Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge



slide-1
SLIDE 1

Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge

Brad Reaves*, Ethan Shernan**, Adam Bates*, Henry Carter**, Patrick Traynor*

*Florida Institute for Cyber Security, University of Florida
**Georgia Institute of Technology

Presented By: Gohar Irfan

slide-2
SLIDE 2

Are you happy with your long distance carrier?

  • There is a black market for long-distance and international call termination
  • Some companies provide “gray routes” that deliver calls without paying required tariffs or using regulated interconnects between carriers
  • How do you connect to a carrier without them knowing?

slide-3
SLIDE 3

Typical International Call

slide-4
SLIDE 4

Enter: Simbox Fraud

  • The point of this setup is to deliver a call into carrier B without paying for a real interconnection with that carrier.
  • Carriers use the term “interconnect bypass fraud”
  • We’ll use the term “simbox fraud” for this talk

[Figure: call path diagram. Labels: PSTN Network A, Internet, International Border, VoIP, Simbox, GSM, Legitimate Local Call, PSTN Network B]

slide-5
SLIDE 5

This is a real problem

Cellular networks are necessarily provisioned under an assumption of average call volume per cell. The cellular network is fundamentally incapable of supporting the load of an illicit, unlicensed telecommunications provider.

Not to mention:

  • Call quality is terrible
  • People near the simbox operation have trouble placing calls
  • It costs carriers $2 Billion annually
slide-6
SLIDE 6

Cellular Networks

  • GSM (Global System for Mobile Communications)
  • 2G
  • 3G
  • 4G LTE
  • SIM (Subscriber Identity Module)
  • GSM Full Rate (GSM FR) for encoding
slide-7
SLIDE 7

VoIP

  • Voice over Internet Protocol
  • IP Only
  • IP-PSTN
  • Carried over UDP
  • Characteristics:
  • Packet loss
  • Jitter
  • Gaps are filled by silence (default)
  • PLC (Packet Loss Concealment Algorithms)
slide-8
SLIDE 8

Simbox

  • Connects VoIP calls to GSM network
  • There is a strong legitimate market for these
  • Private Enterprise Telephone Networks
  • Support hundreds of SIM cards and codecs
  • “Sim Servers” – use “virtual SIM cards” for calls
slide-9
SLIDE 9

Ammit

  • This work presents the Ammit system
  • Key Insight: Simboxed call audio will sound different than legitimate call audio
  • Ammit detects individual calls in real time at the tower servicing the simbox
  • Ammit can isolate individual calls and SIM cards after just 20 calls

slide-10
SLIDE 10

Why Ammit Works

[Figure: the simbox call path (PSTN Network A, Internet, International Border, VoIP, Simbox, GSM, Legitimate Local Call, PSTN Network B) annotated with where audio degrades: Source Network Degrades, VoIP Degrades, Over-the-Air Degrades]

slide-11
SLIDE 11

Dealing with Air Loss

  • Cellular voice sees typical loss rates of several percent
  • How are we supposed to tell legitimate losses from losses due to simboxing?
  • Have the tower keep track of lost frames and ignore them when analyzing the audio!

slide-12
SLIDE 12

Audio degradations in VoIP

Because VoIP is entirely digital, audio only degrades from lost (or really late) packets.

When losses occur, a VoIP client can either:

  1. Insert silence
  2. Try to conceal packet losses

slide-13
SLIDE 13

Detecting Unconcealed Losses

We can compute the short-term energy of audio and look for sudden drops and rises again

[Figure: short-time energy vs. time (ms); legend: Packet Loss, Detected Loss, True Positive, Undetectable Loss]
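An added example (not from the slides or the Ammit authors) of the check described above: compute short-time energy, flag runs where it collapses and returns abruptly, and skip gaps the tower already recorded as lost air-interface frames. The 8 kHz rate, 5 ms window, thresholds and the test signal are assumptions constructed for illustration.

```python
import math

RATE = 8000   # Hz, narrowband telephony (assumed)
WIN = 40      # samples per analysis window = 5 ms (assumed)

def short_time_energy(samples, win=WIN):
    """Mean squared amplitude of each non-overlapping window."""
    return [sum(x * x for x in samples[i:i + win]) / win
            for i in range(0, len(samples) - win + 1, win)]

def silence_gaps(samples, air_loss_ms=(), floor=1e-6, edge=0.5, max_ms=80):
    """(start_ms, end_ms) runs where energy collapses and returns abruptly.
    air_loss_ms: intervals the tower recorded as lost GSM frames; gaps
    overlapping them are air-interface loss and are ignored.
    """
    e = short_time_energy(samples)
    ms = 1000 * WIN // RATE
    peak = max(e)
    gaps, i = [], 0
    while i < len(e):
        if e[i] > floor:
            i += 1
            continue
        j = i
        while j < len(e) and e[j] <= floor:
            j += 1
        before = e[i - 1] if i else 0.0
        after = e[j] if j < len(e) else 0.0
        start, end = i * ms, j * ms
        abrupt = min(before, after) >= edge * peak   # no fade in or out
        on_air = any(s < end and start < t for s, t in air_loss_ms)
        if abrupt and end - start <= max_ms and not on_air:
            gaps.append((start, end))
        i = j
    return gaps

def constructed_call():
    """250 ms constructed test signal: 200 Hz tone, amplitude 0.1."""
    amp = [0.1] * 2000
    for n in range(320, 480):      # 40-60 ms: frame lost over the air
        amp[n] = 0.0
    for n in range(800, 960):      # 100-120 ms: VoIP loss, silence inserted
        amp[n] = 0.0
    for n in range(1280, 1600):    # 160-200 ms: natural fade-out
        amp[n] = 0.1 * (1600 - n) / 320
    for n in range(1600, 2000):    # 200-250 ms: natural pause
        amp[n] = 0.0
    return [a * math.sin(2 * math.pi * 200 * n / RATE) for n, a in enumerate(amp)]
```

The gradual fade into the pause is rejected because the energy on either side of it is far below the call's peak, which is what separates it from an inserted-silence gap.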

slide-14
SLIDE 14

Detecting concealed losses

  • Authors looked at the GSM-FR packet loss concealment algorithm
  • GSM-FR conceals losses by repeating and attenuating the last good 20 millisecond frame.
  • Cepstral analysis (used for echo detection) can detect this

slide-15
SLIDE 15

GSM-FR Loss

[Figure: audio amplitude vs. time (ms), with the original signal and the repeated, attenuated signal marked; cepstrum magnitude vs. quefrency (ms)]
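An added example (not the authors' detector) of the cepstral check described above: a frame repeated 20 ms later at lower amplitude behaves like an echo and produces a cepstral peak at a quefrency of 20 ms. The 8 kHz rate, 0.8 attenuation, 0.2 threshold and the noise frames are constructed assumptions.

```python
import cmath
import math
import random

RATE = 8000    # Hz (assumed narrowband telephony rate)
FRAME = 160    # samples in one 20 ms frame at 8 kHz
NFFT = 512     # zero-padded transform length

def dft(x, inverse=False):
    """Naive O(n^2) DFT; adequate for a single 512-point window."""
    n = len(x)
    sign = 1 if inverse else -1
    tw = [cmath.exp(sign * 2j * math.pi * k / n) for k in range(n)]
    out = [sum(x[t] * tw[(k * t) % n] for t in range(n)) for k in range(n)]
    return [v / n for v in out] if inverse else out

def real_cepstrum(window):
    """Inverse DFT of the log magnitude spectrum."""
    padded = list(window) + [0.0] * (NFFT - len(window))
    log_mag = [math.log(abs(v) + 1e-12) for v in dft(padded)]
    return [v.real for v in dft(log_mag, inverse=True)]

def repeated_frame_peak(window, lo_ms=5, hi_ms=25):
    """(quefrency_ms, magnitude) of the largest cepstral value in range."""
    c = real_cepstrum(window)
    lo, hi = lo_ms * RATE // 1000, hi_ms * RATE // 1000
    q = max(range(lo, hi + 1), key=lambda i: c[i])
    return q * 1000 / RATE, c[q]

def looks_concealed(window, threshold=0.2):
    """True when the strongest peak sits at the 20 ms frame period."""
    q_ms, mag = repeated_frame_peak(window)
    return abs(q_ms - 20.0) < 0.5 and mag > threshold

def constructed_windows(atten=0.8, seed=7):
    """Two constructed 40 ms windows of noise-like audio:
    (last good frame + attenuated repeat, two unrelated frames)."""
    rng = random.Random(seed)
    a = [rng.uniform(-0.1, 0.1) for _ in range(FRAME)]
    b = [rng.uniform(-0.1, 0.1) for _ in range(FRAME)]
    return a + [atten * s for s in a], a + b
```

For a window holding a frame and its copy scaled by `atten`, the peak height at 20 ms is roughly `atten / 2`, so heavier attenuation makes the repeat harder to see.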

slide-16
SLIDE 16

Simulation Setup

  • Simulated sets of 20 calls from 99 speakers to test effects of detecting multiple calls from a single SIM
  • Tested Ammit on 462 individual simulated calls to systematically measure effect of loss rate and codec

[Figure: simulation pipeline. Labels: TIMIT Audio; VoIP Simulator (Encode Audio, Packetize, Internet Loss, Silence/PLC); Transit Encode, Channel Loss, Transit Decode; GSM Air Simulator (Encode Audio, GSM Frame Errors); Ammit Simbox Detector (GSM PLC Detector, Silence Insertion Detector, Simbox Decision)]

slide-17
SLIDE 17

Results: Individual Simulated Calls

[Figure: bar chart of % calls detected vs. % loss rate (1, 2, 5) for GSM-FR, GSM-FR PLC, G.711 and legitimate calls (FP); bar values as extracted: 30, 26, 15, 1, 49, 66, 100, 92, 87]

slide-18
SLIDE 18

Results: Detecting Simulated SIMs

[Figure: bar chart of % SIMs detected vs. % loss rate (1%, 2%, 5%) for G.711, GSM-FR and GSM-FR PLC; bar values as extracted: 28, 43, 100, 96]

slide-19
SLIDE 19

Results: Real Simbox Calls

  • 100 simboxed and normal calls
  • 87% of simboxed calls detected — no false positives

slide-20
SLIDE 20

Security Assumptions

  • Ammit hardware and software no less accessible to attackers than network core (e.g. billing systems)
  • Ammit analyzes all call audio (Our implementation could handle up to 150 simultaneous calls.)
  • Ammit reports single-call judgements to a central location (like the HLR)
  • Ammit is widely deployed (to prevent trivial evasion)

slide-21
SLIDE 21

Potential evasions

Simboxers may try to evade Ammit, but it will be hard to do. Here are some tricks they could try:

  • Redundantly transmit audio to avoid packet loss (expensive)
  • Try PLCs that Ammit doesn't know about (Most are known)
  • Transmit bad VoIP frames to the tower as damaged GSM frames (really hard and probably detectable)

slide-22
SLIDE 22

Take-aways

  • The use of simboxes for interconnect bypass fraud represents a threat to the reliable function of cellular networks that billions rely on.
  • Ammit uses call audio to detect simbox calls in real time, stopping them at the source before they can be profitable

slide-23
SLIDE 23

Discussion:

  • Why is this approach good/bad?
  • Can you think of ways to circumvent Ammit?
  • Would this be practical to install in real telephone networks?
  • What happens if you have an ideal loss-less VoIP connection?