etworkand3ecurity2esearch#enter ...pdm12/cse545/slides/cse545-telco-background.pdf · • in...

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Cellular Networks:Background and

Classical Vulnerabilities

Patrick TraynorCSE 545

1


Cellular Networks

• Provide communications infrastructure for an estimated 2.6 billion users daily.

‣ The Internet connects roughly 1 billion.

• For many people, this is their only means of reaching the outside world.

• Portable and inexpensive nature of user equipment makes this technology accessible to most socio-economic groups.

2


Aren’t They The Same?• Cellular networks and the Internet are built to

support very different kinds of traffic.

‣ Real-time vs Best Effort

• The notions of control and authority are different.

‣ Centralized vs distributed

• The underlying networks are dissimilar.

‣ Circuit vs packet-switched

3


Network Characteristics

• Composed of wired backbone and wireless last-hop

• Inconsistent performance

‣ Variable delay

‣ High error rates

‣ Lower bandwidth

• Potentially high mobility.

4


Access Basics - FDMA

• The most basic access technique is known as Frequency-Division Multiple Access (FDMA).

• Each user in these systems receives their own dedicated frequency band (i.e., “carrier”).

‣ Requires one for uplink and another for downlink.

• To reduce interference, each carrier must be separated by guard bands.

5


TDMA Access

• Time-Division Multiple Access (TDMA) systems greatly increase spectrum utilization.

• Each carrier is subdivided into timeslots, thereby increasing spectrum use by a factor of the divisor.

• Requires tight time synchronization in order to work.

‣ To protect against clock drift, we need to buffer our timeslots with guard-time.

6


CDMA Access

• Code-Division Multiple Access (CDMA) systems have users transmit simultaneously on the same frequency.

• The combined transmissions are viewed additively by the receiver.

• By applying a unique code, the receiver can mask-out the correct signal.

‣ Picking these codes must be done carefully.

7


In the beginning... (1G)

• First commercial analog systems introduced in the early 1980’s.

• Two competing standards arose: The Advanced Mobile Phone System (AMPS) and Total Access Communication System (TACS).

• Both systems were FDMA-based, so supporting a large number of calls concurrently was difficult.

8


The Advent of Digital (2G)

• Second Generation systems were introduced in the early 1990’s.

• Three competing standards: IS-136 and GSM (TDMA) and IS-95-A/cdmaOne (CDMA).

• 2G networks introduced dedicated control channels, which greatly increased the amount of information exchanged between devices and the network.

9


Introducing Data (2.5G)

• Digital brings higher bandwidth, and the opportunity to deploy data services.

• Standards for data systems: GPRS and HSCSD (TDMA) IS-95-B/cdmaOne (CDMA).

• 2.5G Data services have been met with varying success.

‣ 2.75G provides significant improvements.

10


High Speed (3G)

• In theory, can provide rates of 10 Mbps downlink.

• Slow to roll out, 3G systems are only now becoming widespread.

‣ In Pennsylvania, only a few major cities have coverage.

• Competing standards: cdma2000/EV-DO and WCDMA/UMTS.

11


Evolution Summary

12

1G(analog)

AMPS

TACS

2G(digital)

IS-95-A/cdmaOne

IS-136TDMA

GSM

2.5G(data)

IS-95-B/cdmaOne

GPRS

HSCSD

cdma2000 1x (1.25 MHz)cdma2000 3x (5 MHz)

1X EVDO: HDR

136 HS EDGE

EDGE

2.75G(data)

3G(wideband data)

WCDMA


SS7 Network

• Powering all of these networks is the SS7 core.

‣ 3G networks will eventually shift to the all-IP IMS core, but SS7 will never fully go away.

• These systems are very different from IP networks.

‣ The requirements are different: real-time vs best-effort services.

13


Protocol Architecture

• All of the functionality one expects to find in the OSI/Internet protocol stack is available in SS7.

• Where those services are implemented may be different.

14

MTP L1

MTP L2

MTP L3

ISUP SCCP

TCAP

MAP

Physical Layer

Link Layer

Network Layer

Transport Layer

Application Layer


Message Transfer Part

• Covers most of the functionality of the lowest three OSI/Internet protocol stack.

• Broken into three “levels”.

‣ MTP1: 56/64 KBps physical links.

‣ MTP2: Link layer and reliable message delivery.

‣ MTP3: Network layer functionality.

15

MTP L1

MTP L2

MTP L3

ISUP SCCP

TCAP

MAP

Physical Layer

Link Layer

Network Layer

Transport Layer

Application Layer


ISUP, SCCP, TCAP

• ISDN User Part (ISUP): Carries call routing information for resource reservation.

• Signaling Connection Control Part (SCCP): Carries routing information for specific functions.

• Transaction Capabilities Application Part (TCAP): Interface to request the executionof remote procedures.

16

MTP L1

MTP L2

MTP L3

ISUP SCCP

TCAP

MAP

Physical Layer

Link Layer

Network Layer

Transport Layer

Application Layer


Mobile Application Part

• The application layer for SS7 networks.

• This supports services directly visible by the user:

‣ Call handling

‣ Text messaging

‣ Location-based services

• Protected by MAPsec

‣ Sort of...

17

MTP L1

MTP L2

MTP L3

ISUP SCCP

TCAP

MAP

Physical Layer

Link Layer

Network Layer

Transport Layer

Application Layer


Network Components

• HLR stores records for all phones in the network.

• MSC/VLR connect wired and wireless components of the network and perform handoffs.

• BS communicate wirelessly with users.

• MS is a user’s mobile device.

18

Network

GatewayMSC

HLR

ServingMSC

VLR

MSC

VLR

MSC

MS


Security Issues

• Such networks have long been viewed as secure because few had access to them or the necessary knowledge.

• However, attacks are not a new phenomenon.

‣ Many different classes of attacks are well documented.

• We investigate a number of such attacks throughout the remainder of this lecture.

19


Weak Crypto

• GSM networks use COMP128 for all operations.

‣ Authentication (A3), session key gen (A8) and encryption (A5).

• COMP128 was a proprietary algorithm...

‣ ...that can be broken in under one second.

‣ Weaker variants can be broken in 10 milliseconds.

• Replaced by COMP128-2 and COMP128-3 (maybe)

‣ Also proprietary.

20


One-Way Authentication

• In GSM systems, the network cryptographically authenticates the client.

• The client assumes that any device speaking to it is the network.

• Accordingly, it is relatively easy to perform a “Man in the Middle” attack against all GSM networks.

21

?


Core Vulnerabilities

• None of the messages sent within the network core are authenticated.

• MAPsec attempts to address this problem by providing integrity and/or confidentiality.

• The only known deployment of MAPsec was online for two days before being shut off.

‣ Serious performance degradation prevent its use.

22


Eavesdropping

• Early analog systems were easy to eavesdrop upon.

‣ Processing power, export rules and bandwidth worked against cryptography.

• GSM systems use weak crypto, so eavesdropping is still possible over the air.

• Nothing is encrypted through the network itself, so anyone with access can listen to any call.

23


Jamming

• The legality of cell phone jamming varies from country to country.

‣ USA: Illegal

‣ France: Legal in certain circumstances

• Just because it is illegal in some countries does not mean it is not a threat.

‣ You can buy hand-held jammers on the street in most major cities.

24


Malware

• Known malware does not target the cellular infrastructure...

‣ ...yet.

• The proliferation of laptop cellular cards is wreaking havoc on these networks.

‣ Spyware “phoning home” is already taxing the network.

• Differences between the Internet and cellularnetworks make malware MORE dangerousin this setting.

25


Conclusion

• Cellular networks are significantly different than their traditional IP counterparts.

• Built on the assumption of a controlled environment, these systems are becoming more accessible.

• Much more work is needed.

‣ Solutions in one domain do not always apply to the other.

• Examples of new attacks coming soon...

26


Questions

Patrick Traynor

[email protected]

http://www.cse.psu.edu/~traynor

27

etworkand3ecurity2esearch#enter ...pdm12/cse545/slides/cse545-telco-background.pdf · • in...

Documents