A Denial of Service Attack to GSM Networks via Attach Procedure
N. Gobbo¹, A. Merlo², M. Migliardi¹,³
¹ Università degli Studi di Padova
² Università degli Studi di Genova
³ Centro Ingegneria Piattaforme Informatiche
Mobile Networks
• Continuously evolving
o Follows (and creates) user needs
• Pervasive
• Felt as one of the “utilities”
• Tagged as a critical infrastructure
• Secure?
o Confidentiality, Integrity, Availability
Some Network Structure
State of the Art
• Let’s have a look at the current choices
• 3 possible attack roads
o Radio access
o Traffic Channels
o Signaling Channels
Availability Attack 1: Jamming
• A Radio Attack
• Focuses on the radio access component of the network
• Very localized in a cell network
• Heavy trade-off between energy consumption and successfulness
Availability Attack 2: Traffic Channels
• Requires a large number of compromised terminals
o A botnet
• It’s a replication of the “busy hour failed call” effect
o Common in early switched networks
• You need a “concentrated” botnet
• To change the target you need to move the botnet
o Very complex problem
o Extremely hard to implement
Availability Attack 3: Signaling Channels
• More bandwidth efficient
o Fewer bytes to be sent
• Still requires a large number of compromised terminals
o Another botnet
• Concentrated terminals are a problem
• Attacks both access and core components
Previously
• The most dangerous availability attack through signaling channels
o Traynor et al., 2009
• Describes a DoS that may cause regional effects
• Attacks a core component transparent to users
• It needs to compromise actual users’ accounts
o Real SIM modules
• It needs a very large number of compromised terminals
o Yet another botnet
• It may be foiled by bot concentration
o Not good during “events”
• We want to achieve the same level of disruption while removing (or weakening) these constraints
Look Mummy, no SIM!
• Remove the need for activated SIM modules
• The attach procedure may be initiated by fake (SIMless) terminals
• Faster than the one adopted by Traynor
• Less expensive in terms of resources (~5 times)
• Less efficient for an attacker
• No SIM -> no need for a user device
• A dedicated device may bypass protocol time guards
• Flooding limited only by the radio interface
• More efficient in attacking
The Price
How many Devices are needed?
The HLR Throughput
• We take as a base the findings of Traynor et al.
• How fast can we hit the HLR with our device?
GSM Signaling Interface Analysis
● TDMA
● Constraints: Signaling channels capabilities
● Message exchange is standard defined
● RACH → $\frac{27}{235.38\,\text{ms}} \approx 114$ TPS
● AGCH → $\frac{3}{235.38\,\text{ms}} \approx 12$ TPS
● SDCCH → $\frac{12}{1.44\,\text{s}} \approx 8$ TPS
● Our request period is 0.120 s
– ~40 times faster
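Added worked step (not part of the original slides): taking the three rates on this slide as per-channel limits, the slowest channel bounds the whole exchange, and inverting it reproduces the 0.120 s request period. Reading the SDCCH as the binding channel is an inference from that arithmetic match, not a statement made on the slide.

$$\min\left(\frac{27}{235.38\,\text{ms}},\ \frac{3}{235.38\,\text{ms}},\ \frac{12}{1.44\,\text{s}}\right) = \frac{12}{1.44\,\text{s}} \approx 8.33\ \text{TPS}, \qquad T_{\text{request}} = \frac{1.44\,\text{s}}{12} = 0.120\,\text{s}$$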
Sum it up
• Less expensive HLR function
o ~5 times less resource demanding
• Much more aggressive requests
o ~40 times more aggressive
• From 11750 compromised smartphones
• Down to 1563 SIMless devices
o An order of magnitude decrease in terms of resources needed
• Being SIMless has additional benefits
No BotNet Required
• SIMless devices need no user account
o Just the IMSI (spoofable, as shown by Khan et al. 2009)
• No need to intrude into actual mobile phones
o Not limited to smartphones
o No trojan to be devised
o No mobile C&C to be maintained
• No user in control of their device
o No danger of being discovered before the attack
o No danger of having bots switched off at attack time
No Problems with Events
• Signaling DoS -> the bottleneck is the signaling channel
• Many devices in a cell will jam each other
o A crowded place may foil the attack
o From regional disruption to a single cell business (busy-ness)
• Dedicated devices may be placed by the attacker
o No random movement
o Precise location
o Maximum efficiency
Conclusions & Future Works
• In this paper we have shown that it is possible to
o 1) disrupt the GSM network at regional level
o 2) do it without compromising real users’ accounts
o 3) with an order of magnitude fewer devices than previously devised (from ~11K to ~1K)
o There is the need for a specialized radio device
• Not complex, but not consumer market
• What’s next?
o Implement the specialized device
o Port the attack to UMTS
o Port the attack to LTE
o Test for real (while avoiding ending in Court/Jail)