Transcript MSC
Security of Cellular Networks:
Man-in-the Middle Attacks
Mario Čagalj
University of Split
2013/2014.
‘Security in the GSM system’ by Jeremy Quirke, 2004
Introduction
Nowadays, mobile phones are used by 80-90% of the
world’s population (billion of users)
Evolution
1G: analog cellular networks
GSM security specifications
2G: digital cellular networks with GSM (Global System for Mobile
Communications) beign the most popular and the most widely used
standard (circuit switching)
other 2G: technologies IS-95 – CDMA based (US), PDC (Japan), etc.
2.5G: GPRS (General Packet Radio Service) – packet switching
2.75G: EDGE – faster data service
3G: UMTS (CDMA based), HSPA for data traffic (e.g., 5-10 Mbps)
other 3G: CDMA2000 (US, S. Korea)
4G: LTE (OFDM based), peak data rates of 100Mbps
2
Cellular Network Architecture
A high level view
Databases
(e.g., Home
Location Register)
Mobile
Station
Base
Station
Mobile
Switching
Center
External
Network
Cellular Network
EPFL, JPH
3
Cellular Network Architecture
Registration Process
Nr: 079/4154678
Tune on the strongest signal
EPFL, JPH
4
Cellular Network Architecture
Service Request
079/4154678
079/8132627
EPFL, JPH
079/4154678
079/8132627
5
Cellular Network Architecture
Paging Broadcast (locating a particular mobile station in case of mobile
terminated call)
079/8132627?
079/8132627?
079/8132627?
079/8132627?
Note: paging makes sense only over a small area
EPFL, JPH
6
Cellular Network Architecture
Response
079/8132627
079/8132627
EPFL, JPH
7
Cellular Network Architecture
Channel Assignement
Channel
47
Channel
47
Channel
68
Channel
68
EPFL, JPH
8
Cellular Network Architecture
Conversation
EPFL, JPH
9
Cellular Network Architecture
Handover (or Handoff)
EPFL, JPH
10
Cellular Network Architecture
Message Sequence Chart
Base
Station
Caller
Base
Station
Switch
Periodic registration
Service request
Paging broadcast
Tune to Ch.47
Ring indication
Stop ring indication
EPFL, JPH
Callee
Periodic registration
Service request
Page request
Page request
Paging broadcast
Assign Ch. 47
Paging response
Paging response
Assign Ch. 68
Tune to Ch. 68
Alert tone
Ring indication
Stop ring indication
User response
User response
11
GSM System Architecture
Based on ‘Mobile Communications: Wireless
Telecommunication Systems’
Architecture of the GSM system
GSM is a PLMN (Public Land Mobile Network)
several providers setup mobile networks following the GSM
standard within each country
components
MS (mobile station)
BS (base station)
MSC (mobile switching center)
LR (location register)
subsystems
RSS (radio subsystem): covers all radio aspects
NSS (network and switching subsystem): call forwarding, handover,
switching
OSS (operation subsystem): management of the network
13
Please check http://gsmfordummies.com/architecture/arch.shtml
GSM: overview
OMC, EIR,
AUC
HLR
NSS
with OSS
VLR
MSC
GMSC
VLR
fixed network
MSC
BSC
BSC
RSS
14
GSM: system architecture
radio
subsystem
MS
network and switching
subsystem
fixed
networks
MS
ISDN
PSTN
MSC
BTS
BSC
EIR
SS7
BTS
HLR
VLR
BTS
BSC
BTS
BSS
MSC
IWF
ISDN
PSTN
PSPDN
CSPDN
15
System architecture: radio subsystem
radio
subsystem
MS
network and switching
subsystem
Components
MS (Mobile Station)
MS
BSS (Base Station Subsystem):
consisting of
BTS (Base Transceiver Station):
BTS
BTS
BSC
MSC
BSC
MSC
BTS
BTS
sender and receiver
BSC (Base Station Controller):
controlling several transceivers
BSS
16
Radio subsystem
The Radio Subsystem (RSS) comprises the cellular mobile
network up to the switching centers
Components
Base Station Subsystem (BSS):
Base Transceiver Station (BTS): radio components including sender,
receiver, antenna - if directed antennas are used one BTS can cover
several cells
Base Station Controller (BSC): switching between BTSs, controlling BTSs,
managing of network resources, mapping of radio channels onto
terrestrial channels
Mobile Stations (MS)
17
GSM: cellular network
segmentation of the area into cells
possible radio coverage of the cell
cell
idealized shape of the cell
use of several carrier frequencies
not the same frequency in adjoining cells
cell sizes vary from some 100 m up to 35 km depending on user density,
geography, transceiver power etc.
hexagonal shape of cells is idealized (cells overlap, shapes depend on
geography)
if a mobile user changes cells
handover of the connection to the neighbor cell
18
System architecture: network and
switching subsystem
network
subsystem
fixed partner
networks
ISDN
PSTN
MSC
SS7
EIR
HLR
VLR
MSC
IWF
ISDN
PSTN
PSPDN
CSPDN
Components
MSC (Mobile Services Switching Center)
IWF (Interworking Functions)
ISDN (Integrated Services Digital Network)
PSTN (Public Switched Telephone Network)
PSPDN (Packet Switched Public Data Net.)
CSPDN (Circuit Switched Public Data Net.)
Databases
HLR (Home Location Register)
VLR (Visitor Location Register)
EIR (Equipment Identity Register)
19
Network and switching subsystem
NSS is the main component of the public mobile network GSM
switching, mobility management, interconnection to other networks,
system control
Components
Mobile Services Switching Center (MSC)
controls all connections via a separated network to/from a mobile terminal
within the domain of the MSC - several BSC can belong to a MSC
Databases (important: scalability, high capacity, low delay)
Home Location Register (HLR)
central master database containing user data, permanent and semi-permanent
data of all subscribers assigned to the HLR (one provider can have several HLRs)
Visitor Location Register (VLR)
local database for a subset of user data, including data about all user currently in
the domain of the VLR
20
Mobile Services Switching Center
The MSC (mobile switching center) plays a central role in
GSM
switching functions
additional functions for mobility support
management of network resources
interworking functions via Gateway MSC (GMSC)
integration of several databases
21
Operation subsystem
The OSS (Operation Subsystem) enables centralized operation,
management, and maintenance of all GSM subsystems
Components
Authentication Center (AUC)
generates user specific authentication parameters on request of a VLR
authentication parameters used for authentication of mobile terminals and
encryption of user data on the air interface within the GSM system
Equipment Identity Register (EIR)
registers GSM mobile stations and user rights
stolen or malfunctioning mobile stations can be locked and sometimes even
localized
Operation and Maintenance Center (OMC)
different control capabilities for the radio subsystem and the network subsystem
22
Please check http://gsmfordummies.com/gsmevents/mobile_terminated.shtml
Mobile Terminated Call
1: calling a GSM subscriber
HLR
2: forwarding call to GMSC
3 6
3: signal call setup to HLR
4, 5: request MSRN (roaming
number) from VLR
calling
station
1
PSTN
2
GMSC
6: forward responsible
MSC to GMSC
7: forward call to
current MSC
8, 9: get current status of MS
10, 11: paging of MS
4
5
10
7
VLR
8 9
14 15
MSC
10 13
16
10
BSS
BSS
BSS
11
11
11
11 12
17
MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection
23
Mobile Originated Call
1, 2: connection request
3, 4: security check
VLR
5-8: check resources (free circuit)
9-10: set up call
3 4
PSTN
6
GMSC
7
5
8
MS
1
10
MSC
2 9
BSS
24
Mobile Terminated and Mobile Originated Calls
MS
MTC
BTS
MS
MOC
BTS
paging request
channel request
channel request
immediate assignment
immediate assignment
paging response
service request
authentication request
authentication request
authentication response
authentication response
ciphering command
ciphering command
ciphering complete
ciphering complete
setup
setup
call confirmed
call confirmed
assignment command
assignment command
assignment complete
assignment complete
alerting
alerting
connect
connect
connect acknowledge
connect acknowledge
data/speech exchange
data/speech exchange
25
Security in GSM
Based on:
‘Security in the GSM system’ by Jeremy Quirke
‘The GSM Standard (An overview of its security)’ by SANS Institute
InfoSec Reading Room
‘Mobile Communications: Wireless Telecommunication Systems’
Security Services in GSM
Access control/authentication
x
user <-- -- SIM (Subscriber Identity Module): secret PIN (personal
identification number)
x
SIM <-- -- network: challenge response method
Confidentiality
voice and signaling encrypted on the wireless link (after successful
authentication)
Anonymity
temporary identity TMSI (Temporary Mobile Subscriber Identity)
newly assigned at each new location update (LUP)
encrypted transmission
27
Security Services in GSM
Authentication
SIM (Subscriber Identity Module) card
smartcard inserted into a mobiel phone
contains all necessary details to obtain access to an account
unique IMSI (International Mobile Subscriber Identity)
Ki - the individual subscriber authentication key (128bit, used to generate all
other encryption and authentication keying GSM material)
highly protected – the mobile phone never learns this key, mobile only forwards
any required material to the SIM
known only to the SIM and network AUC (Authentication Center)
SIM unlocked using a PIN or PUK
authentication (A3 algorithm) and key generation (A8 algorithm)
is performed in the SIM
SIM contains a microprocessor
28
Security Services in GSM
Authentication
SIM
mobile network
Ki
AC
RAND
128 bit
RAND
128 bit
RAND
128 bit
A3
Ki
128 bit
A3
SIM
SRES* 32 bit
MSC
SRES* =? SRES
SRES 32 bit
SRES
32 bit
SRES
Ki: individual subscriber authentication key SRES: signed response
29
Security Services in GSM
Authentication
Kc: Session encryption key generated together with SRES
30
Security Services in GSM
Encryption
MS with SIM
mobile network (BTS)
Ki
AC
RAND
128 bit
RAND
128 bit
RAND
128 bit
A8
cipher
key
BTS
Ki
128 bit
SIM
A8
Kc
64 bit
Kc
64 bit
data
A5
encrypted
data
SRES
data
A5
MS
31
Security Services in GSM
Authentication and Encryption
A3 and A8 algorithms are both run in SIM at the same time on the
same input (RAND, Ki)
A3A8 = COMP128v1, COMP128v2, COMP123v3 (serious weaknesses known)
not used in UMTS
Encryption algorithm A5
symmetric encryption algorithm
voice/data encryption performed by a phone using generated encryption key Kc
32
Security Services in GSM
Encryption
A5 algorithms
A5/0 – no encryption used
A5/1 and A5/2 developed far from public domain and later found
flawed
stream ciphers based on linear feedback shift registers
A5/2 completely broken (not used anymore in GSM)
A5/1 is a bit stronger but also broken by many researchers
A5/3 – is a block cipher based on Kasumi encryption algorithm
used in UMTS, GSM, and GPRS mobile communications systems
public and reasonably secure (at least at the moment)
33
Security Services in GSM
Summary
34
Security Weaknesess in GSM
A mobile phone does not authenticate the base station!
only mobile authenticate to BS (one-way authentication)
fake BS and man-in-the middle attacks possible
attacker does not have to know authentication key Ki
A5/0 - No Encryption algorithm is a valid choice in GSM
for voice, SMS, GPRS, EDGE services
Many weaknesses in A5 family of encryption algorithms
35
Security Weaknesess in GSM
36
Security Services in GSM
Anonymity
Preventing eavesdropper (listening attacker) from determining if a
particular subscriber is/was in the given area
location privacy
thanks to long ranges a very powerful attack
attacker uses IMSI (International Mobile Subscriber Identity)
IMSI Catchers
To preserve location privacy GSM defines TMSI (Temporary Mobile
Subscriber Identity)
when a phone turned on, IMSI from SIM transmitted in clear to the AUC
after this TMSI is assigned to this user for location privacy
after each location update or a predefined time out, a new TMSI is assigned to the
mobile phone
a new TMSI is sent encrypted (whenever possible)
VLR database contains mapping TMSI to IMSI
37
Security Services in GSM
Anonymity
38
Security Services in GSM
Anonymity
39
Security Weaknesess in GSM
Attack Against the Anonymity Service
GSM provisions for situation when the network somhow
loses track of a particular TMSI
in this case the network must ask the subscriber its IMSI over the radio link
using the IDENTITY REQUEST and IDENTITY RESPONSE mechanism
however, the connection cannot be encrypted if the network does not know
the IMSI and so the IMSI is sent in plain text
the attacker can use this to map known TMSI and unknown and user-specific
IMSI
40
Countermeasures: UMTS
UMTS defines 2-way authentication and mandates the
use of stronger encryption and authentication primitives
prevents MITM attacks by a fake BS, but be cautious...
Still many reasons to worry about
most mobiles support < 3G standards (GPRS, EDGE)
when signal is bad, hard to supprot UMTS rates
mobile providers already invested a lot of money and do not give up upon
‘old’ BSS equippment
femtocells
41
Many Reason to Worry About Your Privacy
http://www.theregister.co.uk/2008/05/20/tracking_phones/
http://www.theregister.co.uk/2011/10/31/met_police_datong_mo
bile_tracking/ (check also http://www.pathintelligence.com)
http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.black
hat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_PerezPico_Mobile_Attacks-Slides.pdf
http://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-
labs.tu-berlin.de%2Fbh2011.pdf
42