touching the untouchables
play

Touching the Untouchables: Dynamic Security Analysis of the LTE - PowerPoint PPT Presentation

Nov 06, 2022 •253 likes •605 views

Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane Hongil Kim , Jiho Lee, Eunkyu Lee, and Yongdae Kim 2019 IEEE Symposium on Security and Privacy LTE communication is everywhere Public safety services Autonomous driving

  1. Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane Hongil Kim , Jiho Lee, Eunkyu Lee, and Yongdae Kim 2019 IEEE Symposium on Security and Privacy

  2. LTE communication is everywhere Public safety services Autonomous driving (PS-LTE) (Cellular V2X) Industrial IoT devices Maritime communication Railway communication (NB-IoT, LTE-M) (LTE-Maritime) (LTE-R)

  3. LTE network architecture LTE Core Network Registration Identification Auth. MME IMS HSS UE Internet Data eNodeB GWs v LTE service procedures are separated into control plane and user plane v Control plane procedures v (De)Registration of mobile phones, mutual authentication, mobility support, … v Always preceded by the user plane procedures v Might be a good target for adversaries 3 *UE: User Equipment, *MME: Mobility Management Entity

  4. Previous studies and its limitations v Formal analysis of LTE specification Ambiguities in LTE specification • include a lot of exception cases • leave freedom to the carriers and v endors about the implementation d etails • have protocol conformance test sta ndard but, § Only for UE (LTE phone) § Do not consider the malicious/inco rrect procedures Carriers may have implementation bugs even if the spec. is correct 4

  5. Previous studies and its limitations Fake base station UE • Steal user identity • DoS attack • Location tracking Fake UE Commercial network What about a fake LTE phone to inspect commercial networks? 5

  6. Challenges in active network testing v Difficulties to actively inspect operational LTE networks 1. Sending malicious signal to a commercial network is not allowed è Got Carriers’ Testbed access 2. It is hard to control baseband chipsets for simulating malicious behavior è Use open-source LTE software (srsLTE, openLTE, and SCAT) 3. An LTE network is a closed system è Device-side debugging 6

  7. Goal of our research v Investigate potential problems of the control plane procedures in LTE – Rooted from either Specification problem Implementation bug Configuration bug – How? Comprehensive dynamic testing against commerci al LTE networks 7

  8. Overview of LTEFuzz 2. Executing test cases 1. Generating test cases Security properties LTE networks Randomly picking fie ld values A set of test cases Commercial logs Baseband chipsets 3. Classifying problematic behavior 4. Construct & validate attacks Attack scenario 1 Case 1 Case 2 Attack scenario 2 Test results Problematic Case 3 Attack scenario 3 behavior Decision tree Root cause analysis wi Case 4 th carriers 8

  9. Generating test cases v Target control plane protocols: RRC and NAS v Target procedures – Radio connection, network attach/detach, location management, and session manag ement, … UE eNodeB MME NAS NAS RRC RRC SCTP SCTP PDCP PDCP RLC RLC IP IP Inspecting all combinations are infeasible MAC MAC L2 L2 PHY PHY L1 L1 9 RRC: Radio Resource Control, NAS: Non Access Stratum

  10. Generating test cases 1. Define basic security properties based on LTE specification Property 1. Plain messages should be handled properly § Plain messages by design § Plain messages manipulated by an attacker Property 2. Invalid security protected messages should be handled properly § Invalid security header type § Invalid MAC (Messages Authentication Code) § Invalid Sequence number Property 3. Mandatory security procedures should not be bypassed § Authentication § Key agreement procedure Generate test cases that violate the properties 10

  11. Generating test cases 1. Define basic security properties based on LTE specification RRC test case NAS test case Sequence No. Security Header Ty pe MAC Sequence Number (8 LSBs of counter) MAC 11

  12. Generating test cases 1. Define basic security properties based on LTE specification RRC test case NAS test case Sequence No. RRC message NAS message (Encrypted if required) 12

  13. Generating test cases 2. Pick remaining field values randomly from commercial control plane logs – Not to cause memory corruption errors in the operational networks Case 1 M 1 F1 F2 F3 Message 1 Case 2 Field 1 Field 2 Field 3 M F1 F2 F3 Case 3 Commercial control plane logs e xtracted from the phones. M F1 F2 F3 Save the field values which are u sed in the commercial networks 13

  14. Executing test cases Tester UE Test case ( Spoofed as victim UE ) SDR Check response UE state Case # Operational LTE UE identity Accepted? Ping “Google.com” Check if connection state is changed UE state monitor Observe problematic b ehavior Victim UE 14

  15. Operational networks are complicated 1. Victim UE 4G Access Network 4G Core Network • Each carrier has different con figurations MME A • Each carrier deploys different Tester UE network equipment Cell • In a single carrier, network eq uipment differs by the service eNodeB area 2. Victim UE • The location of the tester and the victim affects the results MME B 3. Victim UE Hard to manually analyze which case is problem 15

  16. Classifying the problematic behavior • Target protocol: RRC or NAS Test case • Victim’s state: Conn. or Idle • Direction: UL or DL … Accepted by the 
 receiving entity? Yes No or unknown Cause de-registration? Cause de-registration? (When victim is connected) (When victim is connected) Prohibit connection? Prohibit connection? ( When victim is idle ) ( When victim is idle ) Yes No or unknown Yes No 1. Problematic 2. Problematic 3. Problematic 4. Benign Denial of Service Message spoofing Denial of Service

  17. LTEFuzz test environment Network testing Baseband testing v Target network vendors v Target baseband chipsets – Carrier A: two MME vendors, one e – Qualcomm, Exynos, HiSilicon, MediaTe NB vendor k – Carrier B: one MME vendor, two eN B vendors Tester LTE network Target mobile device Shield box Tester UE + UE state monitor in one laptop 17

  18. Implementation v Test input collector & message generator – 1937 lines of code of C++ v Tester – Network testing § srsUE (fully controllable LTE baseband) § (Additional) 550 lines of code of C++ – Baseband testing § openLTE & srsLTE (fully controllable LTE network) § (Additional) 840 lines of code of C++ v UE state monitor & testing automation – For classifying problematic cases when each test case is executed – Based on Signaling Collection and Analysis Tool (SCAT) – 143 lines of code of python for testing automation § 80 lines for testing automation, 63 lines for monitoring victim device

  19. Findings v Test cases classified into problematic behavior – Total 51 cases: 36 new and 15 previously known – Categorized into five vulnerability types § Unprotected initial procedure cause failure (Property 1-1) § Invalid plain requests are accepted (Property 1-2) § Messages with invalid integrity protection (Property 2-1) § Messages with invalid sequence number (Replay) (Property 2-2) § AKA procedure can be bypassed (Property 3) v Validated with the corresponding carriers and vendors – No false positive, but two false negatives § UplinkNAStransport (for SMS) and Service request (response was encrypted ) 19

  20. Index Specification problem MME vendor s Baseband ve ndors Vuln. From d ifferent vend ors B: Benign - : n/a P: plain I: Invalid MA C R: Replay 20

  21. ATTACKS 21

  22. Remote de-register attack v Exploited test case: 15 cases in NAS (Attach, Detach, TAU, PDN con/discon…) v An Attacker is within the same MME pool of the victim UE v Implementation bugs & configuration mistakes NAS EMM State: NAS EMM State: Registered Detached 1. Establish an RRC Connection 2. Send invalid NAS message Victim’s S-TMSI Normal service eNodeB MME Attacker Operational LTE network No LTE services at all Victim UE Downgrade to legacy network (e.g., 3G) v Nitpick: GUTI in NAS messages are not correctly checked in some MME vendors 22

  23. Demo 23

  24. Responsible disclosure v Standard bodies – 3GPP – GSMA v Vendors – LTE network vendors § Validated through the contacted carriers § Also validated the fixes created by the vendors – Baseband chipset vendors § Reported AKA Bypass attack, and replay attack § Will be patched soon 24

  25. Conclusion v Operational LTE networks are not as secure as we expected! – Complicated deployments (e.g., each network equipment is from different vendors) generate extremely complicated behavior (faults). v We have implemented LTEFuzz – A semi-automated dynamic testing tool for both networks and devices – Using open source LTE software and a simple decision tree – Specification problems: 16, Implementation bugs + configuration issues: 35 – LTEFuzz considers realistic attack assumptions in operational LTE networ k v Future work – Extend LTEFuzz to support other control protocols and 5G if allowed 25

  26. Thank you Contact: hongilk@kaist.ac.kr Website: http://ltefuzz.syssec.kr 26

  27. BACKUP SLIDES 27

  28. Obtaining valid S-TMSIs 1. Install Fake LTE eNodeB • Obtain a UE’s S-TMSI in the TAU request from the UE. 2. Periodically trigger Paging by making calls to the victim UE • The attacker listens pagings in a same eNodeB with the victim UE 3. Sniff downlink RRC Connection setup

  29. LTE testbed: open source vs. commercial v Open source testbed v Commercial testbed – – Cheap (Laptop + SDR = 3,500,000 Expensive KRW) – Hard to change, modify the behaviors – Fully controllable from PHY to A PP layer

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Teaching Touching Safety Touching Safety Teaching A Safety Education Program for Students in

Teaching Touching Safety Touching Safety Teaching A Safety Education Program for Students in

Teaching Touching Safety Touching Safety Teaching A Safety Education Program for Students in the Catholic Schools of the Diocese of Paterson Today s Agenda s Agenda Today Background and lead-up to this program Approaching

421 views • 23 slides
Detection and Segmentation of Detection and Segmentation of Touching Characters in Touching

Detection and Segmentation of Detection and Segmentation of Touching Characters in Touching

Detection and Segmentation of Detection and Segmentation of Touching Characters in Touching Characters in Mathematical Expressions Mathematical Expressions A. Nomura, A. Nomura, K. Michishita, K. Michishita, S. Uchida, S. Uchida, M.

571 views • 19 slides
WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING

WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING

WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING BOTTOM UNITED ALL OF US ON THE SAME PURPOSE @ R u t a _ N CITIZENS MEDELLNS SCIENCE, TECHNOLOGY AND INNOVATION PLAN M E D E L L N 2 0 1 1

400 views • 12 slides
Seeing and touching: your mobile brain Chris Atherton @finiteattention 1. How our brains see

Seeing and touching: your mobile brain Chris Atherton @finiteattention 1. How our brains see

Seeing and touching: your mobile brain Chris Atherton @finiteattention 1. How our brains see 2. How we synthesise reality 3. How we fail at seeing 4. Computers and stupidity 5. Married to the Mob(ile) 1. How our brains see different

1.34k views • 120 slides
The The Roc ockS kSTAR AR Prog rogra ram m Touching Lives One Rocks ckstar tar At A

The The Roc ockS kSTAR AR Prog rogra ram m Touching Lives One Rocks ckstar tar At A

The The Roc ockS kSTAR AR Prog rogra ram m Touching Lives One Rocks ckstar tar At A Time Created by Keitt Stathem Lice censed nsed Professional fessional Counselor nselor EMDR R Trai aine ned The Th e RockS ckSTAR TAR

850 views • 26 slides
Factorization of density correlation functions for clusters touching the sides of a rectangle

Factorization of density correlation functions for clusters touching the sides of a rectangle

Factorization of density correlation functions for clusters touching the sides of a rectangle Peter Kleban University of Maine Jacob J. H. Simmons University of Chicago Robert M. Ziff University of Michigan Support: NSF DMR 0536927 (PK),

454 views • 31 slides
MEXICO EARTHQUAKES EASNA May 2018 Touching Life Mexican EAP founded in 2004. Cover more than

MEXICO EARTHQUAKES EASNA May 2018 Touching Life Mexican EAP founded in 2004. Cover more than

CASE STUDY PRESENTATION RESILENCE AND SUCCESS AFTER RECENT MEXICO EARTHQUAKES EASNA May 2018 Touching Life Mexican EAP founded in 2004. Cover more than 60,000 lives across the country. Offer psychological counselling, wellness services.

804 views • 27 slides
Modelling of wall currents excited by plasma wall-touching kink and vertical modes during a

Modelling of wall currents excited by plasma wall-touching kink and vertical modes during a

Modelling of wall currents excited by plasma wall-touching kink and vertical modes during a tokamak disruption, with application to ITER C.V. Atanasiu 1 , L.E. Zakharov 2 ,K. Lackner 3 , M. Hoelzl 3 , F.J. Artola 4 , E. Strumberger 3 , X. Li 5 1

381 views • 24 slides
SPARC 12 Speed Presentation Abstracts Group 1: Arts and Health Sciences 1. Touching the past: the

SPARC 12 Speed Presentation Abstracts Group 1: Arts and Health Sciences 1. Touching the past: the

SPARC 12 Speed Presentation Abstracts Group 1: Arts and Health Sciences 1. Touching the past: the memorialisation of small memories in a changing landscape. Annie Harrison Art, MMU This presentation outlines an aspect of my

471 views • 13 slides
Representing Graphs and Hypergraphs by Touching Polygons in 3D Pawe Rzewski, Noushin Saeedi

Representing Graphs and Hypergraphs by Touching Polygons in 3D Pawe Rzewski, Noushin Saeedi

Representing Graphs and Hypergraphs by Touching Polygons in 3D Pawe Rzewski, Noushin Saeedi joint work with William Evans, Chan-Su Shin, and Alexander Wolff How to draw a graph? (in 2d) non-crossing drawings How to draw a graph? (in

1.05k views • 58 slides
Touching Lives: Over 3000 youth have attended our RYLA over the past 20-plus years RYLA by the

Touching Lives: Over 3000 youth have attended our RYLA over the past 20-plus years RYLA by the

Touching Lives: Over 3000 youth have attended our RYLA over the past 20-plus years RYLA by the numbers * 155 Campers * 40 Trailblazers (2 nd year campers) * 15 Jr Counselor 1 (must complete service project) * 12 Jr Counselor 2 * 12 Sr Counselors

276 views • 25 slides
NCAA Major Changes Matt Davis Points of Emphasis - 2014 Touching either crosse on the

NCAA Major Changes Matt Davis Points of Emphasis - 2014 Touching either crosse on the

NCAA Major Changes Matt Davis Points of Emphasis - 2014 Touching either crosse on the faceoffs Illegal tactics when defending Cross check Cross check hold Sideline behavior 1-10 Substitution Area Substitution box expanded

407 views • 27 slides
Sensory Integration Module Vision Seeing and Hearing Events Fisher Force & tactile

Sensory Integration Module Vision Seeing and Hearing Events Fisher Force & tactile

Seeing, Hearing, and Touching: Moving to multimodality Putting It All Together Sensory Integration Module Vision Seeing and Hearing Events Fisher Force & tactile Touching, Seeing, and Hearing MacLean Virtual feedback

480 views • 12 slides
Small Busines Small Business s Finding, T Finding, Touching, P ouching, Partnering

Small Busines Small Business s Finding, T Finding, Touching, P ouching, Partnering

Small Busines Small Business s Finding, T Finding, Touching, P ouching, Partnering artnering Jack Hubbard Chief Experience Officer, St. Meyer & Hubbard jhubbard@smandh.com Small Business Pr Small Busines s Products or

261 views • 8 slides
Touch Technologies Touching the World by Sara Kilcher Distributed Systems Seminar 30. April

Touch Technologies Touching the World by Sara Kilcher Distributed Systems Seminar 30. April

Touch Technologies Touching the World by Sara Kilcher Distributed Systems Seminar 30. April 2013 sakilche@student.ethz.ch Motivation Overview Skin as touchscreen Skinput Overview Skin as touchscreen Skinput OmniTouch

980 views • 68 slides
English Language - IGCSE Touching the Void (I) Viewpoint 1 st person account vs 3 rd person

English Language - IGCSE Touching the Void (I) Viewpoint 1 st person account vs 3 rd person

English Language - IGCSE Touching the Void (I) Viewpoint 1 st person account vs 3 rd person account 2 nd person accounts are normally instructional 1 st and 3 rd person accounts may contain 2 nd person passages biographical vs

1.57k views • 144 slides
Adaptive Sparse Recovery Eric Price MIT 2012-04-26 Joint work with Piotr Indyk and David

Adaptive Sparse Recovery Eric Price MIT 2012-04-26 Joint work with Piotr Indyk and David

Adaptive Sparse Recovery Eric Price MIT 2012-04-26 Joint work with Piotr Indyk and David Woodruff, 2011-2012 Eric Price (MIT) Adaptive Sparse Recovery 2012-04-26 1 / 29 Outline Motivating Example 1 Eric Price (MIT) Adaptive Sparse

1.92k views • 154 slides
Disease Slides Previously Presented to ACHDNC by Lanetta B. Jordan, M.D., M.P.H., M.S.P.H. Chief

Disease Slides Previously Presented to ACHDNC by Lanetta B. Jordan, M.D., M.P.H., M.S.P.H. Chief

Carrier Screening for Sickle Cell Disease Slides Previously Presented to ACHDNC by Lanetta B. Jordan, M.D., M.P.H., M.S.P.H. Chief Medical Officer Sickle Cell Disease Association of America, Inc. R. Rodney Howell, M.D. February 5, 2010

483 views • 8 slides
All in the Family How Genetic Counselors Facilitate Familial Genetic Testing Amanda Openshaw, MS,

All in the Family How Genetic Counselors Facilitate Familial Genetic Testing Amanda Openshaw, MS,

All in the Family How Genetic Counselors Facilitate Familial Genetic Testing Amanda Openshaw, MS, LCGC Genetic Counselor, ARUP Laboratories Objectives Recognize different methodologies for performing family specific genetic testing

526 views • 21 slides
P5 & P6 Briefing for Parents Saturday, 19 January 2019 AGENDA School Strategic Goals

P5 & P6 Briefing for Parents Saturday, 19 January 2019 AGENDA School Strategic Goals

P5 & P6 Briefing for Parents Saturday, 19 January 2019 AGENDA School Strategic Goals & Directions 2019 Our Achievements Signature Programmes Curriculum & Assessment Matters PSLE Overview Direct School Admission

1.19k views • 101 slides
DPM test Pla lan Ba Babak Abi 17 Sep 2018 1 DPM tests plan Hardware, independent of

DPM test Pla lan Ba Babak Abi 17 Sep 2018 1 DPM tests plan Hardware, independent of

DPM test Pla lan Ba Babak Abi 17 Sep 2018 1 DPM tests plan Hardware, independent of firmware progress but if any art of firmware would be ready could help here too. After final semi-review (and probably a small design re-spin)

625 views • 3 slides
Insert Training Date PRISM Technical Support Volpe Center 2015 TWO MAJOR PROCESSES 1. Commercial

Insert Training Date PRISM Technical Support Volpe Center 2015 TWO MAJOR PROCESSES 1. Commercial

Insert Training Date PRISM Technical Support Volpe Center 2015 TWO MAJOR PROCESSES 1. Commercial Vehicle Registration (IRP International Registration Plan) 2. Motor Carrier Law Enforcement Cooperative Federal/State public safety

1.05k views • 48 slides
International Symposium on Bioethics Genetic Testing of Children and Confidentiality of Their

International Symposium on Bioethics Genetic Testing of Children and Confidentiality of Their

International Symposium on Bioethics Genetic Testing of Children and Confidentiality of Their Genetic Data Eiji Maruyama, Kobe University Mariko Tamai, Shinshu University Problems 1 . I s i t a l l o w e d , i n y o u r c

5.93k views • 12 slides
Steven Saunders, Director, HIV Prevention, NJDOH errol.saunders@doh.state.nj.us Wit ithout t

Steven Saunders, Director, HIV Prevention, NJDOH errol.saunders@doh.state.nj.us Wit ithout t

Steven Saunders, Director, HIV Prevention, NJDOH errol.saunders@doh.state.nj.us Wit ithout t the Rapid id-Rap apid id Testin ing g Alg lgorit ithm, hm, Lin inkage ge to Ca Care re on the Sa Same or r Ne Next Business iness Day

686 views • 41 slides

More recommend