Understanding IMSI Privacy!

Similar documents
Mobile network security report: Ukraine

GSM security country report: Estonia

GSM security country report: Thailand

Attacking Mobile-Terminated Services in GSM

Enabler Manual Security Indicator

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

Femtocell: Femtostep to the Holy Grail

Femtocells: a Poisonous Needle in the Operator's Hay Stack

Femtocells: a Poisonous Needle in the Operator's Hay Stack

GSMK CryptoPhone Baseband Firewall Technical Briefing

Network Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

The telephone supports 2 SIM cards. All functions are available for both SIM cards and have independent settings.

Femtocells : Inexpensive devices to test UMTS security

GSM Hacking. Wireless Mobile Phone Communication 30 th January 2014 UNRESTRICTED EXTERNAL

UNIT-5. GSM System Operations (Traffic Cases) Registration, call setup, and location updating. Call setup. Interrogation phase

Effective SS7 protection ITU Workshop on SS7 Security, June 29 th 2016

Security functions in mobile communication systems

Ghost Telephonist. Link Hijack Exploitations in 4G LTE CS Fallback. Yuwei ZHENG, Lin HUANG, Qing YANG, Haoqi SHAN, Jun LI

Security of Cellular Networks: Man-in-the Middle Attacks

Ghost Telephonist. Link Hijack Exploitations in 4G LTE CS Fallback. Yuwei ZHENG, Lin HUANG, Qing YANG, Haoqi SHAN, Jun LI

LTE Security How Good Is It?

LTE Network Automation under Threat

Mobile Security Fall 2013

Experimental Analysis of the Femtocell Location Verification Techniques

Threat patterns in GSM system. Basic threat patterns:

Semi-Active GSM Monitoring System SCL-5020SE

The Case for Secure Communications

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

Femtocells: a Poisonous Needle in the Operator's Hay Stack

Advanced Security for Systems Engineering VO 10: Mobile Applications

GSM Interception IMSI Catcher and Voice Interception

Mobile Network A9ack Evolu=on

Contents. GSM and UMTS Security. Cellular Radio Network Architecture. Introduction to Mobile Telecommunications

INSTITUTO DE MATEMÁTICA E ESTATÍSTICA UNIVERSIDADE DE SÃO PAULO. GSM Security. MAC Computação Móvel

The Cellular Interceptor CC2800 Series

GSM Open-source intelligence

City Research Online. Permanent City Research Online URL:

New Privacy Issues in Mobile Telephony: Fix and Verification

10 Call Set-up. Objectives After this chapter the student will: be able to describe the activities in the network during a call set-up.

Mobile Security Fall 2013

Cellular Phone Control System for Prisons and Corrective Services Facilities

Design of a Routing Mechanism to Provide Multiple Mobile Network Service on a Single SIM Card Boobalan. P, Krishna. P, Udhayakumar. P, Santhosh.

IMSI/IMEI Catching & Localization System. (IMSI/IMEI Catcher + Direction Finder)

How to hack your way out of home detention!

Wireless Security Security problems in Wireless Networks

MDM Android Client x - User Guide 7P Mobile Device Management. Doc.Rel: 1.0/

Wireless and Mobile Network Investigation

Analysis of privacy in mobile telephony systems

EUROPEAN ETS TELECOMMUNICATION November 1996 STANDARD

Cell Catcher CC1900 3G Target Identifier + IMSI Catcher + Phone Tracking

Privacy through Pseudonymity in Mobile Telephony Systems

Securing SMS of a GSM Network Message Center Using Asymmetric Encryption Technique Algorithm.

Pertemuan 7 GSM Network. DAHLAN ABDULLAH

ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS

Chapter 6. Stream Cipher Design

Communication Networks 2 Signaling 2 (Mobile)

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

GPRS Intercept: Wardriving your country. Karsten Nohl, Luca Melette,

Questioning the Feasibility of UMTS GSM Interworking Attacks

Configuring Google Cloud Messaging Service for Android Devices

REFERENCE OFFER FOR DIRECT WHOLESALE ROAMING ACCESS

Copyright

Open Mobile API The enabler of Mobile ID solutions. Alexander Summerer, Giesecke & Devrient 30th Oct. 2014

Long Term Evolution (LTE) / Fifth Generation (5G) mobile networks for military use

Black Hat Europe 2009

Practical Operator Considerations Cellular Analog Cellular Rogue Base Station Tumbling Cloning

Cellular Communication

IOT CONNECTIVITY DISRUPTED. powred by

Request for Comments: Cisco Systems January 2006

FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

HOLISTIC COMMUNICATIONS SECURITY

SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS

Basics of GSM in depth

Mobility and Security Management in the GSM System

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Pegasus NetGuard Mobile Phone Counter Surveillance Systems

Telecoms: Generational Evolution of Attack Surfaces. HITB Beijing 2018

GSM Security Overview

GPRS Security for Smart Meters

What is Eavedropping?

C1: Define Security Requirements

ETSI TS V8.0.0 ( )

GSME proposals regarding mobile theft and IMEI security

Mobile Security Fall 2014

Guess Who s Texting You?

Mavenir Keynote. Think Smarter Secure communication Innovate Services. By Mohamed Issa Regional Head of Africa Sales

The Scenes of Cyber Crime

GSMA Security Group Update

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

MOBILE THREAT LANDSCAPE. February 2018

TLS connection management & application support. Giuseppe Bianchi

3GPP TS V9.4.0 ( )

GSM security. Christian Kröger. University of Twente P.O. Box 217, 7500AE Enschede The Netherlands

Chapter 3 GSM and Similar Architectures

Short Message Service (SMS)

IOT CONNECTIVITY DISRUPTED

Recommendations for Device Provisioning Security

OpenBTS Overview. مهند مصطفى أشرير

ETSI TS V (201

(Geo)Location, Location, Location.!! Matt Blaze University of Pennsylvania

Transcription:

Understanding IMSI Privacy Ravishankar Borgaonkar TU Berlin Swapnil Udar Aalto University Email: darshak@sec.t-labs.tu-berlin.de Blackhat USA 2014, Las Vegas, 7 th August 2014

Overview Unresolved Privacy Issues ( IMSI catchers and Silent SMS ) Darshak- Privacy framework Use-cases and demos Future work 2

Unresolved Privacy Issues 3

Mobile Security Status Efforts from OS providers, Manufacturers, network operators Efforts from researchers, startup companies Devices are good but cellular network secure??? Still all fail when Targeted Attacks What is Targeted Attacks and who does it? IMSI catchers Illegal entities? Methods of doing? 4

Targeted Attacks IMSI catcher or compromising phone IMSI catchers Often used Exploits cellular weaknesses Location and interception Pegasus Compromising with OTA update SIM toolkit? Like ANT Sources: product manuals 5

Unsolved Security Questions Your last call was encrypted/authenticated? Is someone tracking you?? No app for that Can someone listen to your calls/sms? Besides legal entities Last call/sms was encrypted? Are you a victim of IMSI catcher attack? Is your mobile handset and operator using up-to-date encryption standards? 6

More ecosystem problems 3GPP standard for mobile handset features No API for Android, ios, Windows, BB - See issue* 5353: Ciphering Indicator (Android) Flatrate calling/data/sms rates - you getting free calls? Source:wikipedia * https://code.google.com/p/android/issues/detail?id=5353 7

Darshak Framework Motivation Research platform to collect GSM & 3G security relevant data Easy to use cellular network security indicator 8

Darshak* Framework Display (in) security capabilities of your cellular network operator Android based framework Detection Notification Intelligence Collection Security features GSM and 3G networks Captures silent sms and notifies user Alerts when operator not doing encryption? Displays suspicious activities * In ancient Indian language, Darshak means indicator 9

Technical Details Running on Intel baseband devices Samsung S3, S2 Primarily based on Xgoldmon idea Thanks to GSMMAP Device needs to be rooted Notifies sender's number - Silent SMS Classify security capabilities of 2G/3G networks A5/0, A5/1,A5/3, (useful while roaming) Current TMSI after every event Displays authentication tokens (RAND, AUTN) 10

Methodology 11

GSM background 12

GSM Security Issues No Mutual Authentication Fake base station / MiTM Weak algorithms A5/2 broken, A5/1 weak MS GSM : BTS BTS decides encryption Downgrading attacks 13

GSM Security Issues Plaintext over-the-air IMSI & TMSI No authentication IMEI is not authenticated MS GSM : BTS Local regulations No upgrade, weak algorithms 14

GSM badly broken Proven experimentally by various researchers Has it fixed and upgraded by your operator as per GSMA guidelines? Authentication Mobile originated mostly performed Mobile terminated not often Encryption - A5/1 vs A5/3 vs A5/0 Threat model is not your government (lawful interception) but other illegal entities 15

Use-cases and Demos 16

GSM and 3G security indicators Invokes at every incoming and outgoing radio event interception attack 17

3G security indicators 18

Detecting silent SMS Type 0 messages Standard says mobiles must acknowledge receipt but may discard contents Mobiles do not display any notification to end users Useful for police or other illegal agencies HushSMS tool from @c0rnholio 19

Detecting silent SMS Demo HushSMS allows Ping 3 (0-byte WAP Push) Ping 4 (Emtpy MMSN) Detects, alerts with a notification Option to turn on airplane mode (not useful until you control the baseband) 20

IMSI Catcher Detection Finding parameters to detect Need lots of data from different operators LAC or Cell id not enough scanning first jamming downgrading 21

Finding parameters System Information Type 3 messages - Layer 3 messages about GSM system configuration 22

Finding parameters Control Channel Description MSCR: shows current GSM network version 0 MSCR release version 98 or older 1- MSC release version 99 or newer O2 Vodafone Play BSNL Idea DataTelekom from various operators and openbts MSCR OpenBTS Network '99 onwards '99 onwa rds '99 onwards '98 or older '99 '99 onward onward s s '98 or older 23

Finding parameters Radio Link Timeout Counter value to judge downlink failure Counter decrease when there is error When 0 radio link failure Telekom O2 Data64 from MSCR Vodafone Play Network BSNL Idea various operators 24 64 64 and openbts 20 40 OpenBTS 64 24

Finding parameters PWRC - power control indicator Data from various operators and openbts MSCR Telekom O2 Vodafone Play Network BSNL Idea OpenBTS Flase False True False True Flase False 25

Building a profile Tool collects such parameters Very seldom change (no change in a week) Build a profile per location : office-work-city Work in progress 26

Future work Source code will be released (without IMSI catcher) Support to other possible devices Data upload functionality (anonymous data) Building more profiles for IMSI catcher detection Collecting and sharing data 27

Thank you 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback