Mobile Security 2010 - #7 - Carnegie Mellon...

©2010 Patrick Tague

Mobile Security96-835 / 18-639 / 14-829

Patrick Tague

14 Sept 2010

Class #7 – Securing Cellular Services


Agenda• Vulnerabilities in Cellular Services– SMS and related attacks– Cellular data services and attacks– VoIP services and attacks

• No class 9/16, but HW #1 is due


Short Messaging Service• Original SMS standard (1985) outlined three

types of functionality:– Short message mobile terminated

– Short message mobile originated

– Short message cell broadcast

1992: 1st SMS message

2000: 5x109 SMS/month

2005: 1012 SMS/month


Message Delivery

ESMEexternal short

messaging entity

SMSCshort msg

service center

SMS

SMS

HLR

Where is X?

X not reachable

SMS

X …

Message Queue


Message Delivery

ESMEexternal short

messaging entity

SMSCshort msg

service center

SMS

SMS

HLR

Where is X?

X is at M

SC2

MSC2

SMSMSC1

X

VLR

Is X

activ

e?Ye

s, a

t BTS

3 BTS3

SMSBTS2

BTS1

SMS (TCH)Traffic channel


Message Delivery

ESMEexternal short

messaging entity

SMSCshort msg

service center

SMS

SMS

HLR

Where

is X?

X is a

t MSC

2

MSC2

SMSMSC1

X

VLR

Is X

activ

e?NO

BTS3

X?BTS2

BTS1X?

X?

Paging X (PCH)

Paging X (PCH)

Paging X (PCH)

X Reply (RACH)

Paging channel

Random access channel

Auth X

Ch. Assign (AGCH)Access grant channel

Delivery (SDCCH)Standalone dedicated

control channel


SMS Queuing• At the SMSC:– Queues are finite– Messages can be lost– Dropping/overflow management varies by carrier

• For details, see [Traynor et al., JSC 2008]

• At the MS:– Queues are finite, batteries are small– If MS queue is full, HLR tells SMSC it is unavailable– Batteries can be drained...


SMS-Based Attacks• Two general types of attacks apply to SMS– Content-based attacks

• Phishing, spoofing, malware, ad-ware, …

– Behavior-based attacks• Denial-of-Service (DoS), resource depletion, …


Content-Based SMS Attacks• Basic idea:– Malicious SMS messages aim to retrieve info from

users; wide-spread solicitation, similar to spam email; infect mobile devices (e.g., for mobile bot-nets!)

– Similar to web/email-based attacks


Targeted SMS DoS• Flooding a user with SMS messages:

1.Buffer (@ MS or SMSC) overflow• With enough flooding, SMSC will drop valid messages• Some devices auto-delete previously read messages when

they run out of storage

2.Valid messages are delayed beyond useful lifetime• Ex: meeting reminders are useless after the meeting

3.Valid messages are buried in the SMS flood4.Billing issues

• Also a battery-depletion attack...


Voice & SMS Sharing

XBTS3

Paging X (PCH)

X Reply (RACH)Random access channel


SMS delivery (SDCCH)Standalone dedicated

control channel

XBTS3

Paging X (PCH)

X Reply (RACH)Random access channel


TCH Setup (SDCCH)Standalone dedicated

control channel

Voice traffic (TCH)Traffic channel

• Voice & SMS Resources– TCH is not used for SMS– Both SMS and voice init. use RACH, AGCH, and SDCCH

SMS flooding also works as DoS against voice calls!


Voice & SMS Sharing

From [Traynor et al., “Security for Telecommunications Networks”, 2008]


How to DoS a City...• How much SMS traffic must be sent to saturate

the SDCCHs in a large metro area?

• Ex: Washington DC– 40 cell towers, 3 sectors/tower– Either 8, 12, or 24 SDCCH/Sector– Each SDCCH supports ~ 900 msgs/hour

SMS Capacity ~ (#Cell Towers) * (#Sectors/Tower)

* (#SDCCH/Sector) * (Capacity/SDCCH)

SMS Capacity ~ 240 msgs/sec (for 8 SDCCH/sector) ~ 2.8 Mbps


How to DDoS a Country...• How much SMS traffic must be sent to saturate

the SDCCHs in a large country?

• Ex: USA– ~1.75 sectors / sq. mile– 8 SDCCH/Sector– Each SDCCH supports ~ 900 msgs/hour

SMS Capacity ~ (Eff. Sector Density) * (Urban pop. Area)

* (#SDCCH/Sector) * (Capacity/SDCCH)

SMS Capacity ~ 325.5 Kmsgs/sec ~ 3.8 GbpsOr ~ 380 Mbps for 10x multi-recipient messaging


Mitigating SMS Flooding• Incorporate fairness and priority management

into SMS queuing– Weighted Fair Queuing (WFQ):

• Each flow goes into a separate message queue - users get a proportional share of the queue to handle their messages

– Weighted Early Random Detection (WRED):• Messages are randomly dropped in proportion to queue

occupancy – variable for different service classes (emergency use, mobile originated, web originated)


Mitigating SMS Flooding




Cellular Data Service

• Cellular data service acts as a gateway to the Internet– Connecting to an “open” network through a “closed”

network?

Internet CellularNetwork


Data Delivery

GGSNgateway GPRSsupport node

HLR

Where

is X?

X is a

t SGSN

2

SGSN2

DataSGSN1

BTS3

X?BTS2

BTS1X?

X?

Paging X (PPCH)

Paging X (PPCH)

Paging X (PPCH)

X Reply (PRACH)

Auth X

Ch. Assign (PAGCH)

Delivery (PDTCH)

Internet

Data

serving GPRSsupport node

MS IP Address SGSN IP Address

192.168.100.1 192.168.1.2

192.168.100.2 192.168.1.2

ACK (PACCH)

Temporary Flow ID (TFI)marks each flow


MS Data Activity State• Activity States– To save battery,

devices do not constantly listen for packets

– Ready: constantly listening for packets

– Standby: periodically listens for pages

– Idle: device is unregistered / unreachable


Data-Based DoS Attacks• Establishing a data connection is costly!– Timeouts are typically delayed to prevent frequent

reallocation and reestablishment due to minor variation

– Timers ~ 5 seconds– TFI field is 5 bits If an adversary establishes 32 data →

sessions in a sector, DoS to everyone else!

– Ex: Washington DC: 120 sectors, 41 B/Msg 252 kbps→• Order of magnitude less work to deny data traffic compared

to SMS DoS attack on voice

Capacity ~ (#Sectors) * (#Msgs/Sector) * (Bytes/Msg)

Timer duration


What's Next?• 9/16: No class – HW #1 due

• 9/21: Securing cellular services - continued

• 9/23: Mobile app security?

Mobile Security 2010 - #7 - Carnegie Mellon...

Documents

Transcript of Mobile Security 2010 - #7 - Carnegie Mellon...