THESIS Submitted in partial satisfaction of the requirements for the degree of MASTER OF SCIENCE in Computer Science in the OFFICE OF GRADUATE STUDIES of the UNIVERSITY OF CALIFORNIA DAVIS
Contents

1 Introduction
  1.1 Contributions of this Thesis to the Field
2 Related Works
  2.1 Cryptography
  2.2 Cloning and Fraud
  2.3 Denial of Service
  2.4 Spam and Phishing
  2.5 Worms
  2.6 3G scheduling and network security
3 Sleep Deprivation Attack
  3.1 Background overview
    3.1.1 GSM
      Location update
      Paging
    3.1.2 GPRS
    3.1.3 MMS
  3.2 Attacks
    3.2.1 MMS security analysis
      Unencrypted and unauthenticated MMS messages
      Unauthenticated MMS R/S
      Critical phone information disclosure
    3.2.2 Attack implementation
      Building target hit-list
      Draining batteries
      Theoretical impact
    3.2.3 Attack experiment results
    3.2.4 Attack improvement
      Attack using TCP ACK packets
      Attack using packets with maximum-sized payload
      NAT and firewall
  3.3 Mitigation strategies
    3.3.1 MMS Protocol Modification
    3.3.2 Adaptive PDP Context Management
      Motivation
      Design Principle
      Strategy overview
      Specification Modification
      Analytical Analysis
      Implementation Details
  3.4 Conclusion
4 Scheduler Attack
  4.1 Attack overview
    4.1.1 3G data networks
      Opportunistic scheduling
      Handoff
    4.1.2 Overview of attacks
  4.2 Attack analysis
    4.2.1 Attack within a single cell
      Single attacker
      Multiple attackers
      Simulation
    4.2.2 Attack from two cells
      Initial average throughput
      Simulations
    4.2.3 Attack without knowing victims' CQIs
  4.3 Attack impact
  4.4 Possible defense strategies
    4.4.1 Attack detection
    4.4.2 Attack prevention
  4.5 Conclusion
5 Summary and Conclusion
Bibliography
Acknowledgements
I want to give utmost gratitude to Professor Hao Chen for his most valuable advice and guidance, not only for this thesis but also as a graduate student. This work would not exist without his insights and dedicated work. My gratitude also goes to Professor Karl Levitt for his help and advice in every step of my graduate life. He encouraged and supported me throughout the years I've been in Davis. I would like to thank everyone who contributed to this thesis. In particular, most credit goes to Radmilo Racic for his extremely valuable contributions. He has worked on this work in every aspect and helped me through difficult problems. Also, my thanks to Professor Xin Liu for her contributions to this thesis. Many thanks are due to my friends for all the support and advice. My thanks to Dr. Jeff Rowe and Professor Felix Wu for all the advice on my research, Senthil Cheetancheri for his insights and discussions on worms and my research, and Allen Ting for his encouragement and support of my efforts. My gratitude to Carol Lin for her endless encouragement and support, even in difficult times. She believed in me even through periods of uncertainty, and gave me the courage to proceed. Finally, I dedicate this thesis to my parents who, through hardship, provided me a chance to learn and discover as I wish. They have placed my needs over everything else to support me throughout my life. They have also shaped me into the person I am today through valuable wisdom and guidance.
Abstract
As cellular data services and applications are widely deployed, they become attractive targets for attackers, who could exploit unique vulnerabilities in cellular networks, mobile devices, and the interaction between cellular data networks and the Internet. Furthermore, mobile devices, often considered part of the cellular network's trusted computing base (TCB), are becoming more vulnerable to attacks. This thesis presents several vulnerabilities in cellular data packet services and their applications, and presents two particular denial-of-service attacks. First, we demonstrate an attack that surreptitiously drains mobile devices' battery power up to 22 times faster and therefore could render these devices useless before the end of business hours. This attack targets a unique resource bottleneck in mobile devices (battery power) by exploiting an insecure cellular data service (MMS) and the insecure interaction between cellular data networks and the Internet (PDP context retention and the paging channel). Second, we propose a series of attacks on 3G cellular packet services that exploit the unverified channel condition reports from mobile devices to their base stations, and user-initiated handoffs. Our simulations show that only five rogue devices per cell can use up over 90% of the network resource, and thus induce and perpetuate a 2.1 s end-to-end inter-packet transmission delay for every user in the cell. This thesis also presents several mitigation strategies to defend against not only the two aforementioned attacks but also similar attacks of this type.
CHAPTER 1. INTRODUCTION
Chapter 1
Introduction
Cellular networks are part of our critical information infrastructure. They are also widely deployed, with more than 194 million subscribers covering over 65% of the US population [1]. As mobile devices become more powerful, cellular companies are rapidly deploying broadband data services, such as High-Speed Downlink Packet Access (HSDPA) and Evolution-Data Optimized (EV-DO), as well as new applications, such as Multimedia Messaging Service (MMS), Unlicensed Mobile Access (enabling network-to-network mobile agent migration), i-Mode (providing fast, packet-based communication by eliminating the traditional WAP gateway), and WiFi Voice-over-IP (enabling affordable, real-time voice communication). Furthermore, cellular networks are pushing more network functions into mobile devices and granting them more trust. In some situations, they even consider mobile devices part of the Trusted Computing Base (TCB). While these new services and applications enhance the mobile computing experience, they also introduce serious security concerns. Besides launching typical Internet attacks such as denial of service (DoS), malware, spamming and phishing against mobile devices, an attacker can exploit emerging vulnerabilities in cellular networks, mobile devices, and the interaction between cellular data networks and the Internet. These emerging vulnerabilities, however, have not been thoroughly studied by either the security community or service providers, since the cellular community has focused on information security rather than network security. We argue that network vulnerabilities can cause havoc in cellular networks, in particular in both current and future data services. Therefore, this thesis presents several emerging vulnerabilities in cellular data networks and two particular denial-of-service attacks exploiting these vulnerabilities that can cause devastating effects.
These attacks would be devastating not only in critical situations, such as disasters, but also for industries relying on mobile communications. For example, professions like real estate agents and brokers rely on the ability to perform on-the-spot credit reports or provide instant quotes. Similarly, occupations such as network system administrators trust their cellular handsets' availability in order to be reached. The first attack, exploiting vulnerabilities in MMS and General Packet Radio Service (GPRS) in GSM, targets mobile devices' battery power. The adversary is able to drain a mobile phone's battery stealthily in 7 hours from the Internet. The second attack, exploiting vulnerabilities in 3G and 3.5G data packet services and their opportunistic scheduler, demonstrates that malicious mobile devices can usurp time slots at the expense of honest users, hence denying them network access. For example, we show that only one attacker per cell with 50 users can occupy as much as 89% of all the scheduling slots indefinitely. Similarly, five attackers per cell can cause and perpetuate a 2.1 s end-to-end inter-packet transmission delay for every victim user in the cell, thus rendering many services useless. This thesis proceeds by presenting an overview of related work in cellular network security in Chapter 2. Chapter 3 presents the first attack and the mitigation strategies that can defend against it. Chapter 4 presents the second attack, with possible defense mechanisms. Finally, Chapter 5 concludes this thesis.
Chapter 2
Related Works
In recent years, a significant amount of research effort has focused on security requirements and threat model evaluation for current and emerging cellular technologies, including GSM [2-4], GPRS [5-8], CDMA [9], SMS [10], MMS [11], and EV-DO [12-14]. These works identify the following key security requirements in cellular networks: subscriber confidentiality, authentication, privacy, cloning prevention, integrity of information as well as billing, fraud detection, and safe key management. They also address security threats such as eavesdropping, impersonation of a user and of the network, denial of service, man-in-the-middle attacks, hijacking of services, and compromise of authentication vectors, and they evaluate the risk level of each of these threats. Our work is complementary to these previous efforts to secure cellular networks. In fact, we focus on two new directions: the end-user devices (i.e., power-depletion attack and defense) and the security interactions between different cellular applications (i.e., the merging of the cellular network and the Internet). In this chapter, we present an overview of current research efforts in cellular network security.
2.1 Cryptography
Extensive research has been conducted on cryptographic technologies [15-17]. For instance, studies like [15, 16] suggest the use of a PKI scheme in the GSM/UMTS network, while [17] proposes the use of a SIM card for authentication and payment of web services by mobile users. Grecas and colleagues propose introducing public-private key pairs for transactions between the VLR and HLR as well as between the MS and VLR. Lo and colleagues, on the other hand, propose the use of PKI and stream ciphers for authentication and message encryption/decryption, respectively. Both point out that the nature of the services constituting the PKI renders telecommunications operators prime candidates for the PKI implementation. Furthermore, MacDonald and colleagues [17] are convinced that the SIM card can be at the center of an authentication and payment platform for the consumption of web services by mobile users. Cryptographic solutions, while efficiently and elegantly mitigating some principal concerns in cellular networks, cannot defend against some unique threats to end users, such as DoS and resource starvation attacks. Our work complements the existing cryptographic mechanisms in order to alleviate additional non-conventional threats unique to emerging cellular data technologies and applications.
attack outlined in [24] using a highly accurate GSM simulator, and presented several mitigation strategies with supporting simulations. Additionally, [26] warns that the paging channel is another scarce resource that an attacker on the Internet can overwhelm to cause a DoS attack. Finally, Martin et al. [27] discussed the possibility of a denial-of-service attack on mobile devices such as laptops and PDAs. They outlined three different types of battery-draining attacks and presented experiments to demonstrate the effects of such attacks. Nash et al. [28] follow up on that work by presenting a host-based intrusion detection system to detect battery-draining attacks. Our work, inspired by these previous works, extends their findings and presents additional vulnerabilities in both current and future cellular data services.
2.5 Worms
Computer worms that target cellular networks have also appeared in recent years. The Timofonica worm [31] spreads itself via email attachments. Upon infection, a computer sends SMS messages to random cell phone numbers belonging to a service provider, Movistar, and thus attempts to cause a DoS attack. A proof-of-concept worm was developed in early 2005 demonstrating the effects of a worm outbreak on cellular phone platforms. The Cabir [32] worm, spreading via Bluetooth on Nokia Series 60 handsets running Symbian OS, changes the operating system and searches for other handsets to infect. An epidemic worm-spreading model in mobile environments was proposed by Mickens et al. [33]. Our work extends these previous works. Using a hit-list of phone numbers, IP addresses, and model information gathered in our attack described in Chapter 3, worm designers could write better worms by tailoring them to different platforms.
Chapter 3
Sleep Deprivation Attack
3.1.1 GSM
The key elements in GSM are the Base Station Subsystem (BSS), which includes the Base Transceiver Station (BTS) and the Base Station Controller (BSC), and the Mobile Switching Center (MSC), which is the core of the Network Subsystem (NSS). Additionally, these GSM elements use databases such as the Home Location Register (HLR) and the Visitor Location Register (VLR) for storing users' home and roaming information, respectively. The BTS provides the means to transmit and receive radio signals as well as to encrypt and decrypt communication with the BSC. The BSC provides network intelligence by allocating radio channels, controlling inter-BTS hand-offs and, most importantly, serving as a gateway to the MSC. The MSC, on the other hand, sets up circuit-switched communications, takes care of mobility management and manages other databases. A cellular network needs to keep track of the location of each Mobile Station (MS) in order to deliver calls and data to the correct destination reliably. Typically, the network uses an event-based mechanism to collect mobile devices' locations. Events such as powering up, shutting down, and crossing into another location area trigger the location update procedure. A cellular network is partitioned into cells served by BTSs. Cells are then grouped together to optimize signaling and to facilitate tracking of mobile phones within the network. Each group, managed by one BSC, is identified by a location area code broadcast by each BTS at regular intervals. Two fundamental operations within the location area are location update and paging.

Location update
The MS sends location update messages to its current BTS periodically so that all incoming calls or data can be routed appropriately. If the MS seldom sends updates, its location is unknown and the MS must be paged for each downlink packet (or call), thus degrading the quality of service. If, on the other hand, the MS sends frequent updates and its location is known, then data packets can be delivered without any additional paging delay.

Paging
To minimize the number of updates, preserve the MS's battery, and minimize bandwidth utilization, the network pages the MS over the Paging Channel (PCH) to determine its location. In other words, the PCH is used for communication from the BTS to the MS when the MS is not assigned a traffic channel; that is, when the MS's location is unknown or out of date. The paging bandwidth burden is relatively small in small location areas, less than 1% of the bandwidth allocated for voice channels. On the other hand, in an area with a large number (over 1000) of cells per location area, the paging bandwidth burden could be considerably higher [45].

Figure 3.1: GPRS infrastructure
3.1.2 GPRS
GPRS [46] is integrated into the existing GSM infrastructure with a new class of network nodes called GPRS Support Nodes (GSNs). GSNs are responsible for the delivery and routing of data packets to and from the mobile network. There are two types of GSNs: the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node (GGSN). The SGSN is responsible for transferring and routing data packets, mobility management, logical link control, authentication and billing services within its service area. The GGSN acts as an interface between the GPRS backbone and external packet networks (primarily the Internet). Its primary function is to convert GPRS packets coming from the SGSN to IP packets and vice versa. An illustration of GPRS is shown in Figure 3.1. Before an MS can use GPRS services, it must register with an SGSN so that all packets can be routed through it. During this procedure, called GPRS attach, a PDP (Packet Data Protocol) context is created. In particular, the SGSN checks whether the user is authorized, copies the user profile from the HLR to itself, assigns a Packet Temporary Mobile Subscriber Identity (P-TMSI) (see footnote 2), maps it to an IP address, and assigns a GGSN that will serve as the gateway to the Internet. The PDP context, composed of the above-mentioned information, is stored at the SGSN. GPRS detach, on the other hand, disconnects the MS from the GPRS network and deactivates the PDP context.

Footnote 2: The reasoning is to minimize use of the IMSI (International Mobile Subscriber Identity) for security purposes.

Location areas have proven to be efficient in voice networks; however, the bursty nature of data traffic increases the number of paging messages per phone in each location area. Therefore, each location area is further subdivided into routing areas, used by GPRS to decrease the penalty for locating an MS. GPRS phones use the IDLE, STANDBY and READY states, in increasing order of battery consumption. When an MS is in the READY state, the SGSN is aware of the MS's location. In particular, the MS performs frequent location updates to provide the network with the actual cell ID so that no paging is necessary. When in the READY state, the MS can send and receive data. Furthermore, it will stay in the READY state until the READY timer expires, at which point it transitions to the STANDBY state. While in the STANDBY state, the MS has an established PDP context and can receive calls or data. However, its location updates are coarser, in the sense that it informs the SGSN only of routing area changes, not of cell changes. If the SGSN needs to deliver data to the MS while the MS is in the STANDBY state, the SGSN sends a page request in the routing area where the MS is located. When the MS responds to the page, it transitions to the READY state. The IDLE state is the lowest battery consumption state, in which the SGSN is not aware of the MS's location. The MS can transition out of the IDLE state only by performing a GPRS attach procedure. Alternatively, an MS could initiate a GPRS detach procedure to transition to the IDLE state. Figure 3.2 shows the state machine of the GPRS MS. Upon completion of the communication, the MS goes into STANDBY mode. The PDP context, on the other hand, remains allocated to the MS.
We conducted experiments to discover how long each handset retained its assigned PDP context and IP address. We found that addresses seemed to be relinquished after as little as 15 minutes to as long as several hours. The reason for not deactivating a PDP context is simple: a cell phone can be unavailable for a period of time due to radio link failure; deactivating the context and activating a new one would mean that the phone would need to recreate all TCP sessions, possibly restarting applications and requiring the user to re-enter all passwords.
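A discrete-time model of the IDLE / STANDBY / READY behaviour just described, as an added example (this is not code from the thesis): it runs the state machine over constructed downlink schedules and counts how long the MS stays in READY and how often it is paged, which is what the battery drain discussed later in this chapter depends on. The READY timer value, the per-state energy costs, the page cost and the traffic patterns are assumptions chosen for illustration, not measurements.

```python
"""Discrete-time model of the GPRS mobile-station states IDLE, STANDBY and
READY, with a READY timer and paging from STANDBY.

Added example; not code from the thesis. The READY timer value, the
per-second energy cost of each state, the cost of answering a page and the
downlink traffic schedules are constructed assumptions, not measurements.
"""
from dataclasses import dataclass
from typing import Iterable

READY_TIMER_S = 44          # assumed READY timer (constructed value)
# Energy drawn per second in each state, in arbitrary constructed units.
STATE_COST = {"IDLE": 0.0, "STANDBY": 1.0, "READY": 10.0}
PAGE_COST = 5.0             # assumed cost of answering a page + location update


@dataclass
class MobileStation:
    state: str = "IDLE"
    pdp_context: bool = False
    ready_left: int = 0       # seconds left on the READY timer
    energy: float = 0.0       # accumulated energy drawn
    pages: int = 0            # pages answered
    ready_seconds: int = 0    # seconds spent in READY

    def gprs_attach(self) -> None:
        # GPRS attach creates the PDP context and puts the MS in READY.
        self.pdp_context = True
        self.state = "READY"
        self.ready_left = READY_TIMER_S

    def gprs_detach(self) -> None:
        # GPRS detach deactivates the PDP context; the MS becomes unreachable.
        self.pdp_context = False
        self.state = "IDLE"

    def deliver_downlink(self) -> bool:
        """The SGSN has a packet for this MS. Returns False if it cannot be routed."""
        if not self.pdp_context:
            return False
        if self.state == "STANDBY":
            # Location known only at routing-area level: the MS is paged and
            # performs a location update before the packet is delivered.
            self.pages += 1
            self.energy += PAGE_COST
        self.state = "READY"
        self.ready_left = READY_TIMER_S   # every packet restarts the READY timer
        return True

    def tick(self) -> None:
        """Advance one second: charge the state cost and expire the READY timer."""
        self.energy += STATE_COST[self.state]
        if self.state == "READY":
            self.ready_seconds += 1
            self.ready_left -= 1
            if self.ready_left <= 0:
                self.state = "STANDBY"   # PDP context stays allocated


def simulate(packet_times: Iterable[int], duration_s: int) -> MobileStation:
    """Attach at t=0, then deliver one downlink packet at each listed second."""
    ms = MobileStation()
    ms.gprs_attach()
    times = set(packet_times)
    for t in range(duration_s):
        if t in times:
            ms.deliver_downlink()
        ms.tick()
    return ms


def ready_fraction(ms: MobileStation, duration_s: int) -> float:
    return ms.ready_seconds / duration_s


def periodic(interval_s: int, duration_s: int) -> range:
    return range(0, duration_s, interval_s)


if __name__ == "__main__":
    HOUR = 3600
    # Constructed traffic patterns for one hour of observation.
    scenarios = {
        "two packets per hour": [600, 1900],
        "one packet every 60 s (gap longer than READY timer)": periodic(60, HOUR),
        "one packet every 4 s (gap shorter than READY timer)": periodic(4, HOUR),
    }
    for name, times in scenarios.items():
        ms = simulate(times, HOUR)
        print(f"{name:55s} READY {ready_fraction(ms, HOUR):6.1%}"
              f"  pages {ms.pages:3d}  energy {ms.energy:8.0f}")
```

Because every delivered packet restarts the READY timer, an inter-packet gap shorter than the timer keeps the MS in READY for the whole hour, while a gap longer than the timer costs one page and one location update per packet; in both cases the transceiver is kept busy by traffic the user never asked for. The same model can be used to check how a shorter READY timer, or a PDP context that is released sooner, changes the READY fraction for a given traffic pattern.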
3.1.3 MMS
MMS has become a very popular cellular message service. The MMS architecture spans both the cellular network and the Internet and uses technologies in both networks, such as WAP, SMTP, and HTTP.
Figure 3.2: The GPRS mobile station state machine (figure labels: IDLE, GPRS Attach, GPRS Detach, READY, STANDBY, PDP CONTEXT ACTIVE)

The MMS architecture consists mainly of the MMS Relay/Server (MMS R/S) and user agents. Several optional entities of the architecture (the billing server, the Home Location Register, and the User Database) may exist inside or outside the MMS R/S. Figure 3.3 shows an overview of the MMS architecture. The MMS R/S is responsible for all MMS transactions. When a user transmits an email or an MMS message, the mobile phone formats the message in Synchronized Multimedia Integration Language (SMIL) [47]. The MMS R/S translates (transcodes) the message to either email or a different MMS format, depending on the provider. The message is then sent to the destination SMTP mail server or the destination MMS R/S using SMTP. Upon receiving the message, the destination MMS R/S stores the message in the user's buffer while sending a notification message to the user via an SMS or WAP push message. The notification message contains the location of the message, usually specified as an HTTP address. Users can configure their mobile phones either to automatically download the message upon receiving the notification or to manually download the message themselves.
Figure 3.3: Overview of the MMS architecture (figure labels: HLR, User DB, Billing Server, User Agent, Email Client, SMTP, MMS R/S, Wireless Network, Internet; interfaces MM1, MM4, MM5, MM8, MM9)
3.2 Attacks
In this section, we present our findings on attacking the cellular network. We first investigated the MMS protocol and discovered several vulnerabilities that we leveraged to reach into the heavily protected cellular network. Then, by exploiting these vulnerabilities, we implemented a proof-of-concept attack on a scarce resource: the battery power of mobile devices. The attack is stealthy, as it is noticeable to neither mobile users nor network operators. Our experiments demonstrate that unique threats against cellular networks and mobile devices exist and are exploitable. Finally, we discuss how to make this attack even more effective.
We confirmed that MMS messages and MMS notification messages, composed of header and content sections, were sent in plain text. In addition to the SMIL headers, the packet also included an HTTP POST header containing the source and destination IP addresses, the user agent profile, the content type and size, and the user agent name.

Unauthenticated MMS R/S
To mitigate the problem of unencrypted messages, cellular providers hide their own MMS R/S's IP addresses in the phones, hoping that cellular users cannot read or overwrite them. Unsurprisingly, we discovered that this attempt at security by obscurity is broken. In order to inspect the raw MMS message format, we modified a phone's firmware to route all MMS messages through our own MMS R/S. The MMS R/S setting is well hidden in our phone's firmware, which suggests that providers do not intend to allow users to modify it. After modifying the MMS R/S entry in our phone, we discovered that the phone had no security mechanism that flagged the new, unauthorized MMS R/S. Furthermore, MSs also do not authenticate MMS notification messages and MMS messages sent from the network; an MS will accept any MMS message as long as the format is correct. Consequently, we were able to send unlimited MMS messages for free, without alarming the cellular provider.

Critical phone information disclosure
We discovered that handsets include pertinent user agent platform information whenever they communicate over HTTP. Accordingly, we set up a web server running Ethereal to capture HTTP requests from various handsets on different networks. We found that every phone disclosed either its full profile or information that included one or more of the following: hardware platform description, display capabilities, and the current and compatible software. An attacker could very easily write a script that extracts the model number of each handset.
Figure 3.4: Ethereal reconstruction of an MMS message captured by our MMS R/S. The message is transported in clear text. Various fields such as the server, the sender's phone number and phone model are exposed and could be collected in the hit list.

Figure 3.5: A two-step attack on cellular devices. In Step 1, the attacker builds a hit list using MMS message notifications (Messages (1)), and captures information about mobile users from the HTTP requests from mobile users (Messages (2)). In Step 2, the attacker drains the batteries of cellular devices on the hit-list surreptitiously by sending UDP packets (Messages (3)) periodically to the cellular devices. (Figure labels: Attacker, MMS Server, Victim 1 to Victim n; messages (1_1) to (1_n), (2_1) to (2_n), (3_1) to (3_n).)
Building target hit-list
To launch effective, large-scale attacks, an attacker needs to build a hit-list that contains important information about the network and end users. One way to obtain such information is by asking the mobile phones. An attacker can send MMS notification messages, whose content address points at a malicious web server, to numerous recipients. The target phone numbers can be generated automatically using known area codes and prefixes for cellular phone numbers. The MMS notification messages can be sent using SMS or WAP push. There are many free SMS messaging websites, including those offered by cellular providers. Once the MMS notification messages are sent, the attacker waits for HTTP request messages at his web server, whose location was stated in the MMS notification message. Since many cell phones are configured to download MMS messages automatically upon receiving a notification, they will make HTTP requests to the attacker's web server. The HTTP requests often contain the profiles and IP addresses of the phones, and even the file extensions that the phones are able to process. By sending a slightly different URL to each phone, the attacker can build a hit list that maps each phone number to a profile of its cellular device. More importantly, the phone's response to the MMS notification message activates a PDP context, making our attack easy and simple to execute even in the presence of NAT and firewalls.

Draining batteries
Using the hit-list generated from MMS notification messages, an attacker can target the cellular network and cellular devices more precisely and effectively. Accordingly, we implemented a battery-draining attack that focuses on the end hosts instead of the network. We implemented our attack using UDP packets (we explain an improved technique later). The key to maximizing a cell phone's battery life is to use its transceiver sparingly. In fact, when a cellular phone is turned on, its transceiver is active less than 3% of the time. As a reference, in wireless sensor nodes, transmitting one bit of information consumes 1500 to 2700 times as much energy as executing one instruction [49]. Thus, if a packet is sent to a phone, the SGSN will deliver the packet if the phone's location is known, or attempt to locate the phone by sending a page request to it. However, since cellular phones spend most of their time in STANDBY mode (or other dormant modes), the page on the paging channel will awaken the phone to the READY state and force it to perform a location update. The sine qua non of this attack is to keep the phone in the READY state (high battery consumption), thereby disabling its ability to preserve battery life, or to let the phone temporarily go into the STANDBY state only to be immediately awakened with a page and forced to perform a location update; both of these actions consume much energy.

Theoretical impact
To investigate the severity of the aforementioned attack, we estimate the damage that an attacker with a home DSL Internet connection can inflict. A typical DSL upload speed ranges from 256 kbps to 416 kbps. We use the intermediate speed, B = 384 kbps, as an estimate of the upload bandwidth. Each UDP packet carries a single character in the data segment, which might be padded to 4 bytes depending on the provider's DSL modem. The UDP header is 8 bytes, and the IP header is 20 bytes. In the pessimistic estimate where our data is padded, the total size of the packet is S = 32 bytes. Therefore, the maximum number of UDP packets per second that an attacker may send is (B/8)/S = 1500. To attack a phone effectively, an attacker must send one UDP packet to the phone every T seconds. In this case, the maximum number of phones that the attacker can attack simultaneously is (B/8)·T/S. We estimated the time T by trial and error using different test configurations. For our experiment, we chose 3.75 seconds for the GSM-based network and 5 seconds for the CDMA-based network. Using our equation, we calculated that an attacker can attack about 5625 phones using a standard ADSL line for a GSM-based network and around 7000 phones for a CDMA-based network.
Table 3.1: Reduction of battery life due to our attack

Battery life under attack (hours)   Reduction relative to normal use
7                                   22.3:1
7                                   8.6:1
2                                   18.0:1

triggering any alarms. Our test machine's IP was not blocked, our phones were fully operational after the attacks, and no notifications or warnings were sent to us regarding this issue. Moreover, during the attack the phone appeared to be operating normally and no additional Internet application was started, so the victim user would not notice the attack until his/her battery died unexpectedly.
be downloaded to the mobile phone before the phone can discard the packet. Therefore, with an accurate hit-list collected using MMS as above, the attacker can sacrifice the number of targets per computer to deliver an even more efficient attack using a maximum-sized payload. Using the original attack implemented with UDP, the attacker can send a maximum theoretical UDP data packet of 64Kb due to its 2-byte total length field. In the TCP variety of the attack, ACK messages piggyback onto the existing payload with a maximum size of 1500 bytes. Besides causing additional unnecessary downloads for the mobile agent, the attack could possibly be even more efficient due to packet fragmentation. This exacerbates the attack so that the attacker would only need to send a single packet that becomes multiple packets at the mobile agent.

NAT and firewall

Through field experimentation, we have determined that most providers who utilize NAT also implement Network Address and Port Translation (NAPT). NAPT provides dynamic (privateIP, privatePORT) to (publicIP, publicPORT) translation. For example, the inside interface tuple (10.0.0.5, 3000) could be mapped to the outside interface tuple (199.156.3.4, 6000). However, there are certain issues with network-wide NAT deployment. For example, it often hinders application deployment. Additionally, certain security protocols such as IPSec and Kerberos are affected: NAT changes the address in the IP header, causing loss of integrity. For these reasons, operators choose to implement NAT only on certain subnets affecting a selected customer base. In other words, most operators offer both private and public IP plans. It would seem that our attack could be mitigated with NAT and firewall placement. However, a very simple change to the attack could yield the same result. The crux of the change is the observation that each inside IP address maps to a port on the outside interface, because the publicIP is the public IP address of the NAT system.
Thus, targeting an inside IP address reduces to targeting a certain port of the outside interface. Since NAPT does address and port translation dynamically, the IP address and port mappings are only alive during active PDP contexts. Thus, the attack must be delivered within an active session window. Since phones automatically create an outbound connection to connect to a malicious HTTP server, the server itself must deliver the attack, thus prolonging the connection. The firewall would consider this connection valid as it is internally initiated over allowed ports, and NAT would continue the address and port translation for the duration of the attack.
that the destination IP address is one of the MMS R/S or accredited third party Value Added Service (VAS) providers. The filter should not be implemented at the WAP gateway, but rather at the SGSN or GGSN, since users can easily modify the phone's settings and bypass the cellular provider's WAP gateway.
stealthily bypass firewalls and IDSs. Our defense mechanism can also serve as an event detector for IDSs already in place in order to monitor the internal network. Our defense mechanism is also effective against insider attacks, where malicious users are connected using the cellular network instead of the Internet. Finally, APM is non-intrusive: it does not require ancillary network infrastructure, as it utilizes existing GPRS mechanisms to provide an additional layer of protection. Using these two observations, we developed APM to detect and mitigate attacks on the GGSN. APM can not only completely mitigate our battery draining attack, but also detect and mitigate other attacks exploiting the paging channel and PDP context, such as flooding attacks on the paging channel using packets from the Internet.

Design Principle

We designed APM with three goals in mind:
1. It should be implemented in the network core.
2. It should be transparent to mobile users.
3. It must be simple.

Since our attack focuses on draining the battery of mobile users, the defense strategy should not exacerbate the attack by requiring additional processing from the mobile phone. If this were not the case, the defense mechanism itself could be utilized as a battery draining tool. Since the network core is assumed to have unlimited battery power, we must implement the defense mechanism at the core. Furthermore, it is almost impossible to implement any defense strategy on the mobile phone since cellular technology has already been widely deployed. Service providers cannot require all users to upgrade or update their hardware. Any type of defense strategy would be useless if users do not implement the mechanism. For instance, software patches are often useless against malware due to deployment issues. On the other hand, cellular providers can easily deploy defense strategies at the core, without user interaction. Our defense should also be transparent to each user.
If our defense mechanism causes any inconvenience for mobile users, they will most likely complain to service providers. Usability is a main concern for mobile users since attacks on mobile phones are, at this time, unlikely and not widespread. Furthermore, service providers will be less inclined to implement our strategy due to the inconvenience for users and the support cost to educate customers.
[Figure 3.6, flowchart: Packet -> Outgoing? -> PDP Context Exists? -> Existing connection? -> Transmit Packet or Drop Packet; stateCount * 2 on a new outgoing connection, stateCount / 2 on connection end; if stateCount > 0 is No: (1) Backoff, (2) PDP Modification, (3) Drop Packet.]

Figure 3.6: Adaptive PDP Context management scheme

Finally, our defense strategy should be as simple as possible due to the high workload of each GGSN. A GGSN is responsible for providing an interface for millions of mobile phones. If our mechanism is computationally expensive, the attacker can exploit this and in turn cause a DoS on the GGSN.

Strategy overview

For clarity, we present APM both in the pseudocode shown below and in the state diagram shown in Figure 3.6. APM is separated into three phases: the detection phase, the exponential increase linear decrease (EILD) phase, and the recovery phase.

APM(packet)
  if packet is outgoing then
    if packet initiates a new connection then
      if stateCount < stateCountMax then
        stateCount <- stateCount * 2
    if packet ends a connection then
      stateCount <- stateCount / 2
  else if PDP context exists then
    if packet does not belong to an existing connection
The APM detection algorithm works in the following manner. For each packet, the algorithm decides whether it is valid or not. The GGSN can accomplish this by using our second observation discussed in Section 5.1: a packet is not valid if it is incoming and does not belong to any active connection. Since the GGSN is stateful and already keeps track of connection states, it can distinguish whether a packet is valid or not by simply examining the header of each packet. However, to offload work from the GGSN, we also propose a modification to the PDP context. Currently, the PDP context only contains the external address of each mobile device. Instead of simply storing the address, we can store (IPaddress, portnumber) tuples. A modified PDP context can have multiple address and port tuples. Whenever a mobile agent requests an outgoing connection, a tuple is assigned to it instead of just an address. Using this technique, we can easily distinguish between valid and non-valid incoming packets. To manage PDP context lifetime, we introduce a new variable along with the PDP context called stateCount. This counter serves as the time to live (TTL) for each PDP context. The algorithm uses the stateCount variable in the following way: when the GGSN receives an outgoing connection request or packet, a new tuple is assigned to the mobile phone, and the stateCount is doubled. If stateCount is 0, then we initialize it to 1. However, if the GGSN receives an incoming non-valid packet, the stateCount is decremented by 1. When stateCount decreases to 0, the GGSN can conclude that the phone is under attack and perform recovery. This phase is called exponential increase, linear decrease (EILD). By implementing EILD, our algorithm can withstand some amount of false positive readings before raising an alert and entering the recovery phase. For example, it would be hard to distinguish between valid and malicious streaming traffic.
Furthermore, many port scanners, worms, and other backscatter activities [50] are unavoidable on the Internet. Using EILD, we can avoid disrupting the user as much as possible before we enter the recovery phase. Finally, we note that the PDP context can still be kept indefinitely, depending on the service provider's policy, as long as the mobile agent is not under attack.
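As an added example (not the thesis's implementation), the Python model below follows the APM pseudocode and Figure 3.6: a PDP context extended with (IP address, port) tuples, the stateCount counter with its exponential increase and linear decrease, and the recovery step of a random backoff followed by a gateway-assisted PDP context modification. The stateCount cap is taken from the 60² · n · h bound of the analytical section; the addresses, ports, backoff window and packet sequence are constructed.

```python
"""Added example (not the thesis's implementation) of Adaptive PDP context
Management (APM): each PDP context carries (external IP, port) tuples and a
stateCount that doubles on new outgoing connections, halves when one ends and
drops by one per unsolicited incoming packet (EILD); at zero, recovery runs a
random backoff in (Cmin, Cmax), then a PDP context modification to a fresh
address.  Addresses, ports, timings and the packet sequence are constructed."""
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ConnTuple = Tuple[str, int]   # (external IP, port) of one outgoing connection
STATE_COUNT_MAX = 2 ** 13     # connectionCount_max = log2(60^2 * n * h) = 13 for n = 1 packet/s, h = 4 h


@dataclass
class PdpContext:
    external_ip: str
    tuples: Set[ConnTuple] = field(default_factory=set)
    state_count: int = 1
    recover_at: Optional[float] = None   # backoff deadline once an attack is detected
    recoveries: int = 0


class Apm:
    def __init__(self, spare_ips, cmin=1.0, cmax=5.0, seed=0):
        self.spare_ips = list(spare_ips)            # handed out on PDP modification
        self.cmin, self.cmax = cmin, cmax           # backoff window (Cmin, Cmax), seconds
        self.rng = random.Random(seed)
        self.contexts: Dict[str, PdpContext] = {}   # mobile id -> PDP context
        self.by_ip: Dict[str, PdpContext] = {}      # external IP -> PDP context
        self.owner: Dict[ConnTuple, str] = {}       # tuple -> mobile id
        self.next_port = 40000

    def activate(self, mobile, external_ip):
        self.contexts[mobile] = self.by_ip[external_ip] = PdpContext(external_ip)

    def tick(self, now):
        """Finish any recovery whose backoff expired: drop all connections, new address."""
        for ctx in self.contexts.values():
            if ctx.recover_at is not None and now >= ctx.recover_at:
                for tup in ctx.tuples:
                    self.owner.pop(tup, None)
                ctx.tuples.clear()
                self.by_ip.pop(ctx.external_ip, None)
                ctx.external_ip = self.spare_ips.pop(0)   # gateway-assisted PDP modification
                self.by_ip[ctx.external_ip] = ctx
                ctx.state_count, ctx.recover_at = 1, None
                ctx.recoveries += 1

    def outgoing(self, mobile, kind, now, tup=None):
        """kind is 'new' (opens a connection), 'data', or 'fin' (closes `tup`)."""
        self.tick(now)
        ctx = self.contexts.get(mobile)
        if ctx is None:
            return "drop", None                     # no PDP context
        if kind == "new":
            tup = (ctx.external_ip, self.next_port)
            self.next_port += 1
            ctx.tuples.add(tup)
            self.owner[tup] = mobile
            if ctx.state_count < STATE_COUNT_MAX:   # exponential increase
                ctx.state_count = 1 if ctx.state_count == 0 else ctx.state_count * 2
        elif kind == "fin" and tup in ctx.tuples:
            ctx.tuples.discard(tup)
            self.owner.pop(tup, None)
            ctx.state_count //= 2
        return "transmit", tup

    def incoming(self, dst_ip, dst_port, now):
        """Valid only if the packet belongs to an active outgoing connection."""
        self.tick(now)
        if (dst_ip, dst_port) in self.owner:
            return "transmit"
        ctx = self.by_ip.get(dst_ip)
        if ctx is None:
            return "drop"                           # no PDP context for this address
        ctx.state_count = max(0, ctx.state_count - 1)   # linear decrease
        if ctx.state_count == 0 and ctx.recover_at is None:
            ctx.recover_at = now + self.rng.uniform(self.cmin, self.cmax)
            return "recover"                        # attack detected, backoff started
        return "drop"


def demo():
    """Two connections, one valid reply, a constructed unsolicited flood, then traffic after the backoff."""
    apm = Apm(spare_ips=["198.51.100.20"], cmin=1.0, cmax=2.0)
    apm.activate("ms-1", "198.51.100.10")
    _, t1 = apm.outgoing("ms-1", "new", now=0.0)     # stateCount 1 -> 2
    apm.outgoing("ms-1", "new", now=0.5)             # stateCount 2 -> 4
    actions = [apm.incoming(t1[0], t1[1], now=1.0)]  # reply on t1: transmit
    for i in range(6):                               # flood to ports no connection uses
        actions.append(apm.incoming("198.51.100.10", 9000 + i, now=2.0 + 0.1 * i))
    actions.append(apm.incoming("198.51.100.10", 9100, now=10.0))  # after recovery
    _, t3 = apm.outgoing("ms-1", "new", now=10.5)    # mobile resumes normally
    return actions, apm.contexts["ms-1"], t3
```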
The recovery phase is entered when the stateCount decrements to 0. It is implemented as follows: before disconnecting the user, we implement a random backoff wait period between (Cmin, Cmax). The wait period allows any existing connection to finish. After the random backoff waiting period, the GGSN performs a gateway assisted PDP context modification, changing the external address in the PDP context. At this time, all connections currently still active will be dropped, thus preventing the attacker from reaching the mobile agent. Furthermore, only one extra message would be sent to the mobile agent notifying it of the modification, and one extra message would be sent from the mobile agent acknowledging the change. The mobile agent, after the recovery phase, can resume data connection and request outgoing connections as usual.

Specification Modification

Our defense strategy can be safely implemented in existing GPRS infrastructure without any violation of the specification [51]. In particular, the GPRS specification states that users should be able to establish and deactivate GPRS service as requested. Our defense mechanism does not violate this. The specification does not clearly state any PDP context management scheme. In fact, the specification does not restrict when a PDP context should be deactivated. However, the specification, under invocation and operation, states that "It shall be possible for a MS to be a GPRS service requester and service receiver." Our defense mechanism would violate this part of the specification. However, we argue that cellular devices should not act as a server or any service receiver. In fact, most service providers in the US restrict mobile agents' usage and do not allow any type of service to be active on any mobile user. Furthermore, the specification makes our battery draining attack, and many other attacks, possible since it allows an entity to activate the PDP context and communicate with mobile devices.
We argue that such action should not be encouraged and protection against such exploitation should be strictly enforced.

Analytical Analysis

We now present an analytical analysis of our proposed defense strategy and provide a simple calculation of the maximum stateCount value which must be set in order for our defense to detect an attack.
We define the number of packets needed in order to mount a battery draining attack as follows. Given

$$n = \frac{\#\,\text{packets}}{\text{s}} \qquad (3.1)$$
calculate the upper bound on the number of outgoing connections that a cellular operator may set. Parameters n and h are network dependent, so each operator would have to tailor them to their network. In order to detect this attack, our stateCount variable must not exceed $60^2 \cdot n \cdot h$. Since we exponentially increase stateCount in the fashion of $2^{\text{connectionCount}}$, we calculate connectionCount_max as follows:

(3.2)

And following our argument from above, the connectionCount should be calculated as follows:

(3.3)

For example, for n = 1 packet/s and h = 4 hours we notice that connectionCount = log₂ 14400 ≈ 13. This means that the maximum number of connections each phone can make simultaneously in order to detect an attack that sends 1 packet/s is 13 connections.
Note that this calculation provides a maximum for the connectionCount variable. Providers should set this variable limit to a much smaller number, in order to detect any type of attack much faster than this rate.

Implementation Details

As mentioned previously, our defense strategy is best implemented on the GGSN. Since service providers already perform some proprietary PDP management scheme, as tested empirically,³ implementing our scheme would be very simple. Furthermore, as most of the functions needed are already implemented, such as the gateway assisted PDP context modification function, there would not be any additional implementation work. Furthermore, our proposed extension of the PDP context would also be a simple modification. The implementation of the modified PDP context can be transparent to mobile devices, and the mapping can be done entirely at the GGSN. Since GGSNs are already stateful, a simple change in IP address assignment would not be difficult. Furthermore, our proposed modification to the PDP context would also provide NAT-like behavior, as each IP address can be assigned multiple times using different ports. We envision APM to be implemented as a plug-in module, which should not be any longer than a couple of hundred lines of code. Since GGSNs are standardized within each service provider, a patch-like distribution can be easily deployed once the module has been fully tested on testbeds.

³ During our battery draining experiments, the PDP context sometimes would detach even if the mobile phone was stationary. We noticed that a PDP context can be alive from 15 minutes to even days.
3.4 Conclusion
In this chapter, we demonstrated an attack that is able to drain mobile devices' battery power as much as 22 times faster. This attack proceeds in two stages. First, the attack exploits vulnerabilities in MMS to build a hit list of mobile devices. Then, the attack exploits PDP context retention and the paging channel to drain mobile devices' battery power. We were able to drain batteries without alerting either the mobile user victims or the cellular network operators. Our analysis shows that an attacker would need only several home DSL Internet connections to mount a large scale attack against a large number of cellular phones. We identified key components in cellular networks that enable this attack and proposed corresponding mitigating solutions.
Chapter 4
makes scheduling decisions based on the ratio DRC_i(t)/R_i(t), where DRC_i(t) = min{CQI_k[n], B_k[n]/t_TTI} and B_k[n] is

(4.1)

where α is a network provider's parameter describing the weight of the current time slot toward the
Cellular networks implement handoffs to transfer a connection from one base station to another. There are two types of handoffs: soft and hard. In a hard handoff, the network drops the connection to the current base station before initiating a new one. In a soft handoff, on the other hand, a mobile device can have connections from several base stations simultaneously and choose to transmit through the best base station. Notably, handoffs in 3G cellular services do not break data transmission sessions.
station, the new base station does not retrieve the device's average data rate from its previous base station [40], but rather assigns an often small or average value as the device's initial average rate. In the previous attack via reporting fabricated CQIs, the malicious mobile device has to report monotonically increasing CQIs to sustain the attack because its average data rate keeps increasing. Eventually, the attack becomes ineffective when its reported CQI exceeds the maximum allowable CQI. However, if the malicious device sits in the coverage of multiple base stations, it may hand off to another cell to acquire a fresh, lower average data rate and start the attack again. Moreover, multiple malicious devices may cooperate to attack multiple cells simultaneously (Section 4.2.2).
mobile device of the adversary (the context should differentiate the two meanings), and use "user" to refer to either a human user or the mobile device of the user. When an attack involves multiple attackers, we assume that they coordinate. We will consider attacks on the proportional fair (PF) scheduler under three settings. First, we consider attacks from a single cell, with a single or multiple attackers. Next, we consider attacks from multiple cells, which are much more effective. Finally, we consider a more realistic situation where the attackers do not know the channel conditions of other users.
(4.2)
Since we assume that each user has the same CQI, the PF scheduler becomes a round robin scheduler, where each user is scheduled once every N slots (N is the number of users in the cell). For example, if user i is scheduled at time slot s, he will not be scheduled until time slot s + N. Therefore, user i's average rate R_i(t) is maximized at time slot s and minimized at time slot s + N − 1. According to Equation 4.1,

$$R_i(s) = (1-\alpha)^N R_i(s-N) + \alpha\,\mathrm{CQI} \qquad (4.3)$$

³ And

Let us consider a steady state, where R_i(t) = R_i(t + kN) for all integers k. In this case, R_i(s) = R_i(s − N). Using this equality in Equation 4.3, we have

$$R_i(s) = \frac{\alpha\,\mathrm{CQI}}{1-(1-\alpha)^N} \approx \frac{\mathrm{CQI}}{N} \qquad (4.4)$$

R_i(s) is user i's maximum throughput. His minimum throughput is

$$R_i(s-1) = R_i(s+N-1) = (1-\alpha)^{N-1} R_i(s) \approx (1-\alpha)^{N-1}\,\frac{\mathrm{CQI}}{N} \qquad (4.5)$$

Let C(t) = max_i {CQI / R_i(t)} be the maximum CQI-to-throughput ratio at time t among all the users. In the steady state, C(t) becomes a constant C, which is:

$$C = \frac{\mathrm{CQI}}{R_i(s-1)} \approx \frac{N}{(1-\alpha)^{N-1}} \qquad (4.6)$$
Next, we describe a strategy for the attacker to obtain consecutive time slots. To obtain time slot 1, the attacker i must report a CQI_i(1) such that CQI_i(1)/R_i(0) ≥ C(0). After time slot 1, C(1) = C(0)/(1 − α), because for each victim user j, its CQI remains constant, but its average throughput R_j has been scaled by 1 − α. Therefore, to obtain time slot 2, the attacker i must report CQI_i(2) such that CQI_i(2)/R_i(1) ≥ C(1) = C(0)/(1 − α). Subsequently, at time t, the attacker must claim CQI_i(t) such that CQI_i(t)/R_i(t − 1) ≥ C(0)/(1 − α)^{t−1}. The attacker can obtain consecutive time slots until the required CQI_i(t) exceeds CQI_max, the maximum value of CQI. Therefore, the maximum number of consecutive time slots that the attacker can obtain is the maximum integer t_0 that satisfies
$$\mathrm{CQI}_{\max} \ge \frac{C\,R_a(0)}{(1-\alpha)^{t_0-1}} \prod_{k=1}^{t_0-1}\left((1-\alpha) + \frac{\alpha\,C}{(1-\alpha)^{k-1}}\right) \qquad (4.7)$$
Equation (4.7) shows that the maximum number of consecutive slots an attacker can obtain (t_0) depends on the average throughput of the attacker at the beginning of the attack (R_a(0)), the maximum CQI (CQI_max), and α. Since the maximum CQI and α are set by the system, they are out of the control of the attacker. The maximum CQI depends on the hardware. α is used to balance the tradeoff between long-term and short-term performance. The smaller the value of α, the better the system's long-term throughput; however, when under attack, the smaller the value of α, the larger the value of t_0, i.e., the attacker can obtain more time slots. By comparison, the attacker has control over R_a(0), its average throughput at the beginning of the attack. Equation (4.7) shows that the smaller the value of R_a(0), the larger the value of t_0. Therefore, after each attack session, the attacker needs to reset its R_a(0) by reporting the lowest CQI values for a sufficient period (typically on the order
of seconds). Finally, this model is simplified, assuming all victim users have the same, consistent CQI. When users have time-varying channel conditions, Equation 4.7 provides an upper bound for estimating t_0.

Multiple attackers

A single attacker can obtain consecutive time slots until his reported CQI exceeds the maximum CQI value; however, we can increase the number of consecutive time slots obtained by using multiple colluding attackers. We describe three different coordinating schemes.

Sequential attack. The simplest scheme is to attack sequentially. The attacker with the smallest average throughput R_i(t) starts the attack and tries to obtain as many consecutive time slots as possible, while the other attackers lurk (by reporting arbitrarily small CQIs to avoid being scheduled). When the active attacker's reported CQI exceeds the maximum value of CQI, it stops the attack while the attacker with the smallest average throughput among the remaining attackers starts to attack. The attack continues until no attacker can get scheduled (because their average throughput is too high).

Minimum CQI attack. Since the attack will stop when all attackers' reported CQIs exceed the maximum value, this scheme tries to slow the increase of the reported CQIs. At each time slot, each attacker computes the CQI that it needs to obtain the time slot. Then, the attacker with the smallest CQI reports its CQI to the base station while the other attackers lurk.

Delta CQI attack. This algorithm tries to slow the increase of the calculated CQI values. At each time slot t, each attacker i computes the increment Δ_i(t) needed over its previous CQI. In other words, Δ_i(t) = CQI_i(t) − CQI_i(t − 1). The attacker with the smallest Δ_i(t) then reports its CQI to the base station.

Simulation

We used simulation to evaluate the effectiveness of our attacks in a single cell. In the simulation, we chose parameters that were recommended by specifications or that were commonly used by cellular networks. The PF scheduler had α = 0.001. The cell had 50 users. Each user quantized his channel condition into a CQI, an integer between 1 and 15, and reported the CQI to the base station. The goal of the attack was to obtain the maximum number of consecutive time slots.
First, we simulated a single attacker in a cell with 49 victim users. We used the same ideal scenario as in our analysis in Section 4.2.1, i.e., all victim users had the same CQI value. The simulation showed that the attacker could obtain 42 consecutive time slots, whereas Equation 4.7 predicts that the attacker can obtain 39 consecutive time slots. The minor difference between the simulation and the analysis is due to the approximation during the derivation of Equation 4.7. Next, we simulated the same attack under a more realistic condition where each user's channel condition was a random variable following a Rayleigh distribution with a parameter of 3 and an initial average rate of 0.5. The simulation showed that the attacker gained an average of 19 time slots, with a standard deviation of 2.77. Next, we simulated multiple attackers in the same cell. Again, each user's channel condition was a random variable following a Rayleigh distribution. We varied the number of attackers from one to five and simulated each of the attack schemes in Section 4.2.1. Figure 4.1 shows that the number of collective consecutive time slots obtained by the attackers increases almost linearly with the number of attackers. Among the three attack schemes, the Delta CQI scheme performed the best, where five attackers obtained 99 consecutive time slots.
[Figure 4.1 plot: Timeslots Occupied (0 to 100) against Number of Attackers.]

Figure 4.1: Consecutive time slots obtained by attackers using different collaborating schemes in a single cell.
Although 99 consecutive time slots (or 165ms) occupied by the attackers will cause delay on victim users, this delay is tolerable by many applications and protocols. Moreover, after the attack, the attackers must relinquish a large number of (at least 2000) time slots to reset their average throughput low enough before they can attack again. Therefore, the attackers cannot sustain this delay. Fortunately (or unfortunately, depending on your stand), we were able to exploit another vulnerability to make our attack much more effective and sustainable.
average of the average throughput of all existing users in this cell as the initial average throughput of the new user. The motivation for this scheme is the assumption that the new user's channel condition is close to the average channel condition of all existing users. The disadvantage of this scheme is that when the new user has just moved into his current cell from a neighboring cell, he is likely at the edge of his current cell with poor channel condition, so this scheme would over-estimate the new user's average throughput.
from the edge of the cell, they expect to have the poorest channel condition. Therefore, this scheme chooses the minimum of the average throughput of all existing users as the initial average throughput of the new user. However, if the new user happens to have good channel condition, this scheme would under-estimate the user's average throughput.

Determined by the user

Finally, since users are already burdened with tasks such as channel quality and pilot measurements for multiple cells, an intuitive scheme is to let users report their initial average throughput. A major problem with this scheme is that the base station trusts users blindly. An attacker can report a bogus low average throughput to gain an unfair advantage in scheduling.

Simulations

We simulated the attack from two cells. We used the same PF scheduler and the same Rayleigh distribution for users' channel conditions as in Section 4.2.1. We simulated various numbers of attackers per cell, from one to five. The attackers used the sequential attack algorithm described in Section 4.2.1. However, after the last attacker in the cell finished his attack (i.e., when he could obtain no more time slots), all the attackers in both cells handed off to the other cell. Although the sequential attack algorithm is not the most effective, it is the simplest and illustrates the lower bound of the attack effect. We assume that handoff takes one time slot, which is realistic for soft handoff. We ran the simulation for 18072 time slots, or 30 seconds. Figure 4.2 shows the percentage of time slots that the attackers got when there was one attacker per cell and the attackers determined their initial throughput. It shows that after about 2000 time slots, the attackers consistently obtained about 78% of all the time slots, a condition that we call the stabilization of the attack.
We simulated different numbers of attackers per cell and different schemes for assigning the initial average throughput, and in all the simulations the attack stabilized well before 30 seconds. Figure 4.3 shows the total number of time slots that the attackers obtained in 30 seconds. Unsurprisingly, the more attackers per cell, the more time slots they obtained. However, even with just one attacker per cell, the attackers obtained from 13459 (74%) to 16241 (90%) time slots, depending on the scheme by which the scheduler assigns the initial average throughput. Among the three schemes, the scheme that lets the user provide this initial value is the most vulnerable: one attacker obtained 16241 (90%) time slots, while five attackers obtained 17317 (96%) time slots.
[Figure 4.2 plot: % of Timeslots obtained (0.5 to 0.9) against Time (timeslot), 0 to 15000.]

Figure 4.2: Percentage of time slots obtained by two attackers, one per cell
[Figure 4.3 plot: Timeslots Occupied (0 to 18000) against number of attackers per cell (0 to 5), for the three initial-average schemes: User Provided, Min. user avg., Mean user avg.]
$$c(t+1) = \max_i \frac{\mathrm{CQI}_i(t+1)}{R_i(t)} \approx \max_i \frac{\mathrm{CQI}_i(t+1)}{(1-\alpha)\,R_i(t-1) + \frac{\alpha}{N}\,\mathrm{CQI}_i(t)} = \max_i \frac{\mathrm{CQI}_i(t+1)/R_i(t-1)}{(1-\alpha) + \frac{\alpha}{N}\,\mathrm{CQI}_i(t)/R_i(t-1)} \approx \frac{c(t)}{(1-\alpha) + \frac{\alpha}{N}\,c(t)}$$

Some approximations are involved in the above estimation. First, on average, a victim user gets scheduled once in every N slots in which the attacker is not scheduled. Therefore, when the attacker is not scheduled, the average rate of a victim user increases by approximately (α/N) · CQI_i(t).
shows the percentage of time slots that the attackers obtain when they do not know the CQIs of the victim users, compared to the case with perfect information. If the PF scheduler uses user-provided initial average throughput, the attackers, using our estimation, can obtain almost the same number of time slots, as in the ideal situation when the attackers know the value of c(t ) perfectly. Even when the PF scheduler uses the two other schemes, which are more robust against our attack, the attackers could still obtain more than 85% of the time slots that they would obtain in the ideal situation.
users. In a normal application, users experience a slight delay of 0.081 seconds between each transmission, which is acceptable in most applications. This number, by the way, would most likely be different if QoS requirements were deployed. Note that the PF scheduler functions very similarly to a round robin scheduler in this case, even with random channel conditions. For example, in a cell with 50 users, each user waits around 49 timeslots for a transmission. The delay variance of a user in a PF scheduler is higher (in particular, N 2 N, where N is the number of users). During the attack, on the other hand, a victim user can experience up to 1.8 seconds of delay (22 times the delay before the attack) between each pair of successive transmissions. This significant delay will render many applications virtually useless.
⁴ Not shown in graph due to space constraints.

⁵ The reason why the attacker's average throughput is not significantly higher is because of handoffs, which reset the attacker's average throughput.
Cellular providers have already started offering the VoIP service due to its lower cost. However, VoIP packets have a rigorous delay requirement: 0-150ms delay is acceptable, 150ms-400ms delay might be tolerable, but longer delay is disruptive [62]. This delay budget is for end-to-end delay, including coding/decoding time (around 20ms), transmission delay over the Internet (about 100ms across the continental USA) and uplink and downlink delay to the user. Therefore, the delay on the cellular link is important. Using VoIP as an example, we develop a function to calculate the end-to-end delay between two cellular users. Let f(DNW, N, U, X) be the end-to-end, one way delay between two users, where DNW is the backbone network delay, N is the number of users in a cell, U is the uplink network delay, and X is the delay that the attack induces on the downlink. Equation 4.9 shows the formula for EV-DO, based on Goode's calculation [63].
(4.9)
Recall that we have shown in Figure 4.7 that honest users can experience up to 1.8 seconds of delay between each transmission. Using Equation 4.9, we obtain 2094.6ms of end-to-end delay per packet for every honest user in the cell. This delay is devastating for VoIP communication, as it renders it useless. Furthermore, the attack can be extended indefinitely with only 5 attackers, comprising only 10% of the total number of users in the cell.
sure an average user's throughput during normal operation, either by simulation or by actual measurement. Then, it can compare the current throughput with the recorded normal throughput. If their difference is above a certain threshold, this could indicate that the system is under attack. The base station can then use several methods to mitigate the attack, including using a scheduler that does not require user collaboration, such as round robin, and tracing the attack source.

Number of handoffs per user

In normal operation, users do not perform excessive handoffs. On the other hand, attackers perform handoffs as often as one every 5 time slots. The base station can observe the number of handoffs performed per user over a period of time. If a user performs an unusually high number of handoffs in a given time, the base station can reject further handoff requests, thereby stopping the attack in that cell.
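As an added example (not the thesis's simulator), the Python model below runs a proportional fair cell under the fabricated-CQI and handoff behaviour analysed in Section 4.2 and then applies the two checks just described: comparing honest users' throughput with a recorded normal-operation baseline, and counting handoffs per user. It takes 50 users, α = 0.001 and integer CQIs in 1..15 from the chapter, and assumes a constructed constant honest CQI of 8, the "min. user avg." initial-average scheme, one-slot handoffs and constructed alarm thresholds.

```python
"""Added example (not the thesis's simulator): a proportional fair cell under the
fabricated-CQI + handoff attack of this chapter, with the two base-station
checks from this section: honest users' throughput against a recorded baseline,
and handoffs per user.  Thresholds and the honest CQI are constructed."""
import math

ALPHA = 0.001      # PF averaging weight (the chapter's simulations use 0.001)
CQI_MAX = 15       # CQI is an integer between 1 and 15
N_USERS = 50       # users in the cell; user 0 is the attacker when enabled
HONEST_CQI = 8     # constant channel quality of honest users (constructed)


def pf_update(avg, cqi, scheduled):
    """Exponentially weighted average rate behind Equation 4.1."""
    return (1 - ALPHA) * avg + (ALPHA * cqi if scheduled else 0.0)


def run_cell(slots, attacker):
    """Schedule `slots` time slots; return (slots served per user, handoffs per user).

    Honest users always report HONEST_CQI.  With `attacker` set, user 0 reports the
    smallest integer CQI whose CQI/R ratio wins the slot; once that CQI would exceed
    CQI_MAX it hands off, which costs one slot and (the 'min. user avg.' scheme)
    resets its average to the minimum average of the other users."""
    avg = [HONEST_CQI / N_USERS] * N_USERS     # start at the steady-state level CQI/N
    served = [0] * N_USERS
    handoffs = [0] * N_USERS
    for _ in range(slots):
        cqi = [HONEST_CQI] * N_USERS
        reset = False
        if attacker:
            c = max(HONEST_CQI / avg[j] for j in range(1, N_USERS))   # ratio to beat
            need = math.ceil(c * avg[0])
            if need > CQI_MAX:
                handoffs[0] += 1
                cqi[0] = 0                         # not scheduled during the handoff
                reset = True
            else:
                cqi[0] = need
        winner = max(range(N_USERS), key=lambda i: cqi[i] / avg[i])
        served[winner] += 1
        for i in range(N_USERS):
            avg[i] = pf_update(avg[i], cqi[i], i == winner)
        if reset:
            avg[0] = min(avg[1:])                  # fresh average in the 'new' cell
    return served, handoffs


def handoff_alarm(handoffs, slots, max_rate=0.01):
    """Users with more than max_rate handoffs per slot (threshold constructed)."""
    return [i for i, h in enumerate(handoffs) if h > max_rate * slots]


def throughput_alarm(baseline_served, served, max_drop=0.5):
    """True when the mean slots given to users 1..N-1 fell by more than max_drop
    relative to the recorded normal-operation baseline."""
    base = sum(baseline_served[1:]) / (N_USERS - 1)
    now = sum(served[1:]) / (N_USERS - 1)
    return now < (1 - max_drop) * base


if __name__ == "__main__":
    base, _ = run_cell(10000, attacker=False)
    atk, atk_handoffs = run_cell(10000, attacker=True)
    print("attacker share of slots:", atk[0] / 10000)
    print("handoff alarm for users:", handoff_alarm(atk_handoffs, 10000))
    print("throughput alarm:", throughput_alarm(base, atk))
```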
its TCB, and subsequently makes decisions based on unverified user input. One possible defense strategy that the base station can perform is to periodically check the validity of the various reports made by the mobile devices. This approach, "trust, but verify," places a level of trust in a mobile device as it passes random checks. The CQI reported by the mobile device can be randomly checked against its uplink channel condition and error rate (see footnote 6). A mobile station gains trust as it passes random checks, and loses trust when it fails. The base station can disconnect mobile users if they fail checks a number of times, thereby punishing malicious or badly configured users.

Assume an average based on the normal operating condition

The base station can define an average such that it reflects the normal behavior of the cell, given the number of users in the cell. This scheme punishes the attacker because he will be assigned a high average each time he switches cells, which forces the attacker to perform handoffs much earlier. Figure 4.8 illustrates that this
Footnote 6: Estimating channel condition using uplink data rate is not perfectly accurate; however, it can still detect anomalous claims.
scheme is much more resilient to attack than the strategy that solely relies on the cell's current information. This scheme does not require a change to the current architecture, nor does it require collaboration between network entities. This scheme is not without cost. During handoff, an honest user is usually at the edge of the cell with a relatively poor channel condition. Assigning a fixed average may starve the user for a while. Additionally, while this scheme alleviates the effect of attacks by forcing more handoffs, it does not solve the whole problem.

Scheduler information sharing

The attack discussed in Section 4.2.2 accentuates the fact that
PF is oblivious to handoffs. When a mobile device performs a handoff, the base station must derive the mobile user's average throughput using information confined to the current cell. Therefore, whenever the attacker performs a handoff, the attacker's excessively high average throughput is replaced with a new average throughput calculated by the new base station. The attack can be stopped if base stations communicate and transfer a user's average throughput along with the mobile device during handoff. In this case, the attacker cannot continue the attack for more than a few slots, since its average throughput is extremely high. This defense mechanism limits the effect of the attack to a single cell and therefore reduces the problem to service degradation instead of denial of service. Figure 4.8 shows the performance of this defense strategy compared to the average throughput assignment strategy, which does not require collaboration. Notice that by sharing information between cells, the attack can be significantly deterred.

Modified schedulers with multi-dimensional constraints

Another possible defense strategy is
to introduce additional constraints into the scheduler. These temporal constraints limit the portion of time slots allocated to the attackers, stopping the attack. The base station can implement two types of temporal constraints, either individually or combined. The long-term temporal constraint limits the minimum and (possibly) maximum portion of time slots allocated to each user over a long period of time (usually the lifetime of a user, on the order of minutes). The short-term temporal constraint guarantees that each user obtains a minimum (and possibly maximum) number of time slots within a time window on the order of a few hundred milliseconds. Long-term temporal constraints are easily satisfied in normal operation because of the PF scheduler's fairness properties. The impact of the short-term constraint, on the other hand, depends on the parameters used. The defense becomes more effective as the number of slots
assigned to each user in the short term increases, but overall throughput decreases (see footnote 7). However, the short-term constraint is also useful in improving short-term fairness among users and reducing throughput burstiness, which is desirable to upper-layer protocols such as TCP.

Priority queue

Additionally, a priority queue can be implemented at the base station. Traffic with delay constraints, such as VoIP traffic, can be scheduled with high priority, while other traffic, such as web browsing, can be scheduled with low priority. While an attacker can claim to be high priority, because the number of high-priority users is relatively small, these users have much better delay performance, which mitigates the effects of the attacks (in particular, attacks without handoff). In addition, the priority scheme may be combined with temporal constraints so that an attacker cannot claim a large portion of the resource (for attacks with handoff).
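The scheduler-level defenses discussed above, carrying a user's average throughput across cells and the short-term temporal constraint, in a small Python simulation of a proportional fair scheduler. This is an added example, not the thesis's simulator. It models one cell and treats each attacker handoff as re-entry with a freshly assigned average (the mean-user-average assignment scheme named in Figure 4.5); the PF averaging constant of 100 slots, four honest users with a mean rate of 40, an attacker that always claims a rate of 100, the 5-slot handoff period and the 8-of-50 constraint are all assumptions.

```python
"""Proportional-fair (PF) scheduling with a CQI-inflating attacker, comparing
the vulnerable per-cell behaviour with two of the defenses described above:
carrying the average throughput across handoffs, and a short-term temporal
constraint. Added example, not the thesis's simulator; it is a single-cell
abstraction in which a handoff is modelled as the attacker re-entering the cell
with a freshly assigned average (the "mean user average" assignment of Figure
4.5). All rates, window sizes and the 1/T_C averaging constant are assumptions.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List

T_C = 100           # PF averaging time constant in slots (assumption)
MAX_RATE = 100.0    # best rate a device can claim; the attacker always claims it
SLOTS = 2000


@dataclass
class User:
    name: str
    mean_rate: float
    attacker: bool = False
    avg: float = 1.0                 # PF average throughput R_i
    served: int = 0
    recent: List[int] = field(default_factory=list)  # slots served, for the constraint

    def report_cqi(self, rng: random.Random) -> float:
        """Honest devices report their real (fading) channel; the attacker
        reports the maximum regardless of its channel."""
        if self.attacker:
            return MAX_RATE
        return max(1.0, rng.gauss(self.mean_rate, self.mean_rate / 5))


def simulate(share_avg: bool, min_slots: int = 0, window: int = 50,
             handoff_every: int = 5, seed: int = 1) -> Dict[str, float]:
    """Run the cell for SLOTS slots; return each user's share of slots."""
    rng = random.Random(seed)
    users = [User(f"h{i}", 40.0) for i in range(4)] + [User("attacker", 40.0, attacker=True)]
    att = users[-1]
    honest = users[:-1]
    for t in range(SLOTS):
        # The attacker "hands off" every few slots. Without information sharing
        # the cell assigns it a fresh average (here the mean of the honest users'
        # averages), erasing the history PF would otherwise hold against it.
        # With sharing, its own (very high) average follows it, so nothing resets.
        if t > 0 and t % handoff_every == 0 and not share_avg:
            att.avg = sum(u.avg for u in honest) / len(honest)
        rates = {u.name: u.report_cqi(rng) for u in users}

        # Short-term temporal constraint: a user with fewer than min_slots
        # grants in the last `window` slots is served before anyone else.
        candidates = users
        if min_slots:
            for u in users:
                u.recent = [s for s in u.recent if s > t - window]
            starving = [u for u in users if len(u.recent) < min_slots]
            if starving:
                candidates = starving

        # PF rule: serve the user with the largest reported rate / average.
        chosen = max(candidates, key=lambda u: rates[u.name] / u.avg)
        for u in users:
            # The base station credits the *reported* rate; it cannot verify it.
            got = rates[u.name] if u is chosen else 0.0
            u.avg = (1 - 1 / T_C) * u.avg + got / T_C
        chosen.served += 1
        chosen.recent.append(t)
    return {u.name: u.served / SLOTS for u in users}


if __name__ == "__main__":
    for label, kw in [("no sharing, no constraint", dict(share_avg=False)),
                      ("average shared across cells", dict(share_avg=True)),
                      ("no sharing + 8-of-50 slot constraint",
                       dict(share_avg=False, min_slots=8, window=50))]:
        shares = simulate(**kw)
        print(f"{label}: attacker {shares['attacker']:.2f}, "
              f"honest {[round(shares[f'h{i}'], 2) for i in range(4)]}")
```

Running the block prints the attacker's share of slots under each policy. With the constructed parameters the attacker holds well over half of the slots when its average is reset at every handoff, drops to roughly a fair one-fifth once its average follows it between cells, and is capped near the 32-of-50 slots the constraint reserves for the four honest users even without sharing. Crediting the reported rate in the average is deliberate: it reflects the first vulnerability the conclusion names, that the scheduler cannot verify CQI claims.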
4.5 Conclusion
In this chapter, we have shown that cellular data networks are vulnerable to DoS attacks because of the following vulnerabilities:

- The network trusts mobile devices to report truthful CQIs, which the PF scheduler uses without verification for assigning time slots. Therefore, malicious mobile devices can manipulate their reported CQIs to gain a large number of time slots.
- The network does not track the average throughput of mobile devices across different cells, which allows malicious devices to maintain perpetual scheduling priority through frequent handoffs.

We have studied a series of attacks on the proportional fair scheduler exploiting the above vulnerabilities. Our simulations show that just one attacker per cell can disrupt time-sensitive data services, such as voice-over-IP. Moreover, multiple attackers in the same cell can collaborate to cause serious denial of service by occupying up to 95% of scheduling slots indefinitely. Meanwhile, they can also induce a 1.8 s delay between consecutive packet transmissions for every victim user in the same cell as the attackers. We have proposed several mitigation strategies to defend against these attacks.
Footnote 7: because the scheduler has to schedule users given the short-term constraint, although there might be a user with a higher value of CQI/R.
[Figure 4.5 plots: y-axis "Timeslots Occupied" (0 to 18000); three curves labelled "User provided", "Min. user avg." and "Mean user avg."]

Figure 4.5: Performance of the attack without knowing victims' CQIs. Each sub-figure shows three curves, each representing a different scheme for assigning the initial average throughput.
[Figure: histogram, y-axis "% of Users" (0 to 25), x-axis 0 to 60, series "After Attack"; caption not recovered]

[Figure: y-axis "Timeslots Occupied" (0 to 18000); caption not recovered]
Chapter 5
cellular data services and applications. Furthermore, we hope to motivate the cellular industry to improve the security of their current data services, and to scrutinize the security of their future specifications more rigorously.