CIS 6930 - Cellular and Mobile Network Security: GSM Overload
Professor Patrick Traynor
11/1/18
Florida Institute for Cybersecurity (FICS) Research
Reminders
• You need to start working on your project!
• Some of you have not yet built anything. This will be a problem soon!
• Remember, you must turn in all of your code, plus a makefile and instructions on how to run it!
• Remember to keep doing your reading!
• Not just for the final, but also so that you can participate in the class!
Unintended Consequences
• The law of unintended consequences states that most human actions have at least one unintended consequence.
Low Rate DoS Attacks
• While recent attacks on cellular networks seem unrelated, there is a common factor that catalyzes them all. Comparing multiple attacks uncovers causality:
  ‣ SMS Attack (JCS’09, CCS’05)
  ‣ Network Characterization and Partial Mitigations (TON’10, MobiCom’06)
  ‣ Data Teardown/Setup Attacks (USENIX Security’07)
  (Diagram: the three lines of work point to a common node labelled “Clash of Design Philosophies”.)
• The architecture of cellular networks inherently makes them susceptible to denial of service attacks.
SMS Delivery (simplified)
(Diagram of the SMS delivery path: an ESME on the Internet submits to the SMSC; the SMSC consults the HLR and VLRs to find the serving MSC, which delivers the message over the control channel (CCH); the PSTN also attaches to the MSCs.)
Control Channels
Control channels are used for a handful of infrequently used functions.
• Call setup, SMS delivery, mobility management, etc...
  ‣ The SDCCH allows the network to perform most of these functions.
• The number of SDCCHs typically depends on the expected use in an area.
  ‣ 4/8/12...
(Diagram: the control channels PCH, RACH, AGCH and SDCCH.)
Recognition
• Once you fill the SDCCH channels with SMS traffic, call setup is blocked.
(Diagram: a voice call attempt marked with an X while every SDCCH is occupied by an SMS.)
• The goal of an adversary is therefore to fill SDCCHs with SMS traffic.
  ‣ Not as simple as you might think...
Reconnaissance
• Can such an attack be launched by targeting a single phone?
  ‣ Low end phones: 30-50 msgs
  ‣ High end phones: 500+ msgs (battery dies)
• How do you get messages into the network?
  ‣ Email, IM, provider websites, bulk senders, etc...
• Don’t the networks have protections?
  ‣ IP Address blocking, Spam filtering
Finding Phones
• North American Numbering Plan (NANP)
  ‣ NPA-NXX-XXXX: NPA is the Numbering Plan Area (Area code), NXX is the Numbering Plan Exchange
  ‣ Mappings between providers and exchanges are publicly documented and available on the web
• Implication: An adversary can identify the prefixes used in a target area.
Web-Scraping
• Googling for phone numbers gives us better results:
  ‣ 7,300 in NYC
  ‣ 6,184 in D.C.
  ‣ in 5 seconds...
Provider Interfaces
• Almost all provider interfaces indicate whether or not a number is good.
  ‣ Some sites even tell you a target phone’s availability.
• This interface is an “oracle” for available phones.
Exploit (Metro)
Sectors in Manhattan × SDCCHs per sector × Messages per SDCCH per hour:

$$ (55\ \text{sectors}) \times \frac{12\ \text{SDCCH}}{1\ \text{sector}} \times \frac{900\ \text{msg/hr}}{1\ \text{SDCCH}} = 594{,}000\ \text{msg/hr} \approx 165\ \text{msg/sec} $$

• 165 msgs/sec × 1500 bytes = 1933.6 kb/sec
• 193.36 kb/sec on multi-send interface...
• Comparison: Cable modem ~= 768 kb/sec
Attack Profile
(Figure: SDCCH Utilization and TCH Utilization, 0 to 1.2, against Time (seconds), 0 to 4000.)
• Applied simulation and analysis to better characterize the attacks.
• Examined call blocking under multiple arrival patterns with exponentially distributed service times.
• Using 495 msgs/sec, a blocking probability of 71% is possible with the bandwidth of a cable modem.
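The blocking analysis on this slide can be reproduced in miniature with a loss-system model of one sector's SDCCH pool. The block below is an added example, not code from the lecture or its papers: it assumes Poisson arrivals of SMS deliveries and call setups, exponentially distributed holding times, and no waiting room (an attempt that finds every SDCCH busy is lost). It pairs the closed-form Erlang B blocking probability with a discrete-event simulation that should converge to it, and turns the model around the way a defender would, asking how many SDCCHs keep blocking under a target. The 4 s mean hold per message follows from the lecture's 900 msg/hr per SDCCH; the 3 s call-setup hold and the call rate are assumed values.

```python
"""Added example, not from the lecture: a minimal loss-system model of one
sector's SDCCH pool for capacity planning.  Assumptions (mine, not the
lecture's): Poisson arrivals of SMS deliveries and call setups, exponentially
distributed channel holding times, c identical SDCCHs and no waiting room, so
an attempt that finds every SDCCH busy is blocked."""
import random


def erlang_b(offered_load: float, servers: int) -> float:
    """Blocking probability of an M/M/c/c loss system (Erlang B).

    offered_load is in Erlangs (arrival rate x mean holding time).  The
    recursion B(A, k) = A*B(A, k-1) / (k + A*B(A, k-1)) avoids the large
    factorials of the closed form."""
    b = 1.0  # B(A, 0): with zero channels every attempt is blocked
    for k in range(1, servers + 1):
        b = offered_load * b / (k + offered_load * b)
    return b


def sdcchs_needed(offered_load: float, target_blocking: float, max_channels: int = 64) -> int:
    """Smallest number of SDCCHs that keeps Erlang-B blocking at or below target."""
    for c in range(1, max_channels + 1):
        if erlang_b(offered_load, c) <= target_blocking:
            return c
    raise ValueError("target not reachable with %d channels" % max_channels)


def simulate_sdcch(sms_rate, call_rate, sms_hold, call_hold, servers, duration, seed=1):
    """Discrete-event simulation of the same pool with two traffic classes.

    Rates are attempts per second, holds are mean seconds per attempt.
    Returns the blocked fraction per class.  In a pure loss system every
    class sees the same blocking (PASTA), so each should approach
    erlang_b(sms_rate*sms_hold + call_rate*call_hold, servers)."""
    rng = random.Random(seed)
    busy_until = []  # release times of SDCCHs currently in use
    attempts = {"sms": 0, "call": 0}
    blocked = {"sms": 0, "call": 0}
    total_rate = sms_rate + call_rate
    t = 0.0
    while True:
        t += rng.expovariate(total_rate)  # next arrival of either class
        if t >= duration:
            break
        kind = "sms" if rng.random() < sms_rate / total_rate else "call"
        busy_until = [end for end in busy_until if end > t]  # free finished channels
        attempts[kind] += 1
        if len(busy_until) >= servers:
            blocked[kind] += 1  # no SDCCH free: the attempt is lost
        else:
            hold = sms_hold if kind == "sms" else call_hold
            busy_until.append(t + rng.expovariate(1.0 / hold))
    return {k: blocked[k] / max(1, attempts[k]) for k in attempts}


if __name__ == "__main__":
    # Constructed scenario: 12 SDCCHs, SMS offered at 3 msg/s with a 4 s hold
    # (12 Erlangs, the lecture's 900 msg/hr per SDCCH across 12 SDCCHs), plus
    # 0.2 call setups/s holding an SDCCH for 3 s (assumed values).
    load = 3.0 * 4.0 + 0.2 * 3.0
    print("analytic blocking:", round(erlang_b(load, 12), 3))
    print("simulated blocking:", simulate_sdcch(3.0, 0.2, 4.0, 3.0, 12, 20000))
    print("SDCCHs for <=1% blocking at this load:", sdcchs_needed(load, 0.01))
```

The point the simulation makes is the one the slide makes: once the offered SMS load approaches the number of SDCCHs in Erlangs, voice setups are blocked at the same rate as messages, because both compete for the same control channel pool.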
Security Goals
• Goal: To preserve the fidelity of both voice services and legitimate text messages during targeted SMS attacks.
• Security Model:
  ‣ We must trust equipment in the network core.
  ‣ We can not trust Internet users or customer devices.
Placing Mitigations
(Diagram: the SMS delivery path again, ESME, Internet, SMSC, HLR, VLRs, MSCs and PSTN, marking where mitigations can be placed.)
Solution Classifications
• Scheduling/Shaping/Regulation
  ‣ WFQ, Leaky Bucket, Priority Queues
  ‣ AQM (WRED, REM, AVQ)
• Resource Provisioning
  ‣ SRP
  ‣ DRP
  ‣ DCA
(Figures: Percent of Attempts Blocked against Time (seconds), 0 to 4000, for SRP, DRP and DCA, with curves for Service Queue (SMS), Service Queue (Voice), SDCCH (SMS), SDCCH (Voice) and TCH (Voice); a fourth panel shows Utilization of the SDCCH, TCH and Service Queue over the same interval.)
WRED - Overview
(Diagram: a queue with three priority classes, High, Med and Low, and the drop thresholds t_med,min, t_med,max, t_low,min and t_low,max.)
WRED - Overview
(Diagram: the same three-class queue with thresholds t_med,min, t_med,max, t_low,min and t_low,max.)

$$ N_Q = P_Q \frac{\rho}{1 - \rho} $$

$$ \rho_{target} = \rho_{actual} (1 - P_{drop}) $$

$$ P_{drop} = \frac{P_{drop,high} \cdot \lambda_{high} + P_{drop,med} \cdot \lambda_{med} + P_{drop,low} \cdot \lambda_{low}}{\lambda_{SMS}} $$

$$ P_{drop} = P_{drop,max} \cdot \frac{Q_{avg} - t_{min}}{t_{max} - t_{min}} $$
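The four relations on this slide are easier to see at work than to read. The block below is an added example, not code from the lecture: it implements the per-class WRED drop curve $P_{drop} = P_{drop,max}(Q_{avg} - t_{min})/(t_{max} - t_{min})$, the rate-weighted aggregate $P_{drop}$, the surviving load $\rho_{target}$ and $N_Q$ as written, and then runs a slotted simulation of one SMS service queue under a constructed low-priority flood. The class thresholds, arrival counts, service rate and EWMA weight are all assumed values chosen for the demonstration; the lecture gives none of them.

```python
"""Added example, not from the lecture: the WRED rules on the slide applied
to an SMS service queue with three priority classes.  Thresholds, weights,
rates and the arrival trace are constructed values, not the lecture's."""
import random


def wred_drop_probability(q_avg, t_min, t_max, p_max):
    """P_drop = P_drop,max * (Q_avg - t_min) / (t_max - t_min), clamped:
    no drops below t_min, every arrival dropped at or above t_max."""
    if q_avg < t_min:
        return 0.0
    if q_avg >= t_max:
        return 1.0
    return p_max * (q_avg - t_min) / (t_max - t_min)


def aggregate_drop_probability(classes, q_avg):
    """P_drop = sum_i P_drop,i * lambda_i / lambda_SMS over the classes.
    classes maps name -> (arrival rate lambda, t_min, t_max, p_max)."""
    lam_sms = sum(c[0] for c in classes.values())
    weighted = sum(wred_drop_probability(q_avg, t_min, t_max, p_max) * lam
                   for lam, t_min, t_max, p_max in classes.values())
    return weighted / lam_sms


def target_utilization(rho_actual, p_drop):
    """rho_target = rho_actual * (1 - P_drop): the load that survives dropping."""
    return rho_actual * (1.0 - p_drop)


def mean_queue_length(rho, p_q):
    """N_Q = P_Q * rho / (1 - rho): mean queue length given the probability P_Q
    that an arrival has to wait."""
    if rho >= 1.0:
        raise ValueError("queue is unstable for rho >= 1")
    return p_q * rho / (1.0 - rho)


def run_wred(classes, arrivals_per_slot, service_per_slot, slots, weight=0.2, capacity=100, seed=1):
    """Slotted simulation of one shared SMS service queue.

    Each slot serves service_per_slot queued messages, then offers the
    per-class arrivals to WRED using an exponentially weighted moving
    average of the queue length (Q_avg).  Returns per-class (offered, dropped)."""
    rng = random.Random(seed)
    q = 0        # instantaneous queue length
    q_avg = 0.0  # EWMA of the queue length
    stats = {name: [0, 0] for name in classes}
    for _ in range(slots):
        q = max(0, q - service_per_slot)
        for name, (_lam, t_min, t_max, p_max) in classes.items():
            p = wred_drop_probability(q_avg, t_min, t_max, p_max)
            for _msg in range(arrivals_per_slot[name]):
                stats[name][0] += 1
                if q >= capacity or rng.random() < p:
                    stats[name][1] += 1  # dropped, by tail drop or by WRED
                else:
                    q += 1
        q_avg = (1.0 - weight) * q_avg + weight * q
    return {name: tuple(v) for name, v in stats.items()}


# Constructed classes: (lambda msgs/slot, t_min, t_max, p_max).  High priority
# is only tail-dropped at capacity; med and low carry (t_min, t_max) pairs as
# on the slide's diagram.
CLASSES = {
    "high": (1, 100, 100, 1.0),
    "med": (1, 20, 40, 0.2),
    "low": (6, 5, 25, 0.8),
}
ARRIVALS = {"high": 1, "med": 1, "low": 6}  # a low-priority flood: 8 msgs/slot offered


def flood_demo(slots=400):
    """Run the constructed flood against a queue that serves 4 msgs/slot."""
    return run_wred(CLASSES, ARRIVALS, service_per_slot=4, slots=slots)


if __name__ == "__main__":
    for name, (offered, dropped) in flood_demo().items():
        print(f"{name:5s} offered={offered:5d} dropped={dropped:5d} ({dropped / offered:.0%})")
    print("aggregate P_drop at Q_avg=22:", round(aggregate_drop_probability(CLASSES, 22), 3))
```

Because the low class's drop curve starts at a much lower threshold than the medium class's, the flood is shed almost entirely from the low class while high-priority messages are never dropped and medium-priority ones see only occasional drops; what the upper classes pay is queueing delay, which is the trade-off the results slide reports.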
WRED - Results
(Figures: Percent of Attempts Blocked against Time (seconds) for Service Queue (SMS - Priority 1, 2 and 3), SDCCH and TCH, and Average Queue Occupancy and Utilization against Time (seconds); the low-priority SMS blocking curve is the one that rises.)
• Messages of high and medium-priority experience no blocking, but increased delay.
• An average of 77% of low-priority messages are blocked.
• This is a nice solution, assuming meaningful partitioning of flows.
...and yet...
• Performance improvements come from one of two changes: speedup or parallelization.
• As diverse as our solutions appear, they all attempt to maximize performance through the latter.
  ‣ In many senses, we are not solving the problem - we are pushing food around on our plate.
• Adding bandwidth should logically address this problem.
Cellular Data Networks
• GPRS/EDGE provide much higher bandwidth service.
• Packet-switched data services are attractive to providers and users for a number of reasons.
• User devices operate in one of three states: IDLE, STANDBY and READY.
  ‣ IDLE: The device is unavailable.
  ‣ STANDBY: Available, but not exchanging packets.
  ‣ READY: Actively listening for packets.
(State diagram with the transitions labelled on the slide: GPRS Attach leaves IDLE and GPRS Detach returns to it; a Paging Request moves STANDBY to READY; READY Timer Expires returns READY to STANDBY; STANDBY Timer Expires returns STANDBY to IDLE.)
Data Architecture
(Diagram: the HLR, the Internet, a GGSN and two SGSNs; the IP addresses shown are 192.168.100.1, 192.168.1.2, 192.168.100.2 and 192.168.1.2.)
Real Network Configs
• To make these simulations represent reality, we use a Samsung Blackjack in Field Test Mode to discover settings of an operational network.
• Field Test Mode tells us that control channels for voice and data are shared in real networks.
  ‣ Voice and data traffic may be able to interfere with each other.
Reducing Overhead
• Because paging is so expensive, we don’t want to do it for every packet.
• Establishing a connection takes 5 seconds:
  ‣ Waiting: Paging, Wakeup, Processing, Acquiring timeslots
  ‣ Transmission
• GPRS differentiates packets at the MAC layer by Temporary Block Flows (TBFs).
  ‣ Each TBF is assigned a Temporary Flow ID (TFI).
Teardown Attack: Overview
• TFIs are implemented as 5-bit fields, yielding a maximum of 32 concurrent flows.
• If you send a message to a phone once every 5 seconds, the targeted device maintains its TFI.
  ‣ An adversary can therefore cause legitimate flows to block due to TBF/TFI exhaustion.

$$ \text{Capacity} \approx \frac{55\ \text{sectors}}{1\ \text{sector}} \times \frac{4 \to 16\ \text{msgs} \times 41\ \text{bytes}}{1\ \text{msg} \times 5\ \text{sec}} \approx 14.1 \to 56.4\ \text{Kbps} $$

$$ \text{Capacity} \approx \frac{55\ \text{sectors}}{1\ \text{sector}} \times \frac{32\ \text{msgs} \times 41\ \text{bytes}}{1\ \text{msg} \times 5\ \text{sec}} \approx 110\ \text{Kbps} $$
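From the network side, the signature of TBF/TFI exhaustion is a sector whose 32 TFIs are held by flows that carry almost nothing. The block below is an added example, not code from the lecture: it reconstructs how long each flow keeps a TFI allocated from per-flow packet timestamps, measures peak TFI demand against the 5-bit limit, and flags long-lived, low-volume flows. The 32-entry limit comes from the lecture; the 5 s TBF timeout, the `min_hold` and `max_avg_bytes` cut-offs, and the packet records are assumptions and constructed data.

```python
"""Added example, not from the lecture: a defender-side check for TBF/TFI
exhaustion in one sector.  The 5-bit TFI (32 concurrent flows) is from the
lecture; the 5 s TBF timeout and the packet records are assumptions and
constructed data."""

TFI_LIMIT = 32      # 5-bit TFI field: at most 32 concurrent flows per sector
TBF_TIMEOUT = 5.0   # assumed: seconds a TBF keeps its TFI after the last packet


def tfi_hold_intervals(packets, timeout=TBF_TIMEOUT):
    """Given (timestamp, bytes) packets of one flow, return the (start, end)
    intervals during which its TFI stays allocated.  Packets closer together
    than `timeout` extend one interval; a larger gap releases and reallocates."""
    if not packets:
        return []
    packets = sorted(packets)
    intervals = []
    start = last = packets[0][0]
    for t, _size in packets[1:]:
        if t - last > timeout:
            intervals.append((start, last + timeout))
            start = t
        last = t
    intervals.append((start, last + timeout))
    return intervals


def peak_tfi_occupancy(flows, timeout=TBF_TIMEOUT):
    """Sweep-line over every flow's hold intervals; returns (peak, time_of_peak)."""
    events = []
    for packets in flows.values():
        for start, end in tfi_hold_intervals(packets, timeout):
            events.append((start, 1))
            events.append((end, -1))
    events.sort()  # at equal times releases (-1) sort before allocations (+1)
    current = peak = 0
    peak_time = None
    for t, delta in events:
        current += delta
        if current > peak:
            peak, peak_time = current, t
    return peak, peak_time


def long_lived_low_volume_flows(flows, timeout=TBF_TIMEOUT, min_hold=30.0, max_avg_bytes=100):
    """Flag flows that hold a TFI for at least min_hold seconds while carrying
    only small packets: a flow kept alive solely to occupy its TFI."""
    flagged = []
    for flow_id, packets in flows.items():
        held = sum(end - start for start, end in tfi_hold_intervals(packets, timeout))
        avg_bytes = sum(size for _t, size in packets) / len(packets)
        if held >= min_hold and avg_bytes <= max_avg_bytes:
            flagged.append(flow_id)
    return sorted(flagged)


def constructed_sector_trace():
    """Constructed records for one sector: 30 flows receiving a 41-byte packet
    every 4.5 s for two minutes, plus 3 flows doing a 10 s bulk transfer."""
    flows = {}
    for i in range(30):
        flows[f"keepalive-{i:02d}"] = [(k * 4.5, 41) for k in range(27)]
    for j in range(3):
        flows[f"bulk-{j}"] = [(50.0 + k * 0.5, 1200) for k in range(20)]
    return flows


def exhaustion_report(flows, timeout=TBF_TIMEOUT):
    """Summarise TFI demand against the limit and list the suspicious flows."""
    peak, at = peak_tfi_occupancy(flows, timeout)
    return {
        "peak_occupancy": peak,
        "peak_time": at,
        "over_limit": peak > TFI_LIMIT,
        "suspicious_flows": long_lived_low_volume_flows(flows, timeout),
    }


if __name__ == "__main__":
    report = exhaustion_report(constructed_sector_trace())
    print(f"peak TFI demand {report['peak_occupancy']}/{TFI_LIMIT} at t={report['peak_time']}s,"
          f" over limit: {report['over_limit']}")
    print(f"{len(report['suspicious_flows'])} flows look like TFI keep-alives")
```

The report is the kind of per-sector metric a monitoring pipeline would emit: demand above `TFI_LIMIT` means legitimate TBFs were refused, and a large count of flagged flows distinguishes exhaustion caused by kept-alive flows from a genuinely busy sector.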