Mobile Security Fall 2012

Transcription

1 Mobile Security Fall 2012 Patrick Tague Class #5 Telecom Infrastructure Attacks

2 Announcements Project teams and topics need to be set soon Project topics must be approved before the proposal can be submitted/presented Each team will have 6-8 minutes to present their proposal in class on Monday Sign up for survey presentations soon Homework #1 is posted, due on September 24

3 Agenda Telecom infrastructure attacks DoS vulnerabilities in SMS and data systems Rogue base stations and MitM attacks

4 SMS, Pkt Data, & DoS Attacks

5 Short Messaging Service Original SMS standard (1985) outlined three types of functionality: Short message mobile terminated 1992: 1 st SMS message Short message mobile originated 2000: 5x10 9 SMS/month Short message cell broadcast 2005: SMS/month

6 SMS Message Delivery SMS SMS SMSC short msg service center Where is X? X not reachable HLR ESME external short messaging entity Message Queue X

7 Message Delivery ESME SMS SMS SMSC short msg service center SMS Where is X? X is at MSC2 MSC1 HLR BTS1 external short messaging entity MSC2 SMS BTS2 Is X active? Yes, at BTS3 BTS3 SMS (TCH) Traffic channel X VLR

8 Message Delivery SMS SMSC Where is X? X is at MSC2 HLR ESME external short messaging entity SMS short msg service center SMS VLR NO Is X active? MSC1 MSC2 X? X? X? Auth X BTS1 BTS2 BTS3 Paging X (PCH) Paging channel Paging X (PCH) Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel Delivery (SDCCH) X Standalone dedicated control channel

9 At the SMSC: SMS Queuing Queues are finite Messages can be lost Dropping/overflow management varies by carrier For details, see [Traynor et al., JSC 2008] At the MS: Queues are finite, batteries are small If MS queue is full, HLR tells SMSC it is unavailable Batteries can be drained...

10 SMS-Based Attacks Two general types of attacks apply to SMS Content-based attacks Phishing, spoofing, malware, ad-ware, Behavior-based attacks Denial-of-Service (DoS), resource depletion,

11 Content-Based SMS Attacks Basic idea: Malicious SMS messages aim to retrieve info from users; wide-spread solicitation, similar to spam ; infect mobile devices (e.g., for mobile botnets!) Similar to web/ -based attacks

12 Targeted SMS DoS Flooding a user with SMS messages: 1.Buffer (@ MS or SMSC) overflow With enough flooding, SMSC will drop valid messages Some devices auto-delete previously read messages when they run out of storage 2.Valid messages are delayed beyond useful lifetime Ex: meeting reminders are useless after the meeting 3.Valid messages are buried in the SMS flood Also a battery-depletion attack...

13 Voice & SMS Sharing BTS3 Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel SMS delivery (SDCCH) X Standalone dedicated control channel Voice & SMS Resources TCH is not used for SMS BTS3 Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel TCH Setup (SDCCH) X Standalone dedicated control channel Voice traffic (TCH) Traffic channel Both SMS and voice init. use RACH, AGCH, and SDCCH SMS flooding also works as DoS against voice calls!

14 Voice & SMS Sharing From [Traynor et al., Security for Telecommunications Networks, 2008]

15 How to DoS a City... How much SMS traffic must be sent to saturate the SDCCHs in a large metro area? SMS Capacity ~ (#Cell Towers) * (#Sectors/Tower) * (#SDCCH/Sector) * (Capacity/SDCCH) Ex: Washington DC 40 cell towers, 3 sectors/tower Either 8, 12, or 24 SDCCH/Sector Each SDCCH supports ~ 900 msgs/hour SMS Capacity ~ 240 msgs/sec (for 8 SDCCH/sector) ~ 2.8 Mbps

16 How to DDoS a Country... How much SMS traffic must be sent to saturate the SDCCHs in a large country? SMS Capacity ~ (Eff. Sector Density) * (Urban pop. Area) Ex: USA ~1.75 sectors / sq. mile 8 SDCCH/Sector * (#SDCCH/Sector) * (Capacity/SDCCH) Each SDCCH supports ~ 900 msgs/hour SMS Capacity ~ Kmsgs/sec ~ 3.8 Gbps Or ~ 380 Mbps for 10x multi-recipient messaging

17 Potential Defenses Elimination of Internet-originated SMS Not economically practical (SMS = $) Doesn't fully solve the problem (attack from within) Separation of voice and data Complete redesign of infrastructure, hw, & sw Doesn't fully solve the problem Add more resources Rate limiting Improved queue management

18 Mitigating SMS Flooding Incorporate fairness and priority management into SMS queuing Weighted Fair Queuing (WFQ): Each flow goes into a separate message queue - users get a proportional share of the queue to handle their messages Weighted Early Random Detection (WRED): Messages are randomly dropped in proportion to queue occupancy variable for different service classes (emergency use, mobile originated, web originated)

19 Mitigating SMS Flooding From [Traynor et al., Security for Telecommunications Networks, 2008]

20 Cellular Data Service Internet Cellular Network Cellular data service acts as a gateway to the Internet Connecting to an open network through a closed network?

21 Internet Data GGSN Data Delivery Where is X? X is at SGSN2 HLR gateway GPRS support node Data SGSN1 X? BTS1 Paging X (PPCH) MS IP Address SGSN IP Address SGSN2 serving GPRS support node X? X? Auth X BTS2 BTS3 Paging X (PPCH) Paging X (PPCH) Temporary Flow ID (TFI) marks each flow X Reply (PRACH) Ch. Assign (PAGCH) ACK (PACCH) Delivery (PDTCH)

22 MS Data Activity State Activity States To save battery, devices do not constantly listen for packets Ready: constantly listening for packets Standby: periodically listens for pages Idle: device is unregistered / unreachable

23 Data-Based DoS Attacks Establishing a data connection is costly! Timeouts are typically delayed to prevent frequent reallocation and reestablishment due to minor variation Timers ~ 5 seconds TFI field is 5 bits If an adversary establishes 32 data sessions in a sector, DoS to everyone else! Capacity ~ (#Sectors) * (#Msgs/Sector) * (Bytes/Msg) Timer duration Ex: Washington DC: 120 sectors, 41 B/Msg 252 kbps Order of magnitude less work to deny data traffic compared to SMS DoS attack on voice

24 Rogue Base Stations & MitM Attacks Slide credit: C. Midler & B. Tello

25 Rogue BTS An adversary can deploy a rogue BTS that attempts to spoof the service provided by a valid BTS, attracting users for various reasons Possible to launch a MitM attack on 2G/3G mobile connections Applies to GPRS, EDGE, UMTS, and HSPA capable devices Cheap

26 Typical Data Flow Device connects to BTS and establishes IP data connection with GGSN, BSC, and SGSN IP packets are tunneled to the GGSN, which (de)encapsulates them and sends them to/from the Internet BTS controls encryption options [Perez & Pico, BlackHat 2011]

27 Lack of Authentication GPRS and EDGE use 2G GSM authentication Devices are required to prove their identity to the BTS BTS is NOT required to prove its identity to the device

28 Null Encryption Support GPRS / EDGE devices are required to support null encryption (i.e., plaintext) BTS can only offer to support null encryption Most devices will accept the offer and send data in the clear

29 Fallback Support Devices running UMTS/HSPA (3G/3.5G) are often configured to fall back to GPRS/EDGE if no UMTS/HSPA service is available Sometimes occurs in network fringes, rural areas, etc. Also, if someone is jamming the UMTS/HSPA frequencies or certain channels

30 Setting up a Rogue BTS [Perez & Pico, BlackHat 2011]

31 Setting up a Rogue BTS GSM + GPRS + EDGE capable BTS Connects to BSC over Ethernet

32 Setting up a Rogue BTS Consumer grade laptop with Internet connection OpenBSC OSMOSGSN OpenGGSN

33 Setting up a Rogue BTS UMTS/HSPA (3G/3.5G) jammer Only required if the attacker wants to target 3G devices $25-500

34 MitM Attack Attacker positions BTS in range of the target Range can be improved by using a high-gain directional antenna or amplifier

35 Attack Details Attacker must use suitable spectrum for the target's (known) carrier network BTS must be configured to operate using these known frequencies/channels BTS configured to accept connections from desired victim phones If intent is MitM, attacker configures SGSN/GGSN to properly route traffic to Internet, otherwise, just intercepts data rather than forwarding Victim will attach to rogue BTS if power is higher than the real BTS

36 Defenses Major modifications would be needed to make GSM/GPRS/EDGE secure against rogue BTS Higher level protections can be used to secure data against MitM attack UMTS/HSPA devices can be configured to not fall back to 2G/2.5G 4G to the rescue?

37 4G Not to the Rescue

38 Next Time September 17: Project Proposals September 19: WiFi Authentication & Access Control WiFi and how it works Security protocols Vulnerabilities