Unique Vulnerabilities and Attacks on Cellular Data … · 2015-07-28 · formation security rather...
Transcript of Unique Vulnerabilities and Attacks on Cellular Data … · 2015-07-28 · formation security rather...
Unique Vulnerabilities and Attacks on Cellular Data PacketServices
By
DENYS MA
B.S. Computer Science and Engineering. (University of California, Davis) 2004
THESIS
Submitted in partial satisfaction of the requirements for the degree of
MASTER OF SCIENCE
in
Computer Science
in the
OFFICE OF GRADUATE STUDIES
of the
UNIVERSITY OF CALIFORNIA
DAVIS
Approved:
Assistant Professor Hao Chen(Chair)
Professor Karl Levitt
Assistant Professor Xin Liu
Committee in Charge
2007
–i–
Contents
1 Introduction 11.1 Contributions of this Thesis to the Field . . . . . . . . . . . . .. . . . . . . . . . 2
2 Related Works 32.1 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 32.2 Cloning and Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 42.3 Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 42.4 Spam and Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 52.5 Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.6 3G scheduling and network security . . . . . . . . . . . . . . . . . .. . . . . . . 6
3 Sleep Deprivation Attack 73.1 Background overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . 7
3.1.1 GSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Location update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Paging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1.2 GPRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93.1.3 MMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.2.1 MMS security analysis . . . . . . . . . . . . . . . . . . . . . . . . . . .. 12
Unencrypted and unauthenticated MMS messages . . . . . . . . . . .. . 13Unauthenticated MMS R/S . . . . . . . . . . . . . . . . . . . . . . . . . . 13Critical phone information disclosure . . . . . . . . . . . . . . . . .. . . 13
3.2.2 Attack implementation . . . . . . . . . . . . . . . . . . . . . . . . . .. . 13Building target hit-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Draining batteries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Theoretical impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.2.3 Attack experiment results . . . . . . . . . . . . . . . . . . . . . . .. . . 163.2.4 Attack improvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Attack using TCP ACK packets . . . . . . . . . . . . . . . . . . . . . . . 17Attack using packets with maximum-sized payload . . . . . . . . .. . . . 17NAT and firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.3 Mitigation strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 19
iii
3.3.1 MMS Protocol Modification . . . . . . . . . . . . . . . . . . . . . . . .. 193.3.2 Adaptive PDP Context Management . . . . . . . . . . . . . . . . . .. . . 20
Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Design Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Strategy overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Specification Modification . . . . . . . . . . . . . . . . . . . . . . . . . . 24Analytical Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Implementation Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
4 Scheduler Attack 274.1 Attack overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 27
4.1.1 3G data networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Opportunistic scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Handoff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.1.2 Overview of attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294.2 Attack analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 30
4.2.1 Attack within a single cell . . . . . . . . . . . . . . . . . . . . . . .. . . 31Single attacker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Multiple attackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4.2.2 Attack from two cells . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 35Initial average throughput . . . . . . . . . . . . . . . . . . . . . . . . . . 35Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
4.2.3 Attack without knowing victims’ CQIs . . . . . . . . . . . . . .. . . . . 374.3 Attack impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 404.4 Possible defense strategies . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . 41
4.4.1 Attack detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414.4.2 Attack prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 42
4.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
5 Summary and Conclusion 49
Bibliography 51
iv
Acknowledgements
I want to give utmost gratitude to Professor Hao Chen for his most valuable advises, and
guidance for not only this thesis, but also as a graduate student. This work would not exist without
his insights and dedicated work. My gratitude also goes to Professor Karl Levitt for his help and
advises in every step of my graduate life. He encouraged and supported me throughout the years
I’ve been in Davis.
I would like to thank everyone who contributed to this thesis. In particular, most credits to
Radmilo Racic for his extremely valuable contributions. Hehas worked on this work in every aspect
and help me through difficult problems. Also, my thanks to Professor Xin Liu for her contributions
to this thesis.
Many thanks are due to my friends for all the support and advises. My thanks to Dr.
Jeff Rowe and Professor Felix Wu for all the advises on my research, Senthil Cheetancheri for his
insights and discussions on worms and my research, and AllenTing for his encouragement and
support on my efforts. My gratitude to Carol Lin for her endless encouragements and support, even
in difficult times. She believed in me even through periods ofuncertainty, and gave me courage to
proceed.
Finally, I dedicate this thesis to my parents who, through hardship, provided me a chance
to learn and discover as I wish. They have placed my needs overeverything else to support me
throughout my life. They have also shaped me into the person Iam today through valuable wisdom
and guidance.
v
Abstract
As cellular data services and applications are being widelydeployed, they become attractive tar-
gets for attackers, who could exploit unique vulnerabilities in cellular networks, mobile devices,
and the interaction between cellular data networks and the Internet. Furthermore, mobile devices,
often times considered to be part of the cellular network’s trusted computing base (TCB), are be-
coming more vulnerable to attacks. This thesis presents several vulnerabilities on the cellular data
packet services and its applications, and present two particular denial of service attacks. First, we
demonstrate an attack, which surreptitiously drains mobile devices’ battery power up to 22 times
faster and therefore could render these devices useless before the end of business hours. This attack
targets a unique resource bottleneck in mobile devices (thebattery power) by exploiting an insecure
cellular data service (MMS) and the insecure interaction between cellular data networks and the
Internet (PDP context retention and the paging channel). Second, we propose a series of attacks
on 3G cellular packet services that exploit the unverified channel condition reports from mobile de-
vices to their base stations, and user-initiated handoffs.Our simulations show that only five rogue
devices per cell can use up over 90% of the network resource, and thus induce and perpetuate 2.1s
end-to-end inter-packet transmission delay for every userin the cell. This thesis also presents sev-
eral mitigation strategies to defend against not only the two aforementioned attacks, but also similar
attacks of these type.
vi
CHAPTER 1. INTRODUCTION 1
Chapter 1
Introduction
Cellular networks are part of our critical information infrastructure. Cellular networks
are also widely deployed, with more than 194 million subscribers covering over 65% of the US
population. [1] As mobile devices become more powerful, cellular companies are rapidly deploying
broadband data services, such as High-Speed Downlink Packet Access (HSDPA) and Evolution-
Data Optimized (EV-DO) as well as new applications, such as Multimedia Messaging Service
(MMS), Unlicensed Mobile Access (enabling network-to-network mobile agent migration), i-Mode
(providing fast, packet-based communication by eliminating the traditional WAP gateway), and Wifi
Voice-over-IP (enabling affordable, realtime voice communication). Furthermore, cellular networks
are pushing more network functions into mobile devices and grant them more trust. In some situa-
tions, they even consider mobile devices as part of the Trusted Computing Base (TCB). While these
new services and applications enhance mobile computing experience, they also introduce serious
security concerns. Besides launching typical Internet attacks — such as denial of service (DoS),
malware, spamming and phishing — against mobile devices, anattacker can exploit emerging vul-
nerabilities in cellular networks, mobile devices, and theinteraction between cellular data networks
and the Internet.
Emerging vulnerabilities in cellular networks, however are not thoroughly studied, both
by the security community or service providers; since the cellular community are focused on in-
formation security rather than network security. We argue that network vulnerabilities can cause
havoc in cellular networks, in particular, both current andfuture data services. Therefore, this
thesis presents several emerging vulnerabilities in cellular data networks and two particular denial-
of-service attacks exploiting these vulnerabilities thatcan cause devastating affects. These attacks
would be devastating not only in critical situations, such as disasters, but also for industries relying
CHAPTER 1. INTRODUCTION 2
on mobile communications. For example, professions like real estate agents and brokers rely on the
ability to perform on-the-spot credit reports or provide instant quotes. Similarly, occupations such
as network system administrators trust their cellular handset’s availability in order to be reached.
The first attack, exploiting vulnerabilities in MMS and General Packet Radio Service
(GPRS) in GSM, targets mobile devices’ battery power. The adversary is able to drain a mobile
phone’s battery stealthily in 7 hours from the Internet. Thesecond attack, exploiting vulnerabilities
in 3G and 3.5G data packet services and their opportunistic scheduler, demonstrate that malicious
mobile devices can usurp time slots at the expense of honest users, hence denying them network
access.For example, we show that only one attacker per cell that has 50 users can occupy as much
as 89% of the all the scheduling slots indefinitely. Similarly, five attackers per cell can cause and
perpetuate 2.1s end-to-end inter-packet transmission delay for every victim user in the cell, thus
rendering many services useless.
This thesis proceeds by presenting an overview of the related works in cellular network
security in chapter 2. Chapter 3 presents the first attack andthe mitigation strategies that can defend
against it. Chapter 4 presents the second attack, with the possible defense mechanisms. Finally,
chapter 5 concludes this thesis.
1.1 Contributions of this Thesis to the Field
This thesis makes the following contribution:
• We identifies vulnerabilities in 2.5G and 3G data services and applications that relies on
these services, in particular, MMS, GPRS, EV-DO, HSDPA, andthe Proportional Fair (PF)
scheduler.
• We implemented an attack to surreptitiously drain a phone’sbattery up to 22 times faster than
normal, illustrating two key vulnerable components in the current cellular data networks.
• We propose a series of attacks on opportunistic scheduling in 3G data networks, analyze
these attacks mathematically, and explore the effectiveness of these attacks under different
network configurations. Our simulations show that these attacks would devastate the network
by rendering many services useless.
• We propose approaches to mitigate or eliminate the impact ofeach attack.
CHAPTER 2. RELATED WORKS 3
Chapter 2
Related Works
In recent years, significant amount of research efforts havebeen focused on security re-
quirements and threat model evaluation on current and emerging cellular technologies, including
GSM [2–4], GPRS [5–8], CDMA [9], SMS [10], MMS [11], and EVDO [12–14]. These works
identify the following key security requirements in cellular networks: subscriber confidentiality, au-
thentication, privacy, cloning prevention, integrity of information as well as billing, fraud detection,
and safe key management. These works also address security threats such as eavesdropping, im-
personation of a user and network, denial of service, man-in-the-middle attacks, hijacking services,
and compromising authentication vectors. Apropos, researchers evaluated the risk levels of each
of these threats as well. Our work is complementary to these previous efforts to secure cellular
networks. In fact, we focus in two new directions: the end user devices (i.e., power-depletion attack
and defense) and the security interactions between different cellular applications (i.e., the merging
of cellular network and the Internet).
In this chapter, we present an overview of the current research efforts in cellular networks.
2.1 Cryptography
Extensive research has been conducted on the cryptography technologies [15–17]. For
instance, studies like [15, 16] suggest the use of a PKI scheme in the GSM/UMTS network while
[17] proposes the use of a SIM card for authentication and payment of web services by mobile
users. Grecas and colleagues propose introducing public-private key pairs for transactions between
the VLR-HLR as well as MS-VLR. Lo and colleagues, on the otherhand, propose the use of PKI and
stream ciphers for authentication and message encryption/decryption, respectively. They both point
CHAPTER 2. RELATED WORKS 4
out that the nature of the services constituting the PKI renders telecommunications operators prime
candidates for the PKI implementation. Furthermore, MacDonald and colleagues [17] are convinced
that SIM card can be at the center of an authentication and payment platform for consumption of web
services by mobile users. Cryptographic solutions, while efficiently and elegantly mitigating some
principal concerns in cellular networks, cannot defend against some unique threats to end users, such
as a DoS attack and resource starvation attacks. Our work complements the existing cryptography
mechanisms in order to alleviate additional non-conventional threats unique to emerging cellular
data technologies and applications.
2.2 Cloning and Fraud
Significant research has been done on mobile device cloning and the associated frauds
[18]. In complementary to cryptographic solutions, schemes are developed to defend against cloning
and fraud, such as device and user fingerprinting [19], mobility pattern recognition [20], and usage
pattern recognition [21, 22]. These research studies propose new security mechanisms strictly for
cellular networks. However, most studies stipulate fundamental changes in either architecture or end
user equipment. In order to minimize disturbance of currentimplementation of cellular networks,
our research will focus on utilizing existing security mechanisms to mitigate new attacks that were
not discovered or considered.
2.3 Denial of Service
Denial of Service attacks executed on 2G/2.5G networks alsoattracted a lot of attention,
because resources in cellular networks are much more limited than on the Internet. In particular,
control channels are in danger due to its narrow bandwidth..Agarwal et al. [23] conducted a capacity
analysis of shared control channels used for SMS delivery. They concluded that increasing volume
and message sizes can significantly affect network performance. Then,, Enck et al [24] presented a
denial-of-service attack by sending a sufficient number of SMS messages per second to a range of
cellular phones in the same area. An attacker would need onlya single computer with a broadband
network access in order to disrupt a network in a major city bysaturating control channels shared
between voice calls and SMSs. Traynor el at. [25] follows up on this work by simulating the
attack outlined in [24] using a highly accurate GSM simulator, and presented several mitigation
strategies with supporting simulations. Additionally, [26] warns that paging channel is another
CHAPTER 2. RELATED WORKS 5
scarce resource that an attacker on the Internet can overwhelm and cause a DoS attack. Finally,
Martin el at. [27] discussed the possibilty of a denial of service attack on mobile devices such
as laptops and PDAs. They outlined three different types of battery draining attacks and presented
experiments to demonstrate the affects of such attack. Nashel at. [28] follows up on the work
by presenting a host-based intrusion detection system to detect battery draining attacks. Our work,
inspired by these previous works, extends previous findingsand presents additional vulnerabilities
both in current and future cellular data services.
2.4 Spam and Phishing
In addition to DoS attacks, spam is another well-known problem in the SMS network [10].
Network providers allow email and web-based interfaces to send SMS messages to individual or
multiple handsets directly. Spammers can also employ phishing [29] to trick users into divulging
private personal information. SMS-based phishing has already been discovered in a small German
cellular provider [30], where users are tricked into sending a reply SMS to a value-added service’s
SMS number, charging a small fee per user. Our first attack in Chapter 3 of building a hit-list of
phone IP addresses and model information was inspired by phishing; however, our approach does
not need the user’s participation or even attention, because such information is reported to our server
automatically by most phones.
2.5 Worms
Computer worms that target cellular networks have also appeared in recent years. Tim-
ifonica worm [31] spreads itself via email attachments. Upon infection, a computer sends SMS
messages to random cell phone numbers belonging to a serviceprovider, Movistar, and thus at-
tempts to cause a DoS attack. A proof of concept worm was developed in early 2005 demonstrating
the effects of a worm outbreak on cellular phone platforms. The Cabir [32] worm, spreading via
Bluetooth on Nokia series 60 handsets running Symbian OS, changes the operating system and
searches for other handsets to infect. An epidemic worm spreading model in mobile environments
was proposed by Mickens et al. [33]. Our work is an extension to these previous works. Using a
hitlist of phone numbers, IP addresses, and model information gathered in our attack described in
Chapter 3, worm designers could write better worms by tailoring to different platforms.
CHAPTER 2. RELATED WORKS 6
2.6 3G scheduling and network security
Significant amount of research has been conducted on efficient resource sharing in cellular
networks. In particular, opportunistic scheduling algorithms have been studied extensively [34–
36]. However, the existing work focuses on improving systemperformance under various system
constraints and requirements. For example, Choi et al [37] study the effects of Proportional Fair
(PF) scheduler on TCP performance. They conclude that TCp’sminimum RTO is too short and it
leads to unnecessary timeouts under the PF’s scheduling policy. Assaad et al. [38] report the effects
of TCP on HSDPA operation and confirm that the lower the congestion rate of TCP, the higher
the application bit rate is. Their results show that the effects of TCP on application performance
are much higher than on the system capacity due to the use of the high speed shared channels.
Andrews [39] also considered the PF scheduler suggested in the High Data Rate (HDR) data system
and shows that the PF scheduler is unstable under certain conditions. Andrews defines stability as
the ability to keep each user’s queue bounded. Using simulations and models, Andrews describes
six different versions of PF scheduler and shows that all of them are unstable. Finally, Bu et al. [40]
studied PF scheduler in multiple cells and propose a centralPF scheduler to increase fairness. In
contrast to our work discussed in Chapter 4, these studies does not consider potential threats of
malicious users and the corresponding effects on the schedulers used in wireless systems.
Initial studies on network security in 3G networks has also been published in recent years
[41–43], outlining possible threats in the cellular network. Particularly, Sridharan et al. [44] model
the uplink channel from mobile devices and the base station in EV-DO and suggest that malicious
users can modify their power transmission level and cause interference for honest users. Our work
in Chapter 4 differs from their work by concentrating on the downlink, since in 3G networks,
downlink bandwidth is much higher than uplink. Furthermore, these studies do not provide an
actual attack, but only outline possible threats against 3Gnetworks.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 7
Chapter 3
Exploiting MMS Vulnerabilities to
Stealthily Exhaust Mobile Phone’s
Battery
In this chapter, we present an attack that exploits vulnerabilities in MMS (a cellular data
service), PDP context retention in GPRS (interactions between the Internet and cellular data net-
works), and the paging channel. Furthermore, this attack has unique features that (1) it is clandestine
– victim mobile users will not notice when their batteries are being drained; (2) it is not limited to
certain mobile device hardware or software; and (3) it targets individual mobile devices rather than
the network, an attack that is often harder to detect and defend effectively by network operators.
We implemented this attack in two stages. In the first stage, we were able to build a fairly
accurate ”hit-list” of all the users with an active Internetconnection by taking advantage of the
insecure MMS protocol. In the second stage, we exploit the PDP context retention to surreptitiously
drain a phone’s battery up to 22 times faster than normal. This attack illustrates two key vulnerable
components in the cellular data network, and we will proposemitigating strategies for securing
these components.
3.1 Background overview
To help understand the vulnerabilities and attacks that we discovered, we present an
overview of the relevant components in cellular networks: GSM, GPRS and MMS.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 8
3.1.1 GSM
The key elements in GSM are: the Base Station Subsystem (BSS), which includes the
Base Transceiver Station (BTS) and the Base Station Controller (BSC), and Mobile Switching Cen-
ter (MSC) which is the core of the Network Sub System (NSS). Additionally, these GSM elements
utilize databases like Home Location Register (HLR) and Visitor Location Register (VLR) for stor-
ing users’ home as well as roaming information, respectively.
BTS provides the means to transmit and receive radio signalsas well as encrypt and
decrypt communication with the BSC. BSC provides network intelligence by allocating radio chan-
nels, controlling inter-BTS hand-offs and, most importantly, serving as a gateway to the MSC. MSC,
on the other hand, sets up circuit-switched communications, takes care of mobility management and
manages other databases.
A cellular network needs to keep track of the location of eachMobile Station (MS1) in
order to deliver calls and data to the correct destination reliably. Typically, the network utilizes an
event-based mechanism to collect mobile device’s location. Events such as powering up, shutting
down, and crossing into another location area are events that trigger the location update procedure.
A cellular network is partitioned into cells serviced by BTSs. Cells are then grouped
together to optimize signaling and to facilitate tracking of mobile phones within the network. Each
group, managed by one BSC, is identified by a location area code broadcast by each BTS at regular
intervals. Two fundamental operations within the locationarea arelocation updateandpaging.
Location update
The MS sends location update messages to its current BTS periodically in order to route
all incoming calls or data appropriately. If the MS sends updates seldom, its location is unknown
and the MS must be paged for each downlink packet (or call), thus degrading the quality of service.
If, on the other hand, the MS sends frequent updates and its location is known, then data packets
can be delivered without any additional paging delay.
Paging
To minimize the amount of updates, preserve MS’s battery, and minimize bandwidth uti-
lization, the network will page the MS over the Paging Channel (PCH) to determine its location. In
1MS and phone will be used interchangeably.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 9
GGSN
SGSN
VLR
MS BSS
MSC
SGSN on another PLMN
Internet
HLR
Figure 3.1: GPRS infrastructure
other words, PCH is used for communication from BTS to MS whenMS is not assigned a traffic
channel; that is, the MS’s location is unknown or out of date.
The paging bandwidth burden is relatively small in small location areas - less than 1% of
the bandwidth allocated for voice channels. On the other hand, in an area with a large number (over
1000) of cells per location area, the paging bandwidth burden could be considerably higher. [45]
3.1.2 GPRS
GPRS [46] is integrated into the existing GSM infrastructure with a new class of network
nodes called GPRS Support Nodes (GSNs). GSNs are responsible for the delivery and routing of
data packets to and from the mobile network. There are two types of GSNs: Serving GPRS Support
Node (SGNS) and Gateway GPRS Support Node (GGSN). SGSN is responsible for transferring
and routing of data packets, mobility management, logical link control, authentication and billing
services within its service area. GGSN acts as an interface between the GPRS backbone and external
packet networks (primarily the Internet). Its primary function is to convert GPRS packets coming
from the SGSN to IP packets and vice versa. An illustration ofGPRS is shown in Figure 3.1.
Before an MS can utilize GPRS services, it must register withan SGSN so all packets
can be routed through it. During this procedure, called GPRSattach, a PDP (Packet Data Protocol)
context is created. In particular, SGSN checks if the user isauthorized, copies the user profile from
the HLR to itself, assigns a Packet Temporary Mobile Subscriber Identity (P-TMSI)2, maps it to an
IP address, and assigns a GGSN that will serve as the gateway to the Internet. The PDP context,
2The reasoning is to minimize use of IMSI (International Mobile Subscriber Identity) for security purposes.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 10
composed of the above mentioned information, is stored at the SGSN. GPRS detach, on the other
hand, disconnects the MS from the GPRS network and deactivates the PDP context.
Location areas have been proven to be efficient in voice networks; however, the bursty
nature of data traffic increases the number of paging messages per phone in each location area.
Therefore, each location area is further subdivided into routing areas used by GPRS to decrease
the penalty for locating an MS. GPRS phones utilize IDLE, STANDBY and READY states in
increasing order of battery consumption. When an MS is in theREADY state, SGSN is aware of
the MS’s location. In particular, the MS performs frequent location updates to provide the network
with the actual cell ID so that no paging is necessary. When inthe READY state, the MS can send
and receive data. Furthermore, it will stay in the READY state until READY timer expires, at which
it will transition to the STANDBY state. While in the STANDBYstate, the MS has established the
PDP context and it can receive calls or data. However, its location updates are more coarse, in the
sense that it informs the SGSN of only routing area changes, but not cell changes. If SGSN needs
to deliver data to the MS while the MS is in the STANDBY state, SGSN will send a page request
in the routing area where the MS is located. When MS responds to the page, it will transition to the
READY state. IDLE state is the lowest battery consumption state, in which the SGSN is not aware
of the MS’s location. The MS can transition out of IDLE state only if it performs a GPRS attach
procedure. Alternatively, an MS could initiate a GPRS detach procedure to transition to the IDLE
state. Figure 3.2 shows the state machine of the GPRS MS.
Upon completion of the communication, the MS will go into a STANDBY mode. The
PDP context, on the other hand,will remain allocated to the MS. We conducted experiments to
discover how long each handset retained its assigned PDP context and IP address. We found that
addresses seemed to be relinquished in as short as 15 minutesto as long as several hours. The reason
for not deactivating a PDP context is simple: a cellphone canbe unavailable for a period of time due
to radio link failure; deactivating and activating a new context would imply that the phone would
need to recreate all TCP sessions, possibly restarting applications and requiring the user to re-enter
all the passwords.
3.1.3 MMS
MMS has become a very popular cellular message service. The MMS architecture spans
both the cellular network and the Internet and uses technologies in both networks, such as WAP,
SMTP, and HTTP.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 11
IDLE
READY
STANDBY
GPRS Attach
READY timer expired
Force to STANDBY
GPRS Detach
Data transmit or receive
STANDBY timer
expired
PDP CONTEXT INACTIVE
PDP CONTEXT ACTIVE
Figure 3.2: The GPRS mobile station state machine
The MMS architecture consists mainly of the MMS Relay/Server (MMS R/S) and user
agents. Several optional entities of the architecture – thebilling server, the Home Location Register,
and the User Database — may exist inside or outside MMS R/S. Figure 3.3 shows an overview of
the MMS architecture.
The MMS R/S is responsible for all of the transactions of MMS.When a user transmits
an email or an MMS message, the mobile phone formats these messages in Synchronized Multime-
dia Integration Language (SMIL) [47]. The MMS R/S translates (transcodes) the message to either
email or different MMS formats depending on the provider. The message is then sent to the destina-
tion SMTP mail server or the destination MMS R/S using SMTP. Upon receiving the message, the
destination MMS R/S then stores the message in the user’s buffer while sending a notification mes-
sage to the user via a SMS or WAP push message. The notificationmessage contains the location of
the message, usually specified as an HTTP address. User can configure their mobile phones either
to automatically download the message upon receiving the notification or to manually download the
message themselves.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 12
MMS R/S
Wireless Network Internet
HLR User dB
User Agent
MM1
MM1
MM4
SMTP
Email Client
Billing Server
MM9 MM5
MM8
Figure 3.3: MMS Infrastructure
3.2 Attacks
In this section, we present our findings on attacking the cellular network. We first inves-
tigated the MMS protocol and discovered several vulnerabilities through which we leveraged into
the heavily protected cellular network. Then, by exploiting these vulnerabilities, we implemented a
proof-of-concept attack on a scarce resource – the battery power – of mobile devices. The attack is
stealthy, as it is noticeable to neither mobile users nor network operators. Our experiments demon-
strate that unique threats against cellular networks and mobile devices exist and are exploitable.
Finally, we discuss how to make this attack even more effective.
3.2.1 MMS security analysis
To test how cellular providers implement MMS and gain insight into their interface de-
signs, we setup our own MMS R/S, based on an open-source project [48]. We discovered several
vulnerabilities that a wily attacker could exploit, as described in the following sections.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 13
Unencrypted and unauthenticated MMS messages
We confirmed that MMS messages and MMS notification messages,composed of headers
and content sections, were sent in plain-text. In addition to the SMIL headers, the packet also
included an HTTP POST header containing the source and destination IP address, the profile of the
user agent, the content type and size, and the user agent name.
Unauthenticated MMS R/S
To mitigate the problem of unencrypted messages, cellular providers hide their own MMS
R/S’s IP addresses in the phones, hoping that cellular userscannot read or overwrite them. Unsur-
prisingly, we discovered that this attempt atsecurity by obscurityis broken.
In order to inspect the MMS message raw format, we modified a phone’s firmware to
route all MMS messages through our MMS R/S. The MMS R/S setting is well hidden in our phone’s
firmware, which suggests that providers do not intend to allow users to modify the setting. After
modifying the MMS R/S entry in our phone, we discovered that the phone had no security mech-
anism to alert the new, unauthorized MMS R/S. Furthermore, MSs also do not authenticate MMS
notification messages and MMS messages sent from the network. MSs will accept any MMS mes-
sages as long as the format is correct. Consequently, we wereable to send unlimited MMS messages
for free, without alarming the cellular provider.
Critical phone information disclosure
We discovered that handsets include pertinent user agent platform information whenever
they communicate over HTTP. Accordingly, we set up a web server runningetherealto capture
HTTP requests from various handsets on different networks.We found that every phone disclosed
either its full profile or information that included one or more of the following: hardware platform
description, display capabilities, and the current and compatible software. An attacker could write
a script that extracts the model number of each handset very easily.
3.2.2 Attack implementation
Based on our MMS security evaluation, we implemented a battery draining attack utiliz-
ing a hit-list built using superfluous but pertinent information disclosed during MMS exchanges.
Figure 3.5 illustrates the attack.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 14
Figure 3.4: Ethereal reconstruction of an MMS message captured by our MMS R/S. The messageis transported in clear text. Various fields such as the server, the sender’s phone number and phonemodel are exposed and could be collected in a the hit list.
Attacker
MMS Server
Victim 1 (1 1 )
(2 1 )
(3 1 )
Victim n
. . .
(1 n )
(2 n )
(3 n )
Figure 3.5: A two-step attack on cellular devices. In Step 1,the attacker builds a hit list using MMSmessage notifications (Messages (1)s), and captures information about mobile users from the HTTPrequests from mobile users (Messages (2)s). In step 2, the attacker drains the batteries of cellulardevices on the hit-list surreptitiously by sending UDP packets (Messages (3)s) periodically to thecellular devices.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 15
Building target hit-list
To launch effective, large scale attacks, an attacker needsto build a hit-list that contains
important information about the network and end users. One way to obtain such information is by
asking the mobile phones.
An attacker can send MMS notification messages, whose content address is at a malicious
web server, to numerous recipients. The target phone numbers can be generated automatically using
known area codes and prefixes for cellular phone numbers. TheMMS notification messages can be
sent using SMS or WAP push. There are many free SMS messaging websites, including those
offered by cellular providers.
Once MMS notification messages are sent, the attacker waits for HTTP request messages
at his web server, which has stated its location in the MMS notification message. Since many cell
phones are configured to download MMS messages automatically upon receiving notification, they
will make HTTP requests to the attacker’s web server. The HTTP requests often contain the profiles
and IP addresses of the phones, and even file extensions that the phones are able to process. By
sending a slightly different URL to each phone, the attackercan build a hit list that maps each
phone number to a profile of its cellular device. More importantly, the phone’s response to the
MMS notification message activates a PDP context, making ourattack easy and simple to execute
even in the presence of NAT and firewalls.
Draining batteries
Using the hit-list generated from MMS notification messages, an attacker can target the
cellular network and cellular devices more precisely and effectively. Apropos, we implemented a
battery draining attack that focuses on the end hosts instead of the network. We implemented our
attack using UDP packets (we will explain an improved technique later.)
The key to maximizing a cell phone’s battery life is to use itstransceiver sparingly. In fact,
when a cellular phone is turned on, its transceiver is activeless than 3% of the time. As a reference,
in wireless sensor nodes, transmitting one bit of information consumes 1500 to 2700 times as much
energy as executing one instruction [49]. Thus, if a packet is sent to a phone, the SGSN will deliver
the packet if the phone’s location is known, or attempt to locate the phone by sending a page request
to it. However, since cellular phones spend most of their time in the STANDBY mode (or other
dormant modes), the page on the paging channel will awaken the phone to the READY state and
force it to perform a location update. The sine qua non of thisattack is to keep the phone in the
CHAPTER 3. SLEEP DEPRIVATION ATTACK 16
READY state (high battery consumption), therefore disabling its ability to preserve battery life, or
to let the phone temporarily go into the STANDBY state only tobe immediately awakened with a
page and forced to perform a location update; both of these actions consume much energy.
Theoretical impact
To investigate the severity of the aforementioned attack, we estimate the damage that an
attacker with a home DSL Internet connection can inflict. A typical DSL upload speed ranges from
256kbps to 416kbps. We use the medium speed,B = 384kbps, for the upload bandwidth as an
estimate. Each UDP packet consists of a character in the datasegment, which might be padded to
4 bytes depending on the provider’s DSL modem. The UDP packetheader has 8 bytes, and the IP
header has 20 bytes. In the pessimistic estimate where our data is padded, the total size of the packet
is S= 32 bytes. Therefore, the maximum number of UDP packets per second that an attacker may
send is(B/8)/S= 1500.
To attack a phone effectively, an attacker must send one UDP packet to the phone every
T seconds. In this case, the maximum number of phones that the attacker can attack simultaneously
is (B/8)∗T/S. We estimated the timeT by trial and error using different test configurations. For
our experiment, we chose 3.75 seconds for the GSM-based network and 5 seconds for the CDMA-
based network. Using our equation, we calculated that an attacker can attack about 5625 phones
using a standard ADSL line for a GSM-based network and around7000 phones for a CDMA-based
network.
3.2.3 Attack experiment results
We successfully drained our test phones’ batteries considerably faster than our average
usage. We conducted six test runs on a high-end Nokia smart phone and completely drained its
battery in an average of 7 hours, instead of 156 hours in normal usage with bluetooth switched
off most of the time. We also observed severe battery exhaustion in our Sony Ericsson test phone,
where the battery was drained down to 20% within less than 7 hours without talking and with
bluetooth switched off. If a phone is connected to the Internet continuously (for example, to use the
instant messaging service), its battery life would be reduced much faster. To test this hypothesis,
we attacked our Motorola test phone while connecting it to the Internet continuously. Our test
completely drained its battery within 2 hours. Table 3.1 summarizes the results of our attack.
We successfully conducted our attack on two major cellular service providers without
CHAPTER 3. SLEEP DEPRIVATION ATTACK 17
Phone Battery Life Without Attack Battery Life Under AttackNormal Use (hours) Standby (hours) Normal Use (hours) Reduction
Nokia 6620 156 200 7 22.3:1Sony-Ericsson T610 60 315 7 8.6:1Motorola v710 36 150 2 18.0:1
Table 3.1: Reduction of battery life due to our attack
triggering any alarms. Our test machine’s IP was not blocked, our phones were fully operational
after the attacks, and no notifications or warnings were sentto us regarding this issue. Moreover,
during the attack the phone appeared to be operating normally and no additional Internet application
was started, so the victim user would not notice the attack, until his/her battery died unexpectedly.
3.2.4 Attack improvement
There are several optimizations that could be done to improve our attack. Currently, we
empirically determined a fixed interval between each UDP packet by trial and error. However, by
using Qualcomm’s CAIT software or knowing the implementation of a particular cellular network,
we could obtain more accurate wait-time and thereby improveefficiency of our attacks. Also,
knowing which IP addresses are vacant would increase the efficacy of our hit-list creation. We are
currently in the midst of testing the following improvements to our attack.
Attack using TCP ACK packets
To force a phone to send as well as receive useless data, an attacker can periodically send
TCP ACK packets to the phone’s IP address. In accordance withRFC793, if the connection is reset
or in half-open state, the receiver of an out-of-order ACK packet will send an RST packet. If, on the
other hand, the connection is open, the receiver of an out-of-order ACK packet will reply with an
empty packet. Either way, an attacker will force a phone thatimplements a full TCP stack to receive
as well as send packets, thereby exacerbating the power consumption.
Attack using packets with maximum-sized payload
In implementing our previous attack, we used UDP packets with no payload in order
to maximize the number of UDP packets an attacker can send percomputer. However, this is
not the most efficient method of draining a cellular phone’s battery, since the whole packet must
CHAPTER 3. SLEEP DEPRIVATION ATTACK 18
be downloaded to the mobile phone before the phone can discard the packet. Therefore, with an
accurate hit-list collected using MMS above, the attacker can sacrifice the number of targets per
his/her computer to deliver an even more efficient attack using a maximum-sized payload.
Using the original attack implemented with UDP, the attacker can send a maximum theo-
retical UDP data packet of 64Kb due to its 2 byte total length field. In the TCP variety of the attack,
ACK messages ”piggyback” onto the existing payload with a maximum size of 1500 bytes. Besides
causing additional unnecessary downloads for the mobile agent, the attack could possibly be even
more efficient due to packet fragmentation. This exacerbates the attack so that the attacker would
only need to send a single packet that becomes multiple packets at the mobile agent.
NAT and firewall
Through field experimentation, we have determined that mostproviders who utilize NAT
also implement Network Address and Port Translation (NAPT.) NAPT provides dynamic(pri-
vateIP, privatePORT)to (publicIP, publicPORT)translation. For example, the inside interface tuple
(10.0.0.5,3000) could be mapped to the outside interface tuple(199.156.3.4,6000).
However, there are certain issues with network-wide NAT deployment. For example, it
often hinders application deployment. Additionally, certain security protocols such as IPSec and
Kerberos are affected – NAT changes the address in the IP header, causing loss of integrity. For
these reasons, operators choose to implement NAT only on certain subnets affecting a selected
customer base. In other words, most operators offer both private and public IP plans.
It would seem that our attack could be mitigated with NAT and firewall placement. How-
ever, a very simple restriction to the attack could yield thesame result. The crux of the change
would be an observation that each inside IP address maps to a port on the outside interface because
the publicIP is the public IP address of NAT system. Thus, targeting an inside IP address reduces
to targeting a certain port of the outside interface. Since NAPT does address and port translation
dynamically, the IP address and port mappings are only aliveduring active PDP contexts. Thus,
the attack must be delivered within an active session window. Since phones automatically create
an outbound connection to connect to a malicious HTTP server, the server itself must deliver the
attack, thus prolonging the connection. The firewall would consider this connection valid as it is
internally initiated over allowed ports, and NAT would continue the address and port translation for
the duration of the attack.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 19
3.3 Mitigation strategies
Our attack uncovered two vulnerable components in cellularnetworks.
• PDP Context is retained.We observed that a mobile user’s PDP context is kept alive even
after the user has completed his/her data session. The PDP context may be kept active from 15
minutes to several hours, depending on the service provider. This active PDP context allowed
us to send unwanted IP packets to the victim’s mobile phone todrain its battery.
• Attack packets are not in any active session.Our attack periodically sends packets to mobile
user without an active connection. A mobile user must initiate active connections before
he receives data. Since the GGSN records the connection states, it can distinguish attack
packets from normal packets that belong to active connections, unless the attacker can guess
the correct sequence number, destination IP address and port number of an active connection.
Based on these observations, we suggest the following mitigation stratgies on MMS and
GPRS.
3.3.1 MMS Protocol Modification
To mitigate threats against MMS, we propose a redesign by incorporating security mech-
anisms into the protocol.
• Message and server authentication. To avoid man-in-the-middle attacks, we should authenti-
cate MMS messages and R/Ss, using PKI for instance.
• Information hiding at WAP gateway. WAP gateway should prevent outside web servers from
obtaining critical information about mobile devices, suchas their IP addresses, and hardware
and software profiles. Since profiles are used only by the WAP gateway for converting web
contents, the WAP gateway should filter out all but essentialinformation about the user agent
in HTTP requests.
• MMS message filtering. Service providers typically hard-code their approved MMSR/S into
mobile devices’ OS or firmware to prevent users from choosingalternative MMS R/Ss. How-
ever, sophisticated users can modify their OS or firmware to defeat this protection. A more
reliable approach for service providers is to filter MMS messages, since all MMS packets
must traverse the provider’s network. The filter can scan MMSmessage headers to ensure
CHAPTER 3. SLEEP DEPRIVATION ATTACK 20
that the destination IP address is one of the MMS R/S or accredited third party Value Added
Service (VAS) providers. The filter should not be implemented at the WAP gateway, but
rather at the SGSN or GGSN, since users can easily modify the phone’s settings and bypass
the cellular provider’s WAP gateway.
3.3.2 Adaptive PDP Context Management
In addition to protocol modification, we suggest a defense framework that could avoid the
shortcomings of external firewalls and IDSs mentioned aboveby supplementing these protection
mechanisms:
• This defense mechanism can also serve as an event detector for IDSs already in place to
monitor the internal network.
• It must also be effective against insider attacks, where malicious users are connected using
the cellular network instead of the Internet.
• It should be designed with the goal of being non-intrusive sothat it does not require ancillary
network infrastructure; it should utilize existing GPRS mechanisms to provide an additional
layer of protection.
In the following section, we propose a novel defense mechanism implemented at the
GGSN,Adaptive PDP Context Management(APM) designed to detect and mitigate previously
mentioned attacks.
Motivation
Firewalls and IDSs are common mechanisms for defending against malicious behavior
from the Internet, but they have several disadvantages: (1)firewalls and IDSs become the single
point of failure, (2) they are external entities, and they usually do not protect against insider attacks,
(3) they are not flexible enough to dynamically adapt to traffic conditions without system adminis-
trators – they require knowledgeable administration staff, (4) they are not suitable for monitoring
peer-to-peer (such as Bluetooth) communication, and (5) they cannot protect against attacks exploit-
ing insecure protocols whose action is seemingly valid – they either allow or deny a connection.
Our defense framework attempts to avoid these downfalls of external firewalls and IDSs
by supplementing these protection mechanisms in order to detect and mitigate attacks that could
CHAPTER 3. SLEEP DEPRIVATION ATTACK 21
stealthily bypass firewalls and IDSs. Our defense mechanismcan also serve as an event detector for
IDSs already in place in order to monitor the internal network. Our defense mechanism is also effec-
tive against insider attacks, where malicious users are connected using the cellular network instead
of the Internet. Finally, APM is non-intrusive – it does not require ancillary network infrastructure
as it utilizes existing GPRS mechanisms to provide an additional layer of protection.
Using these two observations, we developed APM to detect andmitigate attacks on the
GGSN. APM, not only can completely mitigate our battery draining attack, but also detect and
mitigate other attacks exploiting the paging channel and PDP context, such as flooding attacks on
the paging channel using packets from the Internet.
Design Principle
We designed APM with three goals in mind,
• It should be implemented in the network core.
• It should be transparent to mobile users.
• It must be simple.
Since our attack focuses on draining the battery of mobile users, the defense strategy
should not exacerbate the attack by requiring additional processing from the mobile phone. If
this was not the case, the defense mechanism itself could be utilized as a battery draining tool.
Since the network core is assumed to have unlimited battery power, we must implement the defense
mechanism at the core. Furthermore, it is almost impossibleto implement any defense strategies
on the mobile phone since cellular technology has already been widely deployed. Service providers
cannot require all users to upgrade or update their hardware. Any type of defense strategy would be
useless if users do not implement the mechanism. For instance, software patches are often useless
against malware due to deployment issues. On the other hand,cellular providers can easily deploy
defense strategies at the core, without user interaction.
Our defense should also be transparent to each user. If our defense mechanism causes
any inconvenient for mobile user, user will most likely complain to service providers. Usability is
a main concern for mobile users since attacks on mobile phones are, at this time, unlikely and not
wide spread. Furthermore, service providers will be less inclined to implement our strategy due to
the inconvenience for users and the support cost to educate customers.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 22
Outgoing
Packet
Yes
New Connection
No
PDP Context Exists
No
Drop Packet
Yes
No
Transmit Packet
Yes
stateCount * 2
Existing connection
Yes
Transmit Packet
No
stateCount > 0 Yes
No
(1) Backoff (2) PDP Modification (3) Drop Packet
(1) stateCount– (2) Transmit Packet
stateCount < max
Yes
Connection close
No
stateCount / 2
Yes
Figure 3.6: Adaptive PDP Context management scheme
Finally, our defense strategy should be as simple as possible due to the high workload
of each GGSN. GGSN is responsible for providing an interfacefor millions of mobile phones. If
our mechanism is computationally consuming, the attacker can exploit this vulnerability and in turn
cause a DoS on the GGSN.
Strategy overview
For clearity, we present APM in both pseudo code shown below,and state diagram shown
in Figure 3.6. APM is separated into three phases, the detection phase, exponential increase linear
decrease (EILD) phase, and the recovery phase.
APM(packet)
1 if packet is outgoing
2 then if packet initiates a new connection
3 then if statecount< statecountmax
4 then statecount∗2
5 if packet ends a connection
6 then statecount/2
7 else if PDP context exist
8 then if packet does not belongs to existing connection
CHAPTER 3. SLEEP DEPRIVATION ATTACK 23
9 then if statecount> 0
10 then statecount−1
11 else backoff
12 perform PDP Modification
13 drop packet
14
15 else drop packet
The APM detection algorithm works in the following manner. For each packet, the algo-
rithm decides if it’s valid or not. The GGSN can accomplish this by using our second observation
discussed in Section 5.1, a packet is not valid if it is incoming, and does not belong to any active
connections. Since GGSN is stateful, and already keeps track of connection states, it can distinguish
if a packet is valid or not by simply examining the header of each packet. However, to offload work
from the GGSN, we also propose a modification to the PDP context. Currently, PDP context only
contains the external address of each mobile device. Instead of simply storing the address, we can
store(IPaddress, portnumber) tuple. A modified PDP context can have multiple address and port
tuples. Whenever a mobile agent requests an outgoing connection, a tuple is assigned to it instead
of just an address. Using this technique, we can easily distinguish between valid and non-valid
incoming packets.
To manage PDP context lifetime, we introduce a new variable along with the PDP context
calledstateCount. This counter serves as the time to live (TTL) time for each PDP context. The
algorithm uses thestateCountvariable in the following way: when GGSN receives an outgoing
connection request or packet, a new tuple is assigned to the mobile phone, and thestateCountis
doubled. IfstateCountis 0, then we initialize it to 1. However, if GGSN receives an incoming
non-valid packet, thestateCountis decremented by 1. WhenstateCountdecreases to 0, GGSN can
conclude that the phone is under attack and perform recovery. This phase is calledexponential in-
crease, linear decrease(EILD). By implementing EILD, our algorithm can withstand some amounts
of false positive readings before raising an alert and entering the recovery phase. For example, it
would be hard to distinguish between valid and malicous streaming traffic. Furthermore, many port
scanners, worms, and other backscatter activities [50] areunavoidable on the Internet. Using EILD,
we can avoid disrupting the user as much as possible before weenter the recovery phase. Finally,
we note that PDP context can still be kept indefinitely, depending on service provider’s policy, as
long as the mobile agent is not under attack.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 24
The recovery phase is implemented when thestateCountdecrements to 0. The recovery
phase is implemented as follows: before disconnecting the user, we implement a random backoff
wait period between (Cmin,Cmax). The wait period allows any existing connection to finish. After a
random backoff waiting period, GGSN implements a gateway assisted PDP context modification,
changing the external address in the PDP context. At this time, all connections currently still active
will be dropped, thus preventing the attacker from reachingthe mobile agent. Furthermore, only
one extra message would be sent to the mobile agent notifyingthe modification, and one extra
message would be sent from the mobile agent acknowledging the change. The mobile agent, after
the recovery phase, can resume data connection and request outgoing connections as usual.
Specification Modification
Our defense strategy can be safely implemented in existing GPRS infrastructure without
any violation to the specification [51]. In particular, GPRSspecification states that user should
be able to establish and deactivate GPRS service as requested. Our defense mechanism does not
violate any of the specification stated.
The specification does not clearly state any PDP context management schemes. In fact, the
specification does not restrict when PDP context should be deactivated. However, the specification,
under invocation and operation, states that,
It shall be possible for a MS to be a GPRS service requester andservice receiver.
Our defense mechanism would violate this specification. However, we argue that cellu-
lar devices should not act as a server or any service receiver. In fact, most service providers in
the US restricts mobile agent’s usage and does not allow any type of services to be active on any
mobile users. Furthermore, the specification allows our battery draining attack, and many other
attacks possible since it is allowed for an entity to activate the PDP context and communicate with
mobile devices. We argue that such action should not be encouraged and protection against such
exploitation should be straightly enforced.
Analytical Analysis
We now present an analytical analysis of our proposed defense strategy and provide a
simplistic calculation of the maximumstateCountvalue which must be set in order for our defense
to detect an attack.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 25
We define the number of packets needed in order to mount a battery draining attack as
follows:
n×60secmin
×60mins
hr×hhours= 602nh. (3.1)
Given n = #packetss andh, the number of hours required to drain a phone’s battery (h ∼ 1
n) we can
calculate the upper bound on the number of outgoing connections that a cellular operator may set.
Parametersn and h are network dependent so each operator would have to tailor them to their
network.
In order to detect this attack, ourstateCountvariable must not exceed 602nh. Since we
exponentially increasestateCountin the fashion of 2connectionCount, we calculateconnectionCountmax
as follows:
connectionCountmax = ⌊log2602nh⌋ (3.2)
And following our argument from above, theconnectionCountshould be calculated as
follows:
connectionCount≤ ⌊log2602nh⌋ (3.3)
For example, forn= 1packets andh∼ 4 hours we notice thatconnectionCount= ⌊log214400⌋=
13. This means that the maximum number of connections each phone can make simultaneously in
order to detect an attack that sends1packets is 13 connections.
Note that this calculation provides a maximum for the connectionCount variable. Providers
should set this variable limit to a much smaller number, in order to detect any type of attack much
faster than this rate.
Implementation Details
As mentioned previously, our defense strategy is best implemented on the GGSN. Since
service providers already perform some proprietary PDP management scheme, as tested empirically3, implementing our scheme would be very simple. Furthermore, as most of the functions needed
3During our battery draining experiments, the PDP context sometimes would detach even if the mobile phone isstationary. We notice that PDP context can be alive from 15 minutes to even days.
CHAPTER 3. SLEEP DEPRIVATION ATTACK 26
are already implemented, such as the gateway assisted PDP context modification function, there
would not be any additional implementation work.
Furthermore, our proposed extension on the PDP context would also be a simple modifi-
cation. The implementation of the modified PDP context can betransparent to mobile devices, and
the mapping can be done entirely at the GGSN. Since GGSNs are already stateful, a simple change
in IP address assignment would not be difficult. Furthermore, our proposed modification to the PDP
context would also provide a NAT like behavior, as each IP address can be assigned multiple times
using different ports.
We envision APM to be implemented as a ”plug-in” module, which should not be any
longer than a couple of hundred lines of code. Since GGSNs arestandardized within each service
provider, a patch-like distribution can be easily deployedonce the module has been fully tested on
testbeds.
3.4 Conclusion
In this chapter, we demonstrated an attack, such that is ableto drain mobile devices’
battery power as much as 22 times faster. This attack proceeds in two stages. First, the attack
exploits vulnerabilities in MMS to build a hit list of mobiledevices. Then, the attack exploits PDP
content retention and the paging channel to drain mobile devices’ battery power. We were able to
drain batteries without alerting either the mobile user victims or the cellular network operators. Our
analysis shows that an attacker would need only several homeDSL Internet connections to mount
a large scale attack against a large number of cellular phones. We identified key components in
cellular networks that enable this attack and proposed corresponding mitigating solutions.
CHAPTER 4. SCHEDULER ATTACK 27
Chapter 4
Exploiting Opportunistic Scheduling in
Cellular Packet Networks
In this chapter, we study 3G and 3.5G networks and investigate the unwarranted trust
granted to mobile devices and the ensuing vulnerabilities.These networks rely on schedulers to
multiplex the spectrum efficiently. A commonly used scheduling algorithm is Proportional Fair
(PF) [52, 53], which maximizes the product of the throughputdelivered to all users. In this paper,
we reveal vulnerabilities in the PF scheduler and demonstrate that malicious mobile devices can
usurp time slots at the expense of honest users, hence denying them network access. For example,
we show that only one attacker per cell that has 50 users can occupy as much as 89% of the all the
scheduling slots indefinitely. Similarly, five attackers per cell can cause and perpetuate 2.1s end-to-
end inter-packet transmission delay for every victim user in the cell, thus rendering many services
useless.
4.1 Attack overview
Our attacks exploit vulnerabilities that result from unwarranted trust that the network
grants to mobile devices. By reporting false channel conditions and initiating frequent handoffs,
attackers can usurp the majority of downlink1 scheduling slots, causing intolerable delays to the
victim users and rendering many network services virtuallyuseless. We will give an overview of
the vulnerable 3G data network technologies and our attacks.
1From the network to the mobile users.
CHAPTER 4. SCHEDULER ATTACK 28
4.1.1 3G data networks
Cellular providers have developed two new data services, EV-DO and HSDPA, to pro-
vide broadband like downlink speed for emerging applications such as Voice-over-IP (VoIP), and
streaming video and audio, without major network restructuring. In both services, the downlink
utilizes time division multiplexing by dividing the channel in time slots, or Transmission Time In-
terval (TTI). (Note thatTTI = 1.67msfor EV-DO andTTI = 2msfor HSDPA). Theschedulerat
each base station then selects a single user to transmit at each TTI. Both services rely on two main
techniques to increase efficiency in the downlink direction: link adaptationandfast retransmission.
Link adaptation utilizes base station’s processing power to collect quasi instantaneous downlink
quality information — achannel quality indicator(CQI). Based on this CQI, the base station can
adapt data rate based on channel conditions: the better the channel condition, the higher the data
rate. Fast retransmission mechanism enables a mobile device to NACK each erroneous downlink
packet in order to request a retransmission from its base station instead of the originating server.
Opportunistic scheduling
Most 3G data services implement anopportunistic scheduler(Both HSDPA [54] and
EVDO [55] outline the use of an opportunistic scheduler in the downlink. Several service providers
also confirmed the use of opportunistic scheduler in their data networks) . In cellular networks,
channel conditions of mobile devices are time-varying and location-dependent. Since instantaneous
channel conditions derive the instantaneous data rates of mobile devices [56], mobile devices pe-
riodically measure and report their CQIs to their base stations. An opportunistic scheduler at a
base station selects a user with relatively good channel condition to transmit while maintaining pre-
defined QoS or fairness constraints. Thus, opportunistic schedulers often achieve higher network
performance than schedulers that do not take into account instantaneous channel conditions such as
round robin. A very popular opportunistic scheduler is Proportional Fair (PF), whose design goal is
to maximize the product of the throughput delivered to all users [52,53].
In PF, each mobile device measures its instantaneous channel conditions through pilot
signals, estimates the achievable data rate under its channel condition (denoted asCQIi(t) for user
i at timet), and sends the information back to the base station. To achieve the goal of maximizing
the product of the throughput delivered to all users [57], the PF scheduler chooses the user with
the highest ratio ofCQIi(t)/Ri(t) 2, whereRi(t) is the average throughput of useri at timet. It is
2PF makes scheduling decisions based on the ratioDRCi(t)/Ri(t) whereDRCi(t) = min{CQIk[n],Bk[n]tTTI
} andBk[n] is
CHAPTER 4. SCHEDULER ATTACK 29
estimated by the base station as follows:
Ri(t) =
αCQIi(t)+ (1−α)Ri(t −1) if the useri is scheduled att
(1−α)Ri(t −1) otherwise(4.1)
whereα is a network provider’s parameter describing the weight of the current time slot toward the
average. Typically,α is set as 0.001.
Handoff
Cellular networks implementhandoffsto transfer a connection from one base station to
another. There are two types of handoffs: soft and hard. In hard handoff, the network drops the
connection to the current base station before initiating a new one. In soft handoff, on the other
hand, a mobile device can have connections from several basestations simultaneously and choose
to transmit through the best base station. Noticeably, handoffs in 3G cellular services do not break
data transmission sessions.
4.1.2 Overview of attacks
3G data networks include mobile devices in their TCB. However, attackers can modify
mobile devices to perform actions different from intended by the providers, even when providers
attempt tamper-proof techniques [32, 58]. By trusting all mobile devices, 3G data networks suffer
from at least two vulnerabilities.
Fabricated CQIs Opportunistic schedulers base their scheduling decisionson CQIs reported by
mobile devices without verification. By reporting fabricated CQIs, malicious mobile devices can
manipulate the schedulers to achieve unfair network utilization and to disrupt other mobile devices.
For instance, a malicious mobile device can report an inflated CQI such that its ratio of CQI to
average data rate is the highest among all the devices in its cell, therefore ensuring that it will be
scheduled in the next time slot. By repeating this strategy,the malicious device may obtain a large
portion of slots in a short period of time, which causes largedelay and delay jitter to other users
(Section 4.2.1).
Greedy handoffs Mobile devices may initiate soft handoffs, but opportunistic schedulers are
oblivious of handoffs. For example, when a mobile device performs a handoff to another base
the buffer size. We eliminated buffer dependence from our calculations for simplicity.
CHAPTER 4. SCHEDULER ATTACK 30
station, the new base station does not retrieve the device’saverage data rate from its previous base
station [40], but rather assigns an often small or average value as the device’s initial average rate.
In the previous attack via reporting fabricated CQIs, the malicious mobile device has to report
monotonically increasing CQIs to sustain the attack because its average data rate keeps increasing.
Eventually, the attack becomes ineffective when its reported CQI exceeds the maximum allowable
CQI. However, if the malicious device sits in the coverage ofmultiple base stations, it may handoff
to another cell to acquire a fresh, lower average data rate and to start the attack again. Moreover,
multiple malicious devices may cooperate to attack multiple cells simultaneously (Section 4.2.2).
4.2 Attack analysis
Threat model Our threat model assumes that (1) attackers control one or a few mobile devices
that a cellular network has admitted; and (2) attackers havemodified the devices to report any CQI
value to the base station and to initiate handoff at any time.We believe this threat model is realistic.
Attackers can buy network-approved mobile devices and prepaid data plans or can spread worms
to take over existing mobile devices. Moreover, experiences show that attackers can modify mobile
devices to perform different actions than intended by the providers, even when providers attempt
temper-proof techniques [32, 58, 59]. However, our threat model does not assume that attackers
attack the cellular network infrastructure directly, e.g.by hacking into the network. Instead, they
exploit vulnerabilities in the network’s scheduler bymanipulating the information that their mobile
devices report to the network.
Attack settings From this point on, we useattackerto refer to either a human adversary or the
mobile device of the adversary (the context should differentiate the two meanings), and useuser
to refer to either a human user or the mobile device of the user. When an attack involves multiple
attackers, we assume that they coordinate. We will considerattacks on the proportional fair (PF)
scheduler under three settings. First, we consider attacksfrom a single cell, with a single or multiple
attackers. Next, we consider attacks from multiple cells, which is much more effective. Finally, we
consider a more realistic situation where the attackers do not know the channel conditions of other
users.
CHAPTER 4. SCHEDULER ATTACK 31
4.2.1 Attack within a single cell
We consider the situation when all the attackers stay in the same cell. Starting with one
attacker, we use mathematical analysis and simulation to evaluate his attack strategy. Then, we
extend our analysis to multiple attackers in the same cell. We assume that no user leaves or joins
the cell during the attack. Although this assumption is not crucial to our attack, it simplifies our
analysis. We also assume that the attackers know the channelconditions of all the users in the cell.
Section 4.2.3 will describe an attack strategy for the situations when this assumption does not hold.
Single attacker
The goal of the single attacker is to obtain a large number of consecutive time slots, there-
fore causing severe delay and jitter for the other victim users in the same cell. Since the PF scheduler
assigns the next time slot to the user that has the highest ratio of instantaneous achievable data rate
(measured in CQI) to average throughput, the attacker can report a large enough CQI to obtain the
time slot. To obtain consecutive time slots, the attacker must report monotonically increasing CQIs
(because its average throughput is increasing while other users’ throughput is decreasing, according
to Equation 4.1) until its reported CQI exceeds the range of CQI values.
It is difficult to calculate the precise number of consecutive time slots that the attacker can
get, because the number depends on the channel conditions ofall the users in the cell. However, we
can estimate an upper bound of this number by considering a simplified situation where each user
has the same CQI.3 First, we calculate the average throughput of a user. LetRi(t) be the average
throughput of useri at time slott. Recall from Section 4.1.1 that
Ri(t) =
αCQIi(t)+ (1−α)Ri(t −1) if the useri is scheduled att
(1−α)Ri(t −1) otherwise(4.2)
Since we assume that each user has the same CQI, the PF scheduler becomes a round robin sched-
uler, where each user is scheduled once everyN slots (N is the number of users in the cell). For
example, if useri is scheduled at time slots, he will not be scheduled until time slots+N. There-
fore, useri’s average rateRi(t) maximizes at time slots, and minimizes at the time slots+ N−1.
According to Equation 4.1,
Ri(s) = (1−α)NRi(s−N)+ αCQI (4.3)
3And each user always has outstanding data to receive.
CHAPTER 4. SCHEDULER ATTACK 32
Let us consider a steady state, whereRi(t) = Ri(t + kN) for all integerk. In this case,Ri(s) =
Ri(s−N). Using this equality in Equation 4.3, we have
Ri(s) =αCQI
1− (1−α)N ≈CQI
N(4.4)
Ri(s) is useri’s maximum throughput. His minimum throughput is
Ri(s−1) = Ri(s+N−1) = (1−α)N−1∗Ri(s) ≈ (1−α)N−1CQIN
(4.5)
Let C(t) = maxi{CQI/Ri(t)} be the maximum of CQI-to-throughput ratio at timet among all the
users. In the steady state,C(t) becomes a constantC, which is:
C =CQI
Ri(s−1)≈
N(1−α)N−1 (4.6)
Next, we describe a strategy for the attacker to obtain consecutive time slots. To obtain
time slot 1, the attackeri must report aCQIi(1) such thatCQIi(1)/Ri(0) ≥ C(0). After time slot
1, C(1) = C(0)/(1−α), because for each victim userj, its CQI remains constant, but its average
throughputRj has been scaled by 1−α. Therefore, to obtain time slot 2, the attackeri must report
CQIi(2) such thatCQIi(2)/Ri(1) ≥C(1) =C(0)/(1−α). Subsequently, at timet, the attacker must
claimCQIi(t) such thatCQIi(t)/Ri(t −1) ≥C(0)/(1−α)t−1. The attacker can obtain consecutive
time slots until the requiredCQIi(t) exceedsCQImax, the maximum value ofCQI. Therefore, the
maximum number of consecutive time slots that the attacker can obtain is the maximum integert0
that satisfies
CQImax≥C
(1−α)t0−1Ra(0)t0−1
∏k=1
(
αC(1−α)k−1 +(1−α)
)
(4.7)
Equation (4.7) shows that the maximum number of consecutiveslots an attacker can ob-
tain (t0) depends on the average throughput of the attacker at the beginning of the attack (Ri(0)),
the maximum CQI (CQImax), andα. Since the maximum CQI andα are set by the system, they
are out of the control of the attacker. The maximum CQI depends on the hardware.α is used to
balance the tradeoff between long-term and short-term performance. The smaller the valueα, the
better the system’s long-term throughput; however, when under attack, the smaller the valueα, the
larger the value oft0, i.e., the attacker can obtain more time slots. By comparison, the attacker has
control overRi(0), its average throughput at the beginning of the attack. Equation (4.7) shows that
the smaller the valueRa(0), the larger the valuet0. Therefore, after each attack session, the attacker
needs toresetits Ra(0) by reporting lowest CQI values for a sufficient period (typically on the order
CHAPTER 4. SCHEDULER ATTACK 33
of seconds). Finally, this model is simplified, assuming allvictim users have the same, consistent
CQI. When users have users have time-varying channel conditions, Equation 4.7 provides an upper
bound for estimatingt0.
Multiple attackers
A single attacker can obtain consecutive time slots until his reported CQI exceeds the
maximum CQI value; however, we can increase the number of consecutive time slots obtained by
using multiple colluding attackers. We describe three different coordinating schemes.
Sequential attack The simplest scheme is to attack sequentially. The attackerwith the smallest
average throughputRi(t) starts the attack and tries to obtain as many consecutive time slots as pos-
sible, while the other attackers lurk (by reporting arbitrarily small CQIs to avoid being scheduled).
When the active attacker’s reported CQI exceeds the maximumvalue of CQI, it stops the attack
while the attacker with the smallest average throughput starts to attack. The attack continues until
no attacker can get scheduled (because their average throughput is too high).
Minimum CQI Attack Since the attack will stop when all attackers’ reported CQIsexceed the
maximum value, this scheme tries to slow the increment of thereported CQIs. At each time slot,
each attacker computes the CQI that it needs obtain the time slot. Then, the attacker with the
smallest CQI reports its CQI to the base station while the other attackers lurk.
Delta CQI Attack This algorithm tries to slow the increment of calculated CQIvalues. At each
time slott, each attackeri computes the incrementδi(t) needed to its previous CQI. In other words,
δi(t) = CQIi(t)−CQIi(t −1). The attacker with the smallestδi(t) then reports its CQI to the base
station.
Simulation
We used simulation to evaluate the effectiveness of our attacks in a single cell. In the
simulation, we chose parameters that were recommended by specifications or that were commonly
used by cellular networks. The PF scheduler hadα = .001. The cell had 50 users. Each user
quantized his channel condition into CQI, an integer between 1 and 15, and reported the CQI to the
base station. The goal of the attack was to obtain the maximumnumber of consecutive time slots.
CHAPTER 4. SCHEDULER ATTACK 34
First, we simulated a single attacker in a cell with 49 victimusers. We used the same
ideal scenario as in our analysis in Section 4.2.1, i.e., allvictim users had the same CQI value. The
simulation showed that the attacker could obtain 42 consecutive time slots, whereas Equation 4.7
predicts that the attacker can obtain 39 consecutive time slots. The minor difference between the
simulation and the analysis is due to the approximation during the derivation of Equation 4.7.
Next, we simulated the same attack under a more realistic condition where each user’s
channel condition was a random variable following a Rayleigh distribution withσ = 3 and an initial
average rate of 0.5. The simulation showed that the attackergained an average of 19 time slots, with
a standard deviation of 2.77.
Next, we simulated multiple attackers in the same cell. Again, each user’s channel con-
dition was a random variable following a Rayleigh distribution. We varied the number of attackers
from one to five and simulated each of the attack schemes in Section 4.2.1. Figure 4.1 shows that
the number of collective consecutive time slots obtained bythe attackers increases almost linearly
with the number of attackers. Among the three attack schemes, the Delta CQI scheme performed
the best, where five attackers obtained 99 consecutive time slots.
0 1 2 3 4 50
20
40
60
80
100
Number of Attackers
Tim
eslo
t Occ
upie
d
DeltaMinimumSequential
Figure 4.1: Consecutive time slots obtained By attackers using different collaborating schemes in asingle cell.
CHAPTER 4. SCHEDULER ATTACK 35
Although 99 consecutive time slots (or 165ms) occupied by the attackers will cause delay
on victim users, this delay is tolerable by many applications and protocols. Moreover, after the
attack, the attackers must relinquish a large number of (at least 2000) time slots toresettheir average
throughput low enough before they can attack again. Therefore, the attackers cannot sustain this
delay. Fortunately (or unfortunately, depending on your stand), we were able to exploit another
vulnerability to make our attack much more effective and sustainable.
4.2.2 Attack from two cells
When attackers sit in the overlapping area of two cells, theycan exploit handoff to make
their attack much more effective and sustainable. Section 4.2.1 shows that an attacker’s reported
CQI and average throughput increase very fast during an attack. When a large average throughput
forces the attacker to report a CQI larger than its maximum value, the attack stops. However, since
users can initiate soft handoff and the network does not carry users’ average throughput across
cells, the attacker can hand off to another other cell, get a small initial average throughput, and
immediately start the attack in its new cell.
Initial average throughput
Since the network does not track users’ average throughput across cells [40], when a new
user joins a cell, the scheduler must first assign the user an initial value for its average throughput.
Since the choice of this initial value is unspecified, we explore three reasonable schemes. Although
these schemes are not all-inclusive, they represent good schemes that lead to predictable behavior
of the PF scheduler.
Based on the average of average throughput of all usersA simple scheme is to choose the
average of average throughput of all existing users in this cell as the initial average throughput of
the new user. The motivation for this scheme is the assumption that the new user’s channel condition
is close to the average channel condition of all existing users. The disadvantage of this scheme is
that when the new user just moves into his current cell from a neighboring cell, he is likely at the
edge of his current cell with poor channel condition, so thisscheme would over-estimate the new
user’s average throughput.
CHAPTER 4. SCHEDULER ATTACK 36
Based on the minimum of average throughput of all users Since new users often join a cell
from the edge of the cell, they expect to have the poorest channel condition. Therefore, this scheme
chooses the minimum of the average throughput of all existing users as the initial average throughput
of the new user. However, if the new user happens to have good channel condition, this scheme
would under-estimate the user’s average throughput.
Determined by the user Finally, since users are burdened with tasks such as channelquality and
pilot measurements for multiple cells, an intuitive schemeis to let users report their initial average
throughput. A major problem with this scheme is that the basestation trusts users blindly. An
attacker can report a bogus low average throughput to gain unfair advantage in scheduling.
Simulations
We simulated the attack from two cells. We used the same PF scheduler and the same
Raleigh distribution for users’ channel conditions as in Section 4.2.1. We simulated various number
of attackers per cell, from one to five. The attackers used thesequential attack algorithm described
in Section 4.2.1. However, after the last attacker in the cell finished his attack (i.e., when he could
obtain no more time slots), all the attackers in both cells handed off to the other cell. Although the
sequential attack algorithm is not the most effective, it isthe simplest and illustrates the lower bound
of the attack effect. We assume that handoff takes one time slot, which is realistic for soft handoff.
We ran the simulation for 18072 time slots, or 30 seconds. Figure 4.2 shows the per-
centage of time slots that the attackers got where there was one attacker per cell and the attackers
determined their initial throughput. It shows that after about 2000 time slots, the attackers consis-
tently obtained about 78% of all the time slots, a condition that we call the stabilization of the attack.
We simulated different number of attackers per cell and different schemes for assigning the initial
average throughput, and in all the simulations the attack stabilized well before 30 seconds.
Figure 4.3 shows the total number of time slots that the attackers obtained in 30 seconds.
Unsurprisingly, the more attackers per cell, the more time slots that they obtained. However, even
with just one attacker per cell, the attackers obtained from13459 (74%) to 16241 (90%) time slots,
depending on the scheme by which the scheduler assigns the initial average throughput. Among the
three schemes, the scheme that let the user provide this initial value is the most vulnerable, where
one attacker obtained 16241 (90%) time slots while five attackers obtained 17317 (96%) time slots.
CHAPTER 4. SCHEDULER ATTACK 37
0 5000 10000 150000.5
0.6
0.7
0.8
0.9
1
Time (timeslot)
% o
f Tim
eslo
ts o
btai
ned
Figure 4.2: Percentage of time slots obtained by two attackers, one per cell
4.2.3 Attack without knowing victims’ CQIs
So far, our attack requires the attackers to know all users’ channel conditions and average
throughput at each time slot. In practice, however, attackers may not have such information. In this
case, the attacker must predict the maximum of the CQI-to-throughput ratios of all the victim users,
because the attacker can obtain the next time slot only if hisown ratio is larger than those of all the
victim users. We show how the attacker can predict the value.
First, the attacker performs a statistical analysis of the PF scheduler and estimates a dis-
tribution of the max ratio of all users, shown in Figure 4.4. Based on this distribution, the attacker
determines the CQI that he needs to obtain the next time slot with high probability. The higher CQI
that the attacker reports, the higher probability that he will obtain the next time slot; however, in this
case, he will also exceed the maximum CQI value more rapidly,which will force him to hand off
to another cell. Since the attacker cannot obtain time slotsduring handoff, he must strike a balance
between obtaining the next time slot with high probability (by reporting higher CQIs) and reducing
the frequency of handoffs (by reporting lower CQIs). In the simulation, we choose the 90% value
of thec(t) in Figure 4.4. In other words, the attacker has 90% chance of obtaining a time slot.
During the attack, the attacker must adjust the estimated maximum CQI-to-throughput
CHAPTER 4. SCHEDULER ATTACK 38
0 1 2 3 4 50
2000
4000
6000
8000
10000
12000
14000
16000
18000
Attackers per Cell
Tim
eslo
ts O
ccup
ied
User ProvidedMin. user avg.Mean user avg.
Figure 4.3: Time slots occupied by the attack in 30 seconds (18072 time slots). The attackers havefull knowledge of every user’s information in each cell. Thethree lines represent different schemesfor assigning the initial average throughput by the base station
ratio of all the victim users constantly. This is because that in every time slot, each user’s average
throughput will increase byα∗CQI if he is scheduled, and decrease by a factor of(1−α) otherwise.
We propose the following scheme for adjusting the maximum ratio estimation.
Let c(t) be the estimated maximum CQI-to-throughput ratio at timet, derived from the
distribution in Figure 4.4, andRi(t) be the average throughput of useri at timet. If the attacker is
scheduled in timet, the average throughput of all the other users will decrease, Ri(t) = (1−α) ∗
Ri(t −1). Sincec(t) estimates the largestRi(t) of all the victim users, it increases at the same rate,
c(t + 1) = c(t)/(1−α). When the attacker is not scheduled, on the other hand, only the average
rate of the victim user who is scheduled will increase. Therefore,
c(t +1) = maxi
CQIi(t +1)
Ri(t)≈ max
i
CQIi(t +1)
Ri(t −1)∗ (1−α)+ α/N∗CQIi(t)
= maxi
CQIi(t +1)/Ri(t −1)
(1−α)+ α/N∗CQIi(t)/Ri(t −1)≈
c(t)(1−α)+ α/N∗c(t)
Some approximations are involved in the above estimation. First, on average, a victim user
gets scheduled once everyN times when the attacker is not scheduled. Therefore, the average rate of
a victim user will be increased byα/N ∗CQIi(t) when the attacker is not scheduled approximately.
CHAPTER 4. SCHEDULER ATTACK 39
30 40 50 60 70 80 900
100
200
300
400
500
600
700
Scheduled CQI/R ratio
Num
ber
of ti
mes
sch
edul
ed
Figure 4.4: Histogram of the CQI-to-throughput ratio of thescheduled user over 10000 time slots
Second, when a user is scheduled, his CQI-to-throughput ratio is the maximum among all users and
thus its value ofCQIi(t)/Ri(t −1) is approximatelyc(t). Equation 4.8 summarizes our analysis:
c(t +1) =
c(t)/(1− ε) if the attacker is scheduled
c(t)/(1+ σ∗ (c(t)−1)) if the attacker is not scheduled(4.8)
whereε andσ are functions ofα. We usedε andσ instead ofα to compensate for the possible errors
in our estimation of the maximum CQI-to-throughput ratio, and we determined them empirically.
We reran the simulations in Section 4.2.2 but with the estimated maximum CQI-to-throughput
ratio using Equation 4.8. As we experimented with differentchoices ofε andσ, we noticed that
over-estimation of the maximum CQI-to-throughput ratio yielded better attack results than under-
estimation.
Figures 4.5(a) shows the number of time slots obtained by theattackers withε = 1.5∗α
andσ = α/60. When there is a single attacker per cell, the attackers may obtain between 11583
(64%) and 15874 (88%) time slots, depending on the scheme forassigning initial average through-
put. When there are five attackers per cell, they can obtain between 14353 (79%) and 17136 (95%)
time slots. Next, we compare the effect of the attack under this realistic situation where attacks do
not know the CQIs of the victims with the effect of the attack under the ideal situation. Figure 4.5(b)
CHAPTER 4. SCHEDULER ATTACK 40
shows the percentage of time slots that the attackers obtainwhen they do not know the CQIs of the
victim users, compared to the case with perfect information. If the PF scheduler uses user-provided
initial average throughput, the attackers, using our estimation, can obtain almost the same number
of time slots, as in the ideal situation when the attackers know the value ofc(t) perfectly. Even when
the PF scheduler uses the two other schemes, which are more robust against our attack, the attackers
could still obtain more than 85% of the time slots that they would obtain in the ideal situation.
4.3 Attack impact
In this section, we discuss the impact of our attacks on normal victim mobile users. We
first produce a benchmark from an honest user. Then, we recount a study on a particular application,
VoIP, and show how the attack can render VoIP useless.
Overall and individual average throughput Figure 4.6 compares the distribution of users’ through-
put in a cell before and during the attack described in Section 4.2.2. We calculate the throughput
based on HSDPA’s mapping of CQI to data rate [60, 61]. Before the attack, most users obtain an
average throughput of 40 to 55 kbps. During the attack, most users obtain an average throughput of
only 10 to 15 kbps. By comparison, the attacker obtains an unusually high average throughput of
1.5Mbps4 5. This figure shows that the attack has defeated the fairness objective of PF entirely.
Average user delay Figure 4.7 depictsthe average delay between each transmissionfor victim
users. In a normal application, users experience a slight delay of 0.081 seconds between each
transmission, which is acceptable in most applications. This number, by the way, would most likely
be different if QoS requirements are deployed. Note that PF scheduler functions very similar to a
round robin scheduler in this case, even with a random channel condition. For example, in a cell
with 50 users, each user waits around 49 timeslots for a transmission. The delay variance of a user
in a PF scheduler is higher (in particular,N2−N whereN is the number of users).
During the attack, on the other hand, a victim user can experience up to 1.8 seconds delay
(22 times the delay before the attack) between each pair of successive transmissions. This significant
delay will render many applications virtually useless.
4Not shown in graph due to space constraints5The reason why the attacker’s average throughput is not significantly higher is because of handoffs, which resets the
attacker’s average throughput.
CHAPTER 4. SCHEDULER ATTACK 41
Impacts on applications Cellular providers have already started offering the VoIP service due
to its lower cost. However, VoIP packets have a rigorous delay requirement: 0-150ms delay is
acceptable, 150ms-400ms delay might be tolerable, but longer delay is disruptive [62]. This delay
budget is for end-to-end delay, including coding/decodingtime (around 20ms), transmission delay
over the Internet (about 100ms across the continental USA) and uplink and downlink delay to the
user. Therefore, the delay on the cellular link is important.
Using VoIP as an example, we develop a function to calculate the end-to-end delay be-
tween two cellular users. Letf (DNW,N,U,X) be the end-to-end, one way delay between two
users, whereDNW is the backbone network delay,N is the number of users in a cell,U is the uplink
network delay, andX is the delay that the attack induces to the downlink. Equation 4.9 shows the
formula for EV-DO, based on Goode’s calculation [63].
f (DNW,N,U,X) = 101.1ms+DNWms+(N)(1.67ms)+Ums+Xms (4.9)
Recall that we have shown in Figure 4.7 that honest users can experience up to 1.8 seconds
of delay between each transmission. Using equation 4.9, we obtain 2094.6ms ofend-to-end delay
per packet for every honest user in the cell. This delay is devastating for VoIP communication
as it renders it useless. Furthermore, the attack can be extented indefinitely with only 5 attackers
comprising only 10% of total number of users in the cell.
4.4 Possible defense strategies
The above-illuminated attack exploits several vulnerabilities that in combination, enable
any user to perform a denial-of-service attack on downlink cellular data service. To defend against
this type of attacks, we must either eliminate these vulnerabilities or mediate them such that this type
of attack is no longer effective. Here we outline some defense strategies that could be implemented
either in future specification revisions or current implementations.
4.4.1 Attack detection
There are two characteristics that the base station can use to distinguish normal and under-
attack operations in the attack outlined in section 4.2; namely, decrease of average user throughput
andexcessive numbers of handoffs. We can take advantage of these characteristics in composing a
defense strategy.
CHAPTER 4. SCHEDULER ATTACK 42
Anomaly detection using average throughput in a normal condition The base station can mea-
sure an average user’s throughput during normal operation,either by simulation or by actual mea-
surement. Then, it can compare the current throughput with recorded normal throughput. If their
difference is above a certain threshold, this could indicate that the system is under attack. The base
station then can use several methods to mitigate the attack,including using a scheduler that does not
require user collaboration, such as round robin, and tracing the attack source.
Number of handoffs per user In a normal operation, users do not perform excessive handoffs.
On the other hand, attackers performs handoffs as many as oneevery 5 time slots. The base station
can observe the number of handoffs performed per user over a period of time. If a user performs
an unusually high number of handoffs in a given time, the basestation can reject further handoff
requests, thereby stopping the attack in that cell.
4.4.2 Attack prevention
In addition to attack detection, network designers can implement modifications to the
existing architecture to prevent the attack. We present some possible mitigation strategies that are
designed to stop this attack from causing significant damage.
Trust but verify The root of this attack is that the cellular network considers mobile users in
its TCB, and subsequently makes decisions based on unverified user input. One possible defense
strategy that the base station can perform is to periodically check the validity of the various reports
made by the mobile devices. This approach,trust, but verify, places a level of trust on a mobile
device as it passes random checks. The CQI reported by the mobile device can be randomly checked
using their uplink channel condition and error rate.6. Mobile station gains trust as it passes random
check, and loses trust when it fails. The base station can disconnect mobile users if they fail checks
for a number of times thereby punishing malicious or badly configured users.
Assume an average based on the normal operating conditionThe base station can define an
average such that it reflects the normal behavior of the cell,given the number of users in the cell.
This scheme punishes the attacker because he will be assigned a high average each time he switches
cells and thus force the attacker to perform handoffs much earlier. Figure 4.8 illustrates that this
6Estimating channel condition using uplink data rate is not perfectly accurate; however, it can still detect anomalousclaims
CHAPTER 4. SCHEDULER ATTACK 43
scheme is much more resilient to attack than the strategy that solely relies on the cell’s current
information. This scheme does not require a change to the current architecture nor does it require
collaboration between network entities.
This scheme is not without cost. During handoff, an honest user is usually at the edge of
the cell with relatively poor channel condition. Assigninga fixed average may starve the user for a
while. Additionally, while this scheme alleviates the effect of attacks by forcing more handoffs, it
does not solve the whole problem.
Scheduler information sharing The attack discussed in Section 4.2.2 accentuates the fact that
PF is oblivious of handoffs. When a mobile device performs a handoff the base station must derive
the mobile users’ average throughput using information confined to the current cell. Therefore,
whenever the attacker performs a handoff, the attacker’s excessively high average throughput gets
replaced with a new, calculated average throughput from thenew base station.
The attack can be stopped if base stations communicate and transfer users’ average through-
put along with a mobile device during handoff. In this case, the attacker cannot continue the attack
for more than a few slots since the average throughput is extremely high. This defense mechanism
can limit the effect of the attack to that in a single cell and therefore reduce the problem to service
degradation instead of denial of service. Figure 4.8 shows the performance of this defense strat-
egy compared to the average throughput assignment strategy, which does not require collaboration.
Notice that by sharing information between cells, the attack can be significantly deterred.
Modified schedulers with multi-dimensional constraints Another possible defense strategy is
to introduce additional constraints into the scheduler. These temporal constraints limits the portion
of time slots allocated to the attackers, stopping the attack.
The base station can implement two types of temporal constraints, either individually, or
combined. Thelong-term temporal constraintlimits the minimum and (possibly) maximum portion
of time slots allocated to each user over a long period of time(usually during the lifetime of a user,
on the order of minutes). Theshort-term temporal constraintguarantees that each user obtains a
minimum (and possibly maximum) number of time slots within atime window, on the order of a
few hundred milliseconds.
Long-term temporal constraints can be easily satisfied due to the PF scheduler’s fairness
constraints in a normal operation. The impact of the short-term constraint, on the other hand, de-
pends on the parameters used. The defense capability becomes more effective as the number of slots
CHAPTER 4. SCHEDULER ATTACK 44
assigned to each user in a short-term increases, but lowers overall throughput7. However, short-
term constraint is also useful in improving short-term fairness among users and reduce throughput
burstiness, which is desirable to upper layer protocols, such as TCP.
Priority queue Additionally, a priority queue can be implemented at the base station. Traffic
with delay constraints, such as VoIP traffic, can be scheduled with high priority, while other traffic,
such as web browsing, can be scheduled with low priority. While an attacker can claim to be
high priority, because the number of high priority users is relatively small, these users have much
better delay performance, and thus mitigate the effects of the attacks (in particular, attacks without
handoff). In addition, the priority scheme may be combined with temporal constraints so that an
attacker cannot claim a large portion of resource (for attacks with handoff).
4.5 Conclusion
In this chapter, we have shown that cellular data networks are vulnerable to DoS attacks
because of the following vulnerabilities:
• The network trusts mobile devices to report truthful CQIs, which the PF scheduler uses with-
out verification for assigning time slots. Therefore, malicious mobile devices can manipulate
their reported CQIs to gain a large number of time slots.
• The network does not track the average throughput of mobile devices across different cells,
which allows malicious devices to maintain perpetual scheduling priority by frequent hand-
offs.
We have studied a series of attacks on the proportional fair scheduler exploiting the above
vulnerabilities. Our simulations show that just one attacker per cell can disrupt time-sensitive data
services, such as voice-over-IP. Moreover, multiple attackers in the same cell can collaborate to
cause serious denial of service by occupying up to 95% of scheduling slots indefinitely. Meanwhile,
they can also induce 1.8s delay between each consecutive packet transmission on every victim user
who is in the same cell as the attackers. We have proposed several mitigation strategies to defend
against these attacks.
7because the scheduler has to schedule users given the short-term constraint although there might be a user with ahigher value ofCQI/R
CHAPTER 4. SCHEDULER ATTACK 45
0 1 2 3 4 50
2000
4000
6000
8000
10000
12000
14000
16000
18000
Attackers per Cell
Tim
eslo
ts C
ccup
ied
User providedMin. user avg.Mean user avg.
(a) Time slots obtained by the attack in 30 seconds (18072 slots). The attackers do not have
any knowledge of victims’ CQIs.
0 1 2 3 4 50
20
40
60
80
100
Attackers per Cell
Acc
urac
y of
Pre
dict
ion
(%)
User ProvidedMin. user Avg.Mean user Avg.
(b) Percentage of time slots obtained by attackers without knowing victims’ CQIs compared
to those with knowing victims’ CQIs
Figure 4.5: Performance of the attack without knowing victims’ CQIs. Each sub-figure shows threecurves, each representing a different scheme for assigningthe initial average throughput.
CHAPTER 4. SCHEDULER ATTACK 46
0 10 20 30 40 50 600
5
10
15
20
25
Average Throughput (kbps)
% o
f Use
rs
After Attack
Figure 4.6: The average throughput distribution of users, before and after attack.
CHAPTER 4. SCHEDULER ATTACK 47
0 1 2 3 4 50
0.5
1
1.5
2
2.5
Attackers per Cell
Vic
tim’s
Ave
rage
Del
ay (
s)
Full KnowledgePrediction
Figure 4.7: The average delay an honest user experiences between each packet transmission
.
CHAPTER 4. SCHEDULER ATTACK 48
0 1 2 3 4 50
2000
4000
6000
8000
10000
12000
14000
16000
18000
Attackers per Cell
Tim
eslo
ts O
ccup
ied
Min. User Avg.Mean Norm. User Avg.Collaboration
Figure 4.8: Continuous number of timeslots occupied by the attack using different defense strategiescompared to a normal attack in full knowledge
CHAPTER 5. SUMMARY AND CONCLUSION 49
Chapter 5
Summary and Conclusion
While cellular users embrace new broadband data services and applications, attackers get
opportunities to exploit emerging vulnerabilities in mobile devices, cellular data networks, and the
interaction between cellular networks and the Internet. Wedemonstrated two particular denial of
service attacks that can cause havoc in cellular network with relatively few resources.
In the first attack in Chapter 3, we demonstrated drains mobile devices’ battery power as
much as 22 times faster. This attack proceeds in two stages. First, the attack exploits vulnerabilities
in MMS to build a hit list of mobile devices. Then, the attack exploits PDP content retention and
the paging channel to drain mobile devices’ battery power. We were able to drain batteries without
alerting either the mobile user victims or the cellular network operators. Our analysis shows that
an attacker would need only several home DSL Internet connections to mount a large scale attack
against a large number of cellular phones. We identified key components in cellular networks that
enable this attack and proposed corresponding mitigating solutions.
In the second attack in Chapter 4, we studied a series of attacks on the proportional fair
scheduler exploiting the 3G and PF vulnerabilities. Our simulations show that just one attacker
per cell can disrupt time-sensitive data services, such as voice-over-IP. Moreover, multiple attackers
in the same cell can collaborate to cause serious denial of service by occupying up to 95% of
scheduling slots indefinitely. Meanwhile, they can also induce 1.8s delay between each consecutive
packet transmission on every victim user who is in the same cell as the attackers. We have proposed
several mitigation strategies to defend against these attacks.
Due to the complex interaction between mobile devices, cellular data networks, and the
Internet, we conjecture that our discovered attacks may be just the tip of an iceberg. We hope that
our work will bring attention to this emerging threat and will inspire future research for securing
CHAPTER 5. SUMMARY AND CONCLUSION 50
cellular data services and applications. Furthermore, we hope to motivate the cellular industry to
improve the security in their current data services, and to scrutinize the security in their future
specifications more rigorously.
BIBLIOGRAPHY 51
Bibliography
[1] CITA. Wireless quick facts. http://files.ctia.org/pdf/Wireless Quick Facts
October 05.pdf.
[2] Charles Brookson. GSM ( and PCN ) security and encryption. http://www.brookson.com/
gsm/gsmdoc.htm.
[3] Paul Yousef. GSM-security: a survey and evaluation of the current situation. Master’s thesis,
Linkoping Institute of Technology, 2004.
[4] Chengyuan Peng. GSM and GPRS security. InHUT TML, 2000.
[5] Alan Bavosa. GPRS security threats and solution recommendations.http://www.juniper.
net/solutions/literature/white papers/200074.pdf.
[6] Charles Brookson. GPRS security.http://www.brookson.com/gsm/gprs.pdf.
[7] Oillie Whitehouse. GPRS security: Not ready for prime time. http://www.
securitymanagement.com/library/wireless tech0902.pdf.
[8] Stephane piot. Security over GPRS. Master’s thesis, University College London, 1998.
[9] Christopher Wingert and Mullaguru Naidu. CDMA 1XRTT security overview.http://www.
cdg.org/technology/cdma technology/white papers/cdma 1x security overview.
pdf.
[10] Atique Ahmed Khan. Security and vulnerability analysis of wireless messaging protocols and
applications. InPak Con, 2004.
[11] Stefan Andersson. MMS security considerations. In3GPP TSG SA WG3 Security, 2003.
BIBLIOGRAPHY 52
[12] Rei Safavi-Naini, Willy Susilo, and Gelareh Taban. Towards securing 3G mobile phones. In
The 9th IEEE International Conference on Network (ICON 2001), 2001.
[13] 3rd Generation Partnership Project. 3G security: Security threats and requirements.ftp:
//ftp.3gpp.org/Specs/2000-12/R1999/21 series/21133-310.zip.
[14] Ollie Whitehouse and Graham Murphy. Attacks and counter measures in 2.5G and 3G
cellular IP networks.http://www.atstake.com/research/reports/acrobat/atstake
cellular networks.pdf.
[15] Sotirios I. Maniatis Constantinos F. Grecas and Iakovos S. Venieris. Introduction of the asym-
metric cryptography in GSM, GPRS, UMTS, and its public key infrastructure integration. In
Mobile Network and Applications, 2003.
[16] Chi-Chun Lo and Yu-Jen Chen. A secure communication architecture for GSM networks. In
IEEE Transactions on Consumer Electronics, 1999.
[17] John A. MacDonald and Chris J. Mitchell. Using the GSM/UMTS SIM to secure web services.
In the 2nd Workshop on Mobile Commerce and Services WMCS, 2005.
[18] ISAAC. GSM cloning.http://www.isaac.cs.berkeley.edu/isaac/gsm.html.
[19] M. J. Riezenman. Cellular security: better, but foes still lurk. IEEE Spectrum, 37(6), 2000.
[20] B Sun, F Yu, K Wu, and VCM Leung. Mobility-based anomaly detection in cellular mobile
networks. In2004 ACM workshop on Wireless security, 2004.
[21] Mirela Sechi Moretti Annoni Notare, Fernando Augusto da Silva Cruz, Bernardo Gonalves
Riso, and Carlos Becker Westphall. Security management against cloned cellular telephones.
In IEEE International Conference on Networks, page 356, Washington, DC, USA, 1999. IEEE
Computer Society.
[22] Azzedine Boukerche and Mirela Sechi M. Annoni Notare. Behavior-based intrusion detection
in mobile phone systems.Parallel and Distributed Computing, 62(9):1476 – 1490, 2002.
[23] Nilesh Agarwal, Leena Chandran-Wadia, and Varsha Apte. Capacity analysis of the GSM
short message service. InNational Conference on Communications, 2004.
BIBLIOGRAPHY 53
[24] William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta. Exploiting open
functionality in SMS-capable cellular networks. In12th ACM Conference on Computer and
Communications Security (CCS’05), November 7-11, 2005.
[25] Patrick Traynor, William Enck, Patrick McDaniel, and Thomas La Porta. Mitigating attacks
on open functionality in SMS-capable cellular networkss. In 12th Annual International Con-
ference on Mobile Computing and Networking MOBICOMM, 2006.
[26] Pars Mutaf and Claude Castelluccia. Insecurity of the paging channel in the wireless inter-
net: A denial-of-service attack that exploits dormant mobile IP hosts. In3rd Workshop on
Applications and Services in Wireless Networks, 2003.
[27] Thomas Martin, Michael Hsiao, Dong Ha, and Jayan Krishnaswami. Denial-of-service attacks
on battery-powered mobile computers. InProceedings of the 2nd IEEE Pervasive Computing
Conference, 2004.
[28] Daniel C. Nash, Thomas Martin, Dong Ha, and Michael Hsiao. Towards an intrusion detection
system for battery exhausion attacks on mobile computing devices. InProceedings of 2nd
International Workshop on Pervasive Computing and Communications Security (PerSec ’05),
2005.
[29] Anti Phishing Working Group. What is phishing and pharming? http://www.
antiphishing.org/.
[30] Redteam. Advisory: o2 germany promotes SMS-phishing. http://www.
redteam-pentesting.de/advisories/rt-sa-2005-009.txt.
[31] Brian Fonseca. Worm calling.http://www.infoworld.com/articles/hn/xml/00/06/
06/000606hnphoneworm.html.
[32] Dan Ilett and Matt Hines. Skulls program carries cabir worm into phones.
http://news.com.com/Skulls+program+carries+Cabir+worm+into+phones/
2100-7349 3-5469691.html.
[33] James W. Mickens and Brian D. Noble. Modeling epidemic spreading in mobile environments.
In WiSe ’05: Proceedings of the 4th ACM workshop on Wireless security, pages 77–86, New
York, NY, USA, 2005. ACM Press.
BIBLIOGRAPHY 54
[34] R. Knopp and P. Humblet. Information capacity and powercontrol in single-cell multiuser
communications. InProceedings of the ICC, 1995.
[35] David Tse and Pramod Viswanath.Fundamentals of Wireless Communication. Cambridge, 1
edition, 2005.
[36] X. Liu, E. K. P. Chong, and N. B. Shroff. A framework for opportunistic scheduling in wireless
networks.Computer Networks, 41(4):451–474, March 2003.
[37] Mohamad Assaad, Badii Jouaber, and Djamal Zeghlache. Effect of TCP on UMTS-HSDPA
system performance and capacity. 2004.
[38] Jin-Hee Choi, Jin-Ghoo Choi, and Chuck Yoo. Analyzing the impact of proportional fair
scheduler on TCP performance. 2005.
[39] Matthew Andrews. Instability of the proportional fairscheduling algorithm. InIEEE Trans-
actions on Wireless Communications, 2004.
[40] Tian Bu, Li Li, and Ramachandran Ramjee. Generalized proportional fair scheduling in third
generation wireless data networks. InINFOCOMM, 2006.
[41] Kameswari Kotapati, Peng Liu, Yan Sun, and Thomas F. La Porta. A taxonomy of cyber
attacks on 3G networks. InTechnical Report NAS-TR-0021-2005, Network and Security
Research Center, Department of Computer Science and Engineering, Penn State University,
2005.
[42] Fabio Ricciato. Unwanted traffic in 3G networks. InACM SIGCOMM Computer Communi-
cation Review, Volume 36, Issue 2, 2006.
[43] A Bovosa. Attacks and counter measures in 2.5G and 3G cellular IP networks. InJuniper
White Paper, 2004.
[44] Ashwin Sridharan, Ramesh Subbaraman, and Roch Guerin.Uplink scheduling in the EV-DO
rev. a system: An initial investigation. InSprint ATL Research Report Nr. RR06-ATL-080139,
2006.
[45] C. Rose C.U. Saraydar. Minimizing the paging channel bandwidth for cellular traffic. InIEEE
ICUPC, 1996.
BIBLIOGRAPHY 55
[46] Peter McGuiggan.GPRS In Practice: A companion to the specification. John Willey & Sons,
2004.
[47] W3C Proposed Recommendation. Synchronized multimedia integration language (SMIL2.1).
http://www.w3.org/TR/SMIL2/.
[48] Humpa. MMS pic server.http://www.humpa.com.
[49] Curt Schurgers Vijay Raghunathan, Saurabh Ganeriwal and Mani Srivastava. WFQ: An energy
efficient fair scheduling policy for wireless systems. InISLPED, 2002.
[50] D. Moore, C Shannon, G. Voelker, and S. Savage. Inferring internet denial of service activity.
In USENIX Security Symposium, 2001.
[51] ETSI. GSM 03.60 general packet radio service: Service description, stage 2.http://webapp.
etsi.org/workprogram/Report WorkItem.asp?WKI ID=3068.
[52] A. Jalali, R. Padovani, and R. Pankaj. Data throughput of CDMA-HDR a high efficiency-
high data rate personal communication wireless system. InProceedings of IEEE Vehicular
Technology Conference 2000-Spring, volume 3, 2000.
[53] E. F. Chaponniere, P. Black, J. M. Holtzman, and D. Tse. Transmitter directed multiple receiver
system using path diversity to equitably maximize throughput. U.S. Patent No. 6449490, 2002.
[54] Harri Holma and Antti Toskala.HSDPA/HSUPA for UMTS. John Willey & Sons, 2006.
[55] Vieri Vanghi, Aleksandar Damnjanovic, and Branimir Vojcic. The cdma2000 System for Mo-
bile Communications. Prentice Hall, 2004.
[56] S. Nanda, K. Balachandran, and S. Kumar. Adaptation techniques in wireless packet data
services.IEEE Communications Magazine, 38(1):54–64, January 2000.
[57] F. Kelly. Charging and rate control for elastic traffic.European Transactions on Telecommu-
nications, 8:33–37, 1997.
[58] Telefono. Homebrew mobile phone club.http://telefono.revejo.org/.
[59] Radmilo Racic, Denys Ma, and Hao Chen. Exploiting MMS vulnerabilities to stealthily ex-
haust mobile phones’ battery. InIEEE SecureComm, 2006.
BIBLIOGRAPHY 56
[60] 3GPP. UMTS MAC protocol specification specification 3GPP TS 25.321 version 7.00 release
7. http://3gpp.org/ftp/Specs/html-info/25321.htm.
[61] Troels E. Kolding, Frank Frederiksen, and Preben E. Morgensen. Performance aspects of
WCDMA systems with high speed downlink packet access (HSPDA). In Vehicular Technology
Conference, 2002.
[62] ITU-T. One-way transmission time. ITU-T Recommendation G.114, 1996.
[63] Bur Goode. Voice over internet protocol (VoIP). InIEEE, 2002.