CS Cellular and Mobile Network Security: Cellular Networking

(1)

Georgia

Tech

CS 8803 - Cellular and

Mobile Network Security:

Cellular Networking

Professor Patrick Traynor 9/13/2012

(2)

Georgia

Tech

The Big Picture

(3)

Georgia

Tech

Overview

•

Evolution

•

Architecture

•

Air Interfaces

•

Network Protocols

•

Application: Messaging

(4)

Georgia

Tech

Cellular Systems

•

Wireless Access

‣ TDMA (IS-136, GSM)

‣ CDMA (IS-95, CDMA2000)

‣ WCDMA (UMTS)

•

Connection oriented networks for voice

‣ PSTN (ISDN)

•

Packet overlay networks for data

‣ General Packet Radio Service (GPRS) - GSM and UMTS

‣ Enhanced Version Data “Optimized” (EVDO) - CDMA

•

Rebranded from “Data Only”

•

Signaling protocols

(5)

Georgia

Tech

Wireless Standards Evolution to 3G

1G Analog AMPS TACS 2G IS-95-A/ cdmaOne IS-136 TDMA GSM GSM GPRS HSCSD 2.5G IS-95-B/ cdmaOne WiMAX 2.75G GSM EDGE 3G Existing Spectrum 700 MHz CDMA2000 1xRTT (1.25 MHz) 4G CDMA2000 1xEVDO (1.25 MHz) CDMA2000 3x (5 MHz) LTE (1.4, 3, 5, 10, 15, 20 MHz) WCDMA (UMTS)

(6)

Georgia

Tech

Reference Architecture

•

MS: Mobile Subscriber/Station

•

BTS: Base Transceiver Station

•

BSC: Base Station Controller

•

MSC: Mobile Switching Center

•

HLR: Home Location Register

(7)

Georgia

Tech

Reference Architecture

•

AuC: Authentication Center

•

VLR: Visitor’s Location Register

BTS MS

(8)

Georgia

Tech

Reference Architecture

•

BTS

BSC MS

(9)

Georgia

Tech

Reference Architecture

•

BTS

BSC

BTS BTS MS

(10)

Georgia

Tech

Reference Architecture

•

BTS

BSC

BTS BTS

MSC

(11)

Georgia

Tech

Reference Architecture

•

BTS BSC BTS BTS BSC BSC MSC MS

(12)

Georgia

Tech

Reference Architecture

•

BTS BSC BTS BTS BSC BSC MSC MSC MS

(13)

Georgia

Tech

Reference Architecture

•

BTS BSC BTS BTS BSC BSC MSC VLR MSC MS

(14)

Georgia

Tech

VLR

Reference Architecture

•

(15)

Georgia

Tech

HLR VLR

Reference Architecture

•

(16)

Georgia

Tech

AuC HLR VLR

Reference Architecture

•

(17)

Georgia

Tech

AuC HLR VLR

Reference Architecture

•

BTS BSC BTS BTS BSC BSC MSC VLR MSC PSTN/ISDN MS

(18)

Georgia

Tech

Wireless Network HLR MSC AuC HLR VLR

Reference Architecture

•

BTS BSC BTS BTS BSC BSC MSC VLR MSC PSTN/ISDN MS

(19)

Georgia

Tech

VLR

MSC MSC

Basic Network Architecture

•

Gateway MSC receives incoming calls for phones.

•

Serving MSC assigned based on location

•

HLR: Permanent registry for service profiles, pointer to VLR

•

VLR: Temporary repository for profile information, pointer to SMSC.

MS VLR Network BS BS BS SMSC HLR GMSC

(20)

Georgia

Tech

Cellular Services

•

Automatic call delivery

‣ find a user, deliver a call

•

IN-type services

‣ e.g., call forwarding

•

Messaging

‣ short message service

•

Connection oriented user data transfer

‣ voice, fax, circuit-switched data

•

Packet Data

‣ General Packet Radio Service (GPRS) - GSM and UMTS

(21)

Georgia

Tech

High Level Call Flow

•

Mobile User Registers

‣ Power up/down

‣ Movement

‣ Periodic

•

Call recipient located

‣ Call routed to gateway or home MSC

‣ Gateway MSC searches for called mobile (via HLRs and VLRs) ‣ Mobile user is paged (determines current base station)

•

Call delivered

(22)

Georgia

Tech

Delivering a Call

MSC MS VLR Network BS BS BS SMSC HLR GMSC

(23)

Georgia

Tech

Delivering a Call

MSC MS VLR Network BS BS BS SMSC HLR GMSC 1. 404-894-2000

(24)

Georgia

Tech

Delivering a Call

MSC MS VLR Network BS BS BS SMSC HLR GMSC 2. 404-894-2000 maps to HLR X

(25)

Georgia

Tech

Delivering a Call

3. How do I deliver call to User 222?

(26)

Georgia

Tech

Delivering a Call

4. How do I deliver call to User 222?

(27)

Georgia

Tech

Delivering a Call

MSC MS VLR Network BS BS BS SMSC HLR GMSC 5. 999-xxx

(28)

Georgia

Tech

Delivering a Call

(29)

Georgia

Tech

Delivering a Call

(30)

Georgia

Tech

Delivering a Call

MSC MS VLR Network BS BS BS SMSC HLR GMSC 8. Call to 999-xxx

(31)

Georgia

Tech

Delivering a Call

MSC MS VLR Network BS BS BS SMSC HLR GMSC 9. Page

(32)

Georgia

Tech

Delivering a Call

MSC MS VLR Network BS BS BS SMSC HLR GMSC 10. Call

(33)

Georgia

Tech

Protocols of Note

MSC MS VLR PSTN/ISDN BS BS BS MSC HLR SS7

Mobility Management Protocols GSM-MAP, ANSI41-MAP

Air Interfaces GSM, IS136, IS-95, UMTS

(34)

Georgia

Tech

Mobile Registration - High Level

Old SMSC Old VLR HLR VLR MSC BS Update Location Cancel Location OK

(35)

Georgia

Tech

Mobile Call Delivery - High Level

Gateway MSC HLR VLR MSC BS Call Request Request Routing Info Routing Number

SS7 Call Delivery _RequestCall

Page Connect

(36)

Georgia

Tech

Security Moment - Location Granularity

•

Commonly heard assertion: “The phone company knows exactly where all of their customers are located at every moment.”

•

Virtually all phones are equipped with some type of GPS resolution.

•

Is this true?

‣ What are the security implications?

(37)

Georgia

Tech

Hierarchy of Location Information

VLR HLR GMSC SMSC Paging MSC VLR MSC Phone Number Registration Registration Temporary Routing #

(38)

Georgia

Tech

(39)

Georgia

Tech

E911

•

Enhanced 911 (E911) transmits your GPS location to the nearest Public Safety Answering Point (PSAP).

(40)

Georgia

Tech

E911

•

‣ This is how you always get the nearest 911 call center, regardless

(41)

Georgia

Tech

E911

•

of where you are traveling in North America.

•

But what about the “Location On” vs. “E911 Only” options available on most phones?

(42)

Georgia

Tech

E911

•

‣ “Location On” does not allow the phone company to constantly

track you. It instead allows services within the network to use your GPS data when you initiate them (e.g., Verizon Navigator, Family Locator).

(43)

Georgia

Tech

E911

•

‣ “Location On” does not allow the phone company to constantly

track you. It instead allows services within the network to use your GPS data when you initiate them (e.g., Verizon Navigator, Family Locator).

‣ The phone company simply can not keep track

of all the changes in location information at every moment!

(44)

Georgia

Tech

Voice Path

•

This is under the assumption that the underlying network supports digital voice.

MS VLR PSTN/ISDN BS MSC HLR Coded Voice

(45)

Georgia

Tech

Analog vs Digital

•

Phone systems are generally classified as either analog or digital.

‣ What exactly does that mean?

•

This is all about how data is represented and delivered through the network.

•

Analog is the translation of voice/sound into electrical impulses.

‣ Pure waveform representations of sounds.

•

Digital is an approximation of this waveform, represented in 0s and 1s.

(46)

Georgia

Tech

Analog vs Digital - Tradeoffs

•

Analog

‣ Inexpensive - think cheap home phones

‣ Bandwidth constrained - very limited amount of data can be sent.

•

Security thoughts?

‣ Noise - every link introduces noise, reduces clarity.

•

Digital

‣ Expensive - relatively speaking

‣ Improved voice clarity - signal arrives exactly as approximated.

(47)

Georgia

Tech

Voice Encoding - GSM-FR/PCM/G.711

•

Pulse Code Modulation (PCM) is the basis for GSM Full-Rate (GSM-FR) voice encoding.

•

8 kHz samples (64 kbps) reduced to 13.2 kbps using

Regular Pulse Excitation - Long Term Prediction (RPE-LTP).

•

Converted back to 64 kbps at MSC prior to Release 4.

‣ Changes in the core towards “TrFO” for all IP.

... ... 20 msec RTP-LTP Encoder 160 Samples 260-bit frame ... 20 msec RTP-LTP Decoder 160 Samples Sender Receiver ...

(48)

Georgia

Tech

Air Interface Functions

•

Control

‣ read system parameters

‣ authenticate

‣ update location

‣ receive and originate calls

‣ manage handoffs

•

Dedicated traffic

‣ voice, data

•

Shared Traffic

(49)

Georgia

Tech

Wireless Access Basics

•

Frequency Division Multiple Access (FDMA):

‣ Analog cellular - 1G

•

Time Division Multiple Access (TDMA):

‣ IS-54, IS-136, FSM - 2G

‣ GPRS - 2.5G

•

Code Division Multiple Access (CDMA):

‣ IS-95 (cdmaOne) - 2G

(50)

Georgia

Tech

FDD/TDD modes for Forward/Reverse Channels

•

Frequency Division Duplex (FDD)

‣ Two distinct bands of frequency for each user (forward and reverse). ‣ Frequency separation between forward and reverse constant for all

channels.

‣ Reverse channel typically lower frequency than forward channel (so

that the mobile device can transmit at lower power).

•

Time Division Duplex (TDD)

‣ Each duplex channel has a forward timeslot and reverse timesolt for

bidirectional communication.

(51)

Georgia

Tech

Background - AMPS

•

Advanced Mobile Phone System

‣ Analog Channels

‣ Frequency Modulation (FM)

‣ 1 channel per carrier (1 conversation)

(52)

Georgia

Tech

Background - TDMA

•

Combination of FDMA and TDMA

•

System operated within certain frequency bands

•

Within system bands:

‣ many carrier frequencies are defined ‣ each carrier is divided into timeslots

‣ a channel is defined by a set of time slots on a carrier frequency

•

Forward (downlink) and Reverse (uplink) channels use different carriers.

(53)

Georgia

Tech

TDMA Overview

TDM A FDMA System Bandwidth One Carrier/

Channel One Slot One User

•

Co-channel Interference

•

Inter-symbol Interference

•

Capacity limited by

(54)

Georgia

Tech

TDMA

•

Single carrier frequency is shared by several users.

•

Data transmission occurs in bursts, resulting in lower battery consumption.

•

High synchronization overhead is necessary because of burst transmissions.

•

Discontinuous transmission also make handoffs simpler since the mobile device can listen to other base stations during idle time slots

•

Due to high transmission rates, inter-symbol interference is common and needs equalization.

(55)

Georgia

Tech

Code Division Multiple Access (CDMA)

•

used in several wireless broadcast channels (cellular, satellite, etc) standards

•

unique “code” assigned to each user; i.e., code set partitioning

•

all users share same frequency, but each user has own “chipping” sequence (i.e., code) to encode data

•

encoded signal = (original data) X (chipping sequence)

•

decoding: inner-product of encoded signal and chipping sequence

•

allows multiple users to “coexist” and transmit simultaneously with minimal interference (if codes are “orthogonal”)

(56)

Georgia

Tech

CDMA Encode/Decode

slot 1 slot 0 Z_i,m= d_i.c_m d₀ = 1 1 1 1 1 1 - - 11 - 1 -1 -1 -1 1 1 - - 11 - 1 -1 -1 -1 1 1 -1 - -1 -1 slot 0 channel output slot 1 channel output

channel output Z_i,m

sender code data bits d₁ = -1 d₀ = 1 slot 0 channel output slot 1 channel output receiver code received input D_i= ΣZ_i,m.c_m m=1 M M d₁ = -1 1 1 1 1 1 - - 11 - 1 -1 -1 -1 1 1 -1 - -1 -1 1 1 1 1 1 - - 11 - 1 -1 -1 -1 1 1 - - 11 - 1 -1 -1 -1 1 1 - - 11 - 1

(57)

-Georgia

Tech

(58)

Georgia

Tech

CDMA Privacy

•

Given that all signals look like noise unless you have the despreading sequence, what sort of privacy does CDMA give you?

‣ IS-95 operates at 1.25 Mc/s and has a long code of 42 bits.

•

Ideally, you should get a 2N_{search space...}

‣ ...based on an ideal pseudo-random generator.

•

Zhang et al show that this can actually be cracked by capturing 42 frames and solving 42 linear equations.

(59)

Georgia

Tech

CDMA Benefits

•

Higher capacity

‣ interference limited = high efficiency

‣ uses voice activity detection to reduce transmission bandwidth

•

Improved quality

‣ soft handoff

‣ CDMA has frequency, spatial and time diversity to adapt to errors

•

Ease of deployment

‣ no frequency planning; frequency reuse = 1

•

Increased privacy

‣ spreads small signal (9.6kbps) over large spectrum (1.25Mbps) so

that signal appears as noise

•

Increased talk time

‣ power control (performed 800x/sec) ensures that the MS transmits

(60)

Georgia

Tech

3G CDMA Interfaces

•

CDMA2000 (3GPP2/TIA) ‣ Chip rate: 1.2288, 3.6864 Mc/s ‣ Channel bandwidth: 1.25/5MHz ‣ Network synchronous: Base

stations synchronized via GPS

‣ 20 ms frames ‣ Common CDM pilot ‣ Power control (800 Hz)

•

WCDMA (3GPP/ETSI) ‣ Chip rate: 3.84 Mc/s ‣ Channel bandwidth: 5MHz ‣ Network synchronous mode ‣ 10 ms frames

‣ Common CDM pilot ‣ Power control (1600 Hz)

•

CDMA Harmonization group is trying to reconcile these and the SCDMA standard. WCDMA once had a chip rate of 4.096 Mc/s, dedicated CDM pilot and was only

(61)

Georgia

Tech

CDMA2000 Observations

•

Compatibility

‣ CDMA2000 as the 3G air interface is compatible with IS-95.

‣ CDMA2000 networks can be deployed as overlay on existing 2G

spectrum.

‣ Network architecture/protocols designed to easily migrate from IS-95. ‣ What are the implications here?

(62)

Georgia

Tech

CDMA2000 Observations

•

Network architecture is more IP friendly than UMTS, but still not “all-IP”.

•

3G1X, 3G1X EV-DO (HDR), 3G3X high data rate options for evolution.

•

3G1X and HDR deployments taking place in the US; 3G3x will use the new 700 Mhz spectrum sometime in the

(63)

Georgia

Tech

WCDMA Observations

•

WCDMA is the UMTS air interface and is a disruptive change from GSM.

•

GPRS allows for evolution to higher data rates from GSM, and uses UMTS network architecture but not the

WCDMA air interface.

•

Network architecture not pure “IP” and is not IETF friendly.

‣ All IP wireless network architecture is the big theme in this

(64)

Georgia

Tech

WCDMA Observations

•

Regulations allow full UMTS (5Mhz) deployment only in new frequency spectrum.

‣ WCDMA 1900 has 3.84 MHz channels.

•

Providers have paid huge amounts for UMTS spectrum.

‣ The most recent 700 Mhz auction raised approximately

$US 19.6 billion.

‣ “Block D” (10 MHz bandwidth) did not meet its reserve price

and will be open to auction again sometime in the future.

•

Tremendous money and effort is being poured in!

(65)

Georgia

Tech

GSM - Air Interface

•

Let’s get into the details of the most widely used air interface...

•

The GSM Air Interface supports:

‣ Call origination and termination

‣ Registration (location update and authentication) ‣ SMS

‣ Mobile assisted handoff ‣ User confidentiality

‣ Data confidentiality

(66)

Georgia

Tech

GSM Air Interface - Outline

•

System Description

•

Channel Structure

•

Protocols and Control Channels

(67)

Georgia

Tech

GSM Spectrum

•

50 MHz

‣ Uplink and downlink split bandwidth and use different frequencies

•

Reverse channel (uplink)

‣ 890-915 MHz

•

Forward channel (downlink)

‣ 935-960 MHz

•

Carriers spread at 200 KHz

(68)

Georgia

Tech

GSM Structure

•

Common Control Channel (CCCH)

‣ Used for control information: registration, paging, call origination/termination.

•

Traffic Channel (TCH)

‣ Information transfer

Common Control Channel (CCCH)

Traffic Channel (per user in a call)

(69)

Georgia

Tech

GSM Structure

•

The CCCH is really a series of many logical channels, each discernible by their position in time.

‣ The details of which are coming in future lectures.

•

The diagram in the previous slide should not be viewed “to scale”.

‣ The control channels generally represent ~3-6% of the resources

in a cell.

‣ Everything else is dedicated to TCHs. ‣ Why?

(70)

Georgia

Tech

Frequency Assignments

•

FDMA/TDMA systems

‣ Take advantage of frequency attenuation

‣ Key: Split spectrum into set of frequencies (channels) and reuse

frequencies in distant cells. Requires careful frequency planning.

•

Fixed vs. Dynamic allocation

‣ Channels are typically assigned to cells in a fixed manner.

‣ Fixed assignment is simple to implement as base stations are

independently and statically assigned their channels.

‣ Dynamic channel assignment based on load is possible but is

(71)

Georgia

Tech

Paging

Frequency Reuse

•

Cells typically modeled as hexagonal

‣ Circles result in overlaps, square/

triangle possible but result in larger approximation.

•

Each color represents a different set of carriers.

‣ Reuse factor F=3 shown

•

For hexagonal cells:

‣

•

To find co-channel cell, go i steps in one direction, turn 60°

counter-clockwise and go j steps.

Paging

(72)

Georgia

Tech

Co-channel Interference & System Capacity

•

If R = cell radius, D=distance between co-channel cell centers, co-channel reuse ration Q:

•

Larger Q implies better transmission due to reduced

interference, but also implies lower capacity per cell (S/N where S is the total number of available channels).

•

Let i0 be the number of co-channel interfering cells, making

the Signal to Interference (SIR) ratio at the receiver:

Q = D/R = 3F S I = S i0 I_i

(73)

Georgia

Tech

Co-Channel Interference & System Capacity

•

Assuming log-distance path loss (exponent: n) and

interference from first layer of equidistant interfering cells:

S I

=

R n i0 i=1

D

n

=

DR n i₀

=

(⇥3F )n i₀

(74)

Georgia

Tech

Example Capacity Calculation

•

Assume system can use all frequencies

‣ System-bandwidth = 50 MHz

‣ System uses FDD => bandwidth = 25 MHz

‣ Carriers spaced at 200 KHz

•

System capacity depends on re-use factors and cell size.

N_carr = Bsys

Bcarrier

(75)

Georgia

Tech

Frequency Reuse Factor Calculation

•

Let signal to interference ration of 18dB or more be acceptable.

•

Assume nearest 6 co-channel equidistant cells interfere.

•

Assume path-loss exponent is 4.

•

Frequency reuse factor F >= 6.5 = 7

S

I

= 18dB = 63.1

( 3F )4 6

(76)

Georgia

Tech

Cell Capacity

•

‣ F = 7, N_cell = 17

‣ 8 channels per carrier (TDMA)

‣ 136 channels/cell (A_cell)

‣ Each cell has a capacity of 136 simultaneous voice calls

•

F=3

‣ N_cell = 41

8 channels per carrier Ncarr = 125

(77)

Georgia

Tech

System Capacity

•

Network size = Z square miles

•

Cell size = C square miles

‣ cells/network = Z/C

•

Channels/network, Anet ‣

•

Z = 1000, C = 10, F = 7, Anet = 13,600

•

Z = 1000, C = 10, F = 3, Anet = 32,800

•

Z = 1000, C = 25, F = 7, Anet = 5,440

•

System capacity has a linear inverse relationship with cell size and frequency reuse patterns under ideal conditions

(78)

Georgia

Tech

Capacity and Blocking

•

Cellular systems rely on trunking to accommodate a large number of users with a limited number of channels.

‣ Trunking exploits statistical multiplexing of large numbers of

users (calls).

‣ Think about lines at the bank.

•

System is engineered with enough channels to handle the peak hour offered load at the given maximum blocking rate.

•

Typically, blocking for new calls is maintained at below 1%.

(79)

Georgia

Tech

Performance: Blocking

•

A is the offered load

in Erlangs: 0 1 2 ... 0 µ 2µ _3µ _{N µ} /µ 1 2 N . . . λ µ µ µ

•

Models input (call rate) of λ, N trunks, holding time of μ-1

pn = pB = An n! n i=0 Ai i! pn = pB = n n! n i=0 i i!

(80)

Georgia

Tech

Cell Capacity Planning

•

Based on spectrum allocation and frequency reuse

patterns, calculate number of channels available per cell.

•

Based on user density, calling and holding patterns, calculate load per cell in Erlangs.

•

Use Erlang B formula to calculate blocking given the load and number of channels.

(81)

Georgia

Tech

Practice Problem

•

Consider a system with 8 MHz total bandwidth and carrier frequencies of 160 kHz. Each carrier supports 3 voice

channels using TDMA. If the frequency reuse factor F=7, and the network covers 1,000 mi2_{, determine the blocking}

probability on the air interface for cell size of 1.0 mi2

assuming that users make/receive a combined 3 calls/hour,