mobile security 2010 - #7 - carnegie mellon...
TRANSCRIPT
©2010 Patrick Tague
Mobile Security96-835 / 18-639 / 14-829
Patrick Tague
14 Sept 2010
Class #7 – Securing Cellular Services
©2010 Patrick Tague
Agenda• Vulnerabilities in Cellular Services– SMS and related attacks– Cellular data services and attacks– VoIP services and attacks
• No class 9/16, but HW #1 is due
©2010 Patrick Tague
Short Messaging Service• Original SMS standard (1985) outlined three
types of functionality:– Short message mobile terminated
– Short message mobile originated
– Short message cell broadcast
1992: 1st SMS message
2000: 5x109 SMS/month
2005: 1012 SMS/month
©2010 Patrick Tague
Message Delivery
ESMEexternal short
messaging entity
SMSCshort msg
service center
SMS
SMS
HLR
Where is X?
X not reachable
SMS
X …
Message Queue
©2010 Patrick Tague
Message Delivery
ESMEexternal short
messaging entity
SMSCshort msg
service center
SMS
SMS
HLR
Where is X?
X is at M
SC2
MSC2
SMSMSC1
X
VLR
Is X
activ
e?Ye
s, a
t BTS
3 BTS3
SMSBTS2
BTS1
SMS (TCH)Traffic channel
©2010 Patrick Tague
Message Delivery
ESMEexternal short
messaging entity
SMSCshort msg
service center
SMS
SMS
HLR
Where
is X?
X is a
t MSC
2
MSC2
SMSMSC1
X
VLR
Is X
activ
e?NO
BTS3
X?BTS2
BTS1X?
X?
Paging X (PCH)
Paging X (PCH)
Paging X (PCH)
X Reply (RACH)
Paging channel
Random access channel
Auth X
Ch. Assign (AGCH)Access grant channel
Delivery (SDCCH)Standalone dedicated
control channel
©2010 Patrick Tague
SMS Queuing• At the SMSC:– Queues are finite– Messages can be lost– Dropping/overflow management varies by carrier
• For details, see [Traynor et al., JSC 2008]
• At the MS:– Queues are finite, batteries are small– If MS queue is full, HLR tells SMSC it is unavailable– Batteries can be drained...
©2010 Patrick Tague
SMS-Based Attacks• Two general types of attacks apply to SMS– Content-based attacks
• Phishing, spoofing, malware, ad-ware, …
– Behavior-based attacks• Denial-of-Service (DoS), resource depletion, …
©2010 Patrick Tague
Content-Based SMS Attacks• Basic idea:– Malicious SMS messages aim to retrieve info from
users; wide-spread solicitation, similar to spam email; infect mobile devices (e.g., for mobile bot-nets!)
– Similar to web/email-based attacks
©2010 Patrick Tague
Targeted SMS DoS• Flooding a user with SMS messages:
1.Buffer (@ MS or SMSC) overflow• With enough flooding, SMSC will drop valid messages• Some devices auto-delete previously read messages when
they run out of storage
2.Valid messages are delayed beyond useful lifetime• Ex: meeting reminders are useless after the meeting
3.Valid messages are buried in the SMS flood4.Billing issues
• Also a battery-depletion attack...
©2010 Patrick Tague
Voice & SMS Sharing
XBTS3
Paging X (PCH)
X Reply (RACH)Random access channel
Ch. Assign (AGCH)Access grant channel
SMS delivery (SDCCH)Standalone dedicated
control channel
XBTS3
Paging X (PCH)
X Reply (RACH)Random access channel
Ch. Assign (AGCH)Access grant channel
TCH Setup (SDCCH)Standalone dedicated
control channel
Voice traffic (TCH)Traffic channel
• Voice & SMS Resources– TCH is not used for SMS– Both SMS and voice init. use RACH, AGCH, and SDCCH
SMS flooding also works as DoS against voice calls!
©2010 Patrick Tague
Voice & SMS Sharing
From [Traynor et al., “Security for Telecommunications Networks”, 2008]
©2010 Patrick Tague
How to DoS a City...• How much SMS traffic must be sent to saturate
the SDCCHs in a large metro area?
• Ex: Washington DC– 40 cell towers, 3 sectors/tower– Either 8, 12, or 24 SDCCH/Sector– Each SDCCH supports ~ 900 msgs/hour
SMS Capacity ~ (#Cell Towers) * (#Sectors/Tower)
* (#SDCCH/Sector) * (Capacity/SDCCH)
SMS Capacity ~ 240 msgs/sec (for 8 SDCCH/sector) ~ 2.8 Mbps
©2010 Patrick Tague
How to DDoS a Country...• How much SMS traffic must be sent to saturate
the SDCCHs in a large country?
• Ex: USA– ~1.75 sectors / sq. mile– 8 SDCCH/Sector– Each SDCCH supports ~ 900 msgs/hour
SMS Capacity ~ (Eff. Sector Density) * (Urban pop. Area)
* (#SDCCH/Sector) * (Capacity/SDCCH)
SMS Capacity ~ 325.5 Kmsgs/sec ~ 3.8 GbpsOr ~ 380 Mbps for 10x multi-recipient messaging
©2010 Patrick Tague
Mitigating SMS Flooding• Incorporate fairness and priority management
into SMS queuing– Weighted Fair Queuing (WFQ):
• Each flow goes into a separate message queue - users get a proportional share of the queue to handle their messages
– Weighted Early Random Detection (WRED):• Messages are randomly dropped in proportion to queue
occupancy – variable for different service classes (emergency use, mobile originated, web originated)
©2010 Patrick Tague
Mitigating SMS Flooding
From [Traynor et al., “Security for Telecommunications Networks”, 2008]
From [Traynor et al., “Security for Telecommunications Networks”, 2008]
©2010 Patrick Tague
Cellular Data Service
• Cellular data service acts as a gateway to the Internet– Connecting to an “open” network through a “closed”
network?
Internet CellularNetwork
©2010 Patrick Tague
Data Delivery
GGSNgateway GPRSsupport node
HLR
Where
is X?
X is a
t SGSN
2
SGSN2
DataSGSN1
BTS3
X?BTS2
BTS1X?
X?
Paging X (PPCH)
Paging X (PPCH)
Paging X (PPCH)
X Reply (PRACH)
Auth X
Ch. Assign (PAGCH)
Delivery (PDTCH)
Internet
Data
serving GPRSsupport node
MS IP Address SGSN IP Address
192.168.100.1 192.168.1.2
192.168.100.2 192.168.1.2
ACK (PACCH)
Temporary Flow ID (TFI)marks each flow
©2010 Patrick Tague
MS Data Activity State• Activity States– To save battery,
devices do not constantly listen for packets
– Ready: constantly listening for packets
– Standby: periodically listens for pages
– Idle: device is unregistered / unreachable
©2010 Patrick Tague
Data-Based DoS Attacks• Establishing a data connection is costly!– Timeouts are typically delayed to prevent frequent
reallocation and reestablishment due to minor variation
– Timers ~ 5 seconds– TFI field is 5 bits If an adversary establishes 32 data →
sessions in a sector, DoS to everyone else!
– Ex: Washington DC: 120 sectors, 41 B/Msg 252 kbps→• Order of magnitude less work to deny data traffic compared
to SMS DoS attack on voice
Capacity ~ (#Sectors) * (#Msgs/Sector) * (Bytes/Msg)
Timer duration
©2010 Patrick Tague
What's Next?• 9/16: No class – HW #1 due
• 9/21: Securing cellular services - continued
• 9/23: Mobile app security?