sbaresearch/vowifi-epdg-scanning

VoWiFi ePDG Scanning

This artifact contains the source code necessary to run the client- and server-side evaluation scripts for our VoWiFi security analysis. While the scripts can be used to scan for various security parameters (e.g., ciphers), our evaluation focuses on the key exchange (i.e., the supported Diffie-Hellman (DH) groups and the rekey timings) used for the first (i.e., phase 1) VoWiFi tunnel, which is essential to the security of the overall communication.

📚 Publication

Our corresponding USENIX Security '24 paper can be found here. The presentation slides are available here.

If you want to cite our paper in your work, please use the following BibTeX entry.

@inproceedings{gegenhuber2024diffie,
  title={Diffie-Hellman Picture Show: Key Exchange Stories from Commercial VoWiFi Deployments},
  author={Gegenhuber, Gabriel K and Holzbauer, Florian and Frenzel, Philipp {\'E} and Weippl, Edgar and Dabrowski, Adrian},
  booktitle={33rd USENIX Security Symposium (USENIX Security 24)},
  year={2024}
}

Cloning the repository

We use Git LFS (Git Large File Storage) for the dumps.zip file containing client-side operator configurations. To successfully clone the repository including the 400MB dumps.zip file, Git LFS hooks are required.

Therefore:

  • Make sure to have Git LFS installed.

  • Set up the LFS hooks by running git lfs install.

  • Clone the repository by running git clone https://github.com/sbaresearch/vowifi-epdg-scanning.git.

Alternatively, if you do not want to use Git LFS, you can clone the repository without the prior instructions and download the dumps.zip file via a mirror at our scientific artifact storage:

git clone https://github.com/sbaresearch/vowifi-epdg-scanning.git
wget -O vowifi-epdg-scanning/client-side/dumps.zip https://services.phaidra.univie.ac.at/api/object/o:2083413/download

Client Side Configuration Extraction (Passive/Static Analysis)

This README section contains the instructions for the client-side VoWiFi parameter analysis (Section 5).

You can reproduce all the client-side analysis steps using the provided Jupyter notebook.

Installation

cd client-side
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

To run the notebook:

jupyter notebook client_side_evaluation.ipynb

The Jupyter notebook provides step-by-step instructions for extracting and harmonizing the client-side configuration data for different device types. Furthermore, it uses the harmonized results in JSON format (created via the first part of the notebook) to generate graphs that present the summarized results in a more convenient and human-friendly way.

Extracting Client Configurations from Firmware ROMs

Since this requires downloading complete firmware ROMs (often more than 10 GB) from external sources, and since unpacking the relevant configurations from a ROM is a time-consuming extraction process overall, we took a shorter path for the artifact evaluation and simply provide the configuration files that were used in our publication in the dumps.zip file.

To make it easier for other researchers to repeat the full configuration extraction at a later point in time (e.g., with more recent or different firmware ROMs), we document the approach we used in the section Extracting Configurations for Other Devices below.

Server Side ePDG Probing (Active/Dynamic Analysis)

This README section contains the instructions for the server-side ePDG probing (Section 6).

Installation

cd server-side
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Execution

Note

The server-side scans use Scapy to send and receive packets and thus require root privileges.

sudo su
source venv/bin/activate
./epdg_scanner.py --testcase SUPPORT_DH_768MODP
./epdg_scanner.py --testcase SUPPORT_DH_1024MODP
./epdg_scanner.py --testcase SUPPORT_DH_1536MODP

Dockerized Execution

If you have trouble running the server-side scans on your system, you can also run them within a Docker container.

Run an Ubuntu container via Docker (interactive mode):

docker run -i -t ubuntu bash

Set up the container and run the scan:

apt update
apt install -y git python3-pip python3-venv tcpdump
git clone https://github.com/sbaresearch/vowifi-epdg-scanning.git
cd vowifi-epdg-scanning/server-side/
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

./epdg_scanner.py --testcase SUPPORT_DH_768MODP

Evaluation

The probing results can be found in the results directory. The .txt file contains the security associations that were negotiated with each server. The .pcap file can be used for further (more precise) analysis with Wireshark.

For a simple evaluation, the .txt file can be filtered in the following manner:

grep successful results/SUPPORT_DH_768MODP_*.txt

or, to just display the affected operators/domains:

grep successful results/SUPPORT_DH_768MODP_*.txt | cut -d' ' -f2 | uniq

Extracting Configurations for Other Devices

Depending on the device, the following approaches were used to extract the VoWiFi configuration data:

Provider   VoWiFi configuration through   Download & Parse
Apple      IPCC Files                     https://github.com/mrlnc/ipcc-downloader
Oppo       MBN Files                      https://github.com/sbaresearch/mbn-mcfg-tools
Xiaomi     MBN Files                      https://github.com/sbaresearch/mbn-mcfg-tools
Samsung    XML Files                      Handset path: /system/etc/epdg_apns_conf.xml

Apple

To extract VoWiFi configurations from IPCC files, the following steps are necessary.

Download IPCC files using ipcc-downloader.

./download_ipccs.py -d # May take some time
cd data
for i in $(find . | grep plist); do plistutil -i "$i" -o "$i.xml"; done

The IPCC URLs (ipcc_urls.txt) and the unpacked carrier configurations are stored in the data folder.

Samsung

  1. Extract the AP (.tar.md5) file

  2. lz4: unpack super.img.lz4 to super.img [lz4 super.img.lz4]

  3. simg2img: unpack super.img to super.img.raw [simg2img super.img super.img.raw]

  4. lpunpack: extract system image from super.img.raw [python3 lpunpack.py --partition=system super.img.raw extracted]

  5. Mount extracted/system and go to /system/etc/

The system/etc/epdg_apns_conf.xml file contains ePDG endpoints and the corresponding cipher configurations.

Xiaomi + Oppo (Qualcomm-generic)

  1. Extract the ROM and go to the images folder
  2. Mount NON-HLOS.bin
  3. MBN MCFG files are located at /image/modem_pr/mcfg
  4. Use mbn-mcfg-tools to further process MBN files

License

This project is licensed under GPLv3.