Upload
abdo-baju
View
220
Download
0
Embed Size (px)
Citation preview
7/27/2019 GSM Toutorials
1/42
Mario agalj
University of Split
8.1.2013.
Security of Cellular Networks:
Man-in-the Middle Attacks
Security in the GSM system by Jeremy Quirke, 2004
7/27/2019 GSM Toutorials
2/42
Introduction
Nowadays, mobile phones are used by 80-90% of theworlds population (billion of users)
Evolution
1G:analog cellular networks
2G: digital cellular networks with GSM (Global System for Mobile
Communications) beign the most popular and the most widely used
standard (circuit switching)
other 2G: technologies IS-95 CDMA based (US), PDC (Japan), etc.
2.5G: GPRS (General Packet Radio Service) packet switching 2.75G: EDGE faster data service
3G: UMTS (CDMA based), HSPA for data traffic (e.g., 5-10 Mbps)
other 3G: CDMA2000 (US, S. Korea)
4G: LTE (OFDM based), peak data rates of 100Mbps2
GSM security specifications
7/27/2019 GSM Toutorials
3/42
Cellular Network ArchitectureA high level view
3
External
Network
Cellular Network
Mobile
Station Base
Station
Mobile
Switching
Center
Databases
(e.g., Home
Location Register)
EPFL, JPH
7/27/2019 GSM Toutorials
4/42
Cellular Network ArchitectureRegistration Process
4
Tune on the strongest signal
Nr: 079/4154678
EPFL, JPH
7/27/2019 GSM Toutorials
5/42
Cellular Network ArchitectureService Request
5
079/4154678
079/8132627 079/4154678
079/8132627
EPFL, JPH
7/27/2019 GSM Toutorials
6/42
Cellular Network ArchitecturePaging Broadcast (locating a particular mobile station in case of mobile
terminated call)
6
079/8132627?
079/8132627?
079/8132627?
079/8132627?
Note: paging makes sense only over a smallarea
EPFL, JPH
7/27/2019 GSM Toutorials
7/42
Cellular Network ArchitectureResponse
7
079/8132627
079/8132627
EPFL, JPH
7/27/2019 GSM Toutorials
8/42
Cellular Network ArchitectureChannel Assignement
8
Channel
47
Channel
47Channel
68
Channel
68
EPFL, JPH
7/27/2019 GSM Toutorials
9/42
Cellular Network ArchitectureConversation
9EPFL, JPH
7/27/2019 GSM Toutorials
10/42
Cellular Network ArchitectureHandover (or Handoff)
10EPFL, JPH
7/27/2019 GSM Toutorials
11/42
Cellular Network ArchitectureMessage Sequence Chart
11
Caller BaseStationSwitch Base
StationCallee
Periodic registration Periodic registration
Service request Service request
Ring indicationRing indication
Page requestPage requestPaging broadcast Paging broadcast
Paging responsePaging response
Assign Ch. 47Tune to Ch.47
Assign Ch. 68 Tune to Ch. 68
Alert tone
User responseUser responseStop ring indicationStop ring indication
EPFL, JPH
7/27/2019 GSM Toutorials
12/42
GSM System Architecture
Based on Mobile Communications: Wireless
Telecommunication Systems
7/27/2019 GSM Toutorials
13/42
Architecture of the GSM system
GSM is a PLMN (Public Land Mobile Network) several providers setup mobile networks following the GSM
standard within each country
components
MS (mobile station)
BS (base station)
MSC (mobile switching center)
LR (location register)
subsystems RSS (radio subsystem): covers all radio aspects
NSS (network and switching subsystem): call forwarding, handover,
switching
OSS (operation subsystem): management of the network
13
7/27/2019 GSM Toutorials
14/42
GSM: overview
fixed network
BSC
BSC
MSC MSC
GMSC
OMC, EIR,AUC
VLR
HLR
NSS
with OSS
RSS
VLR
14
Please check http://gsmfordummies.com/architecture/arch.shtml
7/27/2019 GSM Toutorials
15/42
BSS
radiosubsystem
MS MS
BTS
BSCBTS
BTS
BSCBTS
network and switchingsubsystem
MSC
MSC
fixednetworks
IWF
ISDN
PSTN
PSPDNCSPDN
SS7
EIR
HLR
VLR
ISDN
PSTN
GSM: system architecture
15
7/27/2019 GSM Toutorials
16/42
System architecture: radio subsystem
Components
MS (Mobile Station)
BSS (Base Station Subsystem):
consisting of
BTS (Base Transceiver Station):
sender and receiver
BSC(Base Station Controller):
controlling several transceivers
BSS
radiosubsystem
network and switchingsubsystem
MS MS
BTS
BSC MSCBTS
BTS
BSCBTS
MSC
16
7/27/2019 GSM Toutorials
17/42
Radio subsystem
The Radio Subsystem (RSS) comprises the cellular mobilenetwork up to the switching centers
Components
Base Station Subsystem (BSS):
Base Transceiver Station (BTS): radio components including sender,
receiver, antenna - if directed antennas are used one BTS can cover
several cells
Base Station Controller (BSC): switching between BTSs, controlling BTSs,
managing of network resources, mapping of radio channels onto
terrestrial channels
Mobile Stations (MS)
17
7/27/2019 GSM Toutorials
18/42
possible radio coverage of the cell
idealized shape of the cellcell
segmentation of the area into cells
GSM: cellular network
use of several carrier frequencies
not the same frequency in adjoining cells
cell sizes vary from some 100 m up to 35 km depending on user density,
geography, transceiver power etc. hexagonal shape of cells is idealized (cells overlap, shapes depend on
geography)
if a mobile user changes cells
handover of the connection to the neighbor cell
18
7/27/2019 GSM Toutorials
19/42
System architecture: network and
switching subsystemComponents
MSC(Mobile Services Switching Center)
IWF(Interworking Functions)
ISDN (Integrated Services Digital Network)
PSTN (Public Switched Telephone Network)
PSPDN (Packet Switched Public Data Net.)
CSPDN (Circuit Switched Public Data Net.)
Databases
HLR(Home Location
Register)
VLR (Visitor Location Register)
EIR (Equipment Identity Register)
networksubsystem
MSC
MSC
fixed partnernetworks
IWF
ISDN
PSTN
PSPDN
CSPDN
SS7
EIR
HLR
VLR
ISDN
PSTN
19
7/27/2019 GSM Toutorials
20/42
Network and switching subsystem
NSS is the main component of the public mobile network GSM switching, mobility management, interconnection to other networks,
system control
Components
Mobile Services Switching Center (MSC)controls all connections via a separated network to/from a mobile terminal
within the domain of the MSC - several BSC can belong to a MSC
Databases (important: scalability, high capacity, low delay)
Home Location Register (HLR)
central master database containing user data, permanent and semi-permanentdata of all subscribers assigned to the HLR (one provider can have several HLRs)
Visitor Location Register (VLR)
local database for a subset of user data, including data about all user currently in
the domain of the VLR
20
7/27/2019 GSM Toutorials
21/42
Mobile Services Switching Center
The MSC (mobile switching center) plays a central role inGSM
switching functions
additional functions for mobility support
management of network resources
interworking functions via Gateway MSC (GMSC)
integration of several databases
21
7/27/2019 GSM Toutorials
22/42
Operation subsystem
The OSS (Operation Subsystem) enables centralized operation,management, and maintenance of all GSM subsystems
Components
Authentication Center (AUC)
generates user specific authentication parameters on request of a VLR
authentication parameters used for authentication of mobile terminals and
encryption of user data on the air interface within the GSM system
Equipment Identity Register (EIR)
registers GSM mobile stations and user rights
stolen or malfunctioning mobile stations can be locked and sometimes even
localized
Operation and Maintenance Center (OMC)
different control capabilities for the radio subsystem and the network subsystem
22
7/27/2019 GSM Toutorials
23/42
Mobile Terminated Call
PSTNcalling
stationGMSC
HLR VLR
BSSBSSBSS
MSC
MS
1 2
3
4
5
6
7
8 9
10
11 12
1316
10 10
11 11 11
14 15
17
1: calling a GSM subscriber2: forwarding call to GMSC
3: signal call setup to HLR
4, 5: request MSRN (roaming
number) from VLR
6: forward responsibleMSC to GMSC
7: forward call to
current MSC
8, 9: get current status of MS
10, 11: paging of MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection
23
Please check http://gsmfordummies.com/gsmevents/mobile_terminated.shtml
7/27/2019 GSM Toutorials
24/42
Mobile Originated Call
PSTN GMSC
VLR
BSS
MSC
MS1
2
6 5
3 4
9
10
7 8
1, 2: connection request3, 4: security check
5-8: check resources (free circuit)
9-10: set up call
24
7/27/2019 GSM Toutorials
25/42
Mobile Terminated and Mobile Originated Calls
BTSMS
paging request
channel request
immediate assignment
paging response
authentication request
authentication response
ciphering command
ciphering complete
setup
call confirmed
assignment command
assignment complete
alerting
connect
connect acknowledge
data/speech exchange
BTSMS
channel request
immediate assignment
service request
authentication request
authentication response
ciphering command
ciphering complete
setup
call confirmed
assignment command
assignment complete
alerting
connect
connect acknowledge
data/speech exchange
MTC MOC
25
7/27/2019 GSM Toutorials
26/42
Security in GSM
Based on:Security in the GSM system by Jeremy Quirke
The GSM Standard (An overview of its security) by SANS InstituteInfoSec Reading Room
Mobile Communications: Wireless Telecommunication Systems
7/27/2019 GSM Toutorials
27/42
Security Services in GSM
Access control/authentication
user
7/27/2019 GSM Toutorials
28/42
Security Services in GSMAuthentication
SIM (Subscriber Identity Module) card
smartcard inserted into a mobiel phone
contains all necessary details to obtain access to an account
unique IMSI (International Mobile Subscriber Identity)
Ki - the individual subscriber authentication key (128bit, used to generate all
other encryption and authentication keying GSM material)
highly protected the mobile phone never learns this key, mobile only forwardsany required material to the SIM
known only to the SIM and network AUC (Authentication Center) SIM unlocked using a PIN or PUK
authentication (A3 algorithm) and key generation (A8 algorithm)
is performed in the SIM
SIM contains a microprocessor 28
7/27/2019 GSM Toutorials
29/42
Security Services in GSMAuthentication
A3
RANDKi
128 bit 128 bit
SRES* 32 bit
A3
RAND Ki
128 bit 128 bit
SRES 32 bit
SRES* =? SRES SRES
RAND
SRES
32 bit
mobile network SIM
AC
MSC
SIM
Ki: individual subscriber authentication key SRES: signed response 29
7/27/2019 GSM Toutorials
30/42
Security Services in GSMAuthentication
Kc: Session encryption key generated together with SRES 30
7/27/2019 GSM Toutorials
31/42
Security Services in GSMEncryption
A8
RANDKi
128 bit 128 bit
Kc64 bit
A8
RAND Ki
128 bit 128 bit
SRES
RAND
encrypted
data
mobile network (BTS) MS with SIM
AC
BTS
SIM
A5
Kc
64 bit
A5
MSdata data
cipherkey
31
7/27/2019 GSM Toutorials
32/42
Security Services in GSMAuthentication and Encryption
A3 and A8 algorithms are both run in SIM at the same time on the
same input (RAND, Ki)
A3A8 = COMP128v1, COMP128v2, COMP123v3 (serious weaknesses known)
not used in UMTS
Encryption algorithm A5
symmetric encryption algorithm
voice/data encryption performed by a phone using generated encryption key Kc
32
7/27/2019 GSM Toutorials
33/42
Security Services in GSMEncryption
A5 algorithms
A5/0 no encryption used
A5/1 and A5/2 developed far from public domain and later found
flawed
stream ciphers based on linear feedback shift registers
A5/2 completely broken (not used anymore in GSM)
A5/1 is a bit stronger but also broken by many researchers
A5/3 is a block cipher based on Kasumi encryption algorithm used in UMTS, GSM, and GPRS mobile communications systems
public and reasonably secure (at least at the moment)
33
7/27/2019 GSM Toutorials
34/42
Security Services in GSMSummary
34
7/27/2019 GSM Toutorials
35/42
Security Weaknesess in GSM
A mobile phone does not authenticate the base station!
only mobile authenticate to BS (one-way authentication)
fake BS and man-in-the middle attacks possible
attacker does not have to know authentication key Ki
A5/0 - No Encryption algorithm is a valid choice in GSM
for voice, SMS, GPRS, EDGE services
Many weaknesses in A5 family of encryption algorithms
35
7/27/2019 GSM Toutorials
36/42
Security Weaknesess in GSM
36
7/27/2019 GSM Toutorials
37/42
Security Services in GSMAnonymity
Preventing eavesdropper (listening attacker) from determining if a
particular subscriber is/was in the given area
location privacy
thanks to long ranges a very powerful attack
attacker uses IMSI (International Mobile Subscriber Identity) IMSI Catchers
To preserve location privacy GSM defines TMSI (Temporary Mobile
Subscriber Identity)
when a phone turned on, IMSI from SIM transmitted in clear to the AUC
after this TMSI is assigned to this user for location privacy
after each location update or a predefined time out, a new TMSI is assigned to the
mobile phone
a new TMSI is sent encrypted (whenever possible)
VLR database contains mapping TMSI to IMSI37
7/27/2019 GSM Toutorials
38/42
Security Services in GSMAnonymity
38
7/27/2019 GSM Toutorials
39/42
Security Services in GSMAnonymity
39
7/27/2019 GSM Toutorials
40/42
Security Weaknesess in GSMAttack Against the Anonymity Service
GSM provisions for situation when the network somhow
loses track of a particular TMSI in this case the network must ask the subscriber its IMSI over the radio link
using the IDENTITY REQUEST and IDENTITY RESPONSE mechanism
however, the connection cannot be encrypted if the network does not knowthe IMSI and so the IMSI is sent in plain text
the attacker can use this to map known TMSI and unknown and user-specific
IMSI
40
7/27/2019 GSM Toutorials
41/42
Countermeasures: UMTS
UMTS defines 2-way authentication and mandates the
use of stronger encryption and authentication primitives
prevents MITM attacks by a fake BS, but be cautious...
Still many reasons to worry about
most mobiles support < 3G standards (GPRS, EDGE)
when signal is bad, hard to supprot UMTS rates
mobile providers already invested a lot of money and do not give up uponold BSS equippment
femtocells
41
7/27/2019 GSM Toutorials
42/42
Many Reason to Worry About Your Privacy
http://www.theregister.co.uk/2008/05/20/tracking_phones/
http://www.theregister.co.uk/2011/10/31/met_police_datong_mo
bile_tracking/ (check also http://www.pathintelligence.com)
http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.black
hat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-
Pico_Mobile_Attacks-Slides.pdf
http://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-
labs.tu-berlin.de%2Fbh2011.pdf
http://www.theregister.co.uk/2008/05/20/tracking_phones/http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdfhttp://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/http://www.theregister.co.uk/2008/05/20/tracking_phones/