Security in cellular-radio access networks



Similar documents
LTE and IMSI catcher myths

Network Access Security in Mobile 4G LTE. Huang Zheng Xiong Jiaxi An Sihua

Mobile Security. Practical attacks using cheap equipment. Business France. Presented the 07/06/2016. For. By Sébastien Dudek

LTE Security How Good Is It?

Mobility Management. Sara Modarres Razavi

LTE security and protocol exploits

UMTS security. Helsinki University of Technology S Security of Communication Protocols

Practical Security Testing for LTE Networks BlackHat Abu Dhabi December 2012 Martyn Ruks & Nils

Mobile Devices Security: Evolving Threat Profile of Mobile Networks

Long-Term Evolution. Mobile Telecommunications Networks WMNet Lab

LTE Security. EventHelix.com. Encryption and Integrity Protection in LTE. telecommunication design systems engineering real-time and embedded systems

Security Testing 4G (LTE) Networks 44con 6th September 2012 Martyn Ruks & Nils

Architecture Overview NCHU CSE LTE - 1

Protocol Signaling Procedures in LTE

Long Term Evolution - LTE. A short overview

How to secure an LTE-network: Just applying the 3GPP security standards and that's it?

On LTE Security: Closing the Gap Between Standards and Implementation

LTE Mobility Enhancements

Defending mobile phones. Karsten Nohl, Luca Melette,

LTE X2 Handover Messaging

Optimization Handoff in Mobility Management for the Integrated Macrocell - Femtocell LTE Network

Single Radio Voice Call Continuity (SRVCC) Testing Using Spirent CS8 Interactive Tester

What is going on in Mobile Broadband Networks?

Security in the Evolved Packet System

NTT DOCOMO Technical Journal. Core Network Infrastructure and Congestion Control Technology for M2M Communications

LTE transport network security Jason S. Boswell Head of Security Sales, NAM Nokia Siemens Networks

introduction to femtocells

Security Analysis of LTE Access Network

Get the best performance from your LTE Network with MOBIPASS

Mobile Phone Network Security

LTE Performance and Analysis using Atoll Simulation

LTE Attach and Default Bearer Setup Messaging

GSM and UMTS security

Dirty use of USSD codes in cellular networks

SS7 & LTE Stack Attack

EETS 8316 Wireless Networks Fall 2013

LTE Control Plane on Intel Architecture

Understanding Mobile Terminated Call Failures

LTE Overview October 6, 2011

LTE protocol tests for IO(D)T and R&D using the R&S CMW500

House intercoms attacks

Mobile Devices Security: Evolving Threat Profile of Mobile Networks

Network Optimization based on performance and capacity criteria

3GPP LTE Channels and MAC Layer

3GPP Long Term Evolution: Architecture, Protocols and Interfaces

Worldwide attacks on SS7 network

3GPP Femtocells: Architecture and Protocols. by Gavin Horn

Delivering Network Performance and Capacity. The most important thing we build is trust

Monitoring mobile communication network, how does it work? How to prevent such thing about that?

3GPP LTE Packet Data Convergence Protocol (PDCP) Sub Layer

Wireless Phone GSM tracking. Denis Foo Kune, John Koelndorfer, Nick Hopper, Yongdae Kim

Single Radio Voice Call Continuity. (SRVCC) with LTE. White Paper. Overview. By: Shwetha Vittal, Lead Engineer CONTENTS

Mobile Wireless Overview

Nokia Siemens Networks Flexi Network Server

Performance validation for the mobile core

Security Executive Summary. Securing LTE Radio Access Networks Effectively

Access to GSM and GPRS mobile services over unlicensed spectrum technologies through UMA

Delivery of Voice and Text Messages over LTE

1 Introduction Services and Applications for HSPA Organization of the Book 6 References 7

Mobile network security report: Poland

MNS Viewpoint: LTE EVOLUTION IN AFRICA 1. Introduction

Voice and SMS in LTE White Paper

Mobile network security report: Greece

How To Use A Femtocell (Hbn) On A Cell Phone (Hbt) On An Ipad Or Ipad (Hnt) On Your Cell Phone On A Sim Card (For Kids) On The Ipad/Iph

GSM Research. Chair in Communication Systems Department of Applied Sciences University of Freiburg 2010

Trends in Mobile Network Architectures 3GPP LTE Mobile WiMAX Next Generation Mobile Networks Dr.-Ing. Michael Schopp, Siemens Networks

Circuit-switched fallback. White Paper

Nokia Siemens Networks Flexi Network Gateway. Brochure

Product Description. HUAWEI E3372s-153 LTE USB Stick (Cat.4) HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Telesystem Innovations. LTE in a Nutshell: Protocol Architecture WHITE PAPER

A Vulnerability in the UMTS and LTE Authentication and Key Agreement Protocols

LTE and the Evolution to 4G Wireless

ehrpd Mike Keeley Market Segment Director

The future of mobile networking. David Kessens

Protocol log analysis with constraint programming. Kenneth Balck Mats Carlsson Olga Grinchtein Justin Pearson

Technical vulnerability of the E-UTRAN paging mechanism

2G/3G Mobile Communication Systems

Throughput for TDD and FDD 4 G LTE Systems

Contents. Preface. Acknowledgement. About the Author. Part I UMTS Networks

RBS 6000 Training Programs. Catalog of Course Descriptions

Oracle s Secure HetNet Backhaul Solution. A Solution Based on Oracle s Network Session Delivery and Control Infrastructure

ETSI TS V ( )

Overview of the Evolved packet core network

Cellular Analysis for Legal Professionals Larry E. Daniel Digital Forensic Examiner and Cellular Analyst EnCE, DFCP, BCE, ACE, CTNS, AME

Nationwide Interoperability Framework

Global System for Mobile Communication Technology

Analysis of CAPEX and OPEX Benefits of Wireless Access Virtualization

NSA LTE - Deep-Dive Monitoring of Wireless Uu and Wireline EPC Interfaces

Design and Implementation of a Distributed Mobility Management Entity (MME) on OpenStack

CC5500 Interceptor HSS DEVELOPMENT INC. HSS Development Inc. 75S Broadway White Plains, NY Tel: Fax:

Voice Quality with VoLTE

1 Introduction. 2 Assumptions. Implementing roaming for OpenBTS

Study of Long Term Evolution Network, its Architecture along with its Interfaces

An Oracle White Paper December The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks

Long Term Evolution - LTE L10 Training Programs. Catalog of Course Descriptions

Product Description. HUAWEI E3276s-150 LTE USB Rotator HUAWEI TECHNOLOGIES CO., LTD. Issue 06. Date

DataSheet. A complete view of the customer. What is Accanto s icem?

SERVICE CONTINUITY. Ensuring voice service

INTERNATIONAL TELECOMMUNICATION UNION

Transcription:

Security in cellular-radio access networks Ravishankar Borgaonkar, Oxford University 5G Security Workshop Stockholm, Sweden 11 May 2016

Outline Radio Access Network Layered Security Emerging low cost attacks From 5G perspective Conclusion

Radio Access Network Connects mobile devices to the serving network Allow legitimate devices only Energy efficient Establish secure communication channel Needs protocol with tradeoff decisions Security vs availability vs performance vs functions Availability is vital critical services in recent Brussels attack

Radio Access Network 2G/3G/4G BSC/ RAN Core Network BTS/NodeB Evolved Packet Core Network Access Stratum enodeb Note: picture provides an abstract view only 4

LTE Architecture E-UTRAN Cell UE enodeb S1 MME I n t e r n e t Tracking Area enodeb: Evolved Node B ( base station ) E-UTRAN: Evolved Universal Terrestrial Access Network MME : Mobility Management Entity UE: User Equipment S1 : Interface 5

Security evolution in mobile networks no mutual authentication 2G Phone mutual authentication integrity protection mutual authentication deeper mandatory integrity protection 3G 4G Base Station decides encryption/authentication requests IMSI/IMEI 6

Security aspects Authentication Availability Confidentiality Integrity 7

Security aspects and attacks Authentication Availability Confidentiality Integrity Fake BTS DoS Interception Tracking Security tradeoffs play essential role in protocol design. 8

Low cost attacking infrastructure 2G/3G/4G* network setup cost < 1000 USD Open source software & hardware USRP, Osmocom, OpenBTS, OpenLTE, etc IMSI catcher device problem Targeted attacks from illegal actors Almost no detection capabilities for the end-users

Emerging attack examples

Implementation issues on RAN From TS 124.008 v11.8.0 : If MAC failure, then phone should not communication with BTS (2G) Table from the paper Implementing an Affordable and Effective GSM IMSI Catcher with 3G Authentication 11

IMSI catchers (1) Exploit weakness in authentication methods Location tracking and interception Protection for active attacks not considered Lack of security indicator implementation 12

3G AKA vulnerability(2) Linkability attack by Arpanis et al Affects in 4G as well 13

4G Feature: Reports from UE to enodeb (3) RRC protocol 3GPP TS 36.331 Measurement reports (handovers) List of visible enodebs, signal strengths, UE s GPS co-ordinates RLF Reports (radio link troubleshooting) 14

Vulnerabilities in the feature Specification UE measurement reports Requests not authenticated Reports are not encrypted Send me Measurement/RLF report active attacker Implementations RLF reports Requests not authenticated Reports are not encrypted All baseband vendors 15

3GPP Specification issues (1) RRC protocol 3GPP TS 36.331 UE Measurement Report messages Necessary for handovers & troubleshooting No authentication for messages Reports not encrypted 16

4G Feature: Mobility Management (4) EMM protocol 3GPP TS 36.331 Tracking Area Update (TAU) procedure During TAU, MME & UE agree on network mode (2G/3G/4G) TAU Reject used to reject some services services (e.g., 4G) to UE Specification vulnerability: Reject messages are not integrity protected 17

3GPP Specification issues (2) EMM protocol 3GPP TS 36.331 Tracking Area Update Reject messages Necessary for UE mobility No integrity protection for reject messages Recovery mechanism not effective 18

Practical Attacks

Location Leaks: tracking subscriber coarse level paging Target Target Semi-passive Attacker (TA/cell) Mapping GUTI to Social Identity Location Accuracy: 2 Sq. Km 20

DoS Attacks Exploiting specification vulnerability in EMM protocol! Downgrade to non-lte network services (2G/3G) Deny all services (2G/3G/4G) Deny selected services (block incoming calls) Persistent DoS Requires reboot/sim re-insertion 21

Reasons for vulnerabilities Trade of between security and Performance Phone restricts to connect to network- saving power Saving network signaling resources (avoid unsuccessful attach) Operator do not refresh temporary identifiers often Availability Operators require unprotected reports for troubleshooting Functionality Smartphone apps on generic platforms not mobile-network-friendly Attacking cost Active type of IMSI catcher attacks thought to be expensive 22

5G Networks Perspective Authentication Availability Asymmetric keys for IMSI protection Remove unnecessary protocol messages Improve AKA protocols Effective recovery mechanisms

5G Networks Perspective Confidentiality & Integrity Encryption Indicators & APIs Dynamic Policies

Conclusions Specification & implementation vulnerabilities Lead to attacks: Silent tracking DoS attacks are persistent & silent to users Design trade-offs made a decade ago no longer effective For 5G Networks: New trade-offs to tackle emerging attacks Protection for active type of fake BTS attacks Study for removing unwanted protocol messages from 2G/3G/4G 25

Thank You. Questions? Pic ref: https://twitter.com/zahidtg

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information