research-article

New privacy issues in mobile telephony: fix and verification

Authors:

Myrto Arapinis,

Loretta Mancini,

Kevin Redon, and

Ravishankar BorgaonkarAuthors Info & Claims

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

October 2012

Pages 205 - 216

https://doi.org/10.1145/2382196.2382221

Published: 16 October 2012 Publication History

Abstract

Mobile telephony equipment is daily carried by billions of subscribers everywhere they go. Avoiding linkability of subscribers by third parties, and protecting the privacy of those subscribers is one of the goals of mobile telecommunication protocols. We use formal methods to model and analyse the security properties of 3G protocols. We expose two novel threats to the user privacy in 3G telephony systems, which make it possible to trace and identify mobile telephony subscribers, and we demonstrate the feasibility of a low cost implementation of these attacks. We propose fixes to these privacy issues, which also take into account and solve other privacy attacks known from the literature. We successfully prove that our privacy-friendly fixes satisfy the desired unlinkability and anonymity properties using the automatic verification tool ProVerif.

References

[1]

http://www.pathintelligence.com. Path Intelligence Ltd. (2010) FootPath.

[2]

http://www.markryan.eu/research/UMTS/.

[3]

3GPP. Technical specification group services and system aspects; 3G security; formal analysis of the 3G authentication protocol (release 4). Technical Report TR 33.902, V4.0.0, 3rd Generation Partnership Project, 2001.

[4]

3GPP. Generic Access Network (GAN); Mobile GAN interface layer 3 specification. Technical Specification TS 44.318 v9.2.0, 3rd Generation Partnership Project, 2010.

[5]

3GPP. Generic Access Network (GAN); Stage 2. Technical Specification TS 43.318 v9.0.0, 3rd Generation Partnership Project, 2010.

[6]

3GPP. Technical specification group services and system aspects; 3G security; security architecture (release 9). Technical Report TS 33.102 V9.3.0, 3rd Generation Partnership Project, 2010.

[7]

3GPP. Security of Home Node B (HNB) / Home evolved Node B (HeNB). Technical Specification TS 33.302 v11.2.0, 3rd Generation Partnership Project, 2011.

[8]

3GPP. Technical specification group services and system aspects; 3G security; cryptographic algorithm requirements (release 10). Technical Report TS 33.105 V10.0.0, 3rd Generation Partnership Project, 2011.

[9]

M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL, 2001.

Digital Library

[10]

Z. Ahmadian, S. Salimi, and A. Salahi. New attacks on UMTS network access. In Conference on Wireless Telecommunications Symposium, WTS'09, 2009.

Digital Library

[11]

M. Arapinis, T. Chothia, E. Ritter, and M. Ryan. Analysing unlinkability and anonymity using the applied pi calculus. In IEEE Computer Security Foundations Symposium, CSF, 2010.

Digital Library

[12]

A. Armando, R. Carbone, L. Compagna, J. Cuellar, and M. L. Tobarra. Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps. In ACM Workshop on Formal Methods in Security Engineering, FMSE, 2008.

Digital Library

[13]

G. Avoine and P. Oechslin. RFID Traceability: A Multilayer Problem. In Financial Cryptography, FC, 2005.

Digital Library

[14]

M. Barbaro and T. Zeller Jr. A face is exposed for AOL searcher no. 4417749. The New York Times, August 9, 2006.

[15]

B. Blanchet. Proverif: Cryptographic protocol verifier in the formal model. http://www.proverif.ens.fr/.

[16]

M. Bortolozzo, M. Centenaro, R. Focardi, and G. Steel. Attacking and fixing PKCS#11 security tokens. In ACM Conference on Computer and Communications Security, CCS, 2010.

Digital Library

[17]

C. Caldwell. A pass on privacy? The New York Times, July 17, 2005.

[18]

I. Cervesato, A. D. Jaggard, A. Scedrov, J.-K. Tsay, and C. Walstad. Breaking and fixing public-key kerberos. Inf. Comput., 206:402--424, February 2008.

Digital Library

[19]

D. Burgess et al. OpenBTS. http://openbts.sourceforge.net/.

[20]

N. H. Denis Foo Kune, John Koelndorfer and Y. Kim. Location leaks over the gsm air interface. In Annual Network & Distributed System Security Symposium, NDSS, 2012.

[21]

Ettus. USRP. http://www.ettus.com/products, 2009.

[22]

D. Fox. IMSI-Catcher. Datenschutz und Datensicherheit (DuD), 21:539--539, 1997.

[23]

N. Golde, K. Redon, and R. Borgaonkar. Weaponizing femtocells: The effect of rogue devices on mobile telecommunications. In Annual Network & Distributed System Security Symposium, NDSS, 2012.

[24]

D. Goodin. Defects in e-passports allow real-time tracking. The Register, 26th January 2010.

[25]

Kineto Wireless Inc. official Unlicensed Mobile Access presentation webiste. http://www.smart-wi-fi.com/, June 2010.

[26]

G. Koien and V. Oleshchuk. Location privacy for cellular systems; analysis and solution. In Privacy Enhancing Technologies Symposium, volume 3856, 2006.

Digital Library

[27]

G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using fdr. In Tools and Algorithms for the Construction and Analysis of Systems, TACAS, 1996.

Digital Library

[28]

U. Meyer and S. Wetzel. A man-in-the-middle attack on UMTS. In ACM Workshop on Wireless Security, WiSe, 2004.

Digital Library

[29]

K. Nohl and S. Munaut. Wideband gsm sniffing. http://events.ccc.de/congress/2010/Fahrplan/attachments/1783_101228.27C3.GSM-Sniffing.Nohl_Munaut.pdf.

[30]

openBSC Project. GSM Network at 28C3. http://events.ccc.de/congress/2011/wiki/GSM#GSM_Network_at_28C3, December 2011.

[31]

C. Paget. Practical cellphone spying. Def Con 18 Hacking Conference, 2010.

[32]

D. Strobel. IMSI Catcher, 2007. Seminar Work, Ruhr-Universitat Bochum.

[33]

H. Welte, H. Freyther, D. Spaar, S. Schmidt, D. Willmann, J. Luebbe, T. Seiler, and A. Eversberg. OpenBSC. http://openbsc.osmocom.org.

[34]

H. Welte, S. Munaut, A. Eversberg, and other contributors. OsmocomBB. http://bb.osmocom.org.

[35]

J. Zhang and G. de la Roche. Femtocells: Technologies and Deployment. John Wiley & Sons, Ltd, 2009.

Digital Library

[36]

M. Zhang and Y. Fang. Security analysis and enhancements of 3GPP authentication and key agreement protocol. IEEE Transactions on Wireless Communications, 4(2):734--742, 2005.

Digital Library

Cited By

Pacherkar HYan GKim YKim JKoushanfar FRasmussen K(2024)PROV5GC: Hardening 5G Core Network Security with Attack Detection and Attribution Based on Provenance GraphsProceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3643833.3656129(254-264)Online publication date: 27-May-2024
https://dl.acm.org/doi/10.1145/3643833.3656129
Rossi Figlarz GPassuelo Hessel F(2024)Enhancing the 5G-AKA Protocol with Post-quantum Digital Signature MethodAdvanced Information Networking and Applications10.1007/978-3-031-57916-5_9(99-110)Online publication date: 9-Apr-2024
https://doi.org/10.1007/978-3-031-57916-5_9
Chen YTang DYao YZha MWang XLiu XTang HLiu BCalandrino JTroncoso C(2023)Sherlock on specsProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620435(3529-3545)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620435
Show More Cited By

Index Terms

New privacy issues in mobile telephony: fix and verification
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Formal software verification
  2. Software organization and properties
    1. Software functional properties
      1. Formal methods

Recommendations

Analysis of privacy in mobile telephony systems

We present a thorough experimental and formal analysis of users' privacy in mobile telephony systems. In particular, we experimentally analyse the use of pseudonyms and point out weak deployed policies leading to some critical scenarios which make it ...
Read More
An Unlinkable Anonymous Payment Scheme based on near field communication

Display Omitted We propose an anonymous mobile payment protocol to protect users' privacy.Using anonymizing schemes to improve anonymity and unlinkability in a mobile transaction.Users can use mobile phones with NFC to perform commercial transactions. A ...
Read More
The security of EPC Gen2 compliant RFID protocols
ACNS'08: Proceedings of the 6th international conference on Applied cryptography and network security

The increased functionality of EPC Class1 Gen2 (EPCGen2) is making this standard the de facto specification for inexpensive tags in the RFID industry. EPCGen2 supports only very basic security tools such as a 16-bit Pseudo-Random Number Generator and a ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

October 2012

1088 pages

ISBN:9781450316514

DOI:10.1145/2382196

General Chair:
Ting Yu
North Carolina State University, USA
,
Program Chairs:
George Danezis
Microsoft Research Cambridge, UK
,
Virgil Gligor
Carnegie Mellon University, USA

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 16 October 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'12

Sponsor:

SIGSAC

CCS'12: the ACM Conference on Computer and Communications Security

October 16 - 18, 2012

North Carolina, Raleigh, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

105
Total Citations
View Citations
1,242
Total Downloads

Downloads (Last 12 months)72
Downloads (Last 6 weeks)3

Other Metrics

View Author Metrics

Citations

Cited By

Pacherkar HYan GKim YKim JKoushanfar FRasmussen K(2024)PROV5GC: Hardening 5G Core Network Security with Attack Detection and Attribution Based on Provenance GraphsProceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3643833.3656129(254-264)Online publication date: 27-May-2024
https://dl.acm.org/doi/10.1145/3643833.3656129
Rossi Figlarz GPassuelo Hessel F(2024)Enhancing the 5G-AKA Protocol with Post-quantum Digital Signature MethodAdvanced Information Networking and Applications10.1007/978-3-031-57916-5_9(99-110)Online publication date: 9-Apr-2024
https://doi.org/10.1007/978-3-031-57916-5_9
Chen YTang DYao YZha MWang XLiu XTang HLiu BCalandrino JTroncoso C(2023)Sherlock on specsProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620435(3529-3545)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620435
Zhu YLiu CYou WZhang YZhang W(2023)A Business Process-Based Security Enhancement Scheme for the Network Function Service Access Procedure in the 5G Core NetworkElectronics10.3390/electronics1203057612:3(576)Online publication date: 23-Jan-2023
https://doi.org/10.3390/electronics12030576
Fei YZhu HYin J(2023)FVF-AKA: A Formal Verification Framework of AKA Protocols for Multi-server IoTFormal Aspects of Computing10.1145/359973135:4(1-36)Online publication date: 25-May-2023
https://dl.acm.org/doi/10.1145/3599731
Lu XYang FZou LLio PHui P(2023)An LTE Authentication and Key Agreement Protocol Based on the ECC Self-Certified Public KeyIEEE/ACM Transactions on Networking10.1109/TNET.2022.320736031:3(1101-1116)Online publication date: Jun-2023
https://doi.org/10.1109/TNET.2022.3207360
Intoci FSturm JFraunholz DPyrgelis ABarschel C(2023)P3LI5: Practical and confidEntial Lawful Interception on the 5G core2023 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS59707.2023.10288872(1-9)Online publication date: 2-Oct-2023
https://doi.org/10.1109/CNS59707.2023.10288872
Fei TWang W(2023)The vulnerability and enhancement of AKA protocol for mobile authentication in LTE/5G networksComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2023.109685228:COnline publication date: 1-Jun-2023
https://dl.acm.org/doi/10.1016/j.comnet.2023.109685
Cui JCheng FZhong HZhang QGu CLiu L(2023)Multi-factor based session secret key agreement for the Industrial Internet of ThingsAd Hoc Networks10.1016/j.adhoc.2022.102997138(102997)Online publication date: Jan-2023
https://doi.org/10.1016/j.adhoc.2022.102997
Naga Nithin G(2023)An Efficient and Secure Mechanism for Ubiquitous Sustainable Computing SystemInternet of Things. Advances in Information and Communication Technology10.1007/978-3-031-45882-8_12(160-175)Online publication date: 26-Oct-2023
https://doi.org/10.1007/978-3-031-45882-8_12
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents