
IMP4GT: IMPersonation Attacks in 4G NeTworks



  1. IMP4GT: IMPersonation Attacks in 4G NeTworks. David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper. 25.02.2020, NDSS Symposium, San Diego, USA

  2. Motivation: Internet Passes

  3. LTE Security Aims: Mutual Authentication; Traffic Confidentiality; Identity & Location Confidentiality

  4. Security Features: Authentication and Key Agreement; Connection

  5. Missing Integrity Protection. [Table comparing Control Plane and User Plane; rows: Encryption (stream cipher), Integrity Protection]

  6. Malleable Encryption: Stream Cipher. [Figure: Encryption and Decryption with bit rows 1 0 1 0, 0 1 0 1 and 1 1 1 1; message values $10 and $100]

  7. Already Known: Redirection. Can it be worse? Yes, with IMP4GT /ˈɪmpækt/. Reference: Rupprecht, D., Kohls, K., Holz, T., & Pöpper, C. "Breaking LTE on Layer Two". In 2019 IEEE Symposium on Security and Privacy (SP)

  8. Impersonation in 4G Networks (IMP4GT): Breaks mutual authentication in both directions. Uplink: Impersonation of a user towards the network on the user-plane. Downlink: Impersonation of a network towards the user on the user-plane.

  9. The Basic Principle: Encryption Oracle; Malleable Encryption; Decryption Oracle; Impersonation; Reflection

  10. Reflection: ICMP Ping. [Figure labels: IP / ICMP (ping) / Data; IP / ICMP (ping) / Data]

  11. Uplink Encryption Oracle. [Figure: message flow between UE, Relay, Network, Keystream Generation and Target Server. Labels: Already Open; IP / UDP / Payload; IP / PING Request / Payload; IP / PING Reply / Payload; IP (target_ip) / TCP / new Payload; Encrypted on the Radio Layer]

  12. Uplink Enc + Downlink Dec = Full Impersonation. [Figure: UE, Relay, Network, Keystream Generation, Decryption Server and Target Server; labels: Uplink Encryption, Downlink Decryption]

  13. Experiments
      • Commercial network and phone
      • Uplink impersonation
        • Visit a website only accessible by a victim: pass.telekom.de
        • Upload a 10KB file to a server
      • Downlink impersonation
        • TCP connection towards the phone
        • No interaction of the user
        • connectivitycheck.android.com
          • Checks if you have an Internet connection

  14. Consequences
      • Providers: Over Billing; Authorization
      • Law Enforcement: Lawful Interception; Lawful Disclosure Process
      • User: Privacy; Firewall / NAT; IoT

  15. Conclusion: We need Integrity Protection! • Fully specified and deployed • Optional integrity protection • Unlikely… • Limited support in early implementations. We emphasize the need for mandatory integrity protection. Contact: David Rupprecht, Ruhr University Bochum, david.rupprecht@rub.de, https://imp4gt-attacks.net
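
Slides 5, 6 and 15 rest on one property: a stream cipher without integrity protection is malleable, and an integrity tag closes that gap. The sketch below is an added illustration, not code from the talk or the IMP4GT project; the SHA-256 keystream and HMAC tag are assumptions standing in for the LTE algorithms, and every name and the sample message are constructed.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); a stand-in, not an LTE cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, len(plaintext)))

decrypt = encrypt  # XOR with the same keystream is its own inverse

def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Encrypt, then compute an integrity tag over the ciphertext."""
    ct = encrypt(enc_key, plaintext)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def receive(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes):
    """Verify the tag before decrypting; return None if the check fails."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, ct)

def tamper(ct: bytes, known: bytes, wanted: bytes) -> bytes:
    """In-transit change made without the key: ct XOR known XOR wanted."""
    return xor(ct, xor(known, wanted))

def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    original, altered = b"PAY $010", b"PAY $100"  # constructed sample, equal length
    ct, tag = protect(enc_key, mac_key, original)
    modified = tamper(ct, original, altered)
    return (
        decrypt(enc_key, modified),            # encryption only: change goes unnoticed
        receive(enc_key, mac_key, modified, tag),  # with integrity check: rejected
        receive(enc_key, mac_key, ct, tag),        # untouched message still accepted
    )
```
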
