Lessons learned from 2G,3G,4G what we need to fix in 5G ETSI Security Week G Security Adrian Dabrowski

Transcription

1 Lessons learned from 2G,3G,4G what we need to fix in 5G ETSI Security Week G Security Adrian Co-Authors: David Rupprecht, Thorsten Holz, Edgar Weippl, Christina Pöpper

2 What are the lessons from the past? What is the future of mobile network security research?

3

4 Numerous publicaions towards individual quesions. We need the big picture to shape future research!

5 Numerous publicaions towards individual quesions. We need the big picture to shape future research!

6 Systematization Methodology How to get the big picture?

7 Methodology Literatur e Defenses Defense Characteristi cs Security Requirement s Aims s Flaws s Root s Challenges, Research Questions Characteristi cs 7

8 Security Requirements and Aims Security Requirement Security Requirement s s Literat Literat ure ure Aims Aims Defenses Defenses Flaws Flaws Defense Characteristics Defense Characteristics Root Root Challenges, Challenges, Research Research Questions Questions Characteristics Characteristics Security requirements for the system Each attack aim challenges a security requirement Aims: s on Privacy s on Secrecy Denial of Service s on Integrity Fraud s 8

9 s, Characteristics and Flaws Security Requirement Security Requirement s s Literat Literat ure ure Aims Aims Defenses Defenses Flaws Flaws Defense Characteristics Defense Characteristics Root Root Challenges, Challenges, Research Research Questions Questions Characteristics Characteristics s the act of assailing the system with a deinite attack aim. An attack exploits on distinct law of the system Impact analyses based on attack characteristics Target Technology (2G/3G/4G) er capabilities SS7 9

10 Defenses and Defense Characteristics Security Requirement Security Requirement s s Literat Literat ure ure Aims Aims Defenses Defenses Flaws Flaws Defense Characteristics Defense Characteristics Root Root Challenges, Challenges, Research Research Questions Questions Characteristics Characteristics Impact and feasibility of defenses Defense Characteristics Type of Defense Detection or Mitigation Realization Method Speciication or Research Status Vague Proposal or Evaluated Proposal 10

11 s and Root s Literat Literat ure ure Defenses Defenses Defense Characteristics Defense Characteristics Security Requirement Security Requirement s s Aims Aims Flaws Flaws Root Root Challenges, Challenges, Research Research Questions Questions Characteristics Characteristics From the concrete to the abstract Flaws that have similar technical are grouped by a common cause Root causes are the underlying reason for certain cause 11

12 Research Questions and Challenges Security Requirement Security Requirement s s Literat Literat ure ure Aims Aims Defenses Defenses Flaws Flaws Defense Characteristics Defense Characteristics Root Root Challenges, Challenges, Research Research Questions Questions Characteristics Characteristics Research Questions Shortcomings of existing work Shortcomings of new technologies Challenges of a cause s Flaws Defense s Challenges and Research Questions 12

13 Assessment Root Challenges and Research Questions Challenges and Research Questions Challenges and Research Questions

14 Scope 14

15 Systematization The big picture!

16

17

18 Root s Issue Speciication Issue Wireless Channel Protocol Context Discrepancy 18

19 Overview Issue Speciication Issue Wireless Channel Protocol Context Discrepancy Insecure Leaky Unsecured Preauthentication Traic Non-Existing Mutual Authentication Weak Crypto Insecure Internetwork Protocols Resource Usage Asymmetry Wireless Channel Cross-Layer Information Loss Routing Coniguration Accounting Policy Inconsistency

20 Issue

21 Issue Deinition Mistakes in the implementation Deviations from the speciication Issue Insecure Leaky s Insecure Leaky 21

22 Insecure Example: Baseband exploits Others: SMS of Death, ASN.1 decoder heap, Crypto State Machine Aim: Integrity, Secrecy Issue Insecure Leaky 22

23 Defenses Intermediate defenses Filtering SMS for SMS attacks Detection of vulnerabilities: Issue Insecure Leaky Automated detecion Manual detecion Test Cases Test Cases Reverse Engineering CMP r0, r1 ADDGE r2, r2, r3 ADDLT r2, r2, r4 23

24 Challenges Detection of vulnerabilities Existing testing frameworks focus on one particular type of law and do not exhaust all laws Manual detection for memory bugs Automated testing of baseband is not recommend Reliable detection of vulnerabilities is needed Decoding function of messages and protocol state machine Research Scope: mobile phone vs. mobile network Issue Insecure Leaky 24

25 Challenges of countermeasures Classical system security Memory safe languages ASLR (Address Space Layout Randomization) CFI (Control Flow Integrity) Hard to realize Closed basebands Real-time capability Issue Insecure Leaky 25

26 Speciication Issue

27 Speciication Issue Deinition Security implications in speciication Protocols and state machines s Unsecured pre-authentication traic Non-existing mutual authentication Weak Cryptography Insecure Inter-network protocols Resource Usage asymmetry Speciication Issue Unsecured Preauthentication Traic Non-Existing Mutual Authentication Weak Crypto Insecure Internetwork Protocols Resource Usage Asymmetry 27

28 Unsecured Pre-authentication Traic Speciication Issue Example: Downgrade s and IMSI Request Unsecured Preauthentication Traic Non-Existing Mutual Authentication Weak Crypto Insecure Internetwork Protocols Resource Usage Asymmetry The phone cannot verify the authenticity of the network before authentication and key agreement run 28

29 Unsecured Pre-authentication Traic Speciication Issue Detection Mapping and probing Behavioral analysis Baseband irewall Mitigations: Proposal for specialized protocol changes for certain attacks ephemeral Identiiers (e.g., P-IMSI) PKI TESLA Unsecured Preauthentication Traic Non-Existing Mutual Authentication Weak Crypto Insecure Internetwork Protocols Resource Usage Asymmetry 30

30 Challenges How to secure the pre-authentication traic? Shortcoming: speciic protocol changes No sustainable solution for all attacks vectors (some messages are needed) We are keeping inding new excessive functionality that actually should be authenticated Shouldn t we look for a generic solution? Encrypt also the broadcast traic? Speciication Issue Unsecured Preauthentication Traic Non-Existing Mutual Authentication Weak Crypto Insecure Internetwork Protocols Resource Usage Asymmetry 31

31 Challenges How to secure the pre-authentication traic? Concrete Challenge: General solution to secure pre-authentication traic: What exactly should be secured: Protect pre-authentication traic towards the phone! Optional pre-authentication traic towards the network? Suggestion: PKI and TELSA Certain constraints Speciication Issue Unsecured Preauthentication Traic Non-Existing Mutual Authentication Weak Crypto Insecure Internetwork Protocols Resource Usage Asymmetry Limited bandwidth (specs such as NB LTE?) => And on which layers? Resource constrained devices Focus on availability 32

32 Ressource Usage Asymmetry : An cheap operation on one side triggers an expensive operation on the other. e.g., HLR updates, resource allocation Mostly used for DoS s, resource exhaustion Challenges: Prove of commitment protocols e.g., prove of work such as Merkle puzzles,... Speciication Issue Unsecured Preauthentication Traic Non-Existing Mutual Authentication Weak Crypto Insecure Internetwork Protocols Resource Usage Asymmetry 33

33 Protocol Context Discrepancy

34 Protocol Context Discrepancy Deinition Telcos impose (legacy) billing methods on IP data that was never meant for that purpose Translation between IP data identity, the radio layer identity and service billing identity. Protocol Context Discrepancy Cross-Layer Information Loss Routing Coniguration Accounting Policy Inconsistency s Cross-Layer Information Loss Routing Coniguration Accounting Policy Inconsistency 41

35 Cross-Layer Information Loss Example: IMS based SMS spooing Several options IMS proves identity based on SIM with AKA protocol Transport layer security (ipsec) provides no protection against data manipulation on the client E.g., spooing SIP headers Changing caller-ids Protocol Mobile Network Context Discrepancy Cross-Layer Information Loss Routing Coniguration Accounting Policy Inconsistency Additional problems: RTP-streams do not pass IMS 42

36 Conclusion The big picture!

37 Conclusion Issue Speciication Issue Wireless Channel Protocol Context Discrepancy Insecure Leaky Unsecured Preauthentication Traic Non-Existing Mutual Authentication Weak Crypto Insecure Internetwork Protocols Resource Usage Asymmetry Wireless Channel Cross-Layer Information Loss Routing Coniguration Accounting Policy Inconsistency

38 Thank You! Questions?

39 Contacts Adrian David Rupprecht 46

40 47