New Privacy Issues in Mobile Telephony: Fix and Verification

Transcription

1 New Privacy Issues in Mobile Telephony: Fix and Verification Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Kevin Redon, Nico Golde, Ravi Borgaonkar CCS 2012, Raleigh, NC October 2012

2 In my bag 20 years ago M. Arapinis, L. Mancini, E. Ritter, M. Ryan, K. Redon, N. Golde, R. Borgaonkar New Privacy Issues in Mobile Telephony

3 In my bag today

4 Privacy Threats Wireless communications Always on and emitting their identity Answer without the agreement of their bearers

5 Privacy Threats Big brother Governments, national authorities (e.g., police) Middle brother Corporations and service providers, such as Google, Verizon, your ISP, your bank Little brother your neighbour, family, manager, colleague

6 Imagine an iphone app that locate any user!!! not just your Facebook or foursquare friends that have consented, but any user that you choose useful for stalkers, private investigators, ex-lovers, grudge-bearers, loan sharks.

7 Privacy and the UMTS standard

8 Privacy in the UMTS standard UMTS provides user untraceability from third parties UMTS specification [3GPP TS V9.3.0 ( )] An intruder cannot deduce whether different services are delivered to the same user. the user is identified by a temporary identity (TMSI) which should be periodically updated.

9 TMSI reallocation IMSI is the long-term identity stored on the SIM card TMSI is a short-term identity, that is reallocated periodically, particularly on change of location New TMSI should not be linkable with old one

10 Outline 1 Attacks 2 Mounting the attack in practice (Implementation) 3 Fixes 4 Formal Verification

11 Privacy Attacks Attacked property: Unlinkability Attacked protocol: Authentication and Key Agreement (AKA)

12 Privacy Attacks Attacked protocol: Authentication and Key Agreement (AKA) Initiated by the Network to mutually authenticate with a mobile station Based on a shared long term key K IMSI stored on the SIM card Allows Network and mobile station to establish shared session keys for encryption and integrity protection

13 Authentication and Key Agreement (AKA) Protocol K IMSI,IMSI,SQN MS AUTH_REQ, RAND, AUTN K IMSI,IMSI,SQN N new RAND AK f5 KIMSI (RAND) MAC f1 KIMSI (SQN N RAND) AUTN (SQN N AK ) MAC AK f5 KIMSI (RAND) XMSG XMAC AUTN XSQN XMSG AK MAC f1 KIMSI (XSQN RAND) if MAC XMAC then RES MAC_FAIL elseif XSQN < SQN MS then RES SYNCH_FAIL else RES f2 KIMSI (RAND) AUTH_RES, RES CK f3 K (RAND) IK f4 K (RAND) if RES = f2 KIMSI (RAND) then CK f3 KIMSI (RAND) IK f4 KIMSI (RAND) else Recover

14 AKA Protocol Attack K IMSI,SQN MS K IMSI,SQN N AUTH_REQ, RAND, AUTN

15 AKA Protocol Attack K IMSI,SQN MS RAND, AUTN K IMSI,SQN N AUTH_REQ, RAND, AUTN

16 AKA Protocol Attack K IMSI,SQN MS RAND, AUTN K IMSI,SQN N AUTH_REQ, RAND, AUTN AUTH_RES, RES

17 AKA Protocol Attack K IMSI,SQN MS RAND, AUTN K IMSI,SQN N AUTH_REQ, RAND, AUTN AUTH_RES, RES AUTH_REQ, RAND, AUTN

18 AKA Protocol Attack K IMSI,SQN MS RAND, AUTN K IMSI,SQN N AUTH_REQ, RAND, AUTN AUTH_RES, RES AUTH_REQ, RAND, AUTN AUTH_FAIL, SYNCH FAIL if RES=SYNCH_FAIL RES = f2 KIMSI (RAND) then I know this MS!

19 AKA Protocol Attack K IMSI,SQN MS RAND, AUTN K IMSI,SQN N AUTH_REQ, RAND, AUTN AUTH_RES, RES AUTH_REQ, RAND, AUTN AUTH_FAIL, SYNCH FAIL AUTH_REQ, RAND, AUTN if RES=SYNCH_FAIL RES = f2 KIMSI (RAND) then I know this MS!

20 AKA Protocol Attack K IMSI,SQN MS RAND, AUTN K IMSI,SQN N AUTH_REQ, RAND, AUTN AUTH_RES, RES AUTH_REQ, RAND, AUTN AUTH_FAIL, SYNCH FAIL AUTH_REQ, RAND, AUTN if RES=SYNCH_FAIL RES = f2 KIMSI (RAND) then I know this MS! AUTH_FAIL, MAC_FAIL if RES=MAC_FAIL then this is another MS

21 Mounting the attacks in Practice

22 Implementation: Femtocell Architecture Use a commercial femtocell MS attaches to the femtocell as to a normal BS The femtocell accesses the UMTS Control Network through the GANC gateway

23 Implementation: Compromising the femtocell Results: Hence: New firmware loaded GANC address set to point to a MitM GAN Proxy Traffic is redirected to a proxy acting as a MitM between the femtocell and the Network Messages to/from femtocell can be manipulated, injected, created Can perform all the attacks

24 Fixes

25 Solution 1 You have zero privacy anyway. Get over it. Scott McNealy, CEO Sun Microsystems, 1999

26 Solution 2 If you have something that you don t want anyone to know, maybe you shouldn t be doing it in the first place. Eric Schmidt, CEO Google, 2009

27 Solution 3 Encrypt privacy sensitive messages using randomized asymmetric encryption. Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Kevin Redon, Nico Golde, Ravi Borgaonkar

28 Solution 3: Privacy Friendly Fixes Building blocks Light-weight PKI Network Operators have public/private key pairs Home network public key can be stored in the SIM No PKI needed on the MS side Encryption of privacy sensitive information Undistinguishable error messages

29 Authentication Procedure Fix K IMSI,IMSI,SQN MS K IMSI,IMSI,SQN N AUTH_REQ, RAND, AUTN newrand AK f5 KIMSI (RAND) MAC f1 KIMSI (SQN N RAND) AUTN (SQN N AK ) MAC AK f5 KIMSI (RAND) XMSG XMAC AUTN XSQN XMSG AK MAC f1 KIMSI (XSQN RAND) if MAC XMAC or XSQN < SQN MS then new rand UK f KIMSI (rand) RES AUTH_FAIL,{FAIL, IMSI, rand, {synch, SQN MS } r UK }r pbn else RES f2 KIMSI (RAND) AUTH_RES, RES CK f3 K (RAND) IK f4 K (RAND) if RES = f2 KIMSI (RAND) then CK f3 KIMSI (RAND) IK f4 KIMSI (RAND) else if RES = AUTH_FAIL, x then Recover

30 Authentication Procedure Fix K IMSI,IMSI,SQN MS K IMSI,IMSI,SQN N AUTH_REQ, RAND, AUTN newrand AK f5 KIMSI (RAND) MAC f1 KIMSI (SQN N RAND) AUTN (SQN N AK ) MAC AK f5 KIMSI (RAND) XMSG XMAC AUTN XSQN XMSG AK MAC f1 KIMSI (XSQN RAND) if MAC XMAC or XSQN < SQN MS then new rand UK f KIMSI (rand) RES AUTH_FAIL,{FAIL, IMSI, rand, {synch, SQN MS } r UK }r pbn else RES f2 KIMSI (RAND) AUTH_RES, RES CK f3 K (RAND) IK f4 K (RAND) if RES = f2 KIMSI (RAND) then CK f3 KIMSI (RAND) IK f4 KIMSI (RAND) else if RES = AUTH_FAIL, x then Recover

31 Authentication Procedure Fix K IMSI,IMSI,SQN MS K IMSI,IMSI,SQN N AUTH_REQ, RAND, AUTN newrand AK f5 KIMSI (RAND) MAC f1 KIMSI (SQN N RAND) AUTN (SQN N AK ) MAC AK f5 KIMSI (RAND) XMSG XMAC AUTN XSQN XMSG AK MAC f1 KIMSI (XSQN RAND) if MAC XMAC or XSQN < SQN MS then new rand UK f KIMSI (rand) RES AUTH_FAIL,{FAIL, IMSI, rand, {synch, SQN MS } r UK }r pbn else RES f2 KIMSI (RAND) AUTH_RES, RES CK f3 K (RAND) IK f4 K (RAND) if RES = f2 KIMSI (RAND) then CK f3 KIMSI (RAND) IK f4 KIMSI (RAND) else if RES = AUTH_FAIL, x then Recover

32 Formal Verification

33 Unlinkability From 3GPP TS : The property that an intruder cannot deduce whether different services are delivered to the same user by eavesdropping on the radio access link Formally: Unlinkability [Arapinis, Chothia, Ritter, Ryan]

34 Unlinkability From 3GPP TS : The property that an intruder cannot deduce whether different services are delivered to the same user by eavesdropping on the radio access link Formally: Unlinkability [Arapinis, Chothia, Ritter, Ryan]!(νimsi.νk.!(νsqn.MS main ) SN)!(νimsi.νk.νsqn.MS main SN)

35 Anonymity From 3GPP TS : The property that the permanent user identity of a user to whom a service is delivered cannot be eavesdropped on the radio access link. Formally: Anonymity [Arapinis, Chothia, Ritter, Ryan]

36 Anonymity From 3GPP TS : The property that the permanent user identity of a user to whom a service is delivered cannot be eavesdropped on the radio access link. Formally: Anonymity [Arapinis, Chothia, Ritter, Ryan] (νk.νsqn.ms main { w / imsi } SN)!(νimsi.νk.!(νsqn.MS main ) SN)!(νimsi.νk.!(νsqn.MS main ) SN)

37 Automatic Verification Tool: Proverif Cons: - Abstractions - False Attacks - Requires symmetric process structure Pros: + Automatic verification of observational equivalence (Strong version) + Soundness (No false proofs) + Counter examples (attack traces) are provided

38 Automatic Verification Results UMTS Procedures Properties Identification Paging AKA Unlinkability Anonymity Fixed Procedures Properties Identification Paging AKA Unlinkability Anonymity Secrecy IMSI K NA CK, IK NA NA confidential NA NA information Authentication NA NA Integrity NA NA

39 Conclusions In summary: Mobile systems do not provide sufficient users privacy guaranties: AKA attack/imsi Paging Procedure Attack Active attacks should be considered Implementation Privacy friendly procedure can be designed Light-weight PKI Fixes: AKA Protocol, IMSI Paging Procedure, Identification Procedure High confidence can be given through automatic verification Unlinkability and Anonymity Verification using ProVerif

40 Thank You!