440 likes | 767 Views
Security of Cellular Network s : Man-in-the Middle Attacks. Mario Č agalj University of Split 201 3/2014. ‘ Security in the GSM system ’ by Jeremy Quirke, 2004. Introduction. Nowadays, mobile phones are used by 80-90% of the world’s population (billion of users) Evolution
E N D
Security of Cellular Networks: Man-in-the Middle Attacks MarioČagalj University of Split 2013/2014. ‘Security in the GSM system’ by Jeremy Quirke, 2004
Introduction • Nowadays, mobile phones are used by 80-90% of the world’s population (billion of users) • Evolution • 1G:analog cellular networks • 2G: digital cellular networks with GSM (Global System for Mobile Communications) beign the most popular and the most widely used standard (circuit switching) • other 2G: technologies IS-95 – CDMA based (US), PDC (Japan), etc. • 2.5G: GPRS (General Packet Radio Service) – packet switching • 2.75G: EDGE – faster data service • 3G: UMTS (CDMA based), HSPA for data traffic (e.g., 5-10 Mbps) • other 3G: CDMA2000 (US, S. Korea) • 4G: LTE (OFDM based), peak data rates of 100Mbps GSM security specifications
Cellular Network ArchitectureA high level view Databases(e.g., Home LocationRegister) External Network MobileStation BaseStation MobileSwitchingCenter Cellular Network EPFL, JPH
Nr: 079/4154678 Cellular Network ArchitectureRegistration Process Tune on the strongest signal EPFL, JPH
Cellular Network ArchitectureService Request 079/4154678 079/8132627 079/4154678 079/8132627 EPFL, JPH
Cellular Network ArchitecturePaging Broadcast (locating a particular mobile station in case of mobile terminated call) 079/8132627? 079/8132627? 079/8132627? 079/8132627? Note: paging makessenseonly over a small area EPFL, JPH
Cellular Network ArchitectureResponse 079/8132627 079/8132627 EPFL, JPH
Cellular Network ArchitectureChannel Assignement Channel 47 Channel 47 Channel 68 Channel 68 EPFL, JPH
Cellular Network ArchitectureHandover (or Handoff) EPFL, JPH
Periodic registration Paging response Paging response Tune to Ch. 68 Assign Ch. 68 User response User response Stop ring indication Stop ring indication Cellular Network ArchitectureMessage Sequence Chart Base Station Base Station Switch Callee Caller Periodic registration Service request Service request Page request Page request Paging broadcast Paging broadcast Assign Ch. 47 Tune to Ch.47 Alert tone Ring indication Ring indication EPFL, JPH
GSM System Architecture Based on ‘Mobile Communications: Wireless Telecommunication Systems’
Architecture of the GSM system • GSM is a PLMN (Public Land Mobile Network) • several providers setup mobile networks following the GSM standard within each country • components • MS (mobile station) • BS (base station) • MSC (mobile switching center) • LR (location register) • subsystems • RSS (radio subsystem): covers all radio aspects • NSS (network and switching subsystem): call forwarding, handover, switching • OSS (operation subsystem): management of the network
Please check http://gsmfordummies.com/architecture/arch.shtml GSM: overview OMC, EIR, AUC fixed network HLR GMSC NSS with OSS VLR MSC VLR MSC BSC BSC RSS
GSM: system architecture radiosubsystem network and switching subsystem fixednetworks MS MS ISDNPSTN MSC BTS BSC EIR BTS SS7 HLR VLR BTS ISDNPSTN BSC BTS MSC IWF BSS PSPDNCSPDN
Components MS (Mobile Station) BSS (Base Station Subsystem):consisting of BTS (Base Transceiver Station):sender and receiver BSC (Base Station Controller):controlling several transceivers System architecture: radio subsystem radiosubsystem network and switchingsubsystem MS MS BTS MSC BSC BTS BTS MSC BSC BTS BSS
Radio subsystem • The Radio Subsystem (RSS) comprises the cellular mobile network up to the switching centers • Components • Base Station Subsystem (BSS): • Base Transceiver Station (BTS): radio components including sender, receiver, antenna - if directed antennas are used one BTS can cover several cells • Base Station Controller (BSC): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels onto terrestrial channels • Mobile Stations (MS)
cell GSM: cellular network segmentation of the area into cells • use of several carrier frequencies • not the same frequency in adjoining cells • cell sizes vary from some 100 m up to 35 km depending on user density, geography, transceiver power etc. • hexagonal shape of cells is idealized (cells overlap, shapes depend on geography) • if a mobile user changes cells • handover of the connection to the neighbor cell possible radio coverage of the cell idealized shape of the cell
System architecture: network and switching subsystem • Components • MSC (Mobile Services Switching Center) • IWF (Interworking Functions) • ISDN (Integrated Services Digital Network) • PSTN (Public Switched Telephone Network) • PSPDN (Packet Switched Public Data Net.) • CSPDN (Circuit Switched Public Data Net.) • Databases • HLR (Home Location Register) • VLR (Visitor Location Register) • EIR (Equipment Identity Register) networksubsystem fixed partnernetworks ISDNPSTN MSC EIR SS7 HLR VLR ISDNPSTN MSC IWF PSPDNCSPDN
Network and switching subsystem • NSS is the main component of the public mobile network GSM • switching, mobility management, interconnection to other networks, system control • Components • Mobile Services Switching Center (MSC)controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC • Databases (important: scalability, high capacity, low delay) • Home Location Register (HLR)central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs) • Visitor Location Register (VLR)local database for a subset of user data, including data about all user currently in the domain of the VLR
Mobile Services Switching Center • The MSC (mobile switching center) plays a central role in GSM • switching functions • additional functions for mobility support • management of network resources • interworking functions via Gateway MSC (GMSC) • integration of several databases
Operation subsystem • The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems • Components • Authentication Center (AUC) • generates user specific authentication parameters on request of a VLR • authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system • Equipment Identity Register (EIR) • registers GSM mobile stations and user rights • stolen or malfunctioning mobile stations can be locked and sometimes even localized • Operation and Maintenance Center (OMC) • different control capabilities for the radio subsystem and the network subsystem
1: calling a GSM subscriber 2: forwarding call to GMSC 3: signal call setup to HLR 4, 5: request MSRN (roaming number) from VLR 6: forward responsible MSC to GMSC 7: forward call to current MSC 8, 9: get current status of MS 10, 11: paging of MS 12, 13: MS answers 14, 15: security checks 16, 17: set up connection PSTN Please check http://gsmfordummies.com/gsmevents/mobile_terminated.shtml Mobile Terminated Call 4 HLR VLR 5 8 9 3 6 14 15 7 calling station GMSC MSC 1 2 10 13 10 10 16 BSS BSS BSS 11 11 11 11 12 17 MS
1, 2: connection request 3, 4: security check 5-8: check resources (free circuit) 9-10: set up call PSTN Mobile Originated Call VLR 3 4 6 5 GMSC MSC 7 8 2 9 1 MS BSS 10
MS MTC BTS MS MOC BTS paging request channel request channel request immediate assignment immediate assignment paging response service request authentication request authentication request authentication response authentication response ciphering command ciphering command ciphering complete ciphering complete setup setup call confirmed call confirmed assignment command assignment command assignment complete assignment complete alerting alerting connect connect connect acknowledge connect acknowledge data/speech exchange data/speech exchange Mobile Terminated and Mobile Originated Calls
Security in GSM Based on: ‘Security in the GSM system’ by Jeremy Quirke‘The GSM Standard (An overview of its security)’ by SANS Institute InfoSec Reading Room‘Mobile Communications: Wireless Telecommunication Systems’
Security Services in GSM • Access control/authentication • user <--x-- SIM (Subscriber Identity Module): secret PIN (personal identification number) • SIM <--x-- network: challenge response method • Confidentiality • voice and signaling encrypted on the wireless link (after successful authentication) • Anonymity • temporary identity TMSI (Temporary Mobile Subscriber Identity) • newly assigned at each new location update (LUP) • encrypted transmission
Security Services in GSM Authentication • SIM (Subscriber Identity Module) card • smartcard inserted into a mobiel phone • contains all necessary details to obtain access to an account • unique IMSI (International Mobile Subscriber Identity) • Ki - the individual subscriber authentication key (128bit, used to generate all other encryption and authentication keying GSM material) • highly protected – the mobile phone never learns this key, mobile only forwards any required material to the SIM • known only to the SIM and network AUC (Authentication Center) • SIM unlocked using a PIN or PUK • authentication (A3 algorithm) and key generation (A8 algorithm) is performed in the SIM • SIM contains a microprocessor
Security Services in GSM Authentication SIM mobile network RAND Ki RAND RAND Ki 128 bit 128 bit 128 bit 128 bit AC A3 A3 SIM SRES* 32 bit SRES 32 bit SRES SRES* =? SRES MSC SRES 32 bit Ki: individual subscriber authentication key SRES: signed response
Security Services in GSM Authentication Kc: Session encryption key generated together with SRES
Security Services in GSM Encryption MS with SIM mobile network (BTS) RAND Ki RAND RAND Ki AC SIM 128 bit 128 bit 128 bit 128 bit A8 A8 cipher key Kc 64 bit Kc 64 bit SRES data encrypteddata data BTS MS A5 A5
Security Services in GSM Authentication and Encryption • A3 and A8 algorithms are both run in SIM at the same time on the same input (RAND, Ki) • A3A8 = COMP128v1, COMP128v2, COMP123v3 (serious weaknesses known) • not used in UMTS • Encryption algorithm A5 • symmetric encryption algorithm • voice/data encryption performed by a phone using generated encryption key Kc
Security Services in GSM Encryption • A5 algorithms • A5/0 – no encryption used • A5/1 and A5/2 developed far from public domain and later found flawed • stream ciphers based on linear feedback shift registers • A5/2 completely broken (not used anymore in GSM) • A5/1 is a bit stronger but also broken by many researchers • A5/3 – is a block cipher based on Kasumi encryption algorithm • used in UMTS, GSM, and GPRS mobile communications systems • public and reasonably secure (at least at the moment)
Security Weaknesess in GSM • A mobile phone does not authenticate the base station! • only mobile authenticate to BS (one-way authentication) • fake BS and man-in-the middle attacks possible • attacker does not have to know authentication key Ki • A5/0 - No Encryption algorithm is a valid choice in GSM • for voice, SMS, GPRS, EDGE services • Many weaknesses in A5 family of encryption algorithms
Security Services in GSM Anonymity • Preventing eavesdropper (listening attacker) from determining if a particular subscriber is/was in the given area • location privacy • thanks to long ranges a very powerful attack • attacker uses IMSI (International Mobile Subscriber Identity) • IMSI Catchers • To preserve location privacy GSM defines TMSI (Temporary Mobile Subscriber Identity) • when a phone turned on, IMSI from SIM transmitted in clear to the AUC • after this TMSI is assigned to this user for location privacy • after each location update or a predefined time out, a new TMSI is assigned to the mobile phone • a new TMSI is sent encrypted (whenever possible) • VLR database contains mapping TMSI to IMSI
Security Weaknesess in GSMAttack Against the Anonymity Service • GSM provisions for situation when the network somhow loses track of a particular TMSI • in this case the network must ask the subscriber its IMSI over the radio link using the IDENTITY REQUEST and IDENTITY RESPONSE mechanism • however, the connection cannot be encrypted if the network does not know the IMSI and so the IMSI is sent in plain text • the attacker can use this to map known TMSI and unknown and user-specific IMSI
Countermeasures: UMTS • UMTS defines 2-way authentication and mandates the use of stronger encryption and authentication primitives • prevents MITM attacks by a fake BS, but be cautious... • Still many reasons to worry about • most mobiles support < 3G standards (GPRS, EDGE) • when signal is bad, hard to supprot UMTS rates • mobile providers already invested a lot of money and do not give up upon ‘old’ BSS equippment • femtocells
Many Reason to Worry About Your Privacy • http://www.theregister.co.uk/2008/05/20/tracking_phones/ • http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/ (check also http://www.pathintelligence.com) • http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdf • http://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdf