Wi-Fi Calling
Revealing Downgrade Attacks and Not-so-private Private Keys
Gabriel K. Gegenhuber, Florian Holzbauer, Philipp É. Frenzel, Edgar Weippl, Adrian Dabrowski

The Speakers
Gabriel Gegenhuber
  Bachelors and Masters from TU Wien
  Researcher at SBA Research
  PhD Candidate at University of Vienna
Adrian Dabrowski
  PhD from TU Wien
  PostDoc at University of California, Irvine
  PostDoc at CISPA Helmholtz Center
  Faculty at University of Applied Sciences, FH Campus Wien

Black Hat Europe 2024  WiFi Calling: Revealing Downgrade Attacks and Not-so-private Private Keys  2/49

Cellular Research Challenges
Different Access Technologies
  Radio: 2G, 3G, 4G, 5G
  Voice: legacy and CSFB, VoLTE
Legacy Protocols
  USSD, OTA, Proactive SIM, WAP
Corner Cases
  Roaming
  Zero-rating
  Geo-blocked Services
Geography
  Strict confinement through frequency licensing
  2-4 bare metal operators per country

Large-scale/International Measurement in Radio Access Networks

Example: Measuring One Operator in Three Countries

Example: Measuring Three Operators in Three Countries

Example: (6+1) × 3 Operators × 3 Plans × 3 Territories = 189

Geographically Decoupling Modem and SIM Card
Traditionally modem and SIM card are seen as an indivisible unit
We execute a relay attack on the communication between SIM card and modem
  Modem is at location/country A
  SIM card can be at location/country B
Virtual Circuit: APDU over TCP connection
SIM Tunnel interface

[Figure: DH Groups chart; legend: =) 3072-bit, (14) 2048-bit, (5) 1536-bit, (2) 1024-bit, (1) 768-bit; values: 17 (11%), 12 (