MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES - PowerPoint PPT Presentation


  1. MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES
     - Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang
     - University of California, Los Angeles
     - ACM CCS'12

  2. Mobile Data Access
     - 1.2 billion global users
     - [Diagram: Cellular Network, Core Network, Internet]

  3. Mobile Data Charging
     - [Diagram: Cellular Network, Internet]
     - Metered charging: bill based on actual data usage, e.g., $20/month for 300MB (AT&T)
     - Security: Can any attack make the users pay MORE/LESS?

  4. How Charging Works & Is Secured
     - #1: Accounting @ core gateway only
     - #2: Both UL/DL per connection charged
     - #3: Policy defined by operators
     - [Diagram: Cellular Network, Authentication, Gateway, Accounting, Policy, NAT, Internet, Bill]

  5. Two Security Issues
     - #1: Can the attacker bypass the security mechanism to exploit charging architecture loophole to make the users pay MORE? (Stealth-spam-attack)
     - #2: Can the attacker exploit charging policy to pay LESS? (Toll-Free-Data-Access-Attack)
     - [Diagram: Authentication, NAT, Bill]

  6. Threat Models
     - Cellular network is not compromised
       - Charging subsystem works as designed
       - Security mechanism works as designed
     - Attacker's capability
       - Only use installed apps @ mobile, or
       - Deploy malicious servers outside cellular networks

  7. Outline
     - Stealth-spam-attack (pay MORE)
       - Vulnerability
       - Attack design & implementation & damage
       - Countermeasures & insight
     - Toll-free-data-access-attack (pay LESS)
       - Vulnerability
       - Attack design & implementation & damage
       - Countermeasures & insight
     - Summary

  8. Stealth-Spam-Attack

  9. Security Against Spamming
     - Incoming-Spam: Can security mechanism (e.g., NAT/Firewalls) block incoming spam?
       - Private IP addr. is not accessible
       - Access allowed only when initiated by the mobile
     - Outgoing-Spam: due to malwares@mobile or spoofing. Simple, not addressed here.
     - [Diagram: Authentication, NAT, Bill]

  10. Vulnerability
     - ① Init a data service: trap the victim to open data access (normal)
     - ② Incoming Spam: incoming traffic, spam from the attacker (attacked)
     - Different from conventional spamming, e.g., Email/SMS spam
       - Unawareness (stealthy)
       - Long-lived (lasting hours or longer)
     - [Timeline diagram: Data Services (charged), actual charging time window; labels: Authentication, E-attacker, NAT, Bill]

  11. Stealth-Spam-Attack
     - Step 1 - Trap: init data access
       - Example-1: click a malicious web link
       - Example-2: login Skype once / stay online
     - Step 2 - Spam: keep spamming
       - No matter what status @mobile

  12. Web-based Attack
     - Implementation
       - Phone: click a malicious web link
       - Attacker (server): send spam data at constant rate (disable TCP congestion control and tear-down)
     - Result: charging keeps going
       - Even after the phone tears down TCP (TCP FIN, timeout)
       - Even when many "TCP RESET" sent from the mobile

  13. Damage vs. Spamming Rate
     - [Figure: charging volume vs. spamming rate, Operator-I and Operator-II]
     - In proportion to spamming rate when rate is low
     - Charging blocked when rate is high (> 1Mbps)
     - The charged volume could be > the received one [Mobicom'12]

  14. Damage vs. Duration
     - Spamming rate = 150Kbps
     - No observed sign to end when the attack lasts 2 hours if the rate is low (spamming > 120MB)

  15. Skype-based Attack
     - Implementation
       - Phone: do nothing (stay online once in Skype)
       - Attacker: Skype call the victim and hang up
       - Attacker (server): send spam data at constant rate
     - Exploit Skype "loophole"
       - allows data access from the host who attempts to call the victim before the attempt is accepted
     - Demo

  16. Demo: for a specific victim
     - Result: charging keeps going
       - Even after Skype logout
       - Even when there is no Skype call session
       - Even when many "ICMP unreachable" sent from the mobile

  17. Damage vs. Spamming Rate
     - [Figure: charging volume vs. spamming rate, Operator-I and Operator-II]
     - No bounds on spamming rate compared with TCP-based attack

  18. Damage vs. Duration
     - Spamming rate = 50Kbps
     - No observed sign to end when the attack lasts 24 hours (spamming > 500MB)

  19. Root Cause
     - ① Init a data service (trap the victim to open data access)
       - Current system: secure only the initialization
       - IP forwarding can push packets to the victim (not controlled by the victim)
       - #1: Initial authentication ≠ authentication all along
     - ② Incoming Spam
       - Current system: keep charging if data comes; local view @ core gateway
       - Different views @ mobile: data conn. ends or never starts, or exception happens
       - Lack of feedback/control
       - #2: Data flow termination @ the phone ≠ charging termination @ the operator
     - [Diagram: E-attacker, NAT, Bill]

  20. Countermeasures
     - Spamming inevitable due to IP push model
     - Remedy: stop early when spamming happens
       - Detection of unwanted traffic @mobile/operator
       - Feedback (esp. from the mobile to the operator)
       - At least allow users to stop data charging (no service)
       - Exploit/design mechanisms in cellular networks: implicit-block, explicit-allow, explicit-stop
     - Precaution, e.g., set a volume limit
     - Application: be aware of spamming attack
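
The gap named on slide 19 (flow termination at the phone ≠ charging termination at the operator) and the explicit-stop remedy on slide 20 can be put side by side in a small accounting model. This is an added example, not code from the paper or from any operator; the record fields, the reject threshold and the trace are constructed assumptions.

```python
from collections import namedtuple, defaultdict

# One packet as seen at the core gateway. Field names are assumptions for this
# sketch, not an operator record format.
Pkt = namedtuple("Pkt", "t direction flow kind size")
REJECTS = {"tcp_rst", "icmp_unreachable"}   # the mobile's "I do not want this"

def bill_current(trace):
    """Slide 19 behaviour: keep charging for as long as data arrives."""
    bill = defaultdict(int)
    for p in trace:
        bill[p.flow] += p.size
    return dict(bill)

def bill_with_explicit_stop(trace, threshold=3):
    """Stop forwarding and charging a flow's downlink after `threshold`
    rejects from the mobile with no uplink data in between; uplink data
    from the mobile re-allows the flow (explicit-allow)."""
    bill, rejects, stopped = defaultdict(int), defaultdict(int), set()
    for p in sorted(trace, key=lambda p: p.t):
        if p.direction == "UL":
            if p.kind in REJECTS:
                rejects[p.flow] += 1
                if rejects[p.flow] >= threshold:
                    stopped.add(p.flow)
            else:                      # the mobile is using the flow again
                rejects[p.flow] = 0
                stopped.discard(p.flow)
        elif p.flow in stopped:
            continue                   # dropped at the gateway, not billed
        bill[p.flow] += p.size
    return dict(bill), stopped

def constructed_trace():
    """Constructed sample: one normal web flow, and one flow that keeps
    receiving 1400-byte packets after the phone tore it down at t=10."""
    web = [Pkt(0, "UL", "web", "data", 500)] + \
          [Pkt(t, "DL", "web", "data", 1400) for t in (1, 2, 3)]
    spam = [Pkt(0, "UL", "spam", "data", 500)] + \
           [Pkt(t, "DL", "spam", "data", 1400) for t in range(1, 61)] + \
           [Pkt(t + 0.5, "UL", "spam", "tcp_rst", 40) for t in range(11, 61)]
    return web + spam

if __name__ == "__main__":
    trace = constructed_trace()
    print(bill_current(trace))
    print(bill_with_explicit_stop(trace))
```

The trace is replayed as recorded, so resets sent after the stop still appear in it and are still billed as uplink; the normal flow is billed identically under both policies.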

  21. Toll-Free-Data-Access-Attack

  22. Vulnerability
     - Both operators provide free DNS service
     - Policy: Free DNS Service
       - OP-I: Packets via port 53 are free
       - OP-II: Packets via UDP+Port 53 free
       - Bill (DNS) = 0
     - #1: free fake DNS loophole
       - Real data over 53 vs. DNS packets
       - DNS flow ID: (srcIP, destIP, srcPort, destPort, protocol)
       - OP-I: Free via port 53
       - OP-II: Free via UDP+Port 53
     - #2: no volume-check loophole
       - Any enforcement for packets over port 53?
       - OP-I: no observed limits, except 29KB for one request packet
       - OP-II: no observed limits
       - Bill (ANY-on-DNS) = 0

  23. Toll-Free-Data-Access-Attack
     - Proxy outside cellular network
     - Tunneling over 53 between the mobile and external network
       - similar to calling 800-hotline
     - Implementation
       - HTTP-proxy on port 53 (only for web, OP-I)
       - Sock-proxy on port 53 (for more apps, OP-I)
       - DNS-tunneling on UDP-53 (all apps, OP-I, II)
     - Results
       - Free data access > 200MB, no sign of limits
     - Demo if interested

  24. Countermeasures
     - Simplest fix: stop free DNS service
       - OP-II stopped it since this July
     - Other suggestions
       - Authenticate DNS service
       - Only allow using authenticated DNS resolvers
       - DNS message integrity check
       - Provide free DNS quota

  25. Beyond DNS
     - Existing DNS tunneling tools: iodine etc.
       - Designed for data access when Internet access is blocked
     - Differentiated-charging policy
       - e.g., free access to one website / via some APN, or cheaper VoIP than Web
     - Incentive to pay less (attackers or even normal users)
     - Gap btw policy and its enforcement
     - Bullet-proof design & practice
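
Closing the gap between policy and enforcement for the free-DNS rule (slides 22 and 24) means the charging function has to check more than the port number. The sketch below is an added example, not the paper's or any operator's code; it covers uplink queries only and combines three of the slide-24 suggestions: a resolver allowlist (standing in for authenticated resolvers), a structural check of the DNS message (standing in for an integrity check), and a free quota. The resolver address and quota value are assumptions.

```python
import struct

OPERATOR_RESOLVERS = {"10.0.0.53"}  # assumption: the operator's own resolver
FREE_DNS_QUOTA = 2000               # assumption: free bytes per subscriber per cycle

def is_wellformed_dns_query(payload):
    """Structural check: 12-byte header, QR=0, exactly one question, a
    valid label sequence, then QTYPE/QCLASS and nothing unexplained."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qd != 1 or an or ns:
        return False
    pos = 12
    while pos < len(payload) and payload[pos] != 0:
        if payload[pos] > 63:       # labels are at most 63 bytes; no pointers
            return False
        pos += 1 + payload[pos]
    if pos >= len(payload) or pos + 1 - 12 > 255:
        return False
    rest = len(payload) - (pos + 1)
    return rest == 4 if ar == 0 else rest > 4   # extra bytes only with EDNS

def billable_bytes(used, sub, proto, dst_ip, dst_port, payload):
    """Bytes to bill for one uplink packet. `used` maps a subscriber to
    the free DNS bytes already consumed in this billing cycle."""
    free = (proto == "udp" and dst_port == 53
            and dst_ip in OPERATOR_RESOLVERS
            and is_wellformed_dns_query(payload)
            and used.get(sub, 0) + len(payload) <= FREE_DNS_QUOTA)
    if free:
        used[sub] = used.get(sub, 0) + len(payload)
        return 0
    return len(payload)             # everything else is ordinary data

def make_query(name, qtype=1):
    """Constructed sample input: a standard query for `name`, class IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)

if __name__ == "__main__":
    used, q = {}, make_query("example.com")
    print(billable_bytes(used, "alice", "udp", "10.0.0.53", 53, q))    # free
    print(billable_bytes(used, "alice", "udp", "203.0.113.9", 53, q))  # billed
```

Tunneling tools such as iodine emit well-formed DNS through ordinary resolvers, so the structural check and the allowlist alone do not stop them; the quota is what bounds the unbilled volume.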
