cse 543 computer security fall 2006
play

CSE 543 - Computer Security (Fall 2006) Lecture 25 - Cellular - PowerPoint PPT Presentation

Feb 20, 2024 •450 likes •677 views

CSE 543 - Computer Security (Fall 2006) Lecture 25 - Cellular Network Security Guest Lecturer: William Enck November 30, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06 CSE 543 Computer (and Network) Security - Fall 2006 - Professor

  1. CSE 543 - Computer Security (Fall 2006) Lecture 25 - Cellular Network Security Guest Lecturer: William Enck November 30, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06 CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 1

  2. Unintended Consequences • The law of unintended consequences holds that almost all human actions have at least one unintended consequence. CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 2

  3. Large Scale Attacks • Past damaging attacks follow a pattern ... • Bad (or good) guys find the vulnerability ... • Somebody does some work ... • Then exploit it ... • Hence, an exploit evolves in the following way: 1. Recognition 2. Reconnaissance 3. Exploit 4. Recovery/Fix CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 3

  4. Recognition: SMS Messaging • What is SMS? • Allows mobile phones and other devices to send small asynchronous messages containing text. • Ubiquitous internationally (Europe, Asia) • Often used in environments where voice calls are not appropriate or possible. • On September 11th, SMS helped many people communicate even though call channels were full • also observed anecdotally during recent hurricanes • Can be delivered via Internet • Web-pages (provider websites) • Email, IM, ... CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 4

  5. SMS message delivery in 30 seconds ... Base Station BS BS BS MSC Mobile Switching PSTN Center HLR VLR Cell VLR Network BS SMSC MSC Short Messaging Service Center Internet BS BS ESME External Short Messaging Entity CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 5

  6. The “air interface” • Traffic channels (TCH) • used to deliver voice traffic to cell phones (yak yak ...) • Control Channel (CCH) • used for signaling between base station and phones • used to deliver SMS messages • not originally designed for SMS CCH TCH CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 6

  7. GSM as TDM • GSM Analysis • Each channel divided into 8 time-slots • Each call transmits during its time-slot (TCH) • Paging channel (PCH) and SDCCH are embedded in CCH • BW: 762 bits/sec (96 bytes) per SDCCH • Number of SDCCH is 2 * number of channels • Number of channels averages 2-6 per sector (2/4/8/12/??) 4 5 Frame # 0 1 2 3 4 5 6 7 8 9 0 Multiframe SDCCH 0 SDCCH 1 Channel Time Slot # 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 7

  8. The vulnerability • Once you fill the SDCCH channels with SMS traffic, call setup is blocked Voice X SMS SMS SMS SMS SMS SMS SMS SMS • So, the goal of an adversary is to fill the cell network with SMS traffic • Not as simple as you might think .... CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 8

  9. Reconnaissance: Gray-box Testing • Standards documentation only tells half of the story • Open Questions (Implementation Specific): • How are messages stored? • How do injection and delivery rates compare? • What interface limitations currently exist? Cellular Network Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9

  10. Gray-box Testing Summary • Individual phones are only capable of accepting so many messages. • Low end devices: ~30-50 messages • High end devices: 500+ (battery drain) • Messages can be injected orders of magnitude faster than they can be delivered • Delivery time is multiple seconds • Interfaces have trivial mass insertion countermeasures • Address-based authentication, bulk senders, etc Result : An attack must be distributed and must target many users Systems and Internet Infrastructure Security Laboratory (SIIS) Page 10

  11. Reconnaissance: Finding cell phones ... • North American Numbering Plan (NANP) NPA-NXX-XXXX Numbering Plan Exchange Numbering Plan Area (Area code) • NPA/NXX prefixes are administered by a provider • Phone number mobility may change this a little • Mappings between providers and exchanges publicly documented and available on the web • Implication : An adversary can identify the prefixes used in a target area (e.g., metropolitan area) CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 11

  12. Web scraping • Googling for phone numbers 865 numbers in SC 7,300 in NYC 6,184 in DC ... in less than 5 seconds CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 12

  13. Using the SMS interface • While google may provide a good “hit-list”, it is advantageous to create a larger and fresher list • Providers entry points into the SMS are available, e.g., email, web, instant messaging • Almost all provider web interfaces indicate whether the phone number is good or not (not just ability to deliver) • Hence, web interface is an oracle for available phones CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 13

  14. Exploit: Area Capacity • Determining the capacity of an area is simple with the above observations. C = (sectors/area)*(SDCCHs/sector)*(throughput/SDCCH) • Note that this is the capacity of the system. An attack would be aided by normal traffic. • Model Data • Channel Bandwidth: 3GPP TS 05.01 v8.9.0 (GSM Standard) • City profiles and SMS channel characteristics: National Communications System NCS TIB 03-2 • City and population profiles: US Census 2000 Systems and Internet Infrastructure Security Laboratory (SIIS) Page 14

  15. The Exploit (Metro) • Capacity = sectors * SDCCH/sector * msgs/hour Sectors in SDCCHs per Messages per Manhattan sector SDCCH per hour „ 12 SDCCH « „ 900 msg/hr « (55 sectors ) C ≃ 1 sector 1 SDCCH 594 , 000 msg/hr ≃ 165 msg/sec ≃ • 165 msgs/sec * 1500 bytes (max message length) = 1933.6 kb/sec • Comparison: cable modem ~= 768 kb/sec • 193.36 on multi-send interface • What happens when we have broadcast SMS? CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 15

  16. Regional Service • How much bandwidth is needed to prevent access to all cell phones in the United States? • About 3.8 Gbps or 2 OC-48s (5.0 Gbps) CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 16

  17. Recovery/Fix: The solutions (today) • Solution 1 : separate Internet from cell network • pros: essentially eliminates attacks (from Internet) • cons: infeasible, loss of important functionality • Solution 2 : resource over-provisioning • pros: allows a mitigation strategy without re-architecting • cons: costly, just raises the bar on the attackers CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 17

  18. The solutions (tomorrow) • Solution 3 : Queuing • Separate queues for control vs. SMS • Control messaging should preempt with priority • Cons: complexity? • Solution 4 : Rate limitation • Control the aggregate input into a network/sector • Cons: complex to do correctly • Solution 5 : Next generation networks • 3G networks will logically separate data and voice • Thus, Internet -based DOS attacks will affect data only • Cons: available when? CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 18

  19. The Reality • Attacks occur accidentally • “Celebration Messages Overload SMS Network” (Oman) • “Mobile Networks Facing Overload” (Russia) • “Will Success Spoil SMS?”(Europe and Asia) • In-place tools may prevent trivial exploits • message filtering, Over-provisioning • Sophisticated adversaries could likely exploit this vulnerability without additional counter-measures • Many possible entry points into the network • Zombie networks • Little network internal control of SMS messaging • Note: Edge solutions are unlikely to be successful CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 19

  20. Recommendations • Short term: reduce number of SMS gateways and regulate input flow into cell phone network • Remove any feedback on the availability of cell phones or success of message delivery • Implement an emergency shutdown procedure • Disconnect from Internet during crisis • Only allow emergency services during crisis • Seek solutions from equipment manufacturers • Separate control traffic from SMS messaging • Advanced cell networks CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 20

  21. A cautionary tale ... • Attaching the Internet to any critical infrastructure is inherently dangerous • ... because of the unintended consequences • Will/have been felt in other areas • electrical grids • emergency services • banking and finance • and many more ... CSE 543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger 1 Denial of Service Intentional

406 views • 18 slides
CSE 543 - Computer Security (Fall 2006) Lecture 16 - Network Security October 31, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 16 - Network Security October 31, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 16 - Network Security October 31, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06 CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger 1 Midterm Grades 85-100 -- A

1.41k views • 26 slides
Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer Security? Generally concerned with protection of computer related assets Risk analysis and management! Manage could mean prevention of

537 views • 26 slides
1 Electronic Pearl Harbor Is this just scare-mongering? Slammer worm took down Bank of

1 Electronic Pearl Harbor Is this just scare-mongering? Slammer worm took down Bank of

Website: http://www.richmond.edu/~dszajda/classes/cs334/ Fall_2008/main.html Fall 2008 Fall 2008 CS 334 Computer Security 1 Fall 2008 CS 334 Computer Security 2 Text: Security in Computing by Charles P. Thanks to Anthony Joseph, Doug and

278 views • 6 slides
Chapter 9: Computer Memory Dr. Ming Yu Dept. of ECE FAMU-FSU College of Engineering Fall 2006

Chapter 9: Computer Memory Dr. Ming Yu Dept. of ECE FAMU-FSU College of Engineering Fall 2006

11/16/2006 EEL 4746: Microprocessor-based System Design Chapter 9: Computer Memory Dr. Ming Yu Dept. of ECE FAMU-FSU College of Engineering Fall 2006 11/16/2006 1 Table of Contents 1. Introduction 2. Computer Types and Memory Maps 3.

851 views • 26 slides
Law and Security CS461/ECE422 Computer Security I Fall 2010 Slide #6-1 Overview Law and

Law and Security CS461/ECE422 Computer Security I Fall 2010 Slide #6-1 Overview Law and

Law and Security CS461/ECE422 Computer Security I Fall 2010 Slide #6-1 Overview Law and privacy Cybercrime Laws Affecting Computer Use Slide #6-2 Reading Material Secrets of Computer Espionage: Tactics and Countermeasures

690 views • 33 slides
Related Work CSE545 - Fall 2006 Introduction Computer and Network Security Professor McDaniel

Related Work CSE545 - Fall 2006 Introduction Computer and Network Security Professor McDaniel

76 views • 6 slides
Network Security Architecture CS461/ECE422 Computer Security I Fall 2008 Reading Material

Network Security Architecture CS461/ECE422 Computer Security I Fall 2008 Reading Material

Network Security Architecture CS461/ECE422 Computer Security I Fall 2008 Reading Material Computer Security chapter 26. Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. New second

1.24k views • 50 slides
Computer Networks fall 2006 1. Introduction, Internet, reference models Hlzatok, 2006

Computer Networks fall 2006 1. Introduction, Internet, reference models Hlzatok, 2006

Computer Networks fall 2006 1. Introduction, Internet, reference models Hlzatok, 2006 Lukovszki Tams 1 Organisation Web page http://people.inf.elte.hu/lukovszki/Courses/NWI/ Lecture Wendesday, 2-4 pm, place: Mogyordi

732 views • 36 slides
Cryptography Well, a gentle intro to cryptography Fall 2014 CS 334: Computer Security 1

Cryptography Well, a gentle intro to cryptography Fall 2014 CS 334: Computer Security 1

Cryptography Well, a gentle intro to cryptography Fall 2014 CS 334: Computer Security 1 Special Thanks: to our friends at the Australian Defense Force Academy for providing the basis for these slides Fall 2014 CS 334: Computer Security 2

730 views • 47 slides
Cryptography Well, a gentle intro to cryptography Fall 2010 CS 334: Computer Security 1

Cryptography Well, a gentle intro to cryptography Fall 2010 CS 334: Computer Security 1

Cryptography Well, a gentle intro to cryptography Fall 2010 CS 334: Computer Security 1 Special Thanks: to our friends at the Australian Defense Force Academy for providing the basis for these slides Fall 2010 CS 334: Computer Security 2

626 views • 43 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Computer Science 161: Computer Security Computer Science 161 Fall 2016 Popa and Weaver

Computer Science 161: Computer Security Computer Science 161 Fall 2016 Popa and Weaver

Computer Science 161: Computer Security Computer Science 161 Fall 2016 Popa and Weaver Prof. Raluca Ada Popa Nicholas Weaver http://inst.eecs.berkeley.edu/~cs161/ 1 And a team of talented TAs Computer Science 161 Fall 2016 Popa and

866 views • 42 slides
Session 1 Introduction to Computer Security Sbastien Combfis Fall 2019 This work is

Session 1 Introduction to Computer Security Sbastien Combfis Fall 2019 This work is

I5020 Computer Security Session 1 Introduction to Computer Security Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License. Objectives Computer

864 views • 61 slides
To Publish or Not to Publish? CSE545 - Fall 2006 Introduction Computer and Network Security

To Publish or Not to Publish? CSE545 - Fall 2006 Introduction Computer and Network Security

447 views • 12 slides
Definitions and Terminology Fall 2014 CS 334 Computer Security 1 Security Goals

Definitions and Terminology Fall 2014 CS 334 Computer Security 1 Security Goals

Definitions and Terminology Fall 2014 CS 334 Computer Security 1 Security Goals Confidentiality : concealment of information or resources. Availability : preserve ability to use information or resource desired. An unavailable

318 views • 19 slides
Ein Blick ins Aquarium Was gibt's Neues in Bean Validation 1.1 and CDI 1.1? Hardy Ferentschik

Ein Blick ins Aquarium Was gibt's Neues in Bean Validation 1.1 and CDI 1.1? Hardy Ferentschik

Ein Blick ins Aquarium Was gibt's Neues in Bean Validation 1.1 and CDI 1.1? Hardy Ferentschik Red Hat About me Hardy Ferentschik - hardy@hibernate.org Hibernate team member for 5 years Focus on Validator and Search Validator

743 views • 41 slides
Introduction to Swedish Civil Contingencies Agency (MSB) methodological support for introducing

Introduction to Swedish Civil Contingencies Agency (MSB) methodological support for introducing

Methodilogical support Prepare Analyze Assignments References Introduction to Swedish Civil Contingencies Agency (MSB) methodological support for introducing Information Security Management Systems (ISMS). Carina Bengtsson, Daniel Bosk and

1.19k views • 73 slides
Procurement and State aid update Patrick Halliday 30 November 2016 Procurement & State aid

Procurement and State aid update Patrick Halliday 30 November 2016 Procurement & State aid

Procurement and State aid update Patrick Halliday 30 November 2016 Procurement & State aid smorgasbord 1. Abnormally low tenders: FP McCann 2. Disclosure of marking method: TNS Dimarso 3. Marking challenges: Energysolutions v NDA 4.

196 views • 7 slides
IP, Commercialisation and Going Global What can TTOs do to be more entrepreneurial OPTEON Philip

IP, Commercialisation and Going Global What can TTOs do to be more entrepreneurial OPTEON Philip

IP, Commercialisation and Going Global What can TTOs do to be more entrepreneurial OPTEON Philip Mendes Principal Mob + 61 414 615 345 Email philip@opteon.com.au Web www.opteon.com.au IP, Commercialisation - Going Global What is sought to be

594 views • 24 slides
Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com

Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com

Sergey Puzankov Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com SS7 in the 20 th century SCP STP STP SSP SCP STP STP PSTN SSP SSP SS7 Signaling System #7, a set of telephony protocols

937 views • 60 slides
1 27/02/2020 2 Cellular Connectivity Anywhere In The World (2G, 3G, 4G, LTE-M, soon NB-IoT)

1 27/02/2020 2 Cellular Connectivity Anywhere In The World (2G, 3G, 4G, LTE-M, soon NB-IoT)

1 27/02/2020 2 Cellular Connectivity Anywhere In The World (2G, 3G, 4G, LTE-M, soon NB-IoT) 180+ countries 540+ networks We are where you are In the Cloud Intra-Cloud Peering Connectivity Meta- Global Reliable and Secure for Device Data

196 views • 18 slides
Systematic Mapping Studies Marcel Heinz 23. Juli 2014 Marcel Heinz Systematic Mapping Studies

Systematic Mapping Studies Marcel Heinz 23. Juli 2014 Marcel Heinz Systematic Mapping Studies

Systematic Mapping Studies Marcel Heinz 23. Juli 2014 Marcel Heinz Systematic Mapping Studies 23. Juli 2014 1 / 44 Presentation Overview Motivation 1 Systematic Mapping Studies 2 Comparison to Systematic Reviews 3 Guidelines 4 Marcel

931 views • 44 slides
CS378 - Mobile Computing Services and Broadcast Receivers Services One of the four primary

CS378 - Mobile Computing Services and Broadcast Receivers Services One of the four primary

CS378 - Mobile Computing Services and Broadcast Receivers Services One of the four primary application components: activities content providers services broadcast receivers 2 Services Application component that performs

595 views • 35 slides

More recommend