The Peril of Cellular Network Evolution: On CSFB and VoLTE

Chunyi Peng, Fall 2015

Transcript of the slide deck "The Peril of Cellular Network Evolution: On CSFB and VoLTE" (Chunyi Peng, Fall 2015).

Page 1: The Peril of Cellular Network Evolution

On CSFB and VoLTE

Chunyi Peng, Fall 2015

Page 2: Emerging Problems in Network Evolution

MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng

[Figure: evolution from 2G to 4G. 2G: circuit-switching for voice. 3G: circuit-switching for voice, packet-switching for data. 4G: IP-based, packet-switching for everything.]

Q1: Will existing techniques fail to support emerging requirements well? YES!

Q2: Will new features raise new side-effects?

Page 3: Mutual Interference Between Voice and Data in 4G LTE Networks [MobiCom'13] [CNS'15]

Page 4: Advancing toward 4G LTE

• 4G LTE grows fast
  – Better support for mobile Internet
  – 480 LTE networks (by 09/2015, 4gamerica)

Page 5: 4G LTE's Trouble in Voice

• 4G LTE: packet-switched (PS) only
  – No circuit-switched (CS) domain

[Figure: 4G base station → 4G PS gateway → Internet (IP packets). Telephony network: voice is traditionally delivered via CS, but 4G has no CS (?).]

Page 6: Two Solutions: CSFB & VoLTE

• #1. CSFB (Circuit-Switched Fallback): leverage 3G/2G CS to support voice
• #2. VoLTE (Voice over LTE): deliver voice directly in packets (over IP)

[Figure: 4G base station → 4G PS gateway → Internet; the telephony network is reached via the 3G CS domain.]

Page 7: Coexisting Voice Solutions

• Circuit-Switched Fallback (CSFB)
  – Reuses the legacy 2G/3G networks
  – Broadly launched in many LTE networks
  – 1st choice of LTE networks
• Voice over LTE (VoLTE)
  – Ultimate solution, similar to VoIP, in LTE
  – Needs to deploy IMS (IP Multimedia Subsystem)
  – Heavy cost and overhead
  – Initial rollout: AT&T, T-Mobile, Verizon since late 2014 ...

Page 8: CSFB (Circuit-Switched Fallback)

[Figure: 3G architecture. 3G base station → 3G CS gateway → telephony network (3G voice, data-plane); 3G base station → 3G PS gateway → Internet (IP packets, data-plane); signaling (control-plane) alongside.]

Page 9: CSFB (Circuit-Switched Fallback)

[Figure: the 3G architecture above with the 4G side added: 4G base station → 4G PS gateway → Internet, plus the 4G control node (MME).]

Page 10: CSFB (Circuit-Switched Fallback)

[Figure: the same 3G/4G architecture as the previous slide (3G BS, 3G CS gateway, telephony network, 3G PS gateway, 4G BS, 4G PS gateway, control (MME), Internet).]

Page 11: An Example: Incoming Call Comes During Downloading

• Expected flows on Bob
• [tu13-mobisys]: data transmission suspends and user traffic is over-accounted when an inter-system handover, e.g., 4G <-> 3G (steps 3 and 6), occurs.
• What else? Impact on data or voice services?

Page 12: CSFB: Incoming Call Flow

[Figure: message sequence among the callee, 4G BS, 4G MME, 3G BS and 3G CS gateways.]

1. Call Request
2. Paging Request (CS call)
3. Extended Service Request
4. Switch to 3G
5. Paging Response (CS call)
6. Setup CS Call
7. Call Conversation
8. Switch back to 4G

Page 13: Seemingly Reasonable

• Users only switch to 3G when needed (calls)
• Users still obtain higher-speed 4G LTE for data
• Carriers reuse the existing 3G (cost-effective)

By design: independent voice & data
• Expected data throughput slump during voice
  – 4G downgrades to 3G

Page 14: Three Unexpected Issues in CSFB

Unexpected: interference between voice & data
• #1: Data application aborts
  – When the voice call ends
• #2: Lose 4G connectivity
  – Got stuck in 3G for 10+ hours
• #3: Miss calls when turning on data

Page 15: #1: Application Aborts

• 10-day abort ratio
  – 2-5% on average
  – 15% in the worst case
• Event: IP address change
  – "Implicit Detached" by the cellular network
  – "Network re-attach" by the mobile

[Figure: timeline. App on 4G → handoff (4G->3G) → app on 3G while voice is on 3G → handoff (3G->4G) → app on 4G → app aborts.]

Page 16: Cause

• CS domain
  – When the CSFB call ends, implicit detach from the network (occasionally)
  – Network re-attach assigns a new IP address
• PS domain
  – Data service pauses with the implicit detach
  – Abort due to the new IP
    • TCP/UDP sessions cannot be recovered
• Root cause: shared states between CS and PS

Page 17: Shared control states in CS and PS

[Figure: Circuit-Switching (CS) and Packet-Switching (PS), each with a data plane and a control plane, sharing one STATE (Data / Voice). Sequence: data running → CSFB voice ends → "Implicit Detached" (Detached) → data stops → network re-attach (Attached, new IP address) → data starts again.]

Page 18: Evaluation: Data App Abort Due to Voice Call

• 8 popular data applications
  – Browser, Gmail, FTP, YouTube, Skype, PPS (streaming), Pandora (Internet radio), Facebook
• We find that Browsing, Gmail, FTP, Skype and Facebook may abort due to CSFB calls.
  – Browsing/Facebook: content is not displayed
  – FTP/Gmail: downloading is terminated
  – Skype: voice call is aborted

Page 19: #2: Lose 4G Connectivity

• Result
  – 10+ hours in 3G (even handoff)
• Events
  – CS call state changes the HO (handoff) trigger
  – PS data resets the HO timer

[Figure: timeline. PS data on 4G → handoff (4G->3G) → call & hang up (no voice on 3G), PS data on 3G → NO handoff (3G->4G): PS data stays on 3G instead of returning to 4G.]

Page 20:

[Figure: the 8-step incoming call flow (1. Call Request, 2. Paging Request (CS call), 3. Extended Service Request, 4. Switch to 3G, 5. Paging Response (CS call), 6. Setup CS Call, 7. Call Conversation, 8. Switch back to 4G) among the callee, 4G BS, 4G MME, 3G BS and 3G CS gateways, annotated with the CS data-plane call state machine: IDLE, W-REQ, W-PAGE, RECV, ALERT, Conn, F-REQ, F-PAGE, F-RECV, Fail.]

Call control setup: 6 signaling messages. Handoff 4G->3G: 21 signaling messages. Handoff 3G->4G: 21 signaling messages.

Page 21: Cause

• RRC states shared in CS and PS
  – Voice calls: RRC connected
  – Data: RRC connected
• 4G->3G procedure
  – RRC connected: handoff
  – RRC idle: cell reselection
• 4G->3G switch counts on handoff
  – Handoff's timer settings
  – During data, no handoff is performed
• Root cause: shared states, complex signaling

[Figure annotation: call & hang up changes the call state to F-RECV.]

Page 22: Handoff State Machine

[Figure: state machine spanning Circuit-Switching (CS) and Packet-Switching (PS), each with a data plane and a control plane. States: 4G IDLE, 4G DATA, 3G IDLE, 3G DATA (FACH/DCH). Annotations: "Call & hang up: change call state" (F-RECV); timers of 10 sec and 5 sec with 1st / >1st, L / S and Y / N branches; "HO-in-3G reset"; "PS data: reset HO timer".]

Complex signaling/control involved in both CS and PS

Page 23: Evaluation

• We conduct an experiment to track the duration Bob stays in 3G for 3 minutes after Bob's call conversation finishes.
  – Packet size: 1 B or 1 KB
  – Packet interval: 1~24 seconds
• Q: Why does it depend on the traffic pattern?

[Figure: duration in 3G vs. packet interval, two panels (OP-I, OP-II), with the labels 19s-1KB, 13s-1KB, 14s-1B, 7s-1B.]
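The traffic-pattern dependence follows from the state machine on the previous slides: every PS packet puts the phone back into 3G DATA and restarts the inactivity timer, and only an idle phone is moved back to 4G by cell reselection. The model below is an added illustration, not the author's code or any operator's real configuration; its two timer values are assumptions chosen so that it reproduces the slide's labels for OP-I (19 s with 1 KB packets, 14 s with 1 B packets).

```python
"""Model of the CSFB "stuck in 3G" behaviour: the return to 4G is gated by
timers that every PS packet resets, so periodic data traffic can hold a phone
in 3G for the whole observation window. Constructed model; the timer values
are assumptions fitted to the slide's OP-I labels (19 s-1 KB, 14 s-1 B)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional


@dataclass
class ReturnTo4GModel:
    # Seconds the phone must sit in 3G RRC idle before cell reselection moves
    # it back to 4G LTE (no inter-RAT handoff is triggered while data flows).
    return_timer: float
    # Seconds of silence before 3G DATA (FACH/DCH) falls back to 3G IDLE, keyed
    # by packet size: larger packets are assumed to be served in DCH, which has
    # the longer inactivity timer.
    inactivity_by_size: Dict[int, float]

    def inactivity(self, packet_size: int) -> float:
        """Inactivity timer for the largest configured size <= packet_size."""
        fitting = [s for s in self.inactivity_by_size if s <= packet_size]
        key = max(fitting) if fitting else min(self.inactivity_by_size)
        return self.inactivity_by_size[key]

    def time_back_in_4g(self, packet_times: Iterable[float], packet_size: int,
                        window: float = 180.0) -> Optional[float]:
        """Second at which the phone is back on 4G, or None if it is still in
        3G when the observation window ends.

        t = 0 is the moment the CSFB call ends. The phone is left in 3G with
        its data session still RRC connected, so the idle countdown can start
        only after inactivity() seconds of silence."""
        inact = self.inactivity(packet_size)
        idle_since = inact            # earliest second the phone can be 3G IDLE
        for t in sorted(packet_times):
            back = idle_since + self.return_timer
            if back <= t:
                # Enough silence before this packet: the phone already left 3G.
                return back if back <= window else None
            # The packet puts the phone back into 3G DATA and restarts the
            # inactivity timer, which in turn postpones the return timer.
            idle_since = t + inact
        back = idle_since + self.return_timer
        return back if back <= window else None

    def stuck_threshold(self, packet_size: int) -> float:
        """Smallest periodic packet interval that still lets the phone leave 3G."""
        return self.inactivity(packet_size) + self.return_timer


def periodic(interval: float, window: float = 180.0) -> Iterator[float]:
    """Constructed traffic: one packet every `interval` seconds, from t = 0."""
    t = 0.0
    while t <= window:
        yield t
        t += interval


def seconds_in_3g(model: ReturnTo4GModel, interval: float, packet_size: int,
                  window: float = 180.0) -> float:
    """Time spent in 3G during the window (the full window means 'stuck')."""
    back = model.time_back_in_4g(periodic(interval, window), packet_size, window)
    return window if back is None else back


def sweep(model: ReturnTo4GModel, packet_size: int,
          intervals: Iterable[int] = range(1, 25)) -> Dict[int, float]:
    """Reproduce the slide's experiment: intervals of 1~24 s, 3-minute window."""
    return {i: seconds_in_3g(model, i, packet_size) for i in intervals}


# Assumed parameters fitted to the slide's OP-I labels (19 s-1 KB, 14 s-1 B).
OP1_MODEL = ReturnTo4GModel(return_timer=10.0,
                            inactivity_by_size={1: 4.0, 1024: 9.0})

if __name__ == "__main__":
    for size in (1, 1024):
        stays = sweep(OP1_MODEL, size)
        stuck = [i for i, s in stays.items() if s >= 180.0]
        print(f"{size:>4} B packets: stuck in 3G for intervals {stuck}, "
              f"threshold {OP1_MODEL.stuck_threshold(size):.0f} s")
```

The same model with a shorter return timer and inactivity values reproduces a different operator's thresholds, which is why the page's OP-I and OP-II curves differ only in where the step sits.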

Page 24: RRC State Transition

• Go back to 4G LTE via inter-RAT handover or cell reselection.
• RRC state transitions observed in OP-I and OP-II

[Figure: simplified RRC state diagrams for OP-I and OP-II, each with an inter-RAT handover transition.]

Page 25: #3: Miss Voice Calls

[Figure: 4G LTE phone with PS on 4G; turning on PS data coincides with an incoming call, which is missed (✕).]

• Event
  – "Implicit Detached" by the cellular network
  – Transient unavailability
• Root cause: shared control states between CS and PS

Page 26: Security Implications

Page 27: Possible Problems

[Figure: the incoming call flow (1. Call Request, 2. Paging Request (CS call), 3. Extended Service Request, 4. Switch to 3G, 5. Paging Response (CS call), 6. Setup Circuit-Switched Call, 7. Call Conversation, 8. Switch back to 4G) among the callee, 4G BS, 4G MME, 3G BS and 3G CS gateways, annotated with three problems.]

#1. Action before the paging response (without user awareness and consent)
#2. Data over 3G; the handoff causes data service interruption
#3. What if the 3G-4G handoff is deferred or cancelled?

Page 28: One Example

[Figure: data speed (Mbps, 0-25) over time (0-75 s) on US OP-1, with the phone on 4G and then on 3G; markers for "Ringing @ callee" and "Call ends".]

#1. Action before ringtones (without user awareness)
#2. Data service interruption (6-7 seconds)

Page 29: Another Example

[Figure: data speed (Mbps, 0-25) over time (0-75 s) on US OP-2, with the phone on 4G and then on 3G; markers for "Ringing @ callee" and "Call ends".]

#3. The 3G->4G switch is deferred: the phone is not back on 4G LTE in case of PS traffic

Page 30: So, Possible Exploit

• Anyone can make a call without the callee's consent
• With CSFB, it can manipulate the 4G->3G handoff
  – The handoff already happens before the call setup
• So it is viable to impede data services
  – Long data service disruption
• It is even worse while repeating it
  – 3G – 4G – 3G – 4G ... (ping-pong)

Page 31: Ping-Pong Attack

[Figure: message sequence among the caller, callee, 4G BS, 4G MME, 3G BS and 3G CS gateways. Caller side: 1. Dial, 2. Hang up, 3. Wait, repeated. Network side: 1. Call Request, 2. Paging Request (CS call), 3. Extended Service Request, 4. Switch to 3G, then either 5. Paging Response (CS call), 6. Setup CS Call, or 5. Stop call request, 6. Switch back to 4G. The callee goes 4G -> 3G, 3G -> 4G, ...]

Page 32: Ping-Pong Attacks (cont'd)

• How to guarantee successive switches without the victim's awareness?
• Two key timers:
  – T1: dial time between dialing and hanging up
  – T2: wait time between hanging up and re-dialing

Page 33: Ping-Pong Attack Validation

[Figure: two panels of speed (Mbps) vs. time (0-120 s), per-second and moving average: "TCP w/o attack" (up to ~35 Mbps) and "TCP w/ attack" (falling to 0.08 and 0.01 Mbps).]

TCP: from 31 Mbps to 0.08 Mbps in 30 s

Page 34: On Real Apps

App | Task | TCP/UDP | w/o conn loss | w/ conn loss
Web | Access one CNN page | TCP | Abort | Abort
Gmail | Sending/receiving emails | TCP | Fail & multi-entry | Abort & auto recovery
Facebook | Ongoing chat session | TCP | Slower | Slower
WhatsApp | Ongoing chat session | TCP | Slower | Abort & recover
AndFTP | File download | TCP | Abort | Abort
YouTube | Video streaming | TCP | Freeze | Abort
PPStream | Video streaming | UDP | Freeze | Abort
Skype | Ongoing video calls | UDP | Freeze | Abort

Page 35: Discussion

• Any other side-effects from CSFB?
• What insights and lessons are learnt from CSFB?
  – How should we design voice solutions?
  – How should we design the cellular network architecture?

Page 36: Takeaway

• CSFB is a cost-effective solution
  – Seeks to reuse the existing architecture
• Unexpected consequences
  – Incompatibility with existing procedures
  – Mutual interference caused by shared states in CS and PS, as well as complex signaling
• Complex dependency and coupling effects
  – Attacks: open access to control one's state without consent

Page 37: Insecurity of Voice Solution VoLTE in LTE Mobile Networks [CCS'15]

Page 38: Recap: Voice Evolution in 4G LTE

• Legacy voice solution: circuit-switched (CS)
  – Carrier-grade quality
• 4G LTE: packet-switched (PS) only

[Figure: telephony network behind a CS gateway with dedicated circuits, versus the 4G PS gateway (aka edge routers) with a data service bearer to the Internet; where voice fits in 4G is marked "?".]

Page 39: VoLTE: Carry Voice in Packets

[Figure: 4G LTE PS core with the 4G PS gateway (aka edge routers) to the Internet; a VoLTE signaling bearer to the signaling servers, a VoLTE voice bearer to the media gateway (towards the telephony network), and a normal data service bearer.]

Page 40: "Carrier-Grade" Voice Quality in VoLTE

• Via differentiated QoS profiles

Bearer | Delivery | Priority
VoLTE voice bearer | Guaranteed bit rate | 2
VoLTE signaling bearer | Best effort | 1 (highest)
Data service bearer | Best effort | 6-9

[Figure: packet-switched (PS) core with the 4G PS gateway (aka edge routers).]

Page 41: Potential Security Threats in VoLTE

#1: Carry "data" over the VoLTE signaling bearer?
If yes, abuse its charging scheme (free) and its higher-priority/QoS scheme for "data"?

[Figure: 4G PS gateway (aka edge routers) to the Internet.]

Page 42: Potential Security Threats in VoLTE

#2: Inject (junk) data into the VoLTE voice bearer?
If yes, authentic voice traffic will be blocked.

[Figure: 4G PS gateway (aka edge routers) and media gateway on the VoLTE path.]

Page 43: Overview of Our Findings

• Data: carry data over the VoLTE signaling bearer
  – Free data service
  – Higher-priority data service
  – Overbilling
  – Data denial-of-service
• Voice: inject junk data into the VoLTE voice bearer
  – Voice denial-of-service (muted voice)
• Vulnerabilities from
  – VoLTE standards
  – Carrier networks
  – Mobile devices (software and hardware)

Page 44: Carry Data in VoLTE Signaling Bearer

Page 45: Two Access Controls at Device & Network

Q1: [Device] Will the phone allow an app (user-space) to send data packets out into the VoLTE signaling bearer?
Q2: [Network] Will the network allow packets over the VoLTE signaling bearer to non-VoLTE destinations (Internet)?

[Figure: 4G PS gateway (aka edge routers) to the Internet.]

Page 46: No Access Control on the Phone

• #1: VoLTE signaling functions open to the OS and apps (software)
  – IP-based, a system app

[Figure: phone stack. Hardware: 4G LTE modem (chipset), exposing an IP for VoLTE and an IP for normal data. Software: Android OS, apps, IMS client, VoLTE app (dialing).]

Page 47: No Access Control on the Phone

• #2: No proper permission control of the VoLTE signaling network interface in the OS (software)
  – Given the IP, an app (with Internet permission) can send packets
• #3: No access control in the chipset (hardware)

[Figure: the same phone stack (hardware: 4G LTE modem (chipset) with the IP for VoLTE; software: Android OS, apps, IMS client, VoLTE app (dialing)).]

Page 48: No Access Control in Network

• #4: Imprudent routing in the network
  – Simply routing based on the destination IP
  – US-I: Internet and mobile ✔
  – US-II: Mobile ✔

[Figure: 4G PS gateway (aka edge routers) with paths to the Internet and to the VoLTE signaling servers, marked "?" and "✔".]

Page 49: Finally, It Works Out!

• Mobile-to-Internet
  – Example: ping Google

[Figure: phone → 4G-GW → Internet.]

Page 50: Finally, It Works Out!

• Mobile-to-Internet
• Mobile-to-Mobile
  – VoLTE-to-VoLTE
  – VoLTE-to-PS

[Figure: phone → 4G-GW → 4G-GW → phone.]

Page 51: Free Data Access Attack

• VoLTE signaling is free of charge
  – Voice calls: charged by minutes
  – Signaling: no charge (usually small volume)
  – Validated in two US carriers
• Rational, but exploited for free data access

Page 52: Free Data Service: Skype as Demo

Page 53: Free Data Service

[Figure: two plots. Left: free data (MB, 0-240) vs. source rate (0-16 Mbps), uplink and downlink. Right: free data (MB, 0-500) vs. time (0-10 hours), uplink and downlink.]

There exist NO signs of a limit on the volume, throughput and duration of the free data service.

Page 54: Overbilling Attack

• Spamming via mobile-to-mobile (VoLTE-to-PS)
  – Bypasses the inbound traffic access control at the border

[Figure: 4G PS gateway (aka edge routers); Internet behind a NAT/firewall; the victim is billed ($).]

Page 55: Data Denial-of-Service Attack

• Spamming via mobile-to-mobile (VoLTE-to-VoLTE)
  – Exploits the higher priority of the VoLTE signaling bearer

Bearer | Delivery | Priority
VoLTE signaling bearer | Best effort | 1
Data service bearer | Best effort | 6-9

[Figure: 4G PS gateway (aka edge routers); Internet behind a NAT/firewall.]

Page 56: Data Denial-of-Service Attack

[Figure: throughput (Mbps, 0-32) vs. time (0-60 s) for the data bearer and the VoLTE signaling bearer; the data bearer drops to 0 Mbps. Screenshots: www.cnn.com and the YouTube logo.]

Page 57: Inject Junk Data into VoLTE Voice Bearer

Page 58: Similar, but Seemingly More Secure

Inject (junk) data packets into the VoLTE voice bearer, as into the VoLTE signaling bearer.
But the voice bearer info is confidential: voice goes via RTP/RTCP (identifier unknown).

[Figure: 4G PS gateway (aka edge routers) → media gateway → VoLTE, marked ✗.]

Page 59: Insufficient VoLTE Voice Access Control

• #1: Only the dest. port# is needed
  – RTP session identifier: (IP, port#)
  – Fixed dest. IP to the media gateway
• #2: Sending data packets with the correct port# is allowed
  – Same access control trouble

[Figure: phone stack (hardware: 4G LTE modem (chipset); software: Android OS, apps, IMS client, VoLTE app (dialing)) with the VoLTE voice bearer.]

Page 60: Port# is Secret, but Can Be Easily Leaked

• #3: Same IP between voice and signaling bearers
  – Port# matched → VoLTE voice bearer
  – Port# unmatched → VoLTE signaling bearer
• #4: Leaked through the distinct behaviors caused by the different QoS profiles
  – Guaranteed bit rate vs. high-priority best effort
  – Low-rate voice traffic is NOT affected by heavy VoLTE signaling

Bearer | Delivery | Priority
VoLTE voice bearer | Guaranteed bit rate | 2
VoLTE signaling bearer | Best effort | 1

Page 61: Infer RTP/RTCP Destination Ports

[Figure: two plots. Left: one-hop RTT (ms, 0-300) vs. port number (0-60000). Right: one-hop RTT (ms, 0-200) per run (1-20), "Right-Port" vs. "Min-RTT-for-Wrong-Port"; ports 64580, 64581.]

Page 62: Voice DoS: Muted Call

Page 63: Root Causes & Recommended Solutions

• VoLTE standards
  – Design defects: lack of protection when VoLTE opens up voice access; no speed limit on the highest priority, ...
• Carrier networks
  – Imprudent routing & charging for VoLTE signaling
  – Fix: disable routing, limit speed, enable VoLTE volume accounting
• Mobile devices
  – Lack of access control at both software (improper permission) and hardware (missing)
  – Fix: VoLTE-specific permission, anomaly detection
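The three carrier-side fixes listed above, and the strict-priority starvation behind the data DoS on pages 55-56, can be modelled at the PS gateway. The code below is an added example, not the author's or any carrier's implementation: the server addresses, packet trace, link capacity and burst allowance are constructed, and the 600 kbps cap is the figure the deck reports for US-II.

```python
"""Gateway-side policy for the VoLTE signaling bearer, modelling the fixes the
slides recommend (disable routing to non-VoLTE destinations, limit speed,
enable VoLTE volume accounting) and the strict-priority scheduling that lets
an uncapped signaling bearer starve the data bearer. Constructed example:
addresses, rates and packets are assumptions, not any carrier's configuration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SIGNALING_BEARER = "volte-signaling"
# Assumed IMS signaling server (P-CSCF) addresses reachable over the bearer.
IMS_SIGNALING_SERVERS: Set[str] = {"10.0.0.1", "10.0.0.2"}
SIGNALING_CAP_MBPS = 0.6          # the 600 kbps cap the slides report for US-II
BEARER_PRIORITY = {SIGNALING_BEARER: 1, "volte-voice": 2, "data": 6}


@dataclass
class Packet:
    ue: str            # subscriber id (constructed)
    bearer: str        # "volte-signaling", "volte-voice" or "data"
    dst_ip: str
    size_bytes: int
    ts: float          # seconds since the start of the trace


@dataclass
class TokenBucket:
    """Token bucket rate limiter: rate in bit/s, burst in bytes."""
    rate_bps: float
    burst_bytes: float
    last_ts: float
    tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes

    def allow(self, size_bytes: int, now: float) -> bool:
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last_ts) * self.rate_bps / 8)
        self.last_ts = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


@dataclass
class SignalingBearerPolicy:
    allowed_dsts: Set[str]
    cap_mbps: Optional[float]       # None reproduces the original uncapped bearer
    burst_bytes: float = 15_000.0   # assumed burst allowance (0.2 s at 600 kbps)
    buckets: Dict[str, TokenBucket] = field(default_factory=dict)
    volume_bytes: Dict[str, int] = field(default_factory=dict)

    def decide(self, pkt: Packet) -> str:
        """Return 'forward' or a 'drop:<reason>' verdict for one packet."""
        if pkt.bearer != SIGNALING_BEARER:
            return "forward"            # other bearers are outside this policy
        # Fix 1 (routing): the signaling bearer may only reach IMS signaling
        # servers, so Internet-bound and VoLTE-to-PS packets are dropped here.
        if pkt.dst_ip not in self.allowed_dsts:
            return "drop:non-volte-destination"
        # Fix 2 (accounting): count offered bytes per UE before the cap, so that
        # free-of-charge signaling volume is visible to billing and anomaly detection.
        self.volume_bytes[pkt.ue] = self.volume_bytes.get(pkt.ue, 0) + pkt.size_bytes
        # Fix 3 (speed limit): per-UE token bucket on the bearer.
        if self.cap_mbps is not None:
            bucket = self.buckets.setdefault(
                pkt.ue, TokenBucket(self.cap_mbps * 1e6, self.burst_bytes, pkt.ts))
            if not bucket.allow(pkt.size_bytes, pkt.ts):
                return "drop:rate-limited"
        return "forward"


def strict_priority(link_mbps: float, offered: Dict[str, float],
                    caps: Dict[str, Optional[float]]) -> Dict[str, float]:
    """Serve bearers in priority order (1 = highest); returns Mbps each gets."""
    remaining = link_mbps
    served: Dict[str, float] = {}
    for name in sorted(offered, key=lambda n: BEARER_PRIORITY[n]):
        want = offered[name] if caps.get(name) is None else min(offered[name], caps[name])
        served[name] = min(want, remaining)
        remaining -= served[name]
    return served


def starvation_demo(cap_mbps: Optional[float]) -> Dict[str, float]:
    """32 Mbps link: the data bearer vs. a 40 Mbps flood on the signaling bearer."""
    return strict_priority(32.0, {SIGNALING_BEARER: 40.0, "data": 32.0},
                           {SIGNALING_BEARER: cap_mbps, "data": None})


def policy_demo(cap_mbps: Optional[float]) -> Dict[str, int]:
    """Run a constructed packet trace through the policy and count the verdicts."""
    policy = SignalingBearerPolicy(IMS_SIGNALING_SERVERS, cap_mbps)
    trace: List[Packet] = [
        Packet("ue-A", SIGNALING_BEARER, "10.0.0.1", 800, 0.0),   # SIP-sized message
        Packet("ue-A", SIGNALING_BEARER, "8.8.8.8", 64, 0.1),     # Internet via signaling
        Packet("ue-A", "data", "8.8.8.8", 64, 0.2),               # same host, data bearer
    ]
    # One second of 1400-byte packets every 2 ms (5.6 Mbps) to a signaling server.
    trace += [Packet("ue-B", SIGNALING_BEARER, "10.0.0.2", 1400, 1.0 + i * 0.002)
              for i in range(500)]
    counts: Dict[str, int] = {}
    for pkt in trace:
        verdict = policy.decide(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    counts["ue-B-accounted-bytes"] = policy.volume_bytes["ue-B"]
    return counts
```

Without a cap the data bearer is served 0 Mbps for as long as the flood lasts, which matches the 0 Mbps trace on page 56; with the cap the flood is accounted in full but only about 600 kbps of it reaches the link.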

Page 64: Updates

• Reported to and working with 2 US carriers to fix the problems
• Partial solutions in place (07/2015, 08/2015)
• US-I
  – Disabled routing to non-VoLTE destinations
  – Fixed: free data, overbilling, data DoS
  – Not fixed: voice DoS
• US-II
  – Limited the speed of mobile-to-mobile to 600 kbps
  – Fixed: data DoS
  – Not fixed: voice DoS, free data, overbilling

Page 65: Discussion

• Why? What is new with VoLTE?
  – Changes on the network side
  – Changes on the phone side (chipset, OS)
• VoLTE, designed to carry voice, can be exploited to carry data
  – Real threats: free data, overbilling, data DoS, voice DoS ...
• Lessons at its early deployment
  – Blame the carrier network, device OS, chipset vendors and standards
• Peril of evolution

Page 66: Backup Slides

Page 67: Experimental Methodology

• Two major US 4G LTE operators
  – Called OP-I and OP-II in this work
• Mobile devices:
  – Apple iPhone 5
  – Samsung Galaxy S3/S4
  – HTC One
  – LG Optimus G

Page 68: Throughput Slump

[Figure: logs of data throughput (4G: +, 3G: x) on Bob in OP-I.]

Page 69: One More Slump

• In addition to the two handovers, we observe one extra handover in 40.6% of the experiment runs (149/367) in OP-I.

[Figure: logs of data throughput (4G: +, 3G: x) in OP-I.]

Page 70: Even Worse

• In OP-II, we observe that Bob cannot go back to 4G LTE after the call ends.

[Figure: logs of data throughput (4G: +, 3G: x) in OP-II.]

Is it an OP-II-specific issue? How long does it last?

Lose 4G Connectivity

Page 71: Lose 4G Connectivity

• In OP-I, Bob cannot go back to 4G LTE if Alice cancels the outgoing call before the call is fully established (i.e., Bob doesn't hear the ringtone yet).
• We find that Bob will stay in 3G longer than 10 hours under certain conditions.

[Figure: Alice hangs up the outgoing call before call setup is finished.]

Page 72: Data Services

• We find that it depends on whether a data service is running on Bob's phone.
• Specifically, the duration Bob is stuck in 3G depends on the packet size and packet interval of the running data service.
• We conduct an experiment to track the duration Bob stays in 3G for 3 minutes after Bob's call conversation finishes.
  – Packet size: 1 B or 1 KB
  – Packet interval: 1~24 seconds

Page 73: Experiment Results

[Figure: duration in 3G vs. packet interval, two panels (OP-I, OP-II), with the labels 19s-1KB, 13s-1KB, 14s-1B, 7s-1B.]

Why does it depend on the traffic pattern?

Page 74: RRC State Transition

• Bob can go back to 4G LTE via inter-RAT handover or cell reselection.
• RRC state transitions observed in OP-I and OP-II

[Figure: simplified RRC state diagrams for OP-I and OP-II, each with an inter-RAT handover transition.]

CSFB standards allow operators to decide how to move users back to 4G LTE.

Page 75: Data Applications Abort Due to Voice Call

• We are running eight popular data applications
  – Browser, Gmail, FTP, YouTube, Skype, PPS (streaming), Pandora (Internet radio), Facebook
• We find that Browsing, Gmail, FTP, Skype and Facebook may abort due to CSFB calls.
  – Browsing/Facebook: content is not displayed
  – FTP/Gmail: downloading is terminated
  – Skype: voice call is aborted

Page 76:

How Often an Application Aborts

• We run an experiment in which the user makes a call and hangs up later while data applications are running.

• We observe an average abort ratio of around 3-5%.

Figure: 10-day FTP downloading abort ratio (OP-I).

What happens?

Page 77:

Detached

• When this issue occurs, users are detached by the carrier and lose both 3G and 4G LTE connectivity for a while.

Figure: logs of network status at the mobile phone (OP-I), showing the phone detached and then reattached.

How long does it take to recover the connectivity?

Figure: re-signing into the network (OP-II).

Page 78:

Reattach Duration

• For OP-I, 95% of re-attaches finish within 11 seconds.
• For OP-II, 90% of re-attaches finish within 15 seconds.

Q: Is it a big issue to lose connectivity for 11-15 seconds? It should be easily recovered by TCP retransmission.

Page 79:

Invalid TCP Retransmission

Figure: Wireshark traces at the FTP server.

• The FTP server retransmits packets to the mobile device; however, it does not receive any ACKs.

• OP-I assigns a different IP address to the mobile device after it re-attaches.
• OP-II assigns the same IP address; however, the NAT mapping is gone after the re-attach, i.e., retransmitted packets are dropped without a valid mapping.
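Why TCP retransmission cannot repair the connection in either operator case, and what an application can do about it, as an added example that is not part of the talk. The gateway model, the address pool, the port number and the server-side trace records are all constructed; the two modes only mirror the two behaviours named on the slide (OP-I: new address after re-attach; OP-II: same address but per-flow state gone). The second function is a simple server-side heuristic: a flow whose recent packets are all unanswered retransmissions is stalled, so the application layer (e.g., an FTP client resuming the download over a new connection) has to recover, because TCP by itself will keep retransmitting into a mapping that no longer exists.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int]  # (address the server sends to, port)


class CarrierGateway:
    """Toy model of the carrier packet core on the server -> UE path (constructed).

    reassign_ip_on_reattach=True  mimics OP-I: a new address after re-attach.
    reassign_ip_on_reattach=False mimics OP-II: same address, NAT/flow state lost.
    """

    def __init__(self, reassign_ip_on_reattach: bool) -> None:
        self.reassign = reassign_ip_on_reattach
        self._pool = iter(["10.0.0.1", "10.0.0.2", "10.0.0.3"])  # constructed pool
        self.ue_addr: Optional[str] = None
        self.flows: Set[Flow] = set()  # per-flow state needed to forward downlink packets
        self.attach()

    def attach(self) -> str:
        if self.ue_addr is None or self.reassign:
            self.ue_addr = next(self._pool)
        return self.ue_addr

    def detach(self) -> None:
        # implicit detach after the CSFB call: flow state dropped, address released (OP-I)
        self.flows.clear()
        if self.reassign:
            self.ue_addr = None

    def open_flow(self, port: int) -> Flow:
        flow = (self.ue_addr, port)
        self.flows.add(flow)
        return flow

    def deliver_downlink(self, flow: Flow) -> bool:
        """True if a server packet addressed to `flow` reaches the UE (so an ACK comes back)."""
        addr, _ = flow
        if addr != self.ue_addr:
            return False  # OP-I: the address no longer belongs to this UE
        if flow not in self.flows:
            return False  # OP-II: address unchanged, but the mapping is gone
        return True


def retransmissions_after_reattach(reassign_ip_on_reattach: bool, retries: int = 3) -> Dict[str, object]:
    """Play the slide's scenario: FTP data flow, CSFB call, implicit detach, re-attach,
    then `retries` server retransmissions of the same segment."""
    gw = CarrierGateway(reassign_ip_on_reattach)
    flow = gw.open_flow(54321)  # constructed FTP data port
    acked_before = gw.deliver_downlink(flow)
    old_addr = gw.ue_addr
    gw.detach()
    gw.attach()  # 11-15 s later according to slide 78
    return {
        "acked_before": acked_before,
        "acked_after": [gw.deliver_downlink(flow) for _ in range(retries)],
        "address_changed": gw.ue_addr != old_addr,
    }


# Constructed records mimicking the FTP server capture on the slide: one segment
# is acknowledged, the next is retransmitted with exponential backoff and never acked.
SERVER_TRACE: List[dict] = [
    {"t": 0.00, "dir": "s2c", "seq": 1001, "retransmission": False},
    {"t": 0.05, "dir": "c2s", "ack": 2461},
    {"t": 0.06, "dir": "s2c", "seq": 2461, "retransmission": False},
    {"t": 0.30, "dir": "s2c", "seq": 2461, "retransmission": True},
    {"t": 0.80, "dir": "s2c", "seq": 2461, "retransmission": True},
    {"t": 1.80, "dir": "s2c", "seq": 2461, "retransmission": True},
]


def flow_stalled(trace: List[dict], max_unacked_retx: int = 3) -> bool:
    """Server-side heuristic: the flow is stalled once `max_unacked_retx` retransmissions
    in a row go out without any ACK from the client in between."""
    unacked = 0
    for rec in trace:
        if rec["dir"] == "s2c" and rec.get("retransmission"):
            unacked += 1
        elif rec["dir"] == "c2s" and rec.get("ack") is not None:
            unacked = 0
    return unacked >= max_unacked_retx


if __name__ == "__main__":
    print("OP-I :", retransmissions_after_reattach(True))
    print("OP-II:", retransmissions_after_reattach(False))
    print("stalled:", flow_stalled(SERVER_TRACE))
```

In both modes every retransmission after the re-attach is dropped; the only difference visible to the server is that in OP-I the old address now belongs to nobody (or to someone else), while in OP-II the packets arrive at the right address but find no mapping.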

Page 80:

Missed Call

• Under certain scenarios, users may miss incoming calls without any notification.

• Alice is calling Bob while Bob is enabling the PS network in the meantime.
  – Bob may miss Alice's call without notification (e.g., ringtone).
  – However, Alice still hears the alerting tone.
    • She may think Bob intentionally does not answer the call.

Page 81:

Alerting Tone Comes Early

• In the paging phase (Step 2), to avoid a long period of silence at Alice's side, Bob's MSC# sends an indication of user alerting to Alice.

• Then Alice can hear the alerting tone.

• However, if Bob fails to hand over to the 3G network (Step 3), then he will not hear the ringtone.

#: On receipt of the service request from the MME.

Figure: CSFB incoming call flows on Bob.
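The ordering problem on slides 80 and 81 as a simulated message exchange (an added example, not code from the talk). The message names follow the slide's steps; the flow is deliberately simplified and the `alert_on_service_request=False` variant, which delays the alerting indication until the callee's phone actually rings, is a hypothetical alternative ordering included only to make the inconsistency visible, not a solution the talk proposes. The check `caller_misled` is the state to look for: the caller is hearing an alerting tone while the callee's device never rang.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class CallState:
    caller_hears_alerting: bool = False
    callee_rings: bool = False
    events: List[str] = field(default_factory=list)


def csfb_incoming_call(handover_to_3g_succeeds: bool,
                       alert_on_service_request: bool = True) -> CallState:
    """Simplified CSFB mobile-terminated call (constructed; Step 2 = paging, Step 3 =
    move to 3G, as on the slide). With alert_on_service_request=True the MSC sends the
    alerting indication to Alice as soon as it receives the service request from the
    MME, i.e., before Bob's phone has reached 3G. With False (hypothetical ordering)
    alerting is sent only once Bob's phone actually rings."""
    st = CallState()
    st.events.append("MSC -> MME: paging for Bob (Step 2)")
    st.events.append("Bob UE -> MME: extended service request (CSFB)")
    st.events.append("MME -> MSC: service request")
    if alert_on_service_request:
        st.caller_hears_alerting = True
        st.events.append("MSC -> Alice: alerting indication (early)")
    st.events.append("Bob UE: move to 3G (Step 3)")
    if handover_to_3g_succeeds:
        st.callee_rings = True
        st.events.append("Bob UE: CS call setup on 3G, ringtone plays")
        if not alert_on_service_request:
            st.caller_hears_alerting = True
            st.events.append("MSC -> Alice: alerting indication")
    else:
        st.events.append("Bob UE: move to 3G failed, no ringtone")
    return st


def caller_misled(st: CallState) -> bool:
    """True when the two ends disagree: Alice hears ringing but Bob was never alerted."""
    return st.caller_hears_alerting and not st.callee_rings


if __name__ == "__main__":
    for ok in (True, False):
        st = csfb_incoming_call(handover_to_3g_succeeds=ok)
        print("\n".join(st.events))
        print("caller misled:", caller_misled(st), "\n")
```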

Page 82:

Discussion

• Key factors?
• Root cause?
• Solution?
• What else (other problems)?
• Lessons and insights?

C. Peng (OSU) 82

Page 83:

Summary

• Throughput slumps when a voice call starts and ends.
  – In OP-II, the throughput is not recovered even after the call ends.

• Users may lose 4G connectivity for 10 hours (no signs of limits), which may be utilized by malicious attackers.

• Users may be implicitly detached by operators after a CSFB call ends.
  – Some applications abort due to unsuccessful receipt of packets from their application server after the re-attach finishes.

• Users may miss a voice call without any indication because the alerting tone comes early to the caller.

Page 84:

Voice/Data Interference

• Mutual interference between voice & data
  – Shared radio resource
  – Shared network state
  – Complex control/signaling

• Complex dependency and coupling effects

• Smart core in cellular networks, but
  – Can be fragile