TUTORIAL: LTE AND 5G PROTOCOL SECURITY PROCEDURES

3.03 MB
67 Pages

TUTORIAL: LTE AND 5G PROTOCOL SECURITY PROCEDURES AND VULNERABILITY ANALYSES USING SOFTWARE RADIO TESTBEDS
PART II – UPPER LAYERS
Vuk Marojevic, Roger Piqueras Jover
[email protected], [email protected]
30th 2018
Portions Copyright 2018 Bloomberg L.P.

ABOUT – ROGER PIQUERAS JOVER
- Recent dad who goes to a lot of live music shows, plays and watches too much soccer, and does some security research on the side
- Security Researcher (aka Senior Security Architect), Office of the CTO at Bloomberg
- Formerly (5 years) Principal Member of Technical Staff at AT&T Security Research
- Mobile/wireless network security research
  - Mostly LTE PHY and upper layers
  - If it communicates wirelessly, I am interested in its security: BLE, 802.11, Zigbee, Zigwave, LoRaWAN
- More details: http://rogerpiquerasjover.net/ @rgoestotheshows

EXPLORING MOBILE NETWORK PROTOCOL SECURITY
- The first mobile networks were not designed with a strong security focus (no support for encryption in 1G!!!)
- Labels from the generation timeline figure: “Old” encryption; No BS authentication; Strong mutual authentication; PKI for IMSI protection; More secure (?)

LTE BASICS

LTE MOBILE NETWORK ARCHITECTURE

LTE CELL SELECTION AND CONNECTION
Flow from the slide diagram:
1. Power on
2. Cell search procedure: decode PSS and SSS to synchronize in time and frequency
3. Decode PBCH
4. Extract system configuration
   - Decode Master Information Block (MIB) from PBCH
   - Decode System Information Blocks (SIBs) from PDSCH
5. Idle state
6. Random access (RACH)
7. Radio Access Bearer (Attach)
8. Connected state: mobile connection

LTE NAS ATTACH PROCEDURE

MOBILE NETWORK USER/DEVICE IDENTIFIERS
- IMEI – “Serial number” of the device
- IMSI – secret id of the SIM that should never be disclosed
- TMSI – temporary id used by the network once it knows who you are
- MSISDN – Your phone number (XYZ-867-5309)

LTE (IN)SECURITY RATIONALE

LTE (IN)SECURITY RATIONALE
Stages in the slide diagram:
1. RACH handshake between UE and eNB
2. RRC handshake between UE and eNB
3. Connection setup (authentication, set-up of encryption, tunnel set-up, etc)
4. Encrypted traffic

LTE (IN)SECURITY RATIONALE
Unencrypted and unprotected. I can sniff these messages and I can transmit them pretending to be a legitimate base station.
Other things sent in the clear:
- Base station config (broadcast messages)
- Measurement reports
- Measurement report requests
- (Sometimes) GPS coordinates
- HO related messages
- Paging messages
- Etc

LTE (IN)SECURITY RATIONALE
Regardless of mutual authentication and strong encryption, a mobile device engages in a substantial exchange of unprotected messages with *any* LTE base station (malicious or not) that advertises itself with the right broadcast information.
Spoiler alert – This also potentially applies to 5G. No viable solution proposed in the specifications yet. (more on this later)

EXPLORING LTE SECURITY WITH SOFTWARE-RADIO

TOOLSET
- LTE open source implementation (eNB, UE)
  - Modified OpenLTE - http://openlte.sourceforge.net/
  - Recent work with modified srsLTE – https://github.com/srsLTE
    - First available UE stack implementation!!!!!!
  - LTE sniffer
  - Modifications to source for protocol exploit experimentation
- HW setup
  - USRP B210/USRP mini for active rogue base station
  - BUDGET: USRP B210 (1100), GPSDO (625), LTE antenna (2x 30): total 1785
  - Machine running Ubuntu
- All LTE active radio experiments MUST be performed inside a Faraday cage!!!

SNIFFING BASE STATION CONFIGURATION
- Base station configuration broadcasted in the clear in MIB and SIB messages
- Broadcast message scanning tools available in both srsLTE (AirScope) and openLTE
  - Dump everything on pcap
- Very useful information that could be leveraged by an adversary
  - Optimal tx power for a rogue base station
  - High priority frequencies to force priority cell reselection
  - Tracking Area of the legitimate cell (use a different one in your rogue eNodeB to force TAU update messages)
  - Mapping of signaling channels
  - Paging channel mapping and paging configuration
LTE/LTE-A Jamming, Spoofing and Sniffing: Threat Assessment and Mitigation. Marc Lichtman, Roger Piqueras Jover, Mina Labib, Raghunandan Rao, Vuk Marojevic, Jeffrey H. Reed. IEEE Communications Magazine. Special issue on Critical Communications and Public Safety Networks. April 2016.

SNIFFING BASE STATION CONFIGURATION
LTE PBCH MIB packet:
Time: 00:02:10.087204  Frame: 93  Subframe: 0
BCCH-BCH-Message
  message
    dl-Bandwidth: n50
    phich-Config
      phich-Duration: normal
      phich-Resource: one
    systemFrameNumber: {8 bits 0x17}
    spare: {10 bits 0x0000 Right Aligned}
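The MIB above is only 24 bits with a fixed layout, which is why passive tools can decode every cell's configuration from the PBCH. The Python below is an added example, not code from the slides or from srsLTE/OpenLTE; it assumes the Rel-8 unaligned-PER field order of 3GPP TS 36.331 and uses a constructed 3-byte payload that reproduces the values in the dump (n50, normal, one, SFN MSBs 0x17).

```python
"""Decode/encode the 24-bit LTE MasterInformationBlock carried on the PBCH.
Added example, not srsLTE/OpenLTE code. Field order and widths follow the
Rel-8 unaligned-PER layout in 3GPP TS 36.331; every field is fixed size, so
there are no length determinants: 3 + 1 + 2 + 8 + 10 = 24 bits."""
from dataclasses import dataclass

DL_BANDWIDTH = ("n6", "n15", "n25", "n50", "n75", "n100")  # in resource blocks
PHICH_DURATION = ("normal", "extended")
PHICH_RESOURCE = ("oneSixth", "half", "one", "two")

@dataclass
class Mib:
    dl_bandwidth: str
    phich_duration: str
    phich_resource: str
    sfn_msb: int  # 8 most significant bits of the 10-bit system frame number
    spare: int    # 10 spare bits, zero in a Rel-8 network

def decode_mib(payload: bytes) -> Mib:
    """Parse the 24 MIB bits left after PBCH channel decoding and CRC removal."""
    if len(payload) != 3:
        raise ValueError("MIB payload is exactly 24 bits")
    bits = int.from_bytes(payload, "big")
    bw_idx = (bits >> 21) & 0x7              # bits 23..21
    if bw_idx >= len(DL_BANDWIDTH):          # only 6 of 8 code points are valid
        raise ValueError(f"invalid dl-Bandwidth index {bw_idx}")
    return Mib(
        dl_bandwidth=DL_BANDWIDTH[bw_idx],
        phich_duration=PHICH_DURATION[(bits >> 20) & 0x1],  # bit 20
        phich_resource=PHICH_RESOURCE[(bits >> 18) & 0x3],  # bits 19..18
        sfn_msb=(bits >> 10) & 0xFF,                        # bits 17..10
        spare=bits & 0x3FF,                                 # bits 9..0
    )

def encode_mib(mib: Mib) -> bytes:
    """Inverse of decode_mib; handy for building test vectors."""
    bits = (DL_BANDWIDTH.index(mib.dl_bandwidth) << 21
            | PHICH_DURATION.index(mib.phich_duration) << 20
            | PHICH_RESOURCE.index(mib.phich_resource) << 18
            | (mib.sfn_msb & 0xFF) << 10
            | (mib.spare & 0x3FF))
    return bits.to_bytes(3, "big")

def sfn_candidates(mib: Mib) -> range:
    """The two SFN LSBs are implied by which of the four PBCH repetitions was decoded."""
    return range(mib.sfn_msb << 2, (mib.sfn_msb << 2) + 4)

# Constructed payload matching the dump above: n50, normal, one, SFN MSBs 0x17.
SAMPLE_PBCH_PAYLOAD = bytes.fromhex("685c00")
```

Frame 93 in the dump is consistent with the decoded SFN MSBs: 0x17 << 2 gives frames 92 to 95.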

SNIFFING BASE STATION CONFIGURATION
LTE PDSCH SIB1 packet:
Time: 00:02:10.102204  Frame: 94  Subframe: (unreadable)
  PLMN-IdentityInfo
    plmn-Identity
      mcc
        MCC-MNC-Digit: 3
        MCC-MNC-Digit: 1
        MCC-MNC-Digit: 0
      mnc
        MCC-MNC-Digit: 4
        MCC-MNC-Digit: 1
        MCC-MNC-Digit: 0
    cellReservedForOperatorUse: reserved
  trackingAreaCode: {16 bits 0x2713}
  cellIdentity: {28 bits 0x0075400F Right Aligned}
  cellBarred: notBarred
  intraFreqReselection: allowed
  csg-Indication: false
  cellSelectionInfo
    q-RxLevMin: -60
  freqBandIndicator: 17
  schedulingInfoList
    SchedulingInfo
      si-Periodicity: rf8
      sib-MappingInfo
        SIB-Type: sibType3
  si-WindowLength: ms10
  systemInfoValueTag: 11
  Padding
Slide annotations: Mobile operator (plmn-Identity); Cell ID (cellIdentity); RX power to select that cell (q-RxLevMin)

SNIFFING BASE STATION CONFIGURATION
LTE PDSCH SIB2/3 packet (slide annotations): RACH config; Paging config; RRC timers; User traffic config; Etc

SNIFFING BASE STATION CONFIGURATION
- MIB/SIB messages are necessary for the operation of the network
  - Some things must be sent in the clear (i.e. a device connecting for the first time)
  - But perhaps not everything
- Things an attacker can learn from MIB and SIB messages
  - Optimal tx power for a rogue base station (no need to set up your USRP to its max tx power)
  - High priority frequencies to force priority cell reselection
  - Mobile operator who owns that tower
  - Tracking Area of the legitimate cell (use a different one in your rogue eNodeB to force TAU update messages)
  - Mapping of signaling channels
  - Paging channel mapping and paging configuration
  - Etc
LTE/LTE-A Jamming, Spoofing and Sniffing: Threat Assessment and Mitigation. Marc Lichtman, Roger Piqueras Jover, Mina Labib, Raghunandan Rao, Vuk Marojevic, Jeffrey H. Reed. IEEE Communications Magazine. Special issue on Critical Communications and Public Safety Networks. April 2016.

IMSI CATCHERS (STINGRAY)
- Active device that intercepts mobile devices
  - Malicious base station advertising itself as legitimate
  - Transmits the same configuration and broadcast information as the real base station
  - Forces all mobile devices in its range to disclose their IMSI in the clear
  - After catching the IMSI, releases the connection and the mobile device reconnects to the real base station
- Wrongly assumed to require downgrading to GSM
  - Jam/block 3G and LTE signals
  - Use GSM-based IMSI catcher
- Can be implemented easily using open source tools
  - openBTS (GSM)
  - srsLTE/OpenLTE (LTE)

IMSI CATCHERS (STINGRAY)

IMSI CATCHERS (STINGRAY)
Slide annotations: Unauthenticated messages; Extract IMSI from these messages

LOW-COST LTE IMSI CATCHER (STINGRAY)
- Despite common assumptions, in LTE the IMSI is always transmitted in the clear at least once
  - If the network has never seen that UE, it must use the IMSI to claim its identity
  - A UE will trust *any* eNodeB that claims it has never seen that device (pre-authentication messages)
  - IMSI can also be transmitted in the clear in error recovery situations (very rare)
- Implementation
  - USRP B210
  - Ubuntu 14.10, gnuradio 3.7.2
  - LTE base station – OpenLTE’s LTE fdd eNodeB (slightly modified)
    - Added feature to record IMSI from Attach Request messages
    - Send attach reject after IMSI collection
- Stingrays also possible in LTE without need to downgrade connection to GSM
- Not possible to implement a MitM threat (mutual authentication)

LOW-COST LTE IMSI CATCHER (STINGRAY)
IMSI transmitted in the clear in an AttachRequest NAS message

DEVICE AND SIM TEMPORARY LOCK
- Attach reject and TAU (Tracking Area Update) reject messages are not encrypted/integrity protected
- Spoofing these messages one can trick a device to
  - Believe it is not allowed to connect to the network (blocked)
  - Believe it is supposed to downgrade to or only allowed to connect to GSM
Slide diagram (Real eNodeB, Rogue eNodeB, UE):
  UE: REQUEST
  Rogue eNodeB: REJECT – “These are not the droids you are looking for. And you are not allowed to connect anymore to this network.”
  UE: “These are not the droids we are looking for. I am not allowed to connect to my provider anymore, I won’t try again.”
Jover, Roger Piqueras. "LTE security, protocol exploits and location tracking experimentation with low-cost software radio." arXiv preprint arXiv:1607.05171 (2016).

SOFT DOWNGRADE TO GSM
- Use similar techniques to “instruct” the phone to downgrade to GSM
  - Only GSM services allowed OR LTE and 3G not allowed
- Once at GSM, the phone connects to your rogue base station
  - Bruteforce the encryption
  - Listen to phone calls, read text messages
  - Man in the Middle
  - A long list of other bad things (Much more dangerous)
Slide diagram (Rogue eNodeB, rogue GSM base station, UE):
  UE: REQUEST
  Rogue eNodeB: REJECT – “You will remove these restraints and leave this cell with the door open and use only GSM from now on.”
  UE: “I will remove these restraints and leave this cell with the door open and use only GSM from now on and I’ll drop my weapon.”

DEVICE TEMPORARY LOCK AND SOFT DOWNGRADE
- Some results
  - The blocking of the device/SIM is only temporary
    - Device won’t connect until rebooted
    - SIM won’t connect until reboot
    - SIM/device bricked until timer T3245 expires (24 to 48 hours!)
  - Downgrade device to GSM and get it to connect to a rogue BS
- If the target is an M2M device, it could be a semi-persistent attack
  - Reboot M2M device remotely?
  - Send a technician to reset SIM?
  - Or just wait 48 hours for your M2M device to come back online
Shaik, Altaf, et al. "Practical attacks against privacy and availability in 4G/LTE mobile communication systems." arXiv preprint arXiv:1510.07563 (2015).

CONNECTION HIJACKING IN LTE
- LTE layer 2 encryption and integrity protection
  - Packets with known structure
  - AES Counter Mode (AES-CTR)
  - 16 bit checksum in the IP-UDP DNS request packets
- Protocol exploit
  - Track user (RNTI)
  - Identify DNS requests
  - MitM DNS requests (some “radio” challenges)
  - Apply mask to flip bits on destination IP address
  - Forward DNS requests to malicious DNS server
Rupprecht, David, Katharina Kohls, Thorsten Holz, and Christina Pöpper. "Breaking LTE on Layer Two." To be presented at IEEE Security and Privacy 2019.

EXPLORING UPLINK PROTOCOL SECURITY

SRSUE
- First open-source implementation of the mobile device stack
  - https://github.com/srsLTE/srsLTE/tree/master/srsue
  - First commit May 2017
- Platform to experiment with UL pre-authentication messages
- Now researchers can analyze exploits in the eNodeB and the mobile core network

CONNECTION DETACH HANDSHAKE
- Procedure through which the UE disconnects from the network
  - Switch off UE
  - Airplane mode
  - Remove SIM
- Can be UE initiated and does not require ACK from network (!!!)
- Authentication/integrity protection (?)

CONNECTION DETACH HANDSHAKE
- NAS detach request message
  - Includes EPS mobile identity
    - Can be GUTI or IMSI
    - It can even be the IMEI
  - In some cases it does not require integrity protection
  - It can be spoofed!
Spec excerpts shown on the slide:
- 3GPP TS 24.301 V13.7.0 (2016-09), 5.5.2.2.1 - UE initiated detach procedure initiation (page 122): NAS Detach Request can be sent with TMSI and even just the IMEI
- 3GPP TS 24.301 V13.7.0 (2016-09), 4.4.4.3 - Integrity checking of NAS signalling messages in the MME (page 47): NAS Detach Request NOT integrity protected

THERE’S MORE
- 3GPP TS 24.301 V13.7.0 (2016-09), 4.4.4.3 - Integrity checking of NAS signalling messages in the MME (between page 47 and 48)
- Even if a NAS security context is active, the MME will process a NAS Detach Request with a MAC that fails the integrity check or cannot be verified

REMOTE DEVICE DETACH
- Set up
  - Test smartphone (victim)
  - Linux box #1 + USRP B210 running srsUE (adversary)
  - Linux box #2 + USRP B210 running srsENB + open source LTE EPC
- Run RRC handshake and spoof Detach Request message with victim’s identity
- Knock out victim from network remotely
  - Though in the lab it is not “remotely”
  - Testing it in a real network would be easy, but not legal
  - Next tests: commercial picocell
- Might not work in a real network if inter-layer integrity checks are well implemented
Raza, Muhammad Taqi, Fatima Muhammad Anwar, and Songwu Lu. "Exposing LTE Security Weaknesses at Protocol Inter-Layer, and Inter-Radio Interactions." In International Conference on Security and Privacy in Communication Systems, pp. 312-338. Springer, Cham, 2017.

LTE LOCATION LEAKS

LOCATION LEAKS AND DEVICE TRACKING - RNTI
- RNTI: PHY layer id sent in the clear in EVERY SINGLE packet, both