Rogue Femtocell Owners: How Mallory Can Monitor My Devices
David Malone, Darren F. Kavanagh and Niall R. Murphy
19 April 2013
Femtocells
- Small devices acting as cellular base stations.
- Deployed to extend coverage in homes, offices, . . .
- Access can be open or closed.
- No direct connection to MNO network.
- Use Internet and IPsec for backhaul.
Femtocell (front)
Alcatel-Lucent 9361 Home Cell V2-V.
Femtocell (back)
Alcatel-Lucent 9361 Home Cell V2-V.
Femtocell Access Control
- Any device can connect to an open femtocell.
- Closed femtocells use an ACL.
- Commonly administered via a web page, as a list of phone numbers.
- No further checking is done.
- Idea: add target devices to the ACL, even though they shouldn't trust us?
- Idea: use traffic analysis as a passive attack.
- Snoop on your neighbour?
Monitoring a device
- Add phone (Nokia X6) to femtocell’s ACL.
- SMS, MMS, voice calls, web browsing, management.
- Collect femtocell traffic on router.
- Traffic is (mostly) encrypted, but we still know time, size and ToS.
- What does traffic tell us about activity?
Traffic Analysis (to femtocell)
[Figure: packet size (bytes) against time (s) for packets to the femtocell, legend ToS 0 and ToS 2, annotated with the phone events listed below.]
Traffic Analysis (from femtocell)
[Figure: the same time span for packets from the femtocell, legend ToS 0, 72, 74, 184 and 192, with the same event annotations.]
Traffic Analysis (cleaned up)
[Figure: a cleaned-up version of the from-femtocell plot, same legend and event annotations.]
Annotated events, in order: send SMS "Testing short text"; send SMS "This is a longer text ..."; send MMS with 126kB message, until the send icon is gone; call to 1191 starts ("At the signal it will be 20:46:40") and ends; get short text "Testing"; call a number with no answer, hang up on ringing call; begin and end a lap of the block; incoming call begins and ends ringing; send short test text and get short text (repeated twice more); call a mobile number with no answer, hang up; second call to 1191 starts and ends; start and end web browsing; get text message, long text message, short text message; turn phone off, turn phone on, phone fully booted.
Classification
- Could we classify based on this?
- Yes — a hand-designed algorithm based on 10s buckets.
- Some trouble telling SMS/signaling and MMS/data apart.
- Works well (15000s, 35 events, one false positive).
    for each (10s interval) {
        Remove background traffic (size, TOS, direction)
        Count number_of packets for each (TOS, direction)
        Store largest packet size for each (TOS, direction)
        if (number_of (TOS 184, SRC) packets > 1)
            event "Call in progress";
        if (number_of (TOS 0, SRC) packets > 0) {
            if (largest (TOS 0, SRC|DST) > 800)
                event "Web session in progress";
            else if (largest (TOS 0, DST) > 800)
                event "Recv MMS in progress";
            else if (largest (TOS 0, SRC) > 800)
                event "Send MMS in progress";
            else
                event "Small Data/MMS in progress";
        }
        if (number_of (TOS 74) > 0 && number_of (TOS 0|72|184, SRC) == 0)
            event "Signaling or SMS";
    }
Classification vs. Events
[Figure: classifier output (Send MMS in progress, Small data traffic in progress, Signaling or SMS, Call in progress, Recv MMS in progress) marked against the hand-recorded events over roughly 3000–6000 s: begin/end web browsing, begin sending MMS until the MMS icon is gone, start getting SMS until it actually arrives, phone off and fully off, phone on and fully on, begin/end incoming call, MMS starts to arrive, in transit, actually arrives.]
Two Femtocells?
- Suppose we can snoop on two femtocells, each near a target.
- E.g. two celebrities, are they exchanging calls?
- Can we correlate the information at both ends?
- Two femtos, two gateways (NTP synced), two phones (iPhone).
- Collect traffic, compare traces.
- Run classifier, correlate results.
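Added example, not code from the slides: the 10s-bucket classifier from the Classification slide and the two-femtocell correlation step, in Python over constructed packet tuples. It assumes background traffic has already been removed, reads the slide's `SRC|DST` test as "large packets in both directions", and the tuple format, function names and sample traces are my own.

```python
from collections import defaultdict
BUCKET, BIG = 10, 800  # slide: 10 s buckets, "largest packet > 800" bytes

def bucket_stats(packets, start):
    """Count and largest size per (ToS, direction) in one bucket; packets are
    (time_s, size_bytes, tos, 'SRC'|'DST'), 'SRC' = from the femtocell."""
    count, largest = defaultdict(int), defaultdict(int)
    for t, size, tos, d in packets:
        if start <= t < start + BUCKET:
            count[(tos, d)] += 1
            largest[(tos, d)] = max(largest[(tos, d)], size)
    return count, largest

def classify_bucket(count, largest):
    """The slide's rules for one bucket; 'SRC|DST' read as large both ways."""
    events = []
    if count[(184, "SRC")] > 1:
        events.append("Call in progress")
    if count[(0, "SRC")] > 0:
        if largest[(0, "SRC")] > BIG and largest[(0, "DST")] > BIG:
            events.append("Web session in progress")
        elif largest[(0, "DST")] > BIG:
            events.append("Recv MMS in progress")
        elif largest[(0, "SRC")] > BIG:
            events.append("Send MMS in progress")
        else:
            events.append("Small Data/MMS in progress")
    if (count[(74, "SRC")] + count[(74, "DST")] > 0
            and all(count[(tos, "SRC")] == 0 for tos in (0, 72, 184))):
        events.append("Signaling or SMS")
    return events

def classify_trace(packets):
    """Bucket start time -> events detected in it (quiet buckets omitted)."""
    out = {}
    for start in range(0, int(max(p[0] for p in packets)) + 1, BUCKET):
        events = classify_bucket(*bucket_stats(packets, start))
        if events:
            out[start] = events
    return out

def concurrent(trace_a, trace_b, label="Call in progress"):  # two-femto step
    ea, eb = classify_trace(trace_a), classify_trace(trace_b)
    return sorted(s for s in ea if label in ea[s] and label in eb.get(s, []))

# Constructed sample traces (not captured data): one activity per bucket.
FEMTO_1 = [(1, 100, 184, "SRC"), (2, 100, 184, "SRC"), (3, 100, 184, "SRC"),
           (12, 1200, 0, "SRC"), (13, 1400, 0, "DST"), (22, 60, 0, "SRC"),
           (23, 1300, 0, "DST"), (33, 120, 74, "SRC"), (42, 1300, 0, "SRC")]
FEMTO_2 = [(2, 100, 184, "SRC"), (4, 100, 184, "SRC"), (44, 100, 74, "DST")]
```

With the gateways NTP-synced as on the slide, `concurrent` returns the buckets in which both femtocells carry a call at the same time, the signal the two-celebrity question asks for.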
Traffic Analysis (two femto)
[Figure: Packet Size (bytes) against Time (s), 0–3500 s; packets from Femto 2 (above axis) and to Femto 1 (below axis); legend Femto 1 Dst ToS 0 and 2, Femto 2 Src ToS 0, 72, 74, 184 and 192.]
Traffic Analysis (two femto)
[Figure: Packet Size (bytes) against Time (s), 0–3500 s; packets from Femto 1 (above axis) and to Femto 2 (below axis); legend Femto 1 Src ToS 0, 72, 74, 184 and 192, Femto 2 Dst ToS 0 and 2.]
Traffic Analysis (two femto)
[Figure: the first two-femto plot zoomed to 390–450 s; packets from Femto 2 (above axis) and to Femto 1 (below axis), same legend.]
Other Side Channels
- We control femtocell’s environment.
- Are there other things we can snoop on?
- RF?
- Power usage?
- LEDs?
Power Analysis
[Figure: Power (W) against Time (s), 0–600 s, y axis 1–9 W: power consumption of the femtocell under different conditions: Booting, Idle, One Voice Call, Two Voice Calls, FTP Transfer.]
Measured with the help of Roberto Riggo. There is actually a significant difference in means!
LED Analysis
Maybe good for clearing false positives?
Fixes?
- Dummy Traffic: generate dummy traffic all the time, to hide behaviour. Unlikely to be popular.
- IMEI/IMSI Number: ask for more information when adding a phone to the ACL.
- User Confirmation: send an SMS and ask if it is OK to use the femto?
The last addresses the issue of user consent. Issues for dumb devices.
Conclusion
- Analysis worked pretty well.
- Trusted devices with potentially rogue network administrators.
- Attacks on compressed voice (Wright et al).
- What about active attacks?
- More ambitious — a botnet of femto gateways?