CS Computer and Network Security: GSM Overload

Transcription

1 CS Computer and Network Security: GSM Overload Professor Patrick Traynor Fall 2017

2 Reminders You need to start working on your project! Some of you have not yet built anything. This will be a problem soon! Remember, you must turn in all of your code, plus a makefile and instructions on how to run it! Remember to keep doing your reading! Not just for the final, but also so that you can participate in the class! 2

3 Unintended Consequences The law of unintended consequences states that most human actions have at least one unintended consequence. 3

4 Low Rate DoS Attacks While recent attacks on cellular networks seem unrelated, there is a common factor that catalyzes them all. Comparing multiple attacks uncovers causality: SMS Attack (JCS 09, CCS 05) Network Characterization and Partial Mitigations (TON 10, MobiCom 06) Data Teardown/Setup Attacks (USENIX Security 07) Clash of Design Philosophies The architecture of cellular networks inherently makes them susceptible to denial of service attacks. 4

5 SMS Delivery (simplified) CCH PSTN VLR MSC HLR VLR Network SMSC MSC Internet ESME 5

6 Control Channels Control channels are used for a handful of infrequently used functions. Call setup, SMS delivery, mobility management, etc... The SDCCH allows the network to perform most of these functions. The number of SDCCHs typically depends on the expected use in an area. 4/8/12... PCH RACH AGCH SDCCH 6

7 GSM TDMA Frames TDMA Frame: Slot 0 Slot 1 Slot 2 Slot 3 Slot 4 Slot 5 Slot 6 Slot 7 Frame: msec Frame 0 Frame 1 Frame 2... Frame Multiframe: msec 7

8 From Frames to Channels 26 Multiframe: ms }Frame: 4.615ms 8

9 Recognition Once you fill the SDCCH channels with SMS traffic, call setup is blocked Voice X SMS SMS SMS SMS SMS SMS SMS SMS The goal of an adversary is therefore to fill SDCCHs with SMS traffic. Not as simple as you might think... 9

10 Reconnaissance Can such an attack be launched by targeting a single phone? Low end phones: msgs High end phones: 500+ msgs (battery dies) How do you get messages into the network? , IM, provider websites, bulk senders, etc... Don t the networks have protections? IP Address blocking, Spam filtering 10

11 Finding Phones North American Numbering Plan (NANP) NPA-NXX-XXXX Numbering Plan Area Numbering Plan Exchange (Area code) Mappings between providers and exchanges publicly documented and available on the web Implication: An adversary can identify the prefixes used in a target area. 11

12 Web-Scraping Googling for phone numbers gives us better results: 7,300 in NYC 6,184 in D.C. in 5 seconds... 12

13 Provider Interfaces Almost all provider interfaces indicate whether or not a number is good. Some sites even tell you a target phone s availability. This interface is an oracle for available phones. 13

14 Exploit (Metro) C Sectors in Manhattan SDCCHs per sector 12 SDCCH (55 sectors) 1 sector 594, 000 msg/hr 165 msg/sec Messages per SDCCH per hour «900 msg/hr 1 SDCCH «165 msgs/sec * 1500 bytes = kb/sec kb/sec on multi-send interface... Comparison: Cable modem ~= 768 kb/sec 14

15 Attack Profile 1.2 SDCCH Utilization TCH Utilization 1 Utilization SDCCH Utilization TCH Utilization Time (seconds) Applied simulation and analysis to better characterize the attacks. Examined call blocking under multiple arrival patterns with exponentially distributed service times. Using 495 msgs/sec, a blocking probability of 71% is possible with the bandwidth of a cable modem. 15

16 Security Goals Goal: To preserve the fidelity of both voice services and legitimate text messages during targeted SMS attacks. Security Model: We must trust equipment in the network core. We can not trust Internet users or customer devices. 16

17 Placing Mitigations PSTN VLR MSC HLR VLR Network SMSC MSC Internet ESME 17

18 Solution Classifications Scheduling/Shaping/Regulation WFQ, Leaky Bucket, Priority Queues AQM (WRED, REM, AVQ) Resource Provisioning SDCCH (SMS) SDCCH (Voice) TCH (Voice) Service Queue (SMS) Service Queue (Voice) TCH (Voice) SRP Percent of Attempts Blocked Percent of Attempts Blocked DRP Time (seconds) SDCCH TCH Service Queue Time (seconds) SDCCH (SMS) SDCCH (Voice) TCH (Voice) DCA Utilization Percent of Attempts Blocked Time (seconds) Time (seconds) 18

19 WRED - Overview High Med Low t med,max t med,min t low,max t low,min 19

20 WRED - Overview High Med Low t med,max t med,min t low,max t low,min N Q = P Q 1 ρ target = ρ actual (1 P drop ) P drop = P drop,high λ high + P drop,med λ med + P drop,low λ low λ SMS P drop = P drop,max (Q avg t min ) (t max t min ) 20

21 WRED - Results 1 Service Queue (SMS - Priority 1) Service Queue (SMS - Priority 2) Service Queue (SMS - Priority 3) 1 SDCCH TCH Service Queue Percent of Attempts Blocked Low Priority SMS Blocking Utilization Average Queue Occupancy Time (seconds) Time (seconds) Messages of high and medium-priority experience no blocking, but increased delay. An average of 77% of low-priority messages are blocked. This is a nice solution, assuming meaningful partitioning of flows. 21

22 ...and yet... Performance improvements come from one of two changes: speedup or parallelization. As diverse as our solutions appear, they all attempt to maximize performance through the latter. In many senses, we are not solving the problem - we are pushing food around on our plate. Adding bandwidth should logically address this problem. 22

23 Cellular Data Networks GPRS/EDGE provide much higher bandwidth service. Packet-switched data services are attractive to providers and users for a number of reasons. User devices operate in one of three states: IDLE, STANDBY and READY. STANDBY IDLE: The device is unavailable. STANDBY: Available, but not exchanging packets. READY: Actively listening for packets. STANDBY Timer Expires Paging Request GPRS Detach READY READY Timer Expires GPRS Attach IDLE 23

24 Data Architecture HLR Internet GGSN SGSN IP Address SGSN

25 Real Network Configs To make these simulations represent reality, we use a Samsung Blackjack in Field Test Mode to discover settings of an operational network. Field Test Mode tells us that control channels for voice and data are shared in real networks. Voice and data traffic may be able to interfere with each other. 25

26 Reducing Overhead Because paging is so expensive, we don t want to do it for every packet. Establishing a connection takes 5 seconds: Waiting: Paging, Wakeup, Processing, Acquiring timeslots Transmission GPRS differentiates packets at the MAC layer by Temporary Block Flows (TBFs). Each TBF is assigned a Temporary Flow ID (TFI). 26

27 Teardown Attack: Overview TFIs are implemented as 5-bit fields, yielding a maximum of 32 concurrent flows. If you send a message to a phone once every 5 seconds, the targeted device maintains its TFI. An adversary can therefore cause legitimate flows to block due to TBF/TFI exhaustion msgs msgs Capacity sectors sectors 1 sector Kbps 110 Kbps 41 bytes 41 bytes 1 msg 1 msg sec 5 sec 27

28 Teardown Attack: Results 1 Average Percent Blocking During Attack Attack Traffic (kbps) RACH (Data) RACH (Voice) PDTCH (Data) TCH (Voice) If an attacker can send 160Kbps of data traffic, 97% of legitimate traffic will be blocked. Note that data service is blocked with less than 30% of the attack traffic previously used to attack SMS. 28

29 Setup Attack Average Percent Blocking During Attack Attack Traffic (kbps) RACH (Data) RACH (Voice) To prevent this attack, we reclaim TFIs when the base station sends the last packet in a flow. If an attacker can send 4950Kbps of attack traffic, over 85% of all legitimate traffic will be blocked. Voice and SMS will be blocked at the same rate! 29

30 Broken Solutions Add more TFIs. This is an artificial boundary. Why does it exist? Add more bandwidth. Session establishment requires a few seconds, so adding bandwidth should speed this up and alleviate the problem. lim T hroughput = #Requests # Requests BW Setup(P aging, W aiting, P rocessing) T hroughput = Setup(P aging, W aiting, P rocessing) + T ransmission 30

31 The Failure of Bandwidth Control Channel Throughput (packets/sec) (requests/sec) Setup Latency = 1 sec 2 sec 3 sec 4 sec 5 sec Decreasing the cost of connection establishment requires reducing connection setup latency. Increased Rate Bandwidth (packets/sec) Today 31

32 Connecting the Dots... The concept of connection establishment is considerably different in cellular and data networks. Cellular networks page, wake and negotiate with hosts. Data networks simply forward packets. These networks were specialized to deliver voice, but data service has been shoehorned in... The setup for data connections simply can not be amortized like voice calls... 32

33 Clash of Design Philosophies The Internet uses the End-to-End Principle as its guiding philosophy. Cellular data networks are still fundamentally circuit-switched systems. Because specialized networks implement more functionality than absolutely necessary for all flows, they exhibit rigidity. Such systems are unable to adapt to meet changing requirements and conditions. 33

34 A Cautionary Tale... Cellular networks are among the most specialized systems ever constructed. Adding services that violate the assumptions upon which the network is optimized allows an attacker to force such systems to fail at very low rates... The unintended consequence of attempts to save battery life allow attackers to shut down the network. Many more vulnerabilities exist in this network... 34