Skip to main content

Wireless Hacking - Part3

IMSI CATCHING OVER WIFI NETWORKS: EXPOSING WIFI-OFFLOADING

 Introduction

 IMSI (International Mobile Subscriber Identity) catchers have been widely known in 3G mobile networks as a malicious device to intercept and eavesdrop mobile traffic and tracking users, considered a type of man-in-the-middle attacks. This type of attack has been aroused in wifi networks as well.

Wifi networks that operate over 2G-4G protocols, better known as Wifi-offloading, has been an emerging concept adopted by mobile operators for several years to relieve the congested mobile data networks with additional capacity from the unlicensed Wifi spectrum.

Wifi offloading architecture relies heavily on the mobile operator's infrastructure as the users are authenticated via their SIM/(U)SIM cards as the normal defined 3GPP mobile authentication mechanism.

The architecture of wifi offloading solutions mainly consists of the wireless access point that the user attaches to and depends on the operator’s core infrastructure that is responsible for authenticating, using an EAP based AAA server that is connected to the operator's Home Location Register, known as HLR (HLR is the operator's database that is responsible to store the details of every authorized subscriber), a WLC (WLAN Controller) that acts as a DHCP and leases IP, and the GGSN (GPRS Gateway Serving Node) that acts as a gateway to the internet. The below diagram gives a high level view on how wifi offloading architecture depends much on the same core nodes as 3G/4G.

Fig 1. WiFi offloading Architecture

Traffic Flow
The sequential traffic flow for user equipment (UE) on a 3G/4G wifi network is described as the below:
      1. The subscriber associated to SSID.
      2. 802.1x EAP-SIM/AKA request to AP.
      3. WLC sends RADIUS auth-request.
      4. AAA server checks SIM credentials with HLR using MAP over the SS7 network.
      5. After successful authentication, WLC leases an IP address to subscriber.
      6. Subscriber traffic is now directed to the GGSN to have internet access.

WIFI offloading Authentication Vulnerability

EAP is Extensible Authentication Protocol, which can be used to create new types of authentication protocols for Radius. EAP-SIM/AKA are one of those new types of authentication commonly used in WLANs.

EAP-SIM/AKA are designed for use with existing GSM/3GPP authentication systems (AuC, HLR/HSS) and SIM/USIM cards. EAP-SIM/AKA standards allow WLAN users to authenticate access to wireless networks using mobile SIM cards.


Fig 2. High Level Authentication Procedure (Source: Cisco Networks)

The above figure shows an overview of the authentication procedure. The UE communicates with an EAP server that is located on an authentication server using AAA.

The first EAP request issued by the authenticator (EAP Server) is EAP-Request/Identity. On full authentication, the UE’s EAP-Response/Identity includes the IMSI.

GSM subscribers are identified with IMSI. The IMSI is a string of not more than 15 digits. It is composed of a three digit Mobile Country Code (MCC), a two or three digit Mobile Network Code (MNC), and a Mobile Subscriber Identification Number (MSIN) of no more than 10 digits.

Fig 3. IMSI Structure

The vulnerability found in this authentication mechanism is that the user identity is transported in clear text upon first AAA server-UE handshaking, making anyone in the vicinity of the access point able to passively eavesdrop and catch the IMSI of the attached users. This is a vulnerability in the implementation of this architecture in mobile operators, and the way the EAP-SIM was standardized, as stated by the EAP-SIM RFC4186, the user identity privacy method used for authentication is an optional method, it's up to the operator to implement it or not.

The criticality of exposing the subscriber's IMSI is that it is the main attribute in mobile networks used for various operations, not limited to the following: Subscriber authentication, routing of calls, location identification, routing of SMS, routing of data, charging, subscriber’s subscription profile modifications, and many more. Thus, exposing the IMSI of a subscriber may have a severe impact on user’s privacy as it could be used in man-in-the-middle attacks, location tracking and fraud. The impact does not affect user’s privacy only, but the operators themselves; DDoS attacks could be launched on the operator's infrastructure using other complementing techniques, all of that resulting
from exposing a single piece of data, yet a critical one, the IMSI.

Exploiting the EAP-SIM

This proof of concept was run on one of the operators on their 3G WiFi network. Unlike the well known GSM IMSI catchers, better known for stingrays, the methods used to exploit this vulnerability are quite simple, it could be exploited using a wifi adapter, i.e TP-Link 722N, or the laptop’s built-in adapters could do the job, if only doing passive attacks.

The passive attack vector for this vulnerability occurs if an attacker runs a wifi sniffer, captures the initial interaction and observes the IMSI transported in the initial EAP/Response in the AT_INDETITY attribute. The IMSI will also be seen if the fast re-authentication fails and full authentication occurs once again.


Fig 4 .Wifi IMSI Catcher

As shown in the above packet, this is an EAP packet response and of a type identity as shown in the code attribute (2) and identity attribute (1), respectively, in the EAP layer of the packet. The last attribute in this layer is the identity used by the UE, in this case, it’s the IMSI which takes the following form:
1602xxxxxxxxxxxx@wlan.mncxx.mcc602.3gppnetwork.org.
When IMSI is used as identifiers, the first digit is “1” followed by the country code (MCC: 602, Egypt) followed by the 2-3 digits of operator code (MNC), followed by MSIN digits.

What makes this type of attack extensively critical is that the normal wireless hacking techniques could be easily adopted, after all, it's a pure wireless communication inheriting all of its characteristics between the UE and the wireless access point. Thus, even if a user is attached to the SSID, the attacker could send a simple de-authentication packet which will force the UE to re-authenticate sending its IMSI again.

This attack could be achieved even if the attacker is not in the vicinity of a 3G/4G wifi SSID, the attacker can monitor the broadcast packets over the air. By default, the UE will send probe requests to the SSIDs stored in their preferred list on the handsets, thus there is a probability to easily to identify the users and set up a rogue access point to accept the request, then craft an EAP packet to request the user's identity, which is, in this case, the IMSI.

Impact of the Attack

Attackers never focus on only one technique or methodology for attacking, instead they complement it with all available and relevant techniques. As mentioned earlier, the aftermath of exposing the IMSI could be used for further attacks, like location tracking, interception, etc. With the emerging new attack vectors on the telecom infrastructure and protocols, this could be achieved by using the SS7 protocol vulnerability.

Location tracking could be achieved by using the IMSI as a parameter to the MAP-provideSubsciberInfo message as described below:

Fig 5. Using SS7 to track location via IMSI

Upon sending the ProvideSubscriberInfo request to the operator’s MSC/VLR that is responsible to temporarily store the location of the user, the response will include, but is not limited to, the following important information:
● Cell ID
● GPS location (if available)
● IMEI (hardware serial number) of handset

With this information, the GPS and Cell ID could be looked up in an open source Cell ID database, like (opencellid.org) thus knowing the exact location of the target wherever located. Knowing the IMEI will reveal the exact vendor of the handset giving the attacker the opportunity to customize a dedicated malware for this specific vendor.

Mitigation

EAP-SIM includes optional identity privacy (anonymity) support that can be used to hide the clear text permanent identity and thereby make the subscriber’s EAP exchanges untraceable to eavesdroppers. Because the permanent identity never changes, revealing it would help observers to track the user.

Identity privacy is based on temporary identities, or pseudonyms, that is created by the EAP server, which are equivalent to but separate from the Temporary Mobile Subscriber Identities (TMSI) that are used on cellular networks.

The EAP server transmits pseudonym usernames to the peer in cipher, using the AT_ENCR_DATA attribute in the EAP-Request/SIM/Challenge after the first full authentication is done. Upon successful first full authentication, and the encrypted data includes a pseudonym user-name, then the peer may use the obtained pseudonym user-name on  the next full authentication. The EAP server holds a mapping between the IMSI and its correspondent pseudonyms. This pseudonym is also recommended to be used in fast-authentication.
As shown in the exploitation section, wireless hacking techniques could be adopted along with setting a rogue access point. This should be resolved by the operators enforcing the use of EAP-AKA instead of EAP-SIM. By standard AKA authentication mechanism is adopted for 3G authentication using the USIM cards, which ensure mutual authentication, unlike EAP-SIM, not only the network will authenticate the subscriber, but the subscriber will get to authenticate the network itself to make sure it's his operator by solving a challenge.

Securing the user’s identity with pseudonyms configuration on the EAP servers mobile operators and using mutual authentication implemented in EAP-AKA will ensure privacy of the subscribers against the emerging attacks on mobile users.



Popular posts from this blog

Haking On Demand_WireShark - Part 5

Detect/Analyze Scanning Traffic Using Wireshark “Wireshark”, the world’s most popular Network Protocol Analyzer is a multipurpose tool. It can be used as a Packet Sniffer, Network Analyser, Protocol Analyser & Forensic tool. Through this article my focus is on how to use Wireshark to detect/analyze any scanning & suspect traffic. Let’s start with Scanning first. As a thief studies surroundings before stealing something from a target, similarly attackers or hackers also perform foot printing and scanning before the actual attack. In this phase, they want to collect all possible information about the target so that they can plan their attack accordingly. If we talk about scanning here they want to collect details like: • Which IP addresses are in use? • Which port/services are active on those IPs? • Which platform (Operating System) is in use? • What are the vulnerabilities & other similar kinds of information. • Now moving to some popular scan methods and ho
Read more

Bypassing Web Application Firewall Part - 2

WAF Bypassing with SQL Injection HTTP Parameter Pollution & Encoding Techniques HTTP Parameter Pollution is an attack where we have the ability to override or add HTTP GET/POST parameters by injecting string delimiters. HPP can be distinguished in two categories, client-side and server-side, and the exploitation of HPP can result in the following outcomes:  •Override existing hardcoded HTTP parameters  •Modify the application behaviors   •Access and potentially exploit uncontrollable variables  • Bypass input validation checkpoints and WAF rules HTTP Parameter Pollution – HPP   WAFs, which is the topic of interest, many times perform query string parsing before applying the filters to this string. This may result in the execution of a payload that an HTTP request can carry. Some WAFs analyze only one parameter from the string of the request, most of the times the first or the last, which may result in a bypass of the WAF filters, and execution of the payload in the server.  Let’s e
Read more

Bypassing Web Application Firewall Part - 4

Securing WAF and Conclusion DOM Based XSS DOM based XSS is another type of XSS that is also used widely, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. Now, the XSS attacks based on this is when the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that in contrast with the other two attacks, here the page that the victim sees does not change, but the injected code is executed differently because of the modifications that have been done in the DOM environment, that we said earlier. In the other XSS attacks, we saw the injected code was
Read more