Security of Cellular Networks: Man-in-the Middle Attacks

Mario agalj

University of Split

8.1.2013.

Security in the GSM system by Jeremy Quirke, 2004

Introduction
Nowadays, mobile phones are used by 80-90% of the

worlds population (billion of users) Evolution

1G: analog cellular networks
GSM security specifications

2G: digital cellular networks with GSM (Global System for Mobile

Communications) beign the most popular and the most widely used standard (circuit switching)
other 2G: technologies IS-95 CDMA based (US), PDC (Japan), etc.

2.5G: GPRS (General Packet Radio Service) packet switching

2.75G: EDGE faster data service

3G: UMTS (CDMA based), HSPA for data traffic (e.g., 5-10 Mbps)
other 3G: CDMA2000 (US, S. Korea)

4G: LTE (OFDM based), peak data rates of 100Mbps

Cellular Network Architecture

A high level view
Databases (e.g., Home Location Register)

Mobile Station

Base Station

Mobile Switching Center

External Network

Cellular Network
EPFL, JPH
3

Cellular Network Architecture

Registration Process

Nr: 079/4154678

Tune on the strongest signal EPFL, JPH

4

Cellular Network Architecture

Service Request

079/4154678 079/8132627

079/4154678 079/8132627

EPFL, JPH

Cellular Network Architecture

Paging Broadcast (locating a particular mobile station in case of mobile terminated call)

079/8132627?
079/8132627? 079/8132627?

079/8132627?

Note: paging makes sense only over a small area

EPFL, JPH
6

Cellular Network Architecture

Response

079/8132627

079/8132627

EPFL, JPH

Cellular Network Architecture

Channel Assignement

Channel 47

Channel 47

Channel 68

Channel 68

EPFL, JPH

Cellular Network Architecture

Conversation

EPFL, JPH

Cellular Network Architecture

Handover (or Handoff)

EPFL, JPH

10

Cellular Network Architecture

Message Sequence Chart
Caller
Base Station Switch Base Station Callee

Periodic registration

Periodic registration

Service request

Service request Page request Page request

Paging broadcast

Paging broadcast
Paging response Paging response Tune to Ch. 68

Tune to Ch.47 Ring indication Stop ring indication EPFL, JPH

Assign Ch. 47 Ring indication Stop ring indication

Assign Ch. 68

Alert tone
User response User response
11

GSM System Architecture

Based on Mobile Communications: Wireless Telecommunication Systems

Architecture of the GSM system

GSM is a PLMN (Public Land Mobile Network)
several providers setup mobile networks following the GSM

standard within each country components

MS (mobile station)

BS (base station)
MSC (mobile switching center) LR (location register)

subsystems RSS (radio subsystem): covers all radio aspects NSS (network and switching subsystem): call forwarding, handover, switching OSS (operation subsystem): management of the network
13

Please check http://gsmfordummies.com/architecture/arch.shtml

GSM: overview
OMC, EIR, AUC NSS with OSS VLR MSC HLR GMSC

fixed network
MSC

VLR

BSC BSC RSS

14

GSM: system architecture

radio subsystem MS MS ISDN PSTN MSC BTS BTS BSC EIR network and switching subsystem fixed networks

SS7

HLR

BTS BTS BSS BSC MSC IWF

VLR ISDN PSTN PSPDN CSPDN

15

System architecture: radio subsystem

radio subsystem MS MS network and switching subsystem

Components
MS (Mobile Station)
BSS (Base Station Subsystem):

consisting of
BTS (Base Transceiver Station):

BTS BTS BSC MSC

sender and receiver BSC (Base Station Controller): controlling several transceivers

BTS BTS BSS BSC

MSC

16

Radio subsystem
The Radio Subsystem (RSS) comprises the cellular mobile

network up to the switching centers Components

Base Station Subsystem (BSS): Base Transceiver Station (BTS): radio components including sender, receiver, antenna - if directed antennas are used one BTS can cover several cells Base Station Controller (BSC): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels onto terrestrial channels Mobile Stations (MS)
17

GSM: cellular network

segmentation of the area into cells
possible radio coverage of the cell

cell

idealized shape of the cell

use of several carrier frequencies not the same frequency in adjoining cells cell sizes vary from some 100 m up to 35 km depending on user density,

geography, transceiver power etc. hexagonal shape of cells is idealized (cells overlap, shapes depend on geography) if a mobile user changes cells
handover of the connection to the neighbor cell
18

System architecture: network and switching subsystem

network subsystem fixed partner networks

Components MSC (Mobile Services Switching Center) IWF (Interworking Functions)

ISDN PSTN MSC

EIR SS7

ISDN (Integrated Services Digital Network) PSTN (Public Switched Telephone Network) PSPDN (Packet Switched Public Data Net.) CSPDN (Circuit Switched Public Data Net.)

HLR

VLR MSC IWF ISDN PSTN PSPDN CSPDN

Databases HLR (Home Location Register) VLR (Visitor Location Register) EIR (Equipment Identity Register)

19

Network and switching subsystem

NSS is the main component of the public mobile network GSM
switching, mobility management, interconnection to other networks,

system control

Components
Mobile Services Switching Center (MSC)

controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC Databases (important: scalability, high capacity, low delay)
Home Location Register (HLR)

central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
Visitor Location Register (VLR)

local database for a subset of user data, including data about all user currently in the domain of the VLR
20

Mobile Services Switching Center

The MSC (mobile switching center) plays a central role in

GSM
switching functions additional functions for mobility support management of network resources

interworking functions via Gateway MSC (GMSC)

integration of several databases

21

Operation subsystem
The OSS (Operation Subsystem) enables centralized operation,

management, and maintenance of all GSM subsystems Components

Authentication Center (AUC)
generates user specific authentication parameters on request of a VLR authentication parameters used for authentication of mobile terminals and

encryption of user data on the air interface within the GSM system
Equipment Identity Register (EIR)
registers GSM mobile stations and user rights stolen or malfunctioning mobile stations can be locked and sometimes even

localized
Operation and Maintenance Center (OMC)
different control capabilities for the radio subsystem and the network subsystem
22

Please check http://gsmfordummies.com/gsmevents/mobile_terminated.shtml

Mobile Terminated Call

1: calling a GSM subscriber 2: forwarding call to GMSC
HLR

4 5 7

VLR

3: signal call setup to HLR

4, 5: request MSRN (roaming number) from VLR 6: forward responsible MSC to GMSC 7: forward call to current MSC 8, 9: get current status of MS 10, 11: paging of MS 12, 13: MS answers 14, 15: security checks 16, 17: set up connection
BSS calling station

3 6 1
PSTN

8 9 14 15
MSC

GMSC

10 11

10 13 16
BSS

10
BSS

11 11 12 17
MS

11

23

Mobile Originated Call

1, 2: connection request 3, 4: security check

5-8: check resources (free circuit)

9-10: set up call
PSTN

VLR

3 4 6 7
MS GMSC

5 8

MSC

2 9
1 10
BSS

24

Mobile Terminated and Mobile Originated Calls

MS

MTC
paging request channel request immediate assignment paging response authentication request

BTS

MS

MOC
channel request immediate assignment service request authentication request

BTS

authentication response
ciphering command ciphering complete setup call confirmed assignment command assignment complete alerting connect connect acknowledge data/speech exchange

authentication response
ciphering command ciphering complete setup call confirmed assignment command assignment complete alerting connect connect acknowledge data/speech exchange

25

Security in GSM
Based on:
Security in the GSM system by Jeremy Quirke
The GSM Standard (An overview of its security) by SANS Institute InfoSec Reading Room

Mobile Communications: Wireless Telecommunication Systems

Security Services in GSM

Access control/authentication
user <--x-- SIM (Subscriber Identity Module): secret PIN (personal

identification number) SIM <--x-- network: challenge response method

Confidentiality
voice and signaling encrypted on the wireless link (after successful

authentication)

Anonymity
temporary identity TMSI

(Temporary Mobile Subscriber Identity) newly assigned at each new location update (LUP) encrypted transmission
27

Security Services in GSM

Authentication

SIM (Subscriber Identity Module) card

smartcard inserted into a mobiel phone contains all necessary details to obtain access to an account
unique IMSI (International Mobile Subscriber Identity)
Ki - the individual subscriber authentication key (128bit, used to generate all

other encryption and authentication keying GSM material)

highly protected the mobile phone never learns this key, mobile only forwards any required material to the SIM known only to the SIM and network AUC (Authentication Center)

SIM unlocked using a PIN or PUK

authentication (A3 algorithm) and key generation (A8 algorithm)

is performed in the SIM

SIM contains a microprocessor
28

Security Services in GSM

Authentication

mobile network Ki AC 128 bit A3 RAND 128 bit RAND

SIM RAND 128 bit A3 SIM Ki 128 bit

SRES* 32 bit
SRES 32 bit

SRES 32 bit

MSC

SRES* =? SRES

SRES

Ki: individual subscriber authentication key SRES: signed response

29

Security Services in GSM

Authentication

Kc: Session encryption key generated together with SRES

30

Security Services in GSM

Encryption

mobile network (BTS)

MS with SIM RAND

Ki
AC 128 bit

RAND
128 bit A8

RAND
128 bit A8

Ki
128 bit SIM

cipher key BTS

Kc 64 bit data A5 encrypted data

Kc 64 bit SRES data MS A5 31

Security Services in GSM

Authentication and Encryption

A3 and A8 algorithms are both run in SIM at the same time on the

same input (RAND, Ki)

A3A8 = COMP128v1, COMP128v2, COMP123v3 (serious weaknesses known) not used in UMTS

Encryption algorithm A5
symmetric encryption algorithm voice/data encryption performed by a phone using generated encryption key Kc

32

Security Services in GSM

Encryption

A5 algorithms
A5/0 no encryption used A5/1 and A5/2 developed far from public domain and later found

flawed
stream ciphers based on linear feedback shift registers A5/2 completely broken (not used anymore in GSM) A5/1 is a bit stronger but also broken by many researchers

A5/3 is a block cipher based on Kasumi encryption algorithm

used in UMTS, GSM, and GPRS mobile communications systems public and reasonably secure (at least at the moment)

33

Security Services in GSM

Summary

34

Security Weaknesess in GSM

A mobile phone does not authenticate the base station!
only mobile authenticate to BS (one-way authentication) fake BS and man-in-the middle attacks possible
attacker does not have to know authentication key Ki

A5/0 - No Encryption algorithm is a valid choice in GSM

for voice, SMS, GPRS, EDGE services

Many weaknesses in A5 family of encryption algorithms

35

Security Weaknesess in GSM

36

Security Services in GSM

Anonymity

Preventing eavesdropper (listening attacker) from determining if a

particular subscriber is/was in the given area

location privacy thanks to long ranges a very powerful attack attacker uses IMSI (International Mobile Subscriber Identity)
IMSI Catchers

To preserve location privacy GSM defines TMSI (Temporary Mobile

Subscriber Identity)
when a phone turned on, IMSI from SIM transmitted in clear to the AUC
after this TMSI is assigned to this user for location privacy after each location update or a predefined time out, a new TMSI is assigned to the

mobile phone a new TMSI is sent encrypted (whenever possible)

VLR database contains mapping TMSI to IMSI
37

Security Services in GSM

Anonymity

38

Security Services in GSM

Anonymity

39

Security Weaknesess in GSM

Attack Against the Anonymity Service

GSM provisions for situation when the network somhow

loses track of a particular TMSI

in this case the network must ask the subscriber its IMSI over the radio link

using the IDENTITY REQUEST and IDENTITY RESPONSE mechanism however, the connection cannot be encrypted if the network does not know the IMSI and so the IMSI is sent in plain text the attacker can use this to map known TMSI and unknown and user-specific IMSI

40

Countermeasures: UMTS
UMTS defines 2-way authentication and mandates the

use of stronger encryption and authentication primitives

prevents MITM attacks by a fake BS, but be cautious...

Still many reasons to worry about most mobiles support < 3G standards (GPRS, EDGE)
when signal is bad, hard to supprot UMTS rates mobile providers already invested a lot of money and do not give up upon

old BSS equippment femtocells

41

Many Reason to Worry About Your Privacy

http://www.theregister.co.uk/2008/05/20/tracking_phones/ http://www.theregister.co.uk/2011/10/31/met_police_datong_mo

bile_tracking/ (check also http://www.pathintelligence.com)

http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.black

hat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_PerezPico_Mobile_Attacks-Slides.pdf
http://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-

labs.tu-berlin.de%2Fbh2011.pdf
42