Mobile network security report: Ukraine

Similar documents
GSM security country report: Estonia

GSM security country report: Thailand

Understanding IMSI Privacy!

Effective SS7 protection ITU Workshop on SS7 Security, June 29 th 2016

Ghost Telephonist. Link Hijack Exploitations in 4G LTE CS Fallback. Yuwei ZHENG, Lin HUANG, Qing YANG, Haoqi SHAN, Jun LI

Ghost Telephonist. Link Hijack Exploitations in 4G LTE CS Fallback. Yuwei ZHENG, Lin HUANG, Qing YANG, Haoqi SHAN, Jun LI

Mobile Security Fall 2013

Attacking Mobile-Terminated Services in GSM

Mobile Network A9ack Evolu=on

GPRS Intercept: Wardriving your country. Karsten Nohl, Luca Melette,

Questioning the Feasibility of UMTS GSM Interworking Attacks

Frequently Asked Questions WPA2 Vulnerability (KRACK)

LTE Network Automation under Threat

10 Call Set-up. Objectives After this chapter the student will: be able to describe the activities in the network during a call set-up.

ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS

2 Overview of existing cipher mode setting procedure

Pluggable Transports Roadmap

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

The telephone supports 2 SIM cards. All functions are available for both SIM cards and have independent settings.

Wireless Attacks and Countermeasures

1-7 Attacks on Cryptosystems

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

INSTITUTO DE MATEMÁTICA E ESTATÍSTICA UNIVERSIDADE DE SÃO PAULO. GSM Security. MAC Computação Móvel

Copyright

Cryptanalysis. Ed Crowley

Cryptography ThreeB. Ed Crowley. Fall 08

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Trojans in SS7 - how they bypass all security measures

Experimental Analysis of the Femtocell Location Verification Techniques

1.264 Lecture 26. Security protocols. Next class: Anderson chapter 4. Exercise due before class

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

La Science du Secret sans Secrets

Modern IP Communication bears risks

Mobile Security Fall 2013

GSM Open-source intelligence

Exam Advanced Network Security

GSM Security Overview

GSM Interception IMSI Catcher and Voice Interception

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

Achieving End-to-End Security in the Internet of Things (IoT)

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Symantec Ransomware Protection

Security functions in mobile communication systems

SECURE SHORT MESSAGE PEER-TO-PEER PROTOCOL

Security of Cellular Networks: Man-in-the Middle Attacks

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

MOBILE NETWORK SECURITY

Network Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Integrated Access Management Solutions. Access Televentures

Network Access Control and VoIP. Ben Hostetler Senior Information Security Advisor

Chapter 3 GSM and Similar Architectures

GSM Hacking. Wireless Mobile Phone Communication 30 th January 2014 UNRESTRICTED EXTERNAL

Contents. GSM and UMTS Security. Cellular Radio Network Architecture. Introduction to Mobile Telecommunications

Femtocell: Femtostep to the Holy Grail

Moving Forward on MEID. March, Contacts Bill Dahnke, David Crowe A RCA Webinar

Request for Comments: K. Norrman Ericsson June 2006

CSE 127: Computer Security Cryptography. Kirill Levchenko

THREATS TO PACKET CORE SECURITY OF 4G NETWORK

Wireless LAN Security (RM12/2002)

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

CONTENTS. Subscriber denial of service...9 Causes of vulnerabilities Recommendations for protection Conclusion... 13

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

Femtocells: a Poisonous Needle in the Operator's Hay Stack

Chapter 13 Location Privacy

SOCIAL NETWORKING IN TODAY S BUSINESS WORLD

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Black Hat Europe 2009

Threat patterns in GSM system. Basic threat patterns:

NS-AKA: An Improved and Efficient AKA Protocol for 3G (UMTS) Networks

Machine Learning for 5G Self Organized Network

Recommendations for Device Provisioning Security

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

EFFECTIVE DEFENCE In a connected world. Philippe COTELLE, Airbus Defence and Space 2016, Nov 4th

Taking Over Telecom Networks

Femtocells: a Poisonous Needle in the Operator's Hay Stack

Advanced Security for Systems Engineering VO 10: Mobile Applications

Semi-Active GSM Monitoring System SCL-5020SE

Analysis of privacy in mobile telephony systems

Lure10: Exploiting Windows Automatic Wireless Association Algorithm

Wireless Network Security

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

A Better Space Mission Systems threat assessment by leveraging the National Cyber Range

Security Using Digital Signatures & Encryption

GSM Sniffing with OsmocomBB. Joshua Pereyda

FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

City Research Online. Permanent City Research Online URL:

UNIT-5. GSM System Operations (Traffic Cases) Registration, call setup, and location updating. Call setup. Interrogation phase

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

CSE Computer Security (Fall 2006)

Designing Authentication for Wireless Communication Security Protocol

What is Eavedropping?

[2017 TopN Security Threats and Preventive Measures for Mobile Networks]

Communication Networks 2 Signaling 2 (Mobile)

Endpoint Security - what-if analysis 1

Analysis of Privacy and Security Exposure in Mobile Dating Applications

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

CIS 4360 Secure Computer Systems Applied Cryptography

Chapter 6 Contemporary Symmetric Ciphers

Securing the Grid and Your Critical Utility Functions. April 24, 2017

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Transcription:

Mobile network security report: Ukraine GSM Map Project gsmmap@srlabs.de Security Research Labs, Berlin June 2017 Abstract. Mobile networks differ widely in their protection capabilities against common attacks. This report details the protection capabilities of two mobile networks in Ukraine. All 3G networks in Ukraine implement sufficient 3G intercept protection. Users of Kyivstar are not sufficiently protected from 2G intercept. In all 2G networks, user impersonation is possible with simple tools.

Contents 1 Overview 2 2 Protection measures 3 3 Attack scenarios 4 3.1 Passive intercept.................................. 4 3.2 Active intercept.................................. 5 3.3 Impersonation................................... 6 3.4 User tracking................................... 6 4 Conclusion 6 1 Overview Protection dimension (higher means better) Operator Intercept Impersonation Tracking Kyivstar 2G 49% 33% 3G 90% Vodafone 2G 52% 39% 3G 93% 84% 88% Table 1: Implemented protection features relative to 2014 best practices (according to SRLabs GSM metric v2.5) Disclaimer. This report was automatically generated using data submitted to gsmmap.org by volunteers. (Thank you!) The analysis does not claim accuracy. Please do not base far-reaching decisions on the conclusions provided herein, but instead verify them independently. If you detect inaccuracies, we are looking forward to hearing from you. This document provides a security analysis of Ukraine s two mobile networks, based on data collected between April 2013 and June 2017. The analysis is based on data samples submitted to the GSM Map project 1. It compares implemented protection features across networks. The GSM Map website reports protection features condensed into three dimensions as shown in Table 1. This report details the logic behind the analysis results, lists some of the implemented protection features, and maps the protection capabilities to popular attack tools. 1 GSM Map Project: https://gsmmap.org Mobile network security report: Ukraine Page 2

C The SRLabs network security metric condenses a7ack vectors and mi9ga9ons Risk category Risks Components Mitigations Intercept (2G) Impersonation (2G) Tracking Intercept voice Intercept SMS Make calls illegitimately Receive victim s calls Local tracking Global tracking Predict freq s Crack keys in real time Crack keys offline Reuse cracked keys Track IMSI/ TMSI HLR location finding SRLabs Metric v2.0 Hopping entropy A5/3 Padding randomization A5/3 Padding randomization SI randomization Update key in each transaction Update TMSI in each transaction Encrypt location updates (preferably with A5/3) Always encrypt IMSI Hide MSC and IMSI in HLR responses Figure 1: Best practice protection measures can mitigate three attack scenarios. 0 2 Protection measures The SRLabs GSM security metric is built on the understanding that mobile network subscribers are exposed to three main risks: Intercept. An adversary records calls and SMS from the air interface. Decryption can be done in real time or as a batch process after recording transactions in bulk. Impersonation. Calls or SMS are either spoofed or received using a stolen mobile identity. Tracking. Mobile subscribers are traced either globally using Internet-leaked information or locally by repeated TMSI pagings. The SRLabs metric traces these three risks to an extensive list of protection measures, some of which are listed in Figure 1. For 3G networks, GSMmap currently assesses intercept protection only. We understand that that the mandatory integrity checking in 3G protects from simple impersonation attacks. Table 2 details the implementation depth of some of the mitigation measures present in Ukraine s mobile networks. Mobile network security report: Ukraine Page 3

Attack vector Networks Kyivstar Vodafone 2G Over-the-air protection - Encryption algorithm A5/0 5% 0% A5/1 95% 100% - Require IMEI in CMC - Hopping entropy - Authenticate calls (MO) 22% 25% - Authenticate SMS (MO) 27% 21% - Authenticate paging (MT) 15% 41% - Authenticate LURs 50% 25% - Encrypt LURs 100% 100% - Update TMSI 42% 61% 3G Over-the-air protection - Encryption - Update TMSI 1% 30% HLR/VLR configuration - Mask MSC - Mask IMSI Table 2: Protection measures implemented in analyzed networks, compared to best practice references observed in 2014. 3 Attack scenarios The protection measures impact the effectiveness of common mobile network attack tools. 3.1 Passive intercept Passive 2G intercept requires two steps: First, all relevant data needs to be intercepted. This step cannot be prevented completely, but made more difficult by using less predictable frequency hopping sequences. Vodafone uses such less predictable hopping sequences. Regular rotation of the TMSI makes it harder to target a phone for intercept (Update TMSI). Secondly, the intercepted call and SMS traces need to be decrypted. In 2G networks, this can be prevented by hardening the A5/1 cipher or by upgrading to modern encryption algorithms. Currently, there is no publicly known cryptanalytic attack against the common 3G encryption algorithm, A5/3. All 3G networks in Ukraine use this encryption algorithm. Mobile network security report: Ukraine Page 4

Hardening the A5/1 cipher. The A5/1 cipher was developed in 1987 and is still the most common encryption algorithm for 2G calls. First weaknesses of this cipher were discussed in 1994 2, but it took until the mid-2000 s until successfull attacks on 2G were demonstrated publicly. These attacks exploit (partially) known plaintexts of the encrypted GSM messages to derive the encryption key. Consequently, countermeasures need to reduce the number of predictable bits in 2G frames. Nowadays, several generations of passive A5/1 decipher units exist, that attack different parts of the transaction. Early generations attack the Cipher Mode Complete message. All 2G networks in Ukraine are fully vulnerable (Require IMEI in CMC). More modern decipher units leverage predictable Null frames. These frames contain little to no relevant information and are filled up with a fixed uniform padding, facilitating known-plaintext attacks. These attacks can be prevented by using an unpredictable padding (Padding randomization). None of the networks in Ukraine have deployed protection from this type of attack. Recently updated intercept boxes further leverage System Information (SI) messages. These messages can be randomized, or not sent at all during encrypted transactions (SI randomization). None of the networks in Ukraine are protected from this type of attack. The randomization values cannot currently be measured using the SnoopSnitch software since the underlying Qualcomm chipsets do not disclose this level of information. We will continue to look for alternative measurement sources, but cannot currently measure whether networks in Ukraine use randomization. Upgrading to modern encryption algorithms. With the introduction of 3G mobile telecommunications technology, the A5/3 cipher was introduced to 2G. Only theoretical attacks on this cipher were so far presented publicly, none of which have practical significance. Modern phones can use this cipher for 2G communication, if the network supports it. In Ukraine, all 2G networks in Ukraine continue to mostly rely on outdated encryption. With passive intercept being prevented, attackers must use active intercept equipment, e.g. fake base stations, as described in Section 3.2. 3.2 Active intercept Attacks through fake 2G base stations can be prevented to different degrees, based on what the fake base station is used for: Location finding: In this attack scenario, a phone is lured onto a fake station so that the phone s exact location can be determined. This scenario occurs independent of the phone network and hence cannot be prevented through network protection measures. Outgoing call/sms intercept: A fake base station can proxy outgoing connections. In this attack, connectivity to the real network is not necessarily required, so no protection can be achieved from outside the phone. Encrypted call/sms intercept: Modern fake base stations execute full man-in-the-middle 2 See https://groups.google.com/forum/#!msg/uk.telecom/tkdcaytoeu4/mroy719hdroj Mobile network security report: Ukraine Page 5

attacks in which connections are maintained with both the phone and the real network. Networks can make such active attacks more difficult with a combination of two measures: First, by not allowing unencrypted calls. Secondly, by decreasing the authentication time given to an attacker to break the encryption key. This timeout can be as much as 12 seconds according to common standards. The GSM Map database currently lacks reliable data on authentication times in Ukraine. Vodafone ensures encryption in all 2G call and SMS transactions. All 3G networks in Ukraine encrypt relevant transactions. However, the GSMmap currently lacks data to decide whether the networks would accept subscriber-originated unencrypted transactions. 3.3 Impersonation Mobile identities can (temporarily) be hijacked using specific attack phones. These phones require the authentication key deciphered from one transaction. They use this key to start a subsequent transaction. The obvious way to prevent this attack scenario is by requiring a new key in each transaction (Authenticate calls/sms). In Ukraine, 2G call impersonation is possible against all 2G networks in Ukraine. The same is true for all SMS messages in Ukraine. 3G networks are generally protected from this type of impersonation attacks. 3.4 User tracking Mobile networks are regularly used to track people s whereabouts. Such tracking occurs at two different granularities: Global tracking: Internet-accessible services disclose the general location of GSM customers with granularity typically on a city level. The data is leaked to attackers as part of SMS delivery protocols in form of the MSC address (Mask MSC). All 2G networks in Ukraine suppress MSC information for their customers in Ukraine. In addition, users IMSI s can leak in HLR requests. All 2G networks in Ukraine protect this information. Local tracking: Based on TMSI identifiers, users association with location areas and specific cells can be tracked, providing a finer granularity than MSC-based tracking, but a less fine granularity than location finding with the help of fake base stations. IMSI-based tracking is made more difficult by changing the TMSI in each transaction (Update TMSI). Vodafone has implemented this feature. Kyivstar has not addressed this threat thoroughly. 4 Conclusion The mobile networks in Ukraine implement only few of the protection measures observed in other networks. Mobile network security report: Ukraine Page 6

All 2G networks in Ukraine are protecting their subscribers particularly well against tracking. The evolution of mobile network attack and defense techniques is meanwhile progressing further: Modern A5/1 deciphering units are harvesting the remaining non-randomized frames and thanks to faster computers are achieving high intercept rates again. The 3GPP, on the other hand, already completed standard extensions to reduce A5/1 attack surface to a minimum. These standards from 2009 are only hesitantly implemented by equipment manufacturers, leaving users exposed to phone intercept risks. The available protection methods even when implemented in full are barely enough to protect users sufficiently. A stronger push for implementing modern protection measures is needed to revert this erosion of mobile network security. Mobile network security report: Ukraine Page 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback