New Vulnerabilities In 5G Networks - Black Hat Briefings

Transcription

Slide 1: New Vulnerabilities in 5G Networks
Altaf Shaik (Technische Universität Berlin, Germany), Ravishankar Borgaonkar (SINTEF Digital, Norway)
07.08.2019, Black Hat 2019, USA

Slide 2: Identity catching (figure: IMSI and IMEI being caught)

Slide 3: 5G?

Slide 4: 5G Security?
- 5G security vs. 4G security: what's new?
- Same protocols, same security algorithms
- Are the attacks on 4G/LTE fixed? Downgrade attacks, DoS attacks, location tracking
- What is not fixed in 4G is copy-pasted into 5G

Slide 5: Mobile network (figure): mobile device, base station, cell, radio network, core

Slide 6: Capabilities?
UE capabilities:
1. Core network capabilities (security algorithms, voice calling support, V2V): 3GPP TS 24.301, 23.401, 24.008
2. Radio access capabilities (frequency bands, Rx & Tx features, MIMO, CA, category): 3GPP TS 36.331

Slide 7: Core capabilities (figure)

Slide 8: Capabilities in 5G
- V2X: connected cars
- ProSe (D2D): location services
- CIoT: IoT specific

Slide 9: Radio capabilities (figure)

Slide 10: LTE registration
- UE capabilities are sent to the network during registration
- Stored at the network for long periods
- Visible in plain text over the air
Message flow (figure): Registration (core network capabilities) -> Authentication and security -> Get capabilities / Send capabilities (radio access capabilities) -> OTA security -> Save all capabilities -> Registration success

Slide 11: Issue? UE capabilities are:
- Accessible by rogue base stations
- Sent in plain text over the air
- Subject to standard and implementation bugs

Slide 12: Attacks?
- MNmap (active or passive)
- Bidding down (MitM)
- Battery drain (MitM)

Slide 13: Setup: LTE MitM attacker
- Hardware: 2 x (USRP B210 + laptop); targets: phones, Quectel modems, cars, IoT devices, trackers, laptops, routers
- Software: srsLTE
- Attacks tested with real devices and commercial networks

Slide 14: 1. MNmap (Mobile Network Mapping), similar to IP Nmap: maker, model, OS, applications, version

Slide 16: 1. MNmap
- Identify any cellular device in the wild: chip maker, device model, operating system, application of the device, baseband software
- Baseband vendor name and model
- Device classes (figure): cellular (iOS: iPhone, iPad, with version; LG; Nokia); cellular IoT (NB-IoT: smart meters, smart grid, sensors; LTE-M: asset trackers, agriculture, home automation, vending machines, wearables); others (car, railways, router, USB dongle, hotspots, laptops)

Slide 17: Identification: how
- Baseband vendors implement capabilities differently; e.g. Qualcomm chipsets always disable EIA0
- Many capabilities are optional (disabled/enabled)
- Each target application requires a different set of UE capabilities: V2V for automated cars; voice calling and codec support for phones; GPS capability for trackers; data-only support for routers and USB data sticks (SMS only)

Slide 18: DUT (devices under test; figure)

Slide 19: Reference model: devices, baseband vendor, application, chipset name, 3GPP release

Slide 20: Fingerprints: implementation differences among baseband vendors (1 = capability advertised, 0 = not)

Capability                         Huawei  Samsung  Intel  MediaTek  Qualcomm
CM Service Prompt                  1       0        0      0         1
EIA0                               1       1        1      1         0
Access class control for CSFB      0       1        0      1         1
Extended Measurement Capability    0       0        0      1         0

Slide 21: Chipset info (figure)

Slide 22: Half-way
1. Baseband maker
2. Baseband model
3. List of supported devices for the chipset
4. Identify the right device and application

Slide 24: Fingerprints

Difference between phones and other devices:
Capability                 Phone                   Others
UE's usage setting         Voice or Data           Not present
Voice domain preference    CS voice or PS voice    Not present
UMTS AMR codec             Present                 Not present

Difference between iOS and Android (Intel or QCT basebands):
Capability                       Android   iOS
MS assisted GPS                  1         0
Voice over PS-HS UTRA-FDD-r9     1         0
Phone and preferred le

Difference between cellular and cellular IoT:
Capability                            Cellular IoT   Cellular
PSM timer                             1              0
T3412 ext (periodic TAU timer)        1              0
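The matching step behind the fingerprint tables on slides 20 and 24, as an added example: a minimal nearest-fingerprint classifier over the same capability bits. This is not the authors' MNmap tool; the feature names are this example's own labels for the capabilities named on the slides, and the sample capability sets are constructed rather than captured traces.

```python
"""Added example: a minimal MNmap-style matcher over the capability bits in
the fingerprint tables above. It is not the authors' tool; the feature
names are this example's own labels, and the sample capability sets are
constructed, not captured traces."""
from typing import Any, Dict, Tuple

# Slide 20: the four bits used to tell basebands apart (1 = advertised).
FINGERPRINT_BITS = ("cm_service_prompt", "eia0", "ac_control_csfb", "ext_meas_cap")
BASEBAND_FINGERPRINTS: Dict[str, Tuple[int, int, int, int]] = {
    "Huawei":   (1, 1, 0, 0),
    "Samsung":  (0, 1, 1, 0),
    "Intel":    (0, 1, 0, 0),
    "MediaTek": (0, 1, 1, 1),
    "Qualcomm": (1, 0, 1, 0),   # Qualcomm always disables EIA0 (slide 17)
}


def identify_baseband(caps: Dict[str, Any]) -> Tuple[str, int]:
    """Nearest-fingerprint match: returns (vendor, number of mismatching bits).

    A bit missing from the decoded message counts as a mismatch, and a tie
    between vendors is reported as "ambiguous" rather than guessed: slide 25
    notes that detection is not always unique.
    """
    scores = {
        vendor: sum(caps.get(key) != bit for key, bit in zip(FINGERPRINT_BITS, fp))
        for vendor, fp in BASEBAND_FINGERPRINTS.items()
    }
    best = min(scores.values())
    winners = [vendor for vendor, score in scores.items() if score == best]
    return (winners[0] if len(winners) == 1 else "ambiguous", best)


def classify_device(caps: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the slide-24 rules on top of the baseband match."""
    vendor, mismatches = identify_baseband(caps)
    out: Dict[str, Any] = {"baseband": vendor, "fingerprint_mismatches": mismatches}
    # Phone vs. others: these NAS capabilities are present only on phones.
    phone_markers = ("ue_usage_setting", "voice_domain_preference", "umts_amr_codec")
    if any(caps.get(key) is not None for key in phone_markers):
        out["class"] = "phone"
        # iOS vs. Android: MS-assisted GPS and VoPS-HS UTRA-FDD-r9 are both 1 on Android, 0 on iOS.
        pair = (caps.get("ms_assisted_gps"), caps.get("vops_hs_utra_fdd_r9"))
        out["os"] = {(1, 1): "Android", (0, 0): "iOS"}.get(pair, "unknown")
    elif caps.get("psm_timer") == 1 or caps.get("t3412_ext") == 1:
        out["class"] = "cellular IoT"   # PSM / T3412 extended only requested by IoT devices
    else:
        out["class"] = "other cellular (router, dongle, laptop, car, ...)"
    return out


# Constructed samples (not captured traces), written as a decoder might emit them.
SAMPLE_ANDROID_PHONE = {
    "cm_service_prompt": 1, "eia0": 0, "ac_control_csfb": 1, "ext_meas_cap": 0,
    "ue_usage_setting": "voice-centric",
    "voice_domain_preference": "IMS PS voice preferred, CS voice secondary",
    "umts_amr_codec": True, "ms_assisted_gps": 1, "vops_hs_utra_fdd_r9": 1,
}
SAMPLE_IPHONE = {
    "cm_service_prompt": 0, "eia0": 1, "ac_control_csfb": 0, "ext_meas_cap": 0,
    "ue_usage_setting": "voice-centric", "umts_amr_codec": True,
    "ms_assisted_gps": 0, "vops_hs_utra_fdd_r9": 0,
}
SAMPLE_NBIOT_METER = {
    "cm_service_prompt": 1, "eia0": 1, "ac_control_csfb": 0, "ext_meas_cap": 0,
    "psm_timer": 1, "t3412_ext": 1,
}

if __name__ == "__main__":
    for name, caps in [("android", SAMPLE_ANDROID_PHONE), ("iphone", SAMPLE_IPHONE),
                       ("nb-iot", SAMPLE_NBIOT_METER), ("partial", {"eia0": 1})]:
        print(name, classify_device(caps))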

Slide 25: MNmap issues
- The SIM card can affect which capabilities are enabled/disabled (operator setting, e.g. bands)
- IoT applications: LTE-M vs. NB-IoT
- Timer values (low for smart meters, high for asset trackers)
- Successes and failures in detection (close to round-off, multiple options)

Slide 26: Zero encryption for IoT
- Integrity protected and partially ciphered
- EEA0 for NAS by some operator (X)
- IoT devices depend on air-interface security
- Device details in the clear

Slide 27: What next
- Passive MNmap also works (active base station not required)
- Privacy: link IMSI to device capabilities on 4G (associate device fingerprints with people)
- Launch target-specific attacks
- Open-source MNmap: share traces with interested researchers

Slide 28: 2. Bidding down
- A MitM relay sits between UE and network before OTA security and hijacks the radio capabilities in transit
- Flow (figure): Get capabilities -> Send capabilities (radio capabilities) -> relay rewrites and forwards (radio capabilities) -> Save all capabilities -> OTA security -> Registration success
- The network cannot detect it

Slide 29: Bidding down: radio capabilities are modified
- UE category changed (Cat 12 -> Cat 1)
- CA and MIMO are disabled
- Frequency bands are removed
- VoLTE mandatory requirements are disabled
- V2V capabilities can be removed

Slide 30: Tests with real networks
- LTE service downgrade (with elite USIM)
- iPhone 8 and LTE Netgear router (Qualcomm basebands)
- Downlink data rate: 48 Mbps down to 2 Mbps (USA and Europe)
- VoLTE calls are denied to the UE (CSFB used)
- Handovers to 2G/3G due to lack of band support: downgraded

Slide 31: Impact
- 22 out of 32 tested LTE networks worldwide (Europe, Asia, NA) are affected (USA, Switzerland, France, Japan, Korea, Netherlands, UK, Belgium, Iceland)
- Persistent for 7 days: capabilities are cached at the core network
- Restart the device for normal operation
- Note: the radio is the bottleneck for high-speed data service

Slide 32: 3. Battery drain (NB-IoT, narrowband)
- Power Saving Mode (PSM): radio OFF when not in use
- Flow (figure): Registration: UE sends capabilities with PSM enabled -> relay forwards capabilities with PSM disabled -> Authentication and security -> Registration success with PSM not enabled -> battery drain

Slide 33: Tests
- PSM disabled (UE and network don't detect it)
- Continuous activity: neighbor cell measurements drain the battery (10-year battery?)
- Experiment with an NB-IoT UE (Quectel BC68 modem)
- Reconnects after 310 hours (13 days)
- Battery lifetime reduced by 5 times
- Persistent attack: restart required to restore
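The PSM timers that slides 24, 25 and 32 turn on (T3412 extended and T3324) are carried in the GPRS Timer 3 and GPRS Timer 2 encodings of 3GPP TS 24.008. As an added example that is not part of the talk, the block below decodes those octets and checks whether PSM is actually in effect for a device; the octet values are constructed, and the 310-hour figure is shown only because it is exactly 31 x 10 h, the largest value the 10-hour unit encodes.

```python
"""Added example (not from the talk): decode the PSM timers that MNmap keys
on (T3412 extended and T3324) using the GPRS Timer 3 / GPRS Timer 2
encodings of 3GPP TS 24.008, and check whether PSM is actually in effect
for a device. Octet values below are constructed, not captured."""
from typing import Dict, Optional

DEACTIVATED = 0b111  # unit code meaning "timer deactivated" in both IEs

# GPRS Timer 3 (TS 24.008 10.5.7.4a), carried as the T3412 extended value:
# bits 8-6 select the unit, bits 5-1 the multiplier (0-31).
_TIMER3_UNIT_SECONDS = {
    0b000: 10 * 60,       # 10 minutes
    0b001: 3600,          # 1 hour
    0b010: 10 * 3600,     # 10 hours
    0b011: 2,             # 2 seconds
    0b100: 30,            # 30 seconds
    0b101: 60,            # 1 minute
    0b110: 320 * 3600,    # 320 hours
}
# GPRS Timer 2 (TS 24.008 10.5.7.4), carried as the T3324 (active time) value.
_TIMER2_UNIT_SECONDS = {0b000: 2, 0b001: 60, 0b010: 6 * 60}


def _split(octet: int):
    if not 0 <= octet <= 0xFF:
        raise ValueError("timer value is a single octet")
    return (octet >> 5) & 0x7, octet & 0x1F


def decode_t3412_ext(octet: int) -> Optional[int]:
    """Seconds, or None when the timer is deactivated."""
    unit, value = _split(octet)
    if unit == DEACTIVATED:
        return None
    return _TIMER3_UNIT_SECONDS[unit] * value


def decode_t3324(octet: int) -> Optional[int]:
    unit, value = _split(octet)
    if unit == DEACTIVATED:
        return None
    # TS 24.008: any other unit code is interpreted as 1 minute
    return _TIMER2_UNIT_SECONDS.get(unit, 60) * value


def psm_status(t3324_octet: Optional[int], t3412_ext_octet: Optional[int]) -> Dict[str, object]:
    """PSM is in effect only when the network's Attach/TAU Accept carries T3324
    (TS 24.301) and neither timer is deactivated. A MitM that strips the PSM
    capability from the UE's request (slide 32) leaves t3324_octet == None,
    so the device never sleeps."""
    active = None if t3324_octet is None else decode_t3324(t3324_octet)
    periodic = None if t3412_ext_octet is None else decode_t3412_ext(t3412_ext_octet)
    if active is None or periodic is None:
        return {"psm": False, "active_s": active, "periodic_tau_s": periodic, "sleep_s": 0}
    return {"psm": True, "active_s": active, "periodic_tau_s": periodic,
            "sleep_s": max(periodic - active, 0)}


# Constructed octets: T3324 = 3 x 1 minute; T3412 ext = 31 x 10 hours = 310 hours,
# the largest value the 10-hour unit can encode.
SAMPLE_T3324 = 0b001_00011
SAMPLE_T3412_EXT = 0b010_11111

if __name__ == "__main__":
    print(psm_status(SAMPLE_T3324, SAMPLE_T3412_EXT))   # PSM granted, ~310 h asleep per cycle
    print(psm_status(None, SAMPLE_T3412_EXT))           # no T3324 => no PSM
```

The same decoder gives the "timer values" feature from slide 25 a concrete unit: a low T3412 extended value (smart-meter-like) and a high one (asset-tracker-like) are distinguishable only after the unit bits are applied, not from the raw octet.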

Slide 34: Vulnerability status
- Reported to GSMA, 3GPP SA3 and other affected operators and vendors
- Positive acknowledgement / could be implementation issues
- GSMA sent an LS (liaison statement) to 3GPP to add fixes
- Core network capabilities are still unprotected
- MNmap is still possible on 5G

Slide 35: Why without/before security? To do early optimization for better service/connectivity.

Slide 36: Fixes
- Fixes in LTE Release 14 for NB-IoT will be commercial soon
- UE capabilities should be security protected: accessible only after mutual authentication
- Operators' eNodeB implementation/configuration should be updated
- Important capabilities should be replayed to the UE after NAS security setup for verification: V2V, voice calling features, PSM timers, etc.
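The relay on slides 28 and 29 and the replay-based fix on slide 36, as one added model that is not the authors' srsLTE setup: capabilities are a small dataclass rather than RRC ASN.1, and HMAC-SHA256 over a shared key stands in for NAS integrity protection (the point being that the relay never holds that key). The key bytes and capability values are constructed.

```python
"""Added example: a model of the bidding-down relay (slides 28-29) and of the
slide-36 fix, replaying cached capabilities to the UE under NAS security.
It is not the authors' srsLTE setup and does not parse RRC ASN.1: capabilities
are a small dataclass, and HMAC-SHA256 over a shared key stands in for NAS
integrity protection. Key and capability values are constructed."""
from dataclasses import dataclass, replace
import hashlib
import hmac
import json
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class RadioCaps:
    category: int
    carrier_aggregation: bool
    mimo: bool
    bands: FrozenSet[int]
    volte: bool
    v2x: bool

    def canonical(self) -> bytes:
        """Deterministic byte encoding so both ends can compare and MAC it."""
        fields = {**self.__dict__, "bands": sorted(self.bands)}
        return json.dumps(fields, sort_keys=True).encode()


def relay_downgrade(caps: RadioCaps, serving_band: int) -> RadioCaps:
    """What the MitM relay does: the capability message is not yet protected,
    so it can be rewritten before forwarding (Cat 12 -> Cat 1, no CA/MIMO,
    all bands but the serving one removed, VoLTE and V2X stripped)."""
    return replace(caps, category=1, carrier_aggregation=False, mimo=False,
                   bands=frozenset({serving_band}), volte=False, v2x=False)


def nas_mac(k_nas_int: bytes, payload: bytes) -> bytes:
    # Stand-in for NAS integrity protection; the relay has no key, so it cannot forge this.
    return hmac.new(k_nas_int, payload, hashlib.sha256).digest()


class CoreNetwork:
    def __init__(self, k_nas_int: bytes) -> None:
        self.k = k_nas_int
        self.cached: Optional[RadioCaps] = None

    def store_capabilities(self, caps: RadioCaps) -> None:
        self.cached = caps   # taken before OTA security, unverified (slide 31: cached for days)

    def replay_protected(self) -> Tuple[bytes, bytes]:
        payload = self.cached.canonical()
        return payload, nas_mac(self.k, payload)

    def update_protected(self, caps: RadioCaps, tag: bytes) -> None:
        if not hmac.compare_digest(nas_mac(self.k, caps.canonical()), tag):
            raise ValueError("capability update failed integrity check")
        self.cached = caps


class UE:
    def __init__(self, caps: RadioCaps, k_nas_int: bytes) -> None:
        self.caps, self.k = caps, k_nas_int

    def verify_replay(self, payload: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(nas_mac(self.k, payload), tag):
            raise ValueError("replayed capabilities failed integrity check")
        return payload == self.caps.canonical()

    def resend_protected(self) -> Tuple[RadioCaps, bytes]:
        return self.caps, nas_mac(self.k, self.caps.canonical())


def registration(ue_caps: RadioCaps, mitm: bool, with_fix: bool) -> Dict[str, object]:
    """One registration; returns what the core ends up caching and whether the
    downgrade was caught. The shared key models K_NASint after AKA (constructed)."""
    k_nas_int = b"constructed-k-nas-int"
    net, ue = CoreNetwork(k_nas_int), UE(ue_caps, k_nas_int)
    sent = relay_downgrade(ue_caps, serving_band=3) if mitm else ue_caps
    net.store_capabilities(sent)                      # before OTA security
    detected = False
    if with_fix:                                      # after NAS security setup
        payload, tag = net.replay_protected()
        if not ue.verify_replay(payload, tag):
            detected = True
            net.update_protected(*ue.resend_protected())
    return {"cached": net.cached, "downgrade_detected": detected}


# Constructed capability set for a Cat 12 phone.
SAMPLE_UE_CAPS = RadioCaps(category=12, carrier_aggregation=True, mimo=True,
                           bands=frozenset({1, 3, 7, 20}), volte=True, v2x=True)

if __name__ == "__main__":
    print(registration(SAMPLE_UE_CAPS, mitm=True, with_fix=False))   # core caches Cat 1, nobody notices
    print(registration(SAMPLE_UE_CAPS, mitm=True, with_fix=True))    # UE detects, real capabilities restored
```

The replay only detects the rewrite after the fact; the stronger fix on the slide, requesting capabilities only after mutual authentication, removes the unprotected window altogether.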

Slide 37: Thank you
