Breaking Cell Phone Authentication: Vulnerabilities in AKA, IMS and Android

Last year, I worked on reverse engineering Android implementations of IMS, the next generation 4G IP based telephony suite of protocols, with Jethro Beekman at Berkeley.

We released a technical report on our MITM attack against T-Mobile’s WiFi Calling service, which was caused by unvalidated SSL certificates. This was joint work with Jethro Beekman, another EECS grad student at Berkeley. Big takeaway: T-Mobile was great to work with on fixing this vulnerability—their security team is excellent.

In addition to the technical report, we continued to look at IMS systems in general, and how T-Mobile and Android implemented them. We found that, amongst other things, Digest AKAv1, the authentication and key exchange protocol used in IMS, doesn’t correctly require use of the generated secret keys, allowing a variety of attacks. Additionally, generally accessible APIs in both core Android and in T-Mobile’s customized ROMs allow apps with just the READ_PHONE_STATE permission to access the IMS authentication routines in the SIM card, making it possible for low-privilege malware on a phone to let a remote attacker authenticate as that phone.

A simple example of why you might care: An attacker can pretend to be you (your number, your subscriber ID, your phone) and call premium 1-900 numbers or send text premium text messages, costing you real money.

Jethro presented our paper at USENIX WOOT (Workshop On Offensive Technologies) 2013 a couple weeks ago. Thanks to USENIX open access policies, you can view the paper, slides, and video of the talk online