SlideShare a Scribd company logo

D2T2 - Bye Bye IMSI Catchers - Security Enhancements in 5g - Lin Huang.pdf

F
f2po1

5g security enhancement

Technology
1 of 22
Download to read offline
5G Security Enhancement Say Goodbye to IMSI Catcher Leader of 360 Radio Security Research Institute HUANG Lin Nov. 2 2018
360 Radio Security Research Institute Wireless connection is widely used in Internet of Things. We focus on the security issues in the wireless pipelines. • WiFi • 2G~5G cellular network • RFID/NFC • Bluetooth & ZigBee • LoRa/NB-IoT • Satellite communication: GPS/Beidou • Others: ADS-B 360 Technology is the only Chinese security company in 3GPP standardization organization.
Case of GSM SMS Sniffing Source: Nandu Big Data Research Institute A case in Aug. 2018 In Guangdong province, someone’s cellphone received more than 100 SMS verification messages during one night and the attacker stole around 10,000 RMB through many APPs.
GSM Attacks Public Reported Level 0 – Spam SMS Level 1 – SMS Sniffing Level 2 – Man-in-the-middle attack Level 3 – Downgrade attack
Attack Surface in Cellular Network • Protocol vulnerability • GSM one-way authentication, IMSI Catcher, redirection attack, etc. • Implementation • Baseband chipset vulnerabilities • TMSI overflow case (Intel) • AUTN overflow case (Qualcomm) • SMS PDU overflow • Base station vulnerabilities • Deployment and configuration faults • ‘Ghost Telephonist’, CSFB vulnerability
Attack to Network Side • 2G network • Low confidentiality and one-way authentication • Sniffing • Man-in-the-middle • DoS attacks • RACH flood • IMSI attach flood, IMSI detach • Paging response • 4G network • DoS attacks • RACH, attach flood • Relay • Position spoofing
Attack to Terminal Side • 2G network • Low confidentiality and one-way authentication • Sniffing • Man-in-the-middle • Silent SMS • Spam SMS • 4G network • MITM:‘aLTEr’ vulnerability • DoS attack: attach reject,TAU reject • Downgrade attack: redirection • IMSI Catcher to all 2G/3G/4G
5G Security Technologies (March 2018, Release 15) • Primary authentication: enhance home network control • Secondary authentication: authentication for outside the mobile operator • Inter-operator security: Solve some issues in SS7 and Diameter • Privacy: Encrypt subscriber permanent identity • Service based architecture: security about Service Based Architecture • Central Unit – Distributed Unit: connection security • Key hierarchy: integrity protection of user data channel • Mobility: separate mobility anchor and security anchor
Why Enhance Home Network Control 4G AKA 5G AKA
Integrity Protection in User Plane
Example:‘aLTEr’ Attack – DNS Spoofing https://alter-attack.net/ by David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper
Permanent Identity Privacy IMSI Catcher Once a cellphone goes through the fake network coverage area, its IMSI will be reported to the fake network.
SimilarWeakness inWiFi • WiFi MAC scanner • It passively listens surrounding WiFi devices’ signal and captures the MAC addresses. • Some underground industry has the leaked data which has the mapping information from MAC address to other info, such as cellphone number, IMEI, list of installed APPs, financial credit information etc.
Status of WiFi MAC Address Randomization • iOS and Android • Random MAC address during connection setup (in scanning) • Use permanent MAC address after connection setup, to facilitate access control • Can be bypassed when the attack emulates an known AP • Windows 10 • Fully randomization • Can manually disable • Depends on WIFI adapter type
IMSI Encryption • New terminology is 3GPP’s tradition  • SUPI: Subscription Permanent Identifier • SUCI: Subscription Concealed Identifier Encrypted & Randomizing
How to Send SUCI and SUPI in 5G Cellphone gNB SEAF AUSF UDM/ARPF/SIDF 1.Decrypt SUCI to SUPI 2.Do authentication Registration Request Registration Request Authentication Request Authentication Request SUCI or GUTI SUCI or GUTI SUCI or SUPI + SN-Name SUCI or SUPI + SN-Name
How to Encrypt SUPI ?
How to Init & Store Public Key • Different from common certification and public key infrastructure • Operator’s public key is stored in SIM card. • The security of SIM card guarantees the public key is true and cannot be manipulated.
BUT, No Encryption is Permitted • Operator has right to decide whether it uses SUPI encryption. It can use null-scheme, i.e. no encryption. • This is because SUPI encryption needs change subscribers’ SIM card. Operators may not force all its customers to replace 4G card by 5G one. So 4G card may exist for a long time.
Fake 5G Base Station may still Exist DoS attack examples: ✓ You are an illegal cellphone! ✓ Here is NO network available.You could shut down your modem. The root cause is the initial broadcasting message from network can not be proved to be trustable. NO PKI infrastructure solution reaches agreement in 3GPP.
Fake 4G Base Station Sends Fake Alert Message
We could continue in 6G …

Recommended

5G mission diary: Houston, we have a problem
5G mission diary: Houston, we have a problem5G mission diary: Houston, we have a problem
5G mission diary: Houston, we have a problemPositiveTechnologies
 
Ravi i ot-enablingtechnologies
Ravi i ot-enablingtechnologiesRavi i ot-enablingtechnologies
Ravi i ot-enablingtechnologiesskumartarget
 
Session810 ken huang
Session810 ken huangSession810 ken huang
Session810 ken huangKen Huang
 
An approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxAn approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxamalouwarda1
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!PositiveTechnologies
 
Be a Virtual Mobile Network for your M2M/IoT Devices, Martin Giess, EMnify
Be a Virtual Mobile Network for your M2M/IoT Devices, Martin Giess, EMnifyBe a Virtual Mobile Network for your M2M/IoT Devices, Martin Giess, EMnify
Be a Virtual Mobile Network for your M2M/IoT Devices, Martin Giess, EMnifyAlan Quayle
 
4G to 5G: New Attacks
4G to 5G: New Attacks4G to 5G: New Attacks
4G to 5G: New Attacks3G4G
 
Abdullah Al Mamun 062507056
Abdullah Al Mamun 062507056Abdullah Al Mamun 062507056
Abdullah Al Mamun 062507056mashiur
 

Recommended

5G mission diary: Houston, we have a problem
5G mission diary: Houston, we have a problem5G mission diary: Houston, we have a problem
5G mission diary: Houston, we have a problemPositiveTechnologies
 
Ravi i ot-enablingtechnologies
Ravi i ot-enablingtechnologiesRavi i ot-enablingtechnologies
Ravi i ot-enablingtechnologiesskumartarget
 
Session810 ken huang
Session810 ken huangSession810 ken huang
Session810 ken huangKen Huang
 
An approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxAn approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxamalouwarda1
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!PositiveTechnologies
 
Be a Virtual Mobile Network for your M2M/IoT Devices, Martin Giess, EMnify
Be a Virtual Mobile Network for your M2M/IoT Devices, Martin Giess, EMnifyBe a Virtual Mobile Network for your M2M/IoT Devices, Martin Giess, EMnify
Be a Virtual Mobile Network for your M2M/IoT Devices, Martin Giess, EMnifyAlan Quayle
 
4G to 5G: New Attacks
4G to 5G: New Attacks4G to 5G: New Attacks
4G to 5G: New Attacks3G4G
 
Abdullah Al Mamun 062507056
Abdullah Al Mamun 062507056Abdullah Al Mamun 062507056
Abdullah Al Mamun 062507056mashiur
 
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii LukinHackIT Ukraine
 
AirTight Networks - Wireless Security 2011
AirTight Networks - Wireless Security 2011AirTight Networks - Wireless Security 2011
AirTight Networks - Wireless Security 2011Risk Analysis Consultants, s.r.o.
 
Security management systemofcellular_communication
Security management systemofcellular_communicationSecurity management systemofcellular_communication
Security management systemofcellular_communicationardhita banu adji
 
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...James Mack
 
Having Fun With RFID
Having Fun With RFIDHaving Fun With RFID
Having Fun With RFIDFathi Kamil Mohad Zainuddin
 
Security model evaluation of 3 g
Security model evaluation of 3 gSecurity model evaluation of 3 g
Security model evaluation of 3 gRotract CLUB of BSAU
 
Chapter 6 contemporary telecommunication technologies
Chapter 6 contemporary telecommunication technologiesChapter 6 contemporary telecommunication technologies
Chapter 6 contemporary telecommunication technologiessakariachromabook
 
Ruckus wp wifi-into-core
Ruckus wp wifi-into-coreRuckus wp wifi-into-core
Ruckus wp wifi-into-corewarchitect
 
20210805 以5 g與邊緣運算技術佈署物聯網
20210805 以5 g與邊緣運算技術佈署物聯網20210805 以5 g與邊緣運算技術佈署物聯網
20210805 以5 g與邊緣運算技術佈署物聯網Dr. Chang Jung Lee
 
Project gsm
Project gsmProject gsm
Project gsmKIIT
 
Netas Nova Cyber Security Product Family
Netas Nova Cyber Security Product FamilyNetas Nova Cyber Security Product Family
Netas Nova Cyber Security Product FamilyCagdas Tanriover
 
Accessing remote networks
Accessing remote networksAccessing remote networks
Accessing remote networksWestermo Network Technologies
 
LTE :Mobile Network Security
LTE :Mobile Network SecurityLTE :Mobile Network Security
LTE :Mobile Network SecuritySatish Chavan
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014Brian Knopf
 
Embedded SIM New opportunities for security sensitive IoT applications
Embedded SIM New opportunities for security sensitive IoT applicationsEmbedded SIM New opportunities for security sensitive IoT applications
Embedded SIM New opportunities for security sensitive IoT applicationsM2M Alliance e.V.
 
Wire less networking system zigbee
Wire less networking system zigbeeWire less networking system zigbee
Wire less networking system zigbeeMunem Shahrear
 
Security Requirements in IoT Architecture
Security Requirements in IoT Architecture Security Requirements in IoT Architecture
Security Requirements in IoT Architecture Vrince Vimal
 
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2016
 
Securing 4G and LTE systems with Deep Learning and Virtualization
Securing 4G and LTE systems with Deep Learning and VirtualizationSecuring 4G and LTE systems with Deep Learning and Virtualization
Securing 4G and LTE systems with Deep Learning and VirtualizationDr. Edwin Hernandez
 
How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...
How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...
How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...Alan Quayle
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDubai Multi Commodity Centre
 

More Related Content

Similar to D2T2 - Bye Bye IMSI Catchers - Security Enhancements in 5g - Lin Huang.pdf

"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii LukinHackIT Ukraine
 
Security management systemofcellular_communication
Security management systemofcellular_communicationSecurity management systemofcellular_communication
Security management systemofcellular_communicationardhita banu adji
 
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...James Mack
 
Chapter 6 contemporary telecommunication technologies
Chapter 6 contemporary telecommunication technologiesChapter 6 contemporary telecommunication technologies
Chapter 6 contemporary telecommunication technologiessakariachromabook
 
Ruckus wp wifi-into-core
Ruckus wp wifi-into-coreRuckus wp wifi-into-core
Ruckus wp wifi-into-corewarchitect
 
20210805 以5 g與邊緣運算技術佈署物聯網
20210805 以5 g與邊緣運算技術佈署物聯網20210805 以5 g與邊緣運算技術佈署物聯網
20210805 以5 g與邊緣運算技術佈署物聯網Dr. Chang Jung Lee
 
Project gsm
Project gsmProject gsm
Project gsmKIIT
 
Netas Nova Cyber Security Product Family
Netas Nova Cyber Security Product FamilyNetas Nova Cyber Security Product Family
Netas Nova Cyber Security Product FamilyCagdas Tanriover
 
LTE :Mobile Network Security
LTE :Mobile Network SecurityLTE :Mobile Network Security
LTE :Mobile Network SecuritySatish Chavan
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014Brian Knopf
 
Embedded SIM New opportunities for security sensitive IoT applications
Embedded SIM New opportunities for security sensitive IoT applicationsEmbedded SIM New opportunities for security sensitive IoT applications
Embedded SIM New opportunities for security sensitive IoT applicationsM2M Alliance e.V.
 
Wire less networking system zigbee
Wire less networking system zigbeeWire less networking system zigbee
Wire less networking system zigbeeMunem Shahrear
 
Security Requirements in IoT Architecture
Security Requirements in IoT Architecture Security Requirements in IoT Architecture
Security Requirements in IoT Architecture Vrince Vimal
 
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2016
 
Securing 4G and LTE systems with Deep Learning and Virtualization
Securing 4G and LTE systems with Deep Learning and VirtualizationSecuring 4G and LTE systems with Deep Learning and Virtualization
Securing 4G and LTE systems with Deep Learning and VirtualizationDr. Edwin Hernandez
 
How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...
How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...
How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...Alan Quayle
 

Similar to D2T2 - Bye Bye IMSI Catchers - Security Enhancements in 5g - Lin Huang.pdf (20)

"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
 
AirTight Networks - Wireless Security 2011
AirTight Networks - Wireless Security 2011AirTight Networks - Wireless Security 2011
AirTight Networks - Wireless Security 2011
 
Security management systemofcellular_communication
Security management systemofcellular_communicationSecurity management systemofcellular_communication
Security management systemofcellular_communication
 
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...
 
Having Fun With RFID
Having Fun With RFIDHaving Fun With RFID
Having Fun With RFID
 
Security model evaluation of 3 g
Security model evaluation of 3 gSecurity model evaluation of 3 g
Security model evaluation of 3 g
 
Chapter 6 contemporary telecommunication technologies
Chapter 6 contemporary telecommunication technologiesChapter 6 contemporary telecommunication technologies
Chapter 6 contemporary telecommunication technologies
 
Ruckus wp wifi-into-core
Ruckus wp wifi-into-coreRuckus wp wifi-into-core
Ruckus wp wifi-into-core
 
20210805 以5 g與邊緣運算技術佈署物聯網
20210805 以5 g與邊緣運算技術佈署物聯網20210805 以5 g與邊緣運算技術佈署物聯網
20210805 以5 g與邊緣運算技術佈署物聯網
 
Project gsm
Project gsmProject gsm
Project gsm
 
Netas Nova Cyber Security Product Family
Netas Nova Cyber Security Product FamilyNetas Nova Cyber Security Product Family
Netas Nova Cyber Security Product Family
 
Accessing remote networks
Accessing remote networksAccessing remote networks
Accessing remote networks
 
LTE :Mobile Network Security
LTE :Mobile Network SecurityLTE :Mobile Network Security
LTE :Mobile Network Security
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
 
Embedded SIM New opportunities for security sensitive IoT applications
Embedded SIM New opportunities for security sensitive IoT applicationsEmbedded SIM New opportunities for security sensitive IoT applications
Embedded SIM New opportunities for security sensitive IoT applications
 
Wire less networking system zigbee
Wire less networking system zigbeeWire less networking system zigbee
Wire less networking system zigbee
 
Security Requirements in IoT Architecture
Security Requirements in IoT Architecture Security Requirements in IoT Architecture
Security Requirements in IoT Architecture
 
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
 
Securing 4G and LTE systems with Deep Learning and Virtualization
Securing 4G and LTE systems with Deep Learning and VirtualizationSecuring 4G and LTE systems with Deep Learning and Virtualization
Securing 4G and LTE systems with Deep Learning and Virtualization
 
How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...
How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...
How a Multi-IMSI architecture makes global cellular IoT deployments manageabl...
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

D2T2 - Bye Bye IMSI Catchers - Security Enhancements in 5g - Lin Huang.pdf

  • 1. 5G Security Enhancement Say Goodbye to IMSI Catcher Leader of 360 Radio Security Research Institute HUANG Lin Nov. 2 2018
  • 2. 360 Radio Security Research Institute Wireless connection is widely used in Internet of Things. We focus on the security issues in the wireless pipelines. • WiFi • 2G~5G cellular network • RFID/NFC • Bluetooth & ZigBee • LoRa/NB-IoT • Satellite communication: GPS/Beidou • Others: ADS-B 360 Technology is the only Chinese security company in 3GPP standardization organization.
  • 3. Case of GSM SMS Sniffing Source: Nandu Big Data Research Institute A case in Aug. 2018 In Guangdong province, someone’s cellphone received more than 100 SMS verification messages during one night and the attacker stole around 10,000 RMB through many APPs.
  • 4. GSM Attacks Public Reported Level 0 – Spam SMS Level 1 – SMS Sniffing Level 2 – Man-in-the-middle attack Level 3 – Downgrade attack
  • 5. Attack Surface in Cellular Network • Protocol vulnerability • GSM one-way authentication, IMSI Catcher, redirection attack, etc. • Implementation • Baseband chipset vulnerabilities • TMSI overflow case (Intel) • AUTN overflow case (Qualcomm) • SMS PDU overflow • Base station vulnerabilities • Deployment and configuration faults • ‘Ghost Telephonist’, CSFB vulnerability
  • 6. Attack to Network Side • 2G network • Low confidentiality and one-way authentication • Sniffing • Man-in-the-middle • DoS attacks • RACH flood • IMSI attach flood, IMSI detach • Paging response • 4G network • DoS attacks • RACH, attach flood • Relay • Position spoofing
  • 7. Attack to Terminal Side • 2G network • Low confidentiality and one-way authentication • Sniffing • Man-in-the-middle • Silent SMS • Spam SMS • 4G network • MITM:‘aLTEr’ vulnerability • DoS attack: attach reject,TAU reject • Downgrade attack: redirection • IMSI Catcher to all 2G/3G/4G
  • 8. 5G Security Technologies (March 2018, Release 15) • Primary authentication: enhance home network control • Secondary authentication: authentication for outside the mobile operator • Inter-operator security: Solve some issues in SS7 and Diameter • Privacy: Encrypt subscriber permanent identity • Service based architecture: security about Service Based Architecture • Central Unit – Distributed Unit: connection security • Key hierarchy: integrity protection of user data channel • Mobility: separate mobility anchor and security anchor
  • 9. Why Enhance Home Network Control 4G AKA 5G AKA
  • 11. Example:‘aLTEr’ Attack – DNS Spoofing https://alter-attack.net/ by David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper
  • 12. Permanent Identity Privacy IMSI Catcher Once a cellphone goes through the fake network coverage area, its IMSI will be reported to the fake network.
  • 13. SimilarWeakness inWiFi • WiFi MAC scanner • It passively listens surrounding WiFi devices’ signal and captures the MAC addresses. • Some underground industry has the leaked data which has the mapping information from MAC address to other info, such as cellphone number, IMEI, list of installed APPs, financial credit information etc.
  • 14. Status of WiFi MAC Address Randomization • iOS and Android • Random MAC address during connection setup (in scanning) • Use permanent MAC address after connection setup, to facilitate access control • Can be bypassed when the attack emulates an known AP • Windows 10 • Fully randomization • Can manually disable • Depends on WIFI adapter type
  • 15. IMSI Encryption • New terminology is 3GPP’s tradition  • SUPI: Subscription Permanent Identifier • SUCI: Subscription Concealed Identifier Encrypted & Randomizing
  • 16. How to Send SUCI and SUPI in 5G Cellphone gNB SEAF AUSF UDM/ARPF/SIDF 1.Decrypt SUCI to SUPI 2.Do authentication Registration Request Registration Request Authentication Request Authentication Request SUCI or GUTI SUCI or GUTI SUCI or SUPI + SN-Name SUCI or SUPI + SN-Name
  • 17. How to Encrypt SUPI ?
  • 18. How to Init & Store Public Key • Different from common certification and public key infrastructure • Operator’s public key is stored in SIM card. • The security of SIM card guarantees the public key is true and cannot be manipulated.
  • 19. BUT, No Encryption is Permitted • Operator has right to decide whether it uses SUPI encryption. It can use null-scheme, i.e. no encryption. • This is because SUPI encryption needs change subscribers’ SIM card. Operators may not force all its customers to replace 4G card by 5G one. So 4G card may exist for a long time.
  • 20. Fake 5G Base Station may still Exist DoS attack examples: ✓ You are an illegal cellphone! ✓ Here is NO network available.You could shut down your modem. The root cause is the initial broadcasting message from network can not be proved to be trustable. NO PKI infrastructure solution reaches agreement in 3GPP.
  • 21. Fake 4G Base Station Sends Fake Alert Message
  • 22. We could continue in 6G …