New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols

Abstract: Mobile communications are used by more than two-thirds of the world population, who expect security and privacy guarantees. The 3rd Generation Partnership Project (3GPP), responsible for the worldwide standardization of mobile communication, has designed and mandated the use of the AKA protocol to protect the subscribers’ mobile services. Even though privacy was a requirement, numerous subscriber location attacks have been demonstrated against AKA, some of which have been fixed or mitigated in the enhanced AKA protocol designed for 5G. In this paper, we reveal a new privacy attack against all variants of the AKA protocol, including 5G AKA, that breaches subscriber privacy more severely than known location privacy attacks do. Our attack exploits a new logical vulnerability we uncovered that would require dedicated fixes. We demonstrate the practical feasibility of our attack using low-cost and widely available setups. Finally, we conduct a security analysis of the vulnerability and discuss countermeasures to remedy our attack.
