fos lte imsi catchers - h.a.c.k.catching the imsi • no more key/security context in ue • ue will...

17

FOS LTE IMSI CATCHER DOMI

Upload: others

Post on 26-May-2020

22 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

Page 1: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

FOSLTEIMSICATCHERDOMI

Page 2: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

WARNING!ThistalkwillbeaboutclassicIMSIcatchers– do

notexpectMITMcalls,dataetc.

Page 3: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

GSMIMSIcatcher- recap• CreateafakeBTSwith• highreselectionvalue(C1,C2)• randomlocationareacode

• PhoneswillconnectandinitiateLocationUpdate• ReplywithIdentityRequest(requestIMSI)• AftergettingtheIMSIsendLUReject– cause13oranyotherdependingonyourintention

Page 4: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Whycouldwedothis?Nomutualauthentication,thenetworkisalwaystrusted

Rejectmessagesneedtobeunencrypted

(Sh*tty ornullcryptoalsoleadtoMITMetc.)

Page 5: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

LTEArchitecture

EUTRANArchitecturebyCrati underCCBY-SA3.0

INTERNETPSTNPLMN

Page 6: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

ChangesinLTE•Mutualauthentication

• Integrityprotection

• Bettercrypto

Page 7: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Procedureimprovements•MostproceduresrequireASsecurityenabled(integrityprotection)• UEsdropnon-protectedmessagesoncetheyhaveestablishedsecuritycontext

•Shouldbefine,right?

Page 8: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Page 9: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Tinylittleprotocolproblem…

Page 10: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

TrackingAreaUpdateReject• UEsendsaTrackingAreaUpdateRequest• RogueeNodeB rejectsitwithcause9

3GPPTS24.301-5.5.3.2.5

Page 11: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

CatchingtheIMSI• Nomorekey/securitycontextinUE

• UEwillinitiateattach

• ItisallowedtoaskforitsIMSIinanIDENTITYREQUEST

• AftergettingitwesendanATTACHREJECTwithcause#12(TrackingAreanotallowed)

Page 12: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

HWandSW• USRPandlaptop•ManyopensourceLTEprojects(thisisAWESOMEbtw):•openLTE•OpenAirInterface• srsLTE andsrsUE• OwnimplementationofMME/corenetwork(pendingrequesttoopensourceit)

Page 13: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

RogueeNodeB• Needtosomehow‘lure’UEs• InGSMyoujustneededaneighborcell’sfrequency+highreselectionvalue• InLTEalistoffrequenciesarebroadcastedwiththeirpriorities–>youneedtodecodethelist,andselectthefrequencywiththehighestpriority

Page 14: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Page 15: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

ThesePeoplearegreat!*APPLAUSE*• Ravishankar Borgaonkar andAltaf ShaikfordiscoveringtheTAURejectvuln (andmanyotherproblems)inLTE• BenoitMichau forthelibrarymycorenetworkisbasedon• PhilippeLanglois andElvisPfützenreuter forpysctp

•MymentorsduringmyinternshipatQualcomm:KevinRedonandNicoGolde

Page 16: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Q&A

Page 17: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Thankyou!Key-ID:E2712651

Fingerprint:811C3FC3CFCB16E4BAEBF5FB7440DF59E2712651

IMSI catchers legal analysis - Privacy International...IMSI catcher use, including the extent that this surveillance technique interferes with human rights in a democratic society

Mobile Subscriber WiFiPrivacy - ieee-security.org •Mobile identifiers •IMSI Catchers/Trackers –Conventional –WiFi-based •WiFiauthentication flaws •EAP-SIM/AKA Formal Analysis

Catching IMSI-catcher-catchers: An e ectiveness … e ectiveness review of IMSI-catcher-catcher applications Author: ... In our research we take three well known and ... and the network

NEIGHBOURHOOD WATCHED · Body worn video cameras 7 Social media intelligence 7 IMSI catchers 8 ... Read our short explainers and learn more at: ... that the police are using in secret

Mobile network security - the need to measure security in ... · PDF fileSeminar on IMSI-catchers, Fornebu, 26Aug2015 Mobile network security - the need to measure security in the

THE PROBLEM OF PRIVATE IDENTIFICATION … · (Mobile Subscriber Identification Number) 4 LTE -Subscriber’s Identification Subscriber IMSI Identification UE eNodeB ... –Run eNodeB_Jammerusing

Polismyndighetens användning av IMSI- catchersuu.diva-portal.org/smash/get/diva2:1342523/FULLTEXT01.pdf2 IMSI-catchers 2.1 Inledning För att klargöra på vilket sätt och i vilken

Trashing IMSI Catchers in Mobile Networks · Trashing IMSI Catchers in Mobile Networks WiSec ’17 , July 18-20, 2017, Boston, MA, USA exclusive-or. The MAC is a message authentication

ACS IMSI Pool Configuration Mode Commands · ACS IMSI Pool Configuration Mode Commands TheACSIMSIPoolConfigurationModeisusedtodefineapoolofsubscriberInternationalMobileStation Identifier(IMSI

Catching IMSI Catchers

Peter Ney*, Ian Smith*, Gabriel Cadamuro, and Tadayoshi Kohno … · 2018-07-23 · 1 Introduction Cell-site simulators, also known as IMSI-catchers or stingrays, ... data sets in

IMSI-Catch Me If You Can: IMSI-Catcher-Catchers · IMSI Catcher-like functionality to lock the radio channel. As IMSI Catchers perform an active radio attack, we put forward multiple

Defeating IMSI Catchers - Institute for Computing and ...fabianbr/Defeating_IMSI_Catchers.pdf · Defeating IMSI Catchers Fabian van den Broek Institute for Computing and Information

White-Stingray: Evaluating IMSI Catchers Detection Applications … · White-Stingray: Evaluating IMSI Catchers Detection Applications Ravishankar Borgaonkar, Andrew Martin Department

Catching IMSI-catcher-catchers: An e ectiveness …...Catching IMSI-catcher-catchers: An e ectiveness review of IMSI-catcher-catcher applications Author: Bauke Brenninkmeijer 4366298

Defeating IMSI Catchers - Institute for Computing and ...rverdult/Defeating_IMSI_Catchers-CCS_2015.pdf · Defeating IMSI Catchers Fabian van den Broek Institute for Computing and

An investigation into the claims of IMSI catchers use in ... · An investigation into the claims of IMSI catchers use in Oslo in late ... Technical overview Data set Analysis of Delma

Low Cost Stingrays (IMSI-Catchers) - CyberCamp · 2018. 12. 17. · Introducción #CyberCamp18 • An International Mobile Subscriber Identity-catcher, or IMSI-catcher, is a telephone

IMSI-Catch Me If You Can: IMSI-Catcher-Catchers · Catcher will produce all of the artifacts described below. 4.1 Choosing a Frequency To increase signal quality, avoid radio interference,

CellScope: Automatically Specifying and Verifying …IMSI [1] A. Dabrowski etc. IMSI-Catch Me If You Can: IMSI-Catcher-Catchers. ACSAC’14 [2] Guan-Hua Tu etc. Control-Plane Protocol

BOLSTERING DATA PRIVACY AND MOBILE …...2018/06/27 · IMSI catchers and rogue base stations, commonly known by their brand name ‘‘Stingray,’’ are devices used for intercepting

Spidey: Android-based Stingray Detector - GitHub Pagesjtwarren.github.io/files/spidey.pdf · Spidey: Android-based Stingray Detector ... IMSI catchers, meaning that people whose information

IMSI-Catch Me If You Can: IMSI-Catcher-CatchersIMSI-Catch Me If You Can: IMSI-Catcher-Catchers Adrian Dabrowski SBA ... therefore reduce the risk of tracking individual ... No other

Project Overwatch: Multi-National Effort to Combat IMSI ... · PDF fileSESSION ID: #RSAC Trent Smith. Project Overwatch: Multi-National Effort to Combat IMSI Catchers. MBS-F03. Director

IMSI catcher detection and evolution - Simula · B IMSI catcher detection pitfalls (2/3) False positive causes Femto cells behave very similar to IMSI catchers: a. Query IMSI + IMEI

Perspectives of Physical Layer Security (Physec) for the ... · hacking systems (such as advanced IMSI catchers for example [2]) that operate at the radio interface of wireless networks,

OSM#9 Hackfest · 2020. 6. 1. · Software Components: eNodeB + UE 16 Configuration: Information needed: Where is EPC Core Radio parameters (MCC, MNC, etc) UE parameters (IMSI, encryption

IMSI Catchers and Mobile Security...to prevent them from accessing the GSM network. Figure 2: Simplified GSM network architecture [9] 2.4.2 Authentication and Encryption When a Mobile

Trashing IMSI Catchers in Mobile Networks - Chris · PDF fileTrashing IMSI Catchers in Mobile Networks Mohammed Sha ul Alam Khan ISG, Royal Holloway, University of London Egham, Surrey

· PDF file11/17/2017 · posed by IMSI catchers and the steps DHS has taken to respond appropriately. To that end, please respond to the following questions: