Femtocells : Inexpensive devices to test UMTS security

Kévin Redon, Ravishankar Borgaonkar
Technische Universität Berlin, SecT
kredon/ravii@sec.t-labs.tu-berlin.de
Hackito Ergo Sum 2011, 8 April 2011
✆ mobile telecommunication : singularity, big bang, cyberspace
⚛ femtocells
☠ owning it
⚔ analyzing 3G security
telephony
telegraph invented in the early 1800s
idea of a "speaking telegraph" emerges in 1844
patent for "voice through a telegraphic circuit" filed in 1876
application : speaking instantaneously over long distances
R. Borgaonkar, K. Redon
HNB.secured?(UMTS)
2 / 37
0G/1G
need for business people to be reachable at any time, anywhere
0G - 1950 : not so handy. proprietary attempts
1G - 1980 : similar to 2G, but with analog voice (like in PSTN)
2G : Global System for Mobile Communications (GSM)
mobile standard developed in France in 1991 (Groupe Spécial Mobile)
very popular, unexpected by the telcos
now used world wide
2G : GSM now broken
infrastructure elements now available to the public
IMSI catching possible (no network authentication)
sniffing possible (A5/1 encryption algorithm broken)
MitM possible (A5/2 encryption algorithm broken)
2G+ : data over mobile
2G : "Internet" access with WAP
2.5G : GPRS. Packet Switching capability
2.75G : EDGE. Faster, but still too slow
3G : Universal Mobile Telecommunications System (UMTS)
appeared in 2002
voice and data communication
the phone becomes a network device
required and supported by smartphones
3G+ : usable Internet
3.5G : HSDPA, faster download
3.75G : HSUPA, faster upload
3.9G : LTE/WiMAX attempts
⚛ femtocells : UMTS architecture, Home Node B (HNB), HNB Subsystem (HNS)
UMTS architecture (complex)
UMTS architecture (simplified)
cells
technology
What is a femtocell :
it's an access point (sometimes called FAP)
it connects the mobile phone to the 3G/UMTS network
compatible with every UMTS-capable mobile phone
small cell, with a coverage of less than 20 m
low power device
easy to install, you only have to provide power and Internet access
technical name : Home Node B (HNB)
user advantages
advantages provided to the users :
can be installed at home to provide coverage (if not available)
provides high bandwidth (not shared with the public)
can provide location based services (kids arrived at home)
but nothing Wi-Fi cannot provide for free, except that you don't have to configure the phone.
operator advantages
advantages for the operator :
extended coverage, near to the users
traffic offloads from their public infrastructure
cheap hardware, that the user even has to buy
no installation cost
no maintenance cost
new revenue possibilities
IP connectivity
conclusion : femtocells are a great opportunity for the operators.
HNB in UMTS network
HNB Subsystem
☠ owning it : ordering, location verification, blind dating, recovery to failure, customizing
requirements
How to get a femtocell :
choose a country from the 12 which deploy them
get an address and IP from this country, because usage is only allowed within the country
select an operator from the 18 which offer them
get a mobile phone subscription from this operator, required to get the femtocell service
gently ask for a femtocell
get it for free, one time payment, or monthly fee
enjoy ☺
purpose
operators have to verify where the femtocell is, for several reasons:
prevent you from avoiding roaming costs in foreign countries
UMTS uses the 2.1 GHz freq. band, a licensed spectrum band. The operators own the radio licenses for the femtocell only for their country
location of the users is required for lawful interception
techniques
How to find where the femtocell is located :
IP : geoIP, even knowing the ISP is enough
GNSS : Global Navigation Satellite System (often GPS)
macrocell : cells periodically send country, network, and location information (MCC, MNC, LAC)
attacks
final solution
under the hood
first approach
sniffing :
only DHCP and NTP, then everything goes over IPsec
probing ports (nmap) :
only port 80 is open (Linux has been detected, but the source code is not available)
web interface available :
protected access, no documentation, even the customer service was unaware
serial port :
found on PCB, but login prompt is disabled
First impression : the device is secure. ☹
But the first impression is not the last impression. ☺
recovery mode and purpose
remember :
keep femtocells cheap
no maintenance cost
no local support
if something does not work right, do a factory reset.
for that, the recovery procedure has been created.
this is a critical point
process overview
flaws and exploits
reconfigure
the parameter list contains some interesting values :
the login prompt or the serial port can be enabled (the root password is the same as in the recovery image, stored as an MD5 hash)
it includes the public key used to verify the signatures
it's possible to clone femtocells (except the SIM)
[General]
pcbid=P04S...
imei=357539...
mac=00:1B:67:...
hwflag=2
serial=P04S...
[BootSigning]
pubkey=EE:17:C5:F2:...
reflash
the firmware list contains all the needed information :
the URLs, encryption keys and signatures are in there
you can use the previously obtained images, and modify them
you can provide the modified images
now it's possible to install anything
⚔ analyzing 3G security : authentication & encryption, en garde, the end
testing 3G security features
femtocells can be used to check various classmarks supported by mobiles
authentication tuples
information in the authentication tuples (RAND, XRES, IK, CK, AUTN) :
collect RAND and AUTN
check randomness of RAND
U. Meyer and S. Wetzel, "A man-in-the-middle attack on UMTS", in Proceedings of the ACM Workshop on Wireless Security (WiSe 2004), October 2004
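Added example (not from the original slides): one way to carry out the "check randomness of RAND" step on a set of collected 128-bit challenges, using a repeat check, the NIST SP 800-22 frequency (monobit) test and a per-bit bias count. The function names, the thresholds and the sample capture are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

RAND_BITS = 128  # length of the UMTS AKA challenge RAND


def parse_rands(hex_values):
    """Decode hex strings into RAND values; reject empty input or wrong lengths."""
    rands = [bytes.fromhex(h) for h in hex_values]
    if not rands or any(len(r) * 8 != RAND_BITS for r in rands):
        raise ValueError("need at least one RAND, each exactly 128 bits")
    return rands


def monobit_p_value(rands):
    """Frequency (monobit) test from NIST SP 800-22 over all collected bits."""
    data = b"".join(rands)
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return math.erfc(abs(2 * ones - n) / math.sqrt(n) / math.sqrt(2))


def biased_bit_positions(rands, sigmas=4.0):
    """Bit positions whose count of ones is more than `sigmas` deviations from n/2."""
    n = len(rands)
    limit = sigmas * math.sqrt(n) / 2
    ones = [sum((r[p // 8] >> (7 - p % 8)) & 1 for r in rands) for p in range(RAND_BITS)]
    return [p for p, c in enumerate(ones) if abs(c - n / 2) > limit]


def assess(hex_values, alpha=0.01):
    rands = parse_rands(hex_values)
    repeats = [r.hex() for r, c in Counter(rands).items() if c > 1]
    return {
        "count": len(rands),
        "repeated": repeats,  # a 128-bit challenge should never repeat
        "monobit_pass": monobit_p_value(rands) >= alpha,
        "biased_bits": biased_bit_positions(rands),
    }


def constructed_weak_capture(n=64):
    """Constructed sample (not real traffic): 32 fixed zero bits, then 96 hash-derived bits."""
    return ["00000000" + hashlib.sha256(bytes([i])).hexdigest()[:24] for i in range(n)]


if __name__ == "__main__":
    print(assess(constructed_weak_capture()))
```

The per-bit count needs more than 16 samples before a constant bit can exceed the default 4-sigma limit, so small captures should be judged on the repeat check alone.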
encryption
calls are encrypted ...
... up to the antenna
then communication is clear text
like everything else in the telecommunication network
phone capabilities
encryption over-the-air can even be turned off
helps to identify which phones indicate it (just a few)
the beginning of a story
episode 1
femtocells are an effective technology in terms of offloading the traffic and of new business cases
but ... the operators need to start thinking about security
follow the specifications closely, secure the device and networks
some serious threats (ongoing work) :
test core network
build a MitM
test 3G phones
episode 2
4G (LTE Advanced) is coming
all IP infrastructure
very closely connected elements
the network needs to be compatible with old technology
HeNB (evolved) are also on the way ☺
thanks
Thanks to :
Nico Golde, TU Berlin
Collin Mulliner, TU Berlin
Prof. Jean-Pierre Seifert, TU Berlin
Benjamin Michéle, TU Berlin
questions
Thank you
Questions ?