An Introduction
to Cellular Security

Joshua Franklin

Last Changed: 20140113

License

Intro

Creative Commons:
Attribution, Share-Alike
http://creativecommons.org/licenses/
by-sa/3.0/

2

Introduction

Intro

• Cellular networks are a dense subject
– This is not a deep dive

• The standards are large, complicated
documents
• Involves physics, telecommunications, politics,
geography, security...
• We will discuss older cellular networks first and
build upon this knowledge
• 3GPP standards are more or less backwards
compatible
– Major consideration during standards
development

3

Learning Objectives

Intro

This course will introduce you to:
• Spectrum allocation
• Types of antennas
• Popular cellular standards
• Threats to wireless technologies
• Cellular network topologies
• Security architecture of cellular networks

SIM/USIM/UICC
Authentication and Key Agreement (AKA)
Cryptographic algorithms and key hierarchy
Modern attacks
LTE security is the primary focus of this
SIM Hacking
presentation. It is the new standard moving
Femtocells
forward (a.k.a., the new hotness). Previous
Baseband Hacking
standards, GSM and UMTS, are being
phased out.
–
–
–
–

•
•
•

4

Excluded Topics

Intro

This class does not cover:
• Wireless physics
• Ancient wireless networks (AMPS, IMS, smoke signals )
• Wired systems (PSTN/POTS/DSL)
• Standards other GSM, UMTS, and LTE
– CDMA2000, EV-DO, WiMax

•
•
•
•
•

In-depth discussion of GPRS, EDGE, and HSPA variants
SMS and MMS
Mobile operating systems (iOS, Android, Windows Phone)
QoS , Mobility management, and VoLTE
Internetwork connections
Warning: This class is U.S.-centric but the standards are
used worldwide. The network operators, frequencies,
and implementations vary.
5

Terminology

Intro

• Cellular standards use jargon and abbreviations
frequently
–
–
–
–

LTE, EPS, BTS, K[ASME]
Nested acronyms are common
GERAN = GPRS Evolution Radio Access Network
LTE is often referred to as Evolved Packet System (EPS) in
technical situations

• Learn to be comfortable with the jargon and acronyms

– There is an associated glossary and cheatsheet
– If something needs to be added or modified, please let me
know
– Especially to improve the course and associated
documentation

6

Intro

Books
Wireless Crash Course
3rd edition

Easy Mode

LTE Security
2nd edition

LTE-Advanced for Mobile
Broadband - 2nd edition

Intermediate

God Mode

Note: Many papers and presentations were also
useful and are cited when necessary.
7

Prerequisites

Intro

• Basic understanding of:
– Cryptography
– Physics
– Networking

• Have made a phone call
• There are no hardware, software, or
labs in this class.

8

Overview
•
•
•
•

Intro

Wireless spectrum and cellular bands
Important cellular concepts
Overview of cellular standards
Discussion of the following for GSM, UMTS, and LTE:
– Network components
– Security architecture (hardware tokens,
authentication, cryptography)
– Threats to these technologies
– Notable attacks

• SIM Hacking
• Femtocells
• Baseband Hacking

9

What is LTE

Intro

LTE is Long Term Evolution
Fourth generation cellular technology standard from the 3rd
Generation Partnership Project (3GPP)
• Deployed worldwide and installations are increasing
• All implementations must meet baseline requirements
•
•

Increased Speed
Multiple Antennas (i.e., MIMO)
IP-based network (All circuits are gone/fried!)
New air interface: OFDMA (Orthogonal Frequency-Division
Multiple Access)
– Also includes duplexing, timing, carrier spacing, coding...
–
–
–
–

•

LTE is always evolving and 3GPP often drops new “releases”
– This class is modeled around LTE-Advanced, but we won’t dig
deep enough to tell

10

Intro

Cellular Network Operators
• Telecommunications company (telco)
– Purchases spectrum
– Builds out network (base stations and
backhaul network)
– Verizon, AT&T, T-Mobile, Sprint

• Mobile Virtual Network Operator (MVNO)
– Does not have to purchase spectrum
– Rents the towers but runs distinct backhaul
network
– Cricket, Ting, MetroPCS...
11

Radio Frequency Spectrum

Spectrum

• Describes a range of frequencies of
electromagnetic waves used for
communication and other purposes
• RF energy is alternating current that,
when channeled into an antenna,
generates a specific electromagnetic
field.
• This field is can be used for wireless
communication
• Cellular spectrum ranges from 300 MHz to
3 GHz
12

EM Spectrum

Thanks to Wikipedia

Spectrum

13

Wireless Spectrum

From an interactive map available via the FCC

Spectrum

14

Popular Cellular Bands

Spectrum

• 700 Mhz Band (Blocks A - E)

– Considered uniquely useful to cellular activities
– Verizon, US Cellular, AT&T and others own various
portions
– Will be used for 4G
– Includes reserved spectrum for public safety

• 850 MHz
• 1900 MHz band (PCS)
• 2100 MHZ (Blocks A - F)

– Mostly T-Mobile, but includes Cricket and MetroPCS

• This information changes periodically as spectrum
is purchased & released
15

Chipset

Spectrum

• Phones are manufactured to work on specific
radio frequencies
• A phone’s hardware is tied to a carrier based on
many things, but the major ones are the cellular
standard and frequencies the carrier uses
• In the yesteryear, a phone could only work on
one carrier
• Nowadays, phones concurrently operate on
many frequencies (and therefore networks)

– Wireless carriers artificially tie phones to their network
– “Unlocking” refers to removing this artificial tie

16

Channel Allocation

Spectrum

• Typically there is a downlink channel
and an uplink channel
• These channels needs to be spaced in
frequency sufficiently far so that they
do not interfere with each other
Uplink
Downlink

17

Antenna

Spectrum

• There are 2 main types of antennas,
each with unique properties
• Omnidirectional
– Emits energy in a spherical radius

• Directional
– Emits energy in the shape of the antenna
and in the direction and angle at which it
is pointed
18

Omnidirectional Antenna

Spectrum

19

Directional Antenna

Spectrum

20

UE Antenna

Spectrum

• There are multiple antenna in your
phone - although some are shared
• Designed to transceive at various
frequencies
– Cellular (300 MHz - 3 GHz)
– Wifi (2.4 GHz, 5 GHz) (there are other odd
frequencies used)
– Bluetooth (2400–2480 MHz)
– NFC (13.56 MHz)
21

1> Antenna

Spectrum

• LTE has a feature called Multiple-Input MultipleOutput (MIMO)
• Multiple antenna are used simultaneously to
transmit and receive
– Can significantly increase throughput

• Multiple types

– Spatial diversity
– Spatial multiplexing

• Further divided:
–
–
–
–

SISO - Single in, single out
SIMO - Single in, multiple out
MISO - Multiple in, single out
MIMO - Multiple in, multiple out
22

Important Cellular
Concepts

Concepts

Big Picture

Mobile devices (1) connect to a base
station (2) which connects to a
backhaul network (3), which connects
to the internet (4).

1

2

3

4
24

Network Components

Concepts

• Base stations and the backhaul network are
run by telco, but there are interconnections
and shared sites
– AT&T customers need to be able to contact
Verizon (vice versa)

• The network between mobile devices and
base stations as well, referred to as various
names such as Radio Access Network (RAN)
• Base stations often connect to backhaul via
wired technologies (i.e., fiber)
– Often communicate with each other via wireless
25

Mobile Device

Concepts

• These are the devices with wireless radios
that connect to cell towers
– Inside phones, tablets, laptops and a variety
of devices

• LTE uses the term User Equipment (UE),
previously ~ Mobile Station (MS)
• The parts of the UE we are concerned
with:

– The handset, aka the ME (Mobile Equipment)
– USIM (Universal SIM)
– Baseband processor
26

Baseband

Concepts

•

Typically a separate processor on the phone

•

Handles all of the telecommunications-related functions

•

Runs a real time operating system (RTOS)

•

Sometimes shares RAM with application processor (baseband
as a modem), sometimes each processor has distinct
RAM(shared architecture)

– From Qualcom, Infineon, etc.

– Sends, receives, processes signals
– Base station and backhaul network communication
– Has direct access to microphone, speakers…

– Performance matters!
– OSs include ThreadX, Qualcomm’s AMSS w/ REX kernel, OKL4

– In a shared configuration, the baseband is often the master

•

May be virtualized

27

Cell Tower

Concepts

• Permanent cellular sites often housing antennas
for multiple telcos that connect to a base station
and to a backhaul network
– Connects to backhaul via wired technologies (i.e.,
fiber)

• Run by telco, but there are interconnections

– AT&T customers need to be able to contact Verizon
(vice versa)

• There is a network between mobile devices and
base stations as well, typically called the Radio
Access Network (RAN)
– The RAN and Backhaul network are the two main
components of a cellular network

28

Backhaul Network

Concepts

• Mobile devices connect to a base
station which connects to a backhaul
network
• Connects to backhaul via wired
technologies (i.e., fiber)
• Connects to other carrier’s backhaul
networks
• Multiple systems (GSM, UMTS, LTE) are
collocated and run at the same time
29

Planes of Communication

Concepts

Many control systems divide communication into two planes one for processing information from users and another for how
to setup/breakdown the channel and other important
functions
• Think of this similar to how FTP uses two ports
•

– TCP port 21 - data
– TCP port 20 - control

•

Control Plane (CP)

•

User Plan (UP) signaling

•

Cellular networks use this design extensively

– A private communication channel that is distinct from data the
UE operator can influence
– Used to send control messages to components
– Mobile users should not be able to influence this in any way
– Voice and data information

30

Packets and Circuits

Concepts

• Pre-LTE, cellular networks used circuit switching
technology for voice
– LTE uses VoLTE which is VoIP over LTE
– Not implemented currently, calls fall back to
previous networks

• Data traffic is sent over nearly distinct
interconnected packet switching networks

– GSM first used GPRS, then moved to EDGE
– UMTS used HSPA technologies including HSPA+

• Since LTE is completely IP based, it does not
use circuits
• We’re not there yet, but soon.

31

Network Interconnection

Concepts

• Circuit switched networks need to be able to
connect with packet switched networks and
other distinct cellular networks
– The internet is a good example
– This is a complex process

• GPRS (General packet radio service)
– 2.5G packet switched technology

• EDGE (Enhanced Data Rates for GSM Evolution)
– 2.75G packet switched technology

• HSPA (High Speed Packet Access)

– 3.5/3.75 packet switched data technology
– There were a few quick iterations on this technology,
thus “variants”
32

Concepts

Attachment, Handoff, & Paging
• The first step in a mobile device connecting to a network
is referred to as network attachment
– Mobile devices request network access to a base station,
which passes this request onto the backhaul network
– Authentication of the mobile device is then performed

• If a mobile device is moving (such as on a freeway) a
call will need to be transferred from one base station to
another
– This is called handoff
– This is very common, yet is complex, process

• Paging is the process of how a backhaul network
locates and directs calls a mobile device
– Base stations provide a list of active devices to the
backhaul

33

Connection Management

Concepts

• EPS Connection Management (ECM)
• UE related information is released after
a certain period of time without use or
connection
• ECM-states
– ECM-CONNECTED
– ECM-IDLE

• TS 23.401for more information
34

Subscriber Identity

IMSI

• GSM, UMTS, and LTE all contain a unique ID for a cellular
subscriber
– International Mobile Subscriber Identity (IMSI)
– 15 digit number stored on the SIM

• Consists of 3 values: MCC, MNC, and MSIN
– Possibly a Software version number (SV)

•
•
•
•

Mobile Country Code (MCC) - Identifies the country
Mobile Network Code (MNC) - Identifies the network
Mobile Subscriber ID number (MSIN) - Identifies a user
Temporary identities also exist
– Temporary Mobile Subscriber Identity (TMSI)
– Globally Unique UE Identity (GUTI)

• This information is stored on the SIM/ICC, USIM/UICC

35

IMSI

IMSI Example
Mobile
Network
Code

310150123456789
Mobile
Country
Code

Subscriber ID

Thanks to Wikipedia for the sample IMSI

36

Terminal Identity

IMSI

• GSM, UMTS, and LTE all contain a unique
ID for a terminal ME/UE

– International Mobile Equipment Identity (IMEI)

• Consists of a single values

– Possibly a Software version number (SV)
– Referred to as IMEISV

• Temporary identities as well
• Dial *#06# to display your IMEI
• Illegal in some countries to change a
phone’s IEMI
37

SIM Cards

SIM

• A removable hardware token used for GSM,
UMTS, and LTE
– Verizon is changing to LTE and is also using the
hardware token

• Over 7 billion SIMs in circulation
• Houses a processor and runs an OS
• Java Card runs atop the OS, which is a of Java
Virtual Machine (JVM) for applications
• Stores cryptographic keys and sometimes SMSs
and contacts
• SIM application toolkit (STK) are used
• Modern term is USIM, and the USIM runs atop the
UICC
38

SIM

SIM Card
Full-size SIM
Micro-SIM
Mini-SIM

Nano-SIM

From left to right, we are only removing
plastic. The integrated circuit remains static.

39

Threats to Cellular Networks

Concepts

• There are unique threats to cellular networks, most
importantly because the communication medium is
open and accessible by all
– Jamming and other attacks on availability
– Lawful interception is built into LTE

• Copying a phone’s unique information to steal another
customer’s service
– Cloning is not as common today

• Cellular networks need, or be able to quickly locate,
where the a mobile device is at all times
– Threats to privacy

• Pay phones don’t need to be charged once a day
• There are many more threats to the mobile network
operator (AT&T/Verizon)
40

Jamming

Concepts

• Cellular devices send information via radio
transmissions

– Interrupting these transmissions is called jamming

• It is possible to jam a large frequency range, such
as all GSM traffic in an area, or only specific
frequencies, like those used for control signals
• 3GPP standards state that jamming attacks are
outside of their threat model
• You can buy jammers online, and depending on
the range and power requirements, they can be
quite cheap
– Beware the wrath of the FCC, other three letter
agencies, and your local law enforcement

41

Femtocells
•

Concepts

Femtocells are small extensions of the cellular network - often
for personal or business use
– Technically the standard refers to them as Home Node B (HNB)
– Limited range and relatively affordable

•

They may be provided by telcos if requested and of course
you pay for this convenience

– The purchaser (often the user) does not have full administrative
control of the device, similar to set-top boxes
– But the purchaser has complete physical access

In LTE, femtocells are routed through a new component, the
Security Gateway (SeGW)
• These devices introduce many new threats
•

–
–
–
–

Customers retain physical control and can perform offline attacks
Attacks on the core network through the femtocell
Jamming requires less power because an attacker can be closer
Attackers can quickly set one up in new location to attract UEs
42

Cellular Standards

3GPP

Standards

• An international standards body
• Evolves and/or standardizes GSM, UMTS, LTE among
others
• From their page:
The 3rd Generation Partnership Project (3GPP) unites [Six]
telecommunications standard development organizations
(ARIB, ATIS, CCSA, ETSI, TTA, TTC), known as “Organizational
Partners” and provides their members with a stable
environment to produce the highly successful Reports and
Specifications that define 3GPP technologies
• We will primarily discuss 3GPP standards
• Other standards exist from a distinct standards body
known as 3GPP2
– CMDA2000 and the now deprecated UMB

44

Standards

Major Standards
• Multiple standards
bodies involved
• Standards are
based on each
other

•
•
•
•
•
•

GSM
CDMA
UMTS
EV-DO
WiMAX
LTE

45

Standards

Cellular Standards
Generation

3GPP
Circuit
Switched

2G

GSM

3GPP2

Wimax
Forum

cdma
One
GPRS

2.5G
2.75G
3G

3GPP
Packet
Switched

EDGE
CDMA
2000

UMTS

3.5G

HSPA/+

CDMA
EV-DO

4G

LTE

UMB

WiMAX

46

A Note on 3GPP

Standards

• LTE is a 3GPP specification

– Therefore we will be discussing 3GPP
specifications in depth

• We will introduce GSM and associated
security issues
• We will then build on these concepts
from GSM to UMTS to LTE
• Packet switched technologies will be
discussed as well
• 3GPP2 and WiMax Forum standards are
not included
47

GSM

GSM

GSM

• Global System for Mobile Communications
• 2G digital voice
• Air interface: TDMA
– Multiple users on the same channel

• Operates at various spectrums worldwide
• There are 4 separate systems:
–
–
–
–

Base station subsystem (BSS)
Network subsystem (NSS)
Operations and support subsystem (OSS)
Mobile station subsystem (MSS)

• Each subsystem has a distinct purpose

49

GSM Component Description

GSM

• Mobile station subsystem (MSS)
– Mobile handset and SIM

• The base station subsystem BSS consists of a controller
and transceiver

– Base station transceiver (BTS) is the cell tower
– Base station controller (BSC) controls 1 or more BTSs
– Housed at the Mobile Telephone Switching Office (MTSO)

• Network subsystem (NSS):

– MSC (Mobile Switching Center) and MTSO
– MTSO-switch connects cell network to PSTN
– MTSO houses the HLR, which supports the AuC

• Operations and Support (OSS)

– Manages the network as a whole

50

GSM

GSM Architecture Diagram

BTS
Operations and Support
Subsystem

MS

MSC

Mobile Station
Subsystem
BSC
Base Station
Subsystem

HLR/
AuC

Network
Subsystem

51

GSM Security Design

GSM

• Meant to achieve equivalent or greater
security than wired telecommunications
systems
• Security mechanisms should not have a
negative impact on the system
• Primary security mechanisms:
– Subscriber authentication (AKA)
– Privacy achieved via temporary identities
– Encryption of the Radio Area Network and
backhaul
– ME to BTS and BTS to MMC - using Kc

52

GSM

GSM SIM
•
•
•
•

SIM card is technically the ICC
SIM is the application running on top of this
Tamper resistant hardware token
Stores 64-bit key, called Ki, which is used to derive
Kc
– Ki never leaves the card
– Also stored in AuC

• Contains key generation software
• Subscriber authentication by proving knowledge
of Ki

– How? The Authentication and Key Agreement (AKA)

53

GSM AKA

GSM

Challenge and response authentication protocol
Authentication is not mutual
• A ME’s IMSI is sent to the BTS, which is passed to the HLR/AuC
• The HLR/Auc sends the Kc, 128-bit random number, and an
Expected Response (XRES) to the BTS
– Kc is a session encryption key

The BTS passes the random number to the ME
The ME uses the Ki and the random number to arrive at Kc and
provides the BTS with an SRES
• The BTS checks if SRES is equal to XRES
•
•

– If so they subscriber is authenticated

•

The BTS provides the ME with an encrypted Temporary Mobile
Subscriber Identity (TMSI)
– Not always encrypted

54

GSM AKA Ladder Diagram
ME (with IMSI)
SIM (with Ki)

IMSI
Random

BTS

IMSI

GSM

Backhaul
AuC (with IMSI, Ki)

Random, XRES, Kc

A3(Random, Ki) = SRES
A8(Random, Ki) = Kc
SRES
SRES = XRES?

55

GSM Cryptographic Algorithms

GSM

• Families of algorithms: A3, A5, and A8
• A3 is used for subscriber authentication to derive XRES
• A5 is used to encrypt data in motion such as radio
encryption
–
–
–
–

ME to BTS
A5/1, A5/2, and A5/3 are 64-bit stream ciphers
A5/4 is a 128-bit stream cipher
An efficient attack exists against A5/2 and it is depreciated

• A8 is used to derive the 64-bit key Kc
• The A3 and A5 families are non-standardized as they
only need to on devices and equipment owned by the
carrier (USIM, BTS, backhaul)
– MILENAGE is provided if needed

Note: GPRS and EDGE use different algorithms
56

MILENAGE

GSM

• Set of five cryptographic one-way functions
specified by 3GPP
– Usage is optional as telecos can specify their
own
– Block ciphers with 128-bit key
– GSM, UMTS, and LTE

• Used during AKA for key and parameter
generation
– We will explore this further during the LTE segment

• These are the ‘f boxes’ (f1, f2, f3, f4, f5)
[Nyberg04]
57

Threats to GSM
•

GSM

Cryptography-based

– Short 64-bit keys
– A5/2 efficient attack
– A5/1 attack with large amounts of plaintext
• Implementation flaw exists [Hulton08]

•
•
•

Weak cipher renegotiation and null cipher attacks possible
SIM cloning
Man-in-the-Middle (MitM) attack via rogue base station
(femtocell)
– No network authentication in AKA

Only Radio Area traffic is encrypted - once information is in
the backhaul it is cleartext [Hulton08]
• IMSI sometimes sent in the clear [Hulton08]
• Some control signaling may be unprotected
•

58

Notable Attacks

GSM

• Steve Hulton et al, Blackhat 2008
– Showed how to intercept GSM signals with
software defined radio
– Showed a practical method to crack
A5/1

• Chris Paget, Defcon 2010
– Demonstrated a homegrown GSM BTS
– Intercepted calls

59

UMTS

UMTS

UMTS

• Universal Mobile Telecommunications
System
• 3G digital voice
• Air interface: W-CDMA
• Operates at various spectrums
worldwide

61

UMTS Components

UMTS

• Core network (CN), UTRAN, and UE
– UE
– Node B
– UTRAN

62

UMTS Architecture Diagram
BTS

BSC

Switch

UE

UE

UMTS

GMSC

HLR/
AuC

Node B

RNC

SGSN

GGSN

63

UMTS & GSM Compatibility

UMTS

• UMTS was designed to work
concurrently with GSM
• 2G SIMs were included
• Much of the terminology is slightly
modified
– BTS -> Node B

64

UMTS Security Design

UMTS

• Iterative enhancement on GSM
security
• Enhance AKA (network
authentication)
• New confidentiality and integrity
cryptographic algorithms
• Introduction on Network Domain
Security for IP-based protocols (NDS/IP)
– IPSec
65

UMTS Hardware Token

UMTS

• GSM SIM now is now USIM
– USIM application runs atop the UICC

• Contains a new hardware protected
128-bit key: K
– As in GSM, never moves from UICC and
HLR/AuC
– Keys are derived from K as needed
– AuC stores an IMSI with K
66

UMTS AKA

UMTS

• Similar to GSM - challenge response
–
–
–
–
–

UE proves knowledge of a key
UE somewhat authenticates the home network
Femtocells can still create a fake connection
New algorithms (f1 through f5 and f1* through f5*)
AKA algorithms are network specific and don’t need
to be standardized

• UE gains assurance that confidentiality key (CK)
and integrity key (IK) were generated by the
serving network
– Serving network authentication is not achieved
– MitM still possible

67

UMTS Cryptography

UMTS

• Completely public algorithms
• Increased key-length to 128-bits
– Yay!

• Two new families of algorithms
– UMTS Encryption Algorithm 1 and 2 (UEA1, UEA2)
– UMTS Integrity Algorithm 1 and 2 (UIA1, UIA2)

• UEA1 and UIA1 are based on KASUMI
– Block-cipher related to AES

• UEA1 and UEA2 are based on SNOW 3G
– Stream cipher
68

UMTS Data Encryption

UMTS

• What is this slide for?

69

UMTS NDS/IP

UMTS

• Provides protection for control-plane traffic,
including authentication and anti-replay
– Enter NDS/IP
– Typically does not aply to user plane traffic

• A security domain under control of mobile
network operator
• Certain connections between components
may not be protected due to optional
requirements in 3GPP standards
• Can internetwork with external NDS domains
70

Threats to UMTS

UMTS

• Cryptography-based

– There are many attacks against KASUMI [Kühn 2001,
Dunkelmann and Keller 2008, Jia et al. 2011,
Dunkelmann et al. 2010]
– Attacks against Snow 3G [Brumley et al. 2010,
Debraize and Corbella 2009]

• Backward compatibility

– When a GSM SIM is used in UMTS only 64-bit keys are
used

• IMSI catchers during AKA process
• U. Meyer and S. Wetzel, “A man-in-the-middle
attack on UMTS,” in ACM WiSec, 2004, pp. 90–97.

71

Notable Attacks

UMTS

72

LTE

LTE

LTE
•
•
•
•

Long Term Evolution or Evolved Packet System
4G data and voice technology
Air interface: OFDMA
3 main components:
– Evolved U-TRAN (E-UTRAN) - Radio Network
– Evolved Packet Core (EPC) - Backhaul
– IP Multimedia Subsystem (IMS) - Extended
backhaul functionality

• Currently - LTE fallsback to older networks
– Circuit-switched fallback

• VoLTE (voice over LTE) - in the works
74

LTE Security Requirements 1
•
•
•
•
•
•
•
•
•

LTE

EPS shall provide a high level of security
Any security lapse in one access technology must not
compromise other accesses
EPS should provide protection against threats and attacks
Appropriate traffic protection measures should be provided
EPS shall ensure that unauthorized users cannot establish
communications through the system
EPS shall allow a network to hide its internal structure from the
terminal
Security policies shall be under home operator control
Security solutions should not interfere with service delivery or
handovers in a way noticeable by end users
EPS shall provide support lawful interception

75

LTE

LTE Security Requirements 2
• Rel-99 (or newer) USIM is required for authentication of
the user towards EPS
• USIN shall not be required for re-authentication in
handovers 9or other changes) between EPS and other
3GPP systems, unless requested by the operator
• EPS shall support IMS emergency calls
• EPS shall provide several appropriate levels of user
privacy for communication, location and identity
• Communication contents, origin and destination shall be
protected against disclosure to unauthorized parties
• EPS shall be able to hide user identities from
unauthorized parties
• EPS shall be able to hide user location from unauthorized
parties, including another party with which the user is
communicating

76

High-Level Threats to LTE

LTE

• Tracking identity, privacy or devices
• Jamming handsets or network equipment or
other attacks on availability
• Physical attacks on base stations or network
equipment
• Manipulating control plane or user plane data
• Threats related to interaction between base
stations, or dropping to older standards or
other networks
Jamming attacks are not within the threat
model of LTE
77

LTE Components

LTE

User equipment (UE)
Evolved Node B (eNodeB)
Mobility Management Entity (MME)
Serving Gateway (S-GW)
Packet Data Network Gateway (PGW)
• Home Subscriber Server (HSS)
•
•
•
•
•

78

LTE/EPS Architecture Diagram
eNB

MME

LTE

EPC
HSS/
AuC

UE

S-GW

E-UTRAN

P-GW

IMS

79

Component Descriptions
•
•
•
•

•
•
•
•
•

LTE

User equipment (UE) – The LTE device
Evolved Node B (eNodeB) – An evolved Node B (BTS).
E-UTRAN - The radio network that exists between UEs and eNBs.
Mobility Management Entity (MME) - Signaling only node (no
user traffic). Large variation in functionality including
managing/storing UE contexts, creating temporary IDs,
sending pages, controlling authentication functions, and
selecting the S-GW and P-GWs
Serving Gateway (S-GW)- Anchors UEs for intra-eNB handoffs
and routes information between the P-GW and the E-UTRAN
Packet Data Network Gateway (P-GW)
Home Subscriber Server (HSS) - This is the master database with
subscriber data
AuC - The authentication center resides within the HSS and
maps an IMSI to K
IMS 80

LTE

Interfaces
• Interfaces are the communications paths
LTE components use to communicate
• Each one is provided with its own label
– There may be unique protocols between
various interfaces

• There are many interfaces - we are
discussing a subset
–
–
–
–

X2 - eNB to eNB
S1-U - eNB to S-GW
S1-MME (sometimes S1-C) - eNB to MME
S5/S8 - S-GW to P-GW
81

LTE

LTE/EPS Interface Diagram
MME

eNB

EPC

S1-MME

UE

X2

HSS/
AuC

S-GW

P-GW

IMS

S1-U
S5/S8

E-UTRAN

82

LTE

E-UTRAN & EPC Protocols
MME

eNB
Intercell RRM
RB Control
…
RRC
PDCP
RLC
MAC

NAS Security
Idle State Mgmt
EPS Bearer Control

S-GW

P-GW

Mobility Anchor

Adapted from 3GPP TS 36.300

IP Allocation
Packet Filtering

PHY

E-UTRAN

Green	
  boxes	
  depict	
  
the	
  radio	
  protocol	
  
layers.	
  White	
  boxes	
  
depict	
  the	
  func7onal	
  
en77es	
  of	
  the	
  control	
  
plane	
  	
  

EPC
83

LTE

UP Protocols

UE

eNB
PDCP

PDCP

RLC

RLC

MAC

MAC

PHY

PHY

Adapted from 3GPP TS 36.300

84

LTE

CP Protocols
UE

MME

eNB

NAS Security

NAS Security

RRC

RRC

PDCP

PDCP

RLC

RLC

MAC

MAC

PHY

PHY

Adapted from 3GPP TS 36.300

85

LTE Security Mechanisms

LTE

• Continue to use the USIM hardware module
• Subscriber and network authentication via
AKA
• Cryptography
–
–
–
–

Algorithms
Key hierarchy
Protected Interfaces
Protected Planes

• Independent Domains

– Access Stratum (AS)
– Non-access Stratum (NAS)

86

LTE

LTE AKA
• Very similar to GSM and UMTS AKA
– Anchored in hardware token (UICC/USIM)

• 2G SIMs are deprecated
– They are unable to authenticate to LTE
– UEs may drop down to UMTS or GSM

• We will discuss LTE AKA in detail
– Overall ladder diagram
– Generation of AKA security parameters
– Verification within the USIM
87

LTE

LTE AKA Discussion
• UMTS and LTE AKA are extremely similar
– Originally specified in TS 33.102
– So much so, the LTE standard doesn’t even fully
describe it (See TS 33.401)

• Largest update to AKA: network separation
– Prevents a breach on one telco’s network to spill
into another’s
– Network identity is bound to certain keys
– AKA directly authenticates network identity

• New key derivation function specified in LTE

88

LTE AKA Ladder Diagram
UE (with IMSI)
USIM (with K)
GUTI/IMSI

eNodeB

MME

LTE

HSS
AuC (with IMSI, K)
GUTI/IMSI, SN id

RAND, XRES

Generate Authentication
Vectors
XRES, AUTN,
RAND, K[ASME]

AUTN Verification
SRES Generation
SRES
SRES = XRES?
GUTI = Globally Unique Temporary Identity
Adatpted from 3GPP TS 33.102

89

LTE

AVs Generation
• The authentication vectors (AVs)are necessary to
perform AKA
• They are requested by the MEE
• Generated by the HSS/AuC
• LTE Authentication Vector = (XRES || AUTN || RAND ||
K[ASME])
• AK = Anonymity key
• AUTN = (SQN xor AK || AMF || MAC)
• CK = Cipher key
• IK = Integrity key
• KDF = Key derivation function
• MAC = A message authentication function
• SQN = Sequence Number
• XRES = Expected response

90

LTE

AVs Generation Diagram
SQN
AMF

Generate SQN
Generate RAND

RAND

K
f1

f2

f3

f4

f5

MAC

XRES

CK

IK

AK

SQN xor AK

Note: SQN and RAND are
generated in a nonstandardized manner.
Adatpted from 3GPP TS 33.401

KDF

SN id

KASME
91

USIM Verification

LTE

• To verify the AVs in the USM, the
authentication process is reversed
• The same functions f1 through f5 are
implemented in the USIM
• If XMAC != MAC then an
authentication failure occurs
– There is a distinct process for this

92

USIM Verification Diagram

LTE

AUTN = (SQN xor AK || AMF || MAC)

RAND

f5

AK

SQN

AMF
K
f1

f2

f3

f4

XMAC

RES

CK

IK
XMAC = MAC?

Adatpted from 3GPP TS 33.401

93

LTE

Cryptography in LTE
• Large change to cryptographic key
structure

– Introduced a new set of intermediate keys
– Unique keys for each connection/barrer large complicated hierarchy

• Similar to UMTS, we have 2 sets of
algorithms for confidentiality and integrity
– EEA1/EIA1 - based on SNOW 3G
– EEA2/EIA2 - based on AES
– EEA3/EIA3 - based on ZUC

• CP and UP may use different algorithms
94

LTE

Key Hierarchy
Stored	
  in	
  USIM	
  
Stored	
  in	
  UE	
  
Stored	
  in	
  UE	
  

K	
  

Stored	
  in	
  Auc	
  

CK,	
  IK	
  

Stored	
  in	
  HSS	
  

K	
  ASME	
  
	
  	
  

K	
  NASenc	
  

Stored	
  in	
  
UE	
  

K	
  NASint	
  

K	
  RRCint	
  

Adatpted from 3GPP TS 33.401

Stored	
  in	
  MME	
  
K	
  eNB	
  

K	
  RRCenc	
  

K	
  NASint	
  

Stored	
  in	
  
eNB	
  
K	
  NASenc	
  

95

LTE

Signaling Protection
•

Confidentiality and integrity are provided by LTE

•

UE creates encrypted channels per device it is signaling to, for
example:

– This is achieved via the secure domains

– UE and eNB communicate with a unique key
– UE and MME communicate with a unique key
– eNB and S-GW communicate with a unique key

There is algorithm negotiation before they are selected, similar
to SSL/TLS
• NAS security is always setup if a UE is registered to the Network
• AS security is setup as needed, such as needing to send data
• The security context refers to the security parameters needed
to securely communicate within the NAS or AS security
domains
•

– Stored in the MME

96

LTE

LTE Non-Access Stratum
• Security-related signaling between UE and the backhaul
– Algorithm selection occurs between and the MME
– MME contains a list of confidentiality and integrity
algorithms in a priority order

• NAS negotiation immediately follows completion of a
successful AKA run
• Negotiation begins when an MME sends an integrity
protected Security Mode Command to UE

– Contains evolved key set identifier (eKSI), list of security
capabilities and algorithms, IMSI request, and additional
cryptographic information

• The UE responds with an integrity protected encrypted
message called the NAS Security mode Complete
containing its IMEI and a MAC of the message

97

LTE

LTE NAS Negotiation
UE	
  

MME	
  
NAS	
  Security	
  Mode	
  Command	
  

Encrypted	
  with	
  
K	
  NASenc	
  
Protected	
  with	
  
K	
  NASint	
  

UE	
  capabili7es,	
  list	
  of	
  algorithms,	
  IMEI	
  
request,	
  eKSI,	
  cryptographic	
  informa7on	
  	
  
NAS	
  Security	
  Mode	
  Complete	
  
(IMEI,	
  NAS-­‐MAC)	
  

98

LTE Access Stratum

LTE

• Signaling between UE and eNB

– Algorithm selection occurs between these
components
– eNB contains a list of confidentiality and
integrity algorithms in a priority order

• More often referred to as the RRC
protocol
• AS and RRC signaling occur on the
Packet Data Convergence Protocol
(PDCP)
• AS encryption is optional

99

LTE

LTE AS Negotiation
UE	
  

MME	
  
AS	
  Security	
  Mode	
  Command	
  

Encrypted	
  with	
  
K	
   UPenc	
  
Protected	
  with	
  
K	
   UPint	
  

List	
  of	
  algorithms,	
  AS-­‐MAC	
  

AS	
  Security	
  Mode	
  Complete	
  
(AS-­‐MAC)	
  

100

Handover
• Unfortunately, UEs are constantly on the move
• This causes the need to be able to switch from
eNB to eNB, and possibly from network to network
• The procedures for this are quite complex as keys
and other protected information needs to be
transferred or renegotiated
– Or the cryptographic keys and encryption/integrity
algorithms will need to be changed
– Keep this in mind - but we’re not discussing this in
detail
– Refer to our LTE Security book for additional details

101

LTE

Security Contexts
• Security contexts are a collection of
security-related information
– Algorithms, keys, and other parameters

• Many contexts are defined:
– NAS and AS
– Current and non-current
– Native and mapped

• Depending on sensitivity they are
stored in the USIM or the RAM of the UE
102

LTE

Backwards Compatibility
• At times LTE service may be lossed and a 2G
or 3G system may be available
• Security Contexts are mapped from one
system to another
• A NAS security context is generated if moving
to LTE
• K[ASME] is used to derive GSM/UMTS security
contexts if needed
• Once mapping has occurred - a new native
security context is reestablished as soon as
possible
– AKA can be run again as well

103

Full Call Diagram

LTE

104

Interconnection Diagram

105

LTE

Lawful Interception
• Lawful interception is built into 3GPP standards required
lawful interception mechanisms for all features
• Call/message content and related data provided from
certain network elements to the law enforcement side
• Assumes typically that the content appears in clear in
the network element
• End-to-end encryption is still possible if keys are provided
• No weak algorithms introduced for LI purposes
• All 3GPP algorithms are publicly known
• National variations exist
• Specified in TSs 33.106-108

106

Notable Attacks

SIM Hacking
• SIMs can be locked using a PIN

– PIN is required on phone reboot
– If PIN is not provided a special code from the
telco is required (PUK)

• Stamped on most SIMs is the ICCID
(Integrated Circuit Card Identifier
– 18 digit unique identifier for the SIM

• SIMs are updated by over the air (OTA) text
messages never displayed to a user
• Rooting SIM Cards, Blackhat 2013
• SIM Forensics
– Exploring the OS of the SIM, looking for data

108

SIM Hacking
Metal Contact

0
8 9 9 11 0 1 2 0
003204510

109

SIM Hacking
Metal Contact

Chip

Plastic Card
Body
110

Femtocells
•

Often runs a Linux distro

– To be used maliciously, root access is required

Previous femtocell hacks exploit software vulnerabilities and
factory reset procedures
• Phones automatically attach to the tower with the strongest
signal, which is typically the closest tower
• IMSI-catcher – femtocell that is configured to look like a real
base station to steal IMSIs from nearby devices
•

– Often used by law enforcement
– IMSIs are important for device/subscriber tracking and call
interception

Femtocells: A poisonous needle in the operator’s hay stack,
Borgaonkar et al at Blackhat 2011
• Traffic Interception & Remote Mobile Phone Cloning with a
Compromised CDMA Femtocell,
Doug DePerry et al Defcon 21
•

111

HeNB

112

Baseband Hacking
•

Going through baseband, one can attack the cellular
software stack and the mobile operating system (i.e., Android,
iOS)
– Often leads to unlocking

•

Some cellular stacks significantly use legacy code

•

Allows injection of packets via the air interface

– Often missing ASLR, NX, heap protection
– Code not publicly available, reverse engineering of leaked
binaries necessary
– Often includes a femtocell

From the IMEISV + IMEI often identifies the baseband software
version
• You may need an external clock to assist with timing, as
precision is required
• Notable work includes R.-P. Weinmann 2010,
R.-P. Weignmann 2013, and Guillaume Delugre
•

113

Attacks on CDMA
• Traffic Interception & Remote Mobile
Phone Clonging with a Compromised
Femtocell, Blackhat 2013

114

Fin

In Conclusion
• More detailed security information can
be found within:

– LTE Security book,
– 3GPP Standards (TS 33.401 especially), and
– Various presentations and whitepapers
throughout the web.
– Security Investigation in 4G LTE Wireless
Networks
– Technical Overview of 3GPP LTE

• There’s a lot more than this presentation
– Study up!

116

Questions || Thoughts?
•

I want this presentation to be accurate

•

Cellular Security - Part 2 will include a much deeper analysis
of LTE networking protocols, crytpo, IMS, handover, network
interconnection, SIM forensics, and SIM/base band hacking

– Please report errors and omissions (acknowledgement will be
provided)
– All external documents are linked to my domain to ensure they
live on
– Many links went dark while developing this presentation
– All links are properly referenced in the final slide

– And other requested topics

Joshua Franklin
www.jfranklin.me
josh dot michael dot franklin at gmail

– @thejoshpit
117

Resources & References
•
•
•

•
•
•
•

[Hulton08] Hulton, Steve, Intercepting GSM Traffic, Blackhat 2008.
[Borgaonkar11] Borgaonkar, Nico, Redon,
Femtocells: a Poisonous Needle in the Operator's Hay Stack.
[Perez11] Perez, Pico,
A practical attack against GPRS/EDGE/UMTS/HSPA mobile data
communications, Blackhat DC 2011.
[Nyberg04] Cryptographic Algorithms for UMTS
Dr. Maode Ma, Security Investigation in 4G LTE Wireless Networks
Muyung, A Technical Overview of 3GPP LTE
Agilent,
LTE and the Evolution to 4G Wireless: Bonus Material: Security in the
LTE-SAE Network, Agilent

118