Security of Cellular Networks: Man-in-the-Middle Attacks

Mario Čagalj
University of Split
2013/2014

Based on 'Security in the GSM system' by Jeremy Quirke, 2004

Introduction

Nowadays, mobile phones are used by 80-90% of the world's population (billions of users).

Evolution:
- 1G: analog cellular networks
- 2G: digital cellular networks, with GSM (Global System for Mobile Communications) being the most popular and most widely used standard (circuit switching); other 2G technologies: IS-95 (CDMA based, US), PDC (Japan), etc.
- 2.5G: GPRS (General Packet Radio Service), packet switching
- 2.75G: EDGE, faster data service
- 3G: UMTS (CDMA based), HSPA for data traffic (e.g., 5-10 Mbps); other 3G: CDMA2000 (US, S. Korea)
- 4G: LTE (OFDM based), peak data rates of 100 Mbps

GSM security specifications

Cellular Network Architecture: A High-Level View

Figure: mobile station, base station, mobile switching center and databases (e.g., Home Location Register) inside the cellular network, which connects to the external network. (Figure: EPFL, JPH)

Cellular Network Architecture: Registration Process

Figure: the mobile station (number 079/4154678) tunes to the strongest signal and registers with that base station. (Figure: EPFL, JPH)

Cellular Network Architecture: Service Request

Figure: mobile 079/4154678 requests a call to 079/8132627; the request passes from its base station to the switch. (Figure: EPFL, JPH)

Cellular Network Architecture: Paging Broadcast (locating a particular mobile station in case of a mobile-terminated call)

Figure: every base station in the area broadcasts the page "079/8132627?". (Figure: EPFL, JPH)

Note: paging makes sense only over a small area.

Cellular Network Architecture: Response

Figure: the called mobile 079/8132627 answers the page through its base station, which forwards the response to the switch. (Figure: EPFL, JPH)

Cellular Network Architecture: Channel Assignment

Figure: the caller is assigned channel 47 and the callee channel 68 on their respective base stations. (Figure: EPFL, JPH)

Cellular Network Architecture: Conversation

(Figure: EPFL, JPH)

Cellular Network Architecture: Handover (or Handoff)

(Figure: EPFL, JPH)

Cellular Network Architecture: Message Sequence Chart

Participants: Caller, Base Station, Switch, Base Station, Callee

1. Periodic registration: caller and callee each register with their base station
2. Service request: caller -> base station -> switch
3. Page request: switch -> callee's base station; paging broadcast towards the callee
4. Paging response: callee -> base station -> switch
5. Assign Ch. 47 / Tune to Ch. 47 on the caller side
6. Assign Ch. 68 / Tune to Ch. 68 on the callee side
7. Ring indication to the callee, alert tone to the caller
8. User response (callee answers); stop ring indication

(Figure: EPFL, JPH)

GSM System Architecture

Based on 'Mobile Communications: Wireless Telecommunication Systems'

Architecture of the GSM System

GSM is a PLMN (Public Land Mobile Network): several providers set up mobile networks following the GSM standard within each country.

Components:
- MS (mobile station)
- BS (base station)
- MSC (mobile switching center)
- LR (location register)

Subsystems:
- RSS (radio subsystem): covers all radio aspects
- NSS (network and switching subsystem): call forwarding, handover, switching
- OSS (operation subsystem): management of the network

GSM: Overview

Figure: the RSS (BSCs) connects to the NSS (MSCs, GMSC, VLRs, HLR) and the OSS (OMC, EIR, AUC); the GMSC connects to the fixed network.

Please check http://gsmfordummies.com/architecture/arch.shtml

GSM: System Architecture

Figure: radio subsystem (MS, BTS, BSC, grouped as BSS), network and switching subsystem (MSC, EIR, HLR, VLR, SS7 signalling, IWF) and fixed networks (ISDN, PSTN, PSPDN, CSPDN).

System Architecture: Radio Subsystem

Components:
- MS (Mobile Station)
- BSS (Base Station Subsystem), consisting of
  - BTS (Base Transceiver Station): sender and receiver
  - BSC (Base Station Controller): controlling several transceivers

Figure: MSs served by BTSs, BTSs controlled by a BSC, BSCs connected to the MSCs of the network and switching subsystem.

Radio Subsystem

The Radio Subsystem (RSS) comprises the cellular mobile network up to the switching centers.

Components:
- Base Station Subsystem (BSS):
  - Base Transceiver Station (BTS): radio components including sender, receiver, antenna; if directed antennas are used, one BTS can cover several cells
  - Base Station Controller (BSC): switching between BTSs, controlling BTSs, managing network resources, mapping of radio channels onto terrestrial channels
- Mobile Stations (MS)

GSM: Cellular Network

Figure: segmentation of the area into cells; the possible radio coverage of a cell versus its idealized (hexagonal) shape.

- use of several carrier frequencies
- not the same frequency in adjoining cells
- cell sizes vary from some 100 m up to 35 km depending on user density, geography, transceiver power, etc.
- the hexagonal shape of cells is idealized (cells overlap, shapes depend on geography)
- if a mobile user changes cells: handover of the connection to the neighbor cell

System Architecture: Network and Switching Subsystem

Components:
- MSC (Mobile Services Switching Center)
- IWF (Interworking Functions)
- ISDN (Integrated Services Digital Network)
- PSTN (Public Switched Telephone Network)
- PSPDN (Packet Switched Public Data Network)
- CSPDN (Circuit Switched Public Data Network)

Databases:
- HLR (Home Location Register)
- VLR (Visitor Location Register)
- EIR (Equipment Identity Register)

Figure: MSCs with EIR, HLR and VLR interconnected over SS7; the IWF connects to the fixed partner networks (ISDN, PSTN, PSPDN, CSPDN).

Network and Switching Subsystem

NSS is the main component of the public mobile network GSM: switching, mobility management, interconnection to other networks, system control.

Components:
- Mobile Services Switching Center (MSC): controls all connections via a separate network to/from a mobile terminal within the domain of the MSC; several BSCs can belong to one MSC
- Databases (important: scalability, high capacity, low delay)
  - Home Location Register (HLR): central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
  - Visitor Location Register (VLR): local database for a subset of user data, including data about all users currently in the domain of the VLR

Mobile Services Switching Center

The MSC (mobile switching center) plays a central role in GSM:
- switching functions
- additional functions for mobility support
- management of network resources
- interworking functions via the Gateway MSC (GMSC)
- integration of several databases

Operation Subsystem

The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems.

Components:
- Authentication Center (AUC): generates user-specific authentication parameters on request of a VLR; these parameters are used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system
- Equipment Identity Register (EIR): registers GSM mobile stations and user rights; stolen or malfunctioning mobile stations can be locked and sometimes even localized
- Operation and Maintenance Center (OMC): different control capabilities for the radio subsystem and the network subsystem

Mobile Terminated Call

Figure: calling station (PSTN) -> GMSC -> HLR/VLR -> MSC -> BSS -> MS, with the numbered steps below.

1: calling a GSM subscriber
2: forwarding call to GMSC
3: signal call setup to HLR
4, 5: request MSRN (roaming number) from VLR
6: forward responsible MSC to GMSC
7: forward call to current MSC
8, 9: get current status of MS
10, 11: paging of MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection

Please check http://gsmfordummies.com/gsmevents/mobile_terminated.shtml

Mobile Originated Call

Figure: MS -> BSS -> MSC -> VLR, then MSC -> GMSC -> PSTN, with the numbered steps below.

1, 2: connection request
3, 4: security check
5-8: check resources (free circuit)
9, 10: set up call

Mobile Terminated and Mobile Originated Calls

Message sequence between MS and BTS.

MTC (mobile terminated call):
1. paging request (BTS -> MS)
2. channel request (MS -> BTS)
3. immediate assignment
4. paging response
5. authentication request
6. authentication response
7. ciphering command
8. ciphering complete
9. setup
10. call confirmed
11. assignment command
12. assignment complete
13. alerting
14. connect
15. connect acknowledge
16. data/speech exchange

MOC (mobile originated call):
1. channel request (MS -> BTS)
2. immediate assignment
3. service request
4. authentication request
5. authentication response
6. ciphering command
7. ciphering complete
8. setup
9. call confirmed
10. assignment command
11. assignment complete
12. alerting
13. connect
14. connect acknowledge
15. data/speech exchange

Security in GSM

Based on:
- 'Security in the GSM system' by Jeremy Quirke
- 'The GSM Standard (An overview of its security)', SANS Institute InfoSec Reading Room
- 'Mobile Communications: Wireless Telecommunication Systems'

Security Services in GSM

Access control/authentication:
- user <--x-- SIM (Subscriber Identity Module): secret PIN (personal identification number)
- SIM <--x-- network: challenge-response method

Confidentiality:
- voice and signaling encrypted on the wireless link (after successful authentication)

Anonymity:
- temporary identity TMSI (Temporary Mobile Subscriber Identity)
- newly assigned at each new location update (LUP)
- encrypted transmission

Security Services in GSM: Authentication

SIM (Subscriber Identity Module) card:
- smartcard inserted into a mobile phone
- contains all necessary details to obtain access to an account:
  - unique IMSI (International Mobile Subscriber Identity)
  - Ki, the individual subscriber authentication key (128 bit, used to generate all other GSM authentication and encryption keying material)
    - highly protected: the mobile phone never learns this key, it only forwards any required material to the SIM
    - known only to the SIM and the network AUC (Authentication Center)
- SIM unlocked using a PIN or PUK
- authentication (A3 algorithm) and key generation (A8 algorithm) are performed in the SIM
- SIM contains a microprocessor

Security Services in GSM: Authentication

Challenge-response between the network and the SIM:
- the AC (Authentication Center) generates a random challenge RAND (128 bit) and computes SRES* = A3(Ki, RAND) (32 bit) with its copy of Ki (128 bit)
- the MSC sends RAND to the mobile, which forwards it to the SIM
- the SIM computes SRES = A3(Ki, RAND) (32 bit) and returns it
- the MSC checks SRES* =? SRES
- Ki: individual subscriber authentication key; SRES: signed response

Kc: session encryption key, generated together with SRES.

Security Services in GSM: Encryption

Key derivation and ciphering:
- the AC computes Kc = A8(Ki, RAND) (64 bit) from the same RAND and Ki (128 bit each); the SIM computes the same Kc from RAND and its own Ki
- Kc is handed to the BTS inside the network and is never sent over the air
- the BTS and the MS run A5 with Kc as cipher key to encrypt and decrypt data on the radio link

Security Services in GSM: Authentication and Encryption

- A3 and A8 are both run in the SIM at the same time on the same input (RAND, Ki)
- A3A8 = COMP128v1, COMP128v2, COMP128v3 (serious weaknesses known; COMP128v1 additionally sets the 10 least significant bits of Kc to zero, leaving an effective 54-bit key); not used in UMTS
- Encryption algorithm A5: symmetric encryption algorithm; voice/data encryption is performed by the phone using the generated encryption key Kc

Security Services in GSM: Encryption

A5 algorithms:
- A5/0: no encryption used
- A5/1 and A5/2: developed in secret (outside the public domain) and later found flawed; stream ciphers based on linear feedback shift registers
  - A5/2 completely broken (not used anymore in GSM)
  - A5/1 is a bit stronger but also broken by many researchers
- A5/3: built on the KASUMI block cipher, run in a keystream-generating mode on the air interface; used in UMTS, GSM, and GPRS; public and reasonably secure (at least at the moment). Note that in GSM the 64-bit Kc is repeated to form the 128-bit KASUMI key, so the effective key length stays 64 bits.

Security Services in GSM: Summary

(Figure.)

Security Weaknesses in GSM

- A mobile phone does not authenticate the base station! Only the mobile authenticates to the BS (one-way authentication), so fake BS and man-in-the-middle attacks are possible; the attacker does not have to know the authentication key Ki.
- A5/0 (no encryption) is a valid choice in GSM for voice, SMS, GPRS and EDGE services, and the ciphering mode command that selects it is not integrity protected, so the phone cannot tell whether the real network or a fake BS chose it.
- Many weaknesses in the A5 family of encryption algorithms.
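The challenge-response of the authentication and encryption slides and the fake-base-station weakness above, modelled end to end. This is an added example, not code from the slides or from any GSM implementation: A3, A8 and A5 are replaced by HMAC/hash stand-ins (an assumption; the real algorithms are the operator's COMP128 variant and A5/1), and every class, function and parameter name is chosen for the example. Only the interfaces follow GSM: A3(Ki, RAND) gives a 32-bit SRES, A8(Ki, RAND) a 64-bit Kc, and A5 ciphers a burst under Kc and the frame number.

```python
"""GSM one-way authentication (A3), Kc derivation (A8), ciphering (A5) and the
fake-base-station attack from the slides, as a runnable model. A3/A8/A5 are
HMAC/hash stand-ins (assumption; the real ones are COMP128 and A5/1); only the
interfaces match: A3 -> 32-bit SRES, A8 -> 64-bit Kc, A5 -> keystream per burst."""
import hashlib
import hmac
import os


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 128-bit Ki, 128-bit RAND -> 32-bit SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 128-bit Ki, 128-bit RAND -> 64-bit Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5(kc: bytes, frame: int, data: bytes) -> bytes:
    """Stand-in for A5/1: XOR with a keystream derived from Kc and the frame number."""
    stream = hashlib.sha256(kc + frame.to_bytes(4, "big")).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


class SIM:
    """Holds Ki; the phone only ever receives SRES and Kc from it."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)


class MobileStation:
    """Phone side. Nothing checks who sent RAND, and the CIPHERING MODE COMMAND
    is obeyed unconditionally, A5/0 (no encryption) included."""
    def __init__(self, sim: SIM):
        self.sim, self.kc, self.cipher = sim, None, None

    def authentication_response(self, rand: bytes) -> bytes:
        sres, self.kc = self.sim.run_gsm_algorithm(rand)
        return sres

    def ciphering_mode_command(self, algo: str) -> None:
        self.cipher = algo

    def send(self, frame: int, data: bytes) -> bytes:
        return data if self.cipher == "A5/0" else a5(self.kc, frame, data)


class AuC:
    """Authentication Center: the only network element holding Ki; issues (RAND, SRES, Kc)."""
    def __init__(self):
        self._keys = {}

    def provision(self, imsi: str) -> SIM:
        self._keys[imsi] = os.urandom(16)
        return SIM(imsi, self._keys[imsi])

    def triplet(self, imsi: str):
        rand, ki = os.urandom(16), self._keys[imsi]
        return rand, a3(ki, rand), a8(ki, rand)


class MSC:
    """MSC/VLR: sends RAND, compares SRES, hands Kc to the BTS; Kc never goes over the air."""
    def __init__(self, auc: AuC):
        self.auc, self._pending = auc, {}

    def authentication_request(self, imsi: str) -> bytes:
        rand, sres, kc = self.auc.triplet(imsi)
        self._pending[imsi] = (sres, kc)
        return rand

    def authentication_response(self, imsi: str, sres: bytes) -> bool:
        return hmac.compare_digest(self._pending[imsi][0], sres)

    def session_key(self, imsi: str) -> bytes:
        return self._pending[imsi][1]


def honest_session(ms: MobileStation, msc: MSC, frame: int, data: bytes):
    """MS authenticates to the real network; the network decrypts with its own copy of Kc."""
    imsi = ms.sim.imsi
    ok = msc.authentication_response(imsi, ms.authentication_response(msc.authentication_request(imsi)))
    ms.ciphering_mode_command("A5/1")
    return ok, a5(msc.session_key(imsi), frame, ms.send(frame, data))


def fake_bs_session(ms: MobileStation, frame: int, data: bytes) -> bytes:
    """Fake BS without Ki: any RAND, SRES ignored, A5/0 ordered, plaintext read off the air."""
    ms.authentication_response(os.urandom(16))
    ms.ciphering_mode_command("A5/0")
    return ms.send(frame, data)


def relay_session(victim: MobileStation, msc: MSC) -> bool:
    """MITM: the attacker claims the victim's IMSI to the real network and relays RAND and
    SRES through the victim's phone, so it is accepted as the victim without knowing Ki.
    It still lacks Kc, so that leg is usable only if the real network accepts A5/0 too."""
    rand = msc.authentication_request(victim.sim.imsi)        # real network -> attacker
    sres = victim.authentication_response(rand)                # attacker -> victim -> attacker
    return msc.authentication_response(victim.sim.imsi, sres)  # attacker -> real network
```

The three scenario functions are the whole argument of the slide: `honest_session` shows that the protocol works when the BS is genuine, `fake_bs_session` shows that a BS which knows nothing about Ki still gets plaintext because `MobileStation` never verifies the origin of RAND or of the ciphering command, and `relay_session` shows that the same ignorance lets an attacker pass the real network's authentication as the victim.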

Security Weaknesses in GSM

(Figure.)

Security Services in GSM: Anonymity

Preventing an eavesdropper (listening attacker) from determining if a particular subscriber is/was in a given area (location privacy):
- thanks to long radio ranges, a very powerful attack
- the attacker uses the IMSI (International Mobile Subscriber Identity): IMSI catchers

To preserve location privacy GSM defines the TMSI (Temporary Mobile Subscriber Identity):
- when a phone is turned on, the IMSI from the SIM is transmitted in clear over the air to the network, which checks it with the AUC
- after this a TMSI is assigned to this user for location privacy
- after each location update or a predefined time-out, a new TMSI is assigned to the mobile phone
- a new TMSI is sent encrypted (whenever possible)
- the VLR database contains the mapping TMSI to IMSI


Security Weaknesses in GSM: Attack Against the Anonymity Service

- GSM provides for the situation when the network somehow loses track of a particular TMSI: in this case the network must ask the subscriber for its IMSI over the radio link, using the IDENTITY REQUEST and IDENTITY RESPONSE mechanism.
- However, the connection cannot be encrypted if the network does not know the IMSI (and therefore has no Kc), so the IMSI is sent in plain text.
- Since the phone does not authenticate the network, a fake BS can issue the IDENTITY REQUEST itself; the attacker can use this to map a known TMSI to the unknown, user-specific IMSI.
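The anonymity slides describe the TMSI/IMSI mechanism and the IDENTITY REQUEST trick in prose; the following decodes the actual Mobile Identity information element that carries both (3GPP TS 24.008, section 10.5.1.4) and replays the attack over a small capture. This is an added example, not code from the slides or from any protocol analyser. The three Mobility Management messages are constructed by hand for the example (IMSI 262021234567890, TMSI 0x12345678, location area 262/02 with LAC 0x1234 are made-up values); the message-type values (LOCATION UPDATING REQUEST 0x08, IDENTITY REQUEST 0x18, IDENTITY RESPONSE 0x19) and the IE layout follow the specification, and the function names are the example's own.

```python
"""Mobile Identity IE decoder (3GPP TS 24.008, 10.5.1.4) and the TMSI -> IMSI mapping an
attacker builds from an unciphered IDENTITY REQUEST / IDENTITY RESPONSE pair.
Added example; the sample messages below are constructed, not captured."""
MM_PD = 0x05                                   # Mobility Management protocol discriminator
LOCATION_UPDATING_REQUEST, IDENTITY_REQUEST, IDENTITY_RESPONSE = 0x08, 0x18, 0x19
ID_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def decode_mobile_identity(data: bytes, offset: int = 0):
    """Decode a Mobile Identity IE in LV form (length octet, then identity octets).
    Returns (identity type, value): IMSI/IMEI as a digit string, TMSI as 8 hex digits."""
    length = data[offset]
    body = data[offset + 1:offset + 1 + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated Mobile Identity IE")
    id_type = ID_TYPES.get(body[0] & 0x07, "unknown")
    odd = bool(body[0] & 0x08)
    if id_type == "TMSI":                      # TMSI: 4 binary octets, no BCD
        if length != 5:
            raise ValueError("TMSI must be 4 octets")
        return id_type, body[1:].hex()
    # BCD identities: digit 1 sits in the upper nibble of octet 1, the remaining digits
    # two per octet with the lower nibble first; an even digit count ends with filler 0xF
    digits = [body[0] >> 4]
    for b in body[1:]:
        digits += [b & 0x0F, b >> 4]
    if not odd and digits.pop() != 0x0F:
        raise ValueError("even-length identity must end with filler 0xF")
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal BCD digit")
    return id_type, "".join(str(d) for d in digits)


def parse_mm(msg: bytes) -> dict:
    """Parse the MM messages this example needs; other types are returned by type only."""
    if msg[0] & 0x0F != MM_PD:
        raise ValueError("not a Mobility Management message")
    mtype = msg[1] & 0x3F                      # bits 7-8 carry the uplink sequence number
    out = {"type": mtype}
    if mtype == IDENTITY_REQUEST:
        out["requested"] = ID_TYPES.get(msg[2] & 0x07, "unknown")
    elif mtype == IDENTITY_RESPONSE:
        out["identity"] = decode_mobile_identity(msg, 2)
    elif mtype == LOCATION_UPDATING_REQUEST:
        # octet 3: LU type / CKSN, octets 4-8: LAI, octet 9: classmark 1, then Mobile Identity
        out["identity"] = decode_mobile_identity(msg, 9)
    return out


def track_identities(capture):
    """capture: ordered (direction, raw message) pairs from one radio connection,
    direction "ul" (MS -> network) or "dl" (network -> MS).
    Returns (TMSI -> IMSI mapping, number of IMSI identity requests). A fake BS produces
    exactly this pattern: the MS identifies with its TMSI, the 'network' asks for the IMSI,
    and the MS answers in clear because ciphering has not started. Counting IMSI requests
    per connection is therefore also a crude IMSI-catcher indicator."""
    mapping, imsi_requests, current_tmsi, pending = {}, 0, None, None
    for direction, raw in capture:
        m = parse_mm(raw)
        if m["type"] == LOCATION_UPDATING_REQUEST and direction == "ul":
            kind, value = m["identity"]
            current_tmsi = value if kind == "TMSI" else None
        elif m["type"] == IDENTITY_REQUEST and direction == "dl":
            pending = m["requested"]
            if pending == "IMSI":
                imsi_requests += 1
        elif m["type"] == IDENTITY_RESPONSE and direction == "ul":
            kind, value = m["identity"]
            if kind == "IMSI" and pending == "IMSI" and current_tmsi:
                mapping[current_tmsi] = value
            pending = None
    return mapping, imsi_requests


# Constructed sample connection (not a real trace): LAI 262/02, LAC 0x1234,
# TMSI 0x12345678, IMSI 262021234567890.
SAMPLE_CAPTURE = [
    ("ul", bytes.fromhex("05 08 00 62 F2 20 12 34 33 05 F4 12 34 56 78")),  # LOCATION UPDATING REQUEST with TMSI
    ("dl", bytes.fromhex("05 18 01")),                                       # IDENTITY REQUEST, type IMSI
    ("ul", bytes.fromhex("05 19 08 29 26 20 21 43 65 87 09")),               # IDENTITY RESPONSE, IMSI in clear
]
```

Running `track_identities(SAMPLE_CAPTURE)` yields the mapping `{'12345678': '262021234567890'}` and one IMSI request, which is all the attacker on the slide needs: the TMSI seen on the air is now tied to a permanent subscriber identity. The same parser serves the defender: a location update answered by an IMSI request on every connection, rather than only after a genuine loss of VLR state, is the observable signature of the fake BS.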

Countermeasures: UMTS

UMTS defines two-way (mutual) authentication and mandates the use of stronger encryption and authentication primitives; this prevents MITM attacks by a fake BS, but be cautious...

Still many reasons to worry about:
- most mobiles also support < 3G standards (GPRS, EDGE), so a phone can still be served by a 2G cell
- when the signal is bad, it is hard to support UMTS rates
- mobile providers have already invested a lot of money and do not give up on 'old' BSS equipment
- femtocells
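What "two-way authentication" buys, shown as the UMTS AKA exchange: the network proves knowledge of the subscriber key K with an authentication token before the USIM answers, and a sequence number stops replay of an old challenge. This is an added example, not code from the slides or from a 3GPP reference implementation. The functions f1 to f5 are HMAC-SHA256 stand-ins (an assumption; real networks use MILENAGE or TUAK) and all class and function names are the example's own; the token layout AUTN = (SQN xor AK) || AMF || MAC, with a 48-bit SQN, 16-bit AMF and 64-bit MAC, follows 3GPP TS 33.102. The sequence-number check is simplified to "strictly increasing"; the standard uses a window and a resynchronisation procedure.

```python
"""UMTS AKA as the countermeasure to the GSM fake BS. Added example; f1..f5 are
HMAC-SHA256 stand-ins (assumption), AUTN layout per 3GPP TS 33.102."""
import hashlib
import hmac
import os


def _f(label: bytes, k: bytes, *parts: bytes, n: int) -> bytes:
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(k, sqn, rand, amf): return _f(b"f1", k, sqn, rand, amf, n=8)   # MAC-A, 64 bit
def f2(k, rand): return _f(b"f2", k, rand, n=8)                          # RES / XRES
def f3(k, rand): return _f(b"f3", k, rand, n=16)                         # CK
def f4(k, rand): return _f(b"f4", k, rand, n=16)                         # IK
def f5(k, rand): return _f(b"f5", k, rand, n=6)                          # AK, 48 bit


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """HLR/AuC: holds K and the next SQN per subscriber; builds authentication vectors."""
    def __init__(self):
        self._k, self._sqn = {}, {}

    def provision(self, imsi: str):
        self._k[imsi], self._sqn[imsi] = os.urandom(16), 0
        return USIM(imsi, self._k[imsi])

    def vector(self, imsi: str, amf: bytes = b"\x80\x00"):
        """Returns (RAND, AUTN, XRES, CK, IK); the serving network forwards RAND and AUTN."""
        k, sqn = self._k[imsi], self._sqn[imsi].to_bytes(6, "big")
        self._sqn[imsi] += 1
        rand = os.urandom(16)
        autn = xor(sqn, f5(k, rand)) + amf + f1(k, sqn, rand, amf)
        return rand, autn, f2(k, rand), f3(k, rand), f4(k, rand)


class USIM:
    """Verifies the network before answering: bad MAC or stale SQN means no response."""
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self._k, self._sqn_highest = imsi, k, -1

    def authenticate(self, rand: bytes, autn: bytes):
        sqn = xor(autn[:6], f5(self._k, rand))
        amf, mac = autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, f1(self._k, sqn, rand, amf)):
            return None                      # MAC failure: the challenger does not know K
        if int.from_bytes(sqn, "big") <= self._sqn_highest:
            return None                      # synchronisation failure: replayed challenge
        self._sqn_highest = int.from_bytes(sqn, "big")
        return f2(self._k, rand), f3(self._k, rand), f4(self._k, rand)   # RES, CK, IK


def serving_network_auth(home: HomeNetwork, usim: USIM) -> bool:
    """Genuine network: USIM accepts AUTN, RES matches XRES, both sides hold the same CK."""
    rand, autn, xres, ck, ik = home.vector(usim.imsi)
    result = usim.authenticate(rand, autn)
    return result is not None and hmac.compare_digest(result[0], xres) and result[1] == ck


def fake_bs_auth(usim: USIM):
    """Fake BS without K: whatever RAND/AUTN it forges fails the MAC check on the USIM."""
    return usim.authenticate(os.urandom(16), os.urandom(16))


def replayed_auth(home: HomeNetwork, usim: USIM):
    """Attacker replays a captured (RAND, AUTN): accepted once, rejected on replay by SQN."""
    rand, autn, *_ = home.vector(usim.imsi)
    first = usim.authenticate(rand, autn)
    return first is not None, usim.authenticate(rand, autn)
```

Compared with the GSM model, the only new piece on the phone side is the `authenticate` check on AUTN, and that is exactly what removes the fake-BS attack: `fake_bs_auth` gets no answer at all. The caveat on the slide remains outside this exchange: a phone that also accepts 2G cells can be drawn onto one, where no AUTN exists to check.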

Many Reasons to Worry About Your Privacy

- http://www.theregister.co.uk/2008/05/20/tracking_phones/
- http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/ (check also http://www.pathintelligence.com)
- https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdf
- http://femto.sec.t-labs.tu-berlin.de/bh2011.pdf