Network and Security Research Center, ...pdm12/cse545/slides/cse545-telco-background.pdf
Systems and Internet Infrastructure Security (SIIS) Laboratory Page
Cellular Networks: Background and Classical Vulnerabilities
Patrick Traynor
CSE 545
Cellular Networks
• Provide communications infrastructure for an estimated 2.6 billion users daily.
‣ The Internet connects roughly 1 billion.
• For many people, this is their only means of reaching the outside world.
• Portable and inexpensive nature of user equipment makes this technology accessible to most socio-economic groups.
Aren’t They The Same?
• Cellular networks and the Internet are built to support very different kinds of traffic.
‣ Real-time vs Best Effort
• The notions of control and authority are different.
‣ Centralized vs distributed
• The underlying networks are dissimilar.
‣ Circuit vs packet-switched
Network Characteristics
• Composed of wired backbone and wireless last-hop
• Inconsistent performance
‣ Variable delay
‣ High error rates
‣ Lower bandwidth
• Potentially high mobility.
Access Basics - FDMA
• The most basic access technique is known as Frequency-Division Multiple Access (FDMA).
• Each user in these systems receives their own dedicated frequency band (i.e., “carrier”).
‣ Requires one for uplink and another for downlink.
• To reduce interference, each carrier must be separated by guard bands.
TDMA Access
• Time-Division Multiple Access (TDMA) systems greatly increase spectrum utilization.
• Each carrier is subdivided into timeslots, thereby increasing spectrum use by a factor of the divisor.
• Requires tight time synchronization in order to work.
‣ To protect against clock drift, we need to buffer our timeslots with guard-time.
CDMA Access
• Code-Division Multiple Access (CDMA) systems have users transmit simultaneously on the same frequency.
• The combined transmissions are viewed additively by the receiver.
• By applying a unique code, the receiver can mask-out the correct signal.
‣ Picking these codes must be done carefully.
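The additive channel and code-based separation just described, as an added example that is not from these slides: a toy CDMA simulation with constructed user names and bit patterns, in which orthogonal Walsh codes recover every user exactly while one poorly chosen code corrupts its owner's bits, plus the pairwise-correlation check a planner would run before assigning codes.

```python
# Added example (not from the slides): toy CDMA spreading, showing why the
# receiver sees the sum of all transmissions and why the codes must be
# chosen carefully. User names and bit patterns are constructed.

def walsh_codes(order):
    """Sylvester construction: the rows of a 2**order Hadamard matrix are
    mutually orthogonal +1/-1 chip sequences (Walsh codes)."""
    h = [[1]]
    for _ in range(order):
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h

def spread(bits, code):
    """Map each bit to a +1/-1 symbol and multiply it by the user's chips."""
    return [(1 if b else -1) * c for b in bits for c in code]

def combine(*signals):
    """The air interface: simultaneous transmissions add, chip by chip."""
    return [sum(chips) for chips in zip(*signals)]

def despread(received, code):
    """Correlate each symbol period with one user's code. With orthogonal
    codes every other user contributes exactly zero to the sum."""
    n = len(code)
    return [sum(r * c for r, c in zip(received[i:i + n], code)) > 0
            for i in range(0, len(received), n)]

def cross_correlation(c1, c2):
    return sum(a * b for a, b in zip(c1, c2))

def is_orthogonal_set(codes):
    """The check to run before assigning codes: every pair must correlate to 0."""
    return all(cross_correlation(codes[i], codes[j]) == 0
               for i in range(len(codes)) for j in range(i + 1, len(codes)))

CODES = walsh_codes(2)  # four 4-chip Walsh codes
USER_BITS = {"alice": [1, 0, 1], "bob": [0, 0, 1], "carol": [1, 1, 0]}
GOOD = {"alice": CODES[1], "bob": CODES[2], "carol": CODES[3]}
BAD = {"alice": CODES[1], "bob": CODES[2], "carol": [1, 1, 1, -1]}  # not orthogonal

def recover_all(assignment):
    """Everyone transmits at once; return the bits each receiver decodes."""
    air = combine(*(spread(USER_BITS[u], assignment[u]) for u in assignment))
    return {u: [int(b) for b in despread(air, assignment[u])] for u in assignment}

if __name__ == "__main__":
    print("orthogonal codes:", recover_all(GOOD))  # every user recovered exactly
    print("bad code choice: ", recover_all(BAD))   # carol's bits come back corrupted
```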
In the beginning... (1G)
• First commercial analog systems introduced in the early 1980’s.
• Two competing standards arose: The Advanced Mobile Phone System (AMPS) and Total Access Communication System (TACS).
• Both systems were FDMA-based, so supporting a large number of calls concurrently was difficult.
The Advent of Digital (2G)
• Second Generation systems were introduced in the early 1990’s.
• Three competing standards: IS-136 and GSM (TDMA) and IS-95-A/cdmaOne (CDMA).
• 2G networks introduced dedicated control channels, which greatly increased the amount of information exchanged between devices and the network.
Introducing Data (2.5G)
• Digital brings higher bandwidth, and the opportunity to deploy data services.
• Standards for data systems: GPRS and HSCSD (TDMA) IS-95-B/cdmaOne (CDMA).
• 2.5G Data services have been met with varying success.
‣ 2.75G provides significant improvements.
High Speed (3G)
• In theory, can provide rates of 10 Mbps downlink.
• Slow to roll out, 3G systems are only now becoming widespread.
‣ In Pennsylvania, only a few major cities have coverage.
• Competing standards: cdma2000/EV-DO and WCDMA/UMTS.
Evolution Summary
Figure (flattened): the generations and the standards shown under each.
• 1G (analog): AMPS, TACS
• 2G (digital): IS-95-A/cdmaOne (CDMA); IS-136 (TDMA); GSM (TDMA)
• 2.5G (data): IS-95-B/cdmaOne; GPRS; HSCSD
• 2.75G (data) and 3G (wideband data): cdma2000 1x (1.25 MHz), cdma2000 3x (5 MHz), 1X EV-DO (HDR), 136 HS / EDGE, EDGE, WCDMA
SS7 Network
• Powering all of these networks is the SS7 core.
‣ 3G networks will eventually shift to the all-IP IMS core, but SS7 will never fully go away.
• These systems are very different from IP networks.
‣ The requirements are different: real-time vs best-effort services.
Protocol Architecture
• All of the functionality one expects to find in the OSI/Internet protocol stack is available in SS7.
• Where those services are implemented may be different.
Figure (flattened): the SS7 stack, bottom to top: MTP L1, MTP L2, MTP L3, ISUP / SCCP, TCAP, MAP; drawn beside the OSI/Internet layers Physical, Link, Network, Transport, Application.
Message Transfer Part
• Covers most of the functionality of the lowest three layers of the OSI/Internet protocol stack.
• Broken into three “levels”.
‣ MTP1: 56/64 kbps physical links.
‣ MTP2: Link layer and reliable message delivery.
‣ MTP3: Network layer functionality.
ISUP, SCCP, TCAP
• ISDN User Part (ISUP): Carries call routing information for resource reservation.
• Signaling Connection Control Part (SCCP): Carries routing information for specific functions.
• Transaction Capabilities Application Part (TCAP): Interface to request the execution of remote procedures.
Mobile Application Part
• The application layer for SS7 networks.
• This supports services directly visible to the user:
‣ Call handling
‣ Text messaging
‣ Location-based services
• Protected by MAPsec
‣ Sort of...
Network Components
• HLR (Home Location Register) stores records for all phones in the network.
• MSC/VLR (Mobile Switching Center / Visitor Location Register) connect the wired and wireless components of the network and perform handoffs.
• BSs (base stations) communicate wirelessly with users.
• MS (mobile station) is a user’s mobile device.
Figure (flattened): elements shown are the Network, a Gateway MSC, the HLR, a Serving MSC, MSCs with their VLRs, and the MS.
Security Issues
• Such networks have long been viewed as secure because few had access to them or the necessary knowledge.
• However, attacks are not a new phenomenon.
‣ Many different classes of attacks are well documented.
• We investigate a number of such attacks throughout the remainder of this lecture.
Weak Crypto
• GSM networks use COMP128 for all operations.
‣ Authentication (A3), session key gen (A8) and encryption (A5).
• COMP128 was a proprietary algorithm...
‣ ...that can be broken in under one second.
‣ Weaker variants can be broken in 10 milliseconds.
• Replaced by COMP128-2 and COMP128-3 (maybe)
‣ Also proprietary.
One-Way Authentication
• In GSM systems, the network cryptographically authenticates the client.
• The client assumes that any device speaking to it is the network.
• Accordingly, it is relatively easy to perform a “Man in the Middle” attack against all GSM networks.
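The one-way property above, as an added example that is not from these slides: a simulated SIM that answers any challenge it receives, beside a mutual variant (in the spirit of 3G AKA) in which the handset refuses a challenge that lacks a token only a holder of Ki can produce. HMAC-SHA256 stands in for A3, and Ki, RAND and the messages are constructed values, none of them GSM's real algorithms or data.

```python
# Added example (not from the slides): GSM-style one-way challenge/response
# beside a mutual variant in which the challenge itself is authenticated.
# HMAC-SHA256 stands in for the SIM's A3 function (an assumption of this
# example, not GSM's real algorithm); Ki, RAND and all messages are constructed.
import hashlib
import hmac

KI = bytes.fromhex("0f" * 16)    # constructed subscriber key: SIM and home network only
RAND = bytes.fromhex("a5" * 16)  # constructed 128-bit challenge

def a3(ki, rand):
    """Stand-in for A3: the 4-byte signed response (SRES) to a challenge."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def network_token(ki, rand):
    """Mutual variant: a MAC over RAND that only a holder of Ki can produce."""
    return hmac.new(ki, b"AUTN" + rand, hashlib.sha256).digest()[:8]

class Sim:
    def __init__(self, ki):
        self.ki = ki

    def gsm_respond(self, rand):
        """GSM: answer whoever sent RAND; the sender is never checked."""
        return a3(self.ki, rand)

    def mutual_respond(self, rand, autn):
        """Check the network's token before computing anything keyed by Ki."""
        if not hmac.compare_digest(network_token(self.ki, rand), autn):
            return None  # unverified network: refuse to authenticate
        return a3(self.ki, rand)

class HomeNetwork:
    """Holds Ki for its subscribers, so it can both challenge and verify."""
    def __init__(self, ki):
        self.ki = ki

    def challenge(self, rand):
        return rand, network_token(self.ki, rand)

    def verify(self, rand, sres):
        return sres is not None and hmac.compare_digest(a3(self.ki, rand), sres)

def run_exchange(sim, rand, autn):
    """One mutual-auth attempt; True only when both sides accept each other."""
    return HomeNetwork(KI).verify(rand, sim.mutual_respond(rand, autn))

if __name__ == "__main__":
    sim = Sim(KI)
    print("GSM SRES for an unverified RAND:", sim.gsm_respond(RAND).hex())
    print("mutual, genuine network:", run_exchange(sim, *HomeNetwork(KI).challenge(RAND)))
    print("mutual, token from a party without Ki:", run_exchange(sim, RAND, bytes(8)))
```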
Core Vulnerabilities
• None of the messages sent within the network core are authenticated.
• MAPsec attempts to address this problem by providing integrity and/or confidentiality.
• The only known deployment of MAPsec was online for two days before being shut off.
‣ Serious performance degradation prevented its use.
Eavesdropping
• Early analog systems were easy to eavesdrop upon.
‣ Processing power, export rules and bandwidth worked against cryptography.
• GSM systems use weak crypto, so eavesdropping is still possible over the air.
• Nothing is encrypted through the network itself, so anyone with access can listen to any call.
Jamming
• The legality of cell phone jamming varies from country to country.
‣ USA: Illegal
‣ France: Legal in certain circumstances
• Just because it is illegal in some countries does not mean it is not a threat.
‣ You can buy hand-held jammers on the street in most major cities.
Malware
• Known malware does not target the cellular infrastructure...
‣ ...yet.
• The proliferation of laptop cellular cards is wreaking havoc on these networks.
‣ Spyware “phoning home” is already taxing the network.
• Differences between the Internet and cellular networks make malware MORE dangerous in this setting.
Conclusion
• Cellular networks are significantly different from their traditional IP counterparts.
• Built on the assumption of a controlled environment, these systems are becoming more accessible.
• Much more work is needed.
‣ Solutions in one domain do not always apply to the other.
• Examples of new attacks coming soon...
Questions
Patrick Traynor
http://www.cse.psu.edu/~traynor