IMP4GT: IMPersonation Attacks in 4G NeTworks


SLIDE 1

IMP4GT

IMPersonation Attacks in 4G NeTworks

25.02.2020 NDSS Symposium, San Diego, USA David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper

SLIDE 2

Motivation: Internet Passes

SLIDE 3

LTE Security Aims

  • Mutual Authentication
  • Traffic Confidentiality
  • Identity & Location Confidentiality

SLIDE 4

Security Features Authentication and Key Agreement Connection

SLIDE 5

Missing Integrity Protection

Control Plane User Plane Encryption stream cipher Integrity Protection

SLIDE 6

Malleable Encryption

[Figure: Stream Cipher, Encryption and Decryption; plaintext $10 becomes $100]

SLIDE 7

Already Known: Redirection

Can it be worse? Yes, with IMP4GT

/ˈɪmpækt/

Rupprecht, D., Kohls, K., Holz, T., & Pöpper, C. “Breaking LTE on Layer Two”. In 2019 IEEE Symposium on Security and Privacy (SP)

SLIDE 8

Impersonation in 4G Networks (IMP4GT)

  • Uplink: Impersonation of a user towards the network on the user-plane
  • Downlink: Impersonation of a network towards the user on the user-plane

Breaks mutual authentication in both directions.

SLIDE 9

The Basic Principle

Encryption Oracle Decryption Oracle Impersonation Malleable Encryption Reflection

SLIDE 10

Reflection: ICMP Ping

IP / ICMP (ping) / Data IP / ICMP (ping) / Data

SLIDE 11

Uplink Encryption Oracle

IP / UDP / Payload IP / PING Request / Payload UE Relay IP / UDP / Payload Keystream Generation Target Server Network IP (target_ip) / TCP / new Payload IP / PING Reply / Payload IP (target_ip) / TCP / new Payload Encrypted on the Radio Layer Already Open.

SLIDE 12

Uplink Enc + Downlink Dec = Full Impersonation

UE Relay Keystream Generation Target Server Network Decryption Server Uplink Encryption Downlink Decryption Uplink Encryption Downlink Decryption

SLIDE 13

Experiments

  • Commercial network and phone
  • Uplink impersonation
  • Visit a website only accessible by a victim: pass.telekom.de
  • Upload a 10KB file to a server
  • Downlink impersonation
  • TCP connection towards the phone
  • No interaction of the user
  • connectivitycheck.android.com
  • Checks if you have an Internet connection

SLIDE 14

Consequences

Providers

  • Over Billing
  • Authorization

Law Enforcement

  • Lawful Interception
  • Lawful Disclosure Process

User

  • Privacy
  • Firewall / NAT
  • IoT

SLIDE 15

  • Fully specified and deployed
  • Unlikely…
  • Optional integrity protection
  • Limited support in early implementations

Conclusion: We need Integrity Protection!

We emphasize the need for mandatory integrity protection.

David Rupprecht, Ruhr University Bochum, david.rupprecht@rub.de, https://imp4gt-attacks.net