Breaking cell phone authentication: vulnerabilities in AKA, IMS and Android

Authors:
Jethro G. Beekman;Christopher Thompson
Affiliations:
Electrical Engineering and Computer Science, University of California, Berkeley;Electrical Engineering and Computer Science, University of California, Berkeley
Venue:
WOOT'13 Proceedings of the 7th USENIX conference on Offensive Technologies
Year:
2013

Citing 11
Cited 0

Protocol Interactions and the Chosen Protocol Attack

Proceedings of the 5th International Workshop on Security Protocols
A man-in-the-middle attack on UMTS

Proceedings of the 3rd ACM workshop on Wireless security
Implications of Unlicensed Mobile Access (UMA) for GSM security

SECURECOMM '05 Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks
Using the domain name system for system break-ins

SSYM'95 Proceedings of the 5th conference on USENIX UNIX Security Symposium - Volume 5
Solutions to the GSM Security Weaknesses

NGMAST '08 Proceedings of the 2008 The Second International Conference on Next Generation Mobile Applications, Services, and Technologies
A Survey of Voice over IP Security Research

ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
An Introduction to Standards-Based VoIP: SIP, RTP, and Friends

IEEE Internet Computing
The effectiveness of application permissions

WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
Security analysis and enhancements of 3GPP authentication and key agreement protocol

IEEE Transactions on Wireless Communications
The most dangerous code in the world: validating SSL certificates in non-browser software

Proceedings of the 2012 ACM conference on Computer and communications security
Why eve and mallory love android: an analysis of android SSL (in)security

Proceedings of the 2012 ACM conference on Computer and communications security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Next generation IP telephony such as the IP Multimedia Subsystem (IMS) framework has been used to create Internet calling services which let cellular users make and receive calls even when without cellular reception. In this paper, we look at the security aspects of Internet calling services and other systems that use the 3GPP Authentication and Key Agreement (AKA) protocol for authentication, particularly focusing on the context of cellular authentication in Android. We describe a new man-in-the-middle attack on T-Mobile's Wi-Fi Calling service, which is installed on millions of T-Mobile Android smartphones. We also describe three new attacks on AKA in the context of Internet calling and Android. We have worked with T-Mobile to fix the man-in-the-middle vulnerability, and we present clear and actionable solutions to fix the remaining vulnerabilities.