CIS 6930 - Cellular and Mobile Network Security: End-to-End


  1. CIS 6930 - Cellular and Mobile Network Security: End-to-End Authentication Professor Patrick Traynor 11/8/2018 (Thanks to Adam Doupé and Brad Reaves) Florida Institute for Cybersecurity (FICS) Research

  2. Announcements
     • Abstracts for Course Project Due 11/13 (Tuesday)
       • Assignment is already open on Canvas
       • Turn in PDF and .tex source!
     • Tuesday class will be pre-recorded
     • Are your experiments running?
     • You should each be prepping a 12-15 min presentation for 11/29…

  3. What Are We Authenticating?
     • We’ve talked about authentication in the context of 1-4G networks…
     • …so who gets authenticated to what?
       • 1G - Authentication by assertion - nobody to nobody
       • 2G - User to network (BS)
       • 3G - Mutual authentication (UE to Node B)
       • 4G - Mutual authentication (UE to EnB/MME)
     • Is that enough?
     • Like so many other questions, it depends…

  4. Quiz Time
     [Figure: two panels, each showing "1-800-432-1000" and "Bank of America"]

  5. Who Are You?
     • We have built an array of mechanisms to attest to identity for the Internet.
       • Well, for well-known entities on the Internet.
     • Phones are our backup, our trusted platform…
     • …and yet even a security expert cannot tell who is calling him/her.
     • What we need are stronger notions of identity for these devices.
     • …or at least an understanding of the limits…

  6. End-to-End Authentication
     • Assertion: One of the great technological failures of the 21st century (thus far) is that my financial institutions, public services and government can’t call me on the phone.
     • So how do we fix it?
     • This set of lectures deals with precisely this problem.
     • We’ll look at a range of mechanisms to help us understand the state of the art and figure out what comes next.
     • What guarantees do we get from any of these things?

  7. Modern Telephony Systems
     [Figure: diagram of interconnected networks: PSTN, cell network, VoIP carrier, VoIP proxy, web services, Internet, gateways, intermediary IP and telco networks]

  8. What Happens in a Call
     Along the way:
     1. Identity is asserted, not attested
        • No authentication of ID
     2. Signaling protocols change
        • ID assertion is not easily fixed
     3. Audio compression changes
     The only thing we can guarantee that is transmitted correctly is voice.
     [Figure: the network diagram from slide 7]

  9. Blacklists
     • Blacklist yourself - use the National Do Not Call Registry!
     • If you know which numbers are used as part of scams, just block those!
     • Multiple applications now offer communal blacklists (e.g., True Caller, NoMoRobo, Mr. Number, etc).
       • Under a variety of different monetization models.
     • Problem: Caller ID values are asserted and not attested.
       • So attackers can simply switch numbers every time and evade ALL of these systems.
     • We’re going to need something better…

  10. Recall: Analog vs Digital
     Phone systems are generally classified as either analog or digital.
     • What exactly does that mean?
     • This is all about how data is represented and delivered through the network.
     • Analog is the translation of voice/sound into electrical impulses.
       • Pure waveform representations of sounds.
     • Digital is an approximation of this waveform, represented in 0s and 1s.

  11. What is a Codec?
     • When we choose the digital option, we also have to decide how we are going to encode our data.
       • At what bit rate?
       • With what expectation of audio quality?
       • At what compression?
       • With what assumptions about loss rates?
       • With what knowledge of network bandwidth?

  12. Codec - GSM-FR
     • Pulse Code Modulation (PCM) is the basis for GSM Full-Rate (GSM-FR) voice encoding.
     • 8 kHz samples (64 kbps) reduced to 13.2 kbps using Regular Pulse Excitation - Long Term Prediction (RPE-LTP).
     • What can vary here?
     [Figure: Sender → RPE-LTP Encoder → 260-bit frame → RPE-LTP Decoder → Receiver; audio enters and leaves in 20 msec blocks of 160 samples]

  13. Solution: Call Provenance
     • Information about the source and path taken by a call
       • Where is this call coming from?
       • Is this really Bank of America calling?
     • Observe that receiver-end call audio embeds artifacts of the networks that it traverses
       • Packet loss in a VoIP network
     • Advantage: Provenance determined completely at the receiving end without infrastructure modifications

  14. PinDr0p Overview
     Goal
     • What is the path taken by a call?
     • What is the source of a call?
     • For each network, extract features
     • Identify and characterize the network
     • Robust to manipulation
     [Figure: a call to Alice traverses Cell, VoIP and PSTN networks; features (packet loss, noise, quality) are extracted and passed to an ML classifier that identifies and characterizes the networks, giving a path traversal signature (call signature)]

  15. Short Term Energy To Detect Packet Loss
     [Figure: amplitude and short term energy (STE) plotted against time (s) for an iLBC call (packet loss visible as a 30 ms floor) and a Speex call (20 ms floor)]
     • Short term energy (STE) is used to detect abrupt losses in energy
     • Packet loss (PL) is detected by looking for a significant drop in energy followed by an energy floor, accompanied by a significant rise
     • Length of the energy floor depends on the amount of audio lost
     • The exact multiple is also an indication of the codec used - G.729 uses 10 ms, G.711 and Speex use 20 ms and iLBC uses 30 ms
     • STE identifies if there is a VoIP network and the codec used, and characterizes the network based on its loss rate
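
An added example, not taken from the slides or from PinDr0p itself: a minimal STE-based loss detector that follows the steps on slide 15 (drop, energy floor, rise, floor length as a multiple of the packet duration). It assumes lost packets show up as near-silence with no packet loss concealment, runs on a constructed 8 kHz tone, and its function names, 5 ms window and floor threshold are illustrative choices.

```python
import math
from functools import reduce

RATE = 8000                      # narrowband telephony sampling rate (Hz)
WIN_MS = 5                       # STE window length (assumed resolution)
WIN = RATE * WIN_MS // 1000      # 40 samples per window
CODEC_BY_FRAME_MS = {10: "G.729", 20: "G.711 or Speex", 30: "iLBC"}

def synth_call(seconds, lost_spans_ms):
    """Constructed audio: a 440 Hz tone with (start_ms, length_ms) spans
    zeroed to mimic packets lost without concealment."""
    audio = [0.5 * math.sin(2 * math.pi * 440 * n / RATE)
             for n in range(int(seconds * RATE))]
    for start, length in lost_spans_ms:
        lo, hi = start * RATE // 1000, (start + length) * RATE // 1000
        audio[lo:hi] = [0.0] * (hi - lo)
    return audio

def short_term_energy(audio):
    """Sum of squared samples over consecutive non-overlapping windows."""
    return [sum(s * s for s in audio[i:i + WIN])
            for i in range(0, len(audio) - WIN + 1, WIN)]

def loss_events(ste, floor_ratio=1e-4):
    """Return (start_ms, length_ms) for each energy floor: a run of windows
    far below the median energy, entered by a drop and left by a rise."""
    floor = sorted(ste)[len(ste) // 2] * floor_ratio
    events, run_start = [], None
    for i, energy in enumerate(ste):
        if energy < floor:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if run_start > 0:            # ignore silence at the very start
                events.append((run_start * WIN_MS, (i - run_start) * WIN_MS))
            run_start = None
    return events

def characterize(audio):
    """Estimate the packet duration as the GCD of the floor lengths (each a
    whole number of lost packets), map it to a codec, and compute loss rate."""
    events = loss_events(short_term_energy(audio))
    lengths = [10 * round(ms / 10) for _, ms in events if ms >= 10]
    if not lengths:
        return None, "no VoIP loss seen", 0.0
    frame_ms = reduce(math.gcd, lengths)
    loss_rate = sum(lengths) / (len(audio) * 1000 / RATE)
    return frame_ms, CODEC_BY_FRAME_MS.get(frame_ms, "unknown"), loss_rate
```

The GCD is only an upper bound on the packet duration: if every observed floor happens to be 60 ms long, the result is "unknown" until a shorter floor is seen.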

  16. Identifying and Characterizing PSTN and Cellular Networks
     • PSTN - G.711
       • Uncompressed (64 kbps) - high fidelity audio
       • Waveform codec - introduces noise only during speech activity (multiplicative noise)
     • Cellular - GSM
       • Significant compression (13 kbps) - lower quality audio
       • Speech model - no multiplicative noise
     • High fidelity audio detected by spectral clarity
     • Presence of multiplicative noise detected by spectral level range and deviation
     • Combination of noise characteristics used to identify and characterize PSTN and cellular networks
     [Figure: 3-D scatter plot with axes Noise Spectral Range, Noise Spectral Deviation and Spectral Clarity; legend: G.711, Speex, iLBC, G.729, GSM]

  17. Overall PinDr0p Architecture
     • PL and PLC features - identify and characterize VoIP network
     • Noise features - identify and characterize PSTN and cellular networks
     • Quality features - identify number of networks as quality degrades with networks traversed
     • Create combined feature vector for each call sample
     • Label based on signature required
     [Figure: Extract Features (STE, noise statistics, P.563 score, correlation) → PL/PLC Features, Noise Features, Quality Features → Feature Vector]

  18. Evaluation: Call Signature
     [Figure: two confusion matrices over the call sources (ATL-Cell, DAL-LL, NYC-Cell, ATL-Skype, ATL-LL, PUN-MJack, ATL-GT1, ATL-Von, ATL-GT2, DUB-Von, BAL-MJack, MEL-NFone, FRA-LL, LON-Cell, SJC-Cell), (a) accuracy = 90% and (b) accuracy = 97.5%; map legend: PSTN, Cellular, Skype, MagicJack, Vonage and MyNetPhone origins, testbed in Atlanta]
     • 16 different locations, each making 10 calls of duration 20 seconds to testbed in Atlanta
     • Train classifier on N (1 - 5) call sets and test on 5 random unseen sets
     • With single call set 90% accuracy, increases to 97.5% with 3 labeled call sets, 100% with 5 labeled call sets
     • London mobile phone misclassified as New York mobile phone (~origin) or France landline (~distance)
     • Able to distinguish phones from same location, e.g., three landline phones from Atlanta
     • Vonage calls show PSTN characteristics - immediately transfers to PSTN backbone for high quality of service
     • Features we extract are consistent for same call source but have enough variability to distinguish different call sources
