Exposing Device Features on 4G and 5G Networks
Altaf Shaik (Technische Universität Berlin, Germany), Ravishankar Borgaonkar (SINTEF Digital, Norway)
Hardware.io 2019, Netherlands, 26.09.2019
5G?
• Human communication
• Machine communication
5G Security?
LTE security + new services (use cases) + new networking technologies (NFV/SDN) + requirements/enhancements = 5G security requirements
Source: https://www.informationsecuritybuzz.com/articles/security-challenges-next-generation-5g-mobile-networks/
5G Security Elements
• Network slicing security
• Cell authentication+
• Edge cloud / central cloud / mobile edge computing
• NFV/SDN security
• Encryption / integrity+
• Privacy+ / resilience+
• Device identifiers / credentials
Security Evolution (OTA)
IMSI Catchers in 5G? (IMSI / IMEI exposure)
5G Security?
• 5G security >> 4G? (What's new?) Same protocols, same security algorithms.
• Attacks in 4G/LTE fixed? Downgrade attacks, DoS attacks, location tracking.
• What's not fixed in 4G is copy-pasted to 5G.
Capabilities?
UE capabilities:
1. Core network capabilities (security algorithms, voice calling support, V2V) – 3GPP TS 24.301, 23.401, 24.008
2. Radio access capabilities (frequency bands, Rx & Tx features, MIMO, CA, UE category) – 3GPP TS 36.331
Core Capabilities
Capabilities in 5G
• V2X: connected cars
• ProSe (D2D): location services
• CIoT: IoT specific
Radio Capabilities
LTE Registration
Message flow: Registration (core network capabilities) -> Authentication and security -> Get capabilities / Send capabilities (radio access capabilities) -> Save all capabilities -> OTA security -> Registration success
• UE capabilities are sent to the network during registration
• Stored at the network for long periods
• Visible in plain text over the air
• Exposed to passive and active attacks
Issue?
UE capabilities are:
• Accessible by rogue base stations
• Sent in plain text over the air
• Affected by standard + implementation bugs
Attacks?
• MNmap (active or passive)
• Bidding down (MitM)
• Battery drain (MitM)
Setup – LTE MitM attacker
• Hardware: 2 x (USRP B210 + laptop); phones, Quectel modems, cars, IoT devices, trackers, laptops, routers...
• Software: srsLTE
• Attacks tested with real devices and commercial networks
1. MNmap (Mobile Network Mapping) – similar to IP Nmap: maker, model, OS, applications, version
MNmap – identify any cellular device in the wild
• Baseband vendor name and model; chip maker
• Device model, operating system (Android, iOS)
• Application of the device
• Baseband software version
Cellular: phone (Samsung, Huawei, HTC, LG, Nokia, iPhone), tablet (iPad), router, USB dongle, hotspots, laptops, wearables
Cellular IoT (NB-IoT, LTE-M): asset trackers, car, smart meters, railways, smart grid, agriculture sensors, home automation, vending machines
Others
Identification – how
• Baseband vendors implement capabilities differently; e.g., Qualcomm chipsets always disable EIA0
• Many capabilities are optional (disabled/enabled)
• Each target application requires a different set of UE capabilities: V2V for automated cars; voice calling and codec support for phones; GPS capability for trackers; data-only support for routers and USB data sticks (SMS only)
DUT (devices under test)
Reference model devices
• Baseband vendor
• Application
• Chipset name
• 3GPP release
Fingerprints – implementation differences among baseband vendors

Capability                        Huawei  Samsung  Intel  Mediatek  Qualcomm
CM Service Prompt                 1       0        0      0         1
EIA0                              1       1        1      1         0
Access class control for CSFB     0       1        0      1         1
Extended Measurement Capability   0       0        0      1         0
Chipset info
Half-way
1. Baseband maker
2. Baseband model
3. List of supported devices for the chipset
4. Identify the right device and application
Fingerprints

Difference between phone and other devices:
Capability                 Phone                              Others
UE's usage setting         Voice or Data                      Not present
Voice domain preference    CS Voice or PS Voice preferred     Not present
UMTS AMR codec             Present                            Not present

Difference between iOS and Android:
Capability                         Android  iOS
MS assisted GPS                    1        0
Voice over PS-HS-UTRA-FDD-r9       1        0

Phone and baseband:
Phone     Baseband
Huawei    Huawei
Samsung   Samsung
Apple     Intel or QCT

Difference between cellular and cellular IoT:
Capability                       Cellular IoT  Cellular
PSM Timer                        1             0
T3412 ext period (TAU timer)     1             0
MNmap issues
• SIM card can affect which capabilities are enabled/disabled – operator setting, e.g., bands
• IoT applications: LTE-M vs NB-IoT; timer values (low for smart meters, high for asset trackers)
• Successes and failures in detection (close to round-off, multiple options)
What next
• Passive MNmap also works (active base station not required)
• Privacy: link IMSI to device capabilities on 4G (associate device fingerprints to people); launch target-specific attacks
• Open source MNmap: share traces and automated tool
2. Bidding down
Message flow: Get capabilities -> Send capabilities (radio capabilities) -> MitM relay hijacks radio capabilities before OTA security -> Save all capabilities -> OTA security -> Registration success
Network and phone cannot detect the modification.
Bidding down – radio capabilities are modified
• UE category changed (Cat 12 -> Cat 1)
• CA and MIMO are disabled
• Frequency bands are removed
• VoLTE mandatory requirements are disabled
• V2V capabilities can be removed
Tests with real networks
• LTE service downgrade (with elite USIM)
• iPhone 8 and LTE Netgear router (Qualcomm basebands)
• Data rate (downlink): 48 Mbps to 2 Mbps (USA and Europe)
• VoLTE calls are denied to the UE (CSFB used)
• Handovers to 2G/3G due to lack of band support – downgraded
Impact
• 22 out of 32 tested LTE networks worldwide (Europe, Asia, NA) are affected (USA, Switzerland, France, Japan, Korea, Netherlands, UK, Belgium, Iceland)
• Persistent for 7 days: capabilities are cached at the core network; restart the device for normal operation
• Radio is the bottleneck for high-speed data service
Why without/before security?
• To do early optimization for better service/connectivity
3. Battery drain
Message flow: Registration (NB-IoT capabilities, PSM_enable) -> MitM relay rewrites to PSM_disabled -> Authentication and security -> Registration success (PSM_Not_enabled) -> Battery_Drain
Power Saving Mode (PSM): narrow-band device is OFF when not in use.
Tests
• PSM disabled (UE and network don't detect it)
• Continuous activity – neighbor cell measurements drain the battery (10-year battery??)
• Experiment with NB-IoT UE (Quectel BC68 modem): reconnects after 310 hours (13 days); battery lifetime reduced by 5 times
• Persistent attack: restart required to restore
Vulnerability status
• Reported to GSMA, 3GPP SA3 and other affected operators and vendors
• Positive acknowledgement / could be implementation issues
• Thanks to GSMA, SA3: 3GPP to add fixes
• Core network capabilities are still unprotected
• MNmap still possible on 5G: passive, active
Fixes
• Fixes in LTE Release 14 for NB-IoT will be commercial soon
• UE capabilities should be security protected: accessible only after mutual authentication
• Operators' eNodeB implementation/configuration should be updated
• Capabilities should be replayed to the UE after NAS security setup for verification – a hash of them (V2V, voice calling features, PSM timers, etc.)
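One way to implement the replay-and-hash check proposed above, as an added example that is not the authors' tool and not 3GPP's actual encoding: the UE hashes the capabilities it sent, the network returns the hash of its stored copy inside the now integrity-protected NAS channel, and a mismatch reveals a relay that rewrote the radio capabilities before security was established. The field names, the JSON canonical encoding and the SHA-256 choice are assumptions for illustration.

```python
import hashlib
import json

# Constructed UE capability record (illustrative field names, not a real
# capture and not the 3GPP ASN.1 encoding); values mirror the downgrade the
# slides describe (Cat 12, CA, MIMO, several bands, VoLTE).
GENUINE_CAPS = {
    "ue_category": 12,
    "carrier_aggregation": True,
    "mimo_layers": 4,
    "bands": [1, 3, 7, 20, 28],
    "volte": True,
    "psm_enabled": True,
}

def encode_capabilities(caps: dict) -> bytes:
    """Canonical byte encoding so UE and network hash identical bytes."""
    return json.dumps(caps, sort_keys=True, separators=(",", ":")).encode()

def capability_hash(caps: dict) -> str:
    """Digest the UE keeps of what it sent and the network returns of what it stored."""
    return hashlib.sha256(encode_capabilities(caps)).hexdigest()

def relayed_downgrade(caps: dict) -> dict:
    """Test vector: the bidding-down edits listed on the slides, applied by a relay."""
    forged = dict(caps)
    forged.update({"ue_category": 1, "carrier_aggregation": False,
                   "mimo_layers": 1, "bands": [3], "volte": False})
    return forged

def ue_verify_replay(sent_caps: dict, replayed_hash: str) -> bool:
    """UE-side check after NAS security: the stored copy must match what was sent."""
    return capability_hash(sent_caps) == replayed_hash

def changed_fields(sent_caps: dict, stored_caps: dict) -> list:
    """Fields that differ between the UE's copy and the network's copy, for logging."""
    return sorted(k for k in sent_caps if sent_caps[k] != stored_caps.get(k))

def registration_outcome(sent_caps: dict, stored_caps: dict) -> tuple:
    """Simulated post-security replay: (accepted, fields that were tampered with)."""
    ok = ue_verify_replay(sent_caps, capability_hash(stored_caps))
    return ok, [] if ok else changed_fields(sent_caps, stored_caps)

if __name__ == "__main__":
    print(registration_outcome(GENUINE_CAPS, GENUINE_CAPS))
    print(registration_outcome(GENUINE_CAPS, relayed_downgrade(GENUINE_CAPS)))
```

The second call reports the exact fields a relay altered, which is the signal a UE or a network-side monitor would log before tearing down the registration.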
Thank you
altaf329@sect.tu-berlin.de, Ravi.borgaonkar@sintef.no, Director@kaitiaki.in