Department of Computer Science

WiFi-Based IMSI Catcher

Piers O'Hanlon, Ravishankar Borgaonkar
BlackHat, London, 3rd November 2016

Overview

• What is an IMSI?
• Conventional IMSI Catchers
• WiFi-based IMSI Catcher
  • WiFi Network Authentication 💣
  • WiFi Calling Authentication 💣
• Operator/Vendor/OS Mitigations
• User Mitigations
• Demo

What is an IMSI?

• International Mobile Subscriber Identity
• 15 digit number, e.g. 234123456789012
• Allows for authentication of a device to the network (mutual authentication in 3G/4G)
  • Using the SIM's secret authentication key (Ki) and, for 3G/4G, the Sequence Number (SQN)
• Stored in two places:
  • In the 'SIM card' (USIM/UICC)
    • IMSI is accessible in a read-only section of the SIM
    • Secret key (Ki) and SQN are not directly readable
  • At the operator
    • IMSI indexes Ki and SQN in the HSS/AuC database
• An identifier that can be used for tracking
  • One of a few, like WiFi/Bluetooth/NFC hardware address (e.g. MAC), IMEI, MSISDN (phone number), etc.

Conventional IMSI Catchers

• Typical features
  • Tracking: IMSI/IMEI, location
  • Interception: call/SMS/data
• Operates on licensed mobile bands: GSM/3G/4G
• Acts as a fake base station to lure nearby mobile devices
• Operates in two modes
  • 'Passive': mainly for tracking (interception when no/weak ciphering)
  • Active: interception and tracking
• Cost
  • Commercial solutions expensive, but now possible with laptop + SDR board
• Been around since the early 1990s
  • Patented in Europe in 1993

Techniques in Conventional IMSI Catchers

2G
• Exploits protocol flaws (no mutual authentication, ...)
• Tracking & interception
• Easily available to buy online
• Use of fake base station

3G/4G
• Exploits architecture issues (base station > UE, ...)
• Tracking; difficult to intercept traffic w.r.t. 2G
• Commercial products usually downgrade (to 2G)
• Use of legitimate base station also possible

[Slide images: http://www.epicos.com/EPCompanyProfileWeb/Content/Ability/EM_GSM.JPG and http://edge.alluremedia.com.au/m/g/2016/05/nokia_ultra_compact_network.jpg]

Protection against IMSI Catchers

• No protection for commercial non-rooted mobile devices
• Special phones (expensive though) and apps for rooted phones
• Turn off the cellular connection, or use the WiFi platform for secure calls/data??

WiFi-Based IMSI Catcher

• Features
  • Tracking: IMSI, location
  • No interception (yet)
• Operates in unlicensed ISM bands: WiFi
• Range: a few hundred meters, can be extended…
• Fake access points
• Redirects/spoofs the mobile packet data gateway
• Exploits protocol & configuration weaknesses
• Based on two separate techniques [3GPP TS 33.234]
  • WiFi network authentication ('WLAN direct IP access')
  • WiFi-Calling authentication ('WLAN 3GPP IP access')
• Cost
  • Low: virtually any WiFi capable computer

WiFi network attachment

• Unencrypted WiFi access points
  • Captive portal approaches
  • Wireless Internet Service Provider roaming (WISPr) etc.
• Normal encrypted WiFi access points
  • Pre-shared password/credentials
• 'Auto Connect' encrypted WiFi access points
  • WiFi key is negotiated without user intervention
  • Based on credentials in the USIM/UICC ('SIM card')
  • Controlled by operator provided configuration
    • Manual
    • Automatic/pre-installed

Automatic configuration

• Some Android and Windows phones automatically connect based on the SIM
• iOS configures the phone based on the inserted SIM
  • Activates an operator specific .mobileconfig file
  • Configures a range of operator specific options
    • Including a list of Auto/EAP supported WiFi SSIDs
• Our analysis of iOS 9 profiles showed
  • More than 50 profiles for Auto/EAP WiFi
  • Also other config info
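
The slide describes operator profiles that carry a list of SIM-authenticated SSIDs the phone will join automatically. The following is an added example, not code from the talk or from any operator bundle: it audits an Apple configuration profile for WiFi payloads that auto-join with a SIM-based EAP method, which is exactly the set of networks a WiFi IMSI catcher can impersonate. The key names follow Apple's Configuration Profile Reference (`com.apple.wifi.managed`, `SSID_STR`, `AutoJoin`, `EAPClientConfiguration`/`AcceptEAPTypes`); the EAP type numbers are the IANA values for EAP-SIM (18), EAP-AKA (23) and EAP-AKA' (50). The profile content itself is constructed, with invented SSIDs and identifiers.

```python
import plistlib

# EAP method type numbers from the IANA EAP registry, as they appear in the
# AcceptEAPTypes array of a com.apple.wifi.managed payload.
EAP_SIM, EAP_AKA, EAP_AKA_PRIME, EAP_TLS = 18, 23, 50, 13
SIM_BASED_EAP = {EAP_SIM: "EAP-SIM", EAP_AKA: "EAP-AKA", EAP_AKA_PRIME: "EAP-AKA'"}

# Constructed sample profile (hypothetical SSIDs and identifier, not a real carrier bundle).
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.carrier.wifi",
    "PayloadContent": [
        {   # SIM-authenticated hotspot the phone will join on its own: IMSI catcher target
            "PayloadType": "com.apple.wifi.managed",
            "SSID_STR": "ExampleCarrier-WiFi",
            "AutoJoin": True,
            "EncryptionType": "WPA2",
            "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_SIM]},
        },
        {   # same, but with the 3G-based method
            "PayloadType": "com.apple.wifi.managed",
            "SSID_STR": "ExampleCarrier-Secure",
            "AutoJoin": True,
            "EncryptionType": "WPA2",
            "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_AKA]},
        },
        {   # open network with auto-join disabled: not reachable by the SIM-based attack
            "PayloadType": "com.apple.wifi.managed",
            "SSID_STR": "ExampleCafe",
            "AutoJoin": False,
            "EncryptionType": "None",
        },
        {   # certificate-based EAP-TLS: auto-joins, but offers no SIM identity
            "PayloadType": "com.apple.wifi.managed",
            "SSID_STR": "Corp-TLS",
            "AutoJoin": True,
            "EncryptionType": "WPA2",
            "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TLS]},
        },
    ],
}


def sim_autojoin_networks(profile):
    """Return (SSID, [method names]) for every WiFi payload that joins automatically
    and accepts a SIM-based EAP method, i.e. networks a fake AP can lure the phone to."""
    hits = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        if not payload.get("AutoJoin", False):
            continue
        accepted = payload.get("EAPClientConfiguration", {}).get("AcceptEAPTypes", [])
        methods = [SIM_BASED_EAP[t] for t in accepted if t in SIM_BASED_EAP]
        if methods:
            hits.append((payload["SSID_STR"], methods))
    return hits


def audit_mobileconfig(data):
    """Parse an unsigned .mobileconfig (XML or binary plist bytes) and audit it."""
    return sim_autojoin_networks(plistlib.loads(data))


def audit_sample():
    """Serialise the constructed profile and run the audit on the resulting bytes."""
    return audit_mobileconfig(plistlib.dumps(SAMPLE_PROFILE))


if __name__ == "__main__":
    for ssid, methods in audit_sample():
        print(f"{ssid}: auto-joins with {', '.join(methods)}")
```

Profiles shipped on a device are usually CMS-signed; unwrap the signature first (for example with OpenSSL's `smime -verify`) and hand the inner plist bytes to `audit_mobileconfig`. Any SSID the function reports is one where turning off 'Auto-Join' (see the user mitigations later in the deck) matters.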

'Manual' configuration

• Some Android devices require initial manual config
  • After which it automatically connects
• Instructions on operator websites
  • Follow simple steps to set up
• Android provides various carrier controlled mechanisms
  • Lollipop (v5.1 MR1): UICC Carrier Privileges
  • Marshmallow (v6.0): Carrier Configuration
    • "Privileged applications to provide carrier-specific configuration to the platform"

Automatic WiFi authentication

• Port Based Network Access Control [IEEE 802.1X]
  • Uses the Extensible Authentication Protocol (EAP) [RFC 3748] over LAN (EAPOL) over WiFi
• Based upon two EAP methods
  • EAP-SIM [RFC 4186]
    • GSM based security; currently most widely used
  • EAP-AKA [RFC 4187]
    • 3G based security; being deployed
• Support in Android, iOS, Windows Mobile, and Blackberry devices
  • We've reported the issue to them all and to operators & GSMA
    • No privacy bounties 😕
    • Apple included 'conservative peer' support due to our work
• Deployed in many countries; adoption growing

EAP-SIM/AKA identities

• Three basic identity types for authentication
  • Permanent identity (IMSI)
    • Typically used initially, after which temporary ids are used
  • Pseudonym identity
    • A pseudonym for the IMSI; has a limited lifetime
  • Fast re-authentication identity
    • Lower overhead re-attachment after the initial exchange
• Behaviour affected by peer policy
  • "Liberal" peer: current default
    • Responds to any request for the permanent identity
  • "Conservative" peer: future deployment option
    • Only responds to requests for the permanent identity when no pseudonym identity is available

EAP-SIM/AKA transport

• Basic EAP protocol is not encrypted
• Currently EAP-SIM/AKA in EAPOL is unencrypted
  • Thus the IMSI is visible (to a passive attacker) when the permanent identity is used for full authentication 😱
  • Also open to active attacks: a fake AP can demand full authentication and so request the permanent identity 😱
• WiFi access keys not compromised
  • All content still protected
• There are encrypted tunnel EAP methods
  • EAP-TTLSv0 [RFC 5281], EAP-TLS…
  • But support is required in both the mobile OS and the operator
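
The two slides above make one point together: the identity types differ only by the first character of the NAI username, and because EAPOL carries EAP-Response/Identity in clear, a permanent identity hands the IMSI to anyone listening, while a liberal peer hands it to anyone asking. The following is an added example, not code from the talk: it parses EAPOL-encapsulated EAP-Response/Identity frames, classifies the NAI by the RFC 4186/4187 prefix ('1'/'3'/'5' for EAP-SIM permanent/pseudonym/fast-reauth, '0'/'2'/'4' for EAP-AKA), extracts the IMSI from the TS 23.003 realm format, and models the liberal versus conservative peer decision. The frames are constructed here; the IMSI is the deck's own example 234123456789012, and the pseudonym username is an invented string. The conservative peer's refusal is modelled as the EAP-SIM/AKA Client-Error "unable to process packet" (code 0) that the RFCs specify for a refused identity request.

```python
import struct

EAPOL_EAP_PACKET = 0
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Leading character of the NAI username encodes the identity type
# (RFC 4186 s4.2.1 for EAP-SIM, RFC 4187 s4.1.1 for EAP-AKA).
IDENTITY_PREFIX = {
    "1": ("EAP-SIM", "permanent"), "3": ("EAP-SIM", "pseudonym"), "5": ("EAP-SIM", "fast-reauth"),
    "0": ("EAP-AKA", "permanent"), "2": ("EAP-AKA", "pseudonym"), "4": ("EAP-AKA", "fast-reauth"),
}


def build_identity_response(nai, eap_id=1):
    """EAPOL(v1) frame carrying an EAP-Response/Identity with `nai` (used to build samples)."""
    body = nai.encode("ascii")
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(body), EAP_TYPE_IDENTITY) + body
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


def parse_eapol_identity(frame):
    """NAI from an EAPOL-encapsulated EAP-Response/Identity, else None. `frame` starts at
    the EAPOL header (after the 802.11 and LLC/SNAP headers, ethertype 0x888E)."""
    if len(frame) < 9:
        return None
    _ver, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    eap = frame[4:4 + eapol_len]
    if eapol_type != EAPOL_EAP_PACKET or len(eap) < 5:
        return None
    code, _id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    return eap[5:eap_len].decode("ascii", errors="replace")


def classify_identity(nai):
    """Identity type from the prefix; a permanent identity carries the IMSI in clear as
    '<prefix><IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org' (3GPP TS 23.003)."""
    user, _, realm = nai.partition("@")
    method, kind = IDENTITY_PREFIX.get(user[:1], ("unknown", "unknown"))
    digits = user[1:]
    imsi = digits if kind == "permanent" and digits.isdigit() and 14 <= len(digits) <= 15 else None
    return {"method": method, "kind": kind, "realm": realm, "imsi": imsi}


def sniff_imsis(frames):
    """What a passive listener near the AP learns: every IMSI sent as a permanent identity."""
    found = []
    for frame in frames:
        nai = parse_eapol_identity(frame)
        if nai is not None:
            imsi = classify_identity(nai)["imsi"]
            if imsi:
                found.append(imsi)
    return found


def peer_identity_response(permanent_nai, pseudonym_nai, conservative):
    """Peer policy on receiving AT_PERMANENT_ID_REQ: a liberal peer always answers with its
    permanent identity; a conservative peer does so only when it holds no pseudonym and
    otherwise refuses with Client-Error 'unable to process packet' (code 0)."""
    if conservative and pseudonym_nai:
        return ("client-error", 0)
    return ("identity", permanent_nai)


# Constructed samples: the deck's example IMSI 234123456789012 gives realm mnc012.mcc234;
# the pseudonym username after the '3' prefix is invented.
PERMANENT = "1234123456789012@wlan.mnc012.mcc234.3gppnetwork.org"
PSEUDONYM = "3xQ8h2Nf7wLp@wlan.mnc012.mcc234.3gppnetwork.org"
SAMPLE_FRAMES = [
    build_identity_response(PSEUDONYM, 1),   # peer first offers its pseudonym
    build_identity_response(PERMANENT, 2),   # liberal peer answering AT_PERMANENT_ID_REQ
    struct.pack("!BBH", 1, 3, 0),            # EAPOL-Key frame, not an EAP packet
]

if __name__ == "__main__":
    print("passive listener sees IMSIs:", sniff_imsis(SAMPLE_FRAMES))
    for conservative in (False, True):
        label = "conservative" if conservative else "liberal"
        print(label, "peer holding a pseudonym answers:",
              peer_identity_response(PERMANENT, PSEUDONYM, conservative))
```

Run against a real capture, `parse_eapol_identity` takes the bytes after the LLC/SNAP header of each 802.1X data frame; the same classification doubles as a detection rule, since a permanent identity appearing where a pseudonym would be expected is the signature of a fake AP demanding full authentication.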

WiFi-Calling connection

• Phone connects to the evolved Packet Data Gateway (ePDG) over WiFi
  • Voice calls over WiFi
  • Phone connects on low/no signal
  • Also connects in Airplane mode + WiFi…
• Connection to the ePDG uses IPsec
  • Authenticates using the Internet Key Exchange protocol (IKEv2)
• Supported on iOS, Android, and Windows devices
• WiFi-Calling available in a number of countries
• The issue has also been reported to OS makers and operators

IPsec brief overview

• Internet Protocol Security
  • Confidentiality, data integrity, access control, and data source authentication
  • Protection against packet replay and packet forgery (it does not recover lost packets)
• Authentication
  • Authentication Header (AH) - RFC 4302
• Confidentiality
  • Encapsulating Security Payload (ESP) - RFC 4303 (also provides integrity)
• Key management
  • Internet Key Exchange v2 (IKEv2) - RFC 7296
• Two modes
  • Tunnel: used for the connection to the gateway (ePDG)
  • Transport

Internet Key Exchange (IKEv2)

• Initiates the connection in two exchanges
  • IKE_SA_INIT
    • Negotiate cryptographic algorithms, exchange nonces, and do a Diffie-Hellman exchange
  • IKE_AUTH
    • Authenticate the previous messages, exchange identities (e.g. IMSI) and certificates, and establish the child Security Association(s) (SA)
• IKE_AUTH uses EAP-AKA
  • IMSI exchange not protected by a certificate: the UE sends its identity (IDi) in the first IKE_AUTH message, encrypted only under keys from the not-yet-authenticated Diffie-Hellman exchange
  • Open to MitM attacks on the identity (IMSI) 😱
• IPsec ESP keys are not compromised
  • Call content still safe
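
To make the "not protected by a certificate" point concrete, here is an added model of the exchange, written for this page and not taken from the talk or from any IKEv2 implementation. It keeps the message order of RFC 7296 (IKE_SA_INIT carries the Diffie-Hellman values and nonces; the first IKE_AUTH message carries IDi) but replaces the real primitives with labelled stand-ins: a toy DH group (p = 2^127 - 1, far too small for real use), an HMAC-SHA256 sketch of the SKEYSEED/prf+ derivation that yields a single key, and an XOR keystream in place of the negotiated ENCR transform. The identity is the deck's example IMSI in the TS 23.003 EAP-AKA root-NAI format used towards the ePDG. What the model shows is that whoever answers IKE_SA_INIT shares the encryption key with the UE and so reads IDi, while a passive sniffer, who only sees g^x, g^y and the nonces, does not.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters for illustration only: p = 2**127 - 1 is prime but far
# too small for real use; IKEv2 negotiates a MODP/ECP group in IKE_SA_INIT.
P = (1 << 127) - 1
G = 2


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_sk_e(shared, ni, nr):
    """Stand-in for RFC 7296 s2.14: SKEYSEED = prf(Ni | Nr, g^ir), then prf+.
    Only one encryption key is derived; the real KDF also yields SK_d, SK_a and SK_p."""
    skeyseed = prf(ni + nr, shared.to_bytes(16, "big"))
    return prf(skeyseed, ni + nr + b"\x01")


def encrypt(key, data):
    """XOR with a prf-derived keystream stands in for the negotiated ENCR transform
    (symmetric, so the same call decrypts)."""
    stream = b"".join(prf(key, bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def ue_ike_sa_init():
    """UE's IKE_SA_INIT request: KEi = g^x and nonce Ni (SA proposal omitted)."""
    x = secrets.randbelow(P - 2) + 1
    return {"x": x, "gx": pow(G, x, P), "ni": secrets.token_bytes(16)}


def responder_ike_sa_init(ue_msg):
    """Whoever answers IKE_SA_INIT, genuine ePDG or rogue, completes the DH and ends up
    with the same SK_e as the UE; nothing in this exchange proves who they are."""
    y = secrets.randbelow(P - 2) + 1
    nr = secrets.token_bytes(16)
    sk_e = derive_sk_e(pow(ue_msg["gx"], y, P), ue_msg["ni"], nr)
    return {"gy": pow(G, y, P), "nr": nr, "sk_e": sk_e}


def ue_first_ike_auth(ue, resp, nai):
    """First IKE_AUTH message: the UE sends IDi (its NAI) encrypted under SK_e before it
    has seen any certificate or AUTH payload from the responder (EAP-AKA flow)."""
    sk_e = derive_sk_e(pow(resp["gy"], ue["x"], P), ue["ni"], resp["nr"])
    return encrypt(sk_e, nai.encode("ascii"))


# Constructed sample: EAP-AKA permanent identity ('0' prefix) for the deck's example
# IMSI 234123456789012, in the TS 23.003 root-NAI format used towards the ePDG.
UE_NAI = "0234123456789012@nai.epc.mnc012.mcc234.3gppnetwork.org"


def run_exchange(nai=UE_NAI):
    """Return what an active responder and a passive sniffer each recover from IDi."""
    ue = ue_ike_sa_init()
    rogue = responder_ike_sa_init(ue)              # rogue AP answering in place of the ePDG
    idi_ct = ue_first_ike_auth(ue, rogue, nai)
    rogue_view = encrypt(rogue["sk_e"], idi_ct).decode("ascii", errors="replace")
    # A sniffer holds g^x, g^y, Ni and Nr only; without g^xy any key it derives is wrong.
    sniff_key = derive_sk_e((ue["gx"] * rogue["gy"]) % P, ue["ni"], rogue["nr"])
    sniff_view = encrypt(sniff_key, idi_ct).decode("ascii", errors="replace")
    return {"rogue": rogue_view, "passive": sniff_view}


def imsi_from_nai(nai):
    """IMSI from an EAP-AKA permanent-identity NAI, else None."""
    user = nai.partition("@")[0]
    return user[1:] if user[:1] == "0" and user[1:].isdigit() else None


if __name__ == "__main__":
    views = run_exchange()
    print("rogue responder learns IMSI:", imsi_from_nai(views["rogue"]))
    print("passive sniffer learns IMSI:", imsi_from_nai(views["passive"]))
```

The ESP keys for the call are still safe in this model, as the slide says: the rogue never completes EAP-AKA without Ki, so no CHILD_SA is established with it. The mitigations later in the deck work by making the UE wait for a certificate-authenticated peer before it sends the NAI, either inside an EAP-TTLS tunnel or via a first certificate-based IKEv2 authentication round.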

Operator/Vendor mitigations

• Deprecate EAP-SIM in favour of EAP-AKA
  • EAP-SIM is weaker as it only uses GSM triplets
• Deploy EAP-AKA/SIM with conservative peer pseudonyms
• Deploy a certificate based approach
  • Deploy certificates on suitable AAA infrastructure
  • Deploy certificate protected tunnelled EAP-AKA for WLAN access
    • E.g. EAP-TTLS + EAP-AKA on 802.1X
  • Deploy certificate protected IPsec/IKEv2 to the ePDG
    • E.g. EAP-TTLS + EAP-AKA for IKE_AUTH, or multiple IKEv2 authentication exchanges [RFC 4739]
• (Re)investigate other potential solutions
  • IMSI encryption: the 5G-ENSURE project has proposed an 'enabler'
  • E.g. 3GPP TD S3-030081: 'Certificate-Based Protection of IMSI for EAP-SIM/AKA'
• Standards bodies should re-evaluate approaches

Mobile OS mitigations

• Support conservative peer for EAP-AKA/SIM with pseudonym support
  • Emerging in some OSes (e.g. iOS 10)
• Certificate based approach
  • Support for EAP-TTLSv0 + EAP-AKA in IKEv2 & EAPOL
  • Other approaches?
• Allow for more user choice with automatic WiFi network access
  • Preferably allow for editing of all stored associations

User mitigation

• WiFi network access control
  • iOS
    • Turn off the 'Auto-Join' toggle for Auto-WiFi networks
      • Only possible when the network is in range
    • iOS 10 may provide better protection (once operators deploy support)
      • It has conservative peer pseudonym support, due to us 😉
  • Android
    • 'Forget' Auto-WiFi profiles
      • Depending on the version, only possible when the network is in range
• WiFi-Calling
  • Android/iOS: selectively disable WiFi-Calling
• Switch off WiFi in untrusted environments

Summary

• Exposed two new IMSI catching techniques
  • WiFi network authentication protocols
  • WiFi-Calling authentication protocols
• Most of the world's smartphones implement these protocols
• Both techniques rely upon installed operator automatic configuration for these popular services
• We've been working with operators/vendors/OS companies to fix the issue
  • But it's a complex issue

Conclusions & future work

• Investigating other uses of EAP-SIM/AKA
• Exploring use of USIM credentials in other WiFi based protocols
• Continuing work in the 5G-ENSURE EU project
  • Security architecture and enablers

Demo and Questions…