Proceedings on Privacy Enhancing Technologies 2019

Ravishankar Borgaonkar, Lucca Hirschi∗, Shinjo Park, and Altaf Shaik

New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols

Ravishankar Borgaonkar: SINTEF Digital, Norway.
Lucca Hirschi∗: Inria & LORIA, France.
Shinjo Park: Technische Universität Berlin, Germany.
Altaf Shaik: Technische Universität, Berlin, Germany.

Abstract: Mobile communications are used by more than two-thirds of the world population who expect security and privacy guarantees. The 3rd Generation Partnership Project (3GPP) responsible for the worldwide standardization of mobile communication has designed and mandated the use of the AKA protocol to protect the subscribers' mobile services. Even though privacy was a requirement, numerous subscriber location attacks have been demonstrated against AKA, some of which have been fixed or mitigated in the enhanced AKA protocol designed for 5G. In this paper, we reveal a new privacy attack against all variants of the AKA protocol, including 5G AKA, that breaches subscriber privacy more severely than known location privacy attacks do. Our attack exploits a new logical vulnerability we uncovered that would require dedicated fixes. We demonstrate the practical feasibility of our attack using low cost and widely available setups. Finally we conduct a security analysis of the vulnerability and discuss countermeasures to remedy our attack.

1 Introduction

As of 2018, around 5 billion mobile subscribers equipped with Universal Subscriber Identity Module cards (USIM) are accessing cellular network services (e.g., Internet, calls), mostly relying on 3G or 4G technologies [1] (e.g., ca. 75% of connections in Europe and North America). With the growing importance of cellular network services in our daily activities, there is a crucial need to provide security and privacy protection to mobile subscribers.

The 3rd Generation Partnership Project (3GPP) group, responsible for the standardization of 3G, 4G, and 5G technologies, designed the Authentication and Key Agreement (AKA) protocol that aims at mutually authenticating a phone equipped with a USIM card with networks, and establishing keys to protect subsequent communications. This protocol is notably implemented in all 3G and 4G USIM cards and cellular networks worldwide. For 5G, the 3GPP has standardized 5G AKA, an enhanced version of AKA [2]. In addition, AKA is also used in Extensible Authentication Protocol (EAP) mechanisms (e.g., EAP-AKA, EPS-AKA, EPS-AKA') to secure point-to-point protocol authentication methods, wireless LAN internetworking, and generic authentication architectures including generic solutions for securing HTTP based services [3, 4]. In a nutshell, AKA is a challenge-response protocol mainly based on symmetric cryptography and a sequence number (SQN) to verify the freshness of challenges, preventing replay attacks.

While privacy was an explicit requirement for 3G and 4G [5, 6], numerous fake base station attacks have been shown to compromise subscriber privacy in these networks [7–15]. The fake base station attacks typically exploit weaknesses in the AKA protocol such as the non-protected identity request mechanism (e.g., with IMSI-catchers [9–15]) and the privacy-leak resulting from authentication failure messages [7, 8]. In practice, those attacks break subscriber location privacy: an attacker can identify if certain subscribers are in the range of attacker's fake base stations. For 5G, the 3GPP has improved AKA in order to mitigate these well-known privacy issues [2]. The 5G AKA protocol notably introduces randomized asymmetric encryption for protecting identifiers sent prior to authentication.

Contributions. In this paper, we reveal a new privacy attack against all variants of the AKA protocol (including 5G AKA and EAP variants) that breaches subscribers' privacy more severely than known location privacy attacks do. Our attack exploits a new logical vulnerability we uncovered in the protocol specification that would require dedicated fixes. More precisely, we make the following contributions:

1. New logical vulnerability and privacy attacks on AKA. We found a new logical vulnerability
in the specifications of all aforementioned variants of AKA: the protection mechanism of the SQN can be defeated under specific replay attacks due to its use of Exclusive-OR (XOR) and a lack of randomness. We show how to leverage this vulnerability to break the confidentiality of SQN, thus defeating the purpose of a dedicated protection mechanism and breaking an explicit privacy requirement [6]. We show that partly learning SQN leads to a new class of privacy attacks (i.e., activity monitoring attacks): an active attacker can leverage fake base stations and our attack to learn information about targeted subscribers' mobile service consumption, even when subscribers move away from the attack area (e.g., range of a fake base station). This is in stark contrast to location attacks that do not reveal service consumption and require the targeted subscribers to stay in attack areas. Less importantly, we show that our logical vulnerability also yields a new location attack.

2. Low-cost proof of concept. We demonstrate the feasibility of our attack using widely available and low-cost setup on commercial 4G networks in several European countries. Our attack affects all 3G and 4G devices currently deployed all over the world and future 5G devices (according to the specification [2]).

3. Security analysis and countermeasures. We discuss the weaknesses of the AKA protocol, its deployment, design trade-offs, and the overall cellular architecture that have made possible our attack in order to draw lessons for the future generation networks. We propose countermeasures to our attack and establish formal security guarantees using the state-of-the-art tool Tamarin [16].

Impact. Unlike the previously known location privacy attacks [7–15], we disclose a new type of privacy attack enabling subscriber activity monitoring. We now discuss subsequent impacts of our attack. First, an attacker can learn 3G, 4G, and 5G subscribers' typical activity patterns (e.g., number of calls, SMSs sent in a given time). We stress that those activity patterns can be monitored remotely for a long time even if, most of the time, subscribers move away from the attack areas. We followed the responsible disclosure procedure and reported our findings to the 3GPP, GSM Association (GSMA), several manufacturers (Ericsson, Nokia, and Huawei), and carriers (Deutsche Telekom and Vodafone UK). Our findings were acknowledged by the 3GPP and GSMA and remedial actions are underway to improve the protocol for the next generations. Finally, while 5G AKA will suffer from our attack in the first deployment of 5G (i.e., Release 15 [2], phase 1), we are still hopeful that 5G AKA could be fixed before the deployment of the second phase (Release 16, to be completed by the end of 2019).

Outline. In Section 2, we explain the general cellular security architecture and the core protocol underlying all AKA protocol variants. Section 3 presents our new logical vulnerability breaking the confidentiality of SQN. In Section 4, we show how the latter can be exploited to mount activity monitoring and location attacks and discuss practical impact. In Section 5, we show feasibility of our attacks in real 4G networks. We conduct a security analysis in Section 6 and provide potential countermeasures in Section 7. We conclude in Section 8.

2 Background

We first give a high-level overview of the security architecture used in 3G, 4G, and 5G networks and explain how mobile subscribers are authenticated to the network using the AKA protocol. We then describe the different privacy requirements of 3G, 4G, and 5G networks outlined in the 3GPP specification. We conclude with a discussion on threat models, previously known attacks against the AKA protocol, formerly proposed fixes, and a comparison with our attack.

2.1 Security Architecture and the AKA Protocol

We describe a simplified view of the security architecture deployed in cellular networks and focus on the parts that are necessary to understand our attack. We also slightly simplify our description of the AKA protocol for the sake of clarity and only focus on the core protocol which is common to all the AKA protocol variants. Further, we adopt a simplified terminology since the official terminology heavily depends on the generation. We refer the knowledgeable reader to Appendix A where an informal correspondence with standardized terminologies for the different generations is given.

2.1.1 Architecture

The cellular network architecture mainly consists of three components. First, User Equipments (UEs) are carried by subscribers (we shall use both terms alternatively) and are typically smartphones or IoT devices
containing a USIM card. Second, Home Networks (HNs) contain a database of their subscribers and their corresponding USIM cards and are in charge of their authentication. However, it is often the case that UEs are in locations where their corresponding HN has no base station (i.e., antennas that may connect UEs to the network). Therefore, the architecture also considers a third entity: the Serving Networks (SN) to which UEs may attach and that play the role of relays to HNs.

Each UE contains a USIM having cryptographic capabilities (e.g., symmetric encryption, MAC) which notably stores:
– a unique and permanent subscriber identity, called International Mobile Subscriber Identity (IMSI),
– a unique, permanent secret symmetric key that we indicate as $K_{IMSI}$ (used as a shared secret between a UE and its corresponding HN),
– and a 48-bit counter, called Sequence Number that we denote as SQN (used as replay protection, as explained later in this section).

Parties: User Equipment (UE), holding $K$, IMSI, $SQN_{UE}$; Serving Network (SN); Home Network (HN), holding $K$, IMSI, $SQN_{HN}$.
1. SN → UE: ID_Req
2. UE → SN: ID_Resp, ID; SN → HN: ID
3. HN computes: new random $R$; $AK \leftarrow f5(R, K)$; $MAC \leftarrow f1(\langle SQN_{HN}, R \rangle, K)$; $CONC \leftarrow SQN_{HN} \oplus AK$; $AUTN \leftarrow \langle CONC, MAC \rangle$; $CK, IK \leftarrow f3(R, K), f4(R, K)$; $xRES \leftarrow f2(R, K)$; $SQN_{HN} \leftarrow SQN_{HN} + 1$
4. HN → SN: $R$, xRES, CK, IK, AUTN; SN → UE: Auth_Req, $R$, AUTN
5. UE computes: $\langle xCONC, xMAC \rangle \leftarrow AUTN$; $AK \leftarrow f5(R, K)$; $xSQN_{HN} \leftarrow AK \oplus xCONC$; $MAC \leftarrow f1(\langle xSQN_{HN}, R \rangle, K)$; CHECK (i) $xMAC = MAC$ and (ii) $SQN_{UE} < xSQN_{HN} < SQN_{UE} + \Delta$
6. If (i) and (ii): the UE computes $SQN_{UE} \leftarrow xSQN_{HN}$; $RES \leftarrow f2(R, K)$; $xCK, xIK \leftarrow f3(R, K), f4(R, K)$; UE → SN: Auth_Resp, RES; SN: if RES complies with xRES then continue
7. If ¬(i): UE → SN: Mac_Failure
8. If (i) and ¬(ii): the UE computes $MAC^* \leftarrow f1^*(\langle SQN_{UE}, R \rangle, K)$; $AK^* \leftarrow f5^*(R, K)$; $CONC^* \leftarrow SQN_{UE} \oplus AK^*$; $AUTS \leftarrow \langle CONC^*, MAC^* \rangle$; UE → SN: Sync_Failure, AUTS
Fig. 1. The AKA protocol. $K$ denotes $K_{IMSI}$.
The HN associated with some USIM card stores the same information in its database. When the context is clear, we use $K$ to refer to $K_{IMSI}$.

2.1.2 The AKA Protocol

When a UE attaches to a SN (or when UE requests access to a service such as sending an SMS or making a call), it needs to establish a secure channel with the SN (ensuring confidentiality of the user data) after authenticating itself to its corresponding HN (mainly for billing purposes) and authenticating its HN (so that fake SN cannot establish such a channel and break confidentiality). To do so, 3GPP has standardized the AKA protocol (the only authentication method allowed for 3G, 4G and 5G for 3GPP access). While this protocol has evolved with each generation [2, 6, 17], its core specification remained the same. We shall only focus on this core protocol that already suffers from our attack.

The AKA protocol achieves mutual authentication and key exchange between a UE and its corresponding HN, relying on some SN that is known by the HN. It allows some UE and SN to establish session keys to be used to secure subsequent communications (e.g., integrity and confidentiality of calls or SMSs). As mentioned before, the key $K_{IMSI}$ is used as a long-term shared secret, and SQN is used as replay protection for the UE. While SQN is expected to be synchronized between the UE and HN, it may become out-of-sync. We thus use $SQN_{UE}$ (resp. $SQN_{HN}$) to refer to the SQN value stored in the UE (resp. HN). The AKA protocol is made up of 3 main phases: identification, challenge-response, and re-synchronization procedure (that is optional and aims at updating SQN on the HN side in case SQN is out-of-sync). The whole protocol flow with message specifications is depicted in Figure 1, which uses the same notations as in this section.

Identification. First, the SN identifies the UE. If the current UE's identity is unknown to the SN, it may ask for the permanent identity IMSI (or an encryption thereof in 5G) by sending an Identity Request message. The UE then gives its identity in an Identity Response message. This identity enables the SN to request authentication material from the appropriate HN in the next phase. In 5G, UE never reveals its permanent identity in plaintext. It rather sends the randomized encryption thereof, protected with the HN's public key, along with the HN's identity (forming the so-called SUCI [2]).

Challenge-response. Upon reception of a request for authentication material from a SN, the HN computes an authentication challenge made of a random nonce $R$ and some message AUTN. In addition, the expected authentication response $xRES = f2(R, K_{IMSI})$ – computed using $f2$ described below –, the encryption key CK, and the integrity key IK are also computed by HN (but not sent by SN to UE). Note that, in 5G, the message xRES has a slightly different form; this has no impact on our attack.

The functions $f1$–$f5$, $f1^*$, and $f5^*$, used to compute the authentication parameters, are one-way keyed cryptographic functions completely unrelated¹, and $\oplus$ denotes the eXclusive-OR (XOR) operator.

AUTN contains a MAC (Message Authentication Code) of the concatenation of $R$ with the corresponding sequence number $SQN_{HN}$ stored for this subscriber. A new sequence number is generated by an increment of the counter. The sequence number $SQN_{HN}$ allows the UE to verify the freshness of the authentication request to defend against replay attacks and the MAC proves the authenticity of the challenge. However, $SQN_{HN}$ is not transmitted in clear text to avoid being eavesdropped on. Thus, the specification requires SQN to be concealed; i.e., XORed with a value, called Anonymity Key, that should remain private: $AK = f5(R, K_{IMSI})$. Formally, the concealed value, also included in AUTN, is as follows: $CONC = SQN_{HN} \oplus AK$ and allows the UE to extract $SQN_{HN}$ by computing AK.

The UE replies with an Authentication Response message when the authentication is successful, or Authentication Failure message with the cause of failure otherwise. To check whether authentication is successful or not, the UE extracts $SQN_{HN}$ from AUTN and checks that: (i) MAC is a correct MAC value w.r.t. $K_{IMSI}$, replies Mac_failure if it is not the case; (ii) the authentication request is fresh (i.e., $xSQN_{HN} > SQN_{UE}$ and $xSQN_{HN} < SQN_{UE} + \Delta$), replies Sync_failure, AUTS otherwise (AUTS is explained next). The quantity $\Delta$ is a threshold that is fixed according to an availability vs. security trade-off. If all checks hold then the UE computes the ciphering key CK and the integrity key IK and stores them to secure subsequent messages. It also computes the authentication response RES and sends it to the SN using Authentication Response message. Only RES is included in the message, other computed values

¹ Even though the specifications are not clear about the requirements of those functions [2, 6, 17], Milenage [18] and TUAK [19] schemes are used in practice, which are based on block ciphers.
like CK and IK are not transmitted. The SN authenticates the UE by verifying whether the received response matches with xRES. If so, the AKA protocol is successfully completed and subsequent communications can be secured using the secret keys IK and CK.

Re-synchronization procedure. In case of a synchronization failure (case (i) and ¬(ii)), the UE replies with Sync_failure, AUTS. The AUTS message's purpose is to allow the HN to re-synchronize with the UE by replacing its own $SQN_{HN}$ by the sequence number of the UE (i.e., $SQN_{UE} + 1$). For reasons explained above, $SQN_{UE}$ is concealed: $CONC^* = SQN_{UE} \oplus AK^*$ where $AK^* = f5^*(R, K_{IMSI})$. Finally, $AUTS = \langle CONC^*, MAC^* \rangle$ where $MAC^* = f1^*(K_{IMSI}, (SQN_{UE}, R))$ allowing the HN to authenticate this message as coming from the intended UE.

2.2 Privacy Requirements

The 3G and 4G specifications consider user identity and location confidentiality, and user untraceability as explicit privacy requirements [6, 17]. Privacy was even more of a critical security goal in the design of 5G, as acknowledged by the standard:

[20]: “Subscription privacy deals with various aspects related to the protection of subscribers’ personal information, e.g., identifiers, location, data, etc. [...] The subscription privacy is very important area for Next Generation system as can be seen by the growing attention towards it, both inside and outside [3GPP].”

We also emphasize that SQN is considered to be privacy-sensitive, and must be protected (i.e., remain confidential) by the AKA protocol:

[6]: “[AK∗] is an anonymity key used to conceal the sequence number as the latter may expose the identity and location of the user.”

More recently, a 3GPP study on privacy explains that:

[21]: “[AKA] is an example of how to fulfill anonymity: [...] Anonymizing technique used: use Anonymity Key in the Authentication Token to conceal (blind) the sequence number.”

As we shall see, our attack defeats the purpose of the anonymity key $AK^*$.

2.2.1 Threat Model

While designing the AKA protocol in the year 2000, fake base stations were considered expensive in terms of required financial resources and the attacker's capabilities. However, such fake base stations can now be easily built using e.g., widely available hardware [22] or even WiFi technology [23]. Therefore, in our security analysis, we consider both passive and active attacker models for 3G, 4G, and 5G networks.

Passive. The passive adversary can sniff over-the-air radio broadcast channels using dedicated hardware and software (as described in Section 5). Note that he does not need to know any key material used in the authentication procedure.

Active. In addition, the active adversary has the capability to set up and operate a rogue base station to inject malicious traffic towards UEs. To achieve this, we assume he knows the protocol specification. However, we do not assume he knows any cryptographic keys.

2.3 Related Work on AKA and Known Flaws

There are numerous known attacks against the AKA protocol that were often described for older generation cellular networks but are still inherited in 4G networks due to the support of legacy systems and re-use of the same core protocol from AKA.

Identity Requests and IMSI-catchers. The first kind of attacks relies on the unprotected identity request mechanism that is broadcast over-the-air and is often termed as IMSI-catchers.

In a nutshell, an active attacker can easily broadcast an identity request to all the UEs in the area. Consequently, the UEs will reply with their permanent identities; this flaw is commonly exploited in IMSI catcher attacks [9–12] to track subscribers in certain geographical areas. Even though UEs may use temporary identities, a passive attacker can find a correlation between them and social identities [9] (including Facebook, Twitter, or phone number).

Several studies cover research on how to secure unprotected messages carrying identity requests by additional cryptographic mechanisms [7, 24, 25]. More importantly, in order to comply with the new stronger privacy protection requirement in 5G, 3GPP has modified the identity request phase of the AKA protocol. As mentioned earlier, the UE sends its permanent identity protected by randomized, asymmetric encryption using the HN's public key, in such a way that the SNs or fake base stations only learn the underlying HN.
Therefore, the aforementioned IMSI-catcher attacks will be defeated in 5G.

However, note that, even after fixing these vulnerable messages (including the fix in 5G phase 1 [2]), our attack re-introduces new subscriber privacy risks since it does not rely on this identification phase.

Linkability of failure messages. A few other attacks [7, 8] exploit the fact that the AKA protocol exposes to the attacker the reason for the failure when an authentication is rejected by a UE: either Mac_Failure or Sync_Failure. This allows tracking a targeted UE: it suffices to replay an old authentication challenge that UE has already received and then observe whether the reply is Mac_Failure (not the targeted UE) or Sync_Failure (only replied by the targeted UE). Again, our attack does not rely on distinguishing between the two sources of failure and cannot be prevented by fixing this issue alone (e.g., by merging the two sources of failure into a single message).

[Figure 2, two panels, each showing the HN (holding SQN), serving networks $SN_a$, $SN_b$, $SN_c$, the UE, the attacker, a safe area and an attack area.]
(a) When the UE is in the attack area, it was known that it may be subject to tracking, location attack, and monitoring attacks.
(b) UEs were supposed to be safe when outside of attack areas. This is no longer the case due to our attack as UEs' activities in that area will partially leak when they re-enter an attack area.
Fig. 2. Privacy threats depend on the UE's location depicted with a dot. Attacker's fake base station (resp. genuine base station) is depicted with a cross (resp. box). Independently from the UE's location, the UE's activities have an effect on SQN stored at the HN.

2.4 Comparisons Between Existing Attacks and our Attack

First, as explained in Section 2.3, our attack relies on a different logical vulnerability that is completely orthogonal to the attack vectors of prior, known attacks (i.e., unprotected identities and linkability of failure messages). Therefore, our attack would require different and dedicated fixes.

Second, our attack poses a new kind of threat on privacy as it allows an attacker to learn subscribers' mobile services consumption patterns. In contrast, prior privacy attacks only leak the presence of targeted UEs in attack areas.

Third, our attack can break subscribers' privacy even when they escape attack areas. Indeed, recall that we consider a threat model for which attackers may exploit a limited number of fake base stations deployed at specific locations; typically busy crossing points (e.g., subway or train stations, airports), targeted offices (e.g., nearby embassies), or places visited on a regular basis by targeted UEs (e.g., shops). With prior attacks, there were two very different situations (depicted in Figure 2):
– if the targeted UE is outside the range of attacker's base stations (e.g., at home), then the UE is completely safe: no fake base station-based attacks could break the subscriber's privacy (situation shown in Figure 2b);
– otherwise, the subscriber may be subject to location attacks or monitoring attacks (i.e., attacker may eavesdrop on communication between UE and $SN_c$ to learn when UE consumes services) (situation depicted in Figure 2a).

Therefore, even though the UEs may be attacked when in the range of attacker's fake base stations, as soon as they escape such (a priori narrow) areas, they were safe.

This is unfortunately no longer the case as our attack introduces a totally new threat on privacy. Indeed, even when UEs are using mobile services outside the attack area, part of this activity may be leaked to some adversary using our attack the next time the UE enters again the attack area. Intuitively, this is because, independently of its location, the UE's activity has an effect on the counter SQN stored in the HN that will be leaked when the UE is (actively) under attack (we extensively
discuss impacts on privacy in Section 4). We call this new kind of threat activity monitoring attacks. Hence, areas outside fake base stations range are no longer safe.

3 Logical Attack

In this section, we reveal the main attack vector based on a new logical vulnerability (Section 3.1) that can be exploited to mount an attack breaking the confidentiality of SQN (Section 3.2).

3.1 Logical Vulnerability

Our attack vector exploits a lack of randomness and the use of XOR in AUTS, more precisely in the concealed sequence number $CONC^* = SQN_{UE} \oplus AK^*$ where $AK^* = f5^*(R, K_{IMSI})$. The value $R$ is extracted from the challenge $R, AUTN$ received by the UE. Therefore, if the UE receives two times the same challenge $R, AUTN$ and yields two synchronization failures, then the two concealed SQNs will be of the form: $CONC^*_1 = SQN^1_{UE} \oplus AK^*_1$ and $CONC^*_2 = SQN^2_{UE} \oplus AK^*_2$ such that $AK^*_1 = f5^*(R, K_{IMSI}) = AK^*_2$.

Therefore, an attacker having a genuine challenge $R, AUTN$ for some UE can transmit it to the UE at two different times $t_1$ and $t_2$, retrieve values $CONC^*_1$ and $CONC^*_2$, and compute:

$$CONC^*_1 \oplus CONC^*_2 = (SQN^1_{UE} \oplus AK^*_1) \oplus (SQN^2_{UE} \oplus AK^*_2) = SQN^1_{UE} \oplus SQN^2_{UE}$$

where $SQN^i_{UE}$ is the value $SQN_{UE}$ at time $t_i$. We show in the next section that by cleverly choosing several timestamps $t_i$'s, the attacker is able to exploit values such as $SQN^i_{UE} \oplus SQN^j_{UE}$ to break the confidentiality of SQN.

3.2 Breaking the Confidentiality of SQN

We show how an active attacker who knows any UE's identity (temporary, permanent, or encrypted) is then able to learn the $n$ least significant bits of $SQN_{HN}$, stored in the HN. The attacker first fetches $2^n+2$ successive, fresh, authentication challenges intended for the targeted UE and replays a total of $2(n+2)$ of them to the UE. The interaction is depicted in Figure 3. The attack ends with an offline computation using algo(⋅) which takes fetched AUTS messages as inputs and returns the $n$ least significant bits of the sequence number $SQN_{HN}$.

In a nutshell, the attack consists in choosing appropriate injections and timestamps $t_i$ such that the attacker can retrieve values $\delta_i = SQN_{HN} \oplus (SQN_{HN} + 2^i)$ for $1 \le i \le n$ (see Section 3.2.1). We then explain (Section 3.2.2) how one can infer from the $\delta_i$'s the $n$ least significant bits of $SQN_{HN}$. Finally, we also show that under certain circumstances (i.e., when the UE is performing a lot of authentication sessions when in the attack area), a far less costly variant of the attack (only $n+2$ injections) achieves the same goal (Section 3.2.3).

We describe the attack and our inference algorithm when the HN increments $SQN_{HN}$ by 1 after each successful authentication as described in Section 2. Our attack works for any such increment; the interaction is always the same and we designed a generic algo(⋅) parametrized by the increment used by the operator. However, for the sake of clarity, we only describe here our attack and our generic algorithm for an increment equal to 1. We describe the full algorithm in Appendix B. Note that the full algorithm might actually infer more than $n$ bits for some inputs; we report on practical results of this algorithm in Section 5.

3.2.1 Fetching Data

In a first phase (loop for $i = 0$ to $2^n$ from Figure 3), the attacker needs to fetch consecutive challenges $R_i, AUTN_i$ intended for the targeted UE. This is made possible by the fact that, in the AKA protocol, UE receives such challenges prior to authentication but after identification. Therefore, an attacker only needs to know one valid identity of the targeted UE (e.g., IMSI, temporary identifiers such as TMSI, or encrypted permanent identities such as SUCI) in order to (partly) impersonate the UE to the SN (and the corresponding HN) and get those challenges. We will explain in Section 5 how this can be easily done in practice. Note that because $SQN_{HN}$ is incremented by 1 after the computation of every challenge, $R_i, AUTN_i$ is computed based on some SQN value (that we denote by $SQN_{HN}(AUTN_i)$) equal to $SQN^0_{HN} + i$.

Immediately after the first phase, the attacker injects the first challenge he obtained: $R_0, AUTN_0$. From the UE's perspective, this is a genuine challenge (the MAC verification (i) succeeds) that has never been received before and that is based on a recent enough $SQN_{HN}(AUTN_0) = SQN^0_{HN}$ (the freshness verification
(ii) succeeds). At this time (before the second loop), $SQN_{UE}$ equals $SQN^0_{HN} + 1$. Then, the attacker injects again the challenge $R_0, AUTN_0$ yielding a synchronization failure containing some $AUTS' = \langle c', MAC^* \rangle$ message where the concealed SQN equals:

$$c' = (SQN^0_{HN} + 1) \oplus f5^*(R_0, K_{IMSI}).$$

In the last phase (loop for $j = 0$ to $n$ from Figure 3), the attacker injects $R_{2^j}, AUTN_{2^j}$ that is accepted by the UE, in order to make the UE update its $SQN_{UE}$ to the value

$$SQN_{UE} := SQN_{HN}(AUTN_{2^j}) + 1 = SQN^0_{HN} + 2^j + 1.$$

After each such injection, the attacker then injects again the challenge $R_0, AUTN_0$ provoking a synchronization failure containing some $AUTS_j = \langle c_j, MAC^*_j \rangle$ where:

$$c_j = (SQN^0_{HN} + 2^j + 1) \oplus f5^*(R_0, K_{IMSI}).$$

3.2.2 Inference Algorithm

We now describe algo(⋅) that takes the $n+2$ fetched AUTS messages (i.e., $c', c_j$ for $0 \le j \le n$) as inputs and outputs the $n$ least significant bits of $1 + SQN^0_{HN}$. Recall that $c' = (1 + SQN^0_{HN}) \oplus f5^*(R_0, K_{IMSI})$ and $c_j = (1 + SQN^0_{HN} + 2^j) \oplus f5^*(R_0, K_{IMSI})$. Therefore, for any $0 \le j \le n$, it holds that:

$$c' \oplus c_j = (1 + SQN^0_{HN}) \oplus (2^j + 1 + SQN^0_{HN}).$$

We note $\delta_i$ the quantity $c' \oplus c_i$. One has that $\delta_i = (2^i + X) \oplus X$ for all $0 \le i \le n$ where $X = 1 + SQN^0_{HN}$ is the quantity we seek to infer the $n$ least significant bits of. In a nutshell, the idea of the algorithm consists in analyzing how remainders propagate in $(2^i + X)$ at bit position $i$ and $i+1$ (in little-endian notation) by looking at $\delta_i$. Considering $X$ and $\delta_i$ as arrays of 48 bits in little-endian, we describe the algorithm in Algorithm 1 that, given the $\delta_i$'s, infers $n$ bits of $X$. Note that this algorithm can be executed completely offline on the collected data.

Algorithm 1: SQN Inference Algorithm

    Data: δ_i = (2^i + X) ⊕ X for 0 ≤ i ≤ n (in little-endian), n < 48
    Result: Res: n least significant bits of X (in little-endian)
    Res ← [0, 0, ..., 0]                      // size n
    for i from 0 to n−1 do
        // Let's analyze δ_i at bit positions i, i+1
        (b1, b2) ← (δ_i[i], δ_i[i+1])
        if (b1, b2) == (1, 0) then
            // no remainder propagates when adding 2^i to X
            Res[i] ← 0
        elif (b1, b2) == (1, 1) then
            // a remainder propagates when adding 2^i to X
            Res[i] ← 1
        else                                  // cannot happen
            Error
    end
    return (Res)

3.2.3 Improving the Attack Under Stronger Threat Model

When the targeted UE stays a long time in the attack area or intensely consumes mobile services (triggering a lot of AKA authentication sessions), the attacker has a simpler way to break the confidentiality of SQN. This kind of scenario is realistic when the attack areas are e.g., offices where targeted UEs stay most of the day but expect to be safe when being outside attack areas (e.g., at home).

Essentially, instead of fetching the challenges $R_i, AUTN_i$ and injecting the challenges that are accepted by the UE (i.e., $R_0, AUTN_0$ and then $R_{2^j}, AUTN_{2^j}$ for $0 \le j \le n$), the attacker can let the UE attach to any genuine SN and let it receive challenges and complete the AKA sessions. The attacker just passively eavesdrops on the exchanged messages, notably the challenges, and counts the number of successful authentications. However, the attacker still needs to (actively) replay the challenge $R_0, AUTN_0$ at appropriate times; more precisely, after the UE received the genuine challenge $(R_0, AUTN_0)$ and then challenges $(R_{2^j}, AUTN_{2^j})$ for $0 \le j \le n$. This variant is far less costly: it only requires passive attacking capabilities and $n+2$ additional (active) injections.

3.2.4 Variants for Other SQN Policies

According to non-normative parts of the specification [6], SQN and its update policy can take different forms. We briefly explain how our attack can be easily adapted for those variants. We refer to Appendix C for more details.

SQN can be composed of two components $SQN = SEQ \| IND$ where SEQ is a 43 bits long integer that
NewPrivacyThreaton3G,4GandUpcoming5GAKAProtocols 9
User Equipment - UE Attacker Network (SN+HN)
kIMSI,IMSI,SQNUE ID KIMSI,IMSI,SQN0HN
fori=0to2n:
ID
Ri,[...],AUTNi
[...]
SQN ←SQN +1
HN HN
=SQN0 +(i+1)
HN
Auth_Req,R0,AUTN0
Auth_Resp,RES0
Auth_Req,R0,AUTN0
Sync_Failure,AUTS′
forj=0ton:
Auth_Req,R2j,AUTN2j
Auth_Resp,RESj
Auth_Req,R0,AUTN0
Sync_Failure,AUTSj
[1+SQN0HN]n←algo(AUTS′,{AUTSj}0≤j≤n)
Fig.3.SequenceNumberInferenceAttack(whereSQN0 istheinitialSQN forIMSI storedintheHN and[X]n denotesthenleast
HN
significantbitsofX).
counts all past AKA sessions and IND is a 5 bits long bits of SQN at different times t ,t ,... We explain in
1 2
index that describes the SN for which the given SEQ is Section 4.1 how the attacker can then relate this in-
valid.Whensuchapolicyisinuse,onecanuseaslightly formation to the number of AKA sessions subscribers
different variant of our attack: (i) injections of authen- have made between times t ,t ,.... Next, we show how
1 2
ticationchallengesshouldbedonewhileusingthesame the attacker can relate the number of AKA sessions
SN identifier towards the UE and the same SN while some UE has performed in a given period of time to its
fetching authentication tokens, and (ii) the algorithm typical service consumption during that period.
used to infer bits should drop the 5 bits of SQN corre- Therefore, the attacker learns the typical service
sponding to IND. This allows the attacker to break the consumption of targeted subscribers between times
counter part of SQN, namely SEQ; leading to the same t ,t ,... even if such subscribers escape the attack area
1 2
privacy attacks explained in the next section. most of the time (i.e., in between times t ). Please re-
i
fer to Section 5 for practical aspects of the attack (e.g.,
number of bits of SQN that can be inferred). We il-
4 Attacks on Privacy lustrate this new threat by giving some illustrations of
practical attack scenarios (Section 4.2). We conclude in
Section4.3withavariantofourattackthatcouldyield
We now explain how one can leverage the attack pre-
locationattacksinavariantofAKAthatfixpreviously
sented in Section 3 to break subscribers’ privacy by
known privacy attacks which is notably relevant in the
conducting an activity monitoring attack. As explained
context of the in-progress standardization of 5G AKA,
in Section 2.4, this new class of attacks allows an at-
phase 2.
tacker to monitor targeted subscribers’ activity, even
forperiodswheresubscribersescapetheattackarea(see
Figure 2b).
In a nutshell, the attacker needs to conduct the
previously described attack when targeted subscribers
are in the attack area, thereby learning n significant
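To make concrete what the leaked bits do and do not reveal, the following added example (not code from the paper) lists every session count consistent with two observations of the n low-order SQN bits, for a plain counter or for the SEQ || IND policy of Section 3.2.4. The function names, the `max_sessions` bound and the sample values are assumptions made for illustration; the per-authentication increment is a parameter, discussed in Section 4.1.

```python
"""Added illustration: what leaked low-order SQN bits say about activity."""

IND_BITS = 5  # width of IND under the SEQ || IND policy (Section 3.2.4)


def counter_part(low_bits, n, seq_ind_policy=False):
    """Return (value, width) of the session-counter bits inside an n-bit leak."""
    if not 0 <= low_bits < (1 << n):
        raise ValueError("observation does not fit in n bits")
    if not seq_ind_policy:
        return low_bits, n
    if n <= IND_BITS:
        raise ValueError("a leak of 5 bits or fewer only covers IND")
    # SQN = SEQ || IND: the 5 lowest bits are the SN index, not the counter.
    return low_bits >> IND_BITS, n - IND_BITS


def session_candidates(obs_t1, obs_t2, n, *, increment=1,
                       seq_ind_policy=False, max_sessions=1000):
    """List every session count k <= max_sessions consistent with two leaks.

    Only `width` counter bits are known, so the counter growth is known
    modulo 2**width, and the count depends on the assumed increment.
    """
    v1, width = counter_part(obs_t1, n, seq_ind_policy)
    v2, _ = counter_part(obs_t2, n, seq_ind_policy)
    modulus = 1 << width
    delta = (v2 - v1) % modulus  # counter growth between the two times
    return [k for k in range(max_sessions + 1)
            if (k * increment) % modulus == delta]


if __name__ == "__main__":
    # Constructed observations: 10 leaked bits, counter wrapped past 1023.
    print(session_candidates(1018, 4, 10, max_sessions=2000))  # [10, 1034]
    # The same growth of 20 read with two different increments.
    print(session_candidates(0, 20, 10, increment=5, max_sessions=100))
    print(session_candidates(0, 20, 10, increment=10, max_sessions=100))
    # SEQ || IND policy: 12 leaked bits = 7 counter bits + 5 IND bits.
    t1 = (100 << IND_BITS) | 3
    t2 = ((137 % 128) << IND_BITS) | 3
    print(session_candidates(t1, t2, 12, seq_ind_policy=True, max_sessions=200))
```

The length of the returned list is the residual ambiguity: fewer leaked counter bits or a longer gap between observations means more candidate counts.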
4.1 Relating SQN Increases to Activity Patterns

We first need to learn the value that is added to SQN after each successful authentication. The conclusion of our practical investigations (see Section 5) is that this value is 1 for all tested operators. This value is needed because equal differences of SQN could result from different operations: if the victim SQN had been increased by 20, it could be the result of either 4 increases of 5 (4 authentications) or 2 increases of 10 (2 authentications). We found how much SQN increases upon authentication for several operators by running the algorithm algo() for several values of the increment and keeping the value yielding noError (see Algorithm 1). We stress that this has to be done just once for a given operator.

Next, in order to relate information about the number of AKA sessions of a victim with the victim's activity, we have to exploit the fixed authentication policies discussed in Section 5.2 (i.e., which user's activities trigger an authentication and thus an AKA session). Because of the different operator configurations, authentication may or may not happen on each SN network attach, call or reception/sending of SMSs. As a result, we also analyzed how frequently authentication is performed by analyzing signaling messages during repeated attach procedure (by calling or sending SMSs). We found that there are small variations in authentication frequency among operators but, for most of them, an authentication was required for each outgoing call and sent SMS. Despite those variations, one can easily infer the fixed policy for some operator, once for all, by inspecting signaling messages e.g., on her own phone.

We leave as future work the task of doing a comprehensive review of existing policies.

4.2 Examples of Practical Scenarios

We now illustrate the potential real-life impacts of our activity monitoring attack with two practical scenarios.

Spying on embassy officials, journalists, or any high-value target. Assuming an adversary having a fake base station near an embassy, he can learn the officials' activity not only when they are at the office during working hours, but also when they are not, including during evenings and nights (e.g., at home) or during business trips. Therefore, such an attacker may learn if targets use different SIM cards for private use (no activity at home), if some specific time periods (e.g., one evening and night) were specifically busy (a lot of calls or SMSs were made yielding a big rise of SQN), if one is using his work phone at home, if a phone was switched off for certain time periods or trips (possibly indicating multiple SIMs usage), etc.

Better ads targeting. Consider for instance a shop that is willing to know more about its customers (e.g., for improving ads targeting) using fake base stations. This kind of scenario has already been reported [26] (using Wi-Fi capabilities of smartphones) and exploited [27] in real shops. Our attack causes a new threat in that context since it leaks to the shop typical customers' mobile consumption during time periods between customers' visits (while they escape the attack area).

4.3 Deriving Location Attacks

Using variants of our attack, one could mount location attacks (i.e., inferring if some targeted UE is in some physical area) even if the leak of identity (currently enabling IMSI-catchers attacks) and the traceability based on failure messages were fixed.

More precisely, we first assume that the identity request phase would be well-protected using e.g., encryption (as done in 5G, phase 1 [2]). Second, we assume that the two failure cases (MAC or freshness failure) would be merged (AUTS message is also sent out in case of MAC failure, the network being able to infer the reason of the failure) to address the aforementioned known flaw. Under those assumptions, to the best of our knowledge, there is no known attack that could break subscribers' privacy. However, either of the two following variants of our attack still allows an active adversary to perform location attacks².

² Note that our activity monitoring attack can also be exploited under those circumstances.

First, if an attacker knows a value $CONC_0$ of some targeted $UE_0$ and obtains a value $CONC$ from some unknown UE (this can be easily obtained by replaying a genuine challenge), then he can infer if the unknown UE is $UE_0$ with very high probability by inspecting how large $CONC_0 \oplus CONC$ is, interpreted as an integer. Indeed, when both UEs do not match then $CONC_0 \oplus CONC = (SQN_{UE_0} \oplus AK^*_0) \oplus (SQN'_{UE_?} \oplus AK^*_?)$ (where $AK^*_? \neq AK^*_0$; see Section 3.1) which is a 48-bit random-looking value. By contrast, when they do match, then $CONC_0 \oplus CONC = SQN_{UE_0} \oplus SQN'_{UE_0}$ which is very likely a small value (we never observed more than 10