Understanding IMSI Privacy
Ravishankar Borgaonkar, TU Berlin
Swapnil Udar, Aalto University
Email: [email protected]
Blackhat USA 2014, Las Vegas, 7th August 2014

Overview
- Unresolved Privacy Issues (IMSI catchers and Silent SMS)
- Darshak - Privacy framework
- Use-cases and demos
- Future work

Unresolved Privacy Issues

Mobile Security Status
- Efforts from OS providers, manufacturers, network operators
- Efforts from researchers, startup companies
- Devices are good, but is the cellular network secure?
- Still, all fail against targeted attacks
- What are targeted attacks, and who carries them out?
  - IMSI catchers
  - Illegal entities?
  - Methods of doing it?

Targeted Attacks
- IMSI catchers
  - Often used
  - Exploit cellular weaknesses
  - Location and interception
- Pegasus
  - Compromising with OTA update
  - SIM toolkit? Like ANT
[Figure: IMSI catcher or compromising phone. Sources: product manuals]

Unsolved Security Questions
- Was your last call encrypted/authenticated?
- Is someone tracking you? No app for that!
- Can someone listen to your calls/SMS?
  - Besides legal entities
  - Was the last call/SMS encrypted?
- Are you a victim of an IMSI catcher attack?
- Are your mobile handset and operator using up-to-date encryption standards?

More ecosystem problems
- 3GPP standard for mobile handset features
- No API for Android, iOS, Windows, BB
  - See issue* 5353: Ciphering Indicator (Android)
- Flat-rate calling/data/SMS rates
  - Are you getting free calls?
* https://code.google.com/p/android/issues/detail?id=5353
Source: Wikipedia

Darshak Framework

Motivation
- Research platform to collect GSM & 3G security-relevant data
- Easy-to-use cellular network security indicator

Darshak* Framework
- Displays (in)security capabilities of your cellular network operator
- Android-based framework
  - Detection
  - Notification
  - Intelligence
  - Collection
- Security features
  - GSM and 3G networks
  - Captures ‘silent SMS’ and notifies user
  - Alerts when operator is not doing encryption
  - Displays suspicious activities
* In ancient Indian language, Darshak means indicator

Technical Details
- Running on Intel baseband devices: Samsung S3, S2
- Primarily based on the Xgoldmon idea
- Thanks to GSMMAP
- Device needs to be rooted
- Notifies sender's number - Silent SMS
- Classifies security capabilities of 2G/3G networks: A5/0, A5/1, A5/3 (useful while roaming)
- Current TMSI after every event
- Displays authentication tokens (RAND, AUTN)

Methodology

GSM background

GSM Security Issues
- No Mutual Authentication
- [Diagram labels: GSM, BTS, MS]
- Weak algorithms
- A5/2 broken, A5/1 weak
- Fake base station / MiTM
- BTS decides encryption
- Downgrading attacks

GSM Security Issues
- Plaintext over-the-air
- [Diagram labels: GSM, BTS, MS]
- No authentication
- IMEI is not authenticated
- IMSI & TMSI
- Local regulations
- No upgrade, weak algorithms

GSM badly broken
- Proven experimentally by various researchers
- Has it been fixed and upgraded by your operator as per GSMA guidelines?
- Authentication
  - Mobile originated – mostly performed
  - Mobile terminated – not often
- Encryption - A5/1 vs A5/3 vs A5/0
- Threat model is not your government (lawful interception) but other illegal entities

Use-cases and Demos

GSM and 3G security indicators
- Invoked at every incoming and outgoing radio event
[Screenshot label: interception attack]

3G security indicators

Detecting silent SMS
- Type 0 messages
- Standard says mobiles must acknowledge receipt but may discard contents
- Mobiles do not display any notification to end users
- Useful for police or other illegal agencies
- HushSMS tool from @c0rnholio

Detecting silent SMS - Demo
- HushSMS allows
  - Ping 3 (0-byte WAP Push)
  - Ping 4 (Empty MMSN)
- Detects, alerts with a notification
- Option to turn on airplane mode (not useful until you control the baseband)
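
Added example (not from the slides and not Darshak's own code): a minimal check for Type 0 messages on a received SMS-DELIVER TPDU, which also recovers the sender's number for the notification. It assumes the 3GPP TS 23.040 field layout and flags TP-PID 0x40 ("Short Message Type 0"); the sample TPDUs and phone number are constructed.

```python
# Added example: classify a received SMS-DELIVER TPDU (3GPP TS 23.040 layout).
# Both sample TPDUs and the sender number are constructed for illustration.
TYPE0_PID = 0x40  # TP-PID value meaning "Short Message Type 0"
SILENT_TPDU = "040C9194515510009940004180702143650000"      # Type 0, no text
NORMAL_TPDU = "040C9194515510009900004180702143650002E834"  # ordinary "hi"


def decode_address(tpdu: bytes, pos: int):
    """Decode the TP-OA field starting at pos; return (number, next_pos)."""
    digits = tpdu[pos]              # number of useful semi-octets
    toa = tpdu[pos + 1]             # type-of-address octet
    nbytes = (digits + 1) // 2
    raw = tpdu[pos + 2:pos + 2 + nbytes]
    if len(raw) < nbytes:
        raise ValueError("truncated originating address")
    ton = (toa >> 4) & 0x7
    if ton == 0x5:                  # alphanumeric sender, not decoded here
        number = "<alphanumeric>"
    else:
        # BCD digits are stored low nibble first; 0xF pads an odd length
        nibbles = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)
        number = ("+" if ton == 0x1 else "") + nibbles[:digits]
    return number, pos + 2 + nbytes


def inspect_sms_deliver(hex_tpdu: str) -> dict:
    """Return sender, TP-PID, TP-DCS and whether this is a Type 0 SMS."""
    tpdu = bytes.fromhex(hex_tpdu)
    if len(tpdu) < 4:
        raise ValueError("TPDU too short")
    if tpdu[0] & 0x03 != 0x00:      # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    sender, pos = decode_address(tpdu, 1)
    if pos + 2 > len(tpdu):
        raise ValueError("truncated before TP-PID/TP-DCS")
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    return {"sender": sender, "pid": pid, "dcs": dcs,
            "silent": pid == TYPE0_PID}


if __name__ == "__main__":
    for name, pdu in (("silent", SILENT_TPDU), ("normal", NORMAL_TPDU)):
        print(name, inspect_sms_deliver(pdu))
```

The check reads only the TPDU header, so it flags a Type 0 message even when the user data is empty.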

IMSI Catcher Detection
- Finding parameters to detect
- Need lots of data from different operators
- LAC or Cell ID not enough
[Figure labels: scanning first, downgrading, jamming]

Finding parameters
- System Information Type 3 messages
  - Layer 3 messages about GSM system configuration

Finding parameters
- Control Channel Description
  - MSCR: shows current GSM network version
  - 0: MSC release version 98 or older
  - 1: MSC release version 99 or newer
- Data from various operators and OpenBTS

Operator        MSCR
Telekom         '99 onwards
O2              '99 onwards
Vodafone        '99 onwards
Play Network    '98 or older
BSNL            '99 onwards
Idea            '99 onwards
OpenBTS         '98 or older

Finding parameters
- Radio Link Timeout
  - Counter value to judge downlink failure
  - Counter decreases when there is an error
  - When it reaches 0: radio link failure
- Data from various operators and OpenBTS

Operator        Radio Link Timeout
Telekom         64
O2              24
Vodafone        64
Play Network    64
BSNL            20
Idea            40
OpenBTS         64

Finding parameters
- PWRC - power control indicator
- Data from various operators and OpenBTS

Operator        PWRC
Telekom         False
O2              True
Vodafone        False
Play Network    False
BSNL            True
Idea            False
OpenBTS         False

Building a profile
- Tool collects such parameters
- They very seldom change (no change in a week)
- Build a profile per location: office-work-city
- Work in progress
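
Added example (not Darshak's code): one way to keep a per-location profile of the three System Information Type 3 parameters above and flag a cell whose broadcast values were never seen at that location. The class, field names, location label and learning threshold are assumptions; the Telekom and OpenBTS values are those listed in the tables. A deviation is an indicator to investigate, not proof of an IMSI catcher.

```python
# Added example: per-location profile of SI3 parameters (MSCR, Radio Link
# Timeout, PWRC). Names, labels and the min_samples threshold are assumptions.
from collections import Counter, defaultdict

FIELDS = ("mscr", "radio_link_timeout", "pwrc")

# Values as listed in the slides' tables (MSCR 1 = '99 onwards, 0 = '98 or older)
TELEKOM = {"mscr": 1, "radio_link_timeout": 64, "pwrc": False}
OPENBTS = {"mscr": 0, "radio_link_timeout": 64, "pwrc": False}


class CellProfile:
    def __init__(self, min_samples: int = 3):
        self.min_samples = min_samples
        # (location, operator) -> field -> Counter of values seen so far
        self.seen = defaultdict(lambda: {f: Counter() for f in FIELDS})

    def learn(self, location: str, operator: str, si3: dict) -> None:
        """Record one decoded SI3 observation for this location/operator."""
        for field in FIELDS:
            self.seen[(location, operator)][field][si3[field]] += 1

    def check(self, location: str, operator: str, si3: dict):
        """Return (status, deviations); deviations maps field -> (usual, got)."""
        key = (location, operator)
        if key not in self.seen:
            return "no-profile", {}
        profile = self.seen[key]
        if sum(profile["mscr"].values()) < self.min_samples:
            return "learning", {}
        deviations = {}
        for field in FIELDS:
            if si3[field] not in profile[field]:
                usual = profile[field].most_common(1)[0][0]
                deviations[field] = (usual, si3[field])
        return ("suspicious" if deviations else "ok"), deviations


def demo():
    """Learn the Telekom values at 'office', then test an OpenBTS-like cell."""
    profile = CellProfile()
    for _ in range(3):              # constructed observations
        profile.learn("office", "Telekom", TELEKOM)
    return profile.check("office", "Telekom", OPENBTS)


if __name__ == "__main__":
    print(demo())
```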

Future work
- Source code will be released (without IMSI catcher)
- Support for other possible devices
- Data upload functionality (anonymous data)
- Building more profiles for IMSI catcher detection
- Collecting and sharing data

Thank you!