More Web Proxy on the site http://driver.im/

research-article

Defeating IMSI Catchers

Authors:

Fabian van den Broek,

Joeri de RuiterAuthors Info & Claims

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Pages 340 - 351

https://doi.org/10.1145/2810103.2813615

Published: 12 October 2015 Publication History

Abstract

IMSI catching is a problem on all generations of mobile telecommunication networks, i.e., 2G (GSM, GPRS), 3G (HDSPA, EDGE, UMTS) and 4G (LTE, LTE+). Currently, the SIM card of a mobile phone has to reveal its identity over an insecure plaintext transmission, before encryption is enabled. This identifier (the IMSI) can be intercepted by adversaries that mount a passive or active attack. Such identity exposure attacks are commonly referred to as 'IMSI catching'. Since the IMSI is uniquely identifying, unauthorized exposure can lead to various location privacy attacks. We propose a solution, which essentially replaces the IMSIs with changing pseudonyms that are only identifiable by the home network of the SIM's own network provider. Consequently, these pseudonyms are unlinkable by intermediate network providers and malicious adversaries, and therefore mitigate both passive and active attacks, which we also formally verified using ProVerif. Our solution is compatible with the current specifications of the mobile standards and therefore requires no change in the infrastructure or any of the already massively deployed network equipment. The proposed method only requires limited changes to the SIM and the authentication server, both of which are under control of the user's network provider. Therefore, any individual (virtual) provider that distributes SIM cards and controls its own authentication server can deploy a more privacy friendly mobile network that is resilient against IMSI catching attacks.

References

[1]

Sebastian Kay Belle, Oliver Haase, and Marcel Waldvogel. Callforge: Call anonymity in cellular networks. Technical report, 2010.

[2]

Sangmin Lee, Edmund L Wong, Deepak Goel, Mike Dahlin, and Vitaly Shmatikov. A platform for privacy-preserving apps. In NSDI, 2013.

Digital Library

[3]

Elad Barkan, Eli Biham, and Nathan Keller. Instant ciphertext-only cryptanalysis of GSM encrypted communication. In CRYPTO 2003, volume 2729/2003. Springer Berlin / Heidelberg, 2003.

[4]

Fabian van den Broek and Ronny Wichers Schreur. Femtocell Security in Theory and Practice. In Secure IT Systems, volume 8208 of LNCS, pages 183--198. Springer Berlin Heidelberg, 2013.

Digital Library

[5]

Craig Timberg for The Washington Post. Tech firm tries to pull back curtain on surveillance efforts in washington. http://wapo.st/1qgzImt. Last accessed May 2015.

[6]

Craig Timberg for The Washington Post. Feds to study illegal use of spy gear. http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/11/feds-to-study-illegal-use-of-spy-gear/. Last accessed May 2015.

[7]

Siraj Datoo for The Guardian. How tracking customers in-store will soon be the norm. http://gu.com/p/3ym4v/sbl. Last accessed May 2015.

[8]

Stuart Owen Goldman, Richard E Krock, Karl F Rauscher, and James Philip Runyon. Mobile forced premature detonation of improvised explosive devices via wireless phone signaling. US Patent 7552670, June 30 2009.

[9]

Michael Böck. Simulation chamber and method for setting off explosive charges contained in freight in a controlled manner. US Patent 14345697, September 19 2012.

[10]

Kadhim Shubber for Wired magazine. Tracking devices hidden in London's recycling bins are stalking your smartphone. http://www.wired.co.uk/news/archive/2013-08/09/recycling-bins-are-watching-you. Last accessed May 2015.

[11]

Daehyun Strobel. IMSI catcher. Chair for Communication Security, Ruhr-Universit\"at Bochum, page 14, 2007.

[12]

Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. Weaponizing femtocells: the effect of roque devices on mobile telecommunication. In NDSS 2012. The Internet Society, 2012.

[13]

Ulrike Meyer and Susanne Wetzel. A man-in-the-middle attack on UMTS. In The 3rd ACM workshop on Wireless security. ACM, 2004.

Digital Library

[14]

ETSI. Digital cellular telecommunications system (Phase 2+); Mobile radio interface layer 3 specification, 1998. EN 300 940 / GSM 04.08.

[15]

ETSI. Universal Mobile Telecommunications System (UMTS);LTE;Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3, 2015. 3GPP TS 24.301 version 12.7.0 Release 12.

[16]

ETSI. Digital cellular telecommunications system (Phase 2+);UMTS;LTE;3G security;Security architecture, 2013. 3GPP TS 33.102 version 11.5.0 Release 11.

[17]

Myrto Arapinis, Loretta Ilaria Mancini, Eike Ritter, and Mark Ryan. Privacy through pseudonymity in mobile telephony systems. In NDSS, 2014.

[18]

PUB FIPS. Advanced encryption standard (AES). National Institute for Standards and Technology (NIST), 197(1), 2001.

[19]

Andrey Bogdanov, Lars R Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew JB Robshaw, Yannick Seurin, and Charlotte Vikkelsoe. PRESENT: An ultra-lightweight block cipher. In CHES 2007, volume 4727 of LNCS. Springer-Verlag, 2007.

Digital Library

[20]

Christophe De Canniere, Orr Dunkelman, and Miroslav Knezević. KATAN and KTANTAN - A family of small and efficient hardware-oriented block ciphers. In CHES 2009, volume 5747 of LNCS. Springer-Verlag, 2009.

Digital Library

[21]

Morris Dworkin. Recommendation for block cipher modes of operation: The CMAC mode for authentication. NIST Special Publication (800--38B), 38B:1--25, 2005.

[22]

PUB FIPS. The keyed-hash message authentication code (hmac). National Institute for Standards and Technology (NIST), 1:1--13, 2008.

[23]

PUB FIPS. Secure hash algorithm-3 (SHA-3) standard: Permutation-based hash and extendable-output functions. National Institute for Standards and Technology (NIST), 202(0), 2014.

[24]

ETSI. Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm specification, 2014. (3GPP TS 35.206 version 12.0.0 Release 12).

[25]

ETSI. Digital cellular telecommunications system (Phase 2+);Universal Mobile Telecommunications System (UMTS);LTE;Mobile radio interface Layer 3 specification;Core network protocols; Stage 3, 2015. (3GPP TS 24.008 version 12.8.0 Release 12).

[26]

ETSI. Universal Mobile Telecommunications System (UMTS); Formal Analysis of the 3G Authentication Protocol, 2001. 3GPP TR 33.902 version 4.0.0, Release 4.

[27]

Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: fix and verification. In CCS '12. ACM, 2012.

Digital Library

[28]

Jaap-Henk Hoepman, Engelbert Hubbers, Bart Jacobs, Martijn Oostdijk, and Ronny Wichers Schreur. Crossing borders: Security and privacy issues of the european e-passport. In Advances in Information and Computer Security, volume 4266 of LNCS, pages 152--167. Springer Berlin Heidelberg, 2006.

Digital Library

[29]

Yong Ki Lee, Lejla Batina, and Ingrid Verbauwhede. Privacy challenges in rfid systems. In The Internet of Things. Springer New York, 2010.

[30]

Latanya Sweeney. K-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(05):557--570, 2002.

Digital Library

[31]

TSB - Telecommunication Standardization Bureau of ITU. Mobile Network Codes (MNC) for the international identification plan for public networks and subscriptions, 2014. (According to Recommendation ITU-T E.212 (05/2008))(Postition on 15 July 2014).

[32]

David P Jablon. Strong password-only authenticated key exchange. ACM SIGCOMM Computer Communication Review, 26(5):5--26, 1996.

Digital Library

[33]

Elad Barkan and Eli Biham. Conditional Estimators: An Effective Attack on A5/1, pages 1--19. Springer Berlin / Heidelberg, 2005.

Digital Library

[34]

Alex Biryukov, Adi Shamir, and David Wagner. Real time cryptanalysis of A5/1 on a PC. In Fast Software Encryption (FSE 2000), pages 1--18. Springer Berlin / Heidelberg, 2000.

Digital Library

[35]

Marc Briceno, Ian Goldberg, and David Wagner. A pedagogical implementation of the GSM A5/1 and A5/2 "voice privacy" encryption algorithms. http://cryptome.org/gsm-a512.htm (originally on www.scard.org), 1999. Last accessed April 2014.

[36]

Fabian van den Broek. Eavesdropping on GSM: state-of-affairs. In 5th Benelux Workshop on Information and System Security (WISSec 2010), November 2010.

[37]

Ian Goldberg and Marc Briceno. GSM cloning. http://www.isaac.cs.berkeley.edu/isaac/gsm.html.

[38]

Bruno Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In 14th Computer Security Foundations Workshop. IEEE, 2001.

Digital Library

[39]

Bruno Blanchet, Martín Abadi, and Cédric Fournet. Automated Verification of Selected Equivalences for Security Protocols. In 20th IEEE Symposium on Logic in Computer Science (LICS 2005). IEEE, 2005.

Digital Library

[40]

Danny Dolev and Andrew C. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198--208, 1983.

Digital Library

[41]

Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, and Edgar Weippl. Imsi-catch me if you can: Imsi-catcher-catchers. In Proceedings of the 30th Annual Computer Security Applications Conference, pages 246--255. ACM, 2014.

Digital Library

[42]

SR Labs. Snoopsnitch website. https://opensource.srlabs.de/projects/snoopsnitch. Last accessed February 2014.

[43]

Changhee Hahn, Hyunsoo Kwon, Daeyoung Kim, Kyungtae Kang, and Junbeom Hur. A privacy threat in 4th generation mobile telephony and its countermeasure. In Wireless Algorithms, Systems, and Applications, volume 8491 of LNCS. Springer, 2014.

Digital Library

Cited By

Sobrinho ÁVilarim MBarbosa ACandeia Gurjão EF. S. Santos DValadares DDias da Silva L(2024)Challenges and Opportunities in Mobile Network Security for Vertical Applications: A SurveyACM Computing Surveys10.1145/369644657:2(1-36)Online publication date: 21-Sep-2024
https://dl.acm.org/doi/10.1145/3696446
Eleftherakis SOtim TSantaromita GZayas AGiustiniano DKourtellis NGanesan DLane NShi W(2024)Demystifying Privacy in 5G Stand Alone NetworksProceedings of the 30th Annual International Conference on Mobile Computing and Networking10.1145/3636534.3690696(1330-1345)Online publication date: 4-Dec-2024
https://dl.acm.org/doi/10.1145/3636534.3690696
Richter YDanieli ELevi IRichter R(2024)A Taxonomy of Multi-Modal Cyber Radio Frequency (CRF) Mitigation Based on Passive Geo-Location and Hardware Characteristics2024 IEEE International Conference on Microwaves, Communications, Antennas, Biomedical Engineering and Electronic Systems (COMCAS)10.1109/COMCAS58210.2024.10666202(1-6)Online publication date: 9-Jul-2024
https://doi.org/10.1109/COMCAS58210.2024.10666202
Show More Cited By

Index Terms

Defeating IMSI Catchers
1. Security and privacy
  1. Human and societal aspects of security and privacy
  2. Network security
2. Social and professional topics
  1. Computing / technology policy
    1. Privacy policies

Recommendations

Trashing IMSI catchers in mobile networks
WiSec '17: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks

We address the decades-old privacy problem of disclosure of the permanent subscriber identity (IMSI) that makes IMSI catchers a real threat to all generations of mobile networks. A number of possible modifications to existing protocols have been ...
Anatomy of Commercial IMSI Catchers and Detectors
WPES'19: Proceedings of the 18th ACM Workshop on Privacy in the Electronic Society

IMSI catchers threaten the privacy of mobile phone users by identifying and tracking them. Commercial IMSI catcher products exploit vulnerabilities in cellular network security standards to lure nearby mobile devices. Commercial IMSI catcher's technical ...
Protecting IMSI and User Privacy in 5G Networks
MobiMedia '16: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications

In recent years, many cases of compromising users' privacy in telecom networks have been reported. Stories of "fake" base stations capable of tracking users and collecting their personal data without users' knowledge have emerged. The current way of ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

October 2015

1750 pages

ISBN:9781450338325

DOI:10.1145/2810103

General Chair:
Indrajit Ray
Colorado State University, USA
,
Program Chairs:
Ninghui Li
Purdue University, USA
,
Christopher Kruegel
University of California, Santa Barbara, USA

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'15

Sponsor:

SIGSAC

CCS'15: The 22nd ACM Conference on Computer and Communications Security

October 12 - 16, 2015

Colorado, Denver, USA

Acceptance Rates

CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

46
Total Citations
View Citations
1,049
Total Downloads

Downloads (Last 12 months)46
Downloads (Last 6 weeks)6

Reflects downloads up to 13 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Sobrinho ÁVilarim MBarbosa ACandeia Gurjão EF. S. Santos DValadares DDias da Silva L(2024)Challenges and Opportunities in Mobile Network Security for Vertical Applications: A SurveyACM Computing Surveys10.1145/369644657:2(1-36)Online publication date: 21-Sep-2024
https://dl.acm.org/doi/10.1145/3696446
Eleftherakis SOtim TSantaromita GZayas AGiustiniano DKourtellis NGanesan DLane NShi W(2024)Demystifying Privacy in 5G Stand Alone NetworksProceedings of the 30th Annual International Conference on Mobile Computing and Networking10.1145/3636534.3690696(1330-1345)Online publication date: 4-Dec-2024
https://dl.acm.org/doi/10.1145/3636534.3690696
Richter YDanieli ELevi IRichter R(2024)A Taxonomy of Multi-Modal Cyber Radio Frequency (CRF) Mitigation Based on Passive Geo-Location and Hardware Characteristics2024 IEEE International Conference on Microwaves, Communications, Antennas, Biomedical Engineering and Electronic Systems (COMCAS)10.1109/COMCAS58210.2024.10666202(1-6)Online publication date: 9-Jul-2024
https://doi.org/10.1109/COMCAS58210.2024.10666202
Sowjanya KPal PVerma ADas BSaha DBaswade ALall B(2024)SUPI-Rear: Privacy-Preserving Subscription Permanent Identification Strategy in 5G-AKAStabilization, Safety, and Security of Distributed Systems10.1007/978-3-031-74498-3_22(307-321)Online publication date: 20-Oct-2024
https://doi.org/10.1007/978-3-031-74498-3_22
Fei YZhu HYin J(2023)FVF-AKA: A Formal Verification Framework of AKA Protocols for Multi-server IoTFormal Aspects of Computing10.1145/359973135:4(1-36)Online publication date: 25-May-2023
https://dl.acm.org/doi/10.1145/3599731
Baek JSoundrapandian PKyung SWang RShoshitaishvili YDoupé AAhn G(2023)Targeted Privacy Attacks by Fingerprinting Mobile Apps in LTE Radio Layer2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58367.2023.00035(261-273)Online publication date: Jun-2023
https://doi.org/10.1109/DSN58367.2023.00035
Huang WDu HFeng JHan GZhang W(2023)A dynamic anonymous authentication scheme with trusted fog computing in V2G networksJournal of Information Security and Applications10.1016/j.jisa.2023.10364879(103648)Online publication date: Dec-2023
https://doi.org/10.1016/j.jisa.2023.103648
Fei TWang W(2023)The vulnerability and enhancement of AKA protocol for mobile authentication in LTE/5G networksComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2023.109685228:COnline publication date: 1-Jun-2023
https://dl.acm.org/doi/10.1016/j.comnet.2023.109685
de Carvalho Macedo LCampista M(2023)Attacks to mobile networks using SS7 vulnerabilities: a real traffic analysisTelecommunication Systems10.1007/s11235-023-01018-083:3(253-265)Online publication date: 16-May-2023
https://doi.org/10.1007/s11235-023-01018-0
Abdel Hakeem SHussein HKim H(2022)Security Requirements and Challenges of 6G Technologies and ApplicationsSensors10.3390/s2205196922:5(1969)Online publication date: 2-Mar-2022
https://doi.org/10.3390/s22051969
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents