security of cellular network s : man-in-the middle attacks
DESCRIPTION
Security of Cellular Network s : Man-in-the Middle Attacks. Mario Č agalj University of Split 201 3/2014. ‘ Security in the GSM system ’ by Jeremy Quirke, 2004. Introduction. Nowadays, mobile phones are used by 80-90% of the world’s population (billion of users) Evolution - PowerPoint PPT PresentationTRANSCRIPT
Mario Čagalj
University of Split
2013/2014.
Security of Cellular Networks: Man-in-the Middle Attacks
‘Security in the GSM system’ by Jeremy Quirke, 2004
IntroductionNowadays, mobile phones are used by 80-90% of the
world’s population (billion of users)Evolution
1G: analog cellular networks2G: digital cellular networks with GSM (Global System for Mobile
Communications) beign the most popular and the most widely used standard (circuit switching) other 2G: technologies IS-95 – CDMA based (US), PDC (Japan), etc.
2.5G: GPRS (General Packet Radio Service) – packet switching 2.75G: EDGE – faster data service3G: UMTS (CDMA based), HSPA for data traffic (e.g., 5-10 Mbps)
other 3G: CDMA2000 (US, S. Korea)
4G: LTE (OFDM based), peak data rates of 100Mbps2
GSM security specifications
Cellular Network ArchitectureA high level view
3
ExternalNetwork
Cellular Network
MobileStation Base
StationMobileSwitchingCenter
Databases(e.g., Home Location Register)
EPFL, JPH
Cellular Network ArchitectureRegistration Process
4
Tune on the strongest signal
Nr: 079/4154678
EPFL, JPH
Cellular Network ArchitectureService Request
5
079/4154678079/8132627 079/4154678
079/8132627
EPFL, JPH
Cellular Network ArchitecturePaging Broadcast (locating a particular mobile station in case of mobile terminated call)
6
079/8132627?079/8132627?
079/8132627?
079/8132627?
Note: paging makes sense only over a small area
EPFL, JPH
Cellular Network ArchitectureResponse
7
079/8132627
079/8132627
EPFL, JPH
Cellular Network ArchitectureChannel Assignement
8
Channel47
Channel47 Channel
68
Channel68
EPFL, JPH
Cellular Network ArchitectureConversation
9EPFL, JPH
Cellular Network ArchitectureHandover (or Handoff)
10EPFL, JPH
Cellular Network ArchitectureMessage Sequence Chart
11
CallerBaseStation
Switch BaseStation Callee
Periodic registration Periodic registration
Service request Service request
Ring indicationRing indication
Page requestPage requestPaging broadcast Paging broadcast
Paging responsePaging response
Assign Ch. 47Tune to Ch.47
Assign Ch. 68 Tune to Ch. 68
Alert tone
User responseUser responseStop ring indicationStop ring indication
EPFL, JPH
GSM System Architecture
Based on ‘Mobile Communications: Wireless Telecommunication Systems’
Architecture of the GSM systemGSM is a PLMN (Public Land Mobile Network)
several providers setup mobile networks following the GSM standard within each country
componentsMS (mobile station)BS (base station)MSC (mobile switching center)LR (location register)
subsystemsRSS (radio subsystem): covers all radio aspectsNSS (network and switching subsystem): call forwarding, handover,
switchingOSS (operation subsystem): management of the network
13
GSM: overview
fixed network
BSC
BSC
MSC MSC
GMSC
OMC, EIR, AUC
VLR
HLRNSSwith OSS
RSS
VLR
14
Please check http://gsmfordummies.com/architecture/arch.shtml
BSS
radiosubsystem
MS MS
BTSBSC
BTS
BTSBSC
BTS
network and switching subsystem
MSC
MSC
fixednetworks
IWF
ISDNPSTN
PSPDNCSPDN
SS7
EIR
HLR
VLR
ISDNPSTN
GSM: system architecture
15
System architecture: radio subsystem
ComponentsMS (Mobile Station)BSS (Base Station Subsystem):
consisting of BTS (Base Transceiver Station):
sender and receiver BSC (Base Station Controller):
controlling several transceivers
BSS
radiosubsystem
network and switchingsubsystem
MS MS
BTSBSC MSC
BTS
BTSBSC
BTSMSC
16
Radio subsystemThe Radio Subsystem (RSS) comprises the cellular mobile
network up to the switching centersComponents
Base Station Subsystem (BSS):Base Transceiver Station (BTS): radio components including sender,
receiver, antenna - if directed antennas are used one BTS can cover several cells
Base Station Controller (BSC): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels onto terrestrial channels
Mobile Stations (MS)
17
possible radio coverage of the cell
idealized shape of the cellcell
segmentation of the area into cellsGSM: cellular network
use of several carrier frequenciesnot the same frequency in adjoining cellscell sizes vary from some 100 m up to 35 km depending on user
density, geography, transceiver power etc.hexagonal shape of cells is idealized (cells overlap, shapes depend on
geography)if a mobile user changes cells
handover of the connection to the neighbor cell18
System architecture: network and switching subsystem
Components MSC (Mobile Services Switching Center) IWF (Interworking Functions)
ISDN (Integrated Services Digital Network) PSTN (Public Switched Telephone Network) PSPDN (Packet Switched Public Data Net.) CSPDN (Circuit Switched Public Data Net.)
Databases HLR (Home Location Register) VLR (Visitor Location Register) EIR (Equipment Identity Register)
networksubsystem
MSC
MSC
fixed partnernetworks
IWF
ISDNPSTN
PSPDNCSPDN
SS
7
EIR
HLR
VLR
ISDNPSTN
19
Network and switching subsystemNSS is the main component of the public mobile network GSM
switching, mobility management, interconnection to other networks, system control
ComponentsMobile Services Switching Center (MSC)
controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC
Databases (important: scalability, high capacity, low delay) Home Location Register (HLR)
central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
Visitor Location Register (VLR)local database for a subset of user data, including data about all user currently in the domain of the VLR
20
Mobile Services Switching CenterThe MSC (mobile switching center) plays a central role in
GSMswitching functionsadditional functions for mobility supportmanagement of network resourcesinterworking functions via Gateway MSC (GMSC)integration of several databases
21
Operation subsystemThe OSS (Operation Subsystem) enables centralized operation,
management, and maintenance of all GSM subsystemsComponents
Authentication Center (AUC) generates user specific authentication parameters on request of a VLR authentication parameters used for authentication of mobile terminals and
encryption of user data on the air interface within the GSM system Equipment Identity Register (EIR)
registers GSM mobile stations and user rights stolen or malfunctioning mobile stations can be locked and sometimes even
localizedOperation and Maintenance Center (OMC)
different control capabilities for the radio subsystem and the network subsystem
22
Mobile Terminated Call
PSTNcallingstation GMSC
HLR VLR
BSSBSSBSS
MSC
MS
1 2
3
45
6
7
8 9
10
11 12
1316
10 10
11 11 11
14 15
17
1: calling a GSM subscriber2: forwarding call to GMSC3: signal call setup to HLR4, 5: request MSRN (roaming number) from VLR6: forward responsible MSC to GMSC7: forward call to current MSC8, 9: get current status of MS10, 11: paging of MS12, 13: MS answers14, 15: security checks16, 17: set up connection
23
Please check http://gsmfordummies.com/gsmevents/mobile_terminated.shtml
Mobile Originated Call
PSTN GMSC
VLR
BSS
MSC
MS 1
2
6 53 4
9
10
7 8
1, 2: connection request3, 4: security check5-8: check resources (free circuit)9-10: set up call
24
Mobile Terminated and Mobile Originated CallsBTSMS
paging request
channel request
immediate assignment
paging response
authentication request
authentication response
ciphering command
ciphering complete
setup
call confirmed
assignment command
assignment complete
alerting
connect
connect acknowledge
data/speech exchange
BTSMS
channel request
immediate assignment
service request
authentication request
authentication response
ciphering command
ciphering complete
setup
call confirmed
assignment command
assignment complete
alerting
connect
connect acknowledge
data/speech exchange
MTC MOC
25
Security in GSM
Based on: ‘Security in the GSM system’ by Jeremy Quirke ‘The GSM Standard (An overview of its security)’ by SANS Institute InfoSec Reading Room
‘Mobile Communications: Wireless Telecommunication Systems’
Security Services in GSMAccess control/authentication
user <--x-- SIM (Subscriber Identity Module): secret PIN (personal identification number)
SIM <--x-- network: challenge response method
Confidentialityvoice and signaling encrypted on the wireless link (after successful
authentication)Anonymity
temporary identity TMSI (Temporary Mobile Subscriber Identity)newly assigned at each new location update (LUP)encrypted transmission
27
Security Services in GSM Authentication
SIM (Subscriber Identity Module) cardsmartcard inserted into a mobiel phonecontains all necessary details to obtain access to an account
unique IMSI (International Mobile Subscriber Identity)Ki - the individual subscriber authentication key (128bit, used to generate
all other encryption and authentication keying GSM material) highly protected – the mobile phone never learns this key, mobile only forwards
any required material to the SIM known only to the SIM and network AUC (Authentication Center)
SIM unlocked using a PIN or PUKauthentication (A3 algorithm) and key generation (A8 algorithm)
is performed in the SIMSIM contains a microprocessor 28
Security Services in GSM Authentication
A3
RANDKi
128 bit 128 bit
SRES* 32 bit
A3
RAND Ki
128 bit 128 bit
SRES 32 bit
SRES* =? SRES SRES
RAND
SRES32 bit
mobile network SIM
AC
MSC
SIM
Ki: individual subscriber authentication key SRES: signed response 29
Security Services in GSM Authentication
Kc: Session encryption key generated together with SRES 30
Security Services in GSM Encryption
A8
RANDKi
128 bit 128 bit
Kc
64 bit
A8
RAND Ki
128 bit 128 bit
SRES
RAND
encrypteddata
mobile network (BTS) MS with SIM
AC
BTS
SIM
A5
Kc
64 bit
A5MS
data data
cipherkey
31
Security Services in GSM Authentication and Encryption
A3 and A8 algorithms are both run in SIM at the same time on the same input (RAND, Ki)A3A8 = COMP128v1, COMP128v2, COMP123v3 (serious weaknesses known)not used in UMTS
Encryption algorithm A5symmetric encryption algorithmvoice/data encryption performed by a phone using generated encryption key Kc
32
Security Services in GSM Encryption
A5 algorithmsA5/0 – no encryption usedA5/1 and A5/2 developed far from public domain and later found
flawed stream ciphers based on linear feedback shift registers A5/2 completely broken (not used anymore in GSM) A5/1 is a bit stronger but also broken by many researchers
A5/3 – is a block cipher based on Kasumi encryption algorithmused in UMTS, GSM, and GPRS mobile communications systemspublic and reasonably secure (at least at the moment)
33
Security Services in GSM Summary
34
Security Weaknesess in GSM
A mobile phone does not authenticate the base station!only mobile authenticate to BS (one-way authentication)fake BS and man-in-the middle attacks possible
attacker does not have to know authentication key Ki
A5/0 - No Encryption algorithm is a valid choice in GSM for voice, SMS, GPRS, EDGE services
Many weaknesses in A5 family of encryption algorithms35
Security Weaknesess in GSM
36
Security Services in GSM Anonymity
Preventing eavesdropper (listening attacker) from determining if a particular subscriber is/was in the given arealocation privacythanks to long ranges a very powerful attackattacker uses IMSI (International Mobile Subscriber Identity)
IMSI Catchers
To preserve location privacy GSM defines TMSI (Temporary Mobile Subscriber Identity)when a phone turned on, IMSI from SIM transmitted in clear to the AUC
after this TMSI is assigned to this user for location privacy after each location update or a predefined time out, a new TMSI is assigned to the
mobile phone a new TMSI is sent encrypted (whenever possible)
VLR database contains mapping TMSI to IMSI 37
Security Services in GSM Anonymity
38
Security Services in GSM Anonymity
39
Security Weaknesess in GSMAttack Against the Anonymity Service
GSM provisions for situation when the network somhow loses track of a particular TMSIin this case the network must ask the subscriber its IMSI over the radio link
using the IDENTITY REQUEST and IDENTITY RESPONSE mechanismhowever, the connection cannot be encrypted if the network does not know
the IMSI and so the IMSI is sent in plain textthe attacker can use this to map known TMSI and unknown and user-specific
IMSI
40
Countermeasures: UMTS
UMTS defines 2-way authentication and mandates the use of stronger encryption and authentication primitivesprevents MITM attacks by a fake BS, but be cautious...
Still many reasons to worry aboutmost mobiles support < 3G standards (GPRS, EDGE)
when signal is bad, hard to supprot UMTS ratesmobile providers already invested a lot of money and do not give up upon
‘old’ BSS equippment femtocells
41
Many Reason to Worry About Your Privacy
http://www.theregister.co.uk/2008/05/20/tracking_phones/
http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/ (check also http://www.pathintelligence.com)
http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdf
http://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdf
42