Femtocells : Inexpensive devices to test UMTS security
Transcription
Kévin Redon, Ravishankar Borgaonkar
Technische Universität Berlin, SecT
kredon/ravii@sec.t-labs.tu-berlin.de
Hackito Ergo Sum 2011, 8 April 2011

Outline
✆ mobile telecommunication : big bang, cyberspace
⚛ femtocells : UMTS architecture, Home Node B (HNB), HNB Subsystem (HNS)
☠ owning it : ordering, location verification, blind dating, recovery to failure, customizing
⚔ analyzing 3G security : authentication & encryption, en garde, the end

✆ mobile telecommunication

[2/37] telephony
- telegraph invented in the early 1800s
- idea of a "speaking telegraph" emerges in 1844
- patent for "voice through a telegraphic circuit" filed in 1876
- application : speaking instantaneously over long distances
R. Borgaonkar, K. Redon HNB.secured?(UMTS) 2 / 37

[3/37] 0G/1G
- need for business people to be reachable at any time, anywhere
- 0G - 1950 : not so handy, proprietary attempts
- 1G - 1980 : similar to 2G, but with analog voice (like in the PSTN)

[4/37] 2G : Global System for Mobile Communications (GSM)
- mobile standard developed in France in 1991 (Groupe Spécial Mobile)
- very popular, unexpected by the telcos
- now used worldwide

[5/37] 2G : GSM now broken
- infrastructure elements now available to the public
- IMSI catching possible (no network authentication)
- sniffing possible (A5/1 encryption algorithm broken)
- MitM possible (A5/2 encryption algorithm broken)

[6/37] 2G+ : data over mobile
- 2G : "Internet" access with WAP
- 2.5G : GPRS, packet switching capability
- 2.75G : EDGE, faster but still too slow

[7/37] 3G : Universal Mobile Telecommunications System (UMTS)
- appeared in 2002
- voice and data communication
- the phone becomes a network device
- required and supported by smartphones

[8/37] 3G+ : usable Internet
- 3.5G : HSDPA, faster download
- 3.75G : HSUPA, faster upload
- 3.9G : LTE/WiMAX attempts

⚛ femtocells

[9/37] UMTS architecture (complex) (figure only)
[10/37] UMTS architecture (simplified) (figure only)
[11/37] cells (figure only)

[12/37] technology
What is a femtocell :
- it's an access point (sometimes called FAP)
- it connects the mobile phone to the 3G/UMTS network
- compatible with every UMTS-capable mobile phone
- small cell, with a coverage of less than 20 m
- low power device
- easy to install, you only have to provide power and Internet access
- technical name : Home Node B (HNB)

[13/37] user advantages
advantages provided to the users :
- can be installed at home to provide coverage (if not available)
- provides high bandwidth (not shared with the public)
- can provide location based services (kids arrived at home)
- but nothing Wifi cannot provide for free, except that you don't have to configure the phone

[14/37] operator advantages
advantages for the operator :
- extended coverage, near to the users
- traffic offload from their public infrastructure
- cheap hardware, that the user even has to buy
- no installation cost
- no maintenance cost
- new revenue possibilities
- IP connectivity
conclusion : femtocells are a great opportunity for the operators.

[15/37] HNB in UMTS network (figure only)
[16/37] HNB Subsystem (figure only)

☠ owning it

[17/37] requirements
How to get a femtocell :
- choose a country from the 12 which deploy them
- get an address and IP from this country, because usage is only allowed within the country
- select an operator from the 18 which offer them
- get a mobile phone subscription from this operator, required to get the femtocell service
- gently ask for a femtocell
- get it for free, for a one time payment, or for a monthly fee
- enjoy ☺

[18/37] purpose
operators have to verify where the femtocell is, for several reasons :
- to prevent you from avoiding roaming costs in foreign countries
- UMTS uses the 2.1 GHz frequency band, a licensed spectrum band; the operators own the radio licenses for the femtocell only for their country
- the location of the users is required for lawful interception

[19/37] techniques
How to find where the femtocell is located :
- IP : geoIP, even knowing the ISP is enough
- GNSS : Global Navigation Satellite System (often GPS)
- macrocell : cells periodically send country, network, and location information (MCC, MNC, LAC)

[20/37] attacks (figure only)
[21/37] final solution (figure only)
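As an added example (not from the original deck) of the macrocell technique on slide 19: decode the Location Area Identity (LAI) that neighbouring cells broadcast and use its MCC as a second opinion next to geoIP before the HNB is allowed to transmit. The LAI layout follows 3GPP TS 24.008; the MCC-to-country table, the function names and all sample LAIs are constructed for this example.

```python
"""Added example for slides 18-19: decode the LAI broadcast by neighbouring
macrocells and cross-check the MCC against the radio licence's country.
LAI layout per 3GPP TS 24.008: MCC/MNC as swapped BCD nibbles, LAC big-endian.
The MCC table and all sample LAIs below are constructed for the example."""

from dataclasses import dataclass

# Constructed lookup: only the MCCs the sample data uses.
MCC_COUNTRY = {"262": "DE", "208": "FR", "310": "US"}


@dataclass(frozen=True)
class LAI:
    mcc: str
    mnc: str
    lac: int


def decode_lai(raw: bytes) -> LAI:
    """Each of the first 3 octets holds two BCD digits, low nibble first;
    a 2-digit MNC is padded with 0xF in the high nibble of octet 2."""
    if len(raw) != 5:
        raise ValueError("LAI must be 5 octets")
    lo = [b & 0x0F for b in raw[:3]]
    hi = [b >> 4 for b in raw[:3]]
    mcc = f"{lo[0]}{hi[0]}{lo[1]}"
    mnc = f"{lo[2]}{hi[2]}" + ("" if hi[1] == 0xF else str(hi[1]))
    return LAI(mcc, mnc, int.from_bytes(raw[3:5], "big"))


def verify_location(licensed: str, geoip: str, neighbours: list[bytes]) -> tuple[bool, list[str]]:
    """Accept only when geoIP and every overheard macrocell agree with the
    country of the radio licence; hearing no macrocell at all is also a
    rejection, because absence of evidence is not evidence of being in-country."""
    reasons = []
    if geoip != licensed:
        reasons.append(f"geoIP {geoip} differs from licence {licensed}")
    if not neighbours:
        reasons.append("no macrocell overheard")
    for raw in neighbours:
        lai = decode_lai(raw)
        country = MCC_COUNTRY.get(lai.mcc, "??")
        if country != licensed:
            reasons.append(f"macrocell MCC {lai.mcc} ({country}), LAC {lai.lac} is outside {licensed}")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed: a German HNB hearing one German cell, then also a French cell.
    print(verify_location("DE", "DE", [bytes.fromhex("62f2101234")]))
    print(verify_location("DE", "DE", [bytes.fromhex("62f2101234"), bytes.fromhex("02f8100001")]))
```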
[22/37] under the hood (figure only)

[23/37] first approach
- sniffing : only DHCP and NTP, then everything goes over IPsec
- probing ports (nmap) : only port 80 is open (Linux has been detected, but the source code is not available)
- web interface available : protected access, no documentation, even the customer service was unaware
- serial port : found on the PCB, but the login prompt is disabled
First impression : the device is secure. ☹
But the first impression is not the last impression. ☺

[24/37] recovery mode and purpose
remember : keep femtocells cheap
- no maintenance cost
- no local support
if something does not work right, do a factory reset. For that, the recovery procedure has been created. This is a critical point.

[25/37] process overview (figure only)
[26/37] flaws and exploits (figure only)
[27/37] reconfigure
the parameter list contains some interesting values :
- the login prompt of the serial port can be enabled (the root password is the same as in the recovery image, stored as an md5 hash)
- it includes the public key used to verify the signatures
- it's possible to clone femtocells (except the SIM)

[General]
pcbid=P04S...
imei=357539...
mac=00:1B:67:...
hwflag=2
serial=P04S...
[BootSigning]
pubkey=EE:17:C5:F2:...

[28/37] reflash
the firmware list contains all the needed information :
- the URLs, encryption keys and signatures are in there
- you can use the previously obtained images, and modify them
- you can provide the modified images
- now it's possible to install anything

⚔ analyzing 3G security

[29/37] testing 3G security features
- femtocells can be used to check the various classmarks supported by mobiles

[30/37] authentication tuples
information in the authentication tuples (RAND, XRES, IK, CK, AUTN) :
- collect RAND and AUTN
- check randomness of RAND
reference : U. Meyer and S. Wetzel, "A man-in-the-middle attack on UMTS", in Proceedings of the ACM Workshop on Wireless Security (WiSe 2004), October 2004

[31/37] encryption
- calls are encrypted ... up to the antenna
- then communication is clear text, like everything else in the telecommunication network

[32/37] phone capabilities
- encryption over-the-air can even be turned off
- helps to identify which phones indicate it (just a few do)

[33/37] the beginning of a story (figure only)

[34/37] episode 1
- femtocells are an effective technology in terms of offloading the traffic and of new business cases
- but ... the operators need to start thinking about security
- follow the specifications closely, secure the device and the networks
- some serious threats (ongoing work) : test the core network, build a MitM, test 3G phones

[35/37] episode 2
- 4G (LTE Advanced) is coming
- all-IP infrastructure
- very closely connected elements
- the network needs to be compatible with old technology
- HeNB (evolved) are also on the way ☺

[36/37] thanks
Thanks to :
- Nico Golde, TU Berlin
- Collin Mulliner, TU Berlin
- Prof. Jean-Pierre Seifert, TU Berlin
- Benjamin Michéle, TU Berlin

[37/37] questions
Merci
Questions ?
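Following up on the authentication-tuple checks of slide 30, an added example that is not part of the original deck: collect the (RAND, AUTN) pairs the HNB relays, split AUTN into its 3GPP TS 33.102 fields, and run the first randomness and sequence-number checks a tester would. The function names are this example's own and every sample tuple is constructed, not captured from a network.

```python
"""Added example for slide 30: inspect collected (RAND, AUTN) pairs.
AUTN is split as in 3GPP TS 33.102: SQN xor AK (6 octets) || AMF (2) || MAC-A (8).
All sample tuples below are constructed, not captured from a network."""

import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Autn:
    sqn_xor_ak: bytes  # sequence number concealed with the anonymity key AK
    amf: bytes         # authentication management field
    mac: bytes         # MAC-A, computed by the HLR/AuC over RAND, SQN and AMF


def parse_autn(raw: bytes) -> Autn:
    if len(raw) != 16:
        raise ValueError("AUTN must be 16 octets")
    return Autn(raw[0:6], raw[6:8], raw[8:16])


def duplicate_rands(rands: list[bytes]) -> list[bytes]:
    """A RAND must be fresh per authentication run; any repeat is a finding."""
    return [r for r, n in Counter(rands).items() if n > 1]


def monobit_p_value(rands: list[bytes]) -> float:
    """NIST SP 800-22 frequency (monobit) test over the pooled RAND bits.
    p < 0.01 means the ones/zeros balance is unlikely for a uniform source."""
    bits = "".join(f"{int.from_bytes(r, 'big'):0{8 * len(r)}b}" for r in rands)
    s = sum(1 if b == "1" else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))


def sqn_looks_unconcealed(autns: list[Autn], max_step: int = 256) -> bool:
    """Heuristic: TS 33.102 makes the anonymity key optional. Without AK the
    first 6 octets carry SQN in clear and rise by small steps from one
    authentication to the next for the same subscriber; random-looking
    jumps between consecutive AUTNs suggest AK is in use."""
    sqn = [int.from_bytes(a.sqn_xor_ak, "big") for a in autns]
    return len(sqn) > 1 and all(0 < b - a <= max_step for a, b in zip(sqn, sqn[1:]))


if __name__ == "__main__":
    # Constructed sample: two AUTNs whose SQN field increments in clear, one repeated RAND.
    autns = [parse_autn(bytes.fromhex("000000000020" "8000" "0123456789abcdef")),
             parse_autn(bytes.fromhex("000000000040" "8000" "fedcba9876543210"))]
    rands = [bytes.fromhex("00" * 16), bytes.fromhex("a5" * 16), bytes.fromhex("a5" * 16)]
    print("duplicate RANDs:", duplicate_rands(rands))
    print("monobit p-value:", round(monobit_p_value(rands), 6))
    print("SQN in clear?", sqn_looks_unconcealed(autns))
```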