4G and 5G Networks

4G and 5G Networks, Altaf Shaik (Technische Universität Berlin), PowerPoint PPT presentation



  1. Exposing Device Features on 4G and 5G Networks. Altaf Shaik (Technische Universität Berlin, Germany), Ravishankar Borgaonkar (SINTEF Digital, Norway). Hardwear.io 2019, Netherlands, 26.09.2019

  2. 5G? Human communication and machine communication.

  3. 5G Security? LTE security + new services + new networking technologies (NFV/SDN) + requirements (use cases) → enhancements → 5G security requirements. Source: https://www.informationsecuritybuzz.com/articles/security-challenges-next-generation-5g-mobile-networks/

  4. 5G Security Elements: network slicing security, cell authentication+, edge cloud, NFV/SDN security, encryption, integrity+, central cloud, privacy+, resilience+, mobile edge computing, device identifiers, credentials.

  5. Security Evolution (OTA) (figure only)

  6. IMSI Catchers in 5G? (figure showing IMSI and IMEI)

  7. 5G Security?
      • 5G security >> 4G? (What's new?)
      • Same protocols, same security algorithms
      • Attacks in 4G/LTE fixed? Downgrade attacks, DoS attacks, location tracking
      • What's not fixed in 4G is copy-pasted to 5G

  8. Capabilities? UE capabilities:
      1. Core network capabilities (security algorithms, voice calling support, V2V): 3GPP TS 24.301, 23.401, 24.008
      2. Radio access capabilities (frequency bands, Rx & Tx features, MIMO, CA, category): 3GPP TS 36.331

  9. Core Capabilities (figure only)

  10. Capabilities in 5G
      • V2X: connected cars
      • ProSe (D2D): location services
      • CIoT: IoT specific

  11. Radio Capabilities (figure only)

  12. LTE Registration
      Flow: Registration (core network capabilities) → Authentication and Security → Get capabilities → Send capabilities (radio access capabilities) → Save all capabilities → OTA security → Registration success
      UE capabilities:
      • sent to the network during registration
      • stored at the network for long periods
      • visible in plain text over the air
      • passive and active attacks

  13. Issue? UE capabilities:
      • accessible by rogue base stations
      • sent in plain text over the air
      • standard + implementation bugs

  14. Attacks?
      • MNmap (active or passive)
      • Bidding down (MITM)
      • Battery drain (MITM)

  15. Setup: LTE MitM attacker
      • Hardware: 2 x (USRP B210 + laptop); phones, Quectel modems, cars, IoT devices, trackers, laptops, routers, ...
      • Software: srsLTE
      • Attacks tested with real devices and commercial networks

  16. 1. MNmap (Mobile Network Mapping), similar to IP Nmap: maker, model, OS, applications, version

  17. MNmap: identify any cellular device in the wild
      • Baseband vendor name and model (chip maker)
      • Device model, operating system (Android, iOS), application of device, baseband software version
      • Cellular IoT (NB-IoT, LTE-M): asset trackers, smart meters, railways, smart grid, agriculture sensors, home automation, vending machines, wearables
      • Phone/tablet: Samsung, iPhone/iPad, Huawei, HTC, LG, Nokia
      • Others: car, router, USB dongle (with version), hotspots, laptops

  18. Identification: how
      • Baseband vendors implement capabilities differently; e.g., Qualcomm chipsets always disable EIA0
      • Many capabilities are optional (disabled/enabled)
      • Each target application requires a different set of UE capabilities: V2V for automated cars; voice calling and codec support for phones; GPS capability for trackers; data-only support for routers and USB data sticks (SMS only)

  19. DUT (figure only)

  20. Reference model devices
      • Baseband vendor
      • Application
      • Chipset name
      • 3GPP release

  21. Fingerprints: implementation differences among baseband vendors
      Capability                        Huawei  Samsung  Intel  Mediatek  Qualcomm
      CM Service Prompt                 1       0        0      0         1
      EIA0                              1       1        1      1         0
      Access class control for CSFB     0       1        0      1         1
      Extended Measurement Capability   0       0        0      1         0

  22. Chipset info (figure only)

  23. Half-way
      1. Baseband maker
      2. Baseband model
      3. List of supported devices for the chipset
      4. Identify the right device and application

  24. Fingerprints
      Difference between phone and other devices:
      Capability                  Phone                   Others
      UE's usage setting          Voice or Data           Not present
      Voice domain preference     CS Voice or PS Voice    Not present
      UMTS AMR codec              Present                 Not present
      Difference between iOS and Android:
      Capability                      Android  iOS
      MS assisted GPS                 1        0
      Voice over PS-HS-UTRA-FDD-r9    1        0
      Phone and preferred baseband: Huawei → Huawei; Samsung → Samsung; Apple → Intel or QCT
      Difference between cellular and cellular IoT:
      Capability                           Cellular IoT  Cellular
      PSM timer                            1             0
      T3412 extended period (TAU timer)    1             0

  25. MNmap issues
      • The SIM card can affect capabilities: enabled/disabled by operator setting, e.g., bands
      • IoT applications: LTE-M vs. NB-IoT
      • Timer values (low for smart meters, high for asset trackers)
      • Successes and failures in detecting (close to round-off, multiple options)
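As an added illustration (not a tool from the talk), the nearest-match logic below runs over the vendor bits transcribed from slide 21 and shows why slide 25's "multiple options" arise: when some capability IEs are unreadable in a capture, several vendors tie, which is also why protecting these IEs (slide 35) removes the fingerprint. Key names and function names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

# Capability bits per baseband vendor, transcribed from the slide-21 table.
# Keys: cm_service_prompt = CM Service Prompt, eia0 = EIA0 (null integrity),
# ac_csfb = Access class control for CSFB, ext_meas = Extended Measurement Capability.
FINGERPRINTS: Dict[str, Dict[str, int]] = {
    "Huawei":   {"cm_service_prompt": 1, "eia0": 1, "ac_csfb": 0, "ext_meas": 0},
    "Samsung":  {"cm_service_prompt": 0, "eia0": 1, "ac_csfb": 1, "ext_meas": 0},
    "Intel":    {"cm_service_prompt": 0, "eia0": 1, "ac_csfb": 0, "ext_meas": 0},
    "Mediatek": {"cm_service_prompt": 0, "eia0": 1, "ac_csfb": 1, "ext_meas": 1},
    "Qualcomm": {"cm_service_prompt": 1, "eia0": 0, "ac_csfb": 1, "ext_meas": 0},
}

def match_vendor(observed: Dict[str, Optional[int]]) -> Tuple[List[str], int]:
    """Nearest-match over FINGERPRINTS.

    observed maps capability -> bit, or None when the IE was absent or
    unreadable in the capture; None entries are not scored. Returns every
    vendor at the minimum mismatch distance, so a list longer than one is
    exactly the 'multiple options' situation from slide 25.
    """
    best: List[str] = []
    best_dist = len(observed) + 1          # larger than any possible distance
    for vendor, fp in FINGERPRINTS.items():
        dist = sum(1 for cap, bit in observed.items()
                   if bit is not None and fp.get(cap) != bit)
        if dist < best_dist:
            best, best_dist = [vendor], dist
        elif dist == best_dist:
            best.append(vendor)
    return best, best_dist

def is_conclusive(observed: Dict[str, Optional[int]]) -> bool:
    """True only when exactly one vendor matches with zero mismatches."""
    vendors, dist = match_vendor(observed)
    return len(vendors) == 1 and dist == 0
```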

  26. What next
      • Passive MNmap also works (active base station not required)
      • Privacy: link IMSI to device capabilities on 4G (associate device fingerprints to people)
      • Launch target-specific attacks
      • Open-source MNmap: share traces and an automated tool

  27. 2. Bidding down
      Flow: Get capabilities → Send capabilities (radio capabilities) → hijacking RELAY (modified radio capabilities) → Save all capabilities → OTA security → Registration success
      • MitM relay before OTA security
      • Network/phone cannot detect

  28. Bidding down: radio capabilities are modified
      • UE category changed (Cat 12 -> Cat 1)
      • CA and MIMO are disabled
      • Frequency bands are removed
      • VoLTE mandatory requirements are disabled
      • V2V capabilities can be removed

  29. Tests with real networks
      • LTE service downgrade (with elite USIM)
      • iPhone 8 and LTE Netgear router (Qualcomm basebands)
      • Data rate (downlink) 48 Mbps to 2 Mbps (USA and Europe)
      • VoLTE calls are denied to the UE (CSFB used)
      • Handovers to 2G/3G due to lack of band support (downgraded)

  30. Impact
      • 22 out of 32 tested LTE networks worldwide (Europe, Asia, NA) are affected (USA, Switzerland, France, Japan, Korea, Netherlands, UK, Belgium, Iceland)
      • Persistent for 7 days: capabilities are cached at the core network
      • Restart device for normal operation
      • **Radio is the bottleneck for data service speed

  31. Why without/before security? *To do early optimization for better service/connectivity

  32. 3. Battery drain
      Flow: Registration → Capabilities (PSM_enable sent, PSM_disabled received) → Authentication and Security → Registration success (PSM_Not_enabled) → Battery_Drain
      • NB-IoT (Narrow Band)
      • Power Saving Mode (PSM): OFF when not in use

  33. Tests
      • PSM disabled (UE and network don't detect)
      • Continuous activity (neighbor cell measurements) drains the battery (10-year battery??)
      • Experiment with NB-IoT UE (Quectel BC68 modem)
      • Reconnects after 310 hours (13 days)
      • Battery lifetime reduced by 5 times
      • Persistent attack: restart required to restore

  34. Vulnerability status
      • Reported to GSMA, 3GPP SA3 and other affected operators and vendors
      • Positive acknowledgement / could be implementation issues
      • Thanks to GSMA, SA3: 3GPP to add fixes
      • Core network capabilities are still unprotected
      • MNmap still possible on 5G: passive, active

  35. Fixes
      • Fixes in LTE Release 14 for NB-IoT will be commercial soon
      • UE capabilities should be security protected: accessible only after mutual authentication
        • Operators' eNodeB implementation/configuration should be updated
      • Capabilities should be replayed to the UE after NAS security setup for verification (a hash of them)
        • V2V, voice calling features, PSM timers, etc.
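The following is an added model (not code from the talk) of the registration exchange on slides 12 and 27 and of the replay-hash fix proposed on slide 35: capabilities leave the UE in plaintext before security, a relay can lower them (slide 28), and only a keyed hash replayed after NAS security lets the UE notice. The class and function names, the capability fields and the demo NAS key are this example's own constructions.

```python
import hashlib
import hmac
import json
from typing import Any, Callable, Dict, Optional

Caps = Dict[str, Any]
# Constructed stand-in for the NAS key derived during authentication.
DEMO_NAS_KEY = b"constructed-demo-nas-key"

def capability_digest(caps: Caps, nas_key: bytes) -> bytes:
    """Keyed hash over a canonical encoding of the capability set (slide 35's
    'hash of them'); only computable once NAS security exists."""
    encoded = json.dumps(caps, sort_keys=True).encode()
    return hmac.new(nas_key, encoded, hashlib.sha256).digest()

class Ue:
    def __init__(self, caps: Caps) -> None:
        self.caps = dict(caps)
        self.nas_key = b""          # empty until authentication completes
    def send_capabilities(self) -> Caps:
        return dict(self.caps)      # slide 12: plaintext, before security
    def verify_replay(self, digest: bytes) -> bool:
        # Slide 35: compare the replayed hash with what was actually sent.
        return hmac.compare_digest(digest, capability_digest(self.caps, self.nas_key))

class Network:
    def __init__(self) -> None:
        self.stored: Caps = {}
        self.nas_key = b""
    def save_capabilities(self, caps: Caps) -> None:
        self.stored = dict(caps)    # slide 30: cached at the core network
    def replay_digest(self) -> bytes:
        return capability_digest(self.stored, self.nas_key)

def bidding_down_relay(caps: Caps) -> Caps:
    """Relay changes listed on slide 28: category 12 -> 1, CA/MIMO off, bands removed."""
    lowered = dict(caps)
    lowered.update(ue_category=1, ca=False, mimo=False, bands=caps["bands"][:1])
    return lowered

def register(ue: Ue, net: Network, relay: Optional[Callable[[Caps], Caps]] = None,
             verify: bool = False) -> Dict[str, Any]:
    # Returns whether the stored capabilities were tampered with and whether
    # the slide-35 replay check (when enabled) caught it.
    sent = ue.send_capabilities()
    if relay is not None:
        sent = relay(sent)          # MitM relay between UE and eNodeB (slide 27)
    net.save_capabilities(sent)
    ue.nas_key = net.nas_key = DEMO_NAS_KEY   # authentication and security setup
    detected = verify and not ue.verify_replay(net.replay_digest())
    return {"tampered": sent != ue.caps, "detected": detected,
            "stored_category": net.stored["ue_category"]}
```

Without `verify=True` the lowered capabilities are accepted and cached, matching the "network/phone cannot detect" observation on slide 27; with it the UE rejects the mismatch.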

  36. Thank you. altaf329@sect.tu-berlin.de, Ravi.borgaonkar@sintef.no, Director@kaitiaki.in
