Rogue Femtocell Owners: How Mallory Can Monitor My Devices David - PowerPoint PPT Presentation

Rogue Femtocell Owners: How Mallory Can Monitor My Devices David Malone, Darren F. Kavanagh and Niall R. Murphy 19 April 2013

Femtocells • Small devices acting as cellular base stations. • Deployed to extend coverage in homes, offices, . . . • Access can be open or closed. • No direct connection to MNO network. • Use Internet and IPsec for backhaul.

Femtocell (front) Alcatel-Lucent 9361 Home Cell V2-V.

Femtocell (back) Alcatel-Lucent 9361 Home Cell V2-V.

Femtocell Access Control • Anyone device can connect to open femtocell. • Closed femtocells allow ACL. • Commonly administered by web page, list phone numbers. • No further checking done. • Idea: ACL to target devices who shouldn’t trust us? • Idea: Use traffic analysis as passive attack. • Snoop on your neighbour?

Monitoring a device • Add phone (Nokia X6) to femtocell’s ACL. • SMS, MMS, voice calls, web browsing, management. • Collect femtocell traffic on router. • Traffic (mostly) encrypted, but know time, size, ToS. • What does traffic tell us about activity?

7000 Phone fully booted Turn phone on Turn phone off Get short text message ToS 0 ToS 2 Get text long message Traffic Analysis (to femtocell) Get text message 6000 End web browsing Start web browsing Call to 1191 end Call to 1191 starts Hang up Call mobile number with no answer 5000 Sending short test text again again Get short text again Sending short test text again Get short text Sending short test text 4000 Incoming call begins ringing Incoming call ends ringing End lap of block Begin lap of block 3000 2000 Hang up on ringing call Call a number with no answer Get short text saying Testing 1000 Call to 1191 ends a few seconds ago At the signal it will be 20:46:40 Call to 1191 starts Send MMS send icon gone Send MMS with 126kB message Send SMS saying This is a longer text ..... Send SMS saying Testing short text. 0 1400 1200 1000 800 600 400 200 0

7000 Phone fully booted Turn phone on Turn phone off Get short text message Traffic Analysis (from femtocell) ToS 0 ToS 72 ToS 74 ToS 184 ToS 192 Get text long message Get text message 6000 End web browsing Start web browsing Call to 1191 end Call to 1191 starts Hang up Call mobile number with no answer 5000 Sending short test text again again Get short text again Sending short test text again Get short text Sending short test text 4000 Incoming call begins ringing Incoming call ends ringing End lap of block Begin lap of block 3000 2000 Hang up on ringing call Call a number with no answer Get short text saying Testing 1000 Call to 1191 ends a few seconds ago At the signal it will be 20:46:40 Call to 1191 starts Send MMS send icon gone Send MMS with 126kB message Send SMS saying This is a longer text ..... Send SMS saying Testing short text. 0 1400 1200 1000 800 600 400 200 0

7000 Phone fully booted Turn phone on Turn phone off Get short text message ToS 0 ToS 72 ToS 74 ToS 184 ToS 192 Get text long message Get text message 6000 Traffic Analysis (cleaned up) End web browsing Start web browsing Call to 1191 end Call to 1191 starts Hang up Call mobile number with no answer 5000 Sending short test text again again Get short text again Sending short test text again Get short text Sending short test text 4000 Incoming call ends ringing Incoming call begins ringing End lap of block Begin lap of block 3000 2000 Hang up on ringing call Call a number with no answer Get short text saying Testing 1000 Call to 1191 ends a few seconds ago At the signal it will be 20:46:40 Call to 1191 starts Send MMS send icon gone Send MMS with 126kB message Send SMS saying This is a longer text ..... Send SMS saying Testing short text. 0 1400 1200 1000 800 600 400 200 0

Classification • Could we classify based on this? • Yes — hand designed algorithm based on 10s buckets. • Some trouble telling SMS/signaling and MMS/data apart. • Works well (15000s, 35 events, one false positive). for each (10s interval) { Remove background traffic (size, TOS, direction) Count number_of packets for each (TOS, direction) Store largest packet size for each (TOS, direction) if (number_of (TOS 184,SRC) packets > 1) event "Call in progress"; if (number_of (TOS 0,SRC) packets > 0) { if (largest (TOS 0, SRC|DST) > 800) event "Web session in progress"; else if (largest (TOS 0, DST) > 800) event "Recv MMS in progress"; else if (largest (TOS 0, SRC) > 800) event "Send MMS in progress"; else event "Small Data/MMS in progress"; } if (number_of (TOS 74) > 0 && number_of (TOS 0|72|184, SRC) == 0) event "Signaling or SMS"; }

Classification vs. Events 6000 5500 MMS actually arrives Recv MMS in progress+ + MMS in transit Signaling or SMS+ MMS starts to arrive 5000 End incoming call + + + + + Call in progress+ Begin incoming call 4500 Phone fully on Signaling or SMS+ Turn phone on Signaling or SMS+ Turn phone off phone fully off 4000 SMS actually arrives Signaling or SMS+ Start getting SMS MMS icon gone Small data traffic in progress+ Send MMS in progress+ + Begin sending MMS 3500 End web browsing 3000 100 80 60 40 20 0 Begin web browsing

Two Femtocells? • Suppose we can snoop on two femtocells, each near a target. • E.g. two celebrities, are they exchanging calls? • Can we correlate the information at both ends? • Two femtos, two gateways (NTP synced), two phones (iPhone). • Collect traffic, compare traces. • Run classifier, correlate results.

Traffic Analysis (two femto) Packets from Femto 2 (above axis) and to Femto 1 (below axis) 1500 Femto 1 Dst ToS 0 Femto 1 Dst ToS 2 Femto 2 Src ToS 0 Femto 2 Src ToS 72 1000 Femto 2 Src ToS 74 Femto 2 Src ToS 184 Femto 2 Src ToS 192 500 Packet Size (bytes) 0 500 1000 1500 0 500 1000 1500 2000 2500 3000 3500 Time (s)

Traffic Analysis (two femto) Packets from Femto 1 (above axis) to Femto 2 (below axis) 1500 Femto 1 Src ToS 0 Femto 1 Src ToS 72 Femto 1 Src ToS 74 Femto 1 Src ToS 184 1000 Femto 1 Src ToS 192 Femto 2 Dst ToS 0 Femto 2 Dst ToS 2 500 Packet Size (bytes) 0 500 1000 1500 0 500 1000 1500 2000 2500 3000 3500 Time (s)

Traffic Analysis (two femto) Packets from Femto 2 (above axis) and to Femto 1 (below axis) Femto 1 Dst ToS 0 Femto 1 Dst ToS 2 400 Femto 2 Src ToS 0 Femto 2 Src ToS 72 Femto 2 Src ToS 74 Femto 2 Src ToS 184 Femto 2 Src ToS 192 200 Packet Size (bytes) 0 200 400 390 400 410 420 430 440 450 Time (s)

Other Side Channels • We control femtocell’s environment. • Are there other things we can snoop on? • RF? • Power usage? • LEDs?

Power Analysis Power consumption of femtocell under different conditions 9 8 7 6 Power (W) 5 4 3 2 Booting Idle One Voice Call 1 Two Voice Calls FTP Transfer 0 0 100 200 300 400 500 600 Time (s) Measured with help of Roberto Riggo. Actually significant difference in means!

LED Analysis Maybe good for clearing false positives?

Fixes? Dummy Traffic Generate dummy traffic all the time, to hide behaviour. Unlikely to be popular. IMEI/IMSI Number Ask for more information when adding phone to ACL. User Confirmation Send a SMS and ask if OK to use femto? The last addresses the issue of user consent. Issues for dumb devices.

Conclusion • Analysis worked pretty well. • Trusted devices with potentially rogue network administrators. • Attacks on compressed voice (Wright et al). • What about active attacks? • More ambitions — botnet of femto gateways?