Side-Channel Attacks on Encrypted 5G/4G Voice Calls

Shaan Shekhar (18463575)

01 May 2024

<p dir="ltr">5G/4G voice calls are encrypted for the purpose of confidentiality, secrecy and privacy. Although protected by well-examined security measures we unveil several vulnerabilities previously unreported in the 5G/4G voice calls that unintentionally leak 5G/4G call state information despite encryption protection and device proof of concept attacks in this thesis. Unlike existing attacks, these new attacks are significantly more threatening because they are completely contactless without requiring any malware, access or compromise on the victim's phones, the 5G/4G network and the other call party. Instead, the attacker only needs to deploy a radio sniffer to eavesdrop on 5G/4G communication and infer confidential call information.</p><p dir="ltr">Interestingly, such confidentiality breaches are technically feasible due to recent 5G/4G call enhancement technologies standardized in the 3GPP specifications and adopted by mobile network operators. While effective in enhancing 5G/4G call quality and efficiency, they, unfortunately, expose extra call information, which can be exploited to infer call states and launch side-channel attacks precisely. Another major contributor to this attack is the IVR technology, which uses a computer-operated telephone system to help companies answer customer calls. In this thesis, we focus on snooping Pay-over-the-Phone transactions done over IVR calls and optionally inferring the company involved in the transaction. The attacks exploit technologies designed to enhance the call quality and efficiency and develop several attack modules to (1) detect voice calls over encrypted 5G/4G traffic, (2) infer the use of IVR over limited call information leaked in the air, and (3) spy on sensitive payment transactions in real-time. We have implemented this proof-of-concept attack using an SDR-based sniffer only. We have validated its effectiveness and assessed damages in various experiments with 5G operators in the US. Lastly, we have discussed the lessons learned from the attacks and the future work that can be done to improve the efficiency of the attacks and make them more threatening.</p>

System and network security

Voice Call Security

Phone Call Security

Side Channel Attacks

Inference Attacks

Exploiting On-Chip Voltage Regulators as a Countermeasure Against Power Analysis Attacks

Yu, Weize

24 May 2017

Non-invasive side-channel attacks (SCA) are powerful attacks which can be used to obtain the secret key in a cryptographic circuit in feasible time without the need for expensive measurement equipment. Power analysis attacks (PAA) are a type of SCA that exploit the correlation between the leaked power consumption information and processed/stored data. Differential power analysis (DPA) and leakage power analysis (LPA) attacks are two types of PAA that exploit different characteristics of the side-channel leakage profile. DPA attacks exploit the correlation between the input data and dynamic power consumption of cryptographic circuits. Alternatively, LPA attacks utilize the correlation between the input data and leakage power dissipation of cryptographic circuits. There is a growing trend to integrate voltage regulators fully on-chip in modern integrated circuits (ICs) to reduce the power noise, improve transient response time, and increase power efficiency. Therefore, when on-chip voltage regulation is utilized as a countermeasure against power analysis attacks, the overhead is low. However, a one-to-one relationship exists between the input power and load power when a conventional on-chip voltage regulator is utilized. In order to break the one-to-one relationship between the input power and load power, two methodologies can be considered: (a) selecting multi-phase on-chip voltage regulator and using pseudo-random number generator (PRNG) to scramble the activation or deactivation pattern of the multi-phase voltage regulator in the input power profile, (b) enabling random voltage/scaling on conventional on-chip voltage regulators to insert uncertainties to the load power profile. In this dissertation, on-chip voltage regulators are utilized as lightweight countermeasures against power analysis attacks. Converter-reshuffling (CoRe) technique is proposed as a countermeasure against DPA attacks by using a PRNG to scramble the input power profile. The time-delayed CoRe technique is designed to eliminate machine learning-based DPA attacks through inserting a certain time delay. The charge-withheld CoRe technique is proposed to enhance the entropy of the input power profile against DPA attacks with two PRNGs. The security-adaptive (SA) voltage converter is designed to sense LPA attacks and activate countermeasure with low overhead. Additionally, three conventional on-chip voltage regulators: low-dropout (LDO) regulator, buck converter, and switched-capacitor converter are combined with three different kinds of voltage/frequency scaling techniques: random dynamic voltage and frequency scaling (RDVFS), random dynamic voltage scaling (RDVS), and aggressive voltage and frequency scaling (AVFS), respectively, against both DPA and LPA attacks.

Hardware security

Side-channel attacks

Differential power analysis attacks

Leakage power analysis attacks

On-chip voltage regulation

Computer Engineering

Electrical and Computer Engineering

Physical design of cryptographic applications : constrained environments and power analysis resistance

Macé, François

24 April 2008

Modern cryptography responds to the need for security that has arisen with the emergence of communication appliances. However, its adapted integration in the wide variety of existing communication systems has opened new design challenges. Amongst them, this thesis addresses two in particular, related to hardware integration of cryptographic algorithms: constrained environments and side-channel security. In the context of constrained environments, we propose to study the interest of the Scalable Encryption Algorithm SEA for constrained hardware applications. We investigate both the FPGA and ASIC contexts and illustrate, using practical implementation results, the interest of this algorithm. Indeed, we demonstrate how hardware implementations can keep its high scalability properties while achieving interesting implementation figures in comparison to conventional algorithms such as the AES. Next, we deal with three complementary aspects related to side-channel resistance. We first propose a new class of dynamic and differential logic families achieving low-power performance with matched leakage of information to state of-the-art countermeasures. We then discuss a power consumption model for these logic styles and apply it to DyCML implementations. It is based on the use of the isomorphism existing between the gate structures of the implemented functions and the binary decision diagrams describing them. Using this model, we are not only able to predict the power consumption, and therefore attack such implementations, but also to efficiently choose the gate structures achieving the best resistance against this model. We finally study a methodology for the security evaluation of cryptographic applications all along their design and test phases. We illustrate the interest of such a methodology at different design steps and with different circuit complexity, using either simulations or power consumption measurements.

Cryptography

Side-Channel Attacks

Countermeasurs

Constrained Environments

Digital Circuit Design

Forgiveness: the Gift and Its Counterfeit

VanderBerg, James

11 1900

No description available.

Forgiveness

Derrida, Jacques

September 11 Terrorist Attacks, 2001

Poetry

Collaborative Network Security: Targeting Wide-area Routing and Edge-network Attacks

Hiran, Rahul Gokulchand

January 2016

To ensure that services can be delivered reliably and continuously over theInternet, it is important that both Internet routes and edge networks aresecured. However, the sophistication and distributed nature of many at-tacks that target wide-area routing and edge networks make it difficult foran individual network, user, or router to detect these attacks. Thereforecollaboration is important. Although the benefits of collaboration betweendifferent network entities have been demonstrated, many open questionsstill remain, including how to best design distributed scalable mechanismsto mitigate attacks on the network infrastructure. This thesis makes severalcontributions that aim to secure the network infrastructure against attackstargeting wide-area routing and edge networks. First, we present a characterization of a controversial large-scale routinganomaly, in which a large Telecom operator hijacked a very large numberof Internet routes belonging to other networks. We use publicly availabledata from the time of the incident to understand what can be learned aboutlarge-scale routing anomalies and what type of data should be collected inthe future to diagnose and detect such anomalies. Second, we present multiple distributed mechanisms that enable col-laboration and information sharing between different network entities thatare affected by such attacks. The proposed mechanisms are applied in thecontexts of collaborating Autonomous Systems (ASes), users, and servers,and are shown to help raise alerts for various attacks. Using a combina-tion of data-driven analysis and simulations, based on publicly availablereal network data (including traceroutes, BGP announcements, and net-work relationship data), we show that our solutions are scalable, incur lowcommunication and processing overhead, and provide attractive tradeoffsbetween attack detection and false alert rates. Finally, for a set of previously proposed routing security mechanisms,we consider the impact of regional deployment restrictions, the scale of thecollaboration, and the size of the participants deploying the solutions. Al-though regional deployment can be seen as a restriction and the participationof large networks is often desirable, we find interesting cases where regionaldeployment can yield better results compared to random global deployment,and where smaller networks can play an important role in achieving bettersecurity gains. This study offers new insights towards incremental deploy-ment of different classes of routing security mechanisms.

Collaboration

network security

BGP attacks

routing security

hijack

A self-healing framework to combat cyber attacks : analysis and development of a self-healing mitigation framework against controlled malware attacks for enterprise networks

Alhomoud, Adeeb M.

January 2014

Cybercrime costs a total loss of about $338 billion annually which makes it one of the most profitable criminal activities in the world. Controlled malware (Botnet) is one of the most prominent tools used by cybercriminals to infect, compromise computer networks and steal important information. Infecting a computer is relatively easy nowadays with malware that propagates through social networking in addition to the traditional methods like SPAM messages and email attachments. In fact, more than 1/4 of all computers in the world are infected by malware which makes them viable for botnet use. This thesis proposes, implements and presents the Self-healing framework that takes inspiration from the human immune system. The designed self-healing framework utilises the key characteristics and attributes of the nature’s immune system to reverse botnet infections. It employs its main components to heal the infected nodes. If the healing process was not successful for any reason, it immediately removes the infected node from the Enterprise’s network to a quarantined network to avoid any further botnet propagation and alert the Administrators for human intervention. The designed self-healing framework was tested and validated using different experiments and the results show that it efficiently heals the infected workstations in an Enterprise network.

364.16

EU:s säkerhetspolitik : En kvalitativ idéanalys av de åtgärder som vidtagits mellan åren 2015-2017 / The EU:s security policy : A qualitative idea analysis of measures taken between the years 2015-2017

Sendi, Evin

January 2019

In the past few years, the European Union has been affected by several terrorist attacks and many states have suffered from this. As a reaction to these terrorist attacks, the EU has adopted through treaties several strategies and measures to tackle the issues of terrorism. The purpose of this essay is to analyze the EU’s security policy between the years 2015 and 2017. Both of the main questions are answered through different theories that are provided for the essay. The first one is formulated to answer if the security policy has successfully been securitized and the other is answered through a perspective of realism and liberalism. Furthermore, the report is a qualitative idea analysis and is based on primary sources. The conclusion of the essay regarding the first question is that a complete securitization of terrorists has been fulfilled after the terrorist attacks in Paris 2015. The result regarding the second question shows that the European security policy has liberal tendencies.

EU

terrorism

terrorist attacks

securitization

realism

liberalism

Social Sciences

Samhällsvetenskap

Lanthanide metals as potential shark deterrents

Unknown Date

Sharks comprise a large portion of bycatch in pelagic longline fisheries worldwide. Lanthanide metals have been proposed as shark repellents. This study quantified the normalized voltage of lanthanide metals in seawater and found that there was no difference in normalized voltage among the six tested metals. Temperature and salinity had a significant effect on lanthanide normalized voltage. The output at 18ºC was significantly greater than at both 12 and 24ºC. The normalized voltage was significantly greater in freshwater than brackish or seawater. The dissolution rate for the lanthanides varied from -1.6 to -0.2g/h. As the metals dissolved the voltage remained constant. In a behavioral assay, neodymium was ineffective at repelling bonnethead sharks (Sphyrna tiburo) tested individually and in groups, and lemon sharks (Negaprion brevirostris) in groups. Due to high cost, fast dissolution rates, and lack of deterrent effects, lanthanide metals are not recommended for use in mitigating shark bycatch. / by Sara M. McCutcheon. / Thesis (M.S.)--Florida Atlantic University, 2012. / Includes bibliography. / Electronic reproduction. Boca Raton, Fla., 2012. Mode of access: World Wide Web.

Metals--Speciation

Lanthanide shift reagents

Shark attacks--Prevention

Lightweight Cryptography Meets Threshold Implementation: A Case Study for SIMON

Shahverdi, Aria

26 August 2015

"Securing data transmission has always been a challenge. While many cryptographic algorithms are available to solve the problem, many applications have tough area constraints while requiring high-level security. Lightweight cryptography aims at achieving high-level security with the benefit of being low cost. Since the late nineties and with the discovery of side channel attacks the approach towards cryptography has changed quite significantly. An attacker who can get close to a device can extract sensitive data by monitoring side channels such as power consumption, sound, or electromagnetic emanation. This means that embedded implementations of cryptographic schemes require protection against such attacks to achieve the desired level of security. In this work we combine a low-cost embedded cipher, Simon, with a stateof-the-art side channel countermeasure called Threshold Implementation (TI). We show that TI is a great match for lightweight cryptographic ciphers, especially for hardware implementation. Our implementation is the smallest TI of a block-cipher on an FPGA. This implementation utilizes 96 slices of a low-cost Spartan-3 FPGA and 55 slices a modern Kintex-7 FPGA. Moreover, we present a higher order TI which is resistant against second order attacks. This implementation utilizes 163 slices of a Spartan-3 FPGA and 95 slices of a Kintex-7 FPGA. We also present a state of the art leakage analysis and, by applying it to the designs, show that the implementations achieve the expected security. The implementations even feature a significant robustness to higher order attacks, where several million observations are needed to detect leakage."

cryptography

side-channel attacks

lightweight cryptography

SIMON

threshold implementation

The Coast Guard in transition : organization change in response to September 11

Buschman, Scott A. (Scott Andrew), 1962-

January 2003

Thesis (M.B.A.)--Massachusetts Institute of Technology, Sloan School of Management, 2003. / Includes bibliographical references (leaves 91-93). / Since the events of September 11, 2001 and the continuing terrorist threats facing the United States, the Coast Guard faces a number of new organizational and operational challenges. Many structural changes have occurred within a short period. Organizations have been regrouped and cross-organizational units have been formed in the recently established Department of Homeland Security. This thesis summarizes these changes and examines past and current roles of the Coast Guard. Data for this work include interviews, official documents and personal experience. Based on these materials, the thesis concludes with a set of recommendations that senior executives in the Coast Guard might consider to ease some of the current organizational challenges the Service now faces / by Scott A. Buschman. / M.B.A.

Sloan School of Management.

September 11 Terrorist Attacks, 2001