CIS 6930 - Cellular and Mobile Network Security: GSM Overload - - PowerPoint PPT Presentation

Florida Institute for Cybersecurity (FICS) Research

CIS 6930 - Cellular and Mobile Network Security: GSM Overload

Professor Patrick Traynor 11/1/18

Florida Institute for Cybersecurity (FICS) Research

Reminders

• You need to start working on your project!
• Some of you have not yet built anything. This will be a problem soon!
• Remember, you must turn in all of your code, plus a makefile and

instructions on how to run it!

• Remember to keep doing your reading!
• Not just for the final, but also so that you can participate in the class!

2

Florida Institute for Cybersecurity (FICS) Research

Unintended Consequences

• The law of unintended consequences states that 


most human actions have at least


• ne unintended consequence.

3

Florida Institute for Cybersecurity (FICS) Research

Low Rate DoS Attacks

• While recent attacks on cellular networks seem unrelated, there is a common factor that catalyzes

them all.


• Comparing multiple attacks uncovers causality:
• SMS Attack 


(JCS’09, CCS’05)

• Network Characterization and


Partial Mitigations (TON’10, MobiCom’06)

• Data

Teardown/Setup Attacks


(USENIX Security’07)


• The architecture of cellular networks inherently makes them susceptible to denial of service attacks.

Clash of Design 
 Philosophies

4

Florida Institute for Cybersecurity (FICS) Research

SMS Delivery (simplified)

Network Internet PSTN

MSC

VLR VLR

MSC

ESME

HLR

SMSC

CCH

5

Florida Institute for Cybersecurity (FICS) Research

Control Channels

• Control channels are used for a handful of infrequently used functions.
• Call setup, SMS delivery, mobility management, etc...

• The SDCCH allows the network to perform most of these functions.

• The number of SDCCHs typically depends on the expected use in an area.
• 4/8/12...

PCH AGCH RACH SDCCH

6

Florida Institute for Cybersecurity (FICS) Research

Recognition

• Once you fill the SDCCH channels with SMS traffic, call setup is blocked
• The goal of an adversary is therefore to fill SDCCHs with SMS traffic.
• Not as simple as you might think...

SMS Voice SMS SMS SMS SMS SMS SMS SMS X

7

Florida Institute for Cybersecurity (FICS) Research

Reconnaissance

• Can such an attack be launched by targeting a single phone?
• Low end phones: 30-50 msgs
• High end phones: 500+ msgs (battery dies)

• How do you get messages into the network?
• Email, IM, provider websites, bulk senders, etc...

• Don’t the networks have protections?
• IP Address blocking, Spam filtering

8

Florida Institute for Cybersecurity (FICS) Research

Finding Phones

• North American Numbering Plan (NANP)


• Mappings between providers and exchanges publicly documented

and available on the web

• Implication: An adversary can identify the prefixes used in a target

area.

NPA-NXX-XXXX

Numbering Plan Area (Area code) Numbering Plan Exchange

9

Florida Institute for Cybersecurity (FICS) Research

Web-Scraping

• Googling for phone numbers 


gives us better results:
 
 7,300 in NYC
 6,184 in D.C.
 
 in 5 seconds...

10

Florida Institute for Cybersecurity (FICS) Research

Provider Interfaces

• Almost all provider interfaces indicate whether or not a number is good.
• Some sites even tell you a target phone’s availability.

• This interface is an “oracle” for available phones.

11

Florida Institute for Cybersecurity (FICS) Research

Exploit (Metro)

• 165 msgs/sec * 1500 bytes = 1933.6 kb/sec
• 193.36 kb/sec on multi-send interface...
• Comparison: Cable modem ~= 768 kb/sec

Sectors in Manhattan SDCCHs per sector Messages per SDCCH per hour

C

• (55 sectors)

„12 SDCCH 1 sector « „900 msg/hr 1 SDCCH «

• 594, 000 msg/hr
• 165 msg/sec

12

Florida Institute for Cybersecurity (FICS) Research

Attack Profile

• Applied simulation and analysis to better characterize the attacks.
• Examined call blocking under multiple arrival patterns with exponentially distributed

service times.

• Using 495 msgs/sec, a blocking probability of 71% is possible with the bandwidth of a

cable modem.

0.2 0.4 0.6 0.8 1 1.2 500 1000 1500 2000 2500 3000 3500 4000 Utilization Time (seconds) SDCCH Utilization TCH Utilization

SDCCH Utilization TCH Utilization

13

Florida Institute for Cybersecurity (FICS) Research

Security Goals

• Goal: To preserve the fidelity of both voice services and legitimate text messages

during targeted SMS attacks.


• Security Model:
• We must trust equipment in the network core.
• We can not trust Internet users or customer devices.


14

Florida Institute for Cybersecurity (FICS) Research

Placing Mitigations

Network Internet PSTN

MSC

VLR VLR

MSC

ESME

HLR

SMSC

15

Florida Institute for Cybersecurity (FICS) Research

Solution Classifications

• Scheduling/Shaping/Regulation
• WFQ, Leaky Bucket, Priority Queues
• AQM (WRED, REM, AVQ)

• Resource Provisioning
• SRP
• DRP
• DCA

16

Florida Institute for Cybersecurity (FICS) Research

WRED - Overview

Low Med High

tlow,min tmed,min tmed,max

tlow,max

17

Florida Institute for Cybersecurity (FICS) Research

WRED - Overview

Low Med High

ρtarget = ρactual(1 − Pdrop)

Pdrop = Pdrop,high · λhigh + Pdrop,med · λmed + Pdrop,low · λlow λSMS

Pdrop = Pdrop,max · (Qavg − tmin) (tmax − tmin)

tlow,min tmed,min tmed,max

tlow,max

NQ = PQ ρ 1 − ρ

18

Florida Institute for Cybersecurity (FICS) Research

WRED - Results

• Messages of high and medium-priority experience no blocking, but increased delay.
• An average of 77% of low-priority messages are blocked.
• This is a nice solution, assuming meaningful partitioning of flows.

0.2 0.4 0.6 0.8 1 500 1000 1500 2000 2500 3000 3500 4000 Percent of Attempts Blocked Time (seconds) Service Queue (SMS - Priority 1) Service Queue (SMS - Priority 2) Service Queue (SMS - Priority 3)

Low Priority SMS Blocking

0.2 0.4 0.6 0.8 1 500 1000 1500 2000 2500 3000 3500 4000 Utilization Time (seconds) SDCCH TCH Service Queue

Average Queue 
 Occupancy

19

Florida Institute for Cybersecurity (FICS) Research

...and yet...

• Performance improvements come from one of two changes: speedup or

parallelization.


• As diverse as our solutions appear, they all attempt to maximize performance

through the latter.

• In many senses, we are not solving the problem - we are pushing food

around on our plate.


• Adding bandwidth should logically


address this problem.

20

Florida Institute for Cybersecurity (FICS) Research

Cellular Data Networks

• GPRS/EDGE provide much higher bandwidth service.

• Packet-switched data services are attractive to providers and users for a number of

reasons.


• User devices operate in one of three 


states: IDLE, STANDBY and READY.

• IDLE: The device is unavailable.
• STANDBY: Available, but not 


exchanging packets.

• READY: Actively listening for packets.

STANDBY READY IDLE GPRS Attach READY Timer Expires Paging Request STANDBY Timer Expires GPRS Detach

21

Florida Institute for Cybersecurity (FICS) Research

Internet

IP Address SGSN 192.168.100.1 192.168.1.2 192.168.100.2 192.168.1.2

HLR GGSN SGSN

Data Architecture

22

Florida Institute for Cybersecurity (FICS) Research

Real Network Configs

• To make these simulations represent reality, we use a Samsung Blackjack in

Field Test Mode to discover settings of an operational network.


• Field Test Mode tells us that control channels for voice and data are shared in

real networks.

• Voice and data traffic may be 


able to interfere with each 


• ther.

23

Florida Institute for Cybersecurity (FICS) Research

Reducing Overhead

• Because paging is so expensive, we don’t want to do it for every packet.

• Establishing a connection takes 5 seconds:
• Waiting: Paging, Wakeup, Processing, Acquiring timeslots
• Transmission

• GPRS differentiates packets at the MAC layer by Temporary Block Flows

(TBFs).

• Each TBF is assigned a Temporary Flow ID (TFI).

24

Florida Institute for Cybersecurity (FICS) Research

Teardown Attack: Overview

• TFIs are implemented as 5-bit fields, yielding a maximum of 32 concurrent

flows.


• If you send a message to a phone once every 5 seconds, the targeted device

maintains its TFI.

• An adversary can therefore cause legitimate flows to block due to TBF/TFI

exhaustion.


Capacity ≈ 55 sectors × 32 msgs 1 sector × 41 bytes 1 msg × 1 5 sec ≈ 110 Kbps

Capacity ≈ 55 sectors × 4 → 16 msgs 1 sector × 41 bytes 1 msg × 1 5 sec ≈ 14.1 → 56.4 Kbps

25

Florida Institute for Cybersecurity (FICS) Research

Teardown Attack: Results

• If an attacker can send 160Kbps of data traffic, 


97% of legitimate traffic will be blocked.

• Note that data service is blocked with less than 30% of the attack traffic

previously used to attack SMS.

0.2 0.4 0.6 0.8 1 200 180 160 140 120 100 Average Percent Blocking During Attack Attack Traffic (kbps)

RACH (Data) RACH (Voice) PDTCH (Data) TCH (Voice)

26

Florida Institute for Cybersecurity (FICS) Research

Setup Attack

• To prevent this attack, we reclaim TFIs when the base station sends the “last” packet in a flow.
• If an attacker can send 4950Kbps of attack traffic, over 85% of all legitimate traffic will be

blocked.

• Voice and SMS will be blocked at the same rate!

0.2 0.4 0.6 0.8 1 2200 2750 3300 3850 4400 4950 Average Percent Blocking During Attack Attack Traffic (kbps)

RACH (Data) RACH (Voice)

27

Florida Institute for Cybersecurity (FICS) Research

Broken Solutions

• Add more TFIs.
• This is an artificial boundary. Why does it exist?

• Add more bandwidth.
• Session establishment requires a few 


seconds, so adding bandwidth should speed 
 this up and alleviate the problem.

lim

BW →∞ Throughput =

# Requests Setup(Paging, Waiting, Processing)

Throughput = #Requests Setup(Paging, Waiting, Processing) + Transmission

28

Florida Institute for Cybersecurity (FICS) Research

The Failure of Bandwidth

• Decreasing the cost of connection establishment requires reducing connection setup latency.

0.25 0.5 0.75 1 1.25 1.5 0.01 0.1 1 10 100 1000 10000 100000 Control Channel Throughput (requests/sec) Bandwidth (packets/sec) 5 sec 4 sec 3 sec 2 sec 1 sec

Bandwidth (packets/sec)

Today Increased Rate

Decreasing the cost of connection 
 establishment requires reducing 
 connection setup latency.

Setup Latency = (packets/sec)

29

Florida Institute for Cybersecurity (FICS) Research

Connecting the Dots...

• The concept of connection establishment is considerably different in cellular

and data networks.

• Cellular networks page, wake and negotiate with hosts.
• Data networks simply forward packets.

• These networks were specialized to deliver voice, but data service has been

shoehorned in...

• The setup for data connections simply can not be


amortized like voice calls...

30

Florida Institute for Cybersecurity (FICS) Research

Clash of Design Philosophies

• The Internet uses the End-to-End Principle as its guiding philosophy.
• Cellular data networks are still fundamentally circuit-switched systems.

• Because specialized networks implement more functionality than absolutely

necessary for all flows, they exhibit rigidity.

• Such systems are unable to adapt to meet changing requirements and

conditions.


31

Florida Institute for Cybersecurity (FICS) Research

A Cautionary Tale...

• Cellular networks are among the most specialized systems ever constructed.

• Adding services that violate the assumptions upon which the network is
• ptimized allows an attacker to force such systems to fail at very low rates...
• The unintended consequence of attempts to save battery life allow attackers to

shut down the network.


• Many more vulnerabilities exist in this network...

32