LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE

Transcription

1 LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE Syed Rafiul Hussain*, Omar Chowdhury, Shagufta Mehnaz*, Elisa Bertino* Purdue University*, University of Iowa

2 Critical Infrastructure using Cellular Network 2

3 Security and Privacy Threats on Cellular Network IMSI IMSI = International Mobile Subscriber Identity No Service No Service No Service No Service 3

4 Limitations of Existing Attack Finding Strategies for Cellular Networks No Systematic Approach No adversary, just analyze the performance, and reliability q Is it possible to build a Systematic framework for adversarially analyzing the cellular network specification in order to find security and privacy related problems? 4

5 Scope Attach SMS Detach VoLTE Paging Handover Man-in-the-Middle Attacker Spurious billing Life threatening risks

6 Challenges 1 2 Preliminaries LTEInspector Responsible Disclosure and Impact Conclusion Findings & Attack Validation Future Work 6

7 Challenges q Stateful procedures and multiple participants q 4G LTE lacks formal specification ü written in natural language q Closed system ü Proprietary q Legal barrier ü Licensed spectrum 7

8 Challenges 1 2 Preliminaries LTEInspector Responsible Disclosure and Impact Conclusion Findings & Attack Validation Future Work 8

9 Background: LTE Architecture enodeb enodeb Evolved Packet Core (EPC) HSS PCRF enodeb enodeb UE enodeb MME SGW Internet enodeb PGW enodeb enodeb

10 Background (Attach) Identification Authentication Security algorithm negotiation TMSI Exchange UE enodeb Core Network Connection Setup Attach Request (IMSI/IMEI, UE s Security Capabilities) Network accepts the attach Select and Security allocates Algorithm Challenge temporary (LTE: identity Security Authentication (LTE: Mode Attach Command) Request) Accept) Confirm Response Attach Security (LTE: and Authentication Algorithm new temporary (LTE: Response) Security identity(lte: Mode Attach Complete) Complete) 10

11 Background (Paging & Detach) UE enodeb MME Paging paging_request detach_request detach_accept 11

12 Challenges 1 2 Preliminaries LTEInspector Responsible Disclosure and Impact Conclusion Findings & Attack Validation Future Work 12

13 Adversary Model q Dolev-Yao model Ø Eavesdrop Ø Drop or modify Ø Inject Ø Adheres to cryptographic assumptions q Why Dolev-Yao model? Ø Powerful adversary Ø Automatic tools (ProVerif, Tamarin) can leverage 13

14 Insight q Property characteristics Temporal ordering of events Cryptographic constructs Linear integer arithmetic and other predicates q Intuition: ü Model checker ü Cryptographic protocol verifier temporal trace property & Linear integer arithmetic Cryptographic Constructs How can we leverage reasoning power of these two? 14

15 LTEInspector UE state machine Core network state machine Adversarial model Threat instrumented abstract LTE ecosystem model Crypto. protocol verifier Model checker Attacks Testbed Domain knowledge Counterexample Desired properties from standard

16 Abstract LTE Model Standard q Specification Model for NAS layer (UE-MME) interactions Propositional logic level Model message types only, not message data Abstract away cryptographic constructs Two unidirectional channels UE disconnected MME disconnected auth_request auth_reject detach_request auth_request 6 ( mac_failure (mac_failure 2 (UE_sqn xsqn 7 (UE_sqn mobile_restart attach_request 8 UE_sqn + xsqn UE_sqn + auth_request range)) UE_sqn = range)) UE auth_failure mobile_restart ( mac_failure xsqn + 1, UE auth_response 1 waits for 5 authenticates attach_request auth_request (UE_sqn MME auth_reject 4 xsqn UE_sqn 9 detach_request 3 + range)) auth_request mobile_restart (mac_failure (UE_sqn attach_request UE_sqn xsqn UE_sqn = xsqn + range)) + 1, auth_failure 2 attach_request MME_sqn = 1 MME_sqn + 1, auth_request 3 attach_request MME waits for auth_response 4 auth_failure auth_response 5 auth_response xres_matches_s res attach_request Security_mode MME_sqn = _command 6 MME_sqn + 1, auth_request MME authenticates UE 16

17 Adversarial Model Instrumentor attach_request auth_response sec_mode_command attach_complete Dolev Yao Attacker adversary_turn m adv = no_operation (drop) m UE = attach_request m adv = detach_request (inject) ΥΕ auth_request sec_mode_command attach_accept paging_request ΜΜΕ 17

18 Model Checker q Temporal trace properties Ø Liveness something good eventually happens Ø Safety nothing bad happens q NuSMV φ 1 : It is always the case that whenever UE is in the wait for auth request, it will eventually authenticate MME. auth_request auth_reject detach_request auth_request 6 ( mac_failure (mac_failure 2 (UE_sqn xsqn 7 (UE_sqn mobile_restart attach_request 8 UE_sqn + xsqn UE_sqn + auth_request range)) UE_sqn = range)) UE auth_failure mobile_restart ( mac_failure xsqn + 1, UE auth_response 1 waits for for 5 authenticates attach_request auth_request (UE_sqn MME auth_reject 4 xsqn UE_sqn 9 detach_request 3 + range)) auth_request mobile_restart (mac_failure (UE_sqn UE disconnected authentication_reject Victim UE Emergency calls only attach_request MME 18

19 Cryptographic Protocol Verifier q Injective-correspondence (authentication) Every authentication_reject message received by UE must be sent by the core network q ProVerif Secrecy Authenticity Observational equivalence 19

20 Testbed Validation q Malicious enodeb setup (USRP, OpenLTE, srslte) q Malicious UE setup (USRP, srsue) q COTS smartphones q SIM cards of four major US carriers q Custom-built core network q USRP, OpenLTE, srslte, and USIM 20

21 Challenges 1 2 Preliminaries LTEInspector 3 Responsible Disclosure and Impact Conclusion Findings & Attack Validation Future Work 21

22 Findings q Uncovered 10 new attacks Attack Procedures Responsible Notable Impacts Auth Sync. Failure Attach 3GPP DoS Traceability Attach carriers Coarse-grained location tracking Numb using auth_reject Attach 3GPP, smartphones DoS Authentication relay Attach 3GPP Location spoofing Paging Channel Hijacking Paging 3GPP DoS Stealthy Kicking-off Paging 3GPP DoS, coarse-grained location tracking Panic Paging 3GPP Artificial chaos for terrorist activity Energy Depletion Paging 3GPP Battery depletion/dos Linkability Paging 3GPP Coarse-grained location tracking Targeted/Non-targeted Detach Detach 3GPP DoS q Identified 9 prior attacks: IMSI-catching, DoS, Linkability, MitM in 3G and 2G, etc. 22

23 Authentication Synchronization Failure Attack q Assumption: Ø Victim UE s IMSI Ø Malicious UE setup Malicious UE Victim UE Core Network IMSI attach_request (IMSI) attach_request (IMSI) attach_request (IMSI). attach_request (MSI) SQN UE =x SQN CN =x SQN CN ++ SQN CN ++ SQN CN ++ SQN CN UE and CN sequence numbers get desynchronized ++ 23

24 Panic Attack paging (ETWS) 24

25 Attack Chaining (Authentication Relay or Mafia Attack) Indiana Connected Authentication_response Authentication_request Attach_request NID Attach_request Authentication_request Authentication_response Authentication_re Attach_request sponse Indiana California 25

26 Challenges 1 2 Preliminaries LTEInspector Responsible Disclosure and Impact Findings & Attack Validation Future Work Conclusion 7 26

27 Responsible Disclosure and Impacts q Mobile network operators q Resolved the issue of using EEA0 (no encryption) q Other issues are in progress 27

28 Challenges 1 2 Preliminaries LTEInspector Responsible Disclosure and Impact Findings & Attack Validation Future Work Conclusion 7 28

29 Future Work UE NAS enodeb MME NAS RRC RRC RRC RRC PCCH-Message ::= SEQUENCE +-message ::= CHOICE [c1] +-c1 ::= CHOICE [paging] +-paging ::= SEQUENCE [0110] +-pagingrecordlist ::= SEQUENCE OF OPTIONAL:Omit +-systeminfomodification ::= ENUMERATED [true] OPTIONAL:Exist +-etws-indication ::= ENUMERATED [true] OPTIONAL:Exist +-noncriticalextension ::= SEQUENCE OPTIONAL:Omit 29

30 Challenges 1 2 Preliminaries LTEInspector Responsible Disclosure and Impact Findings & Attack Validation Future Work Conclusion 7 30

31 Conclusion Proposed a systematic approach for analyzing the specification Uncovered 10 new attacks and 9 prior attacks Validated most of the attacks in a testbed 31

32 Questions 32

33 LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE Syed Rafiul Hussain*, Omar Chowdhury, Shagufta Mehnaz*, Elisa Bertino* Purdue University*, University of Iowa

34 Cryptographic Protocol Verifier q Injective-correspondence (authentication) Every authentication_reject message received by UE must be sent by the core network q ProVerif Secrecy Authenticity Observational equivalence (hyper-properties) q Why not ProVerif only? Rich temporal trace properties Constraints on linear integer arithmetic 34

35 Traceability attack q Assumption: Ø Victim UE s IMSI Ø Malicious UE setup Ø secutity_mode_command attach_request. security_mode_command (MAC, nonce) security_mode_command security_mode_command attach_complete. security_mode_reject security_mode_complete 35

36 Numb Attack q Assumption: malicious enodeb setup Learn from SystemInformationBlock messages Connected authentication_reject NID tracking_area_update_request Emergency calls only

37 Background (Attach) Identification Authentication Security algorithm negotiation TMSI Exchange UE enodeb MME Connection Setup Attach Request (IMSI/IMEI, UE s Security Capabilities) Network accepts the attach Select and Security allocates Algorithm Challenge temporary (LTE: identity Security Authentication (LTE: Mode Attach Command) Request) Accept) Confirm Response Attach Security (LTE: and Authentication Algorithm new temporary (LTE: Response) Security identity(lte: Mode Attach Complete) Complete) Time Time Time 37