Mobile Security / /

Transcription

1 Mobile Security / / Patrick Tague 14 Sept 2010 Class #7 Securing Cellular Services

2 Agenda Vulnerabilities in Cellular Services SMS and related attacks Cellular data services and attacks VoIP services and attacks No class 9/16, but HW #1 is due

3 Short Messaging Service Original SMS standard (1985) outlined three types of functionality: Short message mobile terminated 1992: 1 st SMS message Short message mobile originated 2000: 5x10 9 SMS/month Short message cell broadcast 2005: SMS/month

4 SMS Message Delivery SMS SMS SMSC short msg service center Where is X? X not reachable HLR ESME external short messaging entity Message Queue X

5 Message Delivery ESME SMS SMS SMSC short msg service center SMS Where is X? X is at MSC2 MSC1 HLR BTS1 external short messaging entity MSC2 SMS BTS2 Is X active? Yes, at BTS3 BTS3 SMS (TCH) Traffic channel X VLR

6 Message Delivery SMS SMSC Where is X? X is at MSC2 HLR ESME external short messaging entity SMS short msg service center SMS VLR NO Is X active? MSC1 MSC2 X? X? X? Auth X BTS1 BTS2 BTS3 Paging X (PCH) Paging channel Paging X (PCH) Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel Delivery (SDCCH) X Standalone dedicated control channel

7 At the SMSC: SMS Queuing Queues are finite Messages can be lost Dropping/overflow management varies by carrier For details, see [Traynor et al., JSC 2008] At the MS: Queues are finite, batteries are small If MS queue is full, HLR tells SMSC it is unavailable Batteries can be drained...

8 SMS-Based Attacks Two general types of attacks apply to SMS Content-based attacks Phishing, spoofing, malware, ad-ware, Behavior-based attacks Denial-of-Service (DoS), resource depletion,

9 Content-Based SMS Attacks Basic idea: Malicious SMS messages aim to retrieve info from users; wide-spread solicitation, similar to spam ; infect mobile devices (e.g., for mobile botnets!) Similar to web/ -based attacks

10 Targeted SMS DoS Flooding a user with SMS messages: 1.Buffer (@ MS or SMSC) overflow With enough flooding, SMSC will drop valid messages Some devices auto-delete previously read messages when they run out of storage 2.Valid messages are delayed beyond useful lifetime Ex: meeting reminders are useless after the meeting 3.Valid messages are buried in the SMS flood 4.Billing issues Also a battery-depletion attack...

11 Voice & SMS Sharing BTS3 Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel SMS delivery (SDCCH) X Standalone dedicated control channel Voice & SMS Resources TCH is not used for SMS BTS3 Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel TCH Setup (SDCCH) X Standalone dedicated control channel Voice traffic (TCH) Traffic channel Both SMS and voice init. use RACH, AGCH, and SDCCH SMS flooding also works as DoS against voice calls!

12 Voice & SMS Sharing From [Traynor et al., Security for Telecommunications Networks, 2008]

13 How to DoS a City... How much SMS traffic must be sent to saturate the SDCCHs in a large metro area? SMS Capacity ~ (#Cell Towers) * (#Sectors/Tower) * (#SDCCH/Sector) * (Capacity/SDCCH) Ex: Washington DC 40 cell towers, 3 sectors/tower Either 8, 12, or 24 SDCCH/Sector Each SDCCH supports ~ 900 msgs/hour SMS Capacity ~ 240 msgs/sec (for 8 SDCCH/sector) ~ 2.8 Mbps

14 How to DDoS a Country... How much SMS traffic must be sent to saturate the SDCCHs in a large country? SMS Capacity ~ (Eff. Sector Density) * (Urban pop. Area) Ex: USA ~1.75 sectors / sq. mile 8 SDCCH/Sector * (#SDCCH/Sector) * (Capacity/SDCCH) Each SDCCH supports ~ 900 msgs/hour SMS Capacity ~ Kmsgs/sec ~ 3.8 Gbps Or ~ 380 Mbps for 10x multi-recipient messaging

15 Mitigating SMS Flooding Incorporate fairness and priority management into SMS queuing Weighted Fair Queuing (WFQ): Each flow goes into a separate message queue - users get a proportional share of the queue to handle their messages Weighted Early Random Detection (WRED): Messages are randomly dropped in proportion to queue occupancy variable for different service classes (emergency use, mobile originated, web originated)

16 Mitigating SMS Flooding From [Traynor et al., Security for Telecommunications Networks, 2008] From [Traynor et al., Security for Telecommunications Networks, 2008]

17 Cellular Data Service Internet Cellular Network Cellular data service acts as a gateway to the Internet Connecting to an open network through a closed network?

18 Internet Data GGSN Data Delivery Where is X? X is at SGSN2 HLR gateway GPRS support node Data SGSN1 X? BTS1 Paging X (PPCH) MS IP Address SGSN IP Address SGSN2 serving GPRS support node X? X? Auth X BTS2 BTS3 Paging X (PPCH) Paging X (PPCH) Temporary Flow ID (TFI) marks each flow X Reply (PRACH) Ch. Assign (PAGCH) ACK (PACCH) Delivery (PDTCH)

19 MS Data Activity State Activity States To save battery, devices do not constantly listen for packets Ready: constantly listening for packets Standby: periodically listens for pages Idle: device is unregistered / unreachable

20 Data-Based DoS Attacks Establishing a data connection is costly! Timeouts are typically delayed to prevent frequent reallocation and reestablishment due to minor variation Timers ~ 5 seconds TFI field is 5 bits If an adversary establishes 32 data sessions in a sector, DoS to everyone else! Capacity ~ (#Sectors) * (#Msgs/Sector) * (Bytes/Msg) Timer duration Ex: Washington DC: 120 sectors, 41 B/Msg 252 kbps Order of magnitude less work to deny data traffic compared to SMS DoS attack on voice

21 What's Next? 9/16: No class HW #1 due 9/21: Securing cellular services - continued 9/23: Mobile app security?