Security Flaws allow 3G devices to be tracked ~ Hackinthus

Wednesday, October 10, 2012

Security Flaws allow 3G devices to be tracked

By: Santosh Pavate

New privacy threats have been uncovered by security researchers that could allow every device operating on 3G networks to be tracked, according to research from the University of Birmingham with collaboration from the Technical University of Berlin.


Two attacks were conducted using off-the-shelf kit and a rooted — or modified — femtocell unit which broadcasted a 3G signal. The attacks were made by intercepting, altering and injecting 3G Layer-3 messages into communication between the base station and mobile phones in both directions. The research team took pains to emulate a real-world scenario under the environment, and they tested the attacks techniques against network providers including T-Mobile, Vodafone and O2 in Germany, and French outfit SFR.

One attack, the IMSI paging attack, forced mobile devices to reveal the static identity (IMSI) in response to a temporary number (TMSI) paging request which contained the IMSI, a number which was assumed was known to the attacker. This would reveal the presence of devices in a monitored area, breaking anonymity and ‘unlinkability’ by revealing the IMSI and TMSI correlation.

The tampered sessions might be noticed by users who attempted to place a phone call or send a text message when an authentication request or IMSI paging request was injected.
In the Authentication and Key Agreement (AKA) protocol attack, the same authentication request would be injected to all phones in range causing all but the targeted device – which would return a Mac failure -- to respond with synchronisation failures.

“The captured authentication request can now be replayed by the adversary each time he wants to check the presence of [a device] in a particular area. In fact, thanks to the error messages, the adversary can distinguish any mobile station from the one the authentication request was originally sent to,” the paper stated.

In tests, the authentication requests were obtained by placing six phone calls to a target’s phone and listening to the communication with osmocom-bb. The researchers wrote that the attacks could be used to track staff movements within a building.

"[The employer] would first use the femtocell to sniff a valid authentication request. This could happen in a different area than the monitored one. Then the employer would position the device near the entrance of the building. Movements inside the building could be tracked as well by placing additional devices to cover different areas of the building," they wrote.

"If devices with wider area coverage than a femtocell are used, the adversary should use triangulation to obtain finer position data.”

Not the same
Previous attacks have been established that allow locations to be gleaned and calls to be intercepted on both GSM and 3G networks. However the new attacks were notable in that they targeted the protocol logic and were independent of device weaknesses or the need to break weak cryptographic functions.

The closest attack to the current research was made by Muxiang Zhang and Yuguang Fang which demonstrated how attackers could redirect a target's outgoing traffic to different networks, such as one with weak encryption or which charges higher rates.

The feat was possible because phones did not authenticate their serving networks.
It differed from the University of Birmingham and Technical University of Berlin research, the paper stated, because the attack focused on “impersonation, service theft and data confidentiality” rather than privacy issues in 3G.

Proposed fixes
The researchers proposed what they said were unique fixes for the vulnerabilities which introduced an “unlinkability” session key which was an additional key used in the AKA protocol and IMSI paging procedure fixes. It also included modifications to error messages that would prevent the attacks.
Both fixes use public-key cryptography which would need to be deployed by cellular operators within their networks. The proposed public key infrastructure was lightweight and changes to the adopted protocols were minimal.

The fixes would also not be expensive. “The solutions we propose show that privacy friendly measures could be adopted by the next generation of mobile telephony standards while keeping low the computational and economical cost of implementing them.”

You can like us on Facebook and Twitter to keep yourself updated.
Please let us know about your views by your comments.


Post a Comment


Twitter Delicious Facebook Digg Stumbleupon Favorites More