MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES - PowerPoint PPT Presentation



  1. MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES
     Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang
     University of California, Los Angeles
     ACM CCS'12

  2. Mobile Data Access (ACM CCS'12, C. Peng, UCLA)
     - 1.2 billion global users
     - Data path: mobile device -> cellular network (core network) -> Internet

  3. Mobile Data Charging
     - Data path: cellular network -> Internet
     - Metered charging: the bill is based on actual data usage, e.g., $20/month for 300MB (AT&T)
     - Security question: can any attack make the users pay MORE or LESS?

  4. How Charging Works and Is Secured
     - Components: cellular network, authentication, core gateway, NAT, accounting, policy, bill
     - #1: Accounting is done at the core gateway only
     - #2: Both uplink (UL) and downlink (DL) traffic is charged, per connection
     - #3: The charging policy is defined by the operators

  5. Two Security Issues
     - #1: Can the attacker bypass the security mechanism (authentication, NAT) and exploit a loophole in the charging architecture to make the users pay MORE? -> Stealth-spam-attack
     - #2: Can the attacker exploit the charging policy to pay LESS? -> Toll-free-data-access-attack

  6. Threat Models
     - The cellular network is not compromised
     - The charging subsystem works as designed
     - The security mechanism works as designed
     - Attacker's capability:
       - only use installed apps at the mobile, or
       - deploy malicious servers outside the cellular network

  7. Outline
     - Stealth-spam-attack (pay MORE)
       - Vulnerability
       - Attack design, implementation and damage
       - Countermeasures and insight
     - Toll-free-data-access-attack (pay LESS)
       - Vulnerability
       - Attack design, implementation and damage
       - Countermeasures and insight
     - Summary

  8. Stealth-Spam-Attack

  9. Security Against Spamming
     - Can the security mechanism (e.g., NAT/firewalls) block incoming spam?
       - The mobile's private IP address is not reachable from outside
       - Access is allowed only when initiated by the mobile
     - Outgoing spam (due to malware at the mobile, or spoofing) is simple and not addressed here

  10. Vulnerability
      - Different from conventional spamming (e.g., email/SMS spam):
        - Unawareness (stealthy)
        - Long-lived (lasting hours or longer)
      - Timeline of the attack:
        - ① The victim is trapped into opening data access, i.e., initiating a normal data service (charged ✔)
        - ② Incoming spam from the attacker follows; the victim did not ask for it (✗), yet it still falls inside the actual charging time window

  11. Stealth-Spam-Attack
      - Step 1, Trap: initiate data access
        - Example 1: click a malicious web link
        - Example 2: log in to Skype once / stay online
      - Step 2, Spam: keep spamming, no matter what the status at the mobile is

  12. Web-based Attack
      - Implementation
        - Phone: click a malicious web link
        - Attacker (server): send spam data at a constant rate (TCP congestion control and tear-down disabled on the server side)
      - Result: charging keeps going
        - Even after the phone tears down TCP (TCP FIN, timeout)
        - Even when many "TCP RESET" segments are sent from the mobile

  13. Damage vs. Spamming Rate
      - Charging volume vs. spamming rate, measured for Operator-I and Operator-II
      - In proportion to the spamming rate when the rate is low
      - Charging blocked when the rate is high (> 1Mbps)
      - The charged volume could be larger than the received one [Mobicom'12]

  14. Damage vs. Duration
      - Spamming rate = 150Kbps
      - No observed sign of the charging ending when the attack lasts 2 hours at this low rate (spamming > 120MB)

  15. Skype-based Attack
      - Implementation
        - Phone: do nothing (stay online once logged in to Skype)
        - Attacker: Skype-call the victim and hang up
        - Attacker (server): send spam data at a constant rate
      - Exploits a Skype "loophole": data access is allowed from the host that attempts to call the victim, before the attempt is accepted
      - Demo

  16. Demo: for a specific victim
      - Result: charging keeps going
        - Even after Skype logout
        - Even when there is no Skype call session at all
        - Even when many "ICMP unreachable" messages are sent from the mobile

  17. Damage vs. Spamming Rate
      - Charging volume vs. spamming rate, measured for Operator-I and Operator-II
      - No bounds on the spamming rate, compared with the TCP-based attack

  18. Damage vs. Duration
      - Spamming rate = 50Kbps
      - No observed sign of the charging ending when the attack lasts 24 hours (spamming > 500MB)

  19. Root Cause
      - Current system: only the initialization (① initiating a data service) is secured; afterwards, IP forwarding can push packets (② incoming spam) to the victim, and this is not controlled by the victim
      - #1: Initial authentication ≠ authentication all along
      - Current system: different views
        - At the mobile: the data connection ends, never starts, or an exception happens
        - Local view at the core gateway: keep charging as long as data comes
        - Lack of feedback/control between the two
      - #2: Data flow termination at the phone ≠ charging termination at the operator

  20. Countermeasures
      - Spamming is inevitable due to the IP push model
      - Remedy: stop early when spamming happens
        - Detection of unwanted traffic at the mobile/operator
        - Feedback (esp. from the mobile to the operator)
        - At least allow users to stop data charging (no service)
        - Exploit/design mechanisms in cellular networks: implicit-block, explicit-allow, explicit-stop
      - Precaution, e.g., set a volume limit
      - Application: be aware of the spamming attack
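The "Root Cause" and "Countermeasures" slides above describe a gateway that keeps billing as long as data arrives, even after the phone has sent FIN, RST or ICMP unreachable. The following Python model is an added example, not code from the slides or from the authors; it contrasts that behaviour with two of the listed countermeasures, an assumed "explicit-stop" signal from the mobile and a per-connection volume limit. The packet trace, the flag labels and the Packet/Account types are all constructed for this illustration.

```python
"""Added example (not from the CCS'12 slides or the authors' code): a toy
model of core-gateway accounting for a single mobile data connection.  It
contrasts the behaviour the slides describe (every UL/DL byte is billed, and
the gateway never learns that the phone closed the connection) with two of
the listed countermeasures: an 'explicit-stop' signal from the mobile and a
per-connection volume limit.  The packet trace is constructed sample data."""
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str   # "UL" = from the mobile, "DL" = towards the mobile
    size: int        # bytes counted by the gateway
    flags: str = ""  # constructed labels: "SYN", "FIN", "RST", "ICMP_UNREACH"


@dataclass
class Account:
    charged_bytes: int = 0   # what the subscriber is billed for
    dropped_bytes: int = 0   # downlink bytes the gateway discarded unbilled
    stopped: bool = False    # whether the mobile's stop signal was honoured


def account_current(trace):
    """Behaviour described on the 'Root Cause' slide: the gateway only has a
    local view and keeps charging as long as data arrives for the connection."""
    acct = Account()
    for p in trace:
        acct.charged_bytes += p.size
    return acct


# Assumed stop signals: the slides mention TCP FIN/RESET and ICMP unreachable
# being sent by the mobile while charging continued.
STOP_FLAGS = ("FIN", "RST", "ICMP_UNREACH")


def account_explicit_stop(trace, volume_cap=None):
    """Assumed 'explicit-stop' countermeasure: once the mobile signals
    termination, later downlink bytes are discarded at the gateway and not
    billed.  The optional volume_cap models the 'set a volume limit'
    precaution: a downlink packet that would push the bill past the cap is
    dropped instead of charged."""
    acct = Account()
    for p in trace:
        if p.direction == "DL":
            over_cap = volume_cap is not None and acct.charged_bytes + p.size > volume_cap
            if acct.stopped or over_cap:
                acct.dropped_bytes += p.size
                continue
        acct.charged_bytes += p.size
        if p.direction == "UL" and p.flags in STOP_FLAGS:
            acct.stopped = True
    return acct


def sample_trace():
    """Constructed trace: handshake, one request/response, the phone sends FIN,
    then an external server keeps pushing 1400-byte segments while the phone
    answers with RSTs (the web-based attack pattern from the slides)."""
    trace = [Packet("UL", 60, "SYN"), Packet("DL", 60, "SYN-ACK"),
             Packet("UL", 52, "ACK"), Packet("UL", 500),
             Packet("DL", 1400), Packet("DL", 1400), Packet("UL", 52, "FIN")]
    trace += [Packet("DL", 1400) for _ in range(100)]     # spam after FIN
    trace += [Packet("UL", 40, "RST") for _ in range(5)]  # phone rejects it
    trace += [Packet("DL", 1400) for _ in range(100)]     # spam continues
    return trace


if __name__ == "__main__":
    t = sample_trace()
    print("current system bills", account_current(t).charged_bytes, "bytes")
    print("explicit-stop bills", account_explicit_stop(t).charged_bytes, "bytes")
    print("explicit-stop drops", account_explicit_stop(t).dropped_bytes, "bytes unbilled")
```

The design point is the one the slides make: the stop signal must reach the accounting function at the gateway, not just the remote server, because a spammer that has disabled tear-down will ignore FIN and RST anyway. The volume cap is independent of any signalling and therefore also bounds the Skype-style case, where the phone has no connection to close.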

  21. Toll-Free-Data-Access-Attack

  22. Vulnerability
      - Both operators provide a free DNS service
      - Policy:
        - OP-I: packets via port 53 are free
        - OP-II: packets via UDP + port 53 are free
      - A flow is identified by the 5-tuple (srcIP, destIP, srcPort, destPort, protocol), so Bill(DNS) = 0
      - #1: free fake-DNS loophole: real data carried over port 53 is treated as DNS packets, so Bill(ANY-on-DNS) = 0
      - #2: no volume-check loophole: is there any enforcement for packets over port 53?
        - OP-I: no observed limits, except 29KB for one request packet
        - OP-II: no observed limits

  23. Toll-Free-Data-Access-Attack
      - A proxy outside the cellular network; tunneling over port 53 between the mobile and the external network (similar to calling an 800 hotline)
      - Implementation
        - HTTP proxy on port 53 (only for web, OP-I)
        - SOCKS proxy on port 53 (for more apps, OP-I)
        - DNS tunneling on UDP port 53 (all apps, OP-I and OP-II)
      - Results: free data access > 200MB, no sign of limits
      - Demo if interested

  24. Countermeasures
      - Simplest fix: stop the free DNS service
        - OP-II stopped it in July 2012
      - Other suggestions
        - Authenticate the DNS service
        - Only allow the use of authenticated DNS resolvers
        - DNS message integrity check
        - Provide a free DNS quota
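The "Vulnerability" slide above gives the two port-53 rules, and the "Countermeasures" slide suggests a DNS message integrity check and a free DNS quota. The following Python classifier is an added example, not code from the slides or from the authors; it places the described OP-I/OP-II rules beside a stricter rule that zero-rates only packets which parse as well-formed DNS messages and stay within a per-subscriber quota. The Packet type, the 512-byte limit, the quota size and every sample payload are constructed assumptions, and the structural check is only our illustration of what an integrity check at the gateway could look like.

```python
"""Added example (not from the CCS'12 slides or the authors' code): a toy
charging classifier contrasting the 'port 53 is free' rules described for
OP-I and OP-II with a stricter rule that zero-rates only packets which parse
as well-formed DNS messages and stay within a per-subscriber free quota.
Every packet below is a constructed sample; the DNS parsing is a minimal
structural check, our assumption of what a 'DNS message integrity check'
could look like at the gateway."""
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str      # "UDP" or "TCP"
    src_port: int
    dst_port: int
    payload: bytes  # transport payload the gateway can inspect


def free_op1(pkt):
    """OP-I policy from the slide: any packet via port 53 is free."""
    return 53 in (pkt.src_port, pkt.dst_port)


def free_op2(pkt):
    """OP-II policy from the slide: free only for UDP with port 53."""
    return pkt.proto == "UDP" and 53 in (pkt.src_port, pkt.dst_port)


def looks_like_dns(payload, max_len=512):
    """Minimal structural check: 12-byte header, standard opcode, exactly one
    question whose QNAME is a chain of labels, QTYPE/QCLASS present, and a
    length within the classic 512-byte UDP limit (assumed cut-off)."""
    if not 12 <= len(payload) <= max_len:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1 or (flags & 0x7800) != 0:   # opcode bits must be 0 (QUERY)
        return False
    pos = 12
    while True:
        if pos >= len(payload):
            return False
        label_len = payload[pos]
        if label_len == 0:          # root label ends the name
            pos += 1
            break
        if label_len >= 64:         # 0xC0 pointers / overlong labels rejected
            return False
        pos += 1 + label_len
    return pos + 4 <= len(payload)  # QTYPE + QCLASS must fit


class HardenedPolicy:
    """Free only if UDP/53, structurally DNS, and within the subscriber's quota."""

    def __init__(self, free_quota_bytes):
        self.quota = free_quota_bytes
        self.used = {}  # subscriber id -> free bytes consumed so far

    def is_free(self, subscriber, pkt):
        if pkt.proto != "UDP" or 53 not in (pkt.src_port, pkt.dst_port):
            return False
        if not looks_like_dns(pkt.payload):
            return False
        used = self.used.get(subscriber, 0) + len(pkt.payload)
        if used > self.quota:
            return False            # quota exhausted: bill it like any other data
        self.used[subscriber] = used
        return True


def build_query(name, qtype=1, qclass=1):
    """Construct a well-formed DNS query (ID 0x1234, RD set) for `name`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    policy = HardenedPolicy(free_quota_bytes=1000)
    query = Packet("UDP", 40000, 53, build_query("example.com"))
    non_dns = Packet("TCP", 40001, 53, b"GET /tunnel HTTP/1.1\r\n")
    for label, p in (("real DNS query", query), ("HTTP bytes on port 53", non_dns)):
        print(f"{label}: OP-I free={free_op1(p)}, OP-II free={free_op2(p)}, "
              f"hardened free={policy.is_free('sub-A', p)}")
```

A structural check of this kind closes the "fake DNS" case where arbitrary bytes ride on port 53, but not a tunnel that encodes data inside syntactically valid queries; that is exactly why the slide pairs the integrity check with a quota and with authenticated resolvers, since only a bound on volume or on who may answer limits what valid-looking messages can carry.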

  25. Beyond DNS
      - Existing DNS tunneling tools (iodine etc.) are designed for data access when Internet access is blocked
      - Differentiated-charging policies, e.g., free access to one website or via some APN, or cheaper VoIP than Web, give an incentive to pay less (to attackers or even normal users)
      - Gap between the charging policy and its enforcement
      - Bullet-proof design and practice are needed
