Herald: Okay, very warm welcome everybody. It's my great pleasure to announce this next talk, which is going to be called SigOver + alpha, where CheolJun Park and Mincheol Son are going to be talking about signal overshadowing attacks in LTE. The two of them are researchers at KAIST in Korea, the Korean Advanced Institute of Science and Technology, and I'm really interested in hearing about the exploits these two found. Please give them a huge warm welcome with an applause, thank you.

[Applause]

Mincheol: Thank you. Good afternoon. Welcome to our talk. The name is SigOver + Alpha; what we're talking about is a very interesting, realistic and new attack in LTE. My name is Mincheol. I'm a graduate student at the System Security Lab at KAIST. My research interest is in cellular networks and comparison analysis.

CheolJun: Hi, my name is CheolJun and I'm also a PhD student in the System Security Lab at KAIST. My research interest is also cellular network systems and mobile security analysis.
In this presentation we prepared a lot of interesting attack demo videos. Mincheol will talk in the first half of the presentation, giving some introduction to the LTE network, the concept of the SigOver attack, and broadcast message injection using SigOver. Then I will talk in the remaining part of the presentation about a little more advanced attack.

Mincheol: Okay, let's start. First of all, what I'm going to talk about is the cellular network. All of us use our cell phones for voice calls, playing games or watching a video anywhere at any time. The mobile phone has been developed from the first generation to the fourth generation, as shown in the figure on the right, and 5th generation services have now started. Today we are going to talk about new and powerful attack techniques that can be used for attacks in LTE. Also we will explain some examples of attacks and show demonstrations of them.

To understand the main contents, we need some background on LTE. The LTE system is largely composed of UEs, such as a smartphone used by the user for LTE service, and the base station, which is in charge of transmitting and receiving radio signals.
And the core network is for the mobility management, authentication and data services of the user. For control messages such as radio connection, the UE and base station use RRC protocols. Similarly, the UE and the core network send and receive control messages with NAS protocols. The main part of our talk is the UE and the base station. If so, how does the UE establish a radio connection with the base station and use the LTE service? First, the UE has to decide which base station to connect to. To do this, the UE scans the LTE frequency band and selects the most stable base station by considering the frequency priority and signal strength of the base station.

After selecting one base station, the UE starts the attach procedure with the base station. First, the UE receives the PSS and SSS signals sent by the base station. In turn, MIB and SIB are decoded. All three messages are broadcast messages sent by the base station. They are used to match time synchronization, to know boundaries or the transmission scheme, and to know information about the base station.
After the broadcast messages, the UE establishes a radio connection with the base station. This process is done using the RRC protocol messages, after which the UE proceeds with security setup for the NAS protocol. Throughout this process, the UE and the core network share the key and algorithms for encryption and integrity check. The security setup process is also performed between the UE and the base station. After this series of procedures the UE can attach successfully and use the LTE service.

And then, what attack is possible against the UE connected to the network and using the service? The most widely used method so far is to use a fake base station. An attacker could use a fake base station that behaves like a legitimate base station, causing the victim UE to disconnect from the legitimate base station and connect to the fake base station. This is possible because the UE preferentially tries to connect to a strong base station.
Several attacks using FBS have been introduced, including man-in-the-middle attack, denial of service, user identity leak, fake emergency alert and so on. As such, the fake base station attack, using the characteristics of the radio communication, is actively used for research or actual attacks. And then, here are the questions: Is the FBS attack the only attack method using the characteristics of the LTE radio connection, or should the victim UEs always be connected to the FBS for wireless attacks? The answer is no; there is a more intuitive and powerful attack method than FBS. It is the signal overshadowing attack. While the previous FBS attack uses the characteristic of selecting a stronger-signal base station, the SigOver attack uses the characteristic of wireless communication to decode the stronger signal when different signals are transmitted on the same frequency. This is illustrated by the figure below: the normal base station continuously transmits LTE signals in time and frequency. The UE then receives and decodes the signal.
If the attacker can match the time and frequency exactly with the normal signal and transmit a stronger signal than the real signal, the UE will decode the stronger signal. This is the signal overshadowing attack that overrides the LTE signal. If the signal overshadowing attack is possible, then what message can be used to overwrite? The messages we can overwrite are those with no security protection. First, there are broadcast messages. The broadcast messages of base stations are signals for all users, with no consideration for encryption and integrity checks in the LTE specification. Second, there are messages that can be used for an attack because they are unprotected among the messages transmitted only to a specific user, not broadcast messages. One reason that such a message is not protected is a bug in the UE implementation. The other is that there are several messages in the specification that are not [protected?] before performing security setup. The details of the SigOver attack will be discussed one by one. First, I will explain what to solve in order to perform the SigOver attack, how the SigOver attack is different from the existing FBS attack, and what kinds of attacks are possible using broadcast messages and SigOver.
Lastly, CheolJun will explain attacks using unicast messages and then discuss something like countermeasures and future work.

So first, there are some challenges and questions for the SigOver attack. First, we should consider which part of the signal we override. If too many signals are overwritten, the UE will receive no normal signals, causing only effects such as jamming. On the contrary, if too few signals are covered, the difficulty of the attack increases and the UE may not be able to decode properly. The second challenge is how to synchronize time and frequency. This is the most important challenge in the SigOver attack, where the attack signal must be accurately overwritten on the signal of the normal base station. Finally, how much error is okay? Even if the signal is transmitted like a normal base station, there may be a slight error in time or frequency. Therefore it is necessary to know how much accuracy is required for the UE to properly decode the signal. I will explain the details of these three challenges and questions. To answer the first question, let's look at the LTE frame structure first.
An LTE frame consists of multiple subframes, a subframe has multiple symbols, and the message is included in a subframe, meaning that there are various options to be overshadowed. Symbol overshadowing requires precise synchronization, so the success rate is hard to guarantee. On the other hand, frame-level overshadowing requires rewriting multiple subframes or multiple messages. It can also affect other normal messages. So it is quite natural to overshadow at the subframe level.

Next, let's look at time synchronization first among the synchronization issues. The attacker's subframe and the legitimate subframe must arrive at the UE simultaneously in order to override a particular subframe accurately. For simplicity, let's assume there is no propagation delay for now. The attacker utilizes the synchronization signals called PSS and SSS to get accurate time synchronization, as they are sent periodically from the legitimate base station. More concretely, first, the attacker uses PSS and SSS to get the frame timing of the legitimate base station, meaning that the attacker can identify the frame timings t0, t1, and t2.
Second, once the attacker knows the timing, she can predict the timing of the target subframe, since each subframe has a fixed size, which is one millisecond. For example, if the attacker overshadows the second subframe of frame 566, then she can transmit the malicious subframe at t2 plus one millisecond. Now the attacker's signal arrives at the UE simultaneously, since we assume that there is no propagation delay. However, in real life there is propagation delay depending on the location, meaning that t0 will be delayed due to the propagation delay of PSS and SSS. Also, if the attacker is located far from the UE, more delay would be added. The delay could be compensated if the attacker precisely located the UE and the base station, but it is not realistic in the wild. The delay is up to some maximum value because they are located within range of the base station. So in practice there is a delay that cannot be compensated, so subframes cannot be aligned exactly. So then we can count on the LTE UE. LTE is designed to be reliable, especially in outdoor environments. Outdoors, the UE can move around, and there is a reflection effect because of buildings.
So we expected that the UE would compensate such small errors if the subframe is somewhat synchronized, but not exactly. So the question is, how much can the UE tolerate this delay error? Since it is chipset dependent, we measured the max delay tolerance of two COTS smartphones, and the results are around 12 and 11 microseconds each. Both results exceed the max delay of the urban base station, which is around eight microseconds. So this means that the attack can succeed regardless of the location of the base station and the victim UEs. In summary, the attacker can be anywhere within the range of the base station to succeed in the attack.

The last one to solve is frequency synchronization. The LTE standard specifies the minimum frequency accuracy that an LTE base station must have as 50 ppb. So for precise synchronization, the attacker needs to use a sufficiently accurate frequency; after that, the residual frequency error can be compensated by a CFO correction algorithm. Since SigOver was run on a typical SDR kit with an inaccurate oscillator, we adopt a GPSDO to improve its frequency accuracy. A GPSDO guarantees 25 ppb accuracy without a GPS antenna and 1 ppb with a GPS antenna.
Lastly, we can compensate the residual frequency error by PSS/SSS-based CFO correction. Here's the summary of the main questions and answers. We overshadow subframe units, using PSS/SSS for time synchronization and using GPSDO and CFO correction for frequency synchronization. Finally, the COTS UE is generous enough to cover the entire range of the urban base station. In short, an attacker located in the range of the base station can overshadow broadcast messages to any victim within the base station coverage.

Next, before examining the difference between SigOver and FBS, I will explain the process of the SigOver attack. First, the attacker collects the necessary values by listening to the broadcast messages of the normal base station. This process is necessary because information about the base station is required to disguise the attacker's signal as that of a normal base station. Next, the attacker creates a subframe that contains the messages to use for the attack.
And now the attack begins. First, the attacker receives the PSS and SSS signals of the normal base station and synchronizes time with the base station, then sends the malicious subframe that she made at the precise timing. Finally, the UE receiving the signal receives a malicious message by decoding the attacker's subframe, which is stronger than the signal of the normal base station.

Here's our test environment to verify SigOver. We implemented SigOver by using an open source LTE stack, and we used the USRP series for radio transmission. We also [used phones] such as iPhone XS or Galaxy S9 to verify this attack. In the remainder of this talk I will talk about the performance of SigOver and attacks that can be launched using SigOver.

Okay, so far I have shown that SigOver can be used in practice, but both FBS and SigOver can inject malicious broadcast messages to the UEs. So what is the difference between SigOver and FBS? Or what is the advantage of SigOver? The basic advantage of SigOver compared with the fake base station comes from the fact that SigOver does not need connection establishment to inject the message. This has multiple implications.
Another advantage is power efficiency. SigOver does not require such strong power, because the attack signal only needs to be high enough to cover the original signal, which is called the capture effect. It shows a 98% success rate at 3 dB higher power than the legitimate base station. However, the FBS requires much stronger power than SigOver. This is because the FBS needs to break the current connection between the victim UE and the legitimate base station.

Next I'll talk about what we can do with SigOver and broadcast messages. I have explained that there is no connection between the victim UE and the SigOver attacker. It means that the UE can keep communicating with the legitimate base station or network during the attack. For example, SigOver can inject a malicious message while the UE is on the phone. However, the UE cannot communicate with the network after attaching to the FBS. So the UE might fall into denial of service. Let me show you some possible attacks using SigOver that are not feasible using FBS.
The first one is the signaling storm attack. In general, a signaling storm occurs through a botnet, but SigOver can launch the attack without using a botnet. SigOver exploits a broadcast message called SIB-1, especially the tracking area code. By changing the tracking area code to a new one, the attacker can trigger the tracking area update procedure of the victim UE, which is sent to the core network. All UEs in the attack range may continuously receive the fake SIB-1, which causes a tracking area update storm to the core network. FBS can do the same, but as you expected, the legitimate network would be safe from this attack because the FBS is not connected to the legitimate core network.

This is the demonstration of the signaling storm. The program in this screenshot [shows the] signaling messages of the UE. First, the attacker injects a malicious paging message.
This malicious paging message is required for the UE to receive SIB-1. Then, the attacker overshadows the malicious SIB-1 message. Then the UE generates signaling to the network.

We evaluated the amplification factor of the signaling storm attack. In a normal situation a UE sends about 45 service request messages, corresponding to over 600 signaling messages per hour. A signaling storm using SigOver can generate around 21,000 tracking area requests, corresponding to around 400,000 signaling messages per hour. In summary, the signaling storm can generate 640 times more signaling messages per UE.

The second is a selective DoS attack using SIB-2. In SIB-2 there is a field to prevent access of the UE for effective data service in a disaster situation. If we manipulate this field we can prevent UEs from sending service requests to the base station. Of course we can also adjust the barring time. Furthermore, in the recent specification, the barring service is not only divided into signaling and data but also divided into details such as voice call, video calls, and SMS. Therefore selective DoS is possible. For example, all other services are possible but only the voice service.
It is not available. The selective DoS attack was verified on a Galaxy S9 and succeeded. This attack is also only possible with SigOver. Even if the UE connects to the FBS and receives the wrong SIB-2, the FBS cannot make this attack, because the normal SIB-2 is received again when the UE is connected to the normal base station. Okay, this is the demonstration.

It would be nice to show a video of selective DoS, but it is not ready. So this video is a DoS attack using access barring. The UEs can use normal data services and also voice calls. Okay. After the SigOver attack by the UE

Victim UEs receive malicious paging and SIB-2 messages. And uh, the UE

Normal service is not available, even after the attacker program is terminated. The normal service is not available too. Okay.

The following is an attack using IMSI paging. In the figure on the left, a UE that is normally attached
is released into the idle state by releasing the radio connection when not using LTE data. At this time, if there is a service request for the UE from the network, the base station sends a broadcast paging message to inform the UE. The identifier used at this time is a temporary ID of the UE called GUTI. However, if paging is sent using the unique ID of the UE called IMSI, the UE will disconnect and reattach according to the behavior defined in the standard. This allows a DoS attack on the UE that is using the LTE service.

This is the IMSI paging demo. This is our testbed setup. There are the attacker's PC and USRP. The victim UE receives the voice call. The attacker injects a paging message with the victim's IMSI. Due to the IMSI paging, the voice call is disconnected.

The final attack I will introduce is a fake emergency alert attack. This attack uses SIB-12, which is used for alert systems in normal networks. The process of using CMAS is as follows. Three messages, SIB-1, SIB-12 and paging, are involved in the CMAS process. Based on this process,
the attacker overshadows the SIB-1, SIB-12 and paging messages. For the attack, the victim phone is connected to the legitimate base station and the attacker synchronizes time and frequency with the legitimate base station. This is the fake emergency alert message.

To sum up briefly, we have designed and implemented a signal overshadowing attack using the fundamental weakness of wireless communication. The SigOver attack is more powerful than the FBS attack in terms of power efficiency, and the connection between the UE and the normal base station can perform various attacks. As an example, I showed demonstrations of four attacks. Then what can you do with the unicast injection attack? The answer to this question will be explained in detail by CheolJun.

CheolJun: Hi again and thank you Mincheol. So as Mincheol said, what else can we do with the unicast SigOver injection attack? So when we go back to the fake base station attack, there have been various attacks using fake base stations. As an example of an existing FBS attack, a man-in-the-middle attack can be used for injecting, stealing or eavesdropping on the victim's information.
417 00:30:24,640 --> 00:30:31,270 If the fake base station is not an LTE base station but a 3G or 2G base station, 418 00:30:32,340 --> 00:30:36,450 the attacker can cause greater damage to the victim's privacy. 419 00:30:37,740 --> 00:30:41,160 But actually these attacks are quite limited to use. 420 00:30:42,240 --> 00:30:47,850 These attacks all assumed that the victim is already connected to the fake base station, 421 00:30:48,540 --> 00:30:50,270 but in a static situation, 422 00:30:50,640 --> 00:30:51,770 in order for a UE 423 00:30:52,210 --> 00:30:53,310 to pass over to the 424 00:30:53,480 --> 00:30:54,270 fake base station, 425 00:30:55,020 --> 00:30:58,560 the fake base station signal must be about 40 dB 426 00:30:58,940 --> 00:31:02,360 or 10,000 times larger than the commercial one. 427 00:31:03,040 --> 00:31:04,240 This is because the fake 428 00:31:04,360 --> 00:31:08,500 base station needs to break the current connection between the victim UE 429 00:31:09,010 --> 00:31:10,860 and the legitimate base station. 430 00:31:11,940 --> 00:31:12,770 Operating a 431 00:31:12,770 --> 00:31:16,300 fake base station with a strong signal requires a lot 432 00:31:16,300 --> 00:31:20,060 of resources and increases the chance to be detected. 433 00:31:20,840 --> 00:31:24,670 However, SigOver can solve these limitations: 434 00:31:25,340 --> 00:31:30,890 by injecting unicast messages, the attacker can force victims to attach to the 435 00:31:31,110 --> 00:31:31,760 fake base station. 436 00:31:33,840 --> 00:31:36,550 So, one of the unicast messages, 437 00:31:36,560 --> 00:31:42,260 the RRC connection release message, is a message delivered by the base station to the 438 00:31:42,260 --> 00:31:42,560 UE. 439 00:31:43,640 --> 00:31:47,060 It is used to command the release of an RRC connection. 440 00:31:47,640 --> 00:31:51,270 So when the UE
receives this message, 441 00:31:51,640 --> 00:31:54,550 it will disconnect from the existing connection, 442 00:31:55,740 --> 00:31:59,360 and plus, unicast messages can have additional fields. 443 00:32:01,340 --> 00:32:02,930 One of the additional fields, 444 00:32:02,940 --> 00:32:06,700 the redirectedCarrierInfo field, is used to indicate the 445 00:32:06,700 --> 00:32:09,860 next frequency where the UE shall connect to. 446 00:32:11,040 --> 00:32:17,160 The UE uses this information to select an acceptable base station to camp on. 447 00:32:18,540 --> 00:32:21,710 Also, the redirected frequencies can be not only for 448 00:32:21,710 --> 00:32:24,790 LTE base stations but also for 3G 449 00:32:24,800 --> 00:32:28,050 or 2G base stations, which are more vulnerable. 450 00:32:29,940 --> 00:32:34,860 And the other additional field is the idleModeMobilityControlInfo field. 451 00:32:35,640 --> 00:32:41,460 This field is used to provide dedicated cell selection/reselection priorities. 452 00:32:42,440 --> 00:32:44,860 When the UE searches for the base station, 453 00:32:45,240 --> 00:32:47,550 it does not check all the frequencies. 454 00:32:47,940 --> 00:32:52,710 Instead it checks only selected frequencies, based on the frequency 455 00:32:52,710 --> 00:32:56,850 previously connected or the frequency received from the network. 456 00:32:57,940 --> 00:33:02,950 So we noticed that when the UE is redirected to a 457 00:33:02,950 --> 00:33:07,560 non-searching frequency, the UE did not redirect to that frequency. 458 00:33:08,340 --> 00:33:12,400 However, when a non-searching frequency was 459 00:33:12,410 --> 00:33:15,360 included in the idleModeMobilityControlInfo field, 460 00:33:15,840 --> 00:33:19,950 the UE was redirected, even though it was a new frequency. 461 00:33:22,140 --> 00:33:24,920 The figure actually shows that the UE
462 00:33:24,930 --> 00:33:29,870 is redirected to another base station after receiving an RRC connection release 463 00:33:29,880 --> 00:33:32,800 message with a redirectedCarrierInfo field 464 00:33:32,810 --> 00:33:35,270 and an idleModeMobilityControlInfo field. 465 00:33:36,140 --> 00:33:37,720 You can see that the radio 466 00:33:37,720 --> 00:33:40,880 frequency channel number representing the communication 467 00:33:40,880 --> 00:33:46,460 frequency of the base station has changed from 100 to 2600. 468 00:33:47,240 --> 00:33:48,100 So 469 00:33:48,210 --> 00:33:51,950 if the attacker can inject this message to the victim UE, 470 00:33:53,100 --> 00:33:57,360 the attacker can force the victim UE to move to the fake base station. 471 00:34:00,140 --> 00:34:04,040 In order to inject this RRC connection release message, 472 00:34:04,050 --> 00:34:07,100 injected messages should be decoded on the 473 00:34:07,100 --> 00:34:07,460 UE. 474 00:34:08,340 --> 00:34:09,360 To do this, 475 00:34:09,740 --> 00:34:14,450 more efforts are required than when injecting a broadcast message. 476 00:34:15,240 --> 00:34:15,960 Firstly, 477 00:34:16,340 --> 00:34:18,260 when injecting a broadcast message, 478 00:34:18,640 --> 00:34:23,670 the attacker only had to consider the base station's configuration to inject the message, 479 00:34:24,640 --> 00:34:27,610 but to inject the unicast message, 480 00:34:27,620 --> 00:34:34,650 the attacker also has to consider additional information like UE ID, RNTI, 481 00:34:34,659 --> 00:34:41,260 which is a temporary identifier, sequence number, message format and so on. 482 00:34:42,040 --> 00:34:46,389 Moreover, the message must be set correctly in the right place. 483 00:34:47,340 --> 00:34:50,760 The UE does not decode all the messages over the air, 484 00:34:51,239 --> 00:34:54,360 but only what it needs to decode.
485 00:34:55,340 --> 00:34:59,510 The location of the broadcast message is the common space, and every 486 00:34:59,510 --> 00:35:02,659 UE has to decode the message on the common space, 487 00:35:03,440 --> 00:35:08,960 but the location of the unicast message is a UE-specific space 488 00:35:09,340 --> 00:35:09,969 and 489 00:35:10,639 --> 00:35:13,550 it is determined according to the RNTI. 490 00:35:14,040 --> 00:35:14,760 So 491 00:35:15,230 --> 00:35:19,190 the message should be decoded at the UE-specific space. 492 00:35:20,240 --> 00:35:25,970 With these extra efforts, unicast messages can also be injected via SigOver. 493 00:35:28,440 --> 00:35:29,200 Now, 494 00:35:29,210 --> 00:35:34,050 I will introduce attack scenarios using RRC connection release message injection. 495 00:35:34,840 --> 00:35:35,860 In this attack, 496 00:35:36,240 --> 00:35:41,250 the attacker is assumed to know the IMSI or RNTI of the victim. 497 00:35:42,140 --> 00:35:45,720 We also assume that an attacker is located where he can 498 00:35:45,720 --> 00:35:50,120 hear signals from the legitimate base station, such as the victim 499 00:35:50,120 --> 00:35:50,960 UE. 500 00:35:51,840 --> 00:35:54,560 Attack scenarios can be divided into two. 501 00:35:55,440 --> 00:35:59,670 The first situation is when there is a vulnerability on the device. 502 00:36:00,140 --> 00:36:01,060 In this case, 503 00:36:01,440 --> 00:36:05,060 the attacker needs to know the IMSI or RNTI. 504 00:36:05,840 --> 00:36:09,920 If the victim UE has the vulnerability that accepts 505 00:36:09,930 --> 00:36:14,470 security-unprotected messages even after the security activation, 506 00:36:14,940 --> 00:36:18,050 the attacker can easily inject the unicast message. 507 00:36:18,930 --> 00:36:21,310 We could find this vulnerability while 508 00:36:21,310 --> 00:36:24,960 developing methods to test devices' vulnerability.
509 00:36:26,330 --> 00:36:30,550 The second situation is when there is no vulnerability on the device. 510 00:36:31,230 --> 00:36:32,160 In this case, 511 00:36:32,630 --> 00:36:34,660 the attacker needs to know the IMSI. 512 00:36:35,930 --> 00:36:36,540 Then 513 00:36:36,690 --> 00:36:39,470 the attacker needs to inject the message before the 514 00:36:39,570 --> 00:36:40,750 security activation. 515 00:36:41,730 --> 00:36:45,750 For this attack, there need to be additional technical implementations. 516 00:36:46,230 --> 00:36:49,050 Actually, this implementation is in progress. 517 00:36:51,130 --> 00:36:51,660 Now, 518 00:36:52,030 --> 00:36:56,650 the first scenario is when there is a vulnerability in the UE. 519 00:36:57,730 --> 00:37:02,570 This UE has a vulnerability that receives unprotected messages 520 00:37:02,580 --> 00:37:05,740 even in the presence of a security context. 521 00:37:06,730 --> 00:37:09,570 The victim UE is now connected to the 522 00:37:09,580 --> 00:37:13,960 legitimate network and has finished the security process. 523 00:37:14,930 --> 00:37:21,740 So the victim UE has a security context and it is using normal cellular service. 524 00:37:24,030 --> 00:37:24,660 Then 525 00:37:25,100 --> 00:37:30,250 the attacker injects an unprotected RRC connection release message on the UE. 526 00:37:31,530 --> 00:37:32,960 Due to the vulnerability, 527 00:37:33,330 --> 00:37:34,750 the UE accepts the 528 00:37:34,880 --> 00:37:38,340 security-unprotected RRC connection release message. 529 00:37:38,830 --> 00:37:39,890 Then the 530 00:37:39,890 --> 00:37:44,120 UE disconnects the existing connection and is redirected to the 531 00:37:44,120 --> 00:37:47,950 attacker's fake base station and requests a connection. 532 00:37:51,030 --> 00:37:55,250 The second scenario is when there is no vulnerability on the device. 533 00:37:56,330 --> 00:37:57,280 The victim UE
534 00:37:57,290 --> 00:38:02,960 is now connected to the legitimate network and has finished the security process, 535 00:38:03,730 --> 00:38:06,370 so the victim UE has a security 536 00:38:06,370 --> 00:38:11,350 context and it only accepts security-protected messages. 537 00:38:11,730 --> 00:38:15,960 Thus the attacker cannot inject messages for now. 538 00:38:18,220 --> 00:38:23,870 So the attacker must delete the UE's security context in 539 00:38:23,870 --> 00:38:29,040 order for the victim to receive the attacker's unprotected messages. 540 00:38:29,820 --> 00:38:30,810 To do this, 541 00:38:30,950 --> 00:38:34,650 the attacker injects an IMSI paging message. 542 00:38:35,620 --> 00:38:38,740 According to the 3GPP specification, 543 00:38:39,220 --> 00:38:42,250 when the UE receives the IMSI paging message, 544 00:38:42,620 --> 00:38:45,710 it should immediately terminate all service 545 00:38:45,710 --> 00:38:49,540 sessions and delete parameters including the security key. 546 00:38:50,520 --> 00:38:54,650 So by injecting an IMSI paging message, the attacker 547 00:38:54,650 --> 00:38:58,340 can delete the security context of the victim. 548 00:39:00,620 --> 00:39:03,060 After the UE terminates the existing connection, 549 00:39:03,620 --> 00:39:07,150 it starts over the attach procedure with the base station. 550 00:39:09,420 --> 00:39:12,840 Before the victim UE finishes the security procedure, 551 00:39:13,520 --> 00:39:16,940 the attacker injects an RRC connection release message. 552 00:39:17,620 --> 00:39:20,010 When there is no security context, 553 00:39:20,020 --> 00:39:26,140 the UE is allowed to receive the security-unprotected RRC connection release message. 554 00:39:26,820 --> 00:39:28,180 Therefore the
555 00:39:28,180 --> 00:39:31,790 UE processes the attacker's message and sends a 556 00:39:31,790 --> 00:39:34,740 connection request to the attacker's fake base station. 557 00:39:36,920 --> 00:39:41,820 So far we have introduced attacks that bring target victims to the fake 558 00:39:42,030 --> 00:39:43,040 base stations, 559 00:39:43,820 --> 00:39:50,150 but the existing fake base station attack can bring all the unspecified UEs to it. 560 00:39:51,020 --> 00:39:53,650 From an FBS attacker's point of view, 561 00:39:54,120 --> 00:39:55,300 it may be easier 562 00:39:55,500 --> 00:39:58,340 and better to attach all the UEs around. 563 00:39:59,220 --> 00:39:59,720 Then 564 00:39:59,980 --> 00:40:00,750 we need to know 565 00:40:01,220 --> 00:40:03,830 if this SigOver attack can do the same thing. 566 00:40:06,120 --> 00:40:07,140 In this attack, 567 00:40:07,520 --> 00:40:11,100 the attacker constantly monitors downlink messages from 568 00:40:11,100 --> 00:40:14,350 the commercial base station to acquire the 569 00:40:14,350 --> 00:40:17,240 RNTI from the RRC connection setup message. 570 00:40:18,210 --> 00:40:20,140 Once the attacker gets the 571 00:40:20,140 --> 00:40:23,820 RNTI, the attacker injects the RRC connection release message. 572 00:40:24,610 --> 00:40:29,740 The attacker can repeat the entire process until he brings all the UEs around. 573 00:40:32,810 --> 00:40:36,440 To verify this attack, we used a Galaxy S4. 574 00:40:37,110 --> 00:40:40,350 The Galaxy S4 is one of the vulnerable devices that 575 00:40:40,360 --> 00:40:45,930 receive an unprotected message even in the presence of a security context. 576 00:40:47,110 --> 00:40:49,620 This vulnerability was discovered while 577 00:40:49,620 --> 00:40:52,930 studying methods to test devices' vulnerability. 578 00:40:54,110 --> 00:40:58,710 In this case we could inject an RRC connection release message to the
579 00:40:58,720 --> 00:41:02,140 UE without deleting the security context. 580 00:41:03,210 --> 00:41:05,950 To inject the RRC connection release message, 581 00:41:05,960 --> 00:41:12,830 we used free open source LTE software, srsLTE, and a USRP X310. 582 00:41:14,110 --> 00:41:18,070 When the UE is normally connected to the cellular network, 583 00:41:18,080 --> 00:41:21,920 we injected a crafted message to redirect the victim 584 00:41:21,920 --> 00:41:24,620 UE to the attacker's fake base station's 585 00:41:24,620 --> 00:41:26,640 frequency, 363. 586 00:41:27,510 --> 00:41:27,740 Okay. 587 00:41:29,110 --> 00:41:31,720 The injected message contains the redirectedCarrierInfo 588 00:41:31,720 --> 00:41:34,470 field and the idleModeMobilityControlInfo 589 00:41:34,480 --> 00:41:35,230 field. 590 00:41:36,680 --> 00:41:41,240 The redirectedCarrierInfo field is set to the LTE frequency type 591 00:41:41,610 --> 00:41:43,740 and contains 363, 592 00:41:44,110 --> 00:41:46,140 the frequency of the fake base station. 593 00:41:47,610 --> 00:41:51,320 The idleModeMobilityControlInfo field contains a list 594 00:41:51,320 --> 00:41:55,640 of normal base stations' frequencies and an attacker's frequency. 595 00:41:56,610 --> 00:41:57,440 At this time, 596 00:41:57,810 --> 00:42:02,550 the priority of the attacker's frequency is set to the highest to 597 00:42:02,550 --> 00:42:06,830 ensure that the victim definitely passes over to the fake base station. 598 00:42:08,810 --> 00:42:11,140 Here is the demonstration of the attack. 599 00:42:14,710 --> 00:42:14,940 Mhm. 600 00:42:20,500 --> 00:42:21,730 So at the first time, 601 00:42:23,200 --> 00:42:23,920 the 602 00:42:24,400 --> 00:42:27,320 victim's phone is connected to the legitimate base station 603 00:42:27,700 --> 00:42:28,420 100 604 00:42:29,100 --> 00:42:30,920 and the attacker is operating 605 00:42:31,270 --> 00:42:33,020 base station 363.
606 00:42:35,400 --> 00:42:37,730 Then the attacker injects the message. 607 00:42:44,800 --> 00:42:48,590 And as you could see at the monitor, the signal 608 00:42:48,590 --> 00:42:54,120 was injected and the injected message has the contents as follows. 609 00:42:54,130 --> 00:42:56,620 And this is the same as what I said before. 610 00:43:07,900 --> 00:43:09,650 And then, as you can see at the 611 00:43:09,760 --> 00:43:12,960 base station's monitor, the victim's phone is connected to the 612 00:43:13,100 --> 00:43:13,810 base station. 613 00:43:16,500 --> 00:43:19,920 And if you see the packets during the attack, 614 00:43:21,100 --> 00:43:21,520 you see, 615 00:43:22,100 --> 00:43:24,320 that one is the injected message. 616 00:43:25,100 --> 00:43:29,720 After that, the victim's phone makes a new connection with the fake base station. 617 00:43:30,300 --> 00:43:33,510 So it moved from 100 to 363. 618 00:43:34,200 --> 00:43:39,810 So after this attack we could do anything, like a man-in-the-middle attack and so on. 619 00:43:43,700 --> 00:43:49,120 So in the previous demo, the victim UE was connected to a commercial 620 00:43:49,120 --> 00:43:54,730 base station and then moved to a fake base station that it had never been connected to. 621 00:43:56,000 --> 00:43:58,930 Let's sum up the fake base station attack using SigOver. 622 00:43:59,600 --> 00:44:04,550 First, this attack requires much less power and it's easier than 623 00:44:04,670 --> 00:44:07,010 the traditional fake base station attacks. 624 00:44:07,800 --> 00:44:08,850 As a result, 625 00:44:09,080 --> 00:44:12,570 the chance to be detected decreases and the effective 626 00:44:12,760 --> 00:44:14,120 range increases. 627 00:44:14,900 --> 00:44:19,610 Second, the attacker can choose the victim to move to the fake base station. 628 00:44:20,190 --> 00:44:26,220 Since the attacker injects a unicast message, only the targeted UE is affected.
629 00:44:27,090 --> 00:44:30,380 Therefore the chance to be detected is also reduced, 630 00:44:30,390 --> 00:44:33,500 and it allows the attacker to definitely force the 631 00:44:33,500 --> 00:44:36,300 target to attach to a fake base station. 632 00:44:37,490 --> 00:44:38,210 Finally, 633 00:44:38,590 --> 00:44:39,550 the attacker's fake 634 00:44:39,550 --> 00:44:45,720 base station can be not only an LTE base station but also a 3G or 2G base station. 635 00:44:46,390 --> 00:44:50,330 As the 3G or 2G base stations are more vulnerable, 636 00:44:50,340 --> 00:44:53,610 the attacker can perform more severe attacks. 637 00:44:56,290 --> 00:44:59,460 And now I'm going to talk about some countermeasures, 638 00:44:59,470 --> 00:45:01,810 discussion, conclusion and future works. 639 00:45:02,590 --> 00:45:03,700 For future works, 640 00:45:04,990 --> 00:45:07,950 to make this attack possible for all the UEs, 641 00:45:07,960 --> 00:45:11,220 actually, additional implementations are needed. 642 00:45:11,590 --> 00:45:17,220 First, it should be implemented to find out the identity of the victim using the IMSI. 643 00:45:18,190 --> 00:45:21,700 An attacker can do this by monitoring the RRC connection 644 00:45:21,700 --> 00:45:24,720 setup message after sending the IMSI paging. 645 00:45:26,190 --> 00:45:29,300 Actually it is already possible, but it must 646 00:45:29,310 --> 00:45:32,910 be optimized with injecting techniques in real time. 647 00:45:33,890 --> 00:45:34,840 Second, 648 00:45:34,850 --> 00:45:40,720 it should be implemented to inject the message before the security process ends. 649 00:45:41,290 --> 00:45:46,300 To do this, there is little time to inject messages, as you can see in the figure, 650 00:45:46,690 --> 00:45:49,420 so hardware optimizations are necessary. 651 00:45:50,490 --> 00:45:53,820 Although there are some things that need to be implemented, 652 00:45:53,830 --> 00:45:58,760 we expect that this attack will be possible on every UE
653 00:45:58,770 --> 00:46:01,410 if the hardware is fully optimized. 654 00:46:04,090 --> 00:46:06,910 And for the countermeasures for this attack, 655 00:46:07,690 --> 00:46:10,690 the secure solution against the SigOver attack on 656 00:46:10,690 --> 00:46:13,600 the message is to use a digital signature. 657 00:46:14,390 --> 00:46:15,150 Currently, 658 00:46:15,260 --> 00:46:20,410 only a single injected message can cause a long-term denial of service. 659 00:46:21,380 --> 00:46:25,490 Once the message is protected with a digital signature, 660 00:46:26,280 --> 00:46:29,790 it can prevent the attacks introduced so far. 661 00:46:30,780 --> 00:46:31,340 Plus, 662 00:46:31,470 --> 00:46:33,410 the attack cost would be increased. 663 00:46:34,080 --> 00:46:38,640 This is because the attacker has to inject the wrong message continuously 664 00:46:38,650 --> 00:46:43,100 to cause denial of service in the presence of the digital signature. 665 00:46:44,080 --> 00:46:45,010 Moreover, 666 00:46:45,210 --> 00:46:48,910 it becomes possible to detect the presence of the attack. 667 00:46:50,280 --> 00:46:54,410 Actually, this is possible because from 5G, 668 00:46:54,780 --> 00:46:58,290 the operator's public key will be stored in the USIM. 669 00:46:59,480 --> 00:47:01,220 In fact, 3GPP 670 00:47:01,220 --> 00:47:04,360 is recently studying the FBS problem and the 671 00:47:04,360 --> 00:47:07,910 lack of integrity protection of broadcasting information. 672 00:47:10,180 --> 00:47:14,280 And since Hojin first published the SigOver attack on broadcast messages 673 00:47:14,290 --> 00:47:20,230 last August, we have received many requests to release the 674 00:47:20,240 --> 00:47:22,090 attack code as open source. 675 00:47:22,880 --> 00:47:25,600 However, we have some reasons that we can't.
676 00:47:26,380 --> 00:47:28,530 The first reason is that according to 677 00:47:28,530 --> 00:47:32,660 the GSMA, an organization for cellular carriers, 678 00:47:32,670 --> 00:47:39,300 the GSMA has no objection to any security research being open sourced where 679 00:47:39,680 --> 00:47:45,710 there is a clear security benefit and there is no risk posed to innocent users. 680 00:47:47,230 --> 00:47:51,150 Releasing this code clearly has some security benefits. 681 00:47:51,580 --> 00:47:53,290 However, unfortunately, 682 00:47:53,780 --> 00:47:59,090 the proposed attack can affect a large number of innocent users around. 683 00:47:59,580 --> 00:48:02,910 So it might be hard to release the attack code. 684 00:48:04,180 --> 00:48:06,790 And another reason is the quality of the code. 685 00:48:09,280 --> 00:48:10,800 Thank you. 686 00:48:12,780 --> 00:48:13,120 Mm hmm. 687 00:48:15,090 --> 00:48:15,930 Currently 688 00:48:16,500 --> 00:48:20,400 the code we made is not well organized to make it open source. 689 00:48:23,070 --> 00:48:24,000 In conclusion, 690 00:48:24,370 --> 00:48:29,080 we presented the SigOver attack, physically overwriting specific subframes. 691 00:48:29,670 --> 00:48:35,490 SigOver is a new exploit on an unpatched and insecure channel in the LTE network. 692 00:48:36,570 --> 00:48:39,410 Compared to attacks using fake base stations, 693 00:48:39,440 --> 00:48:42,390 SigOver is way cheaper and stealthier. 694 00:48:43,670 --> 00:48:46,850 Also, we found new attacks on the physical channel. 695 00:48:47,970 --> 00:48:50,140 By injecting broadcast messages, 696 00:48:50,150 --> 00:48:53,150 we could cause denial of service, access 697 00:48:53,150 --> 00:48:57,390 barring, signaling storm and fake emergency alert. 698 00:48:58,370 --> 00:49:01,730 And by injecting a unicast message we could force 699 00:49:01,730 --> 00:49:04,790 a targeted victim to move to the fake base station.
700 00:49:06,070 --> 00:49:06,880 Finally, 701 00:49:07,060 --> 00:49:11,200 I expect this SigOver attack will be used in the wild. 702 00:49:11,970 --> 00:49:12,740 Therefore 703 00:49:12,920 --> 00:49:17,940 not only cellular networks but all the systems based on the cellular networks, 704 00:49:18,350 --> 00:49:21,290 such as vehicle-to-everything, can be affected. 705 00:49:22,570 --> 00:49:27,770 In the future, mobile communication technologies such as 5G and 6G are 706 00:49:27,770 --> 00:49:28,590 developed, 707 00:49:29,270 --> 00:49:32,390 so more secure systems should be made 708 00:49:32,400 --> 00:49:35,200 by considering the security of the physical layer, 709 00:49:35,570 --> 00:49:38,000 which was not considered before. 710 00:49:39,070 --> 00:49:39,900 Therefore, 711 00:49:39,910 --> 00:49:43,190 I strongly suggest 3GPP to use digital 712 00:49:43,190 --> 00:49:47,200 signatures for the physical channel despite its difficulty. 713 00:49:53,770 --> 00:49:54,400 Thank you. 714 00:49:55,070 --> 00:49:58,520 And for the last, we have responsibly disclosed 715 00:49:58,530 --> 00:50:01,400 these attacks to the GSMA and Qualcomm. 716 00:50:03,070 --> 00:50:07,470 Thank you for listening, and if you have any questions please let us know. 717 00:50:07,480 --> 00:50:10,400 And if you have any long questions, 718 00:50:10,400 --> 00:50:13,200 please email us through the emails on the slide. 719 00:50:13,970 --> 00:50:14,590 And 720 00:50:15,170 --> 00:50:20,080 the photo is our lab photo and my supervisor is Yongdae Kim. 721 00:50:20,660 --> 00:50:23,700 Maybe some of you would have heard about him 722 00:50:23,700 --> 00:50:26,550 because he's doing a lot of research about security. 723 00:50:26,550 --> 00:50:26,870 So 724 00:50:27,050 --> 00:50:28,070 anyway, thank you. 725 00:50:29,160 --> 00:50:38,750 Herald: All right, thanks to you two. So far we have around 10 minutes for questions.
726 00:50:38,750 --> 00:50:42,910 So if you have questions for the speakers, please go to one of the room mics. 727 00:50:42,920 --> 00:50:46,380 And while we let you ask your question, 728 00:50:47,560 --> 00:50:49,330 do we already have people lined up? 729 00:50:49,340 --> 00:50:51,330 Let's start with a question from the signal angel. 730 00:50:52,760 --> 00:50:56,310 -- There's one question -- are these methods similar 731 00:50:56,310 --> 00:50:57,310 or the same used 732 00:50:57,310 --> 00:51:03,080 -- by law -- enforcement, and the user mentioned stingray as an example. 733 00:51:06,160 --> 00:51:07,990 Ah, pardon please? 734 00:51:08,760 --> 00:51:11,740 Where, where are you? Can you raise your hands? I can see, okay. 735 00:51:11,750 --> 00:51:14,640 -- How can you see, the -- question is from the internet. So 736 00:51:14,650 --> 00:51:16,970 -- are -- these methods similar? 737 00:51:16,970 --> 00:51:19,380 The same used by the law enforcement, 738 00:51:19,760 --> 00:51:21,980 law enforcement, police. 739 00:51:22,560 --> 00:51:23,970 Yeah, maybe 740 00:51:25,060 --> 00:51:26,080 it might be possible. 741 00:51:26,080 --> 00:51:30,780 But actually, as I know, using the frequency 742 00:51:30,780 --> 00:51:36,220 that legitimate base stations use is already like illegal to use. 743 00:51:36,230 --> 00:51:36,990 So 744 00:51:37,760 --> 00:51:39,990 I think that cannot be the solution. 745 00:51:45,060 --> 00:51:49,980 Alright. I actually don't see anybody yet, but there is one at mic three. Please. 746 00:51:51,060 --> 00:51:56,070 Yes. So you showed us a subframe, what you replaced. 747 00:51:56,860 --> 00:51:58,770 Why can't you hash 748 00:51:59,360 --> 00:52:01,690 the values for integrity? 749 00:52:02,060 --> 00:52:04,340 So the replacements will be kind of hard to do. 750 00:52:05,960 --> 00:52:13,280 Maybe that also can be your problem and solution, but using hash, right? 751 00:52:15,820 --> 00:52:16,690 I said probably.
752 00:52:17,620 --> 00:52:23,210 -- So -- just to check, so the full frame, so if you replace the subframe, 753 00:52:23,330 --> 00:52:25,060 that should be involved. 754 00:52:27,050 --> 00:52:28,960 Yeah, that can be a solution, 755 00:52:28,960 --> 00:52:31,540 but I think we have to think about how 756 00:52:31,540 --> 00:52:36,290 to make a secure connection at the first time. 757 00:52:36,300 --> 00:52:38,480 If we don't have anything between, like, 758 00:52:38,850 --> 00:52:40,770 the UE and the network, 759 00:52:41,250 --> 00:52:45,060 maybe sending some hash also will be a challenge, maybe. 760 00:52:47,150 --> 00:52:49,880 Can that be a solution to your question? 761 00:52:51,500 --> 00:52:51,980 There you go. 762 00:52:52,450 --> 00:52:56,220 -- Yes, so I'm not -- sure if I understood. So, you know that I could 763 00:52:56,220 --> 00:52:56,610 have, 764 00:52:56,620 --> 00:52:57,760 let's say 10 frames, 765 00:52:58,250 --> 00:53:00,170 -- can you replace -- subframe two? 766 00:53:00,750 --> 00:53:01,220 Right, 767 00:53:01,370 --> 00:53:02,370 yep, 768 00:53:02,950 --> 00:53:06,480 -- yes, so if all -- the 10 frames will be hashed, 769 00:53:07,950 --> 00:53:10,540 your replacement will be detected. 770 00:53:11,850 --> 00:53:14,370 Is it possible on multi level 771 00:53:15,660 --> 00:53:18,690 -- to change the -- standard to have some hashing or integrity? 772 00:53:20,450 --> 00:53:22,470 Yeah, maybe that will be possible, 773 00:53:22,470 --> 00:53:30,980 but I think we need another way to transfer the hash value to check the connection. 774 00:53:31,550 --> 00:53:34,480 Well, I think that can also be another solution. 775 00:53:37,650 --> 00:53:39,520 Alright, let's go to mic one.
776 00:53:41,050 --> 00:53:44,680 -- Um, I would like to know if you know what -- your personal 777 00:53:44,680 --> 00:53:46,160 opinion and feeling 778 00:53:46,160 --> 00:53:49,410 -- is, um, if this will -- be mitigated 779 00:53:49,420 --> 00:53:51,970 -- by the vendors and the standard -- bodies. 780 00:53:53,850 --> 00:53:55,320 I mean, will they fix it? 781 00:53:56,450 --> 00:53:58,070 Ah, in the future. Right. 782 00:53:58,950 --> 00:54:01,990 -- Of course. In the future, they cannot fix it in -- the past. Right? 783 00:54:02,210 --> 00:54:03,870 Yeah, so 784 00:54:05,150 --> 00:54:07,550 maybe as I said before, 785 00:54:07,560 --> 00:54:10,120 like GSMA is already like considering these 786 00:54:10,120 --> 00:54:13,270 attacks and they have some regular meetings. 787 00:54:13,650 --> 00:54:19,560 Maybe the last meeting was in Nevada in November. And maybe in the future they will, 788 00:54:20,150 --> 00:54:21,880 but not for now. So 789 00:54:23,150 --> 00:54:24,070 maybe you have to ask 790 00:54:24,450 --> 00:54:26,670 if there is any person from 3GPP. 791 00:54:29,150 --> 00:54:29,570 Okay. 792 00:54:30,050 --> 00:54:31,760 Okay. Alright. Thanks. 793 00:54:32,610 --> 00:54:36,380 Does the signal angel have any other questions? No. 794 00:54:37,350 --> 00:54:41,740 -- Then I think this concludes the question and answer section. Thanks -- again. 795 00:54:41,750 --> 00:54:42,380 Thank you. 796 00:54:43,450 --> 00:54:44,160 Yeah. 798 00:54:56,050 --> 00:54:59,370 Yeah. 799 00:55:00,650 --> 00:55:00,880 Okay. 800 00:55:01,450 --> 00:55:01,680 Thank you. 803 00:55:10,350 --> 00:55:10,680 Okay.