About the speaker

Vadim Yanitskiy

Mobile telecommunications security and research department specialist
- Positive Technologies, Moscow, vyanitskiy@ptsecurity.com
- 2G/3G/4G RAN / core network security audit
Software development engineer (C, Python, TTCN-3, Erlang)
Osmocom (Open Source Mobile Communications) project contributor
- Free and open source software for mobile networks (BTS, BSC, PCU, MSC, HLR, SMSC)
Positive Hack Days participant & organizing team
Chaos Communications Congress
- 2017, 34c3, TUWAT!: speaker
- 2018, 35c3, Refreshing memories: Engel, GSM team
- 2019, Chaos Communication Camp: Engel, GSM team
- 2019, 36c3, Resource exhaustion: Engel, GSM team

Talk structure (1)

2G/3G/4G Network (infra)structure
- Circuit switched (voice) and Packet Switched (data) domains
- Radio Access Network and Core Network components
- Basic principles of the cellular coverage
- Identification and authentication
2G radio interface basics
- Shared-medium access (FDMA, TDMA)
- Convolutional coding (Viterbi)
- CSD (Circuit switched Data)
- GPRS (General Packet Radio Service)
- EGPRS (Enhanced General Packet Radio Service)
2G Radio Interface security
- Subscriber identity masquerading
- A5/x ciphering and authentication
- The myth of frequency hopping

Talk structure (2)

Known vulnerabilities of 2G RAN
- A5/x weaknesses
- IMSI / TMSI Detach
- Paging Attack (race condition)
Radio Interface security evolution
- GERAN (GSM, GPRS, EGPRS) security
- UTRAN (UMTS) security
- EUTRAN (LTE) security
Fake Base Stations (IMSI Catchers)
- Fake base stations in 2G (GSM, GPRS)
- Fake base stations in 3G (UMTS)
- Fake base stations in 4G (LTE)

2G/3G network (infra)structure

2G/3G network (infra)structure

Circuit switched and Packet Switched domains

Two kinds of mobile traffic exist:
- Circuit switched: one channel - one subscriber
  - Signalling messages (MM, RR)
  - Voice calls (CC)
  - Supplementary Services (SS)
    - USSD (e.g. *100#)
    - call waiting and call forwarding services
  - SMS (Short Message Service) (SM)
  - CSD (Circuit Switched Data)
- Packet switched: one channel - many packets
  - Signalling messages (GMM)
  - SMS messages (SM) - SMS-over-GPRS
  - WAP, WWW, E-mail traffic

2G/3G network (infra)structure

MS (Mobile Station) - mobile phone + SIM-card

ME (Mobile Equipment) - the mobile phone itself
- MMI (Man-Machine Interface)
- Keyboard, screen, UI, notifications
SIM (Subscriber Identity Module) - SIM-card
- A very small computer with CPU and RAM
  - … running an operating system
  - … running a Java machine!
- SMS and phone book storage
- Permanent subscriber identifiers
- Secret keys
  - authentication vector generation
  - ciphering key generation

2G/3G network (infra)structure

BTS (Base Transceiver Station)

Receiving and transmitting entity of the network
The only visible part of the operator’s infrastructure
Consists of one or (usually) more transceivers
Directional antennas with controlled tilt

BSC (Base Station Controller)

Aggregates Base Stations into Location Area(s)
Manages radio resources of connected base stations (channel allocation)
Handover - flawless cell change

PCU (Packet Control Unit)

Kind of BSC for Packet Switched Domain
RLC/MAC-block fragmentation and assembly for (E)GPRS
Either BSC or BTS co-located

2G/3G network (infra)structure

HLR (Home Location Register)

Subscriber database
- Unique SIM-card identifiers and keys
- Subscriber phone numbers

VLR (Visitor Location Register)

Subscriber data cache
MSC/SGSN co-located or integrated

MSC (Mobile Switching Center)

Signalling and voice call commutator
Subscriber identification and authentication

SGSN (Serving GPRS Support Node)

(E)GPRS signalling and packet data router
Kind of MSC for Packet Switched Domain
Packet delivery control
Subscriber identification and authentication

2G/3G network (infra)structure

GGSN (GPRS Gateway Support Node)

Gate to the Internet
IPv4 / IPv6 address allocation for subscribers
GTP tunnel (session) management

Axillary nodes

SMSC (Short Message Service Center) - SMS storage and delivery
AuC (Authentication Center) - subsceiber authentication (may be integrated to HLR)
MGW (Media Gateway) - voice traffic gateway, transcoding
EIR (Equipment Identity Register) - ME identity database
MLC (Mobile Location Center) - RRLP, LCLS

UMTS specific elements

NodeB == BTS (Base Transceiver Station)
RNC (Radio Network Controller) == BSC (Base Station Controller)

4G network (infra)structure

4G network (infra)structure

Similar infrastructure, different abbreviations

UE (User Equipment) == MS (Mobile Station)
eNodeB == BTS (Base Transceiver Station)
MME (Mobility Management Entity) == MSC (Mobile Switching Center)
HSS (Home Subscriber Server) == HLR (Home Location Register)
S-GW (Serving Gateway) == SGSN (Serving GPRS Support Node)
P-GW (Packet Gateway) == GGSN (GPRS Gateway Support Node)

2G/3G/4G network (infra)structure

Basic principles of the cellular coverage

Each transceiver of a BTS covers one particular sector of a limited size
- The RF power is concentrated in a sector using directional antennas
Each sector can be covered by several service providers at the same time
- In 2G, the RF frequencies must be different!
Several coverage sectors are grouped into location areas
- Each cell gets a unique identifier - Cell ID
- Each location area gets unique identifier - Location Area Code (LAC)
- A subscriber can be (approximately) geolocated using these two identifiers
- Mobile phones perform Location Updating when moving from one LAC to another

2G/3G/4G network (infra)structure

Service provider identification

Each service provider (operator) is uniquely identified using a pair of numbers:
- MCC (Mobile Country Code)
- MNC (Mobile Network Code)
  - e.g. 901/70, 262/42
- http://www.mcc-mnc.com/
In GPRS, each GGSN has its own unique identifier
- APN (Access Point Name)
  - for example, internet.provider.com
A service provider may have several APNs:
- Different kinds of data - different charging
  - internet.provider.com - Internet traffic
  - wap.provider.com - WAP traffic
  - mms.provider.com - MMS messages

2G/3G/4G network (infra)structure

Subscriber identification (1)

MSISDN (Mobile Subscriber Integrated Services Digital Number) - phone number
- Not stored on SIM-card, only in HLR of the service provider
- Not used during subscriber identification
- May be absent ("data only" SIM)
- Mapped between IMSI and MSISDN is done on the network side
  - that’s why you can change a SIM card keeping your phone number
IMSI (International Mobile Subscriber Identity) - unique subscriber ID
- Stored on SIM-card and in HLR of the service provider
- Used during subscriber identification
- Never changes during the lifetime of SIM-card
  - can be changed Over-the-Air by the service provider though
IMEI (International Mobile Equipment Identity) - user equipment ID
- Stored in OTP memory of the Mobile Equipment (ideally)
- Ideally, cannot be changed

2G/3G/4G network (infra)structure

Subscriber identification (2)

TMSI/P-TMSI (Temporary Mobile Subscriber Identity)
- Not stored on SIM-card, nor in HLR of the service provider
- Used during subscriber identification (instead of IMSI)
- Changes on each voice call / SMS / USSD (ideally)
- The purpose of TMSI is to hide subscriber’s IMSI on the Um-interface
TLLI (Temporary Logical Link Identifier) - temporary identifier in (E)GPRS
- Similar to TMSI/P-TMSI, substitutes IMSI on the Um-interface
- Used exclusively in the Packet Switched domain
- In most cases, matches subscriber’s P-TMSI

2G/3G/4G network (infra)structure

Subscriber identification (3)

LTE specific subscriber identifiers
- GUTI (Globally Unique Temporary Identifier)
  - MCC/MNC + MMEGI + MMEC + M-TMSI
  - Used in the core network
- RNTI (Radio Network Temporary Identifiers)
  - Group of identifiers used on the radio interface

2G Radio Interface basics

Shared medium access

FDMA (Frequency-Division Multiple Access)
- Frequency bands used in GSM networks:
  - GSM-900 и DCS-1800 (mostly used in Europe)
  - GSM-850 и DCS-1900 (mostly used in North America)
- Each frequency band is split by two equal sub-bands:
  - Downlink - Base Station transmit, Mobile Station receive
  - Uplink - Base Station receive, Mobile Station transmit
- Each freq. band has a fixed number of channels (200 kHz each)
  - ARFCN (Absolute Radio-Frequency Channel Number)
  - a pair of Downlink and Uplink frequencies
    - ARFCN 33: Uplink 896.6 MHz / Downlink 941.6 MHz
    - ARFCN 666: Uplink 1741.0 MHz / Downlink 1836.0 MHz

2G Radio Interface basics

Shared medium access

TDMA (Time-Division Multiple Access)
- The payload is split into smal pieces - bursts
- Each burst is sent within an allocated time window
  - Such windows are called timeslots (0.577 ms each)
  - 8 timeslots make up one TDMA frame (about 4.615 ms each)
  - 1326 frames make up one superframe
  - 2048 superframes make up one hyperframe

2G Radio Interface basics

TDMA frame / slot hierarchy

2G Radio Interface basics

Control TDMA frame structure

2G Radio Interface basics

Traffic TDMA frame structure

2G Radio Interface basics

Convolutional coding

All signals in the RF are affected by noise and interference
Convolutional coding is used to minimize their negative influence
- The payload bits are accomplished with redundant bits and CRC
  - so the receiver can detect and correct potential bit errors
- The amoung of redundancy depends of SNR and importance of data
- Signalling usually has the highest redundancy:
  - 23 bytes of payload ⇒ 23 * 8 = 184 bit
  - The xCCH encoder generates 57 * 2 * 4 = 456 bit
  - Redundancy: 456 - 184 = 272 bit (about 148%)

2G Radio Interface basics

Data transfer technologies (plugins)

CSD (Circuit Switched Data)
- Basically binary data over voice channels (similar to Dial-up)
- No longer used for the mobile Internet access
- Although, some special purpose (e.g., telemetric) devices still use it
GPRS (General Packet Radio Service)
- Packet resource allocation on top of TDMA timeslot multeplex
- Unlike CSD, resources are allocated dynamically
  - Several subscribers can use the same PDCH timeslot
EDGE (Enhanced Data rates for GSM Evolution)
- ECSD (Enhanced Circuit Switched Data) - "evolved" CSD
  - most notably, the ability to use multiple timeslots in parallel
- EGPRS (Enhanced General Packet Radio Service) - "evolved" GPRS
  - most notably, 8-PSK modulation (3 times more bits per symbol)

2G Radio Interface security

Subscriber identity masquerading

Problem: sending IMSI over the shared medium
Consequences: subscriber location and/or presence tracking
Solution: TMSI (Temporary Mobile Subscriber Identity)
- The network assigns an additional unique identifier to each subscriber, that is:
  - known to the network and the MS only
  - valid withing a single Location Area
  - periodically changed (Periodic Location Updating)
  - ideally, never used twice (TMSI Reallocation)
    - Exception: the absence of TMSI (not yet assigned)
Are we secure? - No!
- TMSI Reallocation may be initiated by the network only, not by the MS itself
- Most service providers use the same TMSI more than once
- Some service providers never change TMSI periodically
- Some service providers generate low-entropy TMSI

2G Radio Interface security

Authentication

Problem: an attacker can spoof any subscriber identity (IMSI, TMSI)
Consequences: making voice calls, sending SMS on behalf of the victim
Solution: the A3 authentication algorithms
- A secret key Ki is stored on subscriber’s SIM-card
- A copy of the key Ki' is stored in the HLR
- Basic authentication scenario:
  - The network generates a random number RAND and sends it to the MS
  - The MS forwards that number to the SIM-card
  - The SIM-card signs RAND using Ki: A3(RAND, Ki) = SRAND
  - Signed number SRAND is sent back to the network
  - A3(RAND, Ki') == SRAND?
Are we secure? - In the most cases, yes!
- The secret key Ki never leaves the SIM-card, it’s impossible to read it out
- The service provider (operator) may implement its own A3 algorithm

2G Radio Interface security

The A5/x encryption

Problem: the signal is transmitted over a shared medium (RF spectrum)
Consequences: everybody can receive RF signals and decode confidential info
Solution: the A5/x encryption algorithms
- After the authentication, a part of SRAND (signed RAND) becomes Kc
- Kc - session key used for encryption (stored on the SIM-card)
- Ciphering is initiated by the network (Ciphering Mode Command)
- Three algorythms exist: A5/1, A5/2, A5/3
- A5(Kc, TDMA Fn, Burst bits) -> gamma
- burst XOR gamma -> encrypted burst
Are we secure? - No!
- Ciphering is not mandatory and initiated by the network
- Ciphering is applied after the convolutional encoding
- A5/1 broken "on parer" in 90-ies, then on practice in 20xx
- A5/2 intentionally insecure (prohibited to use)
- A5/3 broken "on paper"

2G Radio Interface security

The myth of frequency hopping

Basically transmitting radio signals among several frequency channels
- Rx/Tx frequencies are changed according to a pseudo-random sequence
- A hopping sequence is defined by a set of parameters:
  - MAI = f(HSN, MAIO, MA, TDMA Fn)
- The network chooses hopping parameters and sends to the MS
  - In some cases, the hopping parameters are sent in plain-text
  - The pseudo-random sequence generation algorithm is defined by GSM specs.
Does the frequency hopping prevent eavesdropping? No!
- The actual purpose is to reduce the RF interference
- Eavesdropping on hopping channel is possible in real time
  - A hacked Motorola C1xx (Calypso based) phone can be used
- There is no need to know the hopping parameters for an attacker
  - SDR (Software Defined Radio) can record the whole band of spectrum
  - The victim’s signal can be recovered from the recording later

Known attacks and vulnerabilities of 2G RAN

IMSI / TMSI Detach Attack

When switching off, the MS notifies the network (IMSI Detach)
IMSI Detach contains subscriber identity: IMSI or TMSI
This message is not authenticated, so arbitrary identity can be sent
- An attacker can spoof subscriber identity and send IMSI Detach on behalf of subscriber
  - The network would think that subscriber’s phone is off
  - All incomming calls and SMS would be blocked

Known attacks and vulnerabilities of 2G RAN

Paging Response Race Condition

The network pages subscriber (MT SMS, calls) on broadcast PCH channel
Paging Request contains subscriber identity: IMSI or TMSI
On receipt of Paging Request the MS initiates connection to the network
- Connection establishment does not happen immediately, there is alwats a delay
  - What if an attacker responds faster than subscriber?
    - An incoming call or SMS would be hijacked by the attacker
    - Delayed subscriber’s connection would be rejected by the network ⇒ DoS

Radio Interface security evolution

2G GSM

Authentication
- Challenge-response scheme
- 128-bit shared secret Ki
- The BTS authenticates the MS (not mutual)
Encryption
- Initiated by the network by sending a Ciphering Mode Command
- The encryption 64-bit key Kc is A8(Ki, RAND)
- The traffic is encrypted at the physical layer
- Symmetrical encryption (same key for both Uplink and Downlink)
- The following algorithms are available:
  - A5/0 : no encryption
  - A5/1 : LFSR-based stream cipher, 64-bit key, broken
  - A5/2 : LFSR-based stream cipher, 64-bit key, broken, prohibited use
  - A5/3 : KASUMI in OFB mode, 64-bit key extended to 128 bits (3GPP TS 55.216)
  - A5/4 : same as A5/3, 128-bit key (3GPP TS 55.226)
Integrity protection
- Traffic is not integrity protected in GSM!

Radio Interface security evolution

2.5G (E)GPRS

Authentication
- Similar to GSM, also not mutual
Encryption
- The traffic is encrypted at the LLC layer
- The 64-bit encryption key GPRS-Kc is A8(Ki, RAND)
- Asymmetrical encryption by using a direction bit
- Some GPRS encryption algorithms are not publicly documented
- The following algorithms are available:
  - GEA0 : no encryption
  - GEA1 : undocumented, LFSR-based stream cipher, 64-bit key, broken, prohibited use
  - GEA2 : undocumented, LFSR-based stream cipher, 64-bit key
  - GEA3 : KASUMI in OFB mode, 64-bit key extended to 128 bits, similar to A5/3 (3GPP TS 55.216)
  - GEA4 : same as GEA3, 128-bit key (3GPP TS 55.226)
Integrity protection
- Traffic is not integrity protected in (E)GPRS!

Radio Interface security evolution

3G UMTS (1)

Authentication
- Mutual authentication between the mobile and the base station
- Based on 128 or 256-bit shared secret key K stored in the USIM and the HLR
- Both sides keep track of a 48-bit SQN (sequence number) to prevent replay attacks
Encryption
- Initiated by the network by sending a RRC Security Mode Command
- The traffic is encrypted at the RLC layer
  - … or MAC layer in case of bearers in transparent mode
- As with (E)GPRS, asymmetrical encryption based on a direction bit
- Moreover, the traffic of each radio bearer is encrypted separately
  - … by using a 4-bit bearer ID
- The following algorithms are available:
  - UEA0 : no encryption
  - UEA1 : KASUMI in OFB mode, 128-bit key, similar to A5/3 (3GPP TS 35.201)
  - UEA2 : SNOW 3G, 128-bit key (3GPP TS 35.216)

Radio Interface security evolution

3G UMTS (2)

Integrity protection
- Initiated by the network by sending a RRC Security Mode Command
- NAS (Non-Access Stratum) is integrity protected at the RRC layer
- The 128-bit integrity key IK is f4(K, RAND)
- The following algorithms are available:
  - UIA0 : no integrity
  - UIA1 : 32-bit MAC, KASUMI in CBC-MAC mode (3GPP TS 35.201)
  - UIA2 : 32-bit MAC, based on SNOW 3G (3GPP TS 35.216)

Radio Interface security evolution

4G LTE (1)

Authentication
- Mutual authentication between the mobile and the base station
  - … same as in UMTS
Derived key hierarchy
- K (stored on USIM)
  - CK, IK
    - Kasme
      - Knasenc
      - Knasint
      - Kenb
        
        Kupenc
        
        Krrcenc
        
        Krrcint

Radio Interface security evolution

4G LTE (2)

Encryption
- Initiated by the network by sending a NAS Security Mode Command
- Asymmetrical encryption based on 32-bit PDCP counter and a 5-bit bearer ID
- The traffic is encrypted at the PDCP layer
- Three different 128-bit keys are used:
  - Knasenc for NAS (Non-Access Stratum) messages
  - Krrcenc for Access Stratum messages
  - Kupenc for User Plane messages
- The following algorithms are available:
  - EEA0 : no encryption
  - 128-EEA1 : same as UEA2 (3GPP TS 33.401)
  - 128-EEA2 : AES in CTR mode, 128-bit key (3GPP TS 33.401)
  - 128-EEA3 : ZUC, 128-bit key (3GPP TS 35.222)

Radio Interface security evolution

4G LTE (3)

Integrity protection
- Initiated by the network by sending RRC and NAS Security Mode Command
- NAS (Non-Access Stratum) is integrity protected at the PDCP layer
  - Control Plane is protected, while the User Plane is not
- Two different 128-bit keys are used:
  - Knasint for NAS (Non-Access Stratum) messages (derived from Kasme)
  - Krrcint for Access Stratum messages (derived from Kenb)
- The computation is basend on 32-bit PDCP counter and a 5-bit bearer ID
- The following algorithms are available:
  - EIA0 : no integrity, only for emergency calls
  - 128-EIA1 : similar to UIA2 (3GPP TS 33.401)
  - 128-EIA2 : 32-bit MAC, 128-bit AES in CMAC mode (3GPP TS 33.401)
  - 128-EIA3 : 32-bit MAC, based on ZUC (3GPP TS 35.222)

Known attacks and vulnerabilities

IMSI catchers coming soon…

Thanks for your attention!

Questions?

vyanitskiy@ptsecurity.com

2G RAN security vs IMSI Catchers

About the speaker

Talk structure (1)

Talk structure (2)

2G/3G network (infra)structure

2G/3G network (infra)structure

2G/3G network (infra)structure

2G/3G network (infra)structure

2G/3G network (infra)structure

2G/3G network (infra)structure

4G network (infra)structure

4G network (infra)structure

2G/3G/4G network (infra)structure

2G/3G/4G network (infra)structure

2G/3G/4G network (infra)structure

2G/3G/4G network (infra)structure

2G/3G/4G network (infra)structure

2G Radio Interface basics

2G Radio Interface basics

2G Radio Interface basics

2G Radio Interface basics

2G Radio Interface basics

2G Radio Interface basics

2G Radio Interface basics

2G Radio Interface security

2G Radio Interface security

2G Radio Interface security

2G Radio Interface security

Known attacks and vulnerabilities of 2G RAN

Known attacks and vulnerabilities of 2G RAN

Radio Interface security evolution

Radio Interface security evolution

Radio Interface security evolution

Radio Interface security evolution

Radio Interface security evolution

Radio Interface security evolution

Radio Interface security evolution

Known attacks and vulnerabilities

Thanks for your attention!