Mobile Security 14-829 Fall 2012 Patrick Tague Class #5 Telecom Infrastructure Attacks
Announcements Project teams and topics need to be set soon Project topics must be approved before the proposal can be submitted/presented Each team will have 6-8 minutes to present their proposal in class on Monday Sign up for survey presentations soon Homework #1 is posted, due on September 24
Agenda Telecom infrastructure attacks DoS vulnerabilities in SMS and data systems Rogue base stations and MitM attacks
SMS, Pkt Data, & DoS Attacks
Short Messaging Service Original SMS standard (1985) outlined three types of functionality: Short message mobile terminated 1992: 1 st SMS message Short message mobile originated 2000: 5x10 9 SMS/month Short message cell broadcast 2005: 10 12 SMS/month
SMS Message Delivery SMS SMS SMSC short msg service center Where is X? X not reachable HLR ESME external short messaging entity Message Queue X
Message Delivery ESME SMS SMS SMSC short msg service center SMS Where is X? X is at MSC2 MSC1 HLR BTS1 external short messaging entity MSC2 SMS BTS2 Is X active? Yes, at BTS3 BTS3 SMS (TCH) Traffic channel X VLR
Message Delivery SMS SMSC Where is X? X is at MSC2 HLR ESME external short messaging entity SMS short msg service center SMS VLR NO Is X active? MSC1 MSC2 X? X? X? Auth X BTS1 BTS2 BTS3 Paging X (PCH) Paging channel Paging X (PCH) Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel Delivery (SDCCH) X Standalone dedicated control channel
At the SMSC: SMS Queuing Queues are finite Messages can be lost Dropping/overflow management varies by carrier For details, see [Traynor et al., JSC 2008] At the MS: Queues are finite, batteries are small If MS queue is full, HLR tells SMSC it is unavailable Batteries can be drained...
SMS-Based Attacks Two general types of attacks apply to SMS Content-based attacks Phishing, spoofing, malware, ad-ware, Behavior-based attacks Denial-of-Service (DoS), resource depletion,
Content-Based SMS Attacks Basic idea: Malicious SMS messages aim to retrieve info from users; wide-spread solicitation, similar to spam email; infect mobile devices (e.g., for mobile botnets!) Similar to web/email-based attacks
Targeted SMS DoS Flooding a user with SMS messages: 1.Buffer (@ MS or SMSC) overflow With enough flooding, SMSC will drop valid messages Some devices auto-delete previously read messages when they run out of storage 2.Valid messages are delayed beyond useful lifetime Ex: meeting reminders are useless after the meeting 3.Valid messages are buried in the SMS flood Also a battery-depletion attack...
Voice & SMS Sharing BTS3 Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel SMS delivery (SDCCH) X Standalone dedicated control channel Voice & SMS Resources TCH is not used for SMS BTS3 Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel TCH Setup (SDCCH) X Standalone dedicated control channel Voice traffic (TCH) Traffic channel Both SMS and voice init. use RACH, AGCH, and SDCCH SMS flooding also works as DoS against voice calls!
Voice & SMS Sharing From [Traynor et al., Security for Telecommunications Networks, 2008]
How to DoS a City... How much SMS traffic must be sent to saturate the SDCCHs in a large metro area? SMS Capacity ~ (#Cell Towers) * (#Sectors/Tower) * (#SDCCH/Sector) * (Capacity/SDCCH) Ex: Washington DC 40 cell towers, 3 sectors/tower Either 8, 12, or 24 SDCCH/Sector Each SDCCH supports ~ 900 msgs/hour SMS Capacity ~ 240 msgs/sec (for 8 SDCCH/sector) ~ 2.8 Mbps
How to DDoS a Country... How much SMS traffic must be sent to saturate the SDCCHs in a large country? SMS Capacity ~ (Eff. Sector Density) * (Urban pop. Area) Ex: USA ~1.75 sectors / sq. mile 8 SDCCH/Sector * (#SDCCH/Sector) * (Capacity/SDCCH) Each SDCCH supports ~ 900 msgs/hour SMS Capacity ~ 325.5 Kmsgs/sec ~ 3.8 Gbps Or ~ 380 Mbps for 10x multi-recipient messaging
Potential Defenses Elimination of Internet-originated SMS Not economically practical (SMS = $) Doesn't fully solve the problem (attack from within) Separation of voice and data Complete redesign of infrastructure, hw, & sw Doesn't fully solve the problem Add more resources Rate limiting Improved queue management
Mitigating SMS Flooding Incorporate fairness and priority management into SMS queuing Weighted Fair Queuing (WFQ): Each flow goes into a separate message queue - users get a proportional share of the queue to handle their messages Weighted Early Random Detection (WRED): Messages are randomly dropped in proportion to queue occupancy variable for different service classes (emergency use, mobile originated, web originated)
Mitigating SMS Flooding From [Traynor et al., Security for Telecommunications Networks, 2008]
Cellular Data Service Internet Cellular Network Cellular data service acts as a gateway to the Internet Connecting to an open network through a closed network?
Internet Data GGSN Data Delivery Where is X? X is at SGSN2 HLR gateway GPRS support node Data SGSN1 X? BTS1 Paging X (PPCH) MS IP Address SGSN IP Address 192.168.100.1 192.168.1.2 192.168.100.2 192.168.1.2 SGSN2 serving GPRS support node X? X? Auth X BTS2 BTS3 Paging X (PPCH) Paging X (PPCH) Temporary Flow ID (TFI) marks each flow X Reply (PRACH) Ch. Assign (PAGCH) ACK (PACCH) Delivery (PDTCH)
MS Data Activity State Activity States To save battery, devices do not constantly listen for packets Ready: constantly listening for packets Standby: periodically listens for pages Idle: device is unregistered / unreachable
Data-Based DoS Attacks Establishing a data connection is costly! Timeouts are typically delayed to prevent frequent reallocation and reestablishment due to minor variation Timers ~ 5 seconds TFI field is 5 bits If an adversary establishes 32 data sessions in a sector, DoS to everyone else! Capacity ~ (#Sectors) * (#Msgs/Sector) * (Bytes/Msg) Timer duration Ex: Washington DC: 120 sectors, 41 B/Msg 252 kbps Order of magnitude less work to deny data traffic compared to SMS DoS attack on voice
Rogue Base Stations & MitM Attacks Slide credit: C. Midler & B. Tello
Rogue BTS An adversary can deploy a rogue BTS that attempts to spoof the service provided by a valid BTS, attracting users for various reasons Possible to launch a MitM attack on 2G/3G mobile connections Applies to GPRS, EDGE, UMTS, and HSPA capable devices Cheap
Typical Data Flow Device connects to BTS and establishes IP data connection with GGSN, BSC, and SGSN IP packets are tunneled to the GGSN, which (de)encapsulates them and sends them to/from the Internet BTS controls encryption options [Perez & Pico, BlackHat 2011]
Lack of Authentication GPRS and EDGE use 2G GSM authentication Devices are required to prove their identity to the BTS BTS is NOT required to prove its identity to the device
Null Encryption Support GPRS / EDGE devices are required to support null encryption (i.e., plaintext) BTS can only offer to support null encryption Most devices will accept the offer and send data in the clear
Fallback Support Devices running UMTS/HSPA (3G/3.5G) are often configured to fall back to GPRS/EDGE if no UMTS/HSPA service is available Sometimes occurs in network fringes, rural areas, etc. Also, if someone is jamming the UMTS/HSPA frequencies or certain channels
Setting up a Rogue BTS [Perez & Pico, BlackHat 2011]
Setting up a Rogue BTS GSM + GPRS + EDGE capable BTS Connects to BSC over Ethernet
Setting up a Rogue BTS Consumer grade laptop with Internet connection OpenBSC OSMOSGSN OpenGGSN
Setting up a Rogue BTS UMTS/HSPA (3G/3.5G) jammer Only required if the attacker wants to target 3G devices $25-500
MitM Attack Attacker positions BTS in range of the target Range can be improved by using a high-gain directional antenna or amplifier
Attack Details Attacker must use suitable spectrum for the target's (known) carrier network BTS must be configured to operate using these known frequencies/channels BTS configured to accept connections from desired victim phones If intent is MitM, attacker configures SGSN/GGSN to properly route traffic to Internet, otherwise, just intercepts data rather than forwarding Victim will attach to rogue BTS if power is higher than the real BTS
Defenses Major modifications would be needed to make GSM/GPRS/EDGE secure against rogue BTS Higher level protections can be used to secure data against MitM attack UMTS/HSPA devices can be configured to not fall back to 2G/2.5G 4G to the rescue?
4G Not to the Rescue
Next Time September 17: Project Proposals September 19: WiFi Authentication & Access Control WiFi and how it works Security protocols Vulnerabilities