feature request in Android, 2009, assigned 2013 – Roaming!
Artifact: Cell Imprisonment
Networks provides up
to 32 neighbor
frequencies
– MS stores typ. 6+1 – Used for hand
overs, LAR, …
IC will likely provide an
empty (eq.) NL
– To not loose phone to a neighbor cell
Detectability:
Traffic forwarding
a) relay via other MS – Loose caller ID – No incoming calls b) via SS7 or similar – Caller ID correct – Loose incoming calls
c) recover secret SIM key
– Impersonate to
network with victims identity
Detectability:
Usage Pattern
Identification Mode – Short living cells MITM Mode
– Longer living cells
Both:
– Unusual locations for cells
Cell capabilities and parameter
fingerprinting
Cell capabilities & parameters
Organization of logical channels on physical channels
Timeout values
Can be different on each cell, but typically they are the
same over the whole network
– Differ between networks
Detectability:
– Cell and network database
Network Monitor Mode
Two approaches
Mobile IMSI Catcher Catcher – Standard Android API – No need to root phone – No need for a specific chipset (e.g. GoldX) – Easy Interface Stationary IMSI Catcher Catcher – Network of measuring stations – Good locations, larger coverage – Cheap • RaspberryPi based
Two approaches - Features
Mobile IMSI Catcher Catcher – GPS + Neighbor cell listing • Geographical correlation • Cell-IDs – Cell Capabilities – RF and NCL manipulations – Limited to NCL but mobile Stationary IMSI Catcher Catcher – Cell-ID mapping – Frequency usage – Cell lifetime – Cell capabilities, network parameters – Jamming
WIP: Network operator has no
global view
Currently in a project with a major Austrian carrier – Finding IMSI Catcher based on operator data Network operator has no global view
– Some transactions are designed decentralized – One transaction can leave trace on many
levels/protocols
– 2G/3G/4G interaction grown historically
– Monitoring solutions have to carry high load
• e.g. > 100K LUR/min
Work in Progress
Verified with USRP based IMSI Catcher
– Need commercial devices for testing Build dense measurement network – Goal: 20-40 stations Implement 3G + LTE Android-APP
– Fine tune ruleset for everyday situations – Problem zones:
• Tunnels
(Bachalor's and Master's)
Thesis' opportunities
– Port 2G broadcast sniffing to FPGA (BladeRF) – Implement 3G
• GNU Radio , SDR
– Implement 4G
• GNU Radio, SDR
– Implement client stack – More ideas?