CIS 6930 - Cellular and Mobile Network Security: Classical Telephony - - PowerPoint PPT Presentation



SLIDE 1

Florida Institute for Cybersecurity (FICS) Research

CIS 6930 - Cellular and Mobile Network Security: Classical Telephony Security

Professor Patrick Traynor 10/30/18

SLIDE 2


Ah, the Classics...


SLIDE 3


Well Placed Nostalgia?

  • The general feeling is that the Internet and its openness brought about significant insecurity.
  • If only, some lamented, we could go back to a more closed and controlled environment like telecommunications networks, security would no longer be such an issue.
  • Is such an assertion well founded?
  • How secure are telecommunications networks in reality?


SLIDE 4


Setting Expectations

  • This lecture is designed to kick off the final portion of the semester and give us context to our security discussions.
  • Just how good were the “good old days”?
  • We will introduce classes of vulnerabilities today.
  • We will spend the rest of the semester studying many of them in great detail.
  • Many of the lectures moving ahead rely on the understanding of the architecture of the networks you have spent so much time learning.


SLIDE 5


Weak Cryptography

  • The algorithms underlying these operations are also insecure.
  • Rumor has it that this is partially intentional.
  • COMP-128 (used as A3) can expose Ki.
  • 2^19 queries to the SIM card allow an attacker to recover Ki.
  • A5/1 and A5/2 (used as A5) are also weak.
  • Golic (1997) and Biryukov (2000) created known-plaintext attacks possible in 2^40 operations or with 300 GB of space.
  • Multiple recent efforts use rainbow tables and GPUs to rapidly crack keys.


SLIDE 6


Vulnerabilities in the Network Core

  • In-band Signaling
  • “Captain Crunch” attacks
  • Unauthenticated signaling in the SS7 core.
  • MAPSec standard created, never used in reality outside of one unfortunate and informative instance.
  • How “walled” are these gardens in reality?
  • ASN.1 compiler/parser buffer overflows
  • Nearly every core node vulnerable.


SLIDE 7


Eavesdropping

  • AMPS had no encryption.
  • Device cloning attacks by capturing the ESN.
  • Networks can specify A5/0 mode during Cipher Mode “negotiation”.
  • A5/0 is mandated in France to allow easy over-the-air lawful interception.
  • Crypto ends at the BS.
  • Microwave backhauls to the network make interception easy.

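The Cipher Mode “negotiation” point above, together with the weak A5 algorithms from the Weak Cryptography slide, is something a handset can check for itself. As an added example that is not part of the lecture, the Python below decodes the Cipher Mode Setting field of an RR CIPHERING MODE COMMAND, flags the null cipher A5/0 and the weak A5/1 and A5/2, and runs over constructed sample messages. The bit layout follows my reading of 3GPP TS 44.018 section 10.5.2.9; the message bytes, function names and the strength policy are assumptions.

```python
from __future__ import annotations

# Added example (not from the lecture): decode which A5 algorithm a GSM network
# selected in an RR CIPHERING MODE COMMAND and rate it from the handset's view.
# Assumed layout (my reading of 3GPP TS 44.018, 10.5.2.9): octet 3 low nibble is
# the Cipher Mode Setting IE: bit 1 = SC (0: no ciphering, 1: start ciphering),
# bits 4..2 = algorithm identifier (000 A5/1, 001 A5/2, 010 A5/3, 011 A5/4 ...).
# All sample messages below are constructed, not captured traffic.

RR_PROTOCOL_DISCRIMINATOR = 0x06   # octet 1, low nibble (high nibble: skip indicator)
CIPHERING_MODE_COMMAND = 0x35      # octet 2, RR message type

# Defender's policy: A5/0 gives no confidentiality; A5/1 and A5/2 are the
# ciphers the lecture calls weak; A5/3 (KASUMI based) and A5/4 are acceptable.
STRENGTH = {"A5/0": "none", "A5/1": "weak", "A5/2": "weak",
            "A5/3": "ok", "A5/4": "ok"}


def parse_cipher_mode_setting(msg: bytes) -> str:
    """Return the algorithm name ('A5/0' .. 'A5/7') selected by a
    CIPHERING MODE COMMAND; raise ValueError for any other message."""
    if len(msg) < 3:
        raise ValueError("message too short")
    if (msg[0] & 0x0F) != RR_PROTOCOL_DISCRIMINATOR or msg[1] != CIPHERING_MODE_COMMAND:
        raise ValueError("not an RR CIPHERING MODE COMMAND")
    setting = msg[2] & 0x0F            # Cipher Mode Setting half-octet
    sc = setting & 0x01                # bit 1: start ciphering?
    algo = (setting >> 1) & 0x07       # bits 4..2: algorithm identifier
    if sc == 0:
        return "A5/0"                  # null cipher, whatever the algo bits say
    return f"A5/{algo + 1}"


def assess(msg: bytes) -> tuple[str, str]:
    """Map a command to (algorithm, strength) using the policy above."""
    algo = parse_cipher_mode_setting(msg)
    return algo, STRENGTH.get(algo, "unknown")


def audit(messages: list[bytes]) -> list[str]:
    """Return one alert line per command that selected no or a weak cipher."""
    alerts = []
    for i, msg in enumerate(messages):
        algo, strength = assess(msg)
        if strength != "ok":
            alerts.append(f"msg {i}: network selected {algo} ({strength})")
    return alerts


# Constructed commands: A5/1, A5/0 (SC bit clear), A5/3, A5/2
SAMPLE_COMMANDS = [b"\x06\x35\x01", b"\x06\x35\x00", b"\x06\x35\x05", b"\x06\x35\x03"]

if __name__ == "__main__":
    for line in audit(SAMPLE_COMMANDS):
        print(line)
```

Only the third constructed command (A5/3) passes the policy; the other three produce an alert, which is the signal an IMSI-catcher detector or a baseband audit would act on.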

SLIDE 8


Jamming

  • A number of companies sell “personal jamming” devices.
  • You can buy them in street markets in many major cities.
  • Many public places (e.g., theaters, churches, etc.) have considered purchasing slightly higher-grade products.
  • This is HIGHLY illegal in the US, but not so in other countries.
  • AMPS and GSM are relatively easy to jam directly.
  • CDMA should make this much harder.
  • Why do you think jamming is still possible?


SLIDE 9


Tracking, Privacy and CALEA

  • Lawful intercept of personal communications has a deep legal history in this country.
  • In general, your calls cannot be listened in upon without the approval of a judge.
  • Significant infrastructure exists to support lawful interception.
  • Recent history provides examples of “less-lawful” interception.
  • Location of specific individuals, email sent over cellular networks and text messages are very much in a grey area.
  • US DoJ is arguing against the need for warrants here. Implications?


SLIDE 10


Overload and DoS

  • Networks are designed and provisioned based on certain assumptions about traffic load.
  • Voice traffic is much easier to predict than data.
  • Connecting telephony to the much less regulated, less predictable Internet creates opportunities to violate the above assumptions.
  • Understanding the architecture can make these attacks targeted and efficient.
  • Brute-force DoS is largely uninteresting...


SLIDE 11


Malware and Mobile Phones

  • Up to this point, most malware in this space has been fairly basic and uninteresting from an analysis perspective.
  • The vast majority rely on social engineering.
  • Mobile AV products exist, but how many people do you know that actually run them?
  • New exploits are becoming increasingly sophisticated.
  • PDF vulnerabilities, heap spraying
  • What are applications secretly leaking about you?
  • What can be done in this space given the constraints?
