4g and 5g networks
play

4G and 5G Networks Altaf af Shai aik (Technische Universitt - PowerPoint PPT Presentation

Dec 12, 2023 •564 likes •936 views

Exposing Device Features on KAITIAKI 4G and 5G Networks Altaf af Shai aik (Technische Universitt Berlin, Germany) Ravishankar Borgaonkar (SINTEF Digital, Norway) Hardware.io 2019, Netherlands 26.09.2019 1 5G? G? Human Communication

  1. Exposing Device Features on KAITIAKI 4G and 5G Networks Altaf af Shai aik (Technische Universität Berlin, Germany) Ravishankar Borgaonkar (SINTEF Digital, Norway) Hardware.io 2019, Netherlands 26.09.2019 1

  2. 5G? G? Human Communication Machine Communication 26.09.2019 2

  3. 5G G Sec.? LTE Security New Services New Networking Technologies Requirements + (Use Cases) NFV/SDN Enhancements 5G Security Requirements Source: https://www.informationsecuritybuzz.com/articles/security-challenges-next-generation-5g-mobile-networks/ 26.09.2019 3

  4. 5G G Securi rity y Elem emen ents Network Slicing Security/ Cell Authentication+/ Edge Cloud NFV/SDN Security/ Encryption/ Integrity+/ Central Cloud Privacy+/ Resilience+ Mobile Edge Computing/ Device identifiers/ Credentials/ 26.09.2019 4

  5. Securi rity Evo volution on (OTA) 26.09.2019 5

  6. IMSI SI Catcher ers in n 5G. G.? IMSI IMEI IMSI IMEI IMSI IMEI IMSI IMEI 26.09.2019 6

  7. 5G G Securi rity? y?  5G Security >> 4G ? (What’s new)  Same Protocols, Same security algorithms  Attacks in 4G/LTE fixed.?  Downgrade attacks, DoS attacks, Location tracking  What’s not fixed in 4G – copy paste to 5G 26.09.2019 7

  8. Capabilities es? UE Capabilities Core network Capabilities 1 Radio access Capabilities 2 (Security algorithms, voice (frequency bands, Rx & Tx calling support, V2V) features, MIMO, CA, Category) 1. 3GPP TS 24.301, 23.401, 24.008 2. 3GPP TS 36.331 26.09.2019 8

  9. Cor ore Capabilities es 26.09.2019 9

  10. Capabilities es 5G • V2X: Connected Cars • Prose (D2D): Location services • CIoT: IoT specific 26.09.2019 10

  11. Ra Radi dio o Capabilities es 26.09.2019 11

  12. LTE Reg egistration on Registration ( Core Network Capabilities )  UE Capabilities Authentication and Security  sent to network while registration Get capabilities  Stored at network for long periods Send Capabilities  visible in plain-text over-the-air Radio Access Capabilities Save all  Passive and active attacks Capabilities OTA Security Registration Success 26.09.2019 12

  13. Issu sue? e? UE Capabilities  Accessible by rogue base stations  Sent plain-text over the air  Standard + Implementation bugs 26.09.2019 13

  14. Attacks?  MNmap (active or passive)  Bidding down (MITM)  Battery Drain (MITM) 26.09.2019 14

  15. Set etup – LTE MitM attacker er  Hardware  2 X (USRP B210 + Laptops)  Phones, Quectel modems, cars, IoT devices, trackers, laptops, routers….  Software  SRSLTE  Attacks tested with real devices and commercial networks 26.09.2019 15

  16. 1. MNmap  ( Mobile Network Mapping ) similar to IP Nmap  Maker  Model  OS  Applications  Version 26.09.2019 17

  17. MNmap Baseband Vendor Name and Model Identify any Cellular device in the wild Cellular Cellular IoT Chip Maker, Phone Others NB-IoT LTE-M (Tablet) Device Model, Operating System, Asset Trackers Car Smart Meters Android iOS Railways Smart grid Application of device, Agriculture Sensors Baseband Software Version Router Samsung Iphone, Ipad Home automation USB dongle Huawei (with HTC Hotspots version) Laptops LG NOKIA Vending machines Wearables 26.09.2019 18

  18. Ide dentification n – How ow Baseband Vendors implement capabilities differently  For e.g., Qualcomm Chipsets always Disable EAI0  Many Capabilities are optional , (disabled/enabled) Each target Application requires different set of UE Capabilities  V2V for automated car  Voice calling and codec support for phone  GPS capability for tracker  Data only support for routers, USB data sticks (SMS only) 26.09.2019 19

  19. DUT 26.09.2019 20

  20. Ref ef model Devices • Baseband vendor • Application • Chipset name • 3GPP release 26.09.2019 21

  21. Fing nger erpri rints Implementation differences among Baseband vendors Capability Huawei Samsung Intel Mediatek Qualcomm CM Service 1 0 0 0 1 Prompt EIA0 1 1 1 1 0 Access class 0 1 0 1 1 controlfor CSFB Extended Measurement 0 0 0 1 0 Capability 26.09.2019 22

  22. Chi hipset inf nfo 26.09.2019 23

  23. Half-way 1. Baseband Maker 2. Baseband Model 3. List of supported devices for the chipset 4. Identify the right device and application 26.09.2019 24

  24. Fing nger erpri rints Difference b/w phone and other devices Capability Phone Others Difference b/w iOS and Android Capability Android iOS Voice or Not UE’s Usage setting Data present MS assisted GPS 1 0 CS Voice Voice domain Not or PS Voice over PS-HS- preference present 1 0 Voice UTRA-FDD-r9 UMTS AMR codec Present Not Phone and preferred Baseband Difference b/w cellular and cellular IoT Phone Baseband Capability Cellular IoT Cellular Huawei Huawei PSM Timer 1 0 Samsung Samsung T3412 ext period 1 0 Apple Intel or QCT TAU timer 26.09.2019 26

  25. MNmap issu sues es  SIM card can have affect on capabilities  enabled/disabled – operator setting, e.g., bands  IoT applications lte-M vs NB-IoT  Timer values (low for smart meters, high for asset trackers)  Success and failures in detecting (close to round off, multiple options) 26.09.2019 27

  26. Wha What nex next  Passive MNmap also works (active base station not required)  Privacy  Link IMSI to device capabilities on 4G  (associate device fingerprints to people)  Launch target specific attack  Open source MNmap : share traces and automated tool 26.09.2019 29

  27. 2. Bidd dding g do down Get capabilities Send Capabilities  Hijacking RELAY  Radio Capabilities Radio Radio Capabilities Capabilities  MitM relay before OTA Save all Security Capabilities  Network/Phone cannot OTA Security detect Registration Success 26.09.2019 30

  28. Bidd dding g do down  Radio Capabilities are modified  UE Category changed (Cat 12 -> Cat 1)  CA and MIMO are disabled  Frequency Bands are removed  VoLTE mandatory requirements are disabled  V2V capabilities can be removed 26.09.2019 31

  29. Tests with rea real ne networks  LTE service downgrade (with elite USIM)  Iphone 8 and LTE Netgear router (Qualcomm Basebands)  Data Rate (downlink) 48 Mbps to 2 Mbps (USA and Europe)  VoLTE calls are denied to UE (CSFB used)  Handovers to 2G/3G due to lack of band support – downgraded 26.09.2019 32 32

  30. Impact  22 out of 32 Tested LTE networks worldwide (Europe, Asia, NA) are affected (USA, Switzerland, France, Japan, Korea Netherlands, UK, Belgium, Iceland)  Persistent for 7 days  Capabilities are Cached at Core network  Restart device for normal operation  **Radio is bottleneck for speed data service 26.09.2019 33

  31. Wh Why y without ut/b /before e Secu ecurity ***T *To do early optimization fo for better service ce/connect ctivity 26.09.2019 34

  32. 3. Battery ery Drain Registration PSM_enable  NB-IoT (Narrow Band) Capabilities Capabilities PSM_disabled  Power Saving Mode (PSM) Authentication and Security  OFF when not in use Registration Success PSM_Not_enabled Battery_Drain 26.09.2019 35

  33. Tests  PSM disabled (UE and network don’t detect)  Continuous activity - Neighbor cell measurements  drains battery (10 year battery??)  Experiment with NB-IoT UE (Quectel BC68 modem)  Reconnects after 310 hours (13 days)  Battery lifetime reduced by 5 times  Persistent attack: restart required to restore 26.09.2019 36

  34. Vul ulner erability y Status  Reported to GSMA, 3GPP SA3 and other affected operators and vendors  Positive acknowledgement / could be implementation issues  Thanks to GSMA, SA3: 3GPP to add fixes  Core network capabilities are still unprotected  MNmap still possible on 5G : passive, active 26.09.2019 37

  35. Fixes es  Fixes in LTE release 14 for NB-IoT will be commercial soon  UE Capabilities should be security protected : accessible only after mutual authentication • Operators eNodeB implementation/configuration should be updated  Capabilities should be replayed to UE after NAS security setup for verification – Hash of them • V2V, Voice calling features, PSM timers, etc. 26.09.2019 38

  36. Thank you altaf329@sect.tu-berlin.de Ravi.borgaonkar@sintef.no Director@kaitiaki.in 26.09.2019 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Information Visualization networks without networks, couldn't have any of these: Dataset

Information Visualization networks without networks, couldn't have any of these: Dataset

Network data Applications of networks Information Visualization networks without networks, couldn't have any of these: Dataset Types model relationships Networks & Trees 1/2 between things Tables Networks Fields (Continuous)

263 views • 4 slides
Types of networks (social networks, computer networks, entity- relationship networks, )

Types of networks (social networks, computer networks, entity- relationship networks, )

Networks Types of networks (social networks, computer networks, entity- relationship networks, ) Node-link diagrams Layered Internet architecture (encapsulation) The Internet Structure of the Internet core

556 views • 16 slides
Social and Technological Networks: Review Rik Sarkar Networks Networks/graphs are

Social and Technological Networks: Review Rik Sarkar Networks Networks/graphs are

Social and Technological Networks: Review Rik Sarkar Networks Networks/graphs are fundamental in computer science And becoming more important As systems, people, computation become more interconnected Why study networks We

223 views • 21 slides
1 Hardware architectures Point-to-point networks Many different types of networks: One

1 Hardware architectures Point-to-point networks Many different types of networks: One

Networks in embedded systems Networking for Embedded Systems Why we use networks. Network abstractions. Example networks. initial processing more processing Properties of wireless networks. PE sensor PE PE actuator PEs

573 views • 7 slides
Current Network Structure for Pediatrics Hospital Networks Country, state, regional, Academic

Current Network Structure for Pediatrics Hospital Networks Country, state, regional, Academic

Current Network Structure for Pediatrics Hospital Networks Country, state, regional, Academic networks networks Sub-specialty NIH networks networks Foundation networks Trial recruitment networks Disease specific networks Networks for

361 views • 6 slides
Computer Networks I Computer Networks I Networks A networks connection structure is known as

Computer Networks I Computer Networks I Networks A networks connection structure is known as

Computer Networks I Computer Networks I Networks A networks connection structure is known as its network topology . Host nodes source and destination of messages Communication nodes where messages pass through; can be

304 views • 26 slides
NETWORKS Networks There are many types of networks and network effects Physical:

NETWORKS Networks There are many types of networks and network effects Physical:

NETWORKS Networks There are many types of networks and network effects Physical: computers, railways Social: online, family Network externalities: value depends on # users Different fields, different (overlapping) refs, focus

589 views • 36 slides
Topics ! Use of networks ! Network structure ! Implementation of networks Computer Networks

Topics ! Use of networks ! Network structure ! Implementation of networks Computer Networks

Topics ! Use of networks ! Network structure ! Implementation of networks Computer Networks Introduction Lets Get Started! Computer Networks: Our Definition ! Networking today: Where are they? An interconnected collection of

439 views • 8 slides
Routing in Ad-hoc networks P R E S E N T E D B Y - L E W I S T S E N G R A C H I T A G A R W A

Routing in Ad-hoc networks P R E S E N T E D B Y - L E W I S T S E N G R A C H I T A G A R W A

Routing in Ad-hoc networks P R E S E N T E D B Y - L E W I S T S E N G R A C H I T A G A R W A L Ad-hoc networks Infrastructure-less networks No fixed routers (potentially) mobile nodes Dynamically and arbitrarily located

1.15k views • 94 slides
Types of Biological Networks Many important biological networks are defined on molecules such as

Types of Biological Networks Many important biological networks are defined on molecules such as

Marinka Zitnik CS 224W: Biological Networks November 28, 2017 The study of biological networks, their analysis and modeling are important tasks in life sciences today. Most biological networks are still far from being complete and they are often

223 views • 9 slides
Mobility and cellular networks Mobility and cellular networks Cellular radio and PCS networks

Mobility and cellular networks Mobility and cellular networks Cellular radio and PCS networks

Wireless WANs Mobility and cellular networks Mobility and cellular networks Cellular radio and PCS networks Wireless data networks Satellite links and networks Mobility, etc.- 2 Basic concepts and directions in telecommunications

289 views • 7 slides
Networks in economics Lecture 1 - Measuring networks and finance What are networks and why study

Networks in economics Lecture 1 - Measuring networks and finance What are networks and why study

Networks in economics Lecture 1 - Measuring networks and finance What are networks and why study them? A network is a set of items (nodes) connected by edges or links. Units (nodes) Interaction Individuals Friendship Firms Trade Banks

486 views • 29 slides
CONVOLUTIONAL AND RECURRENT NEURAL NETWORKS Neural networks Fully connected networks

CONVOLUTIONAL AND RECURRENT NEURAL NETWORKS Neural networks Fully connected networks

CONVOLUTIONAL AND RECURRENT NEURAL NETWORKS Neural networks Fully connected networks Neuron Non-linearity Softmax layer DNN training Loss function and regularization SGD and backprop Learning rate Overfitting

1.8k views • 86 slides
Branching Networks Introduction River Networks Complex Networks, Course 295A, Spring, 2008

Branching Networks Introduction River Networks Complex Networks, Course 295A, Spring, 2008

Branching Networks Branching Networks Introduction River Networks Complex Networks, Course 295A, Spring, 2008 Definitions Allometry Laws Stream Ordering Hortons Laws Prof. Peter Dodds Tokunagas Law Horton Tokunaga Reducing

1.57k views • 110 slides
Architecture Perceptron Highway Networks Highway Networks Allows training very deep

Architecture Perceptron Highway Networks Highway Networks Allows training very deep

Highway Networks for Visual Question Answering Aaditya Prakash PhD advisor: James Storer Brandeis University Architecture Perceptron Highway Networks Highway Networks Allows training very deep networks Srivastava et al trained

174 views • 16 slides
Networks Eric McCreath Networks A communication networks provides the means by which computers

Networks Eric McCreath Networks A communication networks provides the means by which computers

Networks Eric McCreath Networks A communication networks provides the means by which computers can transfer information to and from other computing devices. The Internet has become the most extensive network for computers to communicated

635 views • 6 slides
Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security Dr. Christos Xenakis Dr. Christoforos Ntantogian Associate Professor, Department of Digital Systems School of Information and Communication

524 views • 26 slides
Efficient VLSI architectures for baseband signal processing in wireless base-station receivers

Efficient VLSI architectures for baseband signal processing in wireless base-station receivers

Efficient VLSI architectures for baseband signal processing in wireless base-station receivers Sridhar Rajagopal Srikrishna Bhashyam, Joseph R. Cavallaro, and Behnaam Aazhang This work is supported by Nokia, TI, TATP and NSF Motivation

282 views • 25 slides
Baseband Signal Processing Framework Baseband Signal Processing Framework for the OsmocomBB GSM

Baseband Signal Processing Framework Baseband Signal Processing Framework for the OsmocomBB GSM

Baseband Signal Processing Framework Baseband Signal Processing Framework for the OsmocomBB GSM Protocol Stack Harald Krll, Christian Benkeser, Stefan Zwicky, Benjamin Weber, Qiuting Huang Integrated Systems Laboratory, ETH Zurich d S b i h

306 views • 26 slides
Welcome to the Mentoring Swimming Officials webinar. We appreciate that you have taken the

Welcome to the Mentoring Swimming Officials webinar. We appreciate that you have taken the

Welcome to the Mentoring Swimming Officials webinar. We appreciate that you have taken the time out of your day to participate and hope that you will learn some valuable tips from this program. Lets get started! 1 Develop Swim

610 views • 33 slides
Pilot-aided Direction of Arrival Estimation for mmWave Cellular Systems Mahbuba Sheba Ullah Dr.

Pilot-aided Direction of Arrival Estimation for mmWave Cellular Systems Mahbuba Sheba Ullah Dr.

Pilot-aided Direction of Arrival Estimation for mmWave Cellular Systems Mahbuba Sheba Ullah Dr. Ahmed Tewfik University of Texas at Austin March 23, 2016 Outline Motivation Prior work Pilot assisted, sub-sample based MUSIC

377 views • 14 slides
GTC 2019, San Jose Dr. Tim OShea, CTO : tim@deepsig.io 3100 Clarendon Blvd, Suite 200

GTC 2019, San Jose Dr. Tim OShea, CTO : tim@deepsig.io 3100 Clarendon Blvd, Suite 200

Realizing the full potential of data & learning within communications systems & wireless baseband GTC 2019, San Jose Dr. Tim OShea, CTO : tim@deepsig.io 3100 Clarendon Blvd, Suite 200 Arlington, VA 22201 www.deepsig.io Brief DeepSig

842 views • 28 slides
Autonomous Formation Flying (AFF) Sensor for Precision Formation Flying Missions MiMi Aung

Autonomous Formation Flying (AFF) Sensor for Precision Formation Flying Missions MiMi Aung

Autonomous Formation Flying (AFF) Sensor for Precision Formation Flying Missions MiMi Aung 11/21/02 Autonomous Formation Flying (AFF) Sensor Contributors to the AFF Sensor AFF Sensor PEM MiMi Aung (335) Jeff Srinivasan (335) StarLight AFF

365 views • 35 slides
Antennas for MIMO systems Brian Collins Antenova Ltd Something familiar Receiver 1 TX array

Antennas for MIMO systems Brian Collins Antenova Ltd Something familiar Receiver 1 TX array

Antennas for MIMO systems Brian Collins Antenova Ltd Something familiar Receiver 1 TX array Receiver 2 If the transmit antenna has sufficient resolution, different data streams can be sent to the two receivers using the same carrier

388 views • 37 slides

More recommend