Cellular Location Tracking with Changing Temporary Identifier B. - - PowerPoint PPT Presentation



SLIDE 1

GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier

  • B. Hong, S. Bae, and Y. Kim

NDSS 2018

SLIDE 2

Location Privacy Leaks on GSM

• We have the victim’s mobile phone number
• Can we detect if the victim is in/out of an area of interest?

– Granularity? 100 km²? 1 km²? Next door?

• No collaboration from the service provider

– i.e. how much information leaks from the HLR over broadcast messages?

• Attacks by passively listening

– Paging channel
– Random access channel

SLIDE 3

Cellular Network

[Figure: cellular network architecture; elements shown: MS, BTS, BSC, MSC, VLR, ATR, HLR, HSS, PSTN; the GSM air interface lies between MS and BTS]

SLIDE 4

Location Leaks on Cellular Network

• IMSI

– A unique number associated with each GSM subscriber

• TMSI

– Randomly assigned by the VLR
– Updated in a new area

• PCCH

– Broadcast paging channel

• RACH

– Random Access Channel

• SDCCH

– Standalone Dedicated Control Channel

• A LAC has multiple cell towers that use different ARFCNs

[Figure: paging exchange between BTS and MS]
BTS → MS: Paging Request (PCCH)
MS → BTS: Channel Request (RACH)
BTS → MS: Immediate Assignment (PCCH)
MS → BTS: Paging Response (SDCCH)
Setup and data

SLIDE 5

Platform

• Motorola C118 ($30)
• VirtualBox running Ubuntu and OsmocomBB software (free)
• Serial cable and reprogrammer cable ($30)
• HTC Dream with custom Android kernel ($100)

SLIDE 6

Phone number-TMSI mapping

[Figure: call triggers placed over the PSTN plotted against observations on the paging channel (PCH) over time; each trigger is followed by a paging observation after an interval dt]

SLIDE 7

Silent Paging

• Delay between the call initiation and the paging request: 3 sec
• Median delay between call initiation and ring: 6 sec

[Figure: two histograms over time (2–10 seconds): delay from call initiation to paging request, and delay from call initiation to ring]

SLIDE 8

Immediate Assignment

• Is the IA message sent to all towers in the same LAC?
• How do we identify the IA message?

– No identifiable information

• Check the correlation between IA and Paging Request

[Figure: correlation between IA and paging request, compared for the same ARFCN, a different ARFCN, and random timing (y-axis 0.0–2.0)]

SLIDE 9

Location Area Code (LAC)

SLIDE 10

Hill Climbing to discover towers

SLIDE 11

Mapping cell signal strength

SLIDE 12

Coverage area with 1 antenna

Towers in this area are observable with a rooftop 12 dB gain antenna

[Figure: map of downtown Minneapolis with the observer position; photo of the Yagi antenna (and John’s newly shaved head)]

SLIDE 13

Following a walking person

[Figure: map with the observer, the start and end points of the walk, and the approximate areas covered by the towers to which the victim’s phone was attached]

SLIDE 14

GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier

Byeongdo Hong, Sangwook Bae, Yongdae Kim KAIST SysSec

Feb. 19, 2018

SysSec

System Security Lab.

SLIDE 15

Paging Area in Cellular Network

[Figure: a Tracking Area (radius < 10 km); a Paging Request is broadcast across the area and the subscriber answers with a Paging Response]

Paging: a method to find a specific subscriber. How? By using the subscriber’s identifier.

SLIDE 16

Identifiers in Cellular Networks

• Permanent/unique identifier

– IMSI (International Mobile Subscriber Identity)

  • Provisioned in the SIM card

• Temporary identifier

– Used to hide the subscriber

  • TMSI (Temporary Mobile Subscriber Identity): used in 2G/3G
  • GUTI (Globally Unique Temporary Identity): used in LTE

SLIDE 17

Location Tracking in Cellular Network

[Figure: Location Area 1 and Location Area 2, containing the victim (Yongdae), User B (TMSI: 0xff123456), User C and the attacker]

SLIDE 18

Phone number-Temporary ID mapping

• Traffic analysis to find the same TMSI (Kune et al. NDSS’12)

– Find the intersection of the identifier sets

• Using a “silent call”

– Terminating the call before ringing

• Same vulnerability in LTE: unchanged GUTI (Shaik et al. NDSS’16)

[Figure: the attacker triggers calls repeatedly; each call trigger is followed after an interval dt by an observation on the paging channel]

SLIDE 19

Defense of Location Tracking

• Temporary identifier reallocation

– GUTI reallocation in LTE
– To prevent mapping between subscriber and ID

  • Q. Is GUTI reallocation the solution to existing attacks?
  • A. Yes, it is

But simply changing it is not a solution!

SLIDE 20

Experiment Setup

[Figure: diagnostic monitor attached to the device; USRP B210 with antenna as the broadcast channel receiver]

Device analysis: Signaling Collection and Analysis Tool (SCAT) [1]
Broadcast channel analysis: srsLTE (open source)

[1] B. Hong, S. Park, H. Kim, D. Kim, H. Hong, H. Choi, J.P. Seifert, S. Lee, Y. Kim, “Peeking over the Cellular Walled Gardens: A Method for Closed Network Diagnosis,” IEEE Transactions on Mobile Computing.

SLIDE 21

Worldwide Data Collection

Country       # of OP.   # of USIM   # of signalings
U.S.A         3          22          763K
U.K.          1          1           41K
Austria       3          3           807K
Spain         2          2           51K
Belgium       3          3           372K
Netherlands   3          3           946K
Switzerland   3          3           559K
Japan         1          2           37K
Germany       4          19          841K
South Korea   3          14          1.7M
France        2          6           305K

※ OP: operator, USIM: Universal Subscriber Identity Module, Signaling: control plane message

Data summary

• Collection period: 2014. 11. ~ 2017. 7.
• # of countries: 11
• # of operators: 28
• # of USIMs: 78
• # of voice calls: 58K
• # of signalings: 6.4M

SLIDE 22

Same vs. Fingerprintable IDs

NDSS’12, ’16: same ID → location tracking!!

This work: ID fingerprinting → location tracking!!

SLIDE 23

Fixed Bytes in GUTI Reallocation

Allocation pattern          Operators
Assigning the same GUTI     BE-III, DE-II, FR-II, JP-I
Three bytes fixed           CH-II, DE-III, NL-I, NL-II
Two bytes fixed             BE-II, CH-I, CH-III, ES-I, FR-I, NL-III
One byte fixed              AT-I, AT-II, AT-III, BE-I, DE-I

• 19 operators have fixed bytes

AT: Austria, BE: Belgium, CH: Switzerland, DE: Germany, ES: Spain, FR: France, JP: Japan, NL: Netherlands

SLIDE 24

Case I: Netherlands (NL-I)

[Figure: histograms of the hexadecimal value of each GUTI byte across ~30 calls, panels (a) 1st byte, (b) 2nd byte, (c) 3rd byte, (d) 4th byte; x-axis hexadecimal value (0x00–0xFF for bytes 1–3, 0x0–0xF for byte 4), y-axis # of call]


SLIDE 26

Case II: Belgium (BE-II)

[Figure: histograms of the hexadecimal value of each GUTI byte across ~30 calls, panels (a) 1st byte, (b) 2nd byte, (c) 3rd byte, (d) 4th byte; x-axis hexadecimal value (0x00–0xFF for bytes 1, 3 and 4; the 2nd byte only takes values in 0x30–0x38), y-axis # of call]



SLIDE 29

Stress Testing

• No noticeable rule of GUTI reallocation for some operators
• Invoking voice calls continuously within a short time

– Two types of test

  • Weak stress testing
  • Hard stress testing: calls at shorter intervals than in the weak stress test

SLIDE 30

Stress Testing Result

• Force the network to skip the GUTI reallocation

– Perform experiments on US and Korean operators

  • Two US and two Korean operators

Operator   Weak stress testing   Hard stress testing
KR-I       O                     O
KR-II      X                     O
US-I       X                     O
US-II      O                     O

O: reuse GUTI, X: no noticeable change

[Figure: hexadecimal value (0x00–0xFF) of the 1st, 2nd, 3rd and 4th GUTI byte over 29 consecutive calls; marked points: the end of weak stress testing, and the point where the network skips GUTI reallocation and all four bytes stay constant]

SLIDE 31

Success Rate of our Attack

• Required number of calls covering 99% success rate

[Figure: number of call trials (5–20) required for a 99% success rate, for 1, 2 and 3 bytes fixed, at paging loads of 5, 88 and 160 paging/sec]

SLIDE 32

Location Tracking with GUTI

• Observation of broadcast channels after call invocation

– Pattern matching (fixed bytes, assigning the same GUTI)
– Location tracking (Tracking Area, Cell)

[Figure: OpenSignal cell map (at KAIST)]

SLIDE 33

Defenses + Requirements

• Frequent refreshing of the temporary identifier

– Per service request

• Unpredictable identity allocation

– Cryptographically secure pseudorandom number generation

  • Hash_DRBG can be used

• Collision avoidance
• Stress-testing resistance
• Low cost implementation
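As an added example (not from the talk, the paper, or any MME implementation), here is a minimal allocator in Python that meets the requirements listed above, shown next to the pattern it replaces. The fixed-prefix allocator is a constructed stand-in for a “three bytes fixed” scheme. The random allocator redraws all 32 bits from a CSPRNG on every service request (Python’s `secrets` module, i.e. OS randomness, standing in for the Hash_DRBG named on the slide), rejects any candidate already in the table of M-TMSIs in use (collision avoidance), and does nothing that depends on how quickly requests arrive, which is what stress-testing resistance amounts to. The `draw` parameter is a test hook, assumed here so the collision path can be exercised deterministically.

```python
"""Two M-TMSI allocators side by side: a fixed-prefix scheme that leaks a
fingerprint, and a CSPRNG-backed one that meets the slide's requirements.

Added example, not code from the talk, the paper or any MME. It assumes the
MME can keep an in-memory table of M-TMSIs currently in use; Python's
`secrets` module (OS randomness) stands in for the Hash_DRBG on the slide.
"""
import secrets
from typing import Callable, Dict, List, Optional, Set

M_TMSI_BITS = 32
M_TMSI_MASK = (1 << M_TMSI_BITS) - 1


class FixedPrefixAllocator:
    """Pattern to avoid (constructed to resemble 'three bytes fixed'):
    a random 24-bit prefix is chosen once per subscriber and only the
    last byte cycles on each reallocation."""

    def __init__(self) -> None:
        self.prefix: Dict[str, int] = {}
        self.counter: Dict[str, int] = {}

    def reallocate(self, imsi: str) -> int:
        prefix = self.prefix.setdefault(imsi, secrets.randbits(24))
        self.counter[imsi] = (self.counter.get(imsi, -1) + 1) & 0xFF
        return (prefix << 8) | self.counter[imsi]


class RandomAllocator:
    """Redraw all 32 bits from a CSPRNG on every service request, reject
    values already in use, and never depend on the request rate."""

    def __init__(self, draw: Optional[Callable[[], int]] = None,
                 max_retries: int = 16) -> None:
        # `draw` is a test hook; production code uses the CSPRNG directly.
        self._draw = draw or (lambda: secrets.randbits(M_TMSI_BITS))
        self.max_retries = max_retries
        self.in_use: Set[int] = set()          # collision-avoidance table
        self.assigned: Dict[str, int] = {}     # IMSI -> current M-TMSI

    def reallocate(self, imsi: str) -> int:
        old = self.assigned.get(imsi)
        for _ in range(self.max_retries):
            candidate = self._draw() & M_TMSI_MASK
            # `old` is still in the table, so the subscriber can never be
            # handed its previous value back, however fast it asks again.
            if candidate not in self.in_use:
                break
        else:
            raise RuntimeError("no unused M-TMSI found: pool too full or RNG broken")
        if old is not None:
            self.in_use.discard(old)
        self.in_use.add(candidate)
        self.assigned[imsi] = candidate
        return candidate

    def release(self, imsi: str) -> None:
        """Detach: free the value so the in-use table does not grow forever."""
        old = self.assigned.pop(imsi, None)
        if old is not None:
            self.in_use.discard(old)


def stress(allocator, imsi: str, n_requests: int) -> List[int]:
    """Model the stress test: back-to-back service requests for one subscriber."""
    return [allocator.reallocate(imsi) for _ in range(n_requests)]


def all_bytes_change(history: List[int]) -> bool:
    """True when every byte changed at least once over the history, i.e. no
    byte position is left to serve as a fingerprint."""
    changed = 0
    for value in history[1:]:
        changed |= value ^ history[0]
    return all((changed >> shift) & 0xFF for shift in (0, 8, 16, 24))


if __name__ == "__main__":
    weak = stress(FixedPrefixAllocator(), "imsi-constructed-1", 20)
    strong = stress(RandomAllocator(), "imsi-constructed-1", 20)
    print("fixed-prefix allocator, every byte changes:", all_bytes_change(weak))   # False
    print("random allocator, every byte changes:", all_bytes_change(strong))       # True
```

The retry loop bounds the cost of collision avoidance: with a 32-bit space and a table far smaller than 2^32 entries the first draw almost always succeeds, so the scheme stays cheap while the bounded loop turns a broken RNG (or an exhausted pool) into a loud failure instead of silently reused identifiers.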

SLIDE 34

Conclusion

• Predictable reallocation logic

– GUTI reallocation pattern

  • Fixed bytes (19 operators)

– Same GUTI

  • By stress test (4 test cases)
  • Assigning the same GUTI

• Location tracking is still possible in cellular networks!
• A secure GUTI reallocation mechanism is required