Mobile Security Fall 2012

Similar documents
Mobile Security / /

Mobile Security Fall 2013

Mobile Security Fall 2014

Mobile Security Fall 2015

CS Computer and Network Security: GSM Overload

Wireless Network Security Spring 2011

CSE Computer Security (Fall 2006)

GPRS System Architecture

10 Call Set-up. Objectives After this chapter the student will: be able to describe the activities in the network during a call set-up.

Mobile Communications

WIRELESS SYSTEM AND NETWORKING

FROM GSM TO LTE-ADVANCED: AN INTRODUCTION TO MOBILE NETWORKS AND MOBILE BROADBAND 2. GENERAL PACKET RADIO SERVICE (GPRS) AND EDGE

General Packet Radio Service (GPRS) 13 年 5 月 17 日星期五

GPRS and UMTS T

GSM System Overview. Ph.D. Phone Lin.

GSM. Course requirements: Understanding Telecommunications book by Ericsson (Part D PLMN) + supporting material (= these slides) GPRS

SMS ATTACKS AND SECURITY IN MOBILE COMPUTING

Dimensioning, configuration and deployment of Radio Access Networks. part 1: General considerations. Mobile Telephony Networks

Attacking Mobile-Terminated Services in GSM

Understand iwag Solution for 3G Mobile Data

Mobile Security Fall 2013

M2M in the Real World: Security Best Practices and Lessons Learned

Mobile Networks Evolution: Economic Aspects of Evolution towards IMT2000

UNIT-5. GSM System Operations (Traffic Cases) Registration, call setup, and location updating. Call setup. Interrogation phase

Cellular Networks and Mobility

Chapter 7. Wireless and Mobile Networks. Computer Networking: A Top Down Approach

GPRS security. Helsinki University of Technology S Security of Communication Protocols

End-to-end IP Service Quality and Mobility - Lecture #5 -

Lecture overview. Modifications and derivatives of GSM Data transmission in GSM: HSCSD GPRS part one EDGE

Nexus8610 Traffic Simulation System. Intersystem Handover Simulation. White Paper

Attacks on WLAN Alessandro Redondi

GSM Hacking. Wireless Mobile Phone Communication 30 th January 2014 UNRESTRICTED EXTERNAL

Mobile Security / /

Mobility: vocabulary

Basics of GSM in depth

NETWORK SECURITY. Ch. 3: Network Attacks

CSC 401 Data and Computer Communications Networks

Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks

ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

GSM and Similar Architectures Lesson 13 GPRS

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

SIMULATION FRAMEWORK MODELING

40 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 17, NO. 1, FEBRUARY 2009

Addressing Current and Future Wireless Demand

CSC 4900 Computer Networks: Mobility

Chapter 10: Denial-of-Services

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

Kapsch CarrierCom. Challenging limits

Last time?! Block 3: Lecture 1! Wireless networks! Ingredients 2: Antennas! Ingredients 1: Mobile Phones, PDAs & Co.! 20/05/14. Part 3: lecture 3!

Real-World Experience with a Mobile Broadband Network

Mobile Security Fall 2013

Cell Catcher CC1900 3G Target Identifier + IMSI Catcher + Phone Tracking

Link Layer: Retransmissions

Exploiting Open Functionality in SMS-Capable Cellular Networks

DNS Security. Ch 1: The Importance of DNS Security. Updated

Wireless Network Security Spring 2016

INTRODUCTION ON D-DOS. Presentation by RAJKUMAR PATOLIYA

GSM security country report: Estonia

CSE 565 Computer Security Fall 2018

ETSI TS V ( )

EFFECTIVE DEFENCE In a connected world. Philippe COTELLE, Airbus Defence and Space 2016, Nov 4th

2001, Cisco Systems, Inc. All rights reserved. Copyright 2001, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.

E3-E4 (CM MODULE) CDMA x & EV-DO. For internal circulation of BSNL only

GSM security country report: Thailand

Pertemuan 7 GSM Network. DAHLAN ABDULLAH

Wireless Network Security Spring 2011

Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks

Mobile forensics. SMS (Short Message Service) EMS, MMS, CBS

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Wireless Network Security Spring 2012

COPYRIGHTED MATERIAL. Introduction. Harri Holma and Antti Toskala. 1.1 WCDMA technology and deployment status

Wireless systems overview

Rab Nawaz Jadoon. Cellular Systems - II DCS. Assistant Professor. Department of Computer Science. COMSATS Institute of Information Technology

Hands-On Modern Mobile and Long Term Evolution LTE

Abbreviations. Coding Scheme

Cellular Mobile Systems and Services (TCOM1010) GSM Architecture

Mobile Network Challenges (and why LACSEC should care)

Wireless Network Security Spring 2013

CTS2134 Introduction to Networking. Module 08: Network Security

Wireless Security Background

Wireless Network Security Spring 2015

Smeal College of Business - Central Firewall Rules and Policies

Cellular Communication

ENSC 835: HIGH-PERFORMANCE NETWORKS CMPT 885: SPECIAL TOPICS: HIGH-PERFORMANCE NETWORKS

Exploiting Open Functionality in SMS-Capable Cellular Networks

Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks

Beyond 3G Wireless. K.Raghunandan (RAGHU) Construction Administrator (Wireless) Communication Engineering New York City Transit (MTA)

Running GPRS/EDGE Data Services with Osmocom

End-to-End QoS in Mobile Networks

Module 6: Wireless Mobile Networks

EXPERIMENT N0: 06 AIM:TO DESIGN UMTS NETWORK USING OPNET MODELER APPARATUS: OPNET MODELER 14.0

Communication Systems for the Mobile Information Society

Advanced WiFi Attacks Using Commodity Hardware

GSM Open-source intelligence

Mobile Security Fall 2013

Wireless Network Security Spring 2014

Evolution from GSM to UMTS (IMT-2000)*

THREATS TO PACKET CORE SECURITY OF 4G NETWORK

Optimizing the Internet Quality of Service and Economics for the Digital Generation. Dr. Lawrence Roberts President and CEO,

Transcription:

Mobile Security 14-829 Fall 2012 Patrick Tague Class #5 Telecom Infrastructure Attacks

Announcements Project teams and topics need to be set soon Project topics must be approved before the proposal can be submitted/presented Each team will have 6-8 minutes to present their proposal in class on Monday Sign up for survey presentations soon Homework #1 is posted, due on September 24

Agenda Telecom infrastructure attacks DoS vulnerabilities in SMS and data systems Rogue base stations and MitM attacks

SMS, Pkt Data, & DoS Attacks

Short Messaging Service Original SMS standard (1985) outlined three types of functionality: Short message mobile terminated 1992: 1 st SMS message Short message mobile originated 2000: 5x10 9 SMS/month Short message cell broadcast 2005: 10 12 SMS/month

SMS Message Delivery SMS SMS SMSC short msg service center Where is X? X not reachable HLR ESME external short messaging entity Message Queue X

Message Delivery ESME SMS SMS SMSC short msg service center SMS Where is X? X is at MSC2 MSC1 HLR BTS1 external short messaging entity MSC2 SMS BTS2 Is X active? Yes, at BTS3 BTS3 SMS (TCH) Traffic channel X VLR

Message Delivery SMS SMSC Where is X? X is at MSC2 HLR ESME external short messaging entity SMS short msg service center SMS VLR NO Is X active? MSC1 MSC2 X? X? X? Auth X BTS1 BTS2 BTS3 Paging X (PCH) Paging channel Paging X (PCH) Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel Delivery (SDCCH) X Standalone dedicated control channel

At the SMSC: SMS Queuing Queues are finite Messages can be lost Dropping/overflow management varies by carrier For details, see [Traynor et al., JSC 2008] At the MS: Queues are finite, batteries are small If MS queue is full, HLR tells SMSC it is unavailable Batteries can be drained...

SMS-Based Attacks Two general types of attacks apply to SMS Content-based attacks Phishing, spoofing, malware, ad-ware, Behavior-based attacks Denial-of-Service (DoS), resource depletion,

Content-Based SMS Attacks Basic idea: Malicious SMS messages aim to retrieve info from users; wide-spread solicitation, similar to spam email; infect mobile devices (e.g., for mobile botnets!) Similar to web/email-based attacks

Targeted SMS DoS Flooding a user with SMS messages: 1.Buffer (@ MS or SMSC) overflow With enough flooding, SMSC will drop valid messages Some devices auto-delete previously read messages when they run out of storage 2.Valid messages are delayed beyond useful lifetime Ex: meeting reminders are useless after the meeting 3.Valid messages are buried in the SMS flood Also a battery-depletion attack...

Voice & SMS Sharing BTS3 Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel SMS delivery (SDCCH) X Standalone dedicated control channel Voice & SMS Resources TCH is not used for SMS BTS3 Paging X (PCH) X Reply (RACH) Random access channel Ch. Assign (AGCH) Access grant channel TCH Setup (SDCCH) X Standalone dedicated control channel Voice traffic (TCH) Traffic channel Both SMS and voice init. use RACH, AGCH, and SDCCH SMS flooding also works as DoS against voice calls!

Voice & SMS Sharing From [Traynor et al., Security for Telecommunications Networks, 2008]

How to DoS a City... How much SMS traffic must be sent to saturate the SDCCHs in a large metro area? SMS Capacity ~ (#Cell Towers) * (#Sectors/Tower) * (#SDCCH/Sector) * (Capacity/SDCCH) Ex: Washington DC 40 cell towers, 3 sectors/tower Either 8, 12, or 24 SDCCH/Sector Each SDCCH supports ~ 900 msgs/hour SMS Capacity ~ 240 msgs/sec (for 8 SDCCH/sector) ~ 2.8 Mbps

How to DDoS a Country... How much SMS traffic must be sent to saturate the SDCCHs in a large country? SMS Capacity ~ (Eff. Sector Density) * (Urban pop. Area) Ex: USA ~1.75 sectors / sq. mile 8 SDCCH/Sector * (#SDCCH/Sector) * (Capacity/SDCCH) Each SDCCH supports ~ 900 msgs/hour SMS Capacity ~ 325.5 Kmsgs/sec ~ 3.8 Gbps Or ~ 380 Mbps for 10x multi-recipient messaging

Potential Defenses Elimination of Internet-originated SMS Not economically practical (SMS = $) Doesn't fully solve the problem (attack from within) Separation of voice and data Complete redesign of infrastructure, hw, & sw Doesn't fully solve the problem Add more resources Rate limiting Improved queue management

Mitigating SMS Flooding Incorporate fairness and priority management into SMS queuing Weighted Fair Queuing (WFQ): Each flow goes into a separate message queue - users get a proportional share of the queue to handle their messages Weighted Early Random Detection (WRED): Messages are randomly dropped in proportion to queue occupancy variable for different service classes (emergency use, mobile originated, web originated)

Mitigating SMS Flooding From [Traynor et al., Security for Telecommunications Networks, 2008]

Cellular Data Service Internet Cellular Network Cellular data service acts as a gateway to the Internet Connecting to an open network through a closed network?

Internet Data GGSN Data Delivery Where is X? X is at SGSN2 HLR gateway GPRS support node Data SGSN1 X? BTS1 Paging X (PPCH) MS IP Address SGSN IP Address 192.168.100.1 192.168.1.2 192.168.100.2 192.168.1.2 SGSN2 serving GPRS support node X? X? Auth X BTS2 BTS3 Paging X (PPCH) Paging X (PPCH) Temporary Flow ID (TFI) marks each flow X Reply (PRACH) Ch. Assign (PAGCH) ACK (PACCH) Delivery (PDTCH)

MS Data Activity State Activity States To save battery, devices do not constantly listen for packets Ready: constantly listening for packets Standby: periodically listens for pages Idle: device is unregistered / unreachable

Data-Based DoS Attacks Establishing a data connection is costly! Timeouts are typically delayed to prevent frequent reallocation and reestablishment due to minor variation Timers ~ 5 seconds TFI field is 5 bits If an adversary establishes 32 data sessions in a sector, DoS to everyone else! Capacity ~ (#Sectors) * (#Msgs/Sector) * (Bytes/Msg) Timer duration Ex: Washington DC: 120 sectors, 41 B/Msg 252 kbps Order of magnitude less work to deny data traffic compared to SMS DoS attack on voice

Rogue Base Stations & MitM Attacks Slide credit: C. Midler & B. Tello

Rogue BTS An adversary can deploy a rogue BTS that attempts to spoof the service provided by a valid BTS, attracting users for various reasons Possible to launch a MitM attack on 2G/3G mobile connections Applies to GPRS, EDGE, UMTS, and HSPA capable devices Cheap

Typical Data Flow Device connects to BTS and establishes IP data connection with GGSN, BSC, and SGSN IP packets are tunneled to the GGSN, which (de)encapsulates them and sends them to/from the Internet BTS controls encryption options [Perez & Pico, BlackHat 2011]

Lack of Authentication GPRS and EDGE use 2G GSM authentication Devices are required to prove their identity to the BTS BTS is NOT required to prove its identity to the device

Null Encryption Support GPRS / EDGE devices are required to support null encryption (i.e., plaintext) BTS can only offer to support null encryption Most devices will accept the offer and send data in the clear

Fallback Support Devices running UMTS/HSPA (3G/3.5G) are often configured to fall back to GPRS/EDGE if no UMTS/HSPA service is available Sometimes occurs in network fringes, rural areas, etc. Also, if someone is jamming the UMTS/HSPA frequencies or certain channels

Setting up a Rogue BTS [Perez & Pico, BlackHat 2011]

Setting up a Rogue BTS GSM + GPRS + EDGE capable BTS Connects to BSC over Ethernet

Setting up a Rogue BTS Consumer grade laptop with Internet connection OpenBSC OSMOSGSN OpenGGSN

Setting up a Rogue BTS UMTS/HSPA (3G/3.5G) jammer Only required if the attacker wants to target 3G devices $25-500

MitM Attack Attacker positions BTS in range of the target Range can be improved by using a high-gain directional antenna or amplifier

Attack Details Attacker must use suitable spectrum for the target's (known) carrier network BTS must be configured to operate using these known frequencies/channels BTS configured to accept connections from desired victim phones If intent is MitM, attacker configures SGSN/GGSN to properly route traffic to Internet, otherwise, just intercepts data rather than forwarding Victim will attach to rogue BTS if power is higher than the real BTS

Defenses Major modifications would be needed to make GSM/GPRS/EDGE secure against rogue BTS Higher level protections can be used to secure data against MitM attack UMTS/HSPA devices can be configured to not fall back to 2G/2.5G 4G to the rescue?

4G Not to the Rescue

Next Time September 17: Project Proposals September 19: WiFi Authentication & Access Control WiFi and how it works Security protocols Vulnerabilities

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback