Privacy through Pseudonymity in MobileTelephony Systems

Myrto Arapinis 1 Loretta Mancini 2 Eike Ritter 2 Mark Ryan 2

1School of Informatics, University of Edinburgh2School of Computer Science, University of Birmingham

NDSS 2014

1 / 24

Context

2 / 24

Law enforcement agencies track individuals

3 / 24

But also...

I private detectives, jealous partners, abusive bosses, nosyneighbors, . . .

I retailers, shopping malls, airports, railway stations, museums,public areas, . . .

4 / 24

But also...

I private detectives, jealous partners, abusive bosses, nosyneighbors, . . .

I retailers, shopping malls, airports, railway stations, museums,public areas, . . .

4 / 24

Privacy and the GSM/UMTS standards

5 / 24

Privacy is an explicit goal of GSM/UMTS

GSM/UMTS aim at providing user untraceability from thirdparties

GSM/UMTS specification [3GPP TS 33.102 V9.3.0(2010-10)]

An intruder cannot deduce whether different services are deliveredto the same user.

−→ the user is identified by a pseudonym/temporary identity(TMSI) which should be periodically updated.

6 / 24

TMSI reallocation in the GSM/UMTS standards

I Initiated by the MS toupdate its location

I MS unique identity storedin the SIM card: IMSI

I The network assigns atemporary identity TMSI

I A new TMSI should beassigned at each changeof location

7 / 24

TMSI reallocation in the GSM/UMTS standards

I Initiated by the MS toupdate its location

I MS unique identity storedin the SIM card: IMSI

I The network assigns atemporary identity TMSI

I A new TMSI should beassigned at each changeof location

7 / 24

Analysis of TMSI reallocation

8 / 24

TMSI reallocation procedure

9 / 24

Our focus: correct usage of TMSIs

Does TMSI reallocation really achieve privacy?

I What does periodically mean?

I Is a new TMSI assigned at each change of location as thestandard specifies?

I Are session keys reused?

10 / 24

Our focus: correct usage of TMSIs

Does TMSI reallocation really achieve privacy?

I What does periodically mean?

I Is a new TMSI assigned at each change of location as thestandard specifies?

I Are session keys reused?

10 / 24

Our focus: correct usage of TMSIs

Does TMSI reallocation really achieve privacy?

I What does periodically mean?

I Is a new TMSI assigned at each change of location as thestandard specifies?

I Are session keys reused?

10 / 24

Our focus: correct usage of TMSIs

Does TMSI reallocation really achieve privacy?

I What does periodically mean?

I Is a new TMSI assigned at each change of location as thestandard specifies?

I Are session keys reused?

10 / 24

Experimental setup

11 / 24

Experimental setup

I Osmocom-BB project implements GSM mobile stationcontrolled by host

I Radio communication executed via flashed firmware on mobilephone

I Can use wireshark to analyse the communication

   

OsmocomBB

layer1ccch_scan

mobile

Layer2/3

bcch_scan

ccch_scan

cell_log

cbch_sniff

wireshark

osmocon

network

phonelayer1

12 / 24

TMSI reallocation procedure rarely executed

I same TMSI allocated for hours and even days,

I independently of MS activity

Observed for major operators in UK, France, Italy and Greece

13 / 24

Change of location without TMSI reallocationChange of location area does not imply a change of TMSIExample: couch journey between different cities in the UK

I First new TMSI assigned after about 45 min (53km)I Second new TMSI assigned after about 60 min (70km)

However: location update procedure performed every 5 min (3km)

14 / 24

Reuse of previous ciphering keys

Previously established keys are reused for TMSI reallocationObserved for major UK and Italian network operators

⇒ Gives rise to replay attack

15 / 24

Reuse of previous ciphering keys

Previously established keys are reused for TMSI reallocationObserved for major UK and Italian network operators

⇒ Gives rise to replay attack

15 / 24

Replay attack and fix

16 / 24

TMSI reallocation replay attack (1)

17 / 24

TMSI reallocation replay attack (2)

18 / 24

Fix for replay attack

19 / 24

Unlinkability

UMTS specification [3GPP TS 33.102 V9.3.0 (2010-10)]

An intruder cannot deduce whether different services are deliveredto the same user.

An attacker cannot distinguish two scenarios

20 / 24

Fixed TMSI reallocation satisfies unlinkability

I Formal model of fixed TMSI reallocation procedure inthe applied pi calculus

I Formal proof of unlinkability

νdck .(!(Init|MS)|!SN) ≈ νdck .(!(Init|!MS)|!SN)

Proof works by constructing suitable bisimulationKey point: multiple sessions of same mobile phone can besimulated by multiple phones executing one session each

21 / 24

Conclusion

22 / 24

Summary of our results

I What does periodically mean?

RARELY⇒ locate a victim by paging it1

⇒ TMSI reallocation should be activity dependent

I Is a new TMSI assigned at each change of location as thestandard specifies?

NO⇒ tracking across different locations by passively sniffing⇒ TMSI reallocation should be executed at each change oflocation

I Are session keys reused?

YES⇒ replay attacks allowing phone tracking⇒ replay attacks can be avoided using a simple counter, or byforbidding the reuse of session keys

1

D. F. Kune et al. Location leaks over the GSM air interface, NDSS, 2012.K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, 2010.

23 / 24

Summary of our results

I What does periodically mean? RARELY⇒ locate a victim by paging it1

⇒ TMSI reallocation should be activity dependent

I Is a new TMSI assigned at each change of location as thestandard specifies?

NO⇒ tracking across different locations by passively sniffing⇒ TMSI reallocation should be executed at each change oflocation

I Are session keys reused?

YES⇒ replay attacks allowing phone tracking⇒ replay attacks can be avoided using a simple counter, or byforbidding the reuse of session keys

1D. F. Kune et al. Location leaks over the GSM air interface, NDSS, 2012.K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, 2010.

23 / 24

Summary of our results

I What does periodically mean? RARELY⇒ locate a victim by paging it1

⇒ TMSI reallocation should be activity dependent

I Is a new TMSI assigned at each change of location as thestandard specifies?

NO⇒ tracking across different locations by passively sniffing⇒ TMSI reallocation should be executed at each change oflocation

I Are session keys reused?

YES⇒ replay attacks allowing phone tracking⇒ replay attacks can be avoided using a simple counter, or byforbidding the reuse of session keys

1D. F. Kune et al. Location leaks over the GSM air interface, NDSS, 2012.K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, 2010.

23 / 24

Summary of our results

I What does periodically mean? RARELY⇒ locate a victim by paging it1

⇒ TMSI reallocation should be activity dependent

I Is a new TMSI assigned at each change of location as thestandard specifies? NO⇒ tracking across different locations by passively sniffing

⇒ TMSI reallocation should be executed at each change oflocation

I Are session keys reused?

YES⇒ replay attacks allowing phone tracking⇒ replay attacks can be avoided using a simple counter, or byforbidding the reuse of session keys

1D. F. Kune et al. Location leaks over the GSM air interface, NDSS, 2012.K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, 2010.

23 / 24

Summary of our results

I What does periodically mean? RARELY⇒ locate a victim by paging it1

⇒ TMSI reallocation should be activity dependent

I Is a new TMSI assigned at each change of location as thestandard specifies? NO⇒ tracking across different locations by passively sniffing⇒ TMSI reallocation should be executed at each change oflocation

I Are session keys reused?

YES⇒ replay attacks allowing phone tracking⇒ replay attacks can be avoided using a simple counter, or byforbidding the reuse of session keys

1D. F. Kune et al. Location leaks over the GSM air interface, NDSS, 2012.K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, 2010.

23 / 24

Summary of our results

I What does periodically mean? RARELY⇒ locate a victim by paging it1

⇒ TMSI reallocation should be activity dependent

I Is a new TMSI assigned at each change of location as thestandard specifies? NO⇒ tracking across different locations by passively sniffing⇒ TMSI reallocation should be executed at each change oflocation

I Are session keys reused? YES⇒ replay attacks allowing phone tracking

⇒ replay attacks can be avoided using a simple counter, or byforbidding the reuse of session keys

1D. F. Kune et al. Location leaks over the GSM air interface, NDSS, 2012.K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, 2010.

23 / 24

Summary of our results

I What does periodically mean? RARELY⇒ locate a victim by paging it1

⇒ TMSI reallocation should be activity dependent

I Is a new TMSI assigned at each change of location as thestandard specifies? NO⇒ tracking across different locations by passively sniffing⇒ TMSI reallocation should be executed at each change oflocation

I Are session keys reused? YES⇒ replay attacks allowing phone tracking⇒ replay attacks can be avoided using a simple counter, or byforbidding the reuse of session keys

1D. F. Kune et al. Location leaks over the GSM air interface, NDSS, 2012.K. Nohl and S. Munaut, Wideband gsm sniffing, 27C3, 2010.

23 / 24

Thank you!

24 / 24