MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES

MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES. Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang, University of California, Los Angeles. ACM CCS'12, C Peng (UCLA)


SLIDE 1

MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES

Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang
University of California, Los Angeles

ACM CCS'12

SLIDE 2

Mobile Data Access

• 1.2 billion global users

[Figure labels: Cellular Network, Core Network, Internet]

SLIDE 3

Mobile Data Charging

[Figure labels: Cellular Network, Internet, Bill]

Metered charging based on actual data usage, e.g., $20/month for 300MB (AT&T)

Security: Can any attack make the users pay MORE/LESS?

SLIDE 4

How Charging Works & Be Secured

[Figure labels: Cellular Network, Gateway, Internet, Authentication, Accounting, NAT, Policy, Bill]

#1: Accounting @ core gateway only
#2: Both UL/DL per connection charged
#3: Policy defined by operators

SLIDE 5

Two Security Issues

[Figure labels: Authentication, NAT, Bill]

#1: Can the attacker bypass the security mechanism to exploit charging architecture loophole to make the users pay MORE?
  • Stealth-spam-attack

#2: Can the attacker exploit charging policy to pay LESS?
  • Toll-Free-Data-Access-Attack

SLIDE 6

Threat Models

• Cellular network is not compromised
• Charging subsystem works as designed
• Security mechanism works as designed
• Attacker's capability
  • Only use installed apps @ mobile, or
  • Deploy malicious servers outside cellular networks

SLIDE 7

Outline

• Stealth-spam-attack (pay MORE)
  • Vulnerability
  • Attack design & implementation & damage
  • Countermeasures & insight
• Toll-free-data-access-attack (pay LESS)
  • Vulnerability
  • Attack design & implementation & damage
  • Countermeasures & insight
• Summary

SLIDE 8

Stealth-Spam-Attack

SLIDE 9

Security Against Spamming

[Figure labels: Authentication, NAT, Bill]

Outgoing-Spam
  • Due to malware @mobile or spoofing.
  • Simple, not addressed here.

Incoming-Spam
  • Can security mechanism (e.g., NAT/Firewalls) block incoming spam?
  • NAT
    • Private IP addr. is not accessible
    • Access allowed only when initiated by the mobile

SLIDE 10

Vulnerability

• Normal: ① Init a data service, ② Incoming traffic ✔
• Attacked: ① Trap the victim to open data access, ② Incoming Spam (spam from the attacker) ✗

Different from conventional spamming, e.g., Email/SMS spam:
  • Unawareness (stealthy)
  • Long-lived (lasting hours or longer)

[Figure labels: Authentication, NAT, E-attacker, Bill; timeline comparing Data Services (charged) with the actual charging time window, (normal) vs. (attacked)]

SLIDE 11

Stealth-Spam-Attack

• Step1-Trap: init data access
  • Example-1: click a malicious web link
  • Example-2: login Skype once / stay online
• Step2-Spam: keep spamming
  • No matter what status @mobile

SLIDE 12

Web-based Attack

• Implementation
  • Phone: click a malicious web link
  • Attacker (server): send spam data at constant rate (disable TCP congestion control and tear-down)
• Result: charging keeps going
  • Even after the phone tears down TCP
    • TCP FIN, timeout
  • Even when many "TCP RESET" sent from the mobile

SLIDE 13

Damage vs. Spamming Rate

Charging volume vs. spamming rate

[Figure panels: Operator-I, Operator-II]

• In proportion to spamming rate when rate is low
• Charging blocked when rate is high (> 1Mbps)
• The charged volume could be > the received one [Mobicom'12]

SLIDE 14

Damage vs. Duration

Spamming rate = 150Kbps

No observed sign to end when the attack lasts 2 hours if the rate is low (spamming > 120MB)

SLIDE 15

Skype-based Attack

• Implementation
  • Phone: do nothing (stay online once in Skype)
  • Attacker: Skype call the victim and hang up
  • Attacker (server): send spam data at constant rate
• Exploit Skype "loophole"
  • allows data access from the host who attempts to call the victim before the attempt is accepted
• Demo

SLIDE 16

Demo: for a specific victim

• Result: charging keeps going
  • Even after Skype logout
  • Even when there is no Skype call session
  • Even when many "ICMP unreachable" sent from the mobile

SLIDE 17

Damage vs. Spamming Rate

Charging volume vs. spamming rate

[Figure panels: Operator-I, Operator-II]

No bounds on spamming rate compared with TCP-based attack

SLIDE 18

Damage vs. Duration

Spamming rate = 50Kbps

No observed sign to end when the attack lasts 24 hours (spamming > 500MB)

SLIDE 19

Root Cause

[Figure labels: ① Init a data service, ① trap the victim to open data access, ② Incoming Spam, NAT, E-attacker, Bill]

#1: Initial authentication ≠ authentication all along
  • Current system: Secure only the initialization
  • IP forwarding can push packets to the victim (not controlled by the victim)

#2: Data flow termination @ the phone ≠ charging termination @ the operator
  • Current system: Keep charging if data comes
    • Local view @ core gateway
  • Different views @ mobile: data conn. ends or never starts, or exception happens
  • Lack of feedback/control

SLIDE 20

Countermeasures

• Spamming inevitable due to IP push model
• Remedy: stop early when spamming happens
  • Detection of unwanted traffic @mobile/operator
  • Feedback (esp. from the mobile to the operator)
    • At least allow users to stop data charging (no service)
    • Exploit/design mechanisms in cellular networks: implicit-block, explicit-allow, explicit-stop
  • Precaution, e.g., set a volume limit
• Application: be aware of spamming attack
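
Added example (not from the original slides): a small model of gateway accounting showing how the implicit-block / explicit-allow / explicit-stop feedback named above changes what is charged. The packet kinds, flow name and byte sizes are constructed for illustration; "ul" packets are assumed to arrive over the subscriber's authenticated bearer.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    direction: str   # "ul" = from the mobile, "dl" = toward the mobile
    flow: str        # flow identifier (constructed)
    kind: str        # "data", "fin", "rst" or "icmp_unreach"
    size: int        # bytes seen at the core gateway

STOP_SIGNALS = {"fin", "rst", "icmp_unreach"}

def gateway_charge(packets, honor_feedback):
    """Return (charged_bytes, dropped_bytes) for one subscriber.

    honor_feedback=False models the behaviour described on the slides:
    once a flow is opened, downlink data is charged whatever the phone says.
    honor_feedback=True treats the phone's teardown signals as explicit-stop.
    """
    allowed, charged, dropped = set(), 0, 0
    for p in packets:
        if p.direction == "ul":
            charged += p.size                  # uplink is always accounted
            if p.kind in STOP_SIGNALS and honor_feedback:
                allowed.discard(p.flow)        # explicit-stop
            elif p.kind == "data":
                allowed.add(p.flow)            # explicit-allow
        elif p.flow in allowed:
            charged += p.size                  # wanted downlink traffic
        else:
            dropped += p.size                  # implicit-block: no charge
    return charged, dropped

def sample_trace():
    """Constructed trace: short session, FIN from the phone, then downlink
    data that keeps arriving while the phone answers with RSTs."""
    trace = [Pkt("ul", "f1", "data", 400)]
    trace += [Pkt("dl", "f1", "data", 1000) for _ in range(10)]
    trace.append(Pkt("ul", "f1", "fin", 40))
    for i in range(100):
        trace.append(Pkt("dl", "f1", "data", 1000))
        if i % 10 == 9:
            trace.append(Pkt("ul", "f1", "rst", 40))
    return trace

if __name__ == "__main__":
    print("charging as designed :", gateway_charge(sample_trace(), False))
    print("with phone feedback  :", gateway_charge(sample_trace(), True))
```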

SLIDE 21

Toll-Free-Data-Access-Attack

SLIDE 22

Vulnerability

Both operators provide free DNS service

[Figure labels: DNS packets, Real data over 53, Bill (DNS)]

Policy: Free DNS Service
  • DNS flow ID: (srcIP, destIP, srcPort, destPort, protocol)
  • OP-I: Packets via port 53 are free
  • OP-II: Packets via UDP+Port 53 free

#1: free fake DNS loophole
  • Real data over 53
  • OP-I: Free via port 53
  • OP-II: Free via UDP+Port 53
  • Bill (DNS) = 0, Bill (ANY-on-DNS) = 0

#2: no volume-check loophole
  • Any enforcement for packets over port 53?
  • OP-I: no observed limits, except 29KB for one request packet
  • OP-II: no observed limits

SLIDE 23

Toll-Free-Data-Access-Attack

• Proxy outside cellular network
• Tunneling over 53 between the mobile and external network
  • similar to calling 800-hotline
• Implementation
  • HTTP-proxy on port 53 (only for web, OP-I)
  • Sock-proxy on port 53 (for more apps, OP-I)
  • DNS-tunneling on UDP-53 (all apps, OP-I, II)
• Results
  • Free data access > 200MB, no sign of limits
• Demo if interested

SLIDE 24

Countermeasures

• Simplest fix: stop free DNS service
  • OP-II stopped it since this July
• Other suggestions
  • Authenticate DNS service
    • Only allow using authenticated DNS resolvers
    • DNS message integrity check
  • Provide free DNS quota
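
Added example (not from the original slides): an accounting rule that combines the suggestions above, so a packet is free only if it goes over UDP port 53 to an operator resolver, parses as a DNS query, and fits within a per-subscriber free quota. The resolver address, quota size and the structural check (standing in for the slide's "integrity check") are assumptions; well-formed tunnel queries still pass the parser, which is why the quota is the bound that matters.

```python
import struct
from collections import defaultdict

# Assumed values for illustration; a real operator would load these from policy.
TRUSTED_RESOLVERS = {"10.0.0.53"}   # operator-run resolver (constructed address)
FREE_DNS_QUOTA = 64 * 1024          # free DNS bytes per subscriber per period
MAX_UDP_DNS = 512                   # classic DNS-over-UDP message limit

def build_query(name, qtype=1):
    """Build a minimal DNS query (constructed sample input)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def looks_like_dns_query(payload):
    """Header must say 'standard query, one question' and the question must
    parse to exactly the end of the message (or leave room for one OPT RR)."""
    if not 17 <= len(payload) <= MAX_UDP_DNS:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0xF800 or qd != 1 or an or ns or ar > 1:
        return False
    pos = 12
    while pos < len(payload) and payload[pos]:
        if payload[pos] > 63:           # labels are at most 63 bytes, no pointers
            return False
        pos += payload[pos] + 1
    end = pos + 5                       # root label + QTYPE + QCLASS
    return end == len(payload) if ar == 0 else len(payload) - end >= 11

class DnsAwareAccounting:
    """Uplink accounting: free only when every policy condition holds."""
    def __init__(self):
        self.free_used = defaultdict(int)
        self.billed = defaultdict(int)

    def account(self, subscriber, dst_ip, dst_port, proto, payload):
        size = len(payload)
        free = (proto == "udp" and dst_port == 53
                and dst_ip in TRUSTED_RESOLVERS
                and looks_like_dns_query(payload)
                and self.free_used[subscriber] + size <= FREE_DNS_QUOTA)
        if free:
            self.free_used[subscriber] += size
        else:
            self.billed[subscriber] += size   # charged like any other data
        return free
```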

SLIDE 25

Beyond DNS

• Existing DNS tunneling tools: iodine etc.
  • Designed for data access when Internet access is blocked
• Differentiated-charging policy
  • e.g., free access to one website / via some APN, or cheaper VoIP than Web
• Incentive to pay less (attackers or even normal users)
• Gap btw policy and its enforcement
• Bullet-proof design & practice

[Figure label: Bill]

SLIDE 26

On Incentive

• Toll-Free-Data-Access-Attack ✔
• Stealth-Spam-Attack
  • Good news: no obvious and strong incentive
    • No immediate gain for the attacker unless the ill-intentioned operator does it
  • Monetary loss against the attacker's adversary
  • Unexpected incentive in the future?

SLIDE 27

Summary

More information/demo in http://metro.cs.ucla.edu/projects.html

• Assess the vulnerability of 3G/4G data charging system
• Two types of attacks
  • Toll-free-data-access-attack (free > 200MB)
    • Enforcement of differentiated-charging policy
  • Stealth-spam-attack (overcharging > 500MB)
    • Rooted in charging architecture, security mechanism and IP model
  • No observed volume limits
• Insight
  • IP push model is not ready for metered-charging
  • Feedback or control needed during data charging
  • Differentiated-charging policy has to secure itself