CS 5410 - Computer and Network Security: Cellular Network Security - - PowerPoint PPT Presentation



SLIDE 1

Southeastern Security for Enterprise and Infrastructure (SENSEI) Center

CS 5410 - Computer and Network Security: Cellular Network Security

Professor Kevin Butler, Fall 2015

SLIDE 2

Reminders

  • Poster showcase next Monday
  • For final project: turn in all of your code, plus a makefile and instructions on how to run it

SLIDE 3

Unintended Consequences

  • The law of unintended consequences states that most human actions have at least one unintended consequence.
  • Rigidity in networks: how would you characterize the rigidity of:
    • The Internet?
    • The telephone network?

SLIDE 4

Low Rate DoS Attacks

  • While recent attacks on cellular networks seem unrelated, there is a common factor that catalyzes them all.
  • Comparing multiple attacks uncovers causality:
    • SMS Attack (JCS’09, CCS’05)
    • Network Characterization and Partial Mitigations (TON’10, MobiCom’06)
    • Data Teardown/Setup Attacks (USENIX Security’07)
  • The architecture of cellular networks inherently makes them susceptible to denial of service attacks.

Clash of Design Philosophies

SLIDE 5

SMS Delivery (simplified)

[Figure: simplified SMS delivery path. Components shown: Internet, PSTN, ESME, SMSC, HLR, MSC, VLR and CCH]

SLIDE 6

Control Channels

  • Control channels are used for a handful of infrequently used functions.
    • Call setup, SMS delivery, mobility management, etc...
  • The SDCCH allows the network to perform most of these functions.
  • The number of SDCCHs typically depends on the expected use in an area.
    • 4/8/12...

[Figure: control channels: PCH, AGCH, RACH, SDCCH]

SLIDE 7

GSM TDMA Frames

  • TDMA Frame:

[Figure: a TDMA frame of eight timeslots (Slot 0 to Slot 7), 4.615 msec per frame; 51 consecutive frames (Frame 0 to Frame 50) form a 51-multiframe of 235.365 msec]

SLIDE 8

From Frames to Channels

[Figure: 4.615 ms frames (timeslots 1 to 7 shown) grouped into a 26-multiframe of 120.00 ms]

SLIDE 9

Recognition

  • Once you fill the SDCCH channels with SMS traffic, call setup is blocked
  • The goal of an adversary is therefore to fill SDCCHs with SMS traffic.
  • Not as simple as you might think...

[Figure: SDCCHs occupied by SMS traffic alongside a single voice setup; a further request finds no free SDCCH and is blocked (X)]

SLIDE 10

Reconnaissance

  • Can such an attack be launched by targeting a single phone?
    • Low end phones: 30-50 msgs
    • High end phones: 500+ msgs (battery dies)
  • How do you get messages into the network?
    • Email, IM, provider websites, bulk senders, etc...
  • Don’t the networks have protections?
    • IP Address blocking, Spam filtering

SLIDE 11

Finding Phones

  • North American Numbering Plan (NANP)
  • Mappings between providers and exchanges publicly documented and available on the web
  • Implication: An adversary can identify the prefixes used in a target area.

NPA-NXX-XXXX (NPA = Numbering Plan Area, i.e. the area code; NXX = Numbering Plan Exchange)

SLIDE 12

Web-Scraping

  • Googling for phone numbers gives us better results:
    • 7,300 in NYC
    • 6,184 in D.C.
    • in 5 seconds...

SLIDE 13

Provider Interfaces

  • Almost all provider interfaces indicate whether or not a number is good.
  • Some sites even tell you a target phone’s availability.
  • This interface is an “oracle” for available phones.

SLIDE 14

Exploit (Metro)

  • 165 msgs/sec * 1500 bytes = 1933.6 kb/sec
  • 193.36 kb/sec on multi-send interface...
  • Comparison: Cable modem ~= 768 kb/sec

Capacity estimate (sectors in Manhattan × SDCCHs per sector × messages per SDCCH per hour):

$$55\ \text{sectors} \times \frac{12\ \text{SDCCH}}{1\ \text{sector}} \times \frac{900\ \text{msg/hr}}{1\ \text{SDCCH}} = 594{,}000\ \text{msg/hr} \approx 165\ \text{msg/sec}$$

SLIDE 15

Attack Profile

  • Applied simulation and analysis to better characterize the attacks.
  • Examined call blocking under multiple arrival patterns with exponentially distributed service times.
  • Using 495 msgs/sec, a blocking probability of 71% is possible with the bandwidth of a cable modem.

[Figure: SDCCH utilization and TCH utilization (0 to 1.2) vs. time (0 to 4000 seconds) during the attack]

SLIDE 16

Security Goals

  • Goal: To preserve the fidelity of both voice services and legitimate text messages during targeted SMS attacks.
  • Security Model:
    • We must trust equipment in the network core.
    • We cannot trust Internet users or customer devices.


SLIDE 17

Placing Mitigations

[Figure: the SMS delivery architecture from the earlier slide (Internet, PSTN, ESME, SMSC, HLR, MSC, VLR), marking where mitigations can be placed]

SLIDE 18

Solution Classifications

  • Scheduling/Shaping/Regulation
    • WFQ, Leaky Bucket, Priority Queues
    • AQM (WRED, REM, AVQ)
  • Resource Provisioning
    • SRP
    • DRP
    • DCA

[Figures: percent of attempts blocked vs. time (0 to 4000 seconds) for the service queue (SMS, voice), the SDCCH (SMS, voice) and the TCH (voice) under the solution classes above, plus SDCCH, TCH and service-queue utilization vs. time]

SLIDE 19

WRED - Overview

[Figure: WRED queue with Low, Med and High priority classes and the thresholds t_low,min, t_low,max, t_med,min, t_med,max]

SLIDE 20

WRED - Overview

[Figure: the same WRED queue with Low, Med and High priority classes and the thresholds t_low,min, t_low,max, t_med,min, t_med,max, annotated with the formulas below]

$$\rho_{target} = \rho_{actual}\,(1 - P_{drop})$$

$$P_{drop} = \frac{P_{drop,high}\cdot\lambda_{high} + P_{drop,med}\cdot\lambda_{med} + P_{drop,low}\cdot\lambda_{low}}{\lambda_{SMS}}$$

$$P_{drop} = P_{drop,max}\cdot\frac{Q_{avg} - t_{min}}{t_{max} - t_{min}}$$

$$N_Q = P_Q\,\frac{\rho}{1 - \rho}$$

SLIDE 21

WRED - Results

  • Messages of high and medium priority experience no blocking, but increased delay.
  • An average of 77% of low-priority messages are blocked.
  • This is a nice solution, assuming meaningful partitioning of flows.

[Figure: low-priority SMS blocking (percent of attempts blocked vs. time for service-queue SMS priorities 1, 2 and 3) and average queue occupancy (SDCCH, TCH and service-queue utilization vs. time)]
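As an added illustration (not code from the slides or from the cited papers), the WRED drop rule of the previous slide applied to a shared SDCCH service queue with three SMS priority classes, reproducing the qualitative result above: low priority sheds, medium and high do not. The threshold values and the traffic mix are constructed assumptions, and the queue is a deterministic fluid model rather than the authors' stochastic simulation.

```python
"""WRED over a shared SDCCH service queue with three SMS priority classes.
Added illustration: thresholds and traffic mix are constructed and the
queue is a deterministic fluid model, not the simulation behind the slides."""

# Constructed per-class thresholds (t_min, t_max, P_drop,max): low priority
# sheds first, medium next, high priority is never dropped by WRED.
CLASSES = {
    "low": (20.0, 60.0, 1.0),
    "med": (60.0, 100.0, 1.0),
    "high": (float("inf"), float("inf"), 0.0),
}

def drop_probability(q_avg, cls):
    """P_drop = P_drop,max * (Q_avg - t_min) / (t_max - t_min), clamped to [0, P_drop,max]."""
    t_min, t_max, p_max = CLASSES[cls]
    if q_avg <= t_min:
        return 0.0
    if q_avg >= t_max:
        return p_max
    return p_max * (q_avg - t_min) / (t_max - t_min)

def aggregate_drop(q_avg, rates):
    """Flow-weighted drop rate: sum_k P_drop,k * lambda_k / lambda_SMS."""
    lam_sms = sum(rates.values())
    return sum(drop_probability(q_avg, k) * lam / lam_sms for k, lam in rates.items())

def target_utilization(rho_actual, q_avg, rates):
    """rho_target = rho_actual * (1 - P_drop)."""
    return rho_actual * (1.0 - aggregate_drop(q_avg, rates))

def simulate(rates, capacity, steps, weight=0.2):
    """Fluid queue: each step every class offers lambda_k messages, WRED
    sheds against an EWMA of queue depth, then `capacity` messages are
    served. Returns the fraction of each class's messages dropped."""
    q = q_avg = 0.0
    offered = {k: 0.0 for k in rates}
    dropped = {k: 0.0 for k in rates}
    for _ in range(steps):
        q_avg = (1.0 - weight) * q_avg + weight * q
        for k, lam in rates.items():
            p = drop_probability(q_avg, k)
            offered[k] += lam
            dropped[k] += lam * p
            q += lam * (1.0 - p)
        q = max(0.0, q - capacity)
    return {k: dropped[k] / offered[k] for k in rates}
```

Running `simulate({"low": 30.0, "med": 5.0, "high": 5.0}, capacity=10.0, steps=200)` floods the queue with low-priority traffic three times the service rate; the high class sees no drops, the medium class only a small transient, and almost all low-priority messages are shed.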

SLIDE 22

...and yet...

  • Performance improvements come from one of two changes: speedup or parallelization.
  • As diverse as our solutions appear, they all attempt to maximize performance through the latter.
  • In many senses, we are not solving the problem; we are pushing food around on our plate.
  • Adding bandwidth should logically address this problem.

SLIDE 23

Cellular Data Networks

  • GPRS/EDGE provide much higher bandwidth service.
  • Packet-switched data services are attractive to providers and users for a number of reasons.
  • User devices operate in one of three states: IDLE, STANDBY and READY.
    • IDLE: The device is unavailable.
    • STANDBY: Available, but not exchanging packets.
    • READY: Actively listening for packets.

[Figure: GPRS device state machine. Transitions: IDLE → READY on GPRS Attach; READY → STANDBY when the READY timer expires; STANDBY → READY on a paging request; STANDBY → IDLE when the STANDBY timer expires; READY → IDLE on GPRS Detach]

SLIDE 24

Data Architecture

[Figure: cellular data architecture: HLR, SGSNs and GGSN between the devices and the Internet; a table maps device IP addresses to their serving SGSN (192.168.100.1 → 192.168.1.2, 192.168.100.2 → 192.168.1.2)]

SLIDE 25

Real Network Configs

  • To make these simulations represent reality, we use a Samsung Blackjack in Field Test Mode to discover settings of an operational network.
  • Field Test Mode tells us that control channels for voice and data are shared in real networks.
    • Voice and data traffic may be able to interfere with each other.

SLIDE 26

Reducing Overhead

  • Because paging is so expensive, we don’t want to do it for every packet.
  • Establishing a connection takes 5 seconds:
    • Waiting: Paging, Wakeup, Processing, Acquiring timeslots
    • Transmission
  • GPRS differentiates packets at the MAC layer by Temporary Block Flows (TBFs).
    • Each TBF is assigned a Temporary Flow ID (TFI).

SLIDE 27

Teardown Attack: Overview

  • TFIs are implemented as 5-bit fields, yielding a maximum of 32 concurrent flows.
  • If you send a message to a phone once every 5 seconds, the targeted device maintains its TFI.
  • An adversary can therefore cause legitimate flows to block due to TBF/TFI exhaustion.

$$\text{Capacity} \approx 55\ \text{sectors} \times \frac{32\ \text{msgs}}{1\ \text{sector}} \times \frac{41\ \text{bytes}}{1\ \text{msg}} \times \frac{1}{5\ \text{sec}} \approx 110\ \text{Kbps}$$

$$\text{Capacity} \approx 55\ \text{sectors} \times \frac{4 \to 16\ \text{msgs}}{1\ \text{sector}} \times \frac{41\ \text{bytes}}{1\ \text{msg}} \times \frac{1}{5\ \text{sec}} \approx 14.1 \to 56.4\ \text{Kbps}$$

SLIDE 28

Teardown Attack: Results

  • If an attacker can send 160Kbps of data traffic, 97% of legitimate traffic will be blocked.
  • Note that data service is blocked with less than 30% of the attack traffic previously used to attack SMS.

[Figure: average percent blocking during attack vs. attack traffic (100 to 200 kbps) for RACH (data), RACH (voice), PDTCH (data) and TCH (voice)]

SLIDE 29

Setup Attack

  • To prevent this attack, we reclaim TFIs when the base station sends the “last” packet in a flow.
  • If an attacker can send 4950Kbps of attack traffic, over 85% of all legitimate traffic will be blocked.
    • Voice and SMS will be blocked at the same rate!

[Figure: average percent blocking during attack vs. attack traffic (2200 to 4950 kbps) for RACH (data) and RACH (voice)]
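To make the TFI accounting behind slides 26 to 29 concrete, an added model (not code from the slides or the cited paper) of one sector's pool of 32 TFIs under the two release policies the slides contrast: holding a TFI until 5 seconds of inactivity, versus reclaiming it when the base station sends the last packet of a flow. The 4-second refresh period, the traffic mix and the helper names `build_traffic` and `compare` are constructed assumptions.

```python
"""TFI pool model for one sector (slides 26-29). Added illustration, not
the authors' simulation: MAX_TFI and IDLE_TIMEOUT come from the slides,
the traffic is constructed."""

MAX_TFI = 32          # TFI is a 5-bit field
IDLE_TIMEOUT = 5.0    # seconds a TBF keeps its TFI without traffic

def simulate(packets, reclaim_on_last):
    """packets: (time, flow_id, is_last) tuples sorted by time.
    reclaim_on_last=False: a TFI is freed only after IDLE_TIMEOUT of silence.
    reclaim_on_last=True: the base station frees it with the flow's last packet.
    Returns (served, blocked) packet counts."""
    active = {}                       # flow_id -> time its TFI expires
    served = blocked = 0
    for t, flow, is_last in packets:
        for f in [f for f, expiry in active.items() if expiry <= t]:
            del active[f]             # timer-based reclaim
        if flow in active or len(active) < MAX_TFI:
            served += 1
            if reclaim_on_last and is_last:
                active.pop(flow, None)
            else:
                active[flow] = t + IDLE_TIMEOUT
        else:
            blocked += 1              # no free TFI: flow setup fails
    return served, blocked

def build_traffic(n_hold=MAX_TFI, period=4.0, horizon=60.0, n_legit=50):
    """Constructed mix: n_hold single-packet flows that each recur every
    `period` seconds (inside IDLE_TIMEOUT), plus n_legit one-off
    single-packet flows arriving once per second from t=10."""
    pkts = []
    for f in range(n_hold):
        t = 0.0
        while t < horizon:
            pkts.append((t, f"hold-{f}", True))
            t += period
    for i in range(n_legit):
        pkts.append((10.0 + i, f"legit-{i}", True))
    return sorted(pkts)

def compare():
    """(served, blocked) under each TFI release policy for the same traffic."""
    traffic = build_traffic()
    return {
        "timeout_release": simulate(traffic, reclaim_on_last=False),
        "reclaim_on_last": simulate(traffic, reclaim_on_last=True),
    }
```

With timer-based release, 32 flows that recur every 4 seconds hold every TFI for the whole run and all 50 later flows are blocked; with reclaim-on-last, each single-packet flow returns its TFI immediately and nothing is blocked, which is exactly the trade the next slide discusses.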

SLIDE 30

Broken Solutions

  • Add more TFIs.
    • This is an artificial boundary. Why does it exist?
  • Add more bandwidth.
    • Session establishment requires a few seconds, so adding bandwidth should speed this up and alleviate the problem.

$$\text{Throughput} = \frac{\#\,\text{Requests}}{\text{Setup(Paging, Waiting, Processing)} + \text{Transmission}}$$

$$\lim_{BW \to \infty} \text{Throughput} = \frac{\#\,\text{Requests}}{\text{Setup(Paging, Waiting, Processing)}}$$

SLIDE 31

The Failure of Bandwidth

[Figure: control channel throughput (requests/sec, 0.25 to 1.5) vs. bandwidth (packets/sec, log scale from 0.01 to 100000) for connection setup latencies of 1, 2, 3, 4 and 5 sec; “Today” and “Increased Rate” operating points marked]

Decreasing the cost of connection establishment requires reducing connection setup latency.

Setup Latency = (packets/sec)

SLIDE 32

Connecting the Dots...

  • The concept of connection establishment is considerably different in cellular and data networks.
    • Cellular networks page, wake and negotiate with hosts.
    • Data networks simply forward packets.
  • These networks were specialized to deliver voice, but data service has been shoehorned in...
  • The setup for data connections simply cannot be amortized like voice calls...

SLIDE 33

Clash of Design Philosophies

  • The Internet uses the End-to-End Principle as its guiding philosophy.
  • Cellular data networks are still fundamentally circuit-switched systems.
  • Because specialized networks implement more functionality than absolutely necessary for all flows, they exhibit rigidity.
    • Such systems are unable to adapt to meet changing requirements and conditions.


SLIDE 34

A Cautionary Tale...

  • Cellular networks are among the most specialized systems ever constructed.
  • Adding services that violate the assumptions upon which the network is optimized allows an attacker to force such systems to fail at very low rates...
  • The unintended consequence of attempts to save battery life allows attackers to shut down the network.
  • Many more vulnerabilities exist in this network...
