Privacy through Pseudonymity in Mobile Telephony Systems

Size: px

Start display at page:

Download "Privacy through Pseudonymity in Mobile Telephony Systems"

Lesley Norris
6 years ago
Views:

1 Privacy through Pseudonymity in Mobile Telephony Systems Myrto Arapinis 1 Loretta Mancini 2 Eike Ritter 2 Mark Ryan 2 1 School of Informatics, University of Edinburgh 2 School of Computer Science, University of Birmingham NDSS / 24

2 Context 2 / 24

3 Law enforcement agencies track individuals 3 / 24

4 But also... private detectives, jealous partners, abusive bosses, nosy neighbors,... 4 / 24

5 But also... private detectives, jealous partners, abusive bosses, nosy neighbors,... retailers, shopping malls, airports, railway stations, museums, public areas,... 4 / 24

6 Privacy and the GSM/UMTS standards 5 / 24

7 Privacy is an explicit goal of GSM/UMTS GSM/UMTS aim at providing user untraceability from third parties GSM/UMTS specification ( )] [3GPP TS V9.3.0 An intruder cannot deduce whether different services are delivered to the same user. the user is identified by a pseudonym/temporary identity (TMSI) which should be periodically updated. 6 / 24

8 TMSI reallocation in the GSM/UMTS standards Initiated by the MS to update its location MS unique identity stored in the SIM card: IMSI The network assigns a temporary identity TMSI A new TMSI should be assigned at each change of location 7 / 24

9 TMSI reallocation in the GSM/UMTS standards Initiated by the MS to update its location MS unique identity stored in the SIM card: IMSI The network assigns a temporary identity TMSI A new TMSI should be assigned at each change of location 7 / 24

10 Analysis of TMSI reallocation 8 / 24

11 TMSI reallocation procedure 9 / 24

12 Our focus: correct usage of TMSIs Does TMSI reallocation really achieve privacy? 10 / 24

13 Our focus: correct usage of TMSIs Does TMSI reallocation really achieve privacy? What does periodically mean? 10 / 24

14 Our focus: correct usage of TMSIs Does TMSI reallocation really achieve privacy? What does periodically mean? Is a new TMSI assigned at each change of location as the standard specifies? 10 / 24

15 Our focus: correct usage of TMSIs Does TMSI reallocation really achieve privacy? What does periodically mean? Is a new TMSI assigned at each change of location as the standard specifies? Are session keys reused? 10 / 24

16 Experimental setup 11 / 24

use wireshark to analyse the communication OsmocomBB osmocon layer1 phone

17 Experimental setup Osmocom-BB project implements GSM mobile station controlled by host Radio communication executed via flashed firmware on mobile phone Can use wireshark to analyse the communication OsmocomBB osmocon layer1 phone Layer2/3 mobile wireshark ccch_scan layer1 network bcch_scan cbch_sniff cell_log 12 / 24

18 TMSI reallocation procedure rarely executed same TMSI allocated for hours and even days, independently of MS activity Observed for major operators in UK, France, Italy and Greece 13 / 24

Change of location without TMSI reallocation Change of location area does not imply a change of TMSI Example: couch journey between different cities in the UK First

19 Change of location without TMSI reallocation Change of location area does not imply a change of TMSI Example: couch journey between different cities in the UK First new TMSI assigned after about 45 min (53km) Second new TMSI assigned after about 60 min (70km) However: location update procedure performed every 5 min (3km) 14 / 24

20 Reuse of previous ciphering keys Previously established keys are reused for TMSI reallocation Observed for major UK and Italian network operators 15 / 24

21 Reuse of previous ciphering keys Previously established keys are reused for TMSI reallocation Observed for major UK and Italian network operators Gives rise to replay attack 15 / 24

22 Replay attack and fix 16 / 24

23 TMSI reallocation replay attack (1) 17 / 24

24 TMSI reallocation replay attack (2) 18 / 24

25 Fix for replay attack 19 / 24

26 Unlinkability UMTS specification [3GPP TS V9.3.0 ( )] An intruder cannot deduce whether different services are delivered to the same user. An attacker cannot distinguish two scenarios 20 / 24

27 Fixed TMSI reallocation satisfies unlinkability Formal model of fixed TMSI reallocation procedure in the applied pi calculus Formal proof of unlinkability νdck.(!(init MS)!SN) νdck.(!(init!ms)!sn) Proof works by constructing suitable bisimulation Key point: multiple sessions of same mobile phone can be simulated by multiple phones executing one session each 21 / 24

28 Conclusion 22 / 24

29 Summary of our results What does periodically mean? Is a new TMSI assigned at each change of location as the standard specifies? Are session keys reused? 1 23 / 24

30 Summary of our results What does periodically mean? locate a victim by paging it 1 RARELY Is a new TMSI assigned at each change of location as the standard specifies? Are session keys reused? 1 D. F. Kune et al. Location leaks over the GSM air interface, NDSS, K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, / 24

31 Summary of our results What does periodically mean? locate a victim by paging it 1 TMSI reallocation should be activity dependent RARELY Is a new TMSI assigned at each change of location as the standard specifies? Are session keys reused? 1 D. F. Kune et al. Location leaks over the GSM air interface, NDSS, K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, / 24

32 Summary of our results What does periodically mean? locate a victim by paging it 1 TMSI reallocation should be activity dependent RARELY Is a new TMSI assigned at each change of location as the standard specifies? tracking across different locations by passively sniffing NO Are session keys reused? 1 D. F. Kune et al. Location leaks over the GSM air interface, NDSS, K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, / 24

33 Summary of our results What does periodically mean? locate a victim by paging it 1 TMSI reallocation should be activity dependent RARELY Is a new TMSI assigned at each change of location as the standard specifies? NO tracking across different locations by passively sniffing TMSI reallocation should be executed at each change of location Are session keys reused? 1 D. F. Kune et al. Location leaks over the GSM air interface, NDSS, K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, / 24

34 Summary of our results What does periodically mean? locate a victim by paging it 1 TMSI reallocation should be activity dependent RARELY Is a new TMSI assigned at each change of location as the standard specifies? NO tracking across different locations by passively sniffing TMSI reallocation should be executed at each change of location Are session keys reused? replay attacks allowing phone tracking YES 1 D. F. Kune et al. Location leaks over the GSM air interface, NDSS, K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, / 24

35 Summary of our results What does periodically mean? locate a victim by paging it 1 TMSI reallocation should be activity dependent RARELY Is a new TMSI assigned at each change of location as the standard specifies? NO tracking across different locations by passively sniffing TMSI reallocation should be executed at each change of location Are session keys reused? YES replay attacks allowing phone tracking replay attacks can be avoided using a simple counter, or by forbidding the reuse of session keys 1 D. F. Kune et al. Location leaks over the GSM air interface, NDSS, K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, / 24

36 Thank you! 24 / 24

Analysis of privacy in mobile telephony systems

Int. J. Inf. Secur. (2017) 16:491 523 DOI 10.1007/s10207-016-0338-9 REGULAR CONTRIBUTION Analysis of privacy in mobile telephony systems Myrto Arapinis 1 Loretta Ilaria Mancini 2 Eike Ritter 2 Mark Dermot