GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier (PowerPoint presentation transcript)

  1. GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier B. Hong, S. Bae, and Y. Kim NDSS 2018

  2. Location Privacy Leaks on GSM
  - We have the victim's mobile phone number
  - Can we detect if the victim is in/out of an area of interest? Granularity: 100 km²? 1 km²? Next door?
  - No collaboration from the service provider, i.e. how much information leaks from the HLR over broadcast messages?
  - Attacks by passively listening: paging channel, random access channel

  3. Cellular Network
  (Diagram: MS, BTS, BSC, MSC, VLR, HLR/HSS, PSTN; GSM air interface between MS and BTS)

  4. Location Leaks on Cellular Network
  - IMSI: a unique number associated with every GSM subscriber
  - TMSI: randomly assigned by the VLR; updated in a new area
  - PCCH: broadcast paging channel
  - RACH: random access channel
  - SDCCH: standalone dedicated control channel
  - A LAC has multiple cell towers that use different ARFCNs
  (Diagram, BTS and MS: Paging Request on PCCH; Channel Request on RACH; Immediate Assignment; Paging Response on SDCCH; Setup and Data on SDCCH)

  5. Platform
  - VirtualBox running Ubuntu and OsmocomBB software (free)
  - Serial cable and reprogrammer cable ($30)
  - HTC Dream with custom Android kernel ($100)
  - Motorola C118 ($30)

  6. Phone number-TMSI mapping
  (Diagram: calls placed via the PSTN at intervals dt; paging channel (PCH) observed over time)

  7. Silent Paging
  - Delay between the call initiation and the paging request: 3 sec
  - Median delay between call initiation and ring: 6 sec
  (Histograms over time in seconds, 0-10 s)

  8. Immediate Assignment
  - Is the IA message sent to all towers in the same LAC?
  - How do we identify the IA message? It carries no identifiable information
  - Check the correlation between IA and Paging Request
  (Bar chart, 0.0-2.0: same ARFCN, different ARFCN, random)

  9. Location Area Code (LAC)

  10. Hill Climbing to discover towers

  11. Mapping cell signal strength

  12. Coverage area with 1 antenna: Downtown Minneapolis
  (Map: observer with a Yagi antenna; towers in this area are observable with a rooftop 12 dB gain antenna. Photo caption: John's newly shaved head)

  13. Following a walking person
  (Map: Observer, Start, End; approximate areas covered by the towers to which the victim's phone was attached)

  14. GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier. Byeongdo Hong, Sangwook Bae, Yongdae Kim, KAIST SysSec (System Security Lab), Feb. 19, 2018

  15. Paging Area in Cellular Network
  - Paging: a method to find a specific subscriber
  - How? By using the subscriber's identifier
  (Diagram: Paging Request broadcast over a Tracking Area (radius < 10 km), Paging Response from the subscriber)

  16. Identifiers in Cellular Networks
  - Permanent/unique identifier: IMSI (International Mobile Subscriber Identity), provisioned in the SIM card
  - Temporary identifier, used to hide the subscriber:
    TMSI (Temporary Mobile Subscriber Identity), used in 2G/3G
    GUTI (Globally Unique Temporary Identity), used in LTE

  17. Location Tracking in Cellular Network
  (Diagram: Location Area 1 and Location Area 2; victim Yongdae with TMSI 0xff123456; Attacker; User B; User C)

  18. Phone number-Temporary ID mapping
  - Traffic analysis to find the same TMSI (Kune et al. NDSS'12): find the intersection of the identifier sets observed on the paging channel after each call trigger
    (Diagram: attacker triggers calls at intervals dt and observes the paging channel over time)
  - Using a "Silent Call": terminating the call before ringing
  - Same vulnerability in LTE with an unchanged GUTI (Shaik et al. NDSS'16)

  19. Defense of Location Tracking
  - Temporary identifier reallocation: GUTI Reallocation in LTE, to prevent mapping between subscriber and ID
  Q. Is GUTI Reallocation the solution to existing attacks?
  A. Yes, but simply changing the identifier is not a solution!

  20. Experiment Setup
  - Broadcast channel analysis: antenna, USRP B210, broadcast channel receiver running srsLTE (open source)
  - Device analysis: Diagnostic Monitor, Signaling Collection and Analysis Tool (SCAT) [1]
  [1] B. Hong, S. Park, H. Kim, D. Kim, H. Hong, H. Choi, J.P. Seifert, S. Lee, Y. Kim, "Peeking over the Cellular Walled Gardens: A Method for Closed Network Diagnosis", IEEE Transactions on Mobile Computing.

  21. Worldwide Data Collection

  Country        # of OP.   # of USIM   # of signalings
  U.S.A          3          22          763K
  Austria        3          3           807K
  Belgium        3          3           372K
  Switzerland    3          3           559K
  Germany        4          19          841K
  France         2          6           305K
  U.K.           1          1           41K
  Spain          2          2           51K
  Netherlands    3          3           946K
  Japan          1          2           37K
  South Korea    3          14          1.7M

  Data summary: collection period 2014.11 to 2017.7; 11 countries; 28 operators; 78 USIMs; 58K voice calls; 6.4M signalings.
  OP: operator, USIM: Universal Subscriber Identity Module, signaling: control-plane message

  22. Same vs. Fingerprintable IDs
  - NDSS'12, '16: same ID -> location tracking!
  - This work: ID fingerprinting -> location tracking!

  23. Fixed Bytes in GUTI Reallocation
  - 19 operators have fixed bytes

  Allocation pattern         Operators
  Assigning the same GUTI    BE-III, DE-II, FR-II, JP-I
  Three bytes fixed          CH-II, DE-III, NL-I, NL-II
  Two bytes fixed            BE-II, CH-I, CH-III, ES-I, FR-I, NL-III
  One byte fixed             AT-I, AT-II, AT-III, BE-I, DE-I

  AT: Austria, BE: Belgium, CH: Switzerland, DE: Germany, ES: Spain, FR: France, JP: Japan, NL: Netherlands
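The attack behind slides 18, 22 and 23 can be written down compactly: learn which bytes an operator leaves fixed across reallocations (using a USIM of your own), then run the NDSS'12 silent-call intersection on the projection of each paged identifier onto those fixed bytes instead of on the whole identifier. The following is an added example, not code from the paper, the slides or the SCAT tool. The paging log it consumes is constructed; 4-byte tuples stand in for the M-TMSI, which this example assumes is the part of the GUTI that reallocation changes; and calls_for_success is this example's own simplified estimate of the call count in the spirit of slide 31, not the paper's measurement.

```python
"""Fingerprinting a reallocated GUTI and locating its owner by set
intersection over the paging channel (added example, constructed data)."""
import math
import random

ID_LEN = 4  # M-TMSI bytes replaced by a reallocation (assumption of this example)


def fixed_byte_mask(ids):
    """True at each byte position that never changed across the identifiers
    one USIM received over successive calls (the slide-23 measurement)."""
    if not ids:
        raise ValueError("need at least one observed identifier")
    return tuple(all(x[i] == ids[0][i] for x in ids) for i in range(ID_LEN))


def classify_pattern(ids):
    """Label the operator's allocation pattern as the slide-23 table does."""
    if len(set(ids)) == 1:
        return "same GUTI"
    n_fixed = sum(fixed_byte_mask(ids))
    return "no noticeable rule" if n_fixed == 0 else f"{n_fixed} byte(s) fixed"


def project(ident, mask):
    """Keep only the bytes the operator leaves fixed.  An all-True mask keeps
    the whole identifier, which is the same-ID attack of NDSS'12/'16."""
    return tuple(b for b, keep in zip(ident, mask) if keep)


def paged_in_window(paging_log, t_call, window):
    """Identifiers paged in (t_call, t_call + window]."""
    return {ident for t, ident in paging_log if t_call < t <= t_call + window}


def track(paging_log, call_times, window, mask):
    """Silent-call intersection attack: after each call keep only the
    fixed-byte projections that were paged after every call so far.
    Returns (surviving projections, number of calls used)."""
    surviving = None
    for n, t_call in enumerate(call_times, start=1):
        seen = {project(i, mask) for i in paged_in_window(paging_log, t_call, window)}
        surviving = seen if surviving is None else surviving & seen
        if len(surviving) == 1:
            return surviving, n
    return surviving, len(call_times)


def calls_for_success(paging_rate, window, fixed_bytes, target=0.99, max_calls=10_000):
    """Rough estimate of calls needed for P(no false survivor) >= target.
    This is the example's own model, not the paper's figure: N background
    pagings per window, each background projection survives a further window
    with probability p, and P(success) ~ exp(-N * p**(k-1))."""
    n_bg = paging_rate * window
    p = 1.0 - (1.0 - 1.0 / 256 ** fixed_bytes) ** n_bg
    for k in range(1, max_calls + 1):
        if n_bg * p ** (k - 1) <= -math.log(target):
            return k
    return None  # not achievable within max_calls (background too dense)


def constructed_log(call_times, victim_ids, paging_rate=5, horizon=60, seed=7):
    """Constructed trace: background pagings at paging_rate per second plus the
    victim paged 3 s after each silent call (the delay measured on slide 7)."""
    rng = random.Random(seed)
    log = [(tick / paging_rate, tuple(rng.randrange(256) for _ in range(ID_LEN)))
           for tick in range(horizon * paging_rate)]
    log += [(t + 3.0, ident) for t, ident in zip(call_times, victim_ids)]
    return sorted(log)


# Victim on an operator of the "two bytes fixed" kind: bytes 1-2 constant,
# bytes 3-4 change on every reallocation (constructed values).
CALL_TIMES = [0.0, 10.0, 20.0, 30.0, 40.0]
VICTIM_IDS = [(0x12, 0x34, 0xA0 + k, (0x01 + 7 * k) & 0xFF) for k in range(len(CALL_TIMES))]
# The attacker learns the mask from a USIM of its own on the same operator.
OPERATOR_MASK = fixed_byte_mask(VICTIM_IDS)


def run_attack():
    log = constructed_log(CALL_TIMES, VICTIM_IDS)
    return track(log, CALL_TIMES, window=5.0, mask=OPERATOR_MASK)


if __name__ == "__main__":
    print(classify_pattern(VICTIM_IDS))
    print(run_attack())
    for f in (1, 2, 3):
        print(f"{f} byte(s) fixed at 5 pagings/s: {calls_for_success(5, 5.0, f)} calls")
```

With one fixed byte the projection space is only 256 values, so background subscribers collide with the victim's projection often and more calls are needed; with two or three fixed bytes a couple of calls suffice, which is the shape of slide 31's chart. The estimate ignores the paging-response timing correlation the measurements also use, so treat it as a lower-bound sanity check, not a reproduction of the paper's numbers.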

  24-25. Case I: Netherlands (NL-I)
  (Plots (a)-(d): hexadecimal value of the 1st, 2nd, 3rd and 4th byte of the assigned GUTI versus number of calls, 0-30 calls)

  26-27. Case II: Belgium (BE-II)
  (Plots (a)-(d): hexadecimal value of the 1st, 2nd, 3rd and 4th byte of the assigned GUTI versus number of calls, 0-30 calls)

  29. Stress Testing
  - No noticeable rule of GUTI Reallocation for some operators
  - Invoking voice calls continuously within a short time; two types of test:
    Weak stress testing
    Hard stress testing: calls at shorter intervals than the weak stress test

  30. Stress Testing Result
  - Force the network to skip the GUTI reallocation
  - Experiments on two US and two Korean operators

  Operator   Weak Stress Testing   Hard Stress Testing
  KR-I       O                     O
  KR-II      X                     O
  US-I       X                     O
  US-II      O                     O
  O: reuse GUTI, X: no noticeable change

  (Plot: hexadecimal value of the 1st-4th byte versus number of calls, 1-29; annotations "End weak stress testing" and "Network skips GUTI Reallocation")

  31. Success Rate of our Attack
  - Required number of calls covering 99% success rate
  (Bar chart: call trials, 0-20, for 1, 2 and 3 bytes fixed at 5, 88 and 160 pagings/sec)

  32. Location Tracking with GUTI
  - Observation of broadcast channels after call invocation
  - Pattern matching (fixed bytes, assigning the same GUTI)
  - Location tracking (Tracking Area, Cell)
  (Map: OpenSignal coverage at KAIST)

  33. Defenses + Requirements
  - Frequent refreshing of the temporary identifier: per service request
  - Unpredictable identity allocation: cryptographically secure pseudorandom number generation (Hash_DRBG can be used)
  - Collision avoidance
  - Stress-testing resistance
  - Low-cost implementation
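The requirements on slide 33 are easy to state and easy to get wrong, so here is an added example (not the paper's design and not any MME vendor's code) of an allocator that meets them, beside a weak allocator constructed to reproduce the two failure modes the talk measured: fixed bytes with a counter, and reallocation skipped when requests arrive too quickly. The OS CSPRNG (Python's secrets) stands in for the Hash_DRBG the slide names; the 4-byte identifier is assumed to model the M-TMSI part of the GUTI; the prefix, interval and schedule values are constructed.

```python
"""Temporary-identifier allocator meeting the slide-33 requirements, next
to a weak one reproducing the measured failure modes (added example)."""
import secrets

ID_LEN = 4  # M-TMSI bytes replaced by a reallocation (assumption of this example)


def fixed_positions(ids):
    """Byte positions that stayed constant over a sequence of identifiers."""
    return [i for i in range(ID_LEN) if len({x[i] for x in ids}) == 1]


def reuses(ids):
    """How many identifiers in the sequence repeat an earlier value."""
    return len(ids) - len(set(ids))


class WeakAllocator:
    """Constructed stand-in for the behaviours the talk measured: a fixed
    3-byte prefix with a counter in the last byte, and reallocation skipped
    when service requests arrive less than min_interval seconds apart."""
    def __init__(self, prefix=(0x0A, 0x1B, 0x2C), min_interval=1.0):
        self.prefix, self.min_interval = prefix, min_interval
        self.counter, self.last_t = 0, float("-inf")

    def service_request(self, current, t):
        if current is not None and t - self.last_t < self.min_interval:
            return current  # skipped reallocation: the old GUTI stays in use
        self.last_t = t
        self.counter = (self.counter + 1) & 0xFF
        return self.prefix + (self.counter,)


class SecureAllocator:
    """Fresh CSPRNG identifier on every service request, never equal to one
    still bound to another subscriber, whatever the request rate.  The OS
    CSPRNG stands in for the Hash_DRBG named on the slide."""
    def __init__(self, rng=secrets.token_bytes, max_tries=64):
        self.rng, self.max_tries = rng, max_tries
        self.in_use = set()

    def service_request(self, current, t=None):
        for _ in range(self.max_tries):
            cand = tuple(self.rng(ID_LEN))
            if cand in self.in_use:
                continue  # collision avoidance: draw again
            self.in_use.add(cand)
            if current is not None:
                self.in_use.discard(current)  # release the old one only now
            return cand
        raise RuntimeError("identifier space exhausted or RNG stuck")


def observe(allocator, n_calls, interval):
    """Identifiers an attacker would see paged for one UE over n_calls
    silent calls spaced interval seconds apart."""
    ids, current = [], None
    for k in range(n_calls):
        current = allocator.service_request(current, k * interval)
        ids.append(current)
    return ids


def compare(n_calls=30):
    """Fixed byte positions and reuse count for each allocator under a slow
    (10 s) and a fast (0.5 s) call schedule, like slide 29's two tests."""
    out = {}
    for name, make in (("weak", WeakAllocator), ("secure", SecureAllocator)):
        for label, interval in (("slow", 10.0), ("fast", 0.5)):
            ids = observe(make(), n_calls, interval)
            out[(name, label)] = (fixed_positions(ids), reuses(ids))
    return out


if __name__ == "__main__":
    for key, (fixed, reused) in compare().items():
        print(key, "fixed bytes:", fixed, "reused:", reused)
```

The weak allocator shows three fixed byte positions on every schedule and, on the fast schedule, returns the same identifier for half the calls, which is exactly what the fingerprinting and stress-testing results on slides 23 and 30 exploit. The secure allocator shows no fixed position and no reuse on either schedule; its only state is the set of identifiers currently bound, which is what makes collision avoidance cheap enough to meet the low-cost requirement.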

  34. Conclusion
  - Predictable reallocation logic: GUTI reallocation patterns with fixed bytes (19 operators) and the same GUTI assigned
  - By stress test (4 test cases): the same GUTI is assigned
  - Location tracking is still possible in cellular networks!
  - A secure GUTI reallocation mechanism is required
