Cellular Network Security Part 2
Transcript
Recap from last week

Basic concepts of mobile telephony
• Calls, paging, HLR/VLR, SS7, operators, SIM cards, crypto…

Common theme: security vs performance vs cost
• 1G: no security
• 2G: authentication and encryption, but weak crypto
• SS7: attacks due to open interfaces
• 3G: stronger crypto and new AKA protocol

Remaining issues
• Limited identifier (IMSI/TMSI) leakage → tracking
• Fake base station → downgrading
• Physical layer → integrity violation, denial of service…
4G

Figure: "Powered by evolving mobile technologies for better experiences" (mobile generations by decade)

Generation | Decade | Technologies                          | Peak data rate | Characterization
1G         | 1980s  | AMPS, NMT, TACS                       | N/A            | Analog voice
2G         | 1990s  | D-AMPS, GSM/GPRS, cdmaOne             | <0.5 Mbps (1)  | Digital voice + simple data
3G         | 2000s  | CDMA2000/EV-DO, WCDMA/HSPA+, TD-SCDMA | 63+ Mbps (2)   | Mobile broadband
4G         | 2010s  | LTE, LTE Advanced                     | 300+ Mbps (3)  | Faster and better; richer content (video), more connections

(1) Peak data rate for GSM/GPRS; the latest Evolved EDGE has peak DL data rates of up to 1.2 Mbps. (2) Peak data rate for HSPA+ DL 3-carrier CA; the HSPA+ specification includes additional potential CA and use of multiple antennas, but no announcements to date. (3) Peak data rate for LTE Advanced Cat 6 with 20+20 MHz DL CA; the LTE specification includes additional potential CA and additional use of multiple antennas, but no announcements to date.
4G overview

Known also as LTE (Long-Term Evolution)
• Introduced around 2008

Updated architecture
• Fully packet-switched
• Core network called Evolved Packet Core (EPC)
• Radio network called Evolved UTRAN (E-UTRAN)
• Interoperable with legacy systems

New physical layer
• Orthogonal frequency division multiplexing (OFDM)
• Multiple antenna techniques like MIMO
• 300 Mbps downlink, 70 Mbps uplink, 5 ms latency
LTE architecture and terminology

Excerpt reproduced on the slide from Shaik et al., Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems (NDSS 2016); the excerpt begins and ends mid-sentence:

…devices while still using similar techniques. Notably, we show how popular social network messaging applications (e.g., Facebook messenger [3] and WhatsApp [4]) can be used in such attacks. Our third attack allows an active attacker exploiting vulnerabilities in the specification and implementation of LTE Radio Resource Control (RRC) protocol [5] to accurately pinpoint the target user via GPS co-ordinates or trilateration using base station signal strengths as observed by that UE. We believe that all LTE devices in the market are vulnerable to this attack.

In the second class, we describe three further attacks where an active attacker can cause persistent denial of service against a target UE. In the first, the target UE will be forced into using 2G or 3G networks rather than LTE networks, which can then make it possible to mount 2G/3G-specific attacks against that UE. In the second, the target UE will be denied access to all networks. In the last attack, the attacker can selectively limit a UE only to some types of services (e.g., no voice calls). The attacks are persistent and silent; devices require explicit user action (such as rebooting the device) to recover.

We have implemented all our attacks (except one) and confirmed their effectiveness using commercial LTE devices from several vendors and real LTE networks of several carriers. The equipment needed for the attacks is inexpensive and readily available. We reported our attacks to the manufacturers and carriers concerned as well as to the standardization body (3GPP). Remedial actions are under way while writing.

Specification of a large system like LTE is a complex endeavor involving many trade-offs among conflicting requirements. Rather than merely report on LTE vulnerabilities and attacks, we also discuss possible considerations that may have led to the vulnerabilities in the first place. Based on this, we suggest some general guidelines for future standardization as well as specific fixes for our attacks.

• Fine-grained location leaks: New passive and active techniques to link users' real identities to LTE temporary identities assigned to them, and to track user locations and movements to much higher levels of granularity than was previously thought possible (Section V).
• Denial-of-Service (DoS) Attacks: New active DoS attacks that can silently and persistently downgrade LTE devices by preventing their access to LTE networks (limiting them to less secure 2G/3G networks or denying network access altogether) or limiting them to a subset of LTE services (Section VI).
• Implementation & Evaluation: Inexpensive software and hardware framework to implement the attacks based on srsLTE, OpenLTE and Universal Software Radio Peripherals (USRP) (Section IV), and evaluation of the attacks using commercially available LTE phones in real networks (Sections V–VII).
• Security Analysis: Discussion outlining possible underlying reasons for the vulnerabilities, including perceived or actual trade-offs between security/privacy and other criteria like availability, performance and functionality, as well as recommending fixes (Section VIII).

II. OVERVIEW OF LTE ARCHITECTURE

We briefly describe LTE infrastructure as well as security and paging mechanisms to assist readers in understanding the vulnerabilities and attacks we present in this paper.

A. LTE infrastructure

We consider a simplified LTE architecture involving components required to set up access network protocols between a base station and mobile devices. We hide other details of the architecture which are not relevant from the point of view of understanding our attacks. Figure 1 depicts this simplified architecture, which contains three main components: User Equipment (UE), Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and Evolved Packet Core (EPC). All three components are collectively referred to as Evolved Packet System (EPS) according to 3GPP terminology. In the interest of simplicity, throughout this paper we refer to the whole system as LTE. The three components are described below. (A list of common acronyms related to LTE appear in the full version of this paper [6].)

Fig. 1. LTE system architecture

User Equipment: UE refers to the actual communication device, which can be, for example, a smartphone. A UE contains a USIM (Universal Subscriber Identity Module) [7], which represents the IMSI and stores the corresponding authentication credentials [8]. This IMSI is used to identify an LTE user (generally referred to as "subscriber" in 3GPP terminology) uniquely. The USIM participates in LTE subscriber authentication protocol and generates cryptographic keys that form the basis for the key hierarchy subsequently used to protect signaling and user data communication between the UE and base stations over the radio interface.

E-UTRAN: E-UTRAN consists of base stations. It manages the radio communication with the UE and facilitates communication between the UE and EPC. In LTE, a base station is technically referred as "evolved NodeB (eNodeB)". The eNodeB uses a set of access network protocols called Access Stratum (AS) for exchanging signaling messages with its UEs. These AS messages include Radio Resource Control (RRC) protocol messages. Other functions of eNodeB include paging UEs, over-the-air security, physical layer data connectivity and handovers. Each eNodeB is connected to the EPC through an interface named S1.

MME in EPC: EPC provides core network functionalities by a new all-IP mobile core network designed for LTE systems. It consists of several new elements as defined in [9]. However, for…
Fig.: "LTE Network" (slide reproduced from an RSA Conference talk)

• UE: User Equipment (2G/3G term: MS, mobile station)
• eNB: evolved NodeB (the LTE base station, BS)
• E-UTRAN: Evolved Universal Terrestrial Radio Access Network
• MME: Mobility Management Entity (takes over the signaling role of the MSC)
• HSS: Home Subscriber Server (successor of the HLR)
• S-GW: Serving Gateway
• P-GW: Packet Data Network Gateway
Some LTE physical layer details

OFDM downlink
• Multiple narrow sub-carriers spread over a wide channel bandwidth
• Sub-carriers mutually orthogonal in the frequency domain
• Mitigates inter-symbol interference, allows flexible utilization of spectrum

SC-FDMA uplink
• Single-carrier FDMA

Source: Lichtman et al., LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation, IEEE Communications Magazine, 2016
LTE network protocols

• MAC layer: manages access to radio resources
• RLC (Radio Link Control): error correction, segmentation, ordering
• PDCP (Packet Data Convergence Protocol): header compression, encryption, integrity
• RRC (Radio Resource Control): system information broadcast, connection and measurement control, activation of AS security
• NAS (Non-Access Stratum): mobility management and authentication (AKA) with the core network

Fig. (NIST Guide to LTE Security, 2017): LTE protocol stacks, user plane and control plane
LTE security overview

Similar Authentication and Key Agreement (AKA) as in 3G
• Mutual authentication; SQN used for replay protection

New crypto algorithms (3 variants)
• EEA = encryption, EIA = integrity (EEA0/EIA0 are the null algorithms)
• EEA1 and EIA1: based on SNOW 3G (the stream cipher already used in 3G as UEA2/UIA2; KASUMI was not carried over to LTE)
• EEA2 is AES-CTR and EIA2 is AES-CMAC
• EEA3 and EIA3: based on ZUC

Other security updates
• Extended key hierarchy
• Possibility for longer keys (256 bits)
• X2 handover (between eNodeBs) key handling
• Backhaul (S1) protection

Radio-link protection:

             Control plane                  User plane
Encryption   operator option (often used)   operator option (often used)
Integrity    mandatory                      not provided (the LTE spec defines user-plane integrity only for relay-node backhaul; later releases made it an option)
LTE key hierarchy

K = master key (128 bits, shared between HSS and USIM)
CK = confidentiality key (128 bits), IK = integrity key (128 bits)
K_ASME = MME base key (256 bits), from which K_NASenc/K_NASint (MME) and K_eNB are derived; from K_eNB the eNodeB derives K_RRCenc, K_RRCint and K_UPenc, and so on…

Source: NIST Guide to LTE Security, 2017
LTE backhaul and EPC protection

Backhaul (S1) protection
• Physical protection (difficult for long distances)
• Standard IP security (VPN, IPsec, PKI…)

EPC protection
• Spec is vague: "physical and logical division to security domains"
• Likely practice: standard IP security
LTE handovers and key updates

Source: Dan Forsberg, LTE Security Tutorial, HUT, 2009-12-09 (slide 37/54)

Keys in LTE handovers (HO)
• LTE security reduces the key scope and lifetime to minimize the threat of key compromise
1. Forward key separation
   • New K_eNB base key (the next-hop parameter NH) from the MME
2. Backward key separation
   • Key chaining with a one-way hash function (KDF)
3. Key separation for different target eNBs/cells
   • Physical cell ID (PCI) and frequency bindings

Fig.: key chain over a sequence of handovers (source eNB → target eNBs): KeNB_A → KeNB_B → KeNB_C → KeNB_D, each step through the KDF
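The key chaining on this slide, as an added worked example (not from the lecture or from Forsberg's tutorial): the TS 33.401 Annex A derivations written out in Go with the standard library's HMAC-SHA-256. The FC values and field layouts follow Annex A as I read it; the input values (CK, IK, serving-network id, SQN xor AK, counts, PCI, EARFCN) are constructed for the demo, not test vectors from the standard. It shows the three properties listed above: a horizontal (X2) K_eNB* derived from the source eNB's own key, a vertical one derived from an NH that only MME and UE can compute, and the PCI/EARFCN binding that separates keys per target cell.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// kdf is the generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(key, S) with
// S = FC || P0 || L0 || P1 || L1 ..., each Li the 2-byte big-endian length of Pi.
func kdf(key []byte, fc byte, params ...[]byte) []byte {
	s := []byte{fc}
	for _, p := range params {
		s = append(append(s, p...), byte(len(p)>>8), byte(len(p)))
	}
	m := hmac.New(sha256.New, key)
	m.Write(s)
	return m.Sum(nil)
}

// DeriveKASME: K_ASME = KDF(CK || IK, FC 0x10, SN id, SQN xor AK).  (TS 33.401 A.2)
func DeriveKASME(ck, ik, snID, sqnXorAK []byte) []byte {
	return kdf(append(append([]byte{}, ck...), ik...), 0x10, snID, sqnXorAK)
}

// DeriveKeNB: K_eNB = KDF(K_ASME, FC 0x11, uplink NAS COUNT).  (A.3)
func DeriveKeNB(kasme []byte, nasUplinkCount uint32) []byte {
	c := make([]byte, 4)
	binary.BigEndian.PutUint32(c, nasUplinkCount)
	return kdf(kasme, 0x11, c)
}

// DeriveNH: NH = KDF(K_ASME, FC 0x12, SYNC-input), SYNC-input being the fresh K_eNB
// or the previous NH. Only MME and UE hold K_ASME, so a compromised eNB cannot
// compute the next NH from anything it has: forward key separation.  (A.4)
func DeriveNH(kasme, syncInput []byte) []byte { return kdf(kasme, 0x12, syncInput) }

// DeriveKeNBStar: K_eNB* = KDF(K_eNB or NH, FC 0x13, PCI, EARFCN-DL). The target
// cell's physical cell ID and downlink frequency are bound into the key, and the
// one-way KDF gives backward key separation on horizontal (X2) handovers.  (A.5)
func DeriveKeNBStar(base []byte, pci uint16, earfcnDL uint32) []byte {
	p := []byte{byte(pci >> 8), byte(pci)}
	e := []byte{byte(earfcnDL >> 8), byte(earfcnDL)}
	if earfcnDL > 0xFFFF { // extended EARFCN values use 3 bytes
		e = []byte{byte(earfcnDL >> 16), byte(earfcnDL >> 8), byte(earfcnDL)}
	}
	return kdf(base, 0x13, p, e)
}

// Algorithm type distinguishers of TS 33.401 A.7.
const (
	NASEncAlg, NASIntAlg byte = 0x01, 0x02
	RRCEncAlg, RRCIntAlg byte = 0x03, 0x04
	UPEncAlg  byte             = 0x05
)

// DeriveAlgKey: a 128-bit algorithm key is the low 128 bits of
// KDF(K, FC 0x15, type distinguisher, algorithm identity).  (A.7)
func DeriveAlgKey(k []byte, algType, algID byte) []byte {
	return kdf(k, 0x15, []byte{algType}, []byte{algID & 0x0f})[16:]
}

func main() {
	// Constructed inputs, not test vectors from the standard.
	ck, ik := bytes.Repeat([]byte{0xc1}, 16), bytes.Repeat([]byte{0x11}, 16)
	kasme := DeriveKASME(ck, ik, []byte{0x42, 0xf0, 0x01}, []byte{0, 0, 0, 0, 0, 0x2a})
	keNBA := DeriveKeNB(kasme, 0)

	// Horizontal handover: the source eNB chains from its own K_eNB.
	keNBB := DeriveKeNBStar(keNBA, 101, 1300)
	// Vertical handover: the MME supplies NH, which eNB A could not have computed.
	nh := DeriveNH(kasme, keNBA)
	keNBC := DeriveKeNBStar(nh, 101, 1300)

	fmt.Printf("K_eNB(A)             %x\n", keNBA)
	fmt.Printf("K_eNB*(B) horizontal %x\n", keNBB)
	fmt.Printf("K_eNB*(C) vertical   %x\n", keNBC)
	fmt.Printf("K_RRCint for EIA2    %x\n", DeriveAlgKey(keNBB, RRCIntAlg, 2))
}
```

Changing the PCI or the EARFCN of the target cell changes K_eNB*, and the vertical key differs from the horizontal one even for the same target cell; that is exactly what the three bullets above promise.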
LTE security research

Let's look at three recent research examples
• Tracking: Shaik et al., Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems, NDSS '16
• Man in the middle: Rupprecht et al., Breaking LTE on Layer Two, S&P '19
• Jamming: Lichtman et al., LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation, IEEE Communications Magazine, 2016

Other research
• Signal injection: Yang et al., "Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE", USENIX Security '19
Location tracking: Background

The service area of an operator is divided into Tracking Areas (TAs)
• A TA contains a group of cells, each controlled by an eNodeB

eNodeB broadcasts operator-specific information
• Tracking Area Code, Mobile Network Code, cell ID

UE sends its IMSI in the first Attach request
• Operator assigns a temporary identifier (TMSI/GUTI)
• Used for subsequent attach and paging
Location tracking: Adversary

Adversary capabilities
• Can receive and send over the air
• Possible with inexpensive equipment (figure: adversary with a Universal Software Radio Peripheral, USRP)

Adversary goal
• Learn the user's location

Attack-enabling observations
• GUTI reallocation depends on the operator
• Example: same GUTI for 3 days
Location tracking: Attack

Step 1: Set up a fake BS
• Broadcast a valid TA code and network code with higher power (or priority)

Step 2: Learn user presence in a Tracking Area (TA)
• Repeated short Voice over LTE (VoLTE) calls or social media messages to the target trigger paging
• Adversary monitors any cell within the Tracking Area
• Some intersection analysis… (details skipped)

Step 3: Learn precise location
• Fake BS sends unprotected "RRC Connection Reconfiguration" messages
• UE measures signal power of neighboring cells and responds with a "Measurement report"
• The measurement report may contain the UE's GPS coordinates
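How Step 3's measurement report turns into a position when it carries no GPS fix, as an added example (not from the lecture and not Shaik et al.'s implementation): the attacker knows the positions of the reported neighbour cells (own survey or a public cell database), converts each RSRP into a distance with a log-distance path-loss model, and trilaterates by linear least squares. The model parameters p0 and n, the cell coordinates and the victim position are constructed assumptions; real RSRP values are noisy and the path-loss exponent varies, so the precision is far worse than this noiseless run suggests.

```go
package main

import (
	"fmt"
	"math"
)

// Cell is a neighbouring eNodeB cell whose position the attacker already knows. Metres.
type Cell struct {
	PCI  uint16
	X, Y float64
}

// Measurement is one entry of the UE's RRC measurement report: neighbour PCI and RSRP (dBm).
type Measurement struct {
	PCI  uint16
	RSRP float64
}

// rsrpToDistance inverts the log-distance path-loss model RSRP(d) = p0 - 10*n*log10(d),
// with d in metres. p0 (received power at 1 m) and the exponent n are assumptions.
func rsrpToDistance(rsrp, p0, n float64) float64 {
	return math.Pow(10, (p0-rsrp)/(10*n))
}

// Trilaterate solves (x-xi)^2 + (y-yi)^2 = di^2 for >= 3 anchors by subtracting the
// first equation from the others, which makes the system linear, and solving the
// 2x2 normal equations (ordinary least squares).
func Trilaterate(cells []Cell, d []float64) (x, y float64, ok bool) {
	if len(cells) < 3 || len(cells) != len(d) {
		return 0, 0, false
	}
	x0, y0, d0 := cells[0].X, cells[0].Y, d[0]
	var ata [2][2]float64
	var atb [2]float64
	for i := 1; i < len(cells); i++ {
		a1, a2 := 2*(cells[i].X-x0), 2*(cells[i].Y-y0)
		b := d0*d0 - d[i]*d[i] - x0*x0 - y0*y0 + cells[i].X*cells[i].X + cells[i].Y*cells[i].Y
		ata[0][0] += a1 * a1
		ata[0][1] += a1 * a2
		ata[1][1] += a2 * a2
		atb[0] += a1 * b
		atb[1] += a2 * b
	}
	ata[1][0] = ata[0][1]
	det := ata[0][0]*ata[1][1] - ata[0][1]*ata[1][0]
	if math.Abs(det) < 1e-9 { // collinear anchors: no unique fix
		return 0, 0, false
	}
	x = (ata[1][1]*atb[0] - ata[0][1]*atb[1]) / det
	y = (ata[0][0]*atb[1] - ata[1][0]*atb[0]) / det
	return x, y, true
}

// LocateFromReport matches report entries to known cells by PCI (unknown PCIs are
// ignored), converts RSRP to distance and trilaterates.
func LocateFromReport(known []Cell, report []Measurement, p0, n float64) (float64, float64, bool) {
	byPCI := map[uint16]Cell{}
	for _, c := range known {
		byPCI[c.PCI] = c
	}
	var cells []Cell
	var dists []float64
	for _, m := range report {
		if c, found := byPCI[m.PCI]; found {
			cells = append(cells, c)
			dists = append(dists, rsrpToDistance(m.RSRP, p0, n))
		}
	}
	return Trilaterate(cells, dists)
}

// SimulateRSRP is the RSRP a UE at (x, y) would report for c under the same model;
// used only to build a constructed report for the demo.
func SimulateRSRP(c Cell, x, y, p0, n float64) float64 {
	return p0 - 10*n*math.Log10(math.Hypot(x-c.X, y-c.Y))
}

func main() {
	const p0, n = -30.0, 3.5 // assumed model parameters
	cells := []Cell{{11, 0, 0}, {12, 1200, 0}, {13, 0, 900}, {14, 1200, 900}}
	tx, ty := 310.0, 520.0 // the victim's true position (constructed)
	var report []Measurement
	for _, c := range cells {
		report = append(report, Measurement{c.PCI, SimulateRSRP(c, tx, ty, p0, n)})
	}
	x, y, ok := LocateFromReport(cells, report, p0, n)
	fmt.Printf("estimate (%.1f, %.1f) ok=%v, true (%.0f, %.0f)\n", x, y, ok, tx, ty)
}
```

With three or more non-collinear cells in the report the fix is unique; a report with only two known cells, or cells on one line, gives no fix, which is why the paper also uses the GPS field when the UE is willing to include it.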
Location tracking: Analysis

All signaling (control messages) should be integrity-protected…
• So how is this possible?

Attack root cause
• LTE spec allows unprotected RRC measurement reports
• This is an explicit exception to the general policy
• Benign use: connection troubleshooting

Likely reason for such a design decision
• Availability was seen as more important than privacy in this particular case

How significant is such an attack in practice?
Man in the middle: Background

MAC layer: each UE must be uniquely distinguishable and needs a Radio Network Temporary Identity (RNTI)

eNodeB uses Downlink Control Information (DCI) to notify when radio resources are available on downlink and uplink

Recall that LTE encryption (e.g., EEA2 = AES-CTR) is a stream cipher
• XOR keystream with plaintext, so flipping a ciphertext bit flips the same plaintext bit
Man in the middle: Attack

Attacker model: low-budget software-defined radio

Step 1: Learn user from encrypted traffic
• Exploit the temporary identifier on the MAC layer
• Observe connection establishment
• Learn both TMSI and RNTI (few details skipped)
• Use paging to map TMSI to phone number
• Enables traffic profiling (e.g., fingerprinting which websites the user visits from encrypted traffic volumes)

Source: Rupprecht et al., Breaking LTE on Layer Two, S&P '19
Man in the middle (3/4)

Step 2: Modify encrypted traffic → redirection
• UE sends an encrypted packet to the intended DNS server
• Adversary captures the DNS request and applies a "manipulation mask"
• Adversary forwards the manipulated packet
• Packet gets decrypted and delivered to a false DNS server

Source: Rupprecht et al., Breaking LTE on Layer Two, S&P '19
Man in the middle: Analysis

Attack root causes
• Identifiers on lower stack levels (RNTI on MAC layer) while encryption is done on higher levels (PDCP)
• Integrity protection of the user plane is optional, so a stream-cipher ciphertext can be altered bit by bit without detection

From the LTE specification: threats were well known some 10 years ago…
Jamming

Targeted jamming of different control channels and signals has different difficulty and effectiveness…

Brute force (wideband) jamming is always possible…

Source: Lichtman et al., LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation, IEEE Communications Magazine, 2016
4G/LTE security summary

Security updates
• New crypto algorithms (SNOW 3G, AES, ZUC)
• New core network (EPC)
• Minor security updates like extended key hierarchy, handover protection, backhaul protection…

Remaining issues
• Limited user tracking
• Minor integrity violation (unprotected measurement reports, malleable user plane)
• User traffic profiling
Fifth generation

Figure: the same timeline of mobile generations as in the 4G section, extended with a 5G column for the 2020s
5G overview

Deployments planned to start "soon"

Radio link: 5G New Radio (NR)
• Faster, e.g., 10 Gbps with 2 ms latency
• Optimized OFDM
• Massive MIMO
• Two frequency ranges: FR1 (below 6 GHz) and FR2 (above 24 GHz, mmWave)
• Various cell sizes
• Better support for different QoS requirements

Suggested usages
• IoT, AR/VR, entertainment, home broadband…
Some 5G physical layer features

Beam management using "massive MIMO"

Higher frequencies
• cannot penetrate solid objects
• shorter ranges
• less interference
• more devices per m²

Cell types: micro, macro, pico

Source: National Instruments, 5G New Radio White Paper
5G security overview

Crypto algorithms: mostly the same (NEA1/NIA1 SNOW 3G, NEA2/NIA2 AES, NEA3/NIA3 ZUC)

AKA protocol: minor improvements
• Better replay protection is possible if the SIM contributes a nonce; standardized 5G AKA keeps the SQN mechanism and adds home-network confirmation of the authentication result

User tracking: minor updates
• SIMs can encrypt the IMSI (now called SUPI) for the home operator's public key; the concealed form is the SUCI
• Stricter policies for updating temporary IDs like TMSI

Fake base station detection: heuristics like expected signal strengths…
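The identifier concealment mentioned above (SUPI to SUCI), as an added example in Go that is not part of the lecture: ECIES Profile A of TS 33.501 Annex C as I read it (X25519 ephemeral ECDH, ANSI X9.63 KDF with SHA-256, AES-128-CTR, 64-bit HMAC-SHA-256 tag; the ephemeral public key is used as KDF shared info). It needs Go 1.20 or later for crypto/ecdh. The home-network key pair and the MSIN are constructed, and the MSIN is written as ASCII digits rather than BCD for readability. The point to take away: every attach uses a fresh ephemeral key, so two SUCIs of the same subscriber are unlinkable to a passive sniffer, while only the home operator can decrypt them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const macLen = 8 // Profile A: 64-bit HMAC-SHA-256 tag

// x963KDF is ANSI X9.63 KDF with SHA-256: SHA-256(Z || counter || SharedInfo) for
// counter = 1, 2, ... (4-byte big-endian), concatenated and truncated to length.
func x963KDF(z, sharedInfo []byte, length int) []byte {
	var out []byte
	for ctr := uint32(1); len(out) < length; ctr++ {
		h := sha256.New()
		h.Write(z)
		h.Write(binary.BigEndian.AppendUint32(nil, ctr))
		h.Write(sharedInfo)
		out = h.Sum(out)
	}
	return out[:length]
}

// deriveKeys: key data = EncKey(16) || ICB(16) || MacKey(32), ephemeral public key as SharedInfo.
func deriveKeys(z, ephPub []byte) (encKey, icb, macKey []byte) {
	k := x963KDF(z, ephPub, 64)
	return k[:16], k[16:32], k[32:]
}

func aesCTR(key, icb, data []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(blk, icb).XORKeyStream(out, data)
	return out
}

func tag(macKey, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(nil)[:macLen]
}

// Conceal is the UE side: fresh X25519 key pair, ECDH with the home network key,
// AES-128-CTR plus HMAC over the MSIN. Output: ephemeral public key || ciphertext || tag.
// (MCC/MNC, the HN key identifier and the scheme identifier travel in clear and are omitted.)
func Conceal(hnPub *ecdh.PublicKey, msin []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	z, err := eph.ECDH(hnPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	encKey, icb, macKey := deriveKeys(z, ephPub)
	ct := aesCTR(encKey, icb, msin)
	return append(append(append([]byte{}, ephPub...), ct...), tag(macKey, ct)...), nil
}

// Deconceal is the home network (UDM/SIDF) side: only the HN private key recovers
// the MSIN, and a tampered SUCI or a wrong key fails the tag check.
func Deconceal(hnPriv *ecdh.PrivateKey, suci []byte) ([]byte, error) {
	if len(suci) < 32+macLen {
		return nil, errors.New("suci too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(suci[:32])
	if err != nil {
		return nil, err
	}
	z, err := hnPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	ct, got := suci[32:len(suci)-macLen], suci[len(suci)-macLen:]
	encKey, icb, macKey := deriveKeys(z, suci[:32])
	if !hmac.Equal(got, tag(macKey, ct)) {
		return nil, errors.New("SUCI integrity check failed")
	}
	return aesCTR(encKey, icb, ct), nil
}

func main() {
	hn, _ := ecdh.X25519().GenerateKey(rand.Reader) // home network key pair (constructed)
	msin := []byte("0123456789")                     // constructed MSIN
	s1, _ := Conceal(hn.PublicKey(), msin)
	s2, _ := Conceal(hn.PublicKey(), msin)
	got, err := Deconceal(hn, s1)
	fmt.Println("two SUCIs of one subscriber differ:", string(s1) != string(s2))
	fmt.Printf("home network recovers %q, err=%v\n", got, err)
}
```

What this does not fix is the rest of the privacy story on the slide: the SUCI hides the permanent identifier from a sniffer, but the temporary identifiers (GUTI) and paging behaviour still have to be managed well, which is why the next bullet about stricter reallocation policies matters.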
Examples of 5G security research

Basin et al., A Formal Analysis of 5G Authentication, CCS '18
• Formal modeling and verification of 5G AKA
• Found minor inconsistencies in the spec

Hussain et al., 5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol, CCS '19
• Cross-layer modeling and analysis
• Findings: minor vulnerabilities in RRC and NAS layer to learn the victim's TMSI

Hussain et al., Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information, NDSS '19
• Multiple paging messages may enable tracking even if the TMSI is changed frequently
From 1G to 5G

                    1G        2G        3G        4G        5G
crypto algorithms   none      weak      strong    strong    strong
AKA                 none      one-way   mutual    mutual    mutual
core network        SS7       SS7       SS7       EPC       EPC (non-standalone) or 5G Core
tracking            easy      limited   limited   limited   more limited
fake BS             easy      easy      limited   limited   challenging
jamming / DoS       possible  possible  possible  possible  possible
Discussion

Lecture end

Summary
• Cellular security evolution from 1G to 5G
• Radio link, core network, crypto, protocols, management…
• Common theme: security vs functionality and cost
• Risks of global communication systems more broadly

Reading material
• Rupprecht et al., Breaking LTE on Layer Two, S&P '19
Recapfromlastweek
Basicconceptsofmobiletelephonybull CallspagingHLRVLRSS7operatorsSIMcardscryptohellip
Commonthemesecurityvsperformancevscostbull 1Gmdashnosecuritybull 2GmdashauthenEcaEonandencrypEonbutweakcryptobull SS7mdashaFacksdueopeninterfacesbull 3GmdashstrongercryptoandnewAKAprotocol
Remainingissuesbull LimitedidenEfier(IMSITMSI)leakagemdashgttrackingbull FakebasestaEonmdashgtdowngradingbull PhysicallayermdashgtintegrityviolaEondenialofservicehellip
2
4G
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
3
1980rsquos 1990rsquos 2000rsquos 2010rsquos
4Goverview
KnownalsoasLTE(Long-TermEvoluEon)bull Introducedaround2008
Updatedarchitecturebull Fullypacket-switchedbull CorenetworkcalledEvolvedPacketCore(EPC)bull RadionetworkcalledEvolved-UTRAN(E-UTRAN)bull Interoperablewithlegacysystems
Newphysicallayerbull OrthogonalfrequencydivisionmulEplex(OFDM)bull MulEpleantennatechniqueslikeMIMObull 300Mbpsdownlink70Mbpsuplink5mslatency
4
LTEarchitectureandterminology
devices while still using similar techniques Notably we showhow popular social network messaging applications (eg Face-book messenger [3] and WhatsApp [4]) can be used in suchattacks Our third attack allows an active attacker exploitingvulnerabilities in the specification and implementation of LTERadio Resource Control (RRC) protocol [5] to accuratelypinpoint the target user via GPS co-ordinates or trilaterationusing base station signal strengths as observed by that UE Webelieve that all LTE devices in the market are vulnerable tothis attack
In the second class we describe three further attacks wherean active attacker can cause persistent denial of service againsta target UE In the first the target UE will be forced into using2G or 3G networks rather than LTE networks which can thenmake it possible to mount 2G3G-specific attacks against thatUE In the second the target UE will be denied access to allnetworks In the last attack the attacker can selectively limit aUE only to some types of services (eg no voice calls) Theattacks are persistent and silent devices require explicit useraction (such as rebooting the device) to recover
We have implemented all our attacks (except one) andconfirmed their effectiveness using commercial LTE devicesfrom several vendors and real LTE networks of several carriersThe equipment needed for the attacks is inexpensive andreadily available We reported our attacks to the manufacturersand carriers concerned as well as to the standardization body(3GPP) Remedial actions are under way while writing
Specification of a large system like LTE is a complexendeavor involving many trade-offs among conflicting require-ments Rather than merely report on LTE vulnerabilities andattacks we also discuss possible considerations that may haveled to the vulnerabilities in the first place Based on this wesuggest some general guidelines for future standardization aswell as specific fixes for our attacks
bull Fine-grained location leaks New passive and activetechniques to link usersrsquo real identities to LTE tem-porary identities assigned to them and to track user
locations and movements to much higher levels
of granularity than was previously thought possible(Section V)
bull Denial-of-Service (DoS) Attacks New active DoS
attacks that can silently and persistently down-
grade LTE devices by preventing their access toLTE networks (limiting them to less secure 2G3Gnetworks or denying network access altogether) orlimiting them to a subset of LTE services (Section VI)
bull Implementation amp Evaluation Inexpensive software
and hardware framework to implement the attacksbased on srsLTE OpenLTE and Universal SoftwareRadio Peripherals (USRP) (Section IV) and evalua-tion of the attacks using commercially available LTEphones in real networks (Sections VndashVII)
bull Security Analysis Discussion outlining possible un-
derlying reasons for the vulnerabilities includingperceived or actual trade-offs between securityprivacyand other criteria like availability performance andfunctionality as well as recommending fixes (Sec-tion VIII)
II OVERVIEW OF LTE ARCHITECTURE
We briefly describe LTE infrastructure as well as securityand paging mechanisms to assist readers in understanding thevulnerabilities and attacks we present in this paper
A LTE infrastructure
We consider a simplified LTE architecture involving com-ponents required to set up access network protocols betweena base station and mobile devices We hide other details ofthe architecture which are not relevant from the point of viewof understanding our attacks Figure 1 depicts this simplifiedarchitecture which contains three main components UserEquipment (UE) Evolved Universal Terrestrial Radio AccessNetwork (E-UTRAN) and Evolved Packet Core (EPC) Allthree components are collectively referred to as Evolved PacketSystem (EPS) according to 3GPP terminology In the interestof simplicity throughout this paper we refer to the wholesystem as LTE The three components are described below(A list of common acronyms related to LTE appear in the fullversion of this paper [6])
Fig 1 LTE system architecture
User Equipment UE refers to the actual communicationdevice which can be for example a smartphone A UEcontains a USIM (Universal Subscriber Identity Module)[7]which represents the IMSI and stores the corresponding au-thentication credentials [8] This IMSI is used to identify anLTE user (generally referred to as ldquosubscriberrdquo in 3GPP ter-minology) uniquely The USIM participates in LTE subscriberauthentication protocol and generates cryptographic keys thatform the basis for the key hierarchy subsequently used toprotect signaling and user data communication between theUE and base stations over the radio interface
E-UTRAN E-UTRAN consists of base stations It managesthe radio communication with the UE and facilitates commu-nication between the UE and EPC In LTE a base stationis technically referred as ldquoevolved NodeB (eNodeB)rdquo TheeNodeB uses a set of access network protocols called AccessStratum (AS) for exchanging signaling messages with its UEsThese AS messages include Radio Resource control (RRC)protocol messages Other functions of eNodeB include pagingUEs over-the-air security physical layer data connectivity andhandovers Each eNodeB is connected to the EPC through aninterface named S1
MME in EPC EPC provides core network functionalities bya new all-IP mobile core network designed for LTE systems Itconsists of several new elements as defined in [9] However for
2
RSAC
LTE Network
12
bull UEUserEquipment(MS)bull eNBenhancedNodeB(BS)bull E-UTRANEvolvedUniversalTerrestrialRadioAccessNetworkbull MMEMobilityManagementEnEty(MSC)bull HSSHomeSubscriberServer(HLR)bull S-GWServingGatewaybull P-GWPacketGateway
5
SomeLTEphysicallayerdetails
OFDMdownlinkbull MulEplenarrowsub-carriersspreadoverawidechannelbandwidthbull Sub-carriersmutuallyorthogonalinthefrequencydomainbull MiEgatesinter-symbolinterferenceallowsflexibleuElizaEonofspectrum
SC-FDMAuplinkbull Single-carrierFDMA
6
Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
LTEnetworkprotocols
bull MAClayerbull managesaccesstoradioresources
bull RLC(RadioLinkControl)bull errorcorrecEonsegmentaEonordering
bull PDCP(PacketDataConvergenceProtocol)bull compressionencrypPonintegrity
bull RRC(RadioResourceControl)bull systeminformaEonbroadcastAKA
bull NAS(Non-AccessStratum)bull mobilitymanagementwiththe
corenetwork
7
Source NIST Guide to LTE Security 2017
User plane
Control plane
LTEsecurityoverview
SimilarAuthenEcaEonandKeyAgreement(AKA)asin3Gbull MutualauthenEcaEonSQNusedforreplayprotecEon
Newcryptoalgorithms(3variants)bull EEA=encrypEonEIA=integritybull EEA1andEIA1basedonSnow(similartoKASUMI)bull EEA2isAES-CTRandEIA2isAES-CMACbull EEA3andEIA3basedonZUC
Othersecurityupdatesbull ExtendedKeyHierarchybull Possibilityforlongerkeys(256bits)bull X2handover(betweeneNodeBs)bull Backhaul(S1)protecEon
8
Control plane User plane
Encryption operator option(often used)
operator option(often used)
Integrity mandatory operator option(often not used)
LTEKeyHierarchy
K=masterkey(128bitssharedbetweenHSSandUSIM)CK=confidenEalitykey(128bits)IK=integritykey(128bits)K_ASME=MMEbasekey(256bits)andsoonhellip
9
Source NIST Guide to LTE Security 2017
LTEbackhaulandEPCprotecEon
Backhaul(S1)protecPonbull PhysicalprotecEon(difficultforlongdistances)bull StandardIPsecurity(VPNIPsecPKIhellip)
EPCprotecPonbull SpecisvagueldquoPhysicalandlogicaldivisiontosecuritydomainsrdquobull LikelypracEcestandardIPsecurity
10
LTEhandoversandkeyupdates
HUT 2009-12-09 LTE Security Tutorial Dan Forsberg 37 54
KDF
KDF
Keys in LTE Handovers (HO) bull LTE Security reduces the key
scope and lifetime to minimize the threat of key compromise
1 Forward key separation bull New KeNB key (called NH) from
MME 2 Backward key separation
bull Key chaining with one way hash function
3 Key separation for different target eNBscells bull Phycal cell id (PCI) and
frequency bindings
1 Forward Key Separation
2 Backward Key Separation
3 ldquoKey Separation
Source eNB Target eNB
Source eNB
Target eNB
Target eNB
Target eNB
Target eNB
KeNBA
KeNBB
KeNBC
KeNBD
11
LTEsecurityresearch
Letrsquoslookatthreerecentresearchexamplesbull TrackingShaiketalPracEcalAFacksAgainstPrivacyand
Availabilityin4GLTEMobileCommunicaEonSystemsNDSSrsquo16
bull ManinthemiddleRupprechtetalBreakingLTEonLayerTwoSampPrsquo19
bull JammingLichtmanetalLTELTE-AJammingSpoofingandSniffingThreatAssessmentandMiEgaEonIEEECommunicaEons2016
Otherresearchbull SignalinjecPonYangetalldquoHidinginPlainSignalPhysical
SignalOvershadowingAFackonLTErdquoUSENIXSecurityrsquo19
12
LocaEontrackingmdashBackground
TheserviceareaofoperatordividedintoTrackingAreas(TAs)bull containsagroupofcellseachcontrolledbyaneNodeB
eNodeBbroadcastsoperator-specificinformaEonbull TrackingAreacodeMobileNetworkcodecellID
UEsendsIMSIinfirstAFachrequestbull operatorassignstemporaryidenPfier(TMSIGUTI)bull usedforsubsequentaFachandpaging
13
LocaEontrackingmdashAdversary
AdversarycapabiliEesbull whocanreceiveandsendover-the-airbull possiblewithinexpensiveequipment
Adversarygoalbull learnuserrsquoslocaEon
AFack-enablingobservaEonsbull GUTIreallocaPondepends
onoperatorbull ExamplesameGUTIfor3days
14
Adversary with Universal Software Radio Peripheral (USRP)
LocaEontrackingmdashAFack
Step1SetupfakeBSbull BroadcastvalidTAcodenetworkcodewithhigherpower(orpriority)
Step2LearnuserpresenceinTrackingArea(TA)bull RepeatedshortVoiceoverLTE(VoLTE)callsorsocialmediamessagesbull AdversarymonitoranycellwithinTrackingAreabull SomeintersecEonanalysishellip(detailsskipped)
Step3LearnpreciselocaPonbull FakeBSsendsunprotectedldquoRRCConnecEon
Reconfigrdquomessagesbull UEcomputessignalpowerfor
neighboringcellsandrespondswithaldquoMeasurementreportrdquo
bull MeasurementreportcontainUErsquosGPScoordinates
15
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5Goverview
Deploymentsplannedtostartldquosoonldquo
Radiolink5GNewRadio(NR)bull Fastereg10Gbpswith2mslatencybull OpEmizedOFDMbull MassiveMIMObull Twofrequencyranges
bull FR1(below6Ghz)andFR2(above24GhzmmWave)bull Variouscellsizesbull BeFersupportfordifferentQoSrequirements
Suggestedusagesbull IoTARVRentertainmenthomebroadbandhellip
24
Some5Gphysicallayerfeatures
BeammanagementusingldquomassiveMIMOrdquo
Higherfrequenciesbull cannotpenetratesolidobjectsbull shorterrangesbull lessinferencebull moredevicesperm2
Celltypesmicromacropico
25
Source Native Instruments 5G New Radio White Paper
5G security overview
Crypto algorithms: mostly the same
AKA protocol: minor improvements
• better replay protection, as the SIM can generate nonces
User tracking: minor updates
• SIMs can encrypt the IMSI/TMSI with the home operator's public key
• Stricter policies for updating temporary IDs like the TMSI
Fake base station detection: heuristics like expected signal strengths, …
26
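The concealed-identifier bullet on the slide above (the SIM encrypting the subscriber identity with the home operator's public key, which 5G calls the SUCI) as an added example, not code from the lecture or from any 3GPP implementation: an ECIES-style construction in Go using only the standard library (X25519 plus AES-GCM), with a simplified SHA-256 key derivation in place of the ANSI X9.63 KDF that the 3GPP profiles use; the home network ID and MSIN values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ConcealedID replaces the IMSI over the air: the home network ID stays in
// clear for routing, the subscriber part is encrypted under a fresh ephemeral key.
type ConcealedID struct {
	HomeNetworkID string
	EphemeralPub  []byte // X25519 public key, new for every concealment
	Nonce         []byte
	Ciphertext    []byte // AES-GCM(MSIN) with the tag appended
}

// GenerateHomeKey creates the operator's long-term X25519 key pair: the public
// half is provisioned to the SIM, the private half never leaves the home network.
func GenerateHomeKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// sessionAEAD derives an AES-128-GCM instance from the ECDH shared secret.
// Simplified KDF (SHA-256 over secret || ephemeral key); 3GPP uses ANSI X9.63.
func sessionAEAD(shared, ephPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	block, err := aes.NewCipher(h.Sum(nil)[:16])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Conceal runs on the SIM/UE side and needs only the home operator's public key.
func Conceal(homePub *ecdh.PublicKey, homeNetworkID, msin string) (*ConcealedID, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(homePub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := sessionAEAD(shared, ephPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The home network ID is authenticated as associated data, so the identifier
	// cannot be re-routed to another operator without the tag check failing.
	ct := gcm.Seal(nil, nonce, []byte(msin), []byte(homeNetworkID))
	return &ConcealedID{homeNetworkID, ephPub, nonce, ct}, nil
}

// Deconceal runs in the home network, the only party holding the private key.
func Deconceal(homePriv *ecdh.PrivateKey, c *ConcealedID) (string, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(c.EphemeralPub)
	if err != nil {
		return "", err
	}
	shared, err := homePriv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	gcm, err := sessionAEAD(shared, c.EphemeralPub)
	if err != nil {
		return "", err
	}
	msin, err := gcm.Open(nil, c.Nonce, c.Ciphertext, []byte(c.HomeNetworkID))
	if err != nil {
		return "", fmt.Errorf("deconcealment failed (wrong key or tampered identifier): %w", err)
	}
	return string(msin), nil
}

// Linkable is the passive observer's question: can two on-air identifiers be
// tied to one subscriber? With fresh ephemeral keys and nonces they cannot.
func Linkable(a, b *ConcealedID) bool {
	return string(a.EphemeralPub) == string(b.EphemeralPub) ||
		string(a.Ciphertext) == string(b.Ciphertext)
}

func main() {
	// Constructed sample values, not real subscriber data: MCC-MNC and MSIN.
	home, _ := GenerateHomeKey()
	a, _ := Conceal(home.PublicKey(), "244-05", "1234567890")
	b, _ := Conceal(home.PublicKey(), "244-05", "1234567890")
	msin, err := Deconceal(home, a)
	fmt.Printf("linkable on air: %v; home network recovers %q (err=%v)\n", Linkable(a, b), msin, err)
}
```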
Examples of 5G security research
Basin et al., "A Formal Analysis of 5G Authentication", CCS '18
• Formal modeling and verification of 5G AKA
• Found minor inconsistencies in the spec
Hussain et al., "5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol", CCS '19
• Cross-layer modeling and analysis
• Findings: minor vulnerabilities in the RRC and NAS layers to learn the victim's TMSI
Hussain et al., "Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information", NDSS '19
• Multiple paging messages may enable tracking even if the TMSI is changed frequently
27
From 1G to 5G
28
                    1G        2G        3G        4G        5G
crypto algorithms   none      weak      strong    strong    strong
AKA                 none      one-way   mutual    mutual    mutual
core network        SS7       SS7       SS7       EPC       EPC
tracking            easy      limited   limited   limited   more limited
fake BS             easy      easy      limited   limited   challenging
jamming / DoS       possible  possible  possible  possible  possible
Discussion
29
Lecture end
Summary
• Cellular security evolution from 1G to 5G
• Radio link, core network, crypto, protocols, management, …
• Common theme: security vs. functionality and cost
• Risks of global communication systems more broadly
Reading material
• Rupprecht et al., "Breaking LTE on Layer Two", S&P '19
30
4Goverview
KnownalsoasLTE(Long-TermEvoluEon)bull Introducedaround2008
Updatedarchitecturebull Fullypacket-switchedbull CorenetworkcalledEvolvedPacketCore(EPC)bull RadionetworkcalledEvolved-UTRAN(E-UTRAN)bull Interoperablewithlegacysystems
Newphysicallayerbull OrthogonalfrequencydivisionmulEplex(OFDM)bull MulEpleantennatechniqueslikeMIMObull 300Mbpsdownlink70Mbpsuplink5mslatency
4
LTEarchitectureandterminology
devices while still using similar techniques Notably we showhow popular social network messaging applications (eg Face-book messenger [3] and WhatsApp [4]) can be used in suchattacks Our third attack allows an active attacker exploitingvulnerabilities in the specification and implementation of LTERadio Resource Control (RRC) protocol [5] to accuratelypinpoint the target user via GPS co-ordinates or trilaterationusing base station signal strengths as observed by that UE Webelieve that all LTE devices in the market are vulnerable tothis attack
In the second class we describe three further attacks wherean active attacker can cause persistent denial of service againsta target UE In the first the target UE will be forced into using2G or 3G networks rather than LTE networks which can thenmake it possible to mount 2G3G-specific attacks against thatUE In the second the target UE will be denied access to allnetworks In the last attack the attacker can selectively limit aUE only to some types of services (eg no voice calls) Theattacks are persistent and silent devices require explicit useraction (such as rebooting the device) to recover
We have implemented all our attacks (except one) andconfirmed their effectiveness using commercial LTE devicesfrom several vendors and real LTE networks of several carriersThe equipment needed for the attacks is inexpensive andreadily available We reported our attacks to the manufacturersand carriers concerned as well as to the standardization body(3GPP) Remedial actions are under way while writing
Specification of a large system like LTE is a complexendeavor involving many trade-offs among conflicting require-ments Rather than merely report on LTE vulnerabilities andattacks we also discuss possible considerations that may haveled to the vulnerabilities in the first place Based on this wesuggest some general guidelines for future standardization aswell as specific fixes for our attacks
bull Fine-grained location leaks New passive and activetechniques to link usersrsquo real identities to LTE tem-porary identities assigned to them and to track user
locations and movements to much higher levels
of granularity than was previously thought possible(Section V)
bull Denial-of-Service (DoS) Attacks New active DoS
attacks that can silently and persistently down-
grade LTE devices by preventing their access toLTE networks (limiting them to less secure 2G3Gnetworks or denying network access altogether) orlimiting them to a subset of LTE services (Section VI)
bull Implementation amp Evaluation Inexpensive software
and hardware framework to implement the attacksbased on srsLTE OpenLTE and Universal SoftwareRadio Peripherals (USRP) (Section IV) and evalua-tion of the attacks using commercially available LTEphones in real networks (Sections VndashVII)
bull Security Analysis Discussion outlining possible un-
derlying reasons for the vulnerabilities includingperceived or actual trade-offs between securityprivacyand other criteria like availability performance andfunctionality as well as recommending fixes (Sec-tion VIII)
II OVERVIEW OF LTE ARCHITECTURE
We briefly describe LTE infrastructure as well as securityand paging mechanisms to assist readers in understanding thevulnerabilities and attacks we present in this paper
A LTE infrastructure
We consider a simplified LTE architecture involving com-ponents required to set up access network protocols betweena base station and mobile devices We hide other details ofthe architecture which are not relevant from the point of viewof understanding our attacks Figure 1 depicts this simplifiedarchitecture which contains three main components UserEquipment (UE) Evolved Universal Terrestrial Radio AccessNetwork (E-UTRAN) and Evolved Packet Core (EPC) Allthree components are collectively referred to as Evolved PacketSystem (EPS) according to 3GPP terminology In the interestof simplicity throughout this paper we refer to the wholesystem as LTE The three components are described below(A list of common acronyms related to LTE appear in the fullversion of this paper [6])
Fig 1 LTE system architecture
User Equipment UE refers to the actual communicationdevice which can be for example a smartphone A UEcontains a USIM (Universal Subscriber Identity Module)[7]which represents the IMSI and stores the corresponding au-thentication credentials [8] This IMSI is used to identify anLTE user (generally referred to as ldquosubscriberrdquo in 3GPP ter-minology) uniquely The USIM participates in LTE subscriberauthentication protocol and generates cryptographic keys thatform the basis for the key hierarchy subsequently used toprotect signaling and user data communication between theUE and base stations over the radio interface
E-UTRAN E-UTRAN consists of base stations It managesthe radio communication with the UE and facilitates commu-nication between the UE and EPC In LTE a base stationis technically referred as ldquoevolved NodeB (eNodeB)rdquo TheeNodeB uses a set of access network protocols called AccessStratum (AS) for exchanging signaling messages with its UEsThese AS messages include Radio Resource control (RRC)protocol messages Other functions of eNodeB include pagingUEs over-the-air security physical layer data connectivity andhandovers Each eNodeB is connected to the EPC through aninterface named S1
MME in EPC EPC provides core network functionalities bya new all-IP mobile core network designed for LTE systems Itconsists of several new elements as defined in [9] However for
2
RSAC
LTE Network
12
bull UEUserEquipment(MS)bull eNBenhancedNodeB(BS)bull E-UTRANEvolvedUniversalTerrestrialRadioAccessNetworkbull MMEMobilityManagementEnEty(MSC)bull HSSHomeSubscriberServer(HLR)bull S-GWServingGatewaybull P-GWPacketGateway
5
SomeLTEphysicallayerdetails
OFDMdownlinkbull MulEplenarrowsub-carriersspreadoverawidechannelbandwidthbull Sub-carriersmutuallyorthogonalinthefrequencydomainbull MiEgatesinter-symbolinterferenceallowsflexibleuElizaEonofspectrum
SC-FDMAuplinkbull Single-carrierFDMA
6
Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
LTEnetworkprotocols
bull MAClayerbull managesaccesstoradioresources
bull RLC(RadioLinkControl)bull errorcorrecEonsegmentaEonordering
bull PDCP(PacketDataConvergenceProtocol)bull compressionencrypPonintegrity
bull RRC(RadioResourceControl)bull systeminformaEonbroadcastAKA
bull NAS(Non-AccessStratum)bull mobilitymanagementwiththe
corenetwork
7
Source NIST Guide to LTE Security 2017
User plane
Control plane
LTEsecurityoverview
SimilarAuthenEcaEonandKeyAgreement(AKA)asin3Gbull MutualauthenEcaEonSQNusedforreplayprotecEon
Newcryptoalgorithms(3variants)bull EEA=encrypEonEIA=integritybull EEA1andEIA1basedonSnow(similartoKASUMI)bull EEA2isAES-CTRandEIA2isAES-CMACbull EEA3andEIA3basedonZUC
Othersecurityupdatesbull ExtendedKeyHierarchybull Possibilityforlongerkeys(256bits)bull X2handover(betweeneNodeBs)bull Backhaul(S1)protecEon
8
Control plane User plane
Encryption operator option(often used)
operator option(often used)
Integrity mandatory operator option(often not used)
LTEKeyHierarchy
K=masterkey(128bitssharedbetweenHSSandUSIM)CK=confidenEalitykey(128bits)IK=integritykey(128bits)K_ASME=MMEbasekey(256bits)andsoonhellip
9
Source NIST Guide to LTE Security 2017
LTEbackhaulandEPCprotecEon
Backhaul(S1)protecPonbull PhysicalprotecEon(difficultforlongdistances)bull StandardIPsecurity(VPNIPsecPKIhellip)
EPCprotecPonbull SpecisvagueldquoPhysicalandlogicaldivisiontosecuritydomainsrdquobull LikelypracEcestandardIPsecurity
10
LTEhandoversandkeyupdates
HUT 2009-12-09 LTE Security Tutorial Dan Forsberg 37 54
KDF
KDF
Keys in LTE Handovers (HO) bull LTE Security reduces the key
scope and lifetime to minimize the threat of key compromise
1 Forward key separation bull New KeNB key (called NH) from
MME 2 Backward key separation
bull Key chaining with one way hash function
3 Key separation for different target eNBscells bull Phycal cell id (PCI) and
frequency bindings
1 Forward Key Separation
2 Backward Key Separation
3 ldquoKey Separation
Source eNB Target eNB
Source eNB
Target eNB
Target eNB
Target eNB
Target eNB
KeNBA
KeNBB
KeNBC
KeNBD
11
LTEsecurityresearch
Letrsquoslookatthreerecentresearchexamplesbull TrackingShaiketalPracEcalAFacksAgainstPrivacyand
Availabilityin4GLTEMobileCommunicaEonSystemsNDSSrsquo16
bull ManinthemiddleRupprechtetalBreakingLTEonLayerTwoSampPrsquo19
bull JammingLichtmanetalLTELTE-AJammingSpoofingandSniffingThreatAssessmentandMiEgaEonIEEECommunicaEons2016
Otherresearchbull SignalinjecPonYangetalldquoHidinginPlainSignalPhysical
SignalOvershadowingAFackonLTErdquoUSENIXSecurityrsquo19
12
LocaEontrackingmdashBackground
TheserviceareaofoperatordividedintoTrackingAreas(TAs)bull containsagroupofcellseachcontrolledbyaneNodeB
eNodeBbroadcastsoperator-specificinformaEonbull TrackingAreacodeMobileNetworkcodecellID
UEsendsIMSIinfirstAFachrequestbull operatorassignstemporaryidenPfier(TMSIGUTI)bull usedforsubsequentaFachandpaging
13
LocaEontrackingmdashAdversary
AdversarycapabiliEesbull whocanreceiveandsendover-the-airbull possiblewithinexpensiveequipment
Adversarygoalbull learnuserrsquoslocaEon
AFack-enablingobservaEonsbull GUTIreallocaPondepends
onoperatorbull ExamplesameGUTIfor3days
14
Adversary with Universal Software Radio Peripheral (USRP)
LocaEontrackingmdashAFack
Step1SetupfakeBSbull BroadcastvalidTAcodenetworkcodewithhigherpower(orpriority)
Step2LearnuserpresenceinTrackingArea(TA)bull RepeatedshortVoiceoverLTE(VoLTE)callsorsocialmediamessagesbull AdversarymonitoranycellwithinTrackingAreabull SomeintersecEonanalysishellip(detailsskipped)
Step3LearnpreciselocaPonbull FakeBSsendsunprotectedldquoRRCConnecEon
Reconfigrdquomessagesbull UEcomputessignalpowerfor
neighboringcellsandrespondswithaldquoMeasurementreportrdquo
bull MeasurementreportcontainUErsquosGPScoordinates
15
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5Goverview
Deploymentsplannedtostartldquosoonldquo
Radiolink5GNewRadio(NR)bull Fastereg10Gbpswith2mslatencybull OpEmizedOFDMbull MassiveMIMObull Twofrequencyranges
bull FR1(below6Ghz)andFR2(above24GhzmmWave)bull Variouscellsizesbull BeFersupportfordifferentQoSrequirements
Suggestedusagesbull IoTARVRentertainmenthomebroadbandhellip
24
Some5Gphysicallayerfeatures
BeammanagementusingldquomassiveMIMOrdquo
Higherfrequenciesbull cannotpenetratesolidobjectsbull shorterrangesbull lessinferencebull moredevicesperm2
Celltypesmicromacropico
25
Source Native Instruments 5G New Radio White Paper
5Gsecurityoverview
Cryptoalgorithmsmostlythesame
AKAprotocolminorimprovementsbull beFerreplayprotecEonasSIMcangeneratenonces
Usertrackingminorupdatesbull SIMscanencryptIMSITMSIforhomeoperatorrsquospublickeybull MorestrictpoliciesforupdaEngtemporaryIDslikeTMSI
FakebasestaEondetecEonmdashheurisEcslikeexpectedsignalstrengthshellip
26
Examples of 5G security research
Basin et al., "A Formal Analysis of 5G Authentication", CCS '18
- Formal modeling and verification of 5G AKA
- Found minor inconsistencies in the spec
Hussain et al., "5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol", CCS '19
- Cross-layer modeling and analysis
- Findings: minor vulnerabilities in RRC and NAS layer to learn the victim's TMSI
Hussain et al., "Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information", NDSS '19
- Multiple paging messages may enable tracking even if TMSI is changed frequently
From 1G to 5G

                   1G        2G        3G        4G        5G
crypto algorithms  none      weak      strong    strong    strong
AKA                none      one-way   mutual    mutual    mutual
core network       SS7       SS7       SS7       EPC       EPC
tracking           easy      limited   limited   limited   more limited
fake BS            easy      easy      limited   limited   challenging
jamming / DoS      possible  possible  possible  possible  possible

Discussion
Lecture end
Summary
- Cellular security evolution from 1G to 5G
- Radio link, core network, crypto, protocols, management, ...
- Common theme: security vs. functionality and cost
- Risks of global communication systems more broadly
Reading material
- Rupprecht et al., "Breaking LTE on Layer Two", S&P '19
LTE architecture and terminology
In the second class, we describe three further attacks where an active attacker can cause persistent denial of service against a target UE. In the first, the target UE will be forced into using 2G or 3G networks rather than LTE networks, which can then make it possible to mount 2G/3G-specific attacks against that UE. In the second, the target UE will be denied access to all networks. In the last attack, the attacker can selectively limit a UE only to some types of services (e.g., no voice calls). The attacks are persistent and silent: devices require explicit user action (such as rebooting the device) to recover.
We have implemented all our attacks (except one) and confirmed their effectiveness using commercial LTE devices from several vendors and real LTE networks of several carriers. The equipment needed for the attacks is inexpensive and readily available. We reported our attacks to the manufacturers and carriers concerned as well as to the standardization body (3GPP). Remedial actions are under way while writing.
Specification of a large system like LTE is a complex endeavor involving many trade-offs among conflicting requirements. Rather than merely report on LTE vulnerabilities and attacks, we also discuss possible considerations that may have led to the vulnerabilities in the first place. Based on this, we suggest some general guidelines for future standardization as well as specific fixes for our attacks.
- Fine-grained location leaks: New passive and active techniques to link users' real identities to LTE temporary identities assigned to them and to track user locations and movements to much higher levels of granularity than was previously thought possible (Section V).
- Denial-of-Service (DoS) Attacks: New active DoS attacks that can silently and persistently downgrade LTE devices by preventing their access to LTE networks (limiting them to less secure 2G/3G networks or denying network access altogether) or limiting them to a subset of LTE services (Section VI).
- Implementation & Evaluation: Inexpensive software and hardware framework to implement the attacks based on srsLTE, OpenLTE and Universal Software Radio Peripherals (USRP) (Section IV), and evaluation of the attacks using commercially available LTE phones in real networks (Sections V–VII).
- Security Analysis: Discussion outlining possible underlying reasons for the vulnerabilities, including perceived or actual trade-offs between security/privacy and other criteria like availability, performance and functionality, as well as recommending fixes (Section VIII).
II. OVERVIEW OF LTE ARCHITECTURE
We briefly describe LTE infrastructure as well as security and paging mechanisms to assist readers in understanding the vulnerabilities and attacks we present in this paper.
A. LTE infrastructure
We consider a simplified LTE architecture involving components required to set up access network protocols between a base station and mobile devices. We hide other details of the architecture which are not relevant from the point of view of understanding our attacks. Figure 1 depicts this simplified architecture, which contains three main components: User Equipment (UE), Evolved Universal Terrestrial Radio Access Network (E-UTRAN), and Evolved Packet Core (EPC). All three components are collectively referred to as Evolved Packet System (EPS) according to 3GPP terminology. In the interest of simplicity, throughout this paper we refer to the whole system as LTE. The three components are described below. (A list of common acronyms related to LTE appear in the full version of this paper [6].)
Fig. 1. LTE system architecture
User Equipment: UE refers to the actual communication device, which can be, for example, a smartphone. A UE contains a USIM (Universal Subscriber Identity Module) [7] which represents the IMSI and stores the corresponding authentication credentials [8]. This IMSI is used to identify an LTE user (generally referred to as "subscriber" in 3GPP terminology) uniquely. The USIM participates in LTE subscriber authentication protocol and generates cryptographic keys that form the basis for the key hierarchy subsequently used to protect signaling and user data communication between the UE and base stations over the radio interface.
E-UTRAN: E-UTRAN consists of base stations. It manages the radio communication with the UE and facilitates communication between the UE and EPC. In LTE, a base station is technically referred as "evolved NodeB (eNodeB)". The eNodeB uses a set of access network protocols called Access Stratum (AS) for exchanging signaling messages with its UEs. These AS messages include Radio Resource Control (RRC) protocol messages. Other functions of eNodeB include paging UEs, over-the-air security, physical layer data connectivity, and handovers. Each eNodeB is connected to the EPC through an interface named S1.
MME in EPC: EPC provides core network functionalities by a new all-IP mobile core network designed for LTE systems. It consists of several new elements as defined in [9]. However, for
(Figure: LTE Network)
- UE = User Equipment (MS)
- eNB = enhanced NodeB (BS)
- E-UTRAN = Evolved Universal Terrestrial Radio Access Network
- MME = Mobility Management Entity (MSC)
- HSS = Home Subscriber Server (HLR)
- S-GW = Serving Gateway
- P-GW = Packet Gateway
Some LTE physical layer details
OFDM downlink
- Multiple narrow sub-carriers spread over a wide channel bandwidth
- Sub-carriers mutually orthogonal in the frequency domain
- Mitigates inter-symbol interference, allows flexible utilization of spectrum
SC-FDMA uplink
- Single-carrier FDMA
Source: Lichtman et al., "LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation", IEEE Communications, 2016
LTE network protocols
- MAC layer: manages access to radio resources
- RLC (Radio Link Control): error correction, segmentation, ordering
- PDCP (Packet Data Convergence Protocol): compression, encryption, integrity
- RRC (Radio Resource Control): system information broadcast, AKA
- NAS (Non-Access Stratum): mobility management with the core network
Source: NIST Guide to LTE Security, 2017
(Figure: LTE protocol stack, user plane and control plane)
LTE security overview
Similar Authentication and Key Agreement (AKA) as in 3G
- Mutual authentication, SQN used for replay protection
New crypto algorithms (3 variants)
- EEA = encryption, EIA = integrity
- EEA1 and EIA1 based on Snow (similar to KASUMI)
- EEA2 is AES-CTR and EIA2 is AES-CMAC
- EEA3 and EIA3 based on ZUC
Other security updates
- Extended key hierarchy
- Possibility for longer keys (256 bits)
- X2 handover (between eNodeBs)
- Backhaul (S1) protection

             Control plane                  User plane
Encryption   operator option (often used)   operator option (often used)
Integrity    mandatory                      operator option (often not used)
LTE key hierarchy
K = master key (128 bits, shared between HSS and USIM)
CK = confidentiality key (128 bits)
IK = integrity key (128 bits)
K_ASME = MME base key (256 bits)
and so on...
Source: NIST Guide to LTE Security, 2017
LTE backhaul and EPC protection
Backhaul (S1) protection
- Physical protection (difficult for long distances)
- Standard IP security (VPN, IPsec, PKI, ...)
EPC protection
- Spec is vague: "Physical and logical division to security domains"
- Likely practice: standard IP security
LTE handovers and key updates
Source: Dan Forsberg, LTE Security Tutorial, HUT, 2009-12-09 (slide 37/54)
Keys in LTE Handovers (HO)
- LTE Security reduces the key scope and lifetime to minimize the threat of key compromise
1. Forward key separation
- New KeNB key (called NH) from MME
2. Backward key separation
- Key chaining with one way hash function
3. Key separation for different target eNBs/cells
- Physical cell id (PCI) and frequency bindings
(Figure: KDF chain from source eNB to target eNBs, producing KeNB_A, KeNB_B, KeNB_C, KeNB_D)
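The three properties on this slide carried through in code, as an added example that is not from the lecture or from Forsberg's tutorial. The KDF is the 3GPP one (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1) with the FC tags of TS 33.401 Annex A for KeNB, NH and KeNB*; K_ASME, the PCIs and the EARFCN are constructed values, and the handover sequence is one horizontal X2 handover followed by one vertical one.

```python
import hashlib
import hmac

# FC tags from 3GPP TS 33.401 Annex A for the KeNB, NH and KeNB* derivations
FC_KENB, FC_NH, FC_KENB_STAR = 0x11, 0x12, 0x13


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP KDF: HMAC-SHA-256(key, S) with S = FC || P0 || L0 || P1 || L1 ...,
    each Li being the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def initial_kenb(k_asme: bytes, ul_nas_count: int) -> bytes:
    """KeNB at connection setup, derived by MME and UE from K_ASME (NCC = 0)."""
    return kdf(k_asme, FC_KENB, ul_nas_count.to_bytes(4, "big"))


def next_hop(k_asme: bytes, sync_input: bytes) -> bytes:
    """NH chain: NH_1 from KeNB, NH_n from NH_(n-1). Every step needs K_ASME,
    which only the MME and the UE hold, so no eNB can extend the chain itself."""
    return kdf(k_asme, FC_NH, sync_input)


def kenb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Key for a target cell. base is the current KeNB (horizontal derivation,
    used when the source eNB holds no unused NH) or an unused NH (vertical).
    PCI and downlink EARFCN bind the key to one cell (item 3 on the slide).
    EARFCN is encoded in 2 bytes here; extended EARFCNs use 3."""
    return kdf(base, FC_KENB_STAR, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


# Constructed values, not real network parameters
K_ASME = hashlib.sha256(b"constructed K_ASME for the example").digest()
EARFCN_DL = 1850
PCI_A, PCI_B, PCI_C = 101, 202, 303


def handover_chain() -> dict:
    """X2 handovers A -> B (horizontal) and B -> C (vertical) with the keys each
    party holds. The MME hands the target eNB one fresh {NH, NCC} pair only after
    the handover completes (Path Switch Acknowledge), so the first handover from a
    freshly set-up eNB has to be horizontal."""
    kenb_a = initial_kenb(K_ASME, 0)                  # NCC 0; eNB A holds no NH yet
    kenb_b = kenb_star(kenb_a, PCI_B, EARFCN_DL)      # horizontal: chained from KeNB_A
    nh1 = next_hop(K_ASME, kenb_a)                    # NCC 1; MME gives {NH1, 1} to B
    kenb_c = kenb_star(nh1, PCI_C, EARFCN_DL)         # vertical: from the unused NH1
    return {"KeNB_A": kenb_a, "KeNB_B": kenb_b, "NH1": nh1, "KeNB_C": kenb_c}


def cell_binding_separates_keys() -> bool:
    """Item 3: the same NH yields different keys for different target cells."""
    nh1 = handover_chain()["NH1"]
    return kenb_star(nh1, PCI_B, EARFCN_DL) != kenb_star(nh1, PCI_C, EARFCN_DL)


def forward_separation_holds() -> bool:
    """Item 1: everything eNB A ever held (KeNB_A and the KeNB_B it derived) is
    one hop short of KeNB_C, which depends on NH1 and therefore on K_ASME.
    Item 2 (backward separation) is the one-way KDF itself: KeNB_B gives no way
    back to KeNB_A, and KeNB_C none back to NH1."""
    k = handover_chain()
    what_a_can_compute = {
        kenb_star(k["KeNB_A"], PCI_C, EARFCN_DL),
        kenb_star(k["KeNB_B"], PCI_C, EARFCN_DL),
    }
    return k["KeNB_C"] not in what_a_can_compute
```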
LTE security research
Let's look at three recent research examples
- Tracking: Shaik et al., "Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems", NDSS '16
- Man in the middle: Rupprecht et al., "Breaking LTE on Layer Two", S&P '19
- Jamming: Lichtman et al., "LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation", IEEE Communications, 2016
Other research
- Signal injection: Yang et al., "Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE", USENIX Security '19
Location tracking: Background
The service area of operator divided into Tracking Areas (TAs)
- contains a group of cells, each controlled by an eNodeB
eNodeB broadcasts operator-specific information
- Tracking Area code, Mobile Network code, cell ID
UE sends IMSI in first Attach request
- operator assigns temporary identifier (TMSI/GUTI)
- used for subsequent attach and paging
Location tracking: Adversary
Adversary capabilities
- who can receive and send over-the-air
- possible with inexpensive equipment
Adversary goal
- learn user's location
Attack-enabling observations
- GUTI reallocation depends on operator
- Example: same GUTI for 3 days
(Figure: Adversary with Universal Software Radio Peripheral (USRP))
Location tracking: Attack
Step 1: Set up fake BS
- Broadcast valid TA code, network code with higher power (or priority)
Step 2: Learn user presence in Tracking Area (TA)
- Repeated short Voice over LTE (VoLTE) calls or social media messages
- Adversary monitors any cell within Tracking Area
- Some intersection analysis... (details skipped)
Step 3: Learn precise location
- Fake BS sends unprotected "RRC Connection Reconfig" messages
- UE computes signal power for neighboring cells and responds with a "Measurement report"
- Measurement report contains UE's GPS coordinates
Location tracking: Analysis
All signaling (control messages) should be integrity-protected...
- So how is this possible?
Attack root cause
- LTE spec allows unprotected RRC measurement reports
- This is an explicit exception to general policy
- Benign use: connection troubleshooting
Likely reason for such design decision
- Availability was seen more important than privacy in this particular case
How significant is such attack in practice?
Man in the middle: Background
MAC layer: each UE must be uniquely distinguishable and needs a Radio Network Temporary Identity (RNTI)
eNodeB utilizes Downlink Control Information (DCI) to notify when radio resources are available on downlink and uplink
Recall that LTE encryption using AES-CTR
- XOR keystream with plaintext
Man in the middle: Attack
Attacker model: low-budget software-defined radio
Step 1: Learn user from encrypted traffic
- exploit temporary identifier on MAC layer
- observe connection establishment
- learn both TMSI and RNTI (few details skipped)
- use paging to map TMSI to phone number
Source: Rupprecht et al., "Breaking LTE on Layer Two", S&P '19
Enables traffic profiling
Man in the middle (3/4)
Step 2: Modify encrypted traffic -> redirection
- UE sends encrypted packet to intended DNS server
- Adversary captures DNS request and applies "manipulation mask"
- Adversary forwards the manipulated packet
- Packet gets decrypted and delivered to false DNS server
Source: Rupprecht et al., "Breaking LTE on Layer Two", S&P '19
Man in the middle: Analysis
Attack root causes
- Identifiers on lower stack levels (RNTI on MAC layer) while encryption done on higher levels (PDCP)
- Integrity protection optional
From LTE specification: threats were well-known some 10 years ago...
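The second root cause worked through in code, as an added example that is not from the lecture or from Rupprecht et al.: counter-mode encryption without integrity protection lets chosen plaintext bits be flipped through the ciphertext, and a MAC-I check on the receiving side catches exactly that. EEA2 is AES-CTR and EIA2 is AES-CMAC; the block uses only the Python standard library, so a constructed HMAC-SHA-256 counter-mode keystream and a 32-bit truncated HMAC-SHA-256 tag stand in for them, the keys and the simplified packet (destination address plus DNS query, no IP checksum, as on the slide) are constructed.

```python
import hashlib
import hmac

# Constructed keys standing in for K_UPenc and K_UPint
KEY_ENC = hashlib.sha256(b"constructed K_UPenc").digest()[:16]
KEY_INT = hashlib.sha256(b"constructed K_UPint").digest()[:16]


def keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """Counter-mode keystream. EEA2 (AES-CTR) builds its counter block from COUNT,
    BEARER and DIRECTION; this stand-in does the same over HMAC-SHA-256. The
    property that matters is shared with AES-CTR: ciphertext = plaintext XOR keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        ctr = count.to_bytes(4, "big") + bytes([bearer, direction]) + block.to_bytes(4, "big")
        out += hmac.new(key, ctr, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def ctr_crypt(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR in counter mode."""
    ks = keystream(key, count, bearer, direction, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def mac_i(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """32-bit integrity tag over the COUNT/BEARER/DIRECTION context and the plaintext
    (EIA2 uses AES-CMAC; LTE's MAC-I is likewise 32 bits). PDCP applies integrity
    first and then ciphers data and tag together, which is mirrored below."""
    ctx = count.to_bytes(4, "big") + bytes([bearer, direction])
    return hmac.new(key, ctx + data, hashlib.sha256).digest()[:4]


# Constructed, simplified user-plane packet: 4-byte destination IPv4 address followed
# by a DNS query for example.com. A real IP header also carries a checksum, which the
# slide and this model leave out.
DNS_SERVER = bytes([192, 0, 2, 53])       # intended resolver (RFC 5737 documentation range)
OTHER_SERVER = bytes([198, 51, 100, 7])   # where the packet lands after manipulation
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x07example\x03com\x00\x00\x01\x00\x01")
COUNT, BEARER, UPLINK = 7, 5, 0


def build_packet(dst: bytes) -> bytes:
    return dst + QUERY


def manipulation_mask(old: bytes, new: bytes) -> bytes:
    """XOR difference of two plaintext values; XORed into the ciphertext at the same
    offset it turns the decrypted old value into new, with no key involved."""
    return bytes(a ^ b for a, b in zip(old, new))


def apply_mask(ciphertext: bytes, mask: bytes, offset: int = 0) -> bytes:
    out = bytearray(ciphertext)
    for i, m in enumerate(mask):
        out[offset + i] ^= m
    return bytes(out)


def decrypted_after_tampering_without_integrity() -> bytes:
    """Encryption-only user plane (EIA not applied): the modified packet decrypts
    cleanly to one addressed to OTHER_SERVER and the receiver has nothing to check."""
    ct = ctr_crypt(KEY_ENC, COUNT, BEARER, UPLINK, build_packet(DNS_SERVER))
    ct = apply_mask(ct, manipulation_mask(DNS_SERVER, OTHER_SERVER), offset=0)
    return ctr_crypt(KEY_ENC, COUNT, BEARER, UPLINK, ct)


def tampering_detected_with_integrity() -> bool:
    """Same modification when the sender attached a MAC-I: the receiver recomputes
    the tag over what it decrypted, the tags differ and the packet is discarded."""
    pt = build_packet(DNS_SERVER)
    tag = mac_i(KEY_INT, COUNT, BEARER, UPLINK, pt)
    ct = ctr_crypt(KEY_ENC, COUNT, BEARER, UPLINK, pt + tag)
    ct = apply_mask(ct, manipulation_mask(DNS_SERVER, OTHER_SERVER), offset=0)
    received = ctr_crypt(KEY_ENC, COUNT, BEARER, UPLINK, ct)
    data, recv_tag = received[:-4], received[-4:]
    return not hmac.compare_digest(recv_tag, mac_i(KEY_INT, COUNT, BEARER, UPLINK, data))
```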
Jamming
Targeted jamming of different control channels and signals has different difficulty and effectiveness...
Brute force always possible...
Source: Lichtman et al., "LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation", IEEE Communications, 2016
4G/LTE security summary
Security updates
- New crypto algorithms (Snow and AES)
- New core network (EPC)
- Minor security updates like extended key hierarchy, handover protection, backhaul protection, ...
Remaining issues
- Limited user tracking
- Minor integrity violation
- User traffic profiling
SomeLTEphysicallayerdetails
OFDMdownlinkbull MulEplenarrowsub-carriersspreadoverawidechannelbandwidthbull Sub-carriersmutuallyorthogonalinthefrequencydomainbull MiEgatesinter-symbolinterferenceallowsflexibleuElizaEonofspectrum
SC-FDMAuplinkbull Single-carrierFDMA
6
Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
LTEnetworkprotocols
bull MAClayerbull managesaccesstoradioresources
bull RLC(RadioLinkControl)bull errorcorrecEonsegmentaEonordering
bull PDCP(PacketDataConvergenceProtocol)bull compressionencrypPonintegrity
bull RRC(RadioResourceControl)bull systeminformaEonbroadcastAKA
bull NAS(Non-AccessStratum)bull mobilitymanagementwiththe
corenetwork
7
Source NIST Guide to LTE Security 2017
User plane
Control plane
LTEsecurityoverview
SimilarAuthenEcaEonandKeyAgreement(AKA)asin3Gbull MutualauthenEcaEonSQNusedforreplayprotecEon
Newcryptoalgorithms(3variants)bull EEA=encrypEonEIA=integritybull EEA1andEIA1basedonSnow(similartoKASUMI)bull EEA2isAES-CTRandEIA2isAES-CMACbull EEA3andEIA3basedonZUC
Othersecurityupdatesbull ExtendedKeyHierarchybull Possibilityforlongerkeys(256bits)bull X2handover(betweeneNodeBs)bull Backhaul(S1)protecEon
8
Control plane User plane
Encryption operator option(often used)
operator option(often used)
Integrity mandatory operator option(often not used)
LTEKeyHierarchy
K=masterkey(128bitssharedbetweenHSSandUSIM)CK=confidenEalitykey(128bits)IK=integritykey(128bits)K_ASME=MMEbasekey(256bits)andsoonhellip
9
Source NIST Guide to LTE Security 2017
LTEbackhaulandEPCprotecEon
Backhaul(S1)protecPonbull PhysicalprotecEon(difficultforlongdistances)bull StandardIPsecurity(VPNIPsecPKIhellip)
EPCprotecPonbull SpecisvagueldquoPhysicalandlogicaldivisiontosecuritydomainsrdquobull LikelypracEcestandardIPsecurity
10
LTEhandoversandkeyupdates
HUT 2009-12-09 LTE Security Tutorial Dan Forsberg 37 54
KDF
KDF
Keys in LTE Handovers (HO) bull LTE Security reduces the key
scope and lifetime to minimize the threat of key compromise
1 Forward key separation bull New KeNB key (called NH) from
MME 2 Backward key separation
bull Key chaining with one way hash function
3 Key separation for different target eNBscells bull Phycal cell id (PCI) and
frequency bindings
1 Forward Key Separation
2 Backward Key Separation
3 ldquoKey Separation
Source eNB Target eNB
Source eNB
Target eNB
Target eNB
Target eNB
Target eNB
KeNBA
KeNBB
KeNBC
KeNBD
11
LTEsecurityresearch
Letrsquoslookatthreerecentresearchexamplesbull TrackingShaiketalPracEcalAFacksAgainstPrivacyand
Availabilityin4GLTEMobileCommunicaEonSystemsNDSSrsquo16
bull ManinthemiddleRupprechtetalBreakingLTEonLayerTwoSampPrsquo19
bull JammingLichtmanetalLTELTE-AJammingSpoofingandSniffingThreatAssessmentandMiEgaEonIEEECommunicaEons2016
Otherresearchbull SignalinjecPonYangetalldquoHidinginPlainSignalPhysical
SignalOvershadowingAFackonLTErdquoUSENIXSecurityrsquo19
12
LocaEontrackingmdashBackground
TheserviceareaofoperatordividedintoTrackingAreas(TAs)bull containsagroupofcellseachcontrolledbyaneNodeB
eNodeBbroadcastsoperator-specificinformaEonbull TrackingAreacodeMobileNetworkcodecellID
UEsendsIMSIinfirstAFachrequestbull operatorassignstemporaryidenPfier(TMSIGUTI)bull usedforsubsequentaFachandpaging
13
LocaEontrackingmdashAdversary
AdversarycapabiliEesbull whocanreceiveandsendover-the-airbull possiblewithinexpensiveequipment
Adversarygoalbull learnuserrsquoslocaEon
AFack-enablingobservaEonsbull GUTIreallocaPondepends
onoperatorbull ExamplesameGUTIfor3days
14
Adversary with Universal Software Radio Peripheral (USRP)
LocaEontrackingmdashAFack
Step1SetupfakeBSbull BroadcastvalidTAcodenetworkcodewithhigherpower(orpriority)
Step2LearnuserpresenceinTrackingArea(TA)bull RepeatedshortVoiceoverLTE(VoLTE)callsorsocialmediamessagesbull AdversarymonitoranycellwithinTrackingAreabull SomeintersecEonanalysishellip(detailsskipped)
Step3LearnpreciselocaPonbull FakeBSsendsunprotectedldquoRRCConnecEon
Reconfigrdquomessagesbull UEcomputessignalpowerfor
neighboringcellsandrespondswithaldquoMeasurementreportrdquo
bull MeasurementreportcontainUErsquosGPScoordinates
15
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5Goverview
Deploymentsplannedtostartldquosoonldquo
Radiolink5GNewRadio(NR)bull Fastereg10Gbpswith2mslatencybull OpEmizedOFDMbull MassiveMIMObull Twofrequencyranges
bull FR1(below6Ghz)andFR2(above24GhzmmWave)bull Variouscellsizesbull BeFersupportfordifferentQoSrequirements
Suggestedusagesbull IoTARVRentertainmenthomebroadbandhellip
24
Some5Gphysicallayerfeatures
BeammanagementusingldquomassiveMIMOrdquo
Higherfrequenciesbull cannotpenetratesolidobjectsbull shorterrangesbull lessinferencebull moredevicesperm2
Celltypesmicromacropico
25
Source Native Instruments 5G New Radio White Paper
5Gsecurityoverview
Cryptoalgorithmsmostlythesame
AKAprotocolminorimprovementsbull beFerreplayprotecEonasSIMcangeneratenonces
Usertrackingminorupdatesbull SIMscanencryptIMSITMSIforhomeoperatorrsquospublickeybull MorestrictpoliciesforupdaEngtemporaryIDslikeTMSI
FakebasestaEondetecEonmdashheurisEcslikeexpectedsignalstrengthshellip
26
Examplesof5Gsecurityresearch
BasinetalAFormalAnalysisof5GAuthenEcaEonCCSrsquo18bull FormalmodelingandverificaEonof5GAKAbull Foundminorinconsistenciesinthespec
Hussainetal5GReasonerAProperty-DirectedSecurityandPrivacyAnalysisFrameworkfor5GCellularNetworkProtocolCCSrsquo19bull Cross-layermodelingandanalysisbull FindingsminorvulnerabiliEesinRRCandNASlayertolearn
thevicEmsTMSI
HussainetalPrivacyAFackstothe4Gand5GCellularPagingProtocolsUsingSideChannelInformaEonNDSSrsquo19bull MulEplepagingmessagesmayenabletrackingevenifTMSIis
changedfrequently27
From1Gto5G
28
1G 2G 3G 4G 5G
crypto algorithms none weak strong strong strong
AKA none one-way mutual mutual mutual
core network SS7 SS7 SS7 EPC EPC
tracking easy limited limited limited more limited
fake BS easy easy limited limited challenging
jamming DoS possible possible possible possible possible
Discussion
29
Lectureend
Summarybull CellularsecurityevoluEonfrom1Gto5Gbull Radiolinkcorenetworkcryptoprotocolsmanagementhellipbull CommonthemesecurityvsfuncEonalityandcostbull RisksofglobalcommunicaEonsystemsmorebroadly
Readingmaterialbull RupprechtetalBreakingLTEonLayerTwoSampPrsquo19
30
LTEnetworkprotocols
bull MAClayerbull managesaccesstoradioresources
bull RLC(RadioLinkControl)bull errorcorrecEonsegmentaEonordering
bull PDCP(PacketDataConvergenceProtocol)bull compressionencrypPonintegrity
bull RRC(RadioResourceControl)bull systeminformaEonbroadcastAKA
bull NAS(Non-AccessStratum)bull mobilitymanagementwiththe
corenetwork
7
Source NIST Guide to LTE Security 2017
User plane
Control plane
LTEsecurityoverview
SimilarAuthenEcaEonandKeyAgreement(AKA)asin3Gbull MutualauthenEcaEonSQNusedforreplayprotecEon
Newcryptoalgorithms(3variants)bull EEA=encrypEonEIA=integritybull EEA1andEIA1basedonSnow(similartoKASUMI)bull EEA2isAES-CTRandEIA2isAES-CMACbull EEA3andEIA3basedonZUC
Othersecurityupdatesbull ExtendedKeyHierarchybull Possibilityforlongerkeys(256bits)bull X2handover(betweeneNodeBs)bull Backhaul(S1)protecEon
8
Control plane User plane
Encryption operator option(often used)
operator option(often used)
Integrity mandatory operator option(often not used)
LTEKeyHierarchy
K=masterkey(128bitssharedbetweenHSSandUSIM)CK=confidenEalitykey(128bits)IK=integritykey(128bits)K_ASME=MMEbasekey(256bits)andsoonhellip
9
Source NIST Guide to LTE Security 2017
LTEbackhaulandEPCprotecEon
Backhaul(S1)protecPonbull PhysicalprotecEon(difficultforlongdistances)bull StandardIPsecurity(VPNIPsecPKIhellip)
EPCprotecPonbull SpecisvagueldquoPhysicalandlogicaldivisiontosecuritydomainsrdquobull LikelypracEcestandardIPsecurity
10
LTEhandoversandkeyupdates
HUT 2009-12-09 LTE Security Tutorial Dan Forsberg 37 54
KDF
KDF
Keys in LTE Handovers (HO) bull LTE Security reduces the key
scope and lifetime to minimize the threat of key compromise
1 Forward key separation bull New KeNB key (called NH) from
MME 2 Backward key separation
bull Key chaining with one way hash function
3 Key separation for different target eNBscells bull Phycal cell id (PCI) and
frequency bindings
1 Forward Key Separation
2 Backward Key Separation
3 ldquoKey Separation
Source eNB Target eNB
Source eNB
Target eNB
Target eNB
Target eNB
Target eNB
KeNBA
KeNBB
KeNBC
KeNBD
11
LTEsecurityresearch
Letrsquoslookatthreerecentresearchexamplesbull TrackingShaiketalPracEcalAFacksAgainstPrivacyand
Availabilityin4GLTEMobileCommunicaEonSystemsNDSSrsquo16
bull ManinthemiddleRupprechtetalBreakingLTEonLayerTwoSampPrsquo19
bull JammingLichtmanetalLTELTE-AJammingSpoofingandSniffingThreatAssessmentandMiEgaEonIEEECommunicaEons2016
Otherresearchbull SignalinjecPonYangetalldquoHidinginPlainSignalPhysical
SignalOvershadowingAFackonLTErdquoUSENIXSecurityrsquo19
12
LocaEontrackingmdashBackground
TheserviceareaofoperatordividedintoTrackingAreas(TAs)bull containsagroupofcellseachcontrolledbyaneNodeB
eNodeBbroadcastsoperator-specificinformaEonbull TrackingAreacodeMobileNetworkcodecellID
UEsendsIMSIinfirstAFachrequestbull operatorassignstemporaryidenPfier(TMSIGUTI)bull usedforsubsequentaFachandpaging
13
LocaEontrackingmdashAdversary
AdversarycapabiliEesbull whocanreceiveandsendover-the-airbull possiblewithinexpensiveequipment
Adversarygoalbull learnuserrsquoslocaEon
AFack-enablingobservaEonsbull GUTIreallocaPondepends
onoperatorbull ExamplesameGUTIfor3days
14
Adversary with Universal Software Radio Peripheral (USRP)
LocaEontrackingmdashAFack
Step1SetupfakeBSbull BroadcastvalidTAcodenetworkcodewithhigherpower(orpriority)
Step2LearnuserpresenceinTrackingArea(TA)bull RepeatedshortVoiceoverLTE(VoLTE)callsorsocialmediamessagesbull AdversarymonitoranycellwithinTrackingAreabull SomeintersecEonanalysishellip(detailsskipped)
Step3LearnpreciselocaPonbull FakeBSsendsunprotectedldquoRRCConnecEon
Reconfigrdquomessagesbull UEcomputessignalpowerfor
neighboringcellsandrespondswithaldquoMeasurementreportrdquo
bull MeasurementreportcontainUErsquosGPScoordinates
15
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5G overview
Deployments planned to start "soon"
Radio link: 5G New Radio (NR)
• Faster, e.g. 10 Gbps with 2 ms latency
• Optimized OFDM
• Massive MIMO
• Two frequency ranges
  • FR1 (below 6 GHz) and FR2 (above 24 GHz, mmWave)
• Various cell sizes
• Better support for different QoS requirements
Suggested usages
• IoT, AR/VR, entertainment, home broadband…
24
Some 5G physical layer features
Beam management using "massive MIMO"
Higher frequencies
• cannot penetrate solid objects
• shorter ranges
• less interference
• more devices per m²
Cell types: micro, macro, pico
25
Source: Native Instruments, 5G New Radio White Paper
5G security overview
Crypto algorithms: mostly the same
AKA protocol: minor improvements
• better replay protection, as the SIM can generate nonces
User tracking: minor updates
• SIMs can encrypt IMSI/TMSI for the home operator's public key
• More strict policies for updating temporary IDs like TMSI
Fake base station detection — heuristics like expected signal strengths…
26
Examples of 5G security research
Basin et al., A Formal Analysis of 5G Authentication, CCS '18
• Formal modeling and verification of 5G AKA
• Found minor inconsistencies in the spec
Hussain et al., 5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol, CCS '19
• Cross-layer modeling and analysis
• Findings: minor vulnerabilities in RRC and NAS layer to learn the victim's TMSI
Hussain et al., Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information, NDSS '19
• Multiple paging messages may enable tracking even if TMSI is changed frequently
27
From 1G to 5G
28
                  | 1G       | 2G       | 3G       | 4G       | 5G
crypto algorithms | none     | weak     | strong   | strong   | strong
AKA               | none     | one-way  | mutual   | mutual   | mutual
core network      | SS7      | SS7      | SS7      | EPC      | EPC
tracking          | easy     | limited  | limited  | limited  | more limited
fake BS           | easy     | easy     | limited  | limited  | challenging
jamming / DoS     | possible | possible | possible | possible | possible
Discussion
29
Lecture end
Summary
• Cellular security evolution from 1G to 5G
• Radio link, core network, crypto, protocols, management…
• Common theme: security vs functionality and cost
• Risks of global communication systems more broadly
Reading material
• Rupprecht et al., Breaking LTE on Layer Two, S&P '19
30
LTE security overview
Similar Authentication and Key Agreement (AKA) as in 3G
• Mutual authentication; SQN used for replay protection
New crypto algorithms (3 variants)
• EEA = encryption, EIA = integrity
• EEA1 and EIA1 based on Snow (similar to KASUMI)
• EEA2 is AES-CTR and EIA2 is AES-CMAC
• EEA3 and EIA3 based on ZUC
Other security updates
• Extended key hierarchy
• Possibility for longer keys (256 bits)
• X2 handover (between eNodeBs)
• Backhaul (S1) protection
8
           | Control plane                | User plane
Encryption | operator option (often used) | operator option (often used)
Integrity  | mandatory                    | operator option (often not used)
LTE key hierarchy
K = master key (128 bits, shared between HSS and USIM), CK = confidentiality key (128 bits), IK = integrity key (128 bits), K_ASME = MME base key (256 bits), and so on…
9
Source: NIST Guide to LTE Security, 2017
LTE backhaul and EPC protection
Backhaul (S1) protection
• Physical protection (difficult for long distances)
• Standard IP security (VPN, IPsec, PKI…)
EPC protection
• Spec is vague: "Physical and logical division to security domains"
• Likely practice: standard IP security
10
LTE handovers and key updates
Source: HUT, 2009-12-09, LTE Security Tutorial, Dan Forsberg, 37/54
Keys in LTE Handovers (HO)
• LTE Security reduces the key scope and lifetime to minimize the threat of key compromise
1. Forward key separation
• New KeNB key (called NH) from MME
2. Backward key separation
• Key chaining with one-way hash function
3. Key separation for different target eNBs/cells
• Physical cell id (PCI) and frequency bindings
[Figure: KDF chain from a Source eNB to successive Target eNBs (keys KeNB_A, KeNB_B, KeNB_C, KeNB_D), annotated with the three separation types above]
11
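The three separation properties on this slide, worked through in code. This is an added example, not code from the lecture or from Forsberg's tutorial: the KDF copies the shape of the TS 33.401 Annex A key derivation (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1), but the FC values, the 2-byte PCI/EARFCN encodings and the sample keys are assumptions made here for illustration.

```python
import hashlib
import hmac

# Constructed sample keys (256-bit, as on the key-hierarchy slide); not real key material.
K_ASME = bytes(range(32))       # held by the MME and the UE only
KENB_A = bytes(range(32, 64))   # initial KeNB of the source eNB (attach-time derivation omitted)

FC_NH = 0x12          # assumed FC value for NH derivation (cf. TS 33.401 A.4)
FC_KENB_STAR = 0x13   # assumed FC value for KeNB* derivation (cf. TS 33.401 A.5)


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ..., the shape of the 33.401 KDF."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_nh(k_asme: bytes, sync_input: bytes) -> bytes:
    """Next Hop (NH) key. It needs K_ASME, so only the MME/UE can compute it: that is
    what gives forward key separation. sync_input is KeNB for the first NH and the
    previous NH afterwards (the NH chain)."""
    return kdf(k_asme, FC_NH, sync_input)


def derive_kenb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* for a target cell, bound to its PCI and downlink frequency (EARFCN-DL).
    base is the current KeNB (horizontal HO) or an unused NH (vertical HO)."""
    return kdf(base, FC_KENB_STAR, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def demo() -> dict:
    """Walk one handover chain and check the three separation properties."""
    nh1 = derive_nh(K_ASME, KENB_A)   # NCC=1, computed at the MME
    nh2 = derive_nh(K_ASME, nh1)      # NCC=2, chained from the previous NH

    # Horizontal HO A -> B: target key chained from KeNB_A through the one-way KDF
    # (backward separation: KeNB_A cannot be recovered from KeNB_B).
    kenb_b = derive_kenb_star(KENB_A, pci=101, earfcn_dl=1300)
    # Vertical HO B -> C: target key taken from a fresh NH (forward separation).
    kenb_c = derive_kenb_star(nh1, pci=202, earfcn_dl=1300)

    # What a compromised source eNB, which knows KeNB_A but neither K_ASME nor NH,
    # can reproduce on its own:
    from_source_b = derive_kenb_star(KENB_A, 101, 1300)
    from_source_c = derive_kenb_star(KENB_A, 202, 1300)

    return {
        "cell_binding": kenb_b != derive_kenb_star(KENB_A, 102, 1300),  # other PCI, other key
        "horizontal_ho_no_forward_separation": from_source_b == kenb_b,
        "vertical_ho_forward_separation": from_source_c != kenb_c,
        "nh_chain_advances": nh1 != nh2,
        "key_bits": len(kenb_c) * 8,
    }


if __name__ == "__main__":
    print(demo())
```

The result shows why a horizontal (KeNB-chained) handover alone does not protect the target cell from a compromised source eNB, and why the MME-supplied NH is needed for that.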
LTE security research
Let's look at three recent research examples
• Tracking: Shaik et al., Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems, NDSS '16
• Man in the middle: Rupprecht et al., Breaking LTE on Layer Two, S&P '19
• Jamming: Lichtman et al., LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation, IEEE Communications 2016
Other research
• Signal injection: Yang et al., "Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE", USENIX Security '19
12
Location tracking — Background
The service area of an operator is divided into Tracking Areas (TAs)
• each contains a group of cells, each controlled by an eNodeB
eNodeB broadcasts operator-specific information
• Tracking Area code, Mobile Network code, cell ID
UE sends IMSI in first Attach request
• operator assigns temporary identifier (TMSI, GUTI)
• used for subsequent attach and paging
13
Location tracking — Adversary
Adversary capabilities
• can receive and send over-the-air
• possible with inexpensive equipment
Adversary goal
• learn user's location
Attack-enabling observations
• GUTI reallocation depends on operator
• Example: same GUTI for 3 days
14
[Figure: Adversary with Universal Software Radio Peripheral (USRP)]
Location tracking — Attack
Step 1: Set up fake BS
• Broadcast valid TA code and network code with higher power (or priority)
Step 2: Learn user presence in Tracking Area (TA)
• Repeated short Voice over LTE (VoLTE) calls or social media messages
• Adversary monitors any cell within the Tracking Area
• Some intersection analysis… (details skipped)
Step 3: Learn precise location
• Fake BS sends unprotected "RRC Connection Reconfig" messages
• UE computes signal power for neighboring cells and responds with a "Measurement report"
• Measurement report contains UE's GPS coordinates
15
Location tracking — Analysis
All signaling (control messages) should be integrity-protected…
• So how is this possible?
Attack root cause
• LTE spec allows unprotected RRC measurement reports
• This is an explicit exception to the general policy
• Benign use: connection troubleshooting
Likely reason for such a design decision
• Availability was seen as more important than privacy in this particular case
How significant is such an attack in practice?
16
Man in the middle — Background
MAC layer: each UE must be uniquely distinguishable and needs a Radio Network Temporary Identity (RNTI)
eNodeB utilizes Downlink Control Information (DCI) to notify when radio resources are available on downlink and uplink
Recall that LTE encryption uses AES-CTR
• XOR keystream with plaintext
17
[Figure: RNTI]
Man in the middle — Attack
Attacker model: low-budget software-defined radio
Step 1: Learn user from encrypted traffic
• exploit temporary identifier on MAC layer
• observe connection establishment
• learn both TMSI and RNTI (few details skipped)
• use paging to map TMSI to phone number
18
Source: Rupprecht et al., Breaking LTE on Layer Two, S&P '19
Enables traffic profiling
Man in the middle (3/4)
Step 2: Modify encrypted traffic -> redirection
• UE sends encrypted packet to intended DNS server
• Adversary captures DNS request and applies "manipulation mask"
• Adversary forwards the manipulated packet
• Packet gets decrypted and delivered to false DNS server
19
Source: Rupprecht et al., Breaking LTE on Layer Two, S&P '19
Man in the middle — Analysis
Attack root causes
• Identifiers on lower stack levels (RNTI on MAC layer) while encryption is done on higher levels (PDCP)
• Integrity protection optional
20
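Why the second root cause (optional user-plane integrity) is the one that matters for the redirection on slide 19, shown on a constructed PDU: with ciphering only, an XOR "manipulation mask" retargets the destination field and the receiver accepts it; with a MAC-I over the PDU, the same PDU is dropped. This is an added example, not code from the lecture or from Rupprecht et al.; a counter-mode keystream built from HMAC-SHA-256 stands in for EEA2 (AES-CTR) and an HMAC-SHA-256 tag stands in for EIA2 (AES-CMAC), the keys and addresses are constructed, and the malleability shown is the same for any XOR-keystream cipher.

```python
import hashlib
import hmac

# Constructed sample values; not real key material or real addresses.
CK = bytes([0x11] * 16)               # ciphering key (stands in for the user-plane encryption key)
IK = bytes([0x22] * 16)               # integrity key (absent when the operator disables integrity)
INTENDED_DNS = bytes([10, 0, 0, 53])  # destination field the UE wrote (constructed)
FALSE_DNS = bytes([192, 0, 2, 53])    # where the manipulated PDU ends up (constructed, TEST-NET-1)


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA-256; stand-in for EEA2's AES-CTR.
    count plays the role of the PDCP COUNT."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, count.to_bytes(4, "big") + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def ctr_crypt(key: bytes, count: int, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, count, len(data))))


def integrity_tag(ik: bytes, count: int, plaintext: bytes) -> bytes:
    """32-bit MAC-I over COUNT and the plaintext PDU; stand-in for EIA2's AES-CMAC."""
    return hmac.new(ik, count.to_bytes(4, "big") + plaintext, hashlib.sha256).digest()[:4]


def manipulation_mask(known: bytes, desired: bytes, offset: int, length: int) -> bytes:
    """XOR difference between a known plaintext field and a chosen value; XORed into the
    ciphertext it changes only that field, because XOR-keystream ciphers are malleable."""
    mask = bytearray(length)
    for i, (a, b) in enumerate(zip(known, desired)):
        mask[offset + i] = a ^ b
    return bytes(mask)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def receive_ciphering_only(ck: bytes, count: int, ciphertext: bytes) -> bytes:
    """User plane with integrity disabled (the common operator choice on slide 8)."""
    return ctr_crypt(ck, count, ciphertext)


def receive_with_integrity(ck: bytes, ik: bytes, count: int, ciphertext: bytes, tag: bytes):
    """Decrypt, then verify MAC-I; a failed check drops the PDU (returns None)."""
    plaintext = ctr_crypt(ck, count, ciphertext)
    if not hmac.compare_digest(integrity_tag(ik, count, plaintext), tag):
        return None
    return plaintext


def demo() -> dict:
    count = 7
    packet = INTENDED_DNS + b"dns-query###"   # 16-byte constructed PDU, address in bytes 0..3
    ciphertext = ctr_crypt(CK, count, packet)
    tag = integrity_tag(IK, count, packet)

    # On-path manipulation: the adversary knows the intended address, not the key.
    forged = xor_bytes(ciphertext, manipulation_mask(INTENDED_DNS, FALSE_DNS, 0, len(ciphertext)))

    without = receive_ciphering_only(CK, count, forged)
    with_int = receive_with_integrity(CK, IK, count, forged, tag)
    honest = receive_with_integrity(CK, IK, count, ciphertext, tag)
    return {
        "redirected_when_ciphering_only": without[:4] == FALSE_DNS,
        "payload_untouched": without[4:] == packet[4:],
        "dropped_with_integrity": with_int is None,
        "honest_pdu_accepted": honest == packet,
    }


if __name__ == "__main__":
    print(demo())
```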
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5Goverview
Deploymentsplannedtostartldquosoonldquo
Radiolink5GNewRadio(NR)bull Fastereg10Gbpswith2mslatencybull OpEmizedOFDMbull MassiveMIMObull Twofrequencyranges
bull FR1(below6Ghz)andFR2(above24GhzmmWave)bull Variouscellsizesbull BeFersupportfordifferentQoSrequirements
Suggestedusagesbull IoTARVRentertainmenthomebroadbandhellip
24
Some5Gphysicallayerfeatures
BeammanagementusingldquomassiveMIMOrdquo
Higherfrequenciesbull cannotpenetratesolidobjectsbull shorterrangesbull lessinferencebull moredevicesperm2
Celltypesmicromacropico
25
Source Native Instruments 5G New Radio White Paper
5Gsecurityoverview
Cryptoalgorithmsmostlythesame
AKAprotocolminorimprovementsbull beFerreplayprotecEonasSIMcangeneratenonces
Usertrackingminorupdatesbull SIMscanencryptIMSITMSIforhomeoperatorrsquospublickeybull MorestrictpoliciesforupdaEngtemporaryIDslikeTMSI
FakebasestaEondetecEonmdashheurisEcslikeexpectedsignalstrengthshellip
26
Examplesof5Gsecurityresearch
BasinetalAFormalAnalysisof5GAuthenEcaEonCCSrsquo18bull FormalmodelingandverificaEonof5GAKAbull Foundminorinconsistenciesinthespec
Hussainetal5GReasonerAProperty-DirectedSecurityandPrivacyAnalysisFrameworkfor5GCellularNetworkProtocolCCSrsquo19bull Cross-layermodelingandanalysisbull FindingsminorvulnerabiliEesinRRCandNASlayertolearn
thevicEmsTMSI
HussainetalPrivacyAFackstothe4Gand5GCellularPagingProtocolsUsingSideChannelInformaEonNDSSrsquo19bull MulEplepagingmessagesmayenabletrackingevenifTMSIis
changedfrequently27
From1Gto5G
28
1G 2G 3G 4G 5G
crypto algorithms none weak strong strong strong
AKA none one-way mutual mutual mutual
core network SS7 SS7 SS7 EPC EPC
tracking easy limited limited limited more limited
fake BS easy easy limited limited challenging
jamming DoS possible possible possible possible possible
Discussion
29
Lectureend
Summarybull CellularsecurityevoluEonfrom1Gto5Gbull Radiolinkcorenetworkcryptoprotocolsmanagementhellipbull CommonthemesecurityvsfuncEonalityandcostbull RisksofglobalcommunicaEonsystemsmorebroadly
Readingmaterialbull RupprechtetalBreakingLTEonLayerTwoSampPrsquo19
30
LTEKeyHierarchy
K=masterkey(128bitssharedbetweenHSSandUSIM)CK=confidenEalitykey(128bits)IK=integritykey(128bits)K_ASME=MMEbasekey(256bits)andsoonhellip
9
Source NIST Guide to LTE Security 2017
LTEbackhaulandEPCprotecEon
Backhaul(S1)protecPonbull PhysicalprotecEon(difficultforlongdistances)bull StandardIPsecurity(VPNIPsecPKIhellip)
EPCprotecPonbull SpecisvagueldquoPhysicalandlogicaldivisiontosecuritydomainsrdquobull LikelypracEcestandardIPsecurity
10
LTEhandoversandkeyupdates
HUT 2009-12-09 LTE Security Tutorial Dan Forsberg 37 54
KDF
KDF
Keys in LTE Handovers (HO) bull LTE Security reduces the key
scope and lifetime to minimize the threat of key compromise
1 Forward key separation bull New KeNB key (called NH) from
MME 2 Backward key separation
bull Key chaining with one way hash function
3 Key separation for different target eNBscells bull Phycal cell id (PCI) and
frequency bindings
1 Forward Key Separation
2 Backward Key Separation
3 ldquoKey Separation
Source eNB Target eNB
Source eNB
Target eNB
Target eNB
Target eNB
Target eNB
KeNBA
KeNBB
KeNBC
KeNBD
11
LTEsecurityresearch
Letrsquoslookatthreerecentresearchexamplesbull TrackingShaiketalPracEcalAFacksAgainstPrivacyand
Availabilityin4GLTEMobileCommunicaEonSystemsNDSSrsquo16
bull ManinthemiddleRupprechtetalBreakingLTEonLayerTwoSampPrsquo19
bull JammingLichtmanetalLTELTE-AJammingSpoofingandSniffingThreatAssessmentandMiEgaEonIEEECommunicaEons2016
Otherresearchbull SignalinjecPonYangetalldquoHidinginPlainSignalPhysical
SignalOvershadowingAFackonLTErdquoUSENIXSecurityrsquo19
12
LocaEontrackingmdashBackground
TheserviceareaofoperatordividedintoTrackingAreas(TAs)bull containsagroupofcellseachcontrolledbyaneNodeB
eNodeBbroadcastsoperator-specificinformaEonbull TrackingAreacodeMobileNetworkcodecellID
UEsendsIMSIinfirstAFachrequestbull operatorassignstemporaryidenPfier(TMSIGUTI)bull usedforsubsequentaFachandpaging
13
LocaEontrackingmdashAdversary
AdversarycapabiliEesbull whocanreceiveandsendover-the-airbull possiblewithinexpensiveequipment
Adversarygoalbull learnuserrsquoslocaEon
AFack-enablingobservaEonsbull GUTIreallocaPondepends
onoperatorbull ExamplesameGUTIfor3days
14
Adversary with Universal Software Radio Peripheral (USRP)
LocaEontrackingmdashAFack
Step1SetupfakeBSbull BroadcastvalidTAcodenetworkcodewithhigherpower(orpriority)
Step2LearnuserpresenceinTrackingArea(TA)bull RepeatedshortVoiceoverLTE(VoLTE)callsorsocialmediamessagesbull AdversarymonitoranycellwithinTrackingAreabull SomeintersecEonanalysishellip(detailsskipped)
Step3LearnpreciselocaPonbull FakeBSsendsunprotectedldquoRRCConnecEon
Reconfigrdquomessagesbull UEcomputessignalpowerfor
neighboringcellsandrespondswithaldquoMeasurementreportrdquo
bull MeasurementreportcontainUErsquosGPScoordinates
15
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5Goverview
Deploymentsplannedtostartldquosoonldquo
Radiolink5GNewRadio(NR)bull Fastereg10Gbpswith2mslatencybull OpEmizedOFDMbull MassiveMIMObull Twofrequencyranges
bull FR1(below6Ghz)andFR2(above24GhzmmWave)bull Variouscellsizesbull BeFersupportfordifferentQoSrequirements
Suggestedusagesbull IoTARVRentertainmenthomebroadbandhellip
24
Some5Gphysicallayerfeatures
BeammanagementusingldquomassiveMIMOrdquo
Higherfrequenciesbull cannotpenetratesolidobjectsbull shorterrangesbull lessinferencebull moredevicesperm2
Celltypesmicromacropico
25
Source Native Instruments 5G New Radio White Paper
5Gsecurityoverview
Cryptoalgorithmsmostlythesame
AKAprotocolminorimprovementsbull beFerreplayprotecEonasSIMcangeneratenonces
Usertrackingminorupdatesbull SIMscanencryptIMSITMSIforhomeoperatorrsquospublickeybull MorestrictpoliciesforupdaEngtemporaryIDslikeTMSI
FakebasestaEondetecEonmdashheurisEcslikeexpectedsignalstrengthshellip
26
Examplesof5Gsecurityresearch
BasinetalAFormalAnalysisof5GAuthenEcaEonCCSrsquo18bull FormalmodelingandverificaEonof5GAKAbull Foundminorinconsistenciesinthespec
Hussainetal5GReasonerAProperty-DirectedSecurityandPrivacyAnalysisFrameworkfor5GCellularNetworkProtocolCCSrsquo19bull Cross-layermodelingandanalysisbull FindingsminorvulnerabiliEesinRRCandNASlayertolearn
thevicEmsTMSI
HussainetalPrivacyAFackstothe4Gand5GCellularPagingProtocolsUsingSideChannelInformaEonNDSSrsquo19bull MulEplepagingmessagesmayenabletrackingevenifTMSIis
changedfrequently27
From1Gto5G
28
1G 2G 3G 4G 5G
crypto algorithms none weak strong strong strong
AKA none one-way mutual mutual mutual
core network SS7 SS7 SS7 EPC EPC
tracking easy limited limited limited more limited
fake BS easy easy limited limited challenging
jamming DoS possible possible possible possible possible
Discussion
29
Lectureend
Summarybull CellularsecurityevoluEonfrom1Gto5Gbull Radiolinkcorenetworkcryptoprotocolsmanagementhellipbull CommonthemesecurityvsfuncEonalityandcostbull RisksofglobalcommunicaEonsystemsmorebroadly
Readingmaterialbull RupprechtetalBreakingLTEonLayerTwoSampPrsquo19
30
LTEbackhaulandEPCprotecEon
Backhaul(S1)protecPonbull PhysicalprotecEon(difficultforlongdistances)bull StandardIPsecurity(VPNIPsecPKIhellip)
EPCprotecPonbull SpecisvagueldquoPhysicalandlogicaldivisiontosecuritydomainsrdquobull LikelypracEcestandardIPsecurity
10
LTEhandoversandkeyupdates
HUT 2009-12-09 LTE Security Tutorial Dan Forsberg 37 54
KDF
KDF
Keys in LTE Handovers (HO) bull LTE Security reduces the key
scope and lifetime to minimize the threat of key compromise
1 Forward key separation bull New KeNB key (called NH) from
MME 2 Backward key separation
bull Key chaining with one way hash function
3 Key separation for different target eNBscells bull Phycal cell id (PCI) and
frequency bindings
1 Forward Key Separation
2 Backward Key Separation
3 ldquoKey Separation
Source eNB Target eNB
Source eNB
Target eNB
Target eNB
Target eNB
Target eNB
KeNBA
KeNBB
KeNBC
KeNBD
11
LTEsecurityresearch
Letrsquoslookatthreerecentresearchexamplesbull TrackingShaiketalPracEcalAFacksAgainstPrivacyand
Availabilityin4GLTEMobileCommunicaEonSystemsNDSSrsquo16
bull ManinthemiddleRupprechtetalBreakingLTEonLayerTwoSampPrsquo19
bull JammingLichtmanetalLTELTE-AJammingSpoofingandSniffingThreatAssessmentandMiEgaEonIEEECommunicaEons2016
Otherresearchbull SignalinjecPonYangetalldquoHidinginPlainSignalPhysical
SignalOvershadowingAFackonLTErdquoUSENIXSecurityrsquo19
12
LocaEontrackingmdashBackground
TheserviceareaofoperatordividedintoTrackingAreas(TAs)bull containsagroupofcellseachcontrolledbyaneNodeB
eNodeBbroadcastsoperator-specificinformaEonbull TrackingAreacodeMobileNetworkcodecellID
UEsendsIMSIinfirstAFachrequestbull operatorassignstemporaryidenPfier(TMSIGUTI)bull usedforsubsequentaFachandpaging
13
LocaEontrackingmdashAdversary
AdversarycapabiliEesbull whocanreceiveandsendover-the-airbull possiblewithinexpensiveequipment
Adversarygoalbull learnuserrsquoslocaEon
AFack-enablingobservaEonsbull GUTIreallocaPondepends
onoperatorbull ExamplesameGUTIfor3days
14
Adversary with Universal Software Radio Peripheral (USRP)
LocaEontrackingmdashAFack
Step1SetupfakeBSbull BroadcastvalidTAcodenetworkcodewithhigherpower(orpriority)
Step2LearnuserpresenceinTrackingArea(TA)bull RepeatedshortVoiceoverLTE(VoLTE)callsorsocialmediamessagesbull AdversarymonitoranycellwithinTrackingAreabull SomeintersecEonanalysishellip(detailsskipped)
Step3LearnpreciselocaPonbull FakeBSsendsunprotectedldquoRRCConnecEon
Reconfigrdquomessagesbull UEcomputessignalpowerfor
neighboringcellsandrespondswithaldquoMeasurementreportrdquo
bull MeasurementreportcontainUErsquosGPScoordinates
15
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5Goverview
Deploymentsplannedtostartldquosoonldquo
Radiolink5GNewRadio(NR)bull Fastereg10Gbpswith2mslatencybull OpEmizedOFDMbull MassiveMIMObull Twofrequencyranges
bull FR1(below6Ghz)andFR2(above24GhzmmWave)bull Variouscellsizesbull BeFersupportfordifferentQoSrequirements
Suggestedusagesbull IoTARVRentertainmenthomebroadbandhellip
24
Some5Gphysicallayerfeatures
BeammanagementusingldquomassiveMIMOrdquo
Higherfrequenciesbull cannotpenetratesolidobjectsbull shorterrangesbull lessinferencebull moredevicesperm2
Celltypesmicromacropico
25
Source Native Instruments 5G New Radio White Paper
5Gsecurityoverview
Cryptoalgorithmsmostlythesame
AKAprotocolminorimprovementsbull beFerreplayprotecEonasSIMcangeneratenonces
Usertrackingminorupdatesbull SIMscanencryptIMSITMSIforhomeoperatorrsquospublickeybull MorestrictpoliciesforupdaEngtemporaryIDslikeTMSI
FakebasestaEondetecEonmdashheurisEcslikeexpectedsignalstrengthshellip
26
Examplesof5Gsecurityresearch
BasinetalAFormalAnalysisof5GAuthenEcaEonCCSrsquo18bull FormalmodelingandverificaEonof5GAKAbull Foundminorinconsistenciesinthespec
Hussainetal5GReasonerAProperty-DirectedSecurityandPrivacyAnalysisFrameworkfor5GCellularNetworkProtocolCCSrsquo19bull Cross-layermodelingandanalysisbull FindingsminorvulnerabiliEesinRRCandNASlayertolearn
thevicEmsTMSI
HussainetalPrivacyAFackstothe4Gand5GCellularPagingProtocolsUsingSideChannelInformaEonNDSSrsquo19bull MulEplepagingmessagesmayenabletrackingevenifTMSIis
changedfrequently27
From1Gto5G
28
1G 2G 3G 4G 5G
crypto algorithms none weak strong strong strong
AKA none one-way mutual mutual mutual
core network SS7 SS7 SS7 EPC EPC
tracking easy limited limited limited more limited
fake BS easy easy limited limited challenging
jamming DoS possible possible possible possible possible
Discussion
29
Lectureend
Summarybull CellularsecurityevoluEonfrom1Gto5Gbull Radiolinkcorenetworkcryptoprotocolsmanagementhellipbull CommonthemesecurityvsfuncEonalityandcostbull RisksofglobalcommunicaEonsystemsmorebroadly
Readingmaterialbull RupprechtetalBreakingLTEonLayerTwoSampPrsquo19
30
LTEhandoversandkeyupdates
HUT 2009-12-09 LTE Security Tutorial Dan Forsberg 37 54
KDF
KDF
Keys in LTE Handovers (HO) bull LTE Security reduces the key
scope and lifetime to minimize the threat of key compromise
1 Forward key separation bull New KeNB key (called NH) from
MME 2 Backward key separation
bull Key chaining with one way hash function
3 Key separation for different target eNBscells bull Phycal cell id (PCI) and
frequency bindings
1 Forward Key Separation
2 Backward Key Separation
3 ldquoKey Separation
Source eNB Target eNB
Source eNB
Target eNB
Target eNB
Target eNB
Target eNB
KeNBA
KeNBB
KeNBC
KeNBD
11
LTEsecurityresearch
Letrsquoslookatthreerecentresearchexamplesbull TrackingShaiketalPracEcalAFacksAgainstPrivacyand
Availabilityin4GLTEMobileCommunicaEonSystemsNDSSrsquo16
bull ManinthemiddleRupprechtetalBreakingLTEonLayerTwoSampPrsquo19
bull JammingLichtmanetalLTELTE-AJammingSpoofingandSniffingThreatAssessmentandMiEgaEonIEEECommunicaEons2016
Otherresearchbull SignalinjecPonYangetalldquoHidinginPlainSignalPhysical
SignalOvershadowingAFackonLTErdquoUSENIXSecurityrsquo19
12
LocaEontrackingmdashBackground
TheserviceareaofoperatordividedintoTrackingAreas(TAs)bull containsagroupofcellseachcontrolledbyaneNodeB
eNodeBbroadcastsoperator-specificinformaEonbull TrackingAreacodeMobileNetworkcodecellID
UEsendsIMSIinfirstAFachrequestbull operatorassignstemporaryidenPfier(TMSIGUTI)bull usedforsubsequentaFachandpaging
13
LocaEontrackingmdashAdversary
AdversarycapabiliEesbull whocanreceiveandsendover-the-airbull possiblewithinexpensiveequipment
Adversarygoalbull learnuserrsquoslocaEon
AFack-enablingobservaEonsbull GUTIreallocaPondepends
onoperatorbull ExamplesameGUTIfor3days
14
Adversary with Universal Software Radio Peripheral (USRP)
LocaEontrackingmdashAFack
Step1SetupfakeBSbull BroadcastvalidTAcodenetworkcodewithhigherpower(orpriority)
Step2LearnuserpresenceinTrackingArea(TA)bull RepeatedshortVoiceoverLTE(VoLTE)callsorsocialmediamessagesbull AdversarymonitoranycellwithinTrackingAreabull SomeintersecEonanalysishellip(detailsskipped)
Step3LearnpreciselocaPonbull FakeBSsendsunprotectedldquoRRCConnecEon
Reconfigrdquomessagesbull UEcomputessignalpowerfor
neighboringcellsandrespondswithaldquoMeasurementreportrdquo
bull MeasurementreportcontainUErsquosGPScoordinates
15
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
LTE security research
Let's look at three recent research examples:
• Tracking: Shaik et al., "Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems", NDSS '16
• Man in the middle: Rupprecht et al., "Breaking LTE on Layer Two", IEEE S&P '19
• Jamming: Lichtman et al., "LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation", IEEE Communications Magazine, 2016
Other research:
• Signal injection: Yang et al., "Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE", USENIX Security '19
Location tracking: background
The service area of an operator is divided into Tracking Areas (TAs)
• a TA contains a group of cells, each controlled by an eNodeB
The eNodeB broadcasts operator-specific information
• Tracking Area Code (TAC), Mobile Network Code (MNC), cell ID
The UE sends its IMSI in the first Attach request
• the operator then assigns a temporary identifier (the GUTI, which contains the TMSI)
• the temporary identifier is used for subsequent attach requests and for paging
Location tracking: adversary
Adversary capabilities
• can receive and send over the air
• possible with inexpensive equipment
Adversary goal
• learn the user's location
Attack-enabling observations
• the GUTI reallocation policy depends on the operator
• example: the same GUTI kept for 3 days
Figure: adversary with a Universal Software Radio Peripheral (USRP)
Location tracking: attack
Step 1: Set up a fake BS
• broadcast a valid TA code and network code with higher power (or higher cell-selection priority) than the real cells
Step 2: Learn the user's presence in a Tracking Area (TA)
• trigger paging of the victim with repeated short Voice over LTE (VoLTE) calls or social media messages
• the adversary can monitor any cell within the Tracking Area, since paging is broadcast in every cell of the TA
• some intersection analysis over the observed paging messages… (details skipped)
Step 3: Learn the precise location
• the fake BS sends unprotected "RRC Connection Reconfiguration" messages
• the UE measures the signal power of neighboring cells and responds with a "Measurement report"
• the measurement report contains neighbor-cell signal strengths usable for trilateration and, where the UE includes them, the UE's GPS coordinates
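The "intersection analysis" that the slide skips, as an added example that is not part of the lecture or of Shaik et al.'s paper: the attacker triggers a few notifications to the victim (the VoLTE call or messenger trick above), records which temporary identities are paged in the monitored cell during a short window after each trigger, and intersects those sets. Because paging for an idle UE is broadcast in every cell of the tracking area, the sniffer can sit in any cell of the TA. The paging log, the trigger times and the window length are constructed for the demonstration; a real capture would decode S-TMSIs from PCCH paging messages, and the window depends on the operator's paging configuration (assumed here to be a few seconds).

```python
"""Added example (not from the lecture or from Shaik et al.): isolating the victim's
temporary identifier on the LTE paging channel by intersecting the sets of identities
paged shortly after each attacker-triggered notification. The paging log, trigger
times and window length are constructed; a real sniffer would decode S-TMSIs from
PCCH paging messages in any cell of the tracking area."""
from collections import Counter

# Constructed paging log: (seconds since capture start, paged S-TMSI as hex).
# The victim ("d1c3e5f7") is paged after every trigger; the rest is background paging.
PAGING_LOG = [
    (0.4, "0a11b2c3"), (1.1, "d1c3e5f7"), (1.3, "77aa88bb"), (4.0, "0a11b2c3"),
    (30.2, "d1c3e5f7"), (30.9, "5e5e5e5e"), (31.5, "77aa88bb"), (45.0, "0a11b2c3"),
    (60.7, "9f9f0101"), (61.0, "d1c3e5f7"), (61.2, "5e5e5e5e"), (80.3, "0a11b2c3"),
    (90.1, "d1c3e5f7"), (90.4, "0a11b2c3"), (91.9, "c0ffee00"),
]
# Constructed: when the attacker placed a short VoLTE call / sent a silent message.
TRIGGERS = [0.0, 29.5, 60.0, 89.0]
PAGING_WINDOW_S = 3.0  # assumption: the page for an idle UE arrives within a few seconds


def paged_after(log, trigger, window=PAGING_WINDOW_S):
    """Identities paged in the interval (trigger, trigger + window]."""
    return {tmsi for t, tmsi in log if trigger < t <= trigger + window}


def candidates_by_intersection(log, triggers, window=PAGING_WINDOW_S):
    """Identities paged after every trigger: the strict intersection analysis."""
    sets = [paged_after(log, tr, window) for tr in triggers]
    return (set.intersection(*sets) if sets else set()), sets


def triggers_needed(log, triggers, window=PAGING_WINDOW_S):
    """Smallest number of triggers whose intersection leaves one candidate (0 if never)."""
    common = None
    for k, tr in enumerate(triggers, start=1):
        paged = paged_after(log, tr, window)
        common = paged if common is None else common & paged
        if len(common) == 1:
            return k
    return 0


def candidates_by_vote(log, triggers, window=PAGING_WINDOW_S, min_hits=None):
    """Tolerant variant: identities paged after at least min_hits of the triggers.
    A lost paging message or a trigger the network coalesced would empty the strict
    intersection; counting hits keeps the victim at the top instead."""
    counts = Counter()
    for tr in triggers:
        counts.update(paged_after(log, tr, window))
    threshold = len(triggers) if min_hits is None else min_hits
    return {tmsi for tmsi, n in counts.items() if n >= threshold}
```

With the constructed log, one trigger leaves three candidates, two leave two, and the third trigger isolates the victim; the vote-based variant with a lower threshold shows why a too-tolerant analysis lets background traffic back in. Where the GUTI is not reallocated for days (the slide's example), the identifier learned this way stays valid for just as long.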
Location tracking: analysis
All signaling (control messages) should be integrity-protected…
• so how is this possible?
Attack root cause
• the LTE spec allows unprotected RRC measurement reports
• this is an explicit exception to the general policy
• benign use: connection troubleshooting
Likely reason for such a design decision
• availability was seen as more important than privacy in this particular case
How significant is such an attack in practice?
Man in the middle: background
MAC layer: each UE must be uniquely distinguishable and needs a Radio Network Temporary Identity (RNTI)
The eNodeB uses Downlink Control Information (DCI) to notify a UE when radio resources are available on the downlink and uplink
Recall that LTE encryption (EEA2) uses AES in counter mode (AES-CTR)
• the keystream is XORed with the plaintext (the SNOW 3G and ZUC options, EEA1 and EEA3, are stream ciphers too)
• so flipping a bit of the ciphertext flips the same bit of the decrypted plaintext, and nothing notices unless the data is also integrity-protected
Man in the middle: attack
Attacker model: low-budget software-defined radio
Step 1: Learn the user from encrypted traffic
• exploit the temporary identifier on the MAC layer
• observe connection establishment
• learn both the TMSI and the RNTI (a few details skipped)
• use paging to map the TMSI to a phone number
Source: Rupprecht et al., "Breaking LTE on Layer Two", IEEE S&P '19
Enables traffic profiling
Man in the middle (3/4)
Step 2: Modify encrypted traffic → redirection
• the UE sends an encrypted packet to the intended DNS server
• the adversary, relaying between UE and eNodeB, captures the encrypted DNS request and XORs it with a "manipulation mask"
• the adversary forwards the manipulated packet
• the packet gets decrypted on the network side and delivered to a false DNS server
Source: Rupprecht et al., "Breaking LTE on Layer Two", IEEE S&P '19
Man in the middle: analysis
Attack root causes
• identifiers live on lower stack layers (the RNTI on the MAC layer) while encryption is done on a higher layer (PDCP), so the identifier is visible in the clear
• the LTE spec does not require integrity protection for user-plane data (only ciphering), so the ciphertext is malleable
Figure: from the LTE specification; the threats were well known some 10 years ago…
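The two root causes above, worked through on a packet, as an added example that is not from the lecture or from Rupprecht et al.'s paper: a stream-cipher ciphertext with no integrity tag lets the relay XOR a "manipulation mask" over the IPv4 destination field without knowing the key, and the redirected packet is still accepted if the attacker picks a DNS server address whose 16-bit words add up to the same ones' complement sum as the original (so the IPv4 and UDP checksums remain valid). The keystream is a toy hash-based counter stream standing in for EEA2, all addresses and the DNS query are constructed, and it is assumed that the attacker knows the operator's DNS server address and the fixed position of the destination field in the header. The last part adds the protection LTE omits for user data: an integrity tag over the plaintext, which rejects the manipulated packet.

```python
"""Added example (not from the lecture or from Rupprecht et al.): an aLTEr-style
"manipulation mask" on a counter-mode ciphertext without an integrity tag, plus the
checksum-preserving address choice that keeps the redirected DNS packet valid. The
keystream is a toy hash-based stream standing in for EEA2; everything is constructed."""
import hashlib
import hmac
import socket
import struct

UE_IP = "10.20.30.40"               # constructed subscriber address
OPERATOR_DNS = "10.0.0.53"          # constructed: resolver the UE really talks to
ATTACKER_DNS = "10.1.0.52"          # constructed: 0x0A01+0x0034 == 0x0A00+0x0035
NAIVE_ATTACKER_DNS = "10.66.77.88"  # constructed: breaks the IPv4 and UDP checksums
# constructed DNS A query for example.com: 12-byte header followed by the question
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by the IPv4 header and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_dns_query(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Minimal IPv4/UDP datagram to port 53 with valid IPv4 and UDP checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    udp_csum = checksum(pseudo + struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload) or 0xFFFF
    udp = struct.pack("!HHHH", 40000, 53, udp_len, udp_csum) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0, src, dst)
    return ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:] + udp


def inspect(pkt: bytes):
    """What the network side sees after decryption: (destination, IPv4 checksum ok, UDP checksum ok)."""
    ip_hdr, udp = pkt[:20], pkt[20:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return socket.inet_ntoa(ip_hdr[16:20]), checksum(ip_hdr) == 0, checksum(pseudo + udp) == 0


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Toy counter-mode keystream (a stand-in for EEA2, not the real algorithm)."""
    out = b"".join(hashlib.sha256(key + struct.pack("!II", count, b)).digest()
                   for b in range(length // 32 + 1))
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, count: int, data: bytes) -> bytes:
    return xor(data, keystream(key, count, len(data)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def manipulation_mask(length: int, old_dst: str, new_dst: str) -> bytes:
    """All zeros except old_dst XOR new_dst over the IPv4 destination field (bytes 16..19)."""
    delta = xor(socket.inet_aton(old_dst), socket.inet_aton(new_dst))
    return bytes(16) + delta + bytes(length - 20)


def alter_redirect(ciphertext: bytes, old_dst: str, new_dst: str) -> bytes:
    """The relay's step: XOR the mask into the ciphertext; no key material is needed."""
    return xor(ciphertext, manipulation_mask(len(ciphertext), old_dst, new_dst))


def same_checksum_contribution(ip_a: str, ip_b: str) -> bool:
    """True when both addresses contribute the same ones' complement value to a checksum."""
    return ones_complement_sum(socket.inet_aton(ip_a)) == ones_complement_sum(socket.inet_aton(ip_b))


def protect(ckey: bytes, ikey: bytes, count: int, data: bytes) -> bytes:
    """Encryption plus a 32-bit integrity tag over (count, plaintext), like a PDCP MAC-I."""
    tag = hmac.new(ikey, struct.pack("!I", count) + data, hashlib.sha256).digest()[:4]
    return encrypt(ckey, count, data) + tag


def unprotect(ckey: bytes, ikey: bytes, count: int, msg: bytes):
    """Returns the plaintext, or None when the tag does not verify."""
    data = decrypt(ckey, count, msg[:-4])
    tag = hmac.new(ikey, struct.pack("!I", count) + data, hashlib.sha256).digest()[:4]
    return data if hmac.compare_digest(tag, msg[-4:]) else None


def demo(ckey: bytes = b"k" * 16, ikey: bytes = b"i" * 16, count: int = 7):
    """Runs the redirection without and with integrity protection; returns what the receiver sees."""
    query = build_dns_query(UE_IP, OPERATOR_DNS, DNS_QUERY)
    ct = encrypt(ckey, count, query)
    redirected = decrypt(ckey, count, alter_redirect(ct, OPERATOR_DNS, ATTACKER_DNS))
    naive = decrypt(ckey, count, alter_redirect(ct, OPERATOR_DNS, NAIVE_ATTACKER_DNS))
    protected = protect(ckey, ikey, count, query)
    tampered = alter_redirect(protected, OPERATOR_DNS, ATTACKER_DNS)
    return {"original": inspect(query), "redirected": inspect(redirected), "naive": inspect(naive),
            "integrity_ok": unprotect(ckey, ikey, count, protected) == query,
            "tampered_accepted": unprotect(ckey, ikey, count, tampered) is not None}
```

Calling demo() shows the original query addressed to 10.0.0.53 with both checksums valid, the redirected copy addressed to 10.1.0.52 with both checksums still valid, the naive choice 10.66.77.88 failing both checksums, and the integrity-protected variant accepting the genuine packet while rejecting the manipulated one. The UDP checksum survives for the same reason as the IPv4 one: its pseudo-header covers the destination address, and the chosen address contributes the same ones' complement sum.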
Jamming
Targeted jamming of different control channels and signals has different difficulty and effectiveness…
Brute-force jamming of the whole band is always possible…
Source: Lichtman et al., "LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation", IEEE Communications Magazine, 2016
4G/LTE security summary
Security updates
• new crypto algorithms (SNOW 3G and AES; ZUC was added in a later release)
• new core network (EPC)
• minor security updates like the extended key hierarchy, handover protection, backhaul protection…
Remaining issues
• limited user tracking
• minor integrity violations
• user traffic profiling
Fifth generation
Figure: "Powered by evolving mobile technologies for better experiences" (generation timeline, 1980's to 2020's)
• 1G (1980's): AMPS, NMT, TACS; analog voice; no data
• 2G (1990's): D-AMPS, GSM/GPRS, cdmaOne; digital voice + simple data; peak < 0.5 Mbps (1)
• 3G (2000's): CDMA2000/EV-DO, WCDMA/HSPA+, TD-SCDMA; mobile broadband; 63+ Mbps (2)
• 4G (2010's): LTE, LTE Advanced; faster and better, richer content (video), more connections; 300+ Mbps (3)
• 5G (2020's)
(1) Peak data rate for GSM/GPRS; the latest Evolved EDGE has peak DL data rates of up to 1.2 Mbps. (2) Peak data rate for HSPA+ DL 3-carrier CA; the HSPA+ specification includes additional potential CA and use of multiple antennas, but no announcements to date. (3) Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA; the LTE specification includes additional potential CA and additional use of multiple antennas, but no announcements to date.
5G overview
Deployments planned to start "soon"
Radio link: 5G New Radio (NR)
• faster, e.g. 10 Gbps with 2 ms latency
• optimized OFDM
• massive MIMO
• two frequency ranges: FR1 (below 6 GHz) and FR2 (above 24 GHz, mmWave)
• various cell sizes
• better support for different QoS requirements
Suggested usages
• IoT, AR/VR, entertainment, home broadband…
Some 5G physical layer features
Beam management using "massive MIMO"
Higher frequencies
• cannot penetrate solid objects
• shorter ranges
• less interference
• more devices per m²
Cell types: micro, macro, pico
Source: National Instruments, 5G New Radio White Paper
5G security overview
Crypto algorithms: mostly the same
AKA protocol: minor improvements
• better replay protection, as the SIM can generate nonces
User tracking: minor updates
• the SIM can encrypt the permanent identifier (the IMSI, called SUPI in 5G) under the home operator's public key before sending it, so it no longer crosses the air interface in the clear
• stricter policies for updating temporary IDs like the TMSI/GUTI
Fake base station detection: heuristics like expected signal strengths…
Examples of 5G security research
Basin et al., "A Formal Analysis of 5G Authentication", CCS '18
• formal modeling and verification of 5G AKA
• found minor inconsistencies in the spec
Hussain et al., "5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol", CCS '19
• cross-layer modeling and analysis
• findings: minor vulnerabilities in the RRC and NAS layers that let an attacker learn the victim's TMSI
Hussain et al., "Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information", NDSS '19
• multiple paging messages may enable tracking even if the TMSI is changed frequently
From 1G to 5G
                    1G        2G        3G        4G        5G
crypto algorithms   none      weak      strong    strong    strong
AKA                 none      one-way   mutual    mutual    mutual
core network        SS7       SS7       SS7       EPC       EPC (non-standalone) / 5G Core (standalone)
tracking            easy      limited   limited   limited   more limited
fake BS             easy      easy      limited   limited   challenging
jamming / DoS       possible  possible  possible  possible  possible
Discussion
Lecture end
Summary
• cellular security evolution from 1G to 5G
• radio link, core network, crypto, protocols, management…
• common theme: security vs. functionality and cost
• risks of global communication systems more broadly
Reading material
• Rupprecht et al., "Breaking LTE on Layer Two", IEEE S&P '19
LocaEontrackingmdashBackground
TheserviceareaofoperatordividedintoTrackingAreas(TAs)bull containsagroupofcellseachcontrolledbyaneNodeB
eNodeBbroadcastsoperator-specificinformaEonbull TrackingAreacodeMobileNetworkcodecellID
UEsendsIMSIinfirstAFachrequestbull operatorassignstemporaryidenPfier(TMSIGUTI)bull usedforsubsequentaFachandpaging
13
LocaEontrackingmdashAdversary
AdversarycapabiliEesbull whocanreceiveandsendover-the-airbull possiblewithinexpensiveequipment
Adversarygoalbull learnuserrsquoslocaEon
AFack-enablingobservaEonsbull GUTIreallocaPondepends
onoperatorbull ExamplesameGUTIfor3days
14
Adversary with Universal Software Radio Peripheral (USRP)
LocaEontrackingmdashAFack
Step1SetupfakeBSbull BroadcastvalidTAcodenetworkcodewithhigherpower(orpriority)
Step2LearnuserpresenceinTrackingArea(TA)bull RepeatedshortVoiceoverLTE(VoLTE)callsorsocialmediamessagesbull AdversarymonitoranycellwithinTrackingAreabull SomeintersecEonanalysishellip(detailsskipped)
Step3LearnpreciselocaPonbull FakeBSsendsunprotectedldquoRRCConnecEon
Reconfigrdquomessagesbull UEcomputessignalpowerfor
neighboringcellsandrespondswithaldquoMeasurementreportrdquo
bull MeasurementreportcontainUErsquosGPScoordinates
15
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5Goverview
Deploymentsplannedtostartldquosoonldquo
Radiolink5GNewRadio(NR)bull Fastereg10Gbpswith2mslatencybull OpEmizedOFDMbull MassiveMIMObull Twofrequencyranges
bull FR1(below6Ghz)andFR2(above24GhzmmWave)bull Variouscellsizesbull BeFersupportfordifferentQoSrequirements
Suggestedusagesbull IoTARVRentertainmenthomebroadbandhellip
24
Some5Gphysicallayerfeatures
BeammanagementusingldquomassiveMIMOrdquo
Higherfrequenciesbull cannotpenetratesolidobjectsbull shorterrangesbull lessinferencebull moredevicesperm2
Celltypesmicromacropico
25
Source Native Instruments 5G New Radio White Paper
5Gsecurityoverview
Cryptoalgorithmsmostlythesame
AKAprotocolminorimprovementsbull beFerreplayprotecEonasSIMcangeneratenonces
Usertrackingminorupdatesbull SIMscanencryptIMSITMSIforhomeoperatorrsquospublickeybull MorestrictpoliciesforupdaEngtemporaryIDslikeTMSI
FakebasestaEondetecEonmdashheurisEcslikeexpectedsignalstrengthshellip
26
Examplesof5Gsecurityresearch
BasinetalAFormalAnalysisof5GAuthenEcaEonCCSrsquo18bull FormalmodelingandverificaEonof5GAKAbull Foundminorinconsistenciesinthespec
Hussainetal5GReasonerAProperty-DirectedSecurityandPrivacyAnalysisFrameworkfor5GCellularNetworkProtocolCCSrsquo19bull Cross-layermodelingandanalysisbull FindingsminorvulnerabiliEesinRRCandNASlayertolearn
thevicEmsTMSI
HussainetalPrivacyAFackstothe4Gand5GCellularPagingProtocolsUsingSideChannelInformaEonNDSSrsquo19bull MulEplepagingmessagesmayenabletrackingevenifTMSIis
changedfrequently27
From1Gto5G
28
1G 2G 3G 4G 5G
crypto algorithms none weak strong strong strong
AKA none one-way mutual mutual mutual
core network SS7 SS7 SS7 EPC EPC
tracking easy limited limited limited more limited
fake BS easy easy limited limited challenging
jamming DoS possible possible possible possible possible
Discussion
29
Lectureend
Summarybull CellularsecurityevoluEonfrom1Gto5Gbull Radiolinkcorenetworkcryptoprotocolsmanagementhellipbull CommonthemesecurityvsfuncEonalityandcostbull RisksofglobalcommunicaEonsystemsmorebroadly
Readingmaterialbull RupprechtetalBreakingLTEonLayerTwoSampPrsquo19
30
LocaEontrackingmdashAdversary
AdversarycapabiliEesbull whocanreceiveandsendover-the-airbull possiblewithinexpensiveequipment
Adversarygoalbull learnuserrsquoslocaEon
AFack-enablingobservaEonsbull GUTIreallocaPondepends
onoperatorbull ExamplesameGUTIfor3days
14
Adversary with Universal Software Radio Peripheral (USRP)
LocaEontrackingmdashAFack
Step1SetupfakeBSbull BroadcastvalidTAcodenetworkcodewithhigherpower(orpriority)
Step2LearnuserpresenceinTrackingArea(TA)bull RepeatedshortVoiceoverLTE(VoLTE)callsorsocialmediamessagesbull AdversarymonitoranycellwithinTrackingAreabull SomeintersecEonanalysishellip(detailsskipped)
Step3LearnpreciselocaPonbull FakeBSsendsunprotectedldquoRRCConnecEon
Reconfigrdquomessagesbull UEcomputessignalpowerfor
neighboringcellsandrespondswithaldquoMeasurementreportrdquo
bull MeasurementreportcontainUErsquosGPScoordinates
15
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5Goverview
Deploymentsplannedtostartldquosoonldquo
Radiolink5GNewRadio(NR)bull Fastereg10Gbpswith2mslatencybull OpEmizedOFDMbull MassiveMIMObull Twofrequencyranges
bull FR1(below6Ghz)andFR2(above24GhzmmWave)bull Variouscellsizesbull BeFersupportfordifferentQoSrequirements
Suggestedusagesbull IoTARVRentertainmenthomebroadbandhellip
24
Some5Gphysicallayerfeatures
BeammanagementusingldquomassiveMIMOrdquo
Higherfrequenciesbull cannotpenetratesolidobjectsbull shorterrangesbull lessinferencebull moredevicesperm2
Celltypesmicromacropico
25
Source Native Instruments 5G New Radio White Paper
5Gsecurityoverview
Cryptoalgorithmsmostlythesame
AKAprotocolminorimprovementsbull beFerreplayprotecEonasSIMcangeneratenonces
Usertrackingminorupdatesbull SIMscanencryptIMSITMSIforhomeoperatorrsquospublickeybull MorestrictpoliciesforupdaEngtemporaryIDslikeTMSI
FakebasestaEondetecEonmdashheurisEcslikeexpectedsignalstrengthshellip
26
Examplesof5Gsecurityresearch
BasinetalAFormalAnalysisof5GAuthenEcaEonCCSrsquo18bull FormalmodelingandverificaEonof5GAKAbull Foundminorinconsistenciesinthespec
Hussainetal5GReasonerAProperty-DirectedSecurityandPrivacyAnalysisFrameworkfor5GCellularNetworkProtocolCCSrsquo19bull Cross-layermodelingandanalysisbull FindingsminorvulnerabiliEesinRRCandNASlayertolearn
thevicEmsTMSI
HussainetalPrivacyAFackstothe4Gand5GCellularPagingProtocolsUsingSideChannelInformaEonNDSSrsquo19bull MulEplepagingmessagesmayenabletrackingevenifTMSIis
changedfrequently27
From1Gto5G
28
1G 2G 3G 4G 5G
crypto algorithms none weak strong strong strong
AKA none one-way mutual mutual mutual
core network SS7 SS7 SS7 EPC EPC
tracking easy limited limited limited more limited
fake BS easy easy limited limited challenging
jamming DoS possible possible possible possible possible
Discussion
29
Lectureend
Summarybull CellularsecurityevoluEonfrom1Gto5Gbull Radiolinkcorenetworkcryptoprotocolsmanagementhellipbull CommonthemesecurityvsfuncEonalityandcostbull RisksofglobalcommunicaEonsystemsmorebroadly
Readingmaterialbull RupprechtetalBreakingLTEonLayerTwoSampPrsquo19
30
LocaEontrackingmdashAFack
Step1SetupfakeBSbull BroadcastvalidTAcodenetworkcodewithhigherpower(orpriority)
Step2LearnuserpresenceinTrackingArea(TA)bull RepeatedshortVoiceoverLTE(VoLTE)callsorsocialmediamessagesbull AdversarymonitoranycellwithinTrackingAreabull SomeintersecEonanalysishellip(detailsskipped)
Step3LearnpreciselocaPonbull FakeBSsendsunprotectedldquoRRCConnecEon
Reconfigrdquomessagesbull UEcomputessignalpowerfor
neighboringcellsandrespondswithaldquoMeasurementreportrdquo
bull MeasurementreportcontainUErsquosGPScoordinates
15
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5Goverview
Deploymentsplannedtostartldquosoonldquo
Radiolink5GNewRadio(NR)bull Fastereg10Gbpswith2mslatencybull OpEmizedOFDMbull MassiveMIMObull Twofrequencyranges
bull FR1(below6Ghz)andFR2(above24GhzmmWave)bull Variouscellsizesbull BeFersupportfordifferentQoSrequirements
Suggestedusagesbull IoTARVRentertainmenthomebroadbandhellip
24
Some5Gphysicallayerfeatures
BeammanagementusingldquomassiveMIMOrdquo
Higherfrequenciesbull cannotpenetratesolidobjectsbull shorterrangesbull lessinferencebull moredevicesperm2
Celltypesmicromacropico
25
Source Native Instruments 5G New Radio White Paper
5Gsecurityoverview
Cryptoalgorithmsmostlythesame
AKAprotocolminorimprovementsbull beFerreplayprotecEonasSIMcangeneratenonces
Usertrackingminorupdatesbull SIMscanencryptIMSITMSIforhomeoperatorrsquospublickeybull MorestrictpoliciesforupdaEngtemporaryIDslikeTMSI
FakebasestaEondetecEonmdashheurisEcslikeexpectedsignalstrengthshellip
26
Examplesof5Gsecurityresearch
BasinetalAFormalAnalysisof5GAuthenEcaEonCCSrsquo18bull FormalmodelingandverificaEonof5GAKAbull Foundminorinconsistenciesinthespec
Hussainetal5GReasonerAProperty-DirectedSecurityandPrivacyAnalysisFrameworkfor5GCellularNetworkProtocolCCSrsquo19bull Cross-layermodelingandanalysisbull FindingsminorvulnerabiliEesinRRCandNASlayertolearn
thevicEmsTMSI
HussainetalPrivacyAFackstothe4Gand5GCellularPagingProtocolsUsingSideChannelInformaEonNDSSrsquo19bull MulEplepagingmessagesmayenabletrackingevenifTMSIis
changedfrequently27
From1Gto5G
28
1G 2G 3G 4G 5G
crypto algorithms none weak strong strong strong
AKA none one-way mutual mutual mutual
core network SS7 SS7 SS7 EPC EPC
tracking easy limited limited limited more limited
fake BS easy easy limited limited challenging
jamming DoS possible possible possible possible possible
Discussion
29
Lectureend
Summarybull CellularsecurityevoluEonfrom1Gto5Gbull Radiolinkcorenetworkcryptoprotocolsmanagementhellipbull CommonthemesecurityvsfuncEonalityandcostbull RisksofglobalcommunicaEonsystemsmorebroadly
Readingmaterialbull RupprechtetalBreakingLTEonLayerTwoSampPrsquo19
30
LocaEontrackingmdashAnalysis
Allsignaling(controlmessages)shouldbeintegrity-protectedhellipbull Sohowisthispossible
AFackrootcausebull LTEspecallowsunprotectedRRCmeasurementreportsbull ThisisanexplicitexcepEontogeneralpolicybull BenignuseconnecEontroubleshooEng
Likelyreasonforsuchdesigndecisionbull Availabilitywasseenmoreimportantthanprivacyinthis
parEcularcase
HowsignificantissuchaFackinpracEce
16
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
FithgeneraEon
23
5
Powered by evolving mobile technologies for better experiences
NA lt05 Mbps1 63+ Mbps2 300+ Mbps3
Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Mobile 2G D-AMPS GSMGPRS
cdmaOne
Mobile 3G CDMA2000EV-DO
WCDMAHSPA+ TD-SCDMA
Mobile 4G LTE LTE LTE Advanced
Mobile 1G AMPS NMT TACS
Richer Content (Video)
More Connections
1 Peak data rate for GSMGPRS latest Evolved EDGE has peak DL data rates capable of up to 12 Mbps 2 Peak data rate for HSPA+ DL 3-carrier CA HSPA+ specification includes additional potential CA + use of multiple antennas but no announcements to date 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA LTE specification includes additional potential CA + additional use of multiple antennas but no announcements to date
5G
1980rsquos 1990rsquos 2000rsquos 2010rsquos 2020rsquos
5Goverview
Deploymentsplannedtostartldquosoonldquo
Radiolink5GNewRadio(NR)bull Fastereg10Gbpswith2mslatencybull OpEmizedOFDMbull MassiveMIMObull Twofrequencyranges
bull FR1(below6Ghz)andFR2(above24GhzmmWave)bull Variouscellsizesbull BeFersupportfordifferentQoSrequirements
Suggestedusagesbull IoTARVRentertainmenthomebroadbandhellip
24
Some5Gphysicallayerfeatures
BeammanagementusingldquomassiveMIMOrdquo
Higherfrequenciesbull cannotpenetratesolidobjectsbull shorterrangesbull lessinferencebull moredevicesperm2
Celltypesmicromacropico
25
Source Native Instruments 5G New Radio White Paper
5Gsecurityoverview
Cryptoalgorithmsmostlythesame
AKAprotocolminorimprovementsbull beFerreplayprotecEonasSIMcangeneratenonces
Usertrackingminorupdatesbull SIMscanencryptIMSITMSIforhomeoperatorrsquospublickeybull MorestrictpoliciesforupdaEngtemporaryIDslikeTMSI
FakebasestaEondetecEonmdashheurisEcslikeexpectedsignalstrengthshellip
26
Examplesof5Gsecurityresearch
BasinetalAFormalAnalysisof5GAuthenEcaEonCCSrsquo18bull FormalmodelingandverificaEonof5GAKAbull Foundminorinconsistenciesinthespec
Hussainetal5GReasonerAProperty-DirectedSecurityandPrivacyAnalysisFrameworkfor5GCellularNetworkProtocolCCSrsquo19bull Cross-layermodelingandanalysisbull FindingsminorvulnerabiliEesinRRCandNASlayertolearn
thevicEmsTMSI
HussainetalPrivacyAFackstothe4Gand5GCellularPagingProtocolsUsingSideChannelInformaEonNDSSrsquo19bull MulEplepagingmessagesmayenabletrackingevenifTMSIis
changedfrequently27
From1Gto5G
28
1G 2G 3G 4G 5G
crypto algorithms none weak strong strong strong
AKA none one-way mutual mutual mutual
core network SS7 SS7 SS7 EPC EPC
tracking easy limited limited limited more limited
fake BS easy easy limited limited challenging
jamming DoS possible possible possible possible possible
Discussion
29
Lectureend
Summarybull CellularsecurityevoluEonfrom1Gto5Gbull Radiolinkcorenetworkcryptoprotocolsmanagementhellipbull CommonthemesecurityvsfuncEonalityandcostbull RisksofglobalcommunicaEonsystemsmorebroadly
Readingmaterialbull RupprechtetalBreakingLTEonLayerTwoSampPrsquo19
30
ManinthemiddlemdashBackground
MAClayereachUEmustbeuniquelydisEnguishableandneedsaRadioNetworkTemporaryIden6ty(RNTI)
eNodeBuElizesDownlinkControlInforma6on(DCI)tonoEfywhenradioresourcesareavailableondownlinkanduplink
RecallthatLTEencrypEonusingAES-CTRbull XORkeystreamwithplaintext
17
RTNI
ManinthemiddlemdashAFack
Aackermodellow-budgetsotware-definedradio
Step1Learnuserfromencryptedtrafficbull exploittemporaryidenEfieronMAClayerbull observeconnecEonestablishmentbull learnbothTMSIandRTNI(fewdetailsskipped)bull usepagingtomapTMSItophonenumber
18
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
Enables traffic profiling
Maninthemiddle(34)
Step2ModifyencryptedtrafficmdashgtredirecPonbull UEsendencryptedpackettointendedDNSserverbull AdversarycapturesDNSrequestandapplies
ldquomanipulaEonmaskrdquobull Adversaryforwardsthemanipulatedpacketbull PacketgetdecryptedanddeliveredtofalseDNSserver
19
Source Rupprecht et al Breaking LTE on Layer Two SampPrsquo19
ManinthemiddlemdashAnalysis
Aackrootcausesbull IdenEfiersonlowerstacklevels(RTNIonMAClayer)while
encrypEondoneonhigherlevels(PDCP)bull IntegrityprotecEonopEonal
20
From LTE specification
Threats were well-known some 10 years agohellip
Jamming
TargetedjammingofdifferentcontrolchannelsandsignalshavedifferentdifficultyandeffecEvenesshellip
Bruteforcealwayspossiblehellip
21Source Lichtman et al LTELTE-A Jamming Spoofing and Sniffing Threat Assessment and Mitigation IEEE Communications 2016
4GLTEsecuritysummary
Securityupdatesbull Newcryptoalgorithms(SnowandAES)bull Newcorenetwork(EPC)bull Minorsecurityupdateslikeextendedkeyhierarchy
handoverprotecEonbackhaulprotecEonhellip
Remainingissuesbull Limitedusertrackingbull MinorintegrityviolaEonbull Usertrafficprofiling
22
Fifth generation
(Figure: "Powered by evolving mobile technologies for better experiences", timeline 1980s to 2020s. Mobile 1G (AMPS, NMT, TACS): analog voice, peak rate N/A. Mobile 2G (D-AMPS, GSM/GPRS, cdmaOne): digital voice + simple data, <0.5 Mbps. Mobile 3G (CDMA2000/EV-DO, WCDMA/HSPA+, TD-SCDMA): mobile broadband, 63+ Mbps. Mobile 4G (LTE, LTE Advanced): faster and better, 300+ Mbps. 5G: richer content (video), more connections. Footnotes: 2G figure is the GSM/GPRS peak rate, latest Evolved EDGE has peak DL rates up to 1.2 Mbps; 3G figure is HSPA+ DL 3-carrier CA, the HSPA+ specification includes additional potential CA and use of multiple antennas but no announcements to date; 4G figure is LTE Advanced Cat 6 with 20 + 20 MHz DL CA, the LTE specification includes additional potential CA and additional use of multiple antennas but no announcements to date.)
5G overview
• Deployments planned to start "soon"
• Radio link: 5G New Radio (NR)
  • Faster, e.g. 10 Gbps with 2 ms latency
  • Optimized OFDM
  • Massive MIMO
  • Two frequency ranges: FR1 (below 6 GHz) and FR2 (above 24 GHz, mmWave)
  • Various cell sizes
  • Better support for different QoS requirements
• Suggested usages
  • IoT, AR/VR, entertainment, home broadband…
Some 5G physical layer features
• Beam management using "massive MIMO"
• Higher frequencies
  • cannot penetrate solid objects
  • shorter ranges
  • less interference
  • more devices per m²
• Cell types: micro, macro, pico
Source: Native Instruments 5G New Radio White Paper
5G security overview
• Crypto algorithms mostly the same
• AKA protocol: minor improvements
  • better replay protection, as the SIM can generate nonces
• User tracking: minor updates
  • SIMs can encrypt the IMSI/TMSI under the home operator's public key
  • More strict policies for updating temporary IDs like the TMSI
• Fake base station detection: heuristics like expected signal strengths…
Examples of 5G security research
• Basin et al. A Formal Analysis of 5G Authentication, CCS '18
  • Formal modeling and verification of 5G AKA
  • Found minor inconsistencies in the spec
• Hussain et al. 5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol, CCS '19
  • Cross-layer modeling and analysis
  • Findings: minor vulnerabilities in RRC and NAS layer to learn the victim's TMSI
• Hussain et al. Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information, NDSS '19
  • Multiple paging messages may enable tracking even if the TMSI is changed frequently
From 1G to 5G

                    1G        2G        3G        4G        5G
crypto algorithms   none      weak      strong    strong    strong
AKA                 none      one-way   mutual    mutual    mutual
core network        SS7       SS7       SS7       EPC       EPC
tracking            easy      limited   limited   limited   more limited
fake BS             easy      easy      limited   limited   challenging
jamming / DoS       possible  possible  possible  possible  possible
Discussion

Lecture end
Summary
• Cellular security evolution from 1G to 5G
• Radio link, core network, crypto, protocols, management…
• Common theme: security vs functionality and cost
• Risks of global communication systems more broadly

Reading material
• Rupprecht et al. Breaking LTE on Layer Two, S&P '19