
Defeating IMSI catchers. CCS 2015, 10-13-2015, Denver. Fabian van den Broek, Roel Verdult and Joeri de Ruiter.


  1. Defeating IMSI catchers. CCS 2015, 10-13-2015, Denver. Fabian van den Broek, Roel Verdult and Joeri de Ruiter

  3. IMSI catching
      - For this talk: IMSI catching == catching IMSIs (and nothing else)
      - IMSI catching is an attack that works on all generations of mobile networks

  5. So, what is an IMSI? IMSI = International Mobile Subscriber Identity
      - unique identifier of a SIM
      - IMEI ≠ IMSI ≠ phone number

  9. So, what is an IMSI? (II)
      - 15 digits that identify:
          - home country
          - home network
          - user
      - Example IMSI: 310030123456789
          - The United States
          - AT&T

  10. And the IMSI is broadcasted in plain text!

  14. IMSI catchers
      - passive
      - active
      - eavesdropping and insertion
      - expensive and exclusively sold to governments
      - or home made for $100,-

  22. Why catch IMSIs?
      - IMSIs reveal information
      - Attack location privacy
          - Tracking
          - Location monitoring
      - Linking identities to devices

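  23. 3G+4G authentication (simplified)
      - SIM holds: IMSI, K, SQN
      - Home network holds: IMSI → ⟨K_i, SQN_i⟩
      - Serving network → SIM: identity request
      - SIM → Serving network: identity response (IMSI)
      - Serving network → Home network: IMSI
      - (1) Home network → Serving network: ⟨RAND, AUTN, XRES, CK⟩
      - Serving network → SIM: authentication request (RAND, AUTN)
      - (2) (3) SIM → Serving network: authentication response (SRES)
      - Serving network: verify SRES = XRES
      - Location Update(IMSI), encrypted using CK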

  24. Who is to blame?


  28. Our solution
      - uses temporary pseudonyms: PMSIs
      - can be deployed by any Home network / provider
      - does not prevent IMSI catching, but hinders attack goals (e.g. tracking, etc.)
      - is formally verified using ProVerif
      - successor PMSIs are only known to SIM and Home network
      - the Home network generates successor PMSIs, but how to get them to the SIM?

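  29. 3G+4G solution
      - SIM holds: P, P′, κ, K, SQN
      - Home network holds: PMSI → ⟨P, P′, κ_i, K_i, SQN_i⟩
      - Serving network → SIM: identity request
      - SIM: P ← P′
      - SIM → Serving network: identity response (P)
      - Serving network → Home network: P
      - (1) Home network → Serving network: ⟨RAND, AUTN, XRES, CK⟩
      - Serving network → SIM: authentication request (RAND, AUTN)
      - (2) (3) SIM → Serving network: authentication response (SRES)
      - Serving network: verify SRES = XRES
      - Location Update(P), encrypted using CK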

  30. 3G+4G solution
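
The pseudonym rotation from slides 28 and 29, as an added Python sketch that is not from the talk or the authors' implementation. The slides shown here do not say how the successor P′ reaches the SIM, so the example assumes it is sent encrypted under κ alongside the authentication request. The keystream cipher, the 310030 prefix (taken from the example IMSI) and all class and function names are constructed for illustration, and the RAND/AUTN/SRES exchange is left out.

```python
import hashlib, hmac, secrets

def xor_stream(kappa: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (HMAC-SHA256 keystream), standing in for a real AEAD."""
    pad = hmac.new(kappa, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def fresh_pmsi(prefix: str = "310030") -> str:
    # Assumption: pseudonym keeps the country/network digits, randomises the rest.
    return prefix + "".join(secrets.choice("0123456789") for _ in range(9))

class HomeNetwork:
    def __init__(self):
        self.subs = []  # records <P, P', kappa>; K and SQN omitted

    def enroll(self):
        rec = {"P": fresh_pmsi(), "Pn": fresh_pmsi(), "kappa": secrets.token_bytes(32)}
        self.subs.append(rec)
        return rec["P"], rec["kappa"]

    def auth_data(self, pmsi: str):
        """Find the record by P or P' and return the encrypted successor."""
        rec = next(r for r in self.subs if pmsi in (r["P"], r["Pn"]))
        if pmsi == rec["Pn"]:  # SIM has moved on: P <- P', draw a new P'
            rec["P"], rec["Pn"] = rec["Pn"], fresh_pmsi()
        nonce = secrets.token_bytes(16)
        return nonce, xor_stream(rec["kappa"], nonce, rec["Pn"].encode())

class Sim:
    def __init__(self, p: str, kappa: bytes):
        self.P, self.Pn, self.kappa = p, None, kappa

    def identity_response(self) -> str:
        if self.Pn:  # P <- P' before answering, as on slide 29
            self.P, self.Pn = self.Pn, None
        return self.P

    def on_auth_request(self, nonce: bytes, blob: bytes):
        self.Pn = xor_stream(self.kappa, nonce, blob).decode()

def simulate(attaches: int, drop=frozenset()):
    """Return the identifiers a catcher on the radio link would observe."""
    home, seen = HomeNetwork(), []
    sim = Sim(*home.enroll())
    for i in range(attaches):
        seen.append(sim.identity_response())
        msg = home.auth_data(seen[-1])
        if i not in drop:  # a dropped message leaves the SIM without P'
            sim.on_auth_request(*msg)
    return seen
```

With `drop={1}` the SIM never receives its successor and repeats the previous pseudonym, so those two attaches stay linkable until the next delivery succeeds.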
