Security and Privacy Threats on Cellular Network

[Figure: subscribers identified by their IMSI (IMSI = International Mobile Subscriber Identity); several handsets are shown with "No Service".]
Limitations of Existing Attack Finding Strategies for Cellular Networks

[Figure: an attacker targeting procedures such as Detach, Paging, Handover and VoLTE; consequences shown include Man-in-the-Middle, spurious billing and life-threatening risks.]
1 Challenges
2 Preliminaries
3 LTEInspector
4 Findings & Attack Validation
5 Responsible Disclosure and Impact
6 Future Work
7 Conclusion
Challenges
Stateful procedures and multiple participants
Closed system
Proprietary
Legal barrier
Licensed spectrum
Background: LTE Architecture

[Figure: LTE architecture with UEs attached to eNodeBs and a core network including the PGW.]
Background (Attach)

Attach procedure between UE, eNodeB and Core Network:
Connection Setup
Identification: Attach Request (IMSI/IMEI, UE's Security Capabilities)
Authentication: Authentication Challenge (LTE: Authentication Request); Authentication Response (LTE: Authentication Response)
Security algorithm negotiation: Select the Security Algorithm (LTE: Security Mode Command); Confirm Security Algorithm (LTE: Security Mode Complete)
TMSI Exchange: Network accepts attach and allocates temporary identity (LTE: Attach Accept); Confirm attach and new temporary identity (LTE: Attach Complete)
Background (Paging & Detach)

[Figure: UE, eNodeB and MME. Paging: the MME sends paging_request to the UE. Detach: a detach_request is answered by detach_accept.]
Adversary Model
Dolev-Yao model: the adversary can eavesdrop, drop or modify, and inject messages
Adheres to cryptographic assumptions
Insight
Property characteristics:
Temporal ordering of events
Cryptographic constructs
Linear integer arithmetic and other predicates

Intuition: temporal trace properties and linear integer arithmetic are handled by a model checker; cryptographic constructs are handled by a cryptographic protocol verifier.

[Figure: LTEInspector pipeline. Inputs: UE state machine, core network state machine, adversarial model, domain knowledge, and desired properties from the standard, combined into a threat-instrumented abstract LTE ecosystem model. The model checker produces counterexamples, which are checked by the cryptographic protocol verifier and validated on a testbed to confirm attacks.]
Abstract LTE Model
Specification model for NAS layer (UE-MME) interactions
Propositional logic level
Model message types only, not message data
Abstract away cryptographic constructs
Two unidirectional channels

[Figure: UE and MME state machines. UE states: disconnected, waits for auth_request, authenticates MME. MME states: disconnected, waits for auth_response, authenticates UE. Transitions are labelled with received / sent messages, e.g. mobile_restart / attach_request, auth_request / auth_response, auth_failure / —, and auth_reject ∨ detach_request / — (back to disconnected).]
Adversarial Model Instrumentor

[Figure: a Dolev-Yao attacker is placed on the two channels between UE and MME. UE to MME: attach_request, auth_response, sec_mode_command, attach_complete. MME to UE: auth_request, sec_mode_command, attach_accept, paging_request. On adversary_turn the attacker may drop a message (no_operation) or inject one, e.g. replace m_UE = attach_request with detach_request.]
Model Checker
Temporal trace properties
Liveness: something good eventually happens
Safety: nothing bad happens
NuSMV
Example property: It is always the case that whenever UE is in the wait for auth request, it will eventually authenticate MME.

[Figure: counterexample on the UE state machine. The victim UE sends attach_request, and while in "waits for auth_request" it receives an authentication_reject and drops back to disconnected, showing "Emergency calls only".]
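To make the model-checking step concrete, here is an added example (not LTEInspector's code, which uses NuSMV): a small Python search over the abstract UE state machine from the slides, with an adversary that may inject messages this example assumes to be unprotected (auth_reject, detach_request), looking for a lasso-shaped counterexample to the liveness property above. State and message names are this example's own, and adversary drops are left out, which stands in for a fairness assumption that honest messages are eventually delivered.

```python
from collections import deque
# Added example, not LTEInspector's code: an explicit-state search over the slides'
# abstract UE NAS state machine with a Dolev-Yao adversary. Names are ours, and
# which messages count as unprotected (injectable) is an assumption of this example.
UE_TRANS = {  # (UE state, message received or local event) -> next UE state
    ("disconnected", "mobile_restart"): "waits_for_auth_request",    # UE sends attach_request
    ("waits_for_auth_request", "auth_request"): "authenticates_mme",  # UE sends auth_response
    ("authenticates_mme", "sec_mode_command"): "connected",
    ("waits_for_auth_request", "auth_reject"): "disconnected",
    ("authenticates_mme", "auth_reject"): "disconnected",
    ("connected", "detach_request"): "disconnected",
}
HONEST = {"disconnected": "mobile_restart", "waits_for_auth_request": "auth_request",
          "authenticates_mme": "sec_mode_command"}      # honest next event per state
INJECTABLE = frozenset({"auth_reject", "detach_request"})  # assumed unprotected messages
def successors(state, injectable=INJECTABLE):
    """Yield (label, next_state) for the honest event and each adversary injection."""
    events = [("honest", HONEST[state])] if state in HONEST else []
    events += [("injected", m) for m in sorted(injectable)]
    for who, msg in events:
        if (state, msg) in UE_TRANS:
            yield f"{who}:{msg}", UE_TRANS[(state, msg)]

def find_liveness_violation(bad="waits_for_auth_request", good="authenticates_mme",
                            bound=6, injectable=INJECTABLE):
    """Lasso counterexample to 'whenever UE is in `bad` it eventually reaches `good`':
    a BFS prefix to `bad`, then a bounded DFS loop back to `bad` that never visits `good`."""
    queue, seen = deque([[("init", "disconnected")]]), {"disconnected"}
    while queue:
        prefix = queue.popleft()
        if prefix[-1][1] == bad:
            break
        for label, nxt in successors(prefix[-1][1], injectable):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(prefix + [(label, nxt)])
    else:
        return None  # `bad` is unreachable, so the property holds vacuously
    def loop(state, path):  # returns the loop part of the lasso, or None
        if len(path) >= bound:
            return None
        for label, nxt in successors(state, injectable):
            if nxt == bad:
                return path + [(label, nxt)]
            found = None if nxt == good else loop(nxt, path + [(label, nxt)])
            if found:
                return found
        return None
    cycle = loop(bad, [])
    return prefix + cycle if cycle else None
```

The returned trace is the injected auth_reject loop shown in the figure; with no injectable messages the search returns None, which is the role the "adheres to cryptographic assumptions" rule plays in pruning traces the crypto verifier would reject.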
Cryptographic Protocol Verifier
ProVerif
Secrecy
Authenticity
Observational equivalence
Injective correspondence (authentication), e.g. every authentication_reject message received by UE must be sent by the core network
Testbed Validation
Malicious eNodeB setup (USRP, OpenLTE, srsLTE)
COTS smartphones
Findings
Uncovered 10 new attacks

Attack | Procedure | Responsible | Notable Impacts
Auth Sync. Failure | Attach | 3GPP | DoS
Traceability | Attach | carriers | Coarse-grained location tracking
Numb using auth_reject | Attach | 3GPP, smartphones | DoS
Authentication relay | Attach | 3GPP | Location spoofing
Paging Channel Hijacking | Paging | 3GPP | DoS
Stealthy Kicking-off | Paging | 3GPP | DoS, coarse-grained location tracking
Panic | Paging | 3GPP | Artificial chaos for terrorist activity
Energy Depletion | Paging | 3GPP | Battery depletion/DoS
Linkability | Paging | 3GPP | Coarse-grained location tracking
Targeted/Non-targeted Detach | Detach | 3GPP | DoS

Identified 9 prior attacks: IMSI-catching, DoS, Linkability, MitM in 3G and 2G, etc.
Authentication Synchronization Failure Attack
Assumption: Victim UE's IMSI; Malicious UE setup

[Figure: Malicious UE, Victim UE and Core Network. Initially SQN_UE = x and SQN_CN = x. The malicious UE sends attach_request (IMSI) repeatedly; the core network increments SQN_CN (++) on each one while the victim UE's counter stays at x, so UE and CN sequence numbers get desynchronized.]
Panic Attack

[Figure: a paging (ETWS) message is delivered to the victim UE.]
Attack Chaining (Authentication Relay or Mafia Attack)

[Figure: the victim UE in Indiana exchanges Attach_request, Authentication_request and Authentication_response with a relay; the same Attach_request / Authentication_request / Authentication_response exchange is forwarded to a network (NID) in California. The victim UE shows Connected while the network attaches it in California (location spoofing).]
Responsible Disclosure and Impacts
Mobile network operators
Future Work

[Figure: protocol stack between UE, eNodeB and MME, with NAS (UE-MME) and RRC (UE-eNodeB) layers annotated with steps 1-3, and a decoded RRC paging message on the PCCH:]

PCCH-Message ::= SEQUENCE
+-message ::= CHOICE [c1]
+-c1 ::= CHOICE [paging]
+-paging ::= SEQUENCE [0110]
+-pagingRecordList ::= SEQUENCE OF OPTIONAL:Omit
+-systemInfoModification ::= ENUMERATED [true] OPTIONAL:Exist
+-etws-Indication ::= ENUMERATED [true] OPTIONAL:Exist
+-nonCriticalExtension ::= SEQUENCE OPTIONAL:Omit
Conclusion
Proposed a systematic approach for analyzing the specification
https://github.com/relentless-warrior/LTEInspector
Questions
LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE

ProVerif
Secrecy
Authenticity
Observational equivalence (hyper-properties)
Why not ProVerif only? The analysis also needs rich temporal trace properties and constraints on linear integer arithmetic.
Traceability attack
Assumption: Victim UE's IMSI; Malicious UE setup

[Figure: an earlier session (attach_request ... security_mode_command (MAC, nonce) ... attach_complete) is observed; the captured security_mode_command is later replayed, and the response distinguishes the victim (security_mode_complete) from other UEs (security_mode_reject).]
Numb Attack
Assumption: malicious eNodeB setup
• Learn from SystemInformationBlock messages

[Figure: a victim UE in Connected state sends tracking_area_update_request to the malicious eNodeB (NID) and receives authentication_reject, after which the UE shows "Emergency calls only".]