cellular location tracking with
play

Cellular Location Tracking with Changing Temporary Identifier B. - PowerPoint PPT Presentation

Sep 28, 2023 •183 likes •532 views

GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier B. Hong, S. Bae, and Y. Kim NDSS 2018 Location Privacy Leaks on GSM We have the victims mobile phone number Can we detect if the victim is

  1. GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier B. Hong, S. Bae, and Y. Kim NDSS 2018

  2. Location Privacy Leaks on GSM  We have the victim’s mobile phone number  Can we detect if the victim is in/out of an area of interest? – Granularity? 100 km 2 ? 1km 2 ? Next door?  No collaboration from service provider – i.e. How much information leaks from the HLR over broadcast messages?  Attacks by passively listening – Paging channel – Random access channel 2

  3. Cellular Network HSS GSM Air Interface ATR HLR BTS MS VLR PSTN MSC BSC

  4. Location Leaks on Cellular Network  IMSI BTS – a unique # associated with all GSM Paging Request  TMSI MS – PCCH Randomly assigned by the VLR – Updated in a new area Channel Request  RACH PCCH – Broadcast paging channel Immediate Assignment  RACH – PCCH Random Access Channel  SDCCH Paging Response – Standalone Dedicated Control Cha nnel SDCCH  LAC has multiple cell towers that us Setup and Data es different ARFCN

  5. Platform Serial cable and r VirtualBox runnin eprogrammer cab g Ubuntu and Os le ($30) mosomBB softwa re (free) HTC Dream with c ustom Android Ke Motorola C rnel ($100) 118 ($30)

  6. Phone number-TMSI mapping dt PSTN PCH Time dt

  7. Silent Paging  Delay between the call initiation and the paging request: 3 sec 2 4 6 8 10 Time/seconds  Median delay between call initiation and ring: 6 sec 2 4 6 8 10 Time/seconds

  8. Immediate Assignment  Is IA message sent to all towers 2.0 in the same LAC?  How do we identify IA message? 1.5 – No identifiable information 1.0  Check the correlation between − IA and Paging request 0.5 0.0 same ARFCN diff ARFCN random

  9. Location Area Code (LAC)

  10. Hill Climbing to discover towers

  11. Mapping cell signal strength

  12. Coverage area with 1 antenna Downtown Minneapolis Observer Yagi Towers in this area are antenna observable with a John’s newly rooftop 12 db gain antenna shaved head

  13. Following a walking person Observer End Start Approximate areas covered by towers to which the victim ’s phone was attac hed to

  14. SysSec System Security Lab. GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier Byeongdo Hong, Sangwook Bae, Yongdae Kim KAIST SysSec Feb. 19, 2018

  15. Paging Area in Cellular Network Tracking Area Paging Request (radius < 10 km) Paging Response Paging: A method to find specific subscriber How? By using subscriber’s identifier 15

  16. Identifiers in Cellular Networks  Permanent/Unique identifier – IMSI (International Mobile Subscriber Identity)  Provisioned in the SIM card  Temporary identifier – Used to hide subscriber  TMSI (Temporary Mobile Subscriber Identity) • Used in 2G/3G  GUTI (Globally Unique Temporary Identity) • Used in LTE 16

  17. Location Tracking in Cellular Network Location Area 1 Victim Yongdae Location Area 2 TMSI : 0xff123456 Attacker User B User C 17

  18. Phone number-Temporary ID mapping  Traffic analysis to find the same TMSI (Kune et al. NDSS’12) – Find intersects of identifier’s sets Observation Call trigger Call trigger Call trigger Attacker dt dt dt Paging Channel Time  Using “Silent Call” – Terminating call before ringing  Same vulnerability in LTE - unchanged GUTI (Shaik et al. NDSS’16) 19

  19. Defense of Location Tracking  Temporary Identifier Reallocation – GUTI Reallocation in LTE – To prevent between subscriber and ID mapping Q. Is GUTI Reallocation the solution to existing attacks? A. It is Yes But simply changing is not a solution! 20

  20. Experiment Setup Broadcast Channel Analysis Device Analysis srsLTE (open source) Antenna USRP B210 Broadcast Channel Receiver Diagnostic Monitor Signaling Collection and Analysis Tool (SCAT) [1] [1] B. Hong, S. Park, H. Kim, D. Kim, H. Hong, H. Choi, J.P. Seifert, S. Lee, Y. Kim, Peeking over the Cellular Walled Gardens - A Method for Closed Network Diagnosis -, IEEE Transactions on Mobile Computing. 21

  21. Worldwide Data Collection Country # of # of # of Country # of # of # of OP. USIM signalings OP. USIM signalings U.S.A 3 22 763K U.K. 1 1 41K Austria 3 3 807K Spain 2 2 51K Belgium 3 3 372K Netherlands 3 3 946K Switzerland 3 3 559K Japan 1 2 37K Germany 4 19 841K South Korea 3 14 1.7M France 2 6 305K Data summary Collection Period: 2014. 11. ~ 2017. 7. # of countries: 11 # of operators: 28 # of USIMs: 78 # of voice calls: 58K # of signalings: 6.4M ※ OP: operator, USIM: Universal Subscriber Identity Module, Signaling: control plane message 22

  22. Same vs. Fingerprintable IDs NDSS’12, ‘16: Same ID  Location Tracking!! This work: ID Fingerprinting  Location Tracking!! 23

  23. Fixed Bytes in GUTI Reallocation  19 operators have fixed bytes Allocation Pattern Operators Assigning the same GUTI BE-III, DE-II, FR-II, JP-I Three bytes fixed CH-II, DE-III, NL-I, NL-II Two bytes fixed BE-II, CH-I, CH-III, ES-I, FR-I, NL-III One bytes fixed AT-I, AT-II, AT-III, BE-I, DE-I AT: Austria, BE: Belgium, CH: Switzerland, DE: Germany, ES: Spain, FR: France, JP: Japan, NL: Netherlands 24

  24. Case I: Netherlands (NL-I) F FF Hexadecimal value Hexadecimal value 12 C 192 C0 8 8 128 80 40 4 4 64 0 0 0 10 20 30 0 10 20 30 (a) 1st byte (b) 2nd byte # of call # of call FF FF Hexadecimal value Hexadecimal value 192 192 C0 C0 128 80 128 80 64 40 64 40 0 0 0 10 20 30 0 10 20 30 # of call # of call (c) 3rd byte (d) 4th byte 25

  25. Case I: Netherlands (NL-I) F FF Hexadecimal value Hexadecimal value 12 C 192 C0 8 8 128 80 40 4 4 64 0 0 0 10 20 30 0 10 20 30 (a) 1st byte (b) 2nd byte # of call # of call FF FF Hexadecimal value Hexadecimal value 192 192 C0 C0 128 80 128 80 64 40 64 40 0 0 0 10 20 30 0 10 20 30 # of call # of call (c) 3rd byte (d) 4th byte 26

  26. Case II: Belgium (BE-II) 58 Hexadecimal value Hexadecimal value 56 38 192 C0 36 54 128 80 34 52 64 40 32 50 0 48 30 0 10 20 30 0 10 20 30 # of call # of call (a) 1st byte (b) 2nd byte FF FF Hexadecimal value Hexadecimal value C0 C0 192 192 80 80 128 128 64 40 64 40 0 0 0 10 20 30 0 10 20 30 # of call # of call 27 (c) 3rd byte (d) 4th byte

  27. Case II: Belgium (BE-II) 58 Hexadecimal value Hexadecimal value 56 38 192 C0 36 54 128 80 34 52 64 40 32 50 0 48 30 0 10 20 30 0 10 20 30 # of call # of call (a) 1st byte (b) 2nd byte FF FF Hexadecimal value Hexadecimal value C0 C0 192 192 80 80 128 128 64 40 64 40 0 0 0 10 20 30 0 10 20 30 # of call # of call 28 (c) 3rd byte (d) 4th byte

  28. Fixed Bytes in GUTI Reallocation  19 operators have fixed bytes Allocation Pattern Operators Assigning the same GUTI BE-III, DE-II, FR-II, JP-I Three bytes fixed CH-II, DE-III, NL-I, NL-II Two bytes fixed BE-II, CH-I, CH-III, ES-I, FR-I, NL-III One bytes fixed AT-I, AT-II, AT-III, BE-I, DE-I AT: Austria, BE: Belgium, CH: Switzerland, DE: Germany, ES: Spain, FR: France, JP: Japan, NL: Netherlands 29

  29. Stress Testing  No noticeable rule of GUTI Reallocation for some operators  Invoking voice call continuously with a short time – Two types of test  Weak stress testing  Hard stress testing • Calls at shorter intervals than weak stress test 30

  30. Stress Testing Result  Force the network to skip the GUTI reallocation – Perform experiments on US and Korean operators  Two US and two Korean operators Network skip End weak GUTI Reallocation stress testing FF Operator Weak Stress Hard Stress Hexadecimal value 192 C0 Testing Testing KR-I O O 128 80 KR-II X O US-I X O 40 64 US-II O O 0 O: Reuse GUTI 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 X: No noticeable change # of call 1st Byte 2nd Byte 3rd Byte 4th Byte 31

  31. Success Rate of our Attack  Required number of calls covering 99% success rate 20 5 paging / sec 88 paging / sec 15 Call Trial 160 paging / sec 10 5 0 1 byte fixed 2 bytes fixed 3 bytes fixed

  32. Location Tracking with GUTI  Observation of broadcast channels after call invocation – Pattern matching (fixed bytes, assigning same GUTI) – Location tracking (Tracking Area, Cell) OpenSignal (at KAIST) 33

  33. Defenses + Requirements  Frequent refreshing of temporary identifier – Per service request  Unpredictable identity allocation – Cryptographically secure pseudorandom number generation  Hash_DRBG can be used  Collision avoidance  Stress-testing resistance  Low cost implementation 34

  34. Conclusion  Predictable reallocation logic – GUTI reallocation pattern  Fixed bytes (19 operators) – Same GUTI  By stress test (4 test cases)  Assigning same GUTI  Location tracking is still possible in cellular network!  Secure GUTI reallocation mechanism is required 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

T-110.456 Next generation cellular networks Location Services Based on Cellular Systems Alexei

T-110.456 Next generation cellular networks Location Services Based on Cellular Systems Alexei

T-110.456 Next generation cellular networks Location Services Based on Cellular Systems Alexei Semenov 06.04.2005 Agenda - Introduction - Location Service System Architecture - Mobile Location Protocol - Evolution of Location Services -

450 views • 17 slides
Location Services Based on Location Services Based on Cellular Networks Cellular Networks Mikko

Location Services Based on Location Services Based on Cellular Networks Cellular Networks Mikko

Location Services Based on Location Services Based on Cellular Networks Cellular Networks Mikko Voipio Next Generation Wireless Networks November 31, 2005 Background Background A lot of information is location based Location is,

509 views • 18 slides
Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location

Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location

Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location of one target in video starting from a bounding box in the first frame. When conceived as an instant learning problem, the task is to discriminate

651 views • 39 slides
CS 528 Mobile and Ubiquitous Computing Lecture 6: Tracking Location, Maps, Services, Audio/Video

CS 528 Mobile and Ubiquitous Computing Lecture 6: Tracking Location, Maps, Services, Audio/Video

CS 528 Mobile and Ubiquitous Computing Lecture 6: Tracking Location, Maps, Services, Audio/Video Playback, Presentation/Critique Guidelines Emmanuel Agu Tracking the Devices Location Location Tracking Outdoors: Uses GPS (More accurate)

955 views • 71 slides
Location tracking Location tracking Engineering &amp; Public Policy Lorrie Faith Cranor

Location tracking Location tracking Engineering &amp; Public Policy Lorrie Faith Cranor

CyLab Location tracking Location tracking Engineering &amp; Public Policy Lorrie Faith Cranor October 14, 2014 y &amp; c S a e v c i u r P r i t e y l b L a a s b U o 8-533 / 8-733 / 19-608 / 95-818: b r a a

893 views • 44 slides
Location tracking Location tracking Engineering &amp; Public Policy Lorrie Faith Cranor

Location tracking Location tracking Engineering &amp; Public Policy Lorrie Faith Cranor

CyLab Location tracking Location tracking Engineering &amp; Public Policy Lorrie Faith Cranor October 8, 2013 y &amp; c S a e v c i u r P r i t e y l b L a a s b U o 8-533 / 8-733 / 19-608 / 95-818: b r a a t

969 views • 48 slides
Secure Communications Center (SCC) Secure Messaging and Location Tracking Smartphones

Secure Communications Center (SCC) Secure Messaging and Location Tracking Smartphones

Secure Communications Center (SCC) Secure Messaging and Location Tracking Smartphones Information Technology Security Location User Messaging Tracking Network * CEO A. Baar Akbay CFO PDM M. Melih H. Hakan Deirmenci Kahraman

371 views • 36 slides
Cellular Automaton Tracking for VXD Cellular Automaton Tracking for VXD Cellular Automaton

Cellular Automaton Tracking for VXD Cellular Automaton Tracking for VXD Cellular Automaton

Cellular Automaton Tracking for VXD Cellular Automaton Tracking for VXD Cellular Automaton Tracking for VXD Cellular Automaton Tracking for VXD based on Mini Vectors based on Mini Vectors based on Mini Vectors based on Mini

361 views • 19 slides
Location Based Services for J2ME F. Ricci Content Location-based services What is a

Location Based Services for J2ME F. Ricci Content Location-based services What is a

Location Based Services for J2ME F. Ricci Content Location-based services What is a location How to obtain location data Satellites Cellular network Short range positioning beacons JSR 179 Location API

767 views • 59 slides
Variations in Tracking In Relation To Geographic Location Nathaniel Fruchter Hsin Miao Scott

Variations in Tracking In Relation To Geographic Location Nathaniel Fruchter Hsin Miao Scott

Variations in Tracking In Relation To Geographic Location Nathaniel Fruchter Hsin Miao Scott Stevenson Rebecca Balebako W2SP 2015 The short version An empirical, automated method of measuring web tracking across countries Deployed in

742 views • 56 slides
Variations in Tracking In Relation To Geographic Location Nathaniel Fruchter Hsin Miao Scott

Variations in Tracking In Relation To Geographic Location Nathaniel Fruchter Hsin Miao Scott

Variations in Tracking In Relation To Geographic Location Nathaniel Fruchter Hsin Miao Scott Stevenson Rebecca Balebako W2SP 2015 1 trampling on European privacy laws by tracking people online without their consent [the US]

928 views • 63 slides
Mobility Collector Battery Conscious Mobile Tracking Adrian C. Prelipcean , Gyz Gidfalvi

Mobility Collector Battery Conscious Mobile Tracking Adrian C. Prelipcean , Gyz Gidfalvi

Mobility Collector Battery Conscious Mobile Tracking Adrian C. Prelipcean , Gyz Gidfalvi Geoinformatics, Royal Institute of Technology KTH, Sweden Outline Spatial and temporal granularity in Location tracking location-dependant data

669 views • 51 slides
Optimizing base station location and configuration in 3G cellular (UMTS) networks Edoardo Amaldi

Optimizing base station location and configuration in 3G cellular (UMTS) networks Edoardo Amaldi

Optimizing base station location and configuration in 3G cellular (UMTS) networks Edoardo Amaldi Antonio Capone Dipartimento di Elettronica e Informazione Federico Malucelli Outline 1) Network planning for UMTS systems with CDMA interface

457 views • 30 slides
Location, Location, Location, Location, Location: Location: GPS and Google Earth GPS and

Location, Location, Location, Location, Location: Location: GPS and Google Earth GPS and

Location, Location, Location, Location, Location: Location: GPS and Google Earth GPS and Google Earth South Carolina Conference for the Social Studies October 5, 2007 Myrtle Beach, SC Julia Davis judavis@richlandone.org MaryAnn Sansonetti

395 views • 12 slides
GLANSER A Scalable Location &amp; Tracking System for First Responders Status Update

GLANSER A Scalable Location &amp; Tracking System for First Responders Status Update

GLANSER A Scalable Location &amp; Tracking System for First Responders Status Update Honeywell, Argon ST, TRX Systems August 6, 2012 Acknowledgments The GLANSER program is being supported by funding from the Department of Homeland

696 views • 33 slides
CA Tracking S.Gorbunov, I.Kisel, M.Pugach FIAS, Frankfurt am Main PANDA collaboration meeting

CA Tracking S.Gorbunov, I.Kisel, M.Pugach FIAS, Frankfurt am Main PANDA collaboration meeting

CA Tracking S.Gorbunov, I.Kisel, M.Pugach FIAS, Frankfurt am Main PANDA collaboration meeting Darmstadt , 7 June 2016 Outline Introduction Cellular Automaton tracking Current Status &amp; Results Summary &amp; Outlook 2

493 views • 11 slides
FRAME STRUCTURE &amp; TIMING ADVANCE IN IN GSM ECE 2526 MOBILE COMMUNICATION Monday, 20 May

FRAME STRUCTURE &amp; TIMING ADVANCE IN IN GSM ECE 2526 MOBILE COMMUNICATION Monday, 20 May

FRAME STRUCTURE &amp; TIMING ADVANCE IN IN GSM ECE 2526 MOBILE COMMUNICATION Monday, 20 May 2018 NUMBER OF CHANNELS IN GSM Freq. Carrier: 200 kHz TDMA: 8 time slots per freq carrier No. of carriers = 25 MHz / 200 kHz = 125

687 views • 20 slides
On the Kolmogorov Complexity of Continuous Real Functions Amin Farjudian Division of Computer

On the Kolmogorov Complexity of Continuous Real Functions Amin Farjudian Division of Computer

Kolmogorov Complexity: Finite Objects Non-Finite Objects Main Results Summary and Future Work On the Kolmogorov Complexity of Continuous Real Functions Amin Farjudian Division of Computer Science University of Nottingham Ningbo, China

497 views • 22 slides
Everything you need to know about Lossy Counter Machines Ph. Schnoebelen

Everything you need to know about Lossy Counter Machines Ph. Schnoebelen

Everything you need to know about Lossy Counter Machines Ph. Schnoebelen http://www.lsv.ens-cachan.fr/ phs Lab. Sp ecification et V erification (LSV) CNRS &amp; ENS de Cachan &amp; INRIA-Saclay Journ ee DOTS / Mar. 18th, 2010

947 views • 68 slides
A Miniaturized Predicativity slow growing analogues. Stanley S. Wainer 1 (Leeds

A Miniaturized Predicativity slow growing analogues. Stanley S. Wainer 1 (Leeds

A Miniaturized Predicativity slow growing analogues. Stanley S. Wainer 1 (Leeds UK) HAPPY BIRTHDAY GERHARD December 2013. 1 Earlier parts of this work were done jointly with Elliott Spoors and were partially supported by the 2012

312 views • 13 slides
Relating Tree Series Transducers and Weighted Tree Automata Andreas Maletti December 17, 2004

Relating Tree Series Transducers and Weighted Tree Automata Andreas Maletti December 17, 2004

Relating Tree Series Transducers and Weighted Tree Automata Andreas Maletti December 17, 2004 1. Motivation and Introductory Example 2. Semirings and DM-Monoids 3. Bottom-Up DM-Monoid Weighted Tree Automata 4. Establishing a Relationship 1

329 views • 22 slides
Android Sensing Tutorial Hasan Faik Alan 9/7/2017 Example Android Device CPU : Quad-core 2.5

Android Sensing Tutorial Hasan Faik Alan 9/7/2017 Example Android Device CPU : Quad-core 2.5

Android Sensing Tutorial Hasan Faik Alan 9/7/2017 Example Android Device CPU : Quad-core 2.5 GHz Krait 400 GPU : Adreno 330 Development - Getting Started http://developer.android.com/develop/ Development - Getting Started

581 views • 33 slides
Task Runner Winter Semester 2016/17 Juliane Franze

Task Runner Winter Semester 2016/17 Juliane Franze

Prac%cal Course: Web Development Task Runner Winter Semester 2016/17 Juliane Franze Ludwig-Maximilians-Universitt Mnchen Prac=cal Course Web Development WS

294 views • 10 slides
ECMASCRIPT HARMONY PlovdivConf 2015 https://github.com/ivanovyordan

ECMASCRIPT HARMONY PlovdivConf 2015 https://github.com/ivanovyordan

ECMASCRIPT HARMONY PlovdivConf 2015 https://github.com/ivanovyordan http://ivanovyordan.com ? http://kangax.github.io/compat-table/es6

642 views • 19 slides

More recommend