• No results found

Cellular Networks: Background and Classical Vulnerabilities

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Cellular Networks: Background and Classical Vulnerabilities"

Copied!
27
0
0

Loading.... (view fulltext now)

Download now ( 27 Page )

Full text

(1)

3YSTEMSAND)NTERNET )NFRASTRUCTURE3ECURITY

I

I

.ETWORKAND3ECURITY2ESEARCH#ENTER

$EPARTMENTOF#OMPUTER3CIENCEAND%NGINEERING 0ENNSYLVANIA3TATE5NIVERSITY5NIVERSITY0ARK0!

Cellular Networks:

Background and

Classical Vulnerabilities

Patrick Traynor

(2)

Cellular Networks

• Provide communications infrastructure for an estimated 2.6 billion users daily.

‣ The Internet connects roughly 1 billion.

• For many people, this is their only means of reaching the outside world.

• Portable and inexpensive nature of user equipment makes this technology accessible to most

(3)

socio-Aren’t They The Same?

• Cellular networks and the Internet are built to support very different kinds of traffic.

‣ Real-time vs Best Effort

• The notions of control and authority are different.

‣ Centralized vs distributed

• The underlying networks are dissimilar.

(4)

Network Characteristics

• Composed of wired backbone and wireless last-hop • Inconsistent performance

‣ Variable delay

‣ High error rates

‣ Lower bandwidth

(5)

Access Basics - FDMA

• The most basic access technique is known as

Frequency-Division Multiple Access (FDMA).

• Each user in these systems receives their own dedicated frequency band (i.e., “carrier”).

‣ Requires one for uplink and another for downlink. • To reduce interference, each carrier must be

(6)

TDMA Access

Time-Division Multiple Access (TDMA) systems greatly increase spectrum utilization.

• Each carrier is subdivided into timeslots, thereby increasing spectrum use by a factor of the divisor.

• Requires tight time synchronization in order to work.

‣ To protect against clock drift, we need to buffer our timeslots with guard-time.

(7)

CDMA Access

Code-Division Multiple Access (CDMA) systems have users transmit simultaneously on the same frequency. • The combined transmissions are viewed additively by

the receiver.

• By applying a unique code, the receiver can mask-out the correct signal.

(8)

In the beginning... (1G)

• First commercial analog systems introduced in the early 1980’s.

• Two competing standards arose: The Advanced

Mobile Phone System (AMPS) and Total Access Communication System (TACS).

• Both systems were FDMA-based, so supporting a large number of calls concurrently was difficult.

(9)

The Advent of Digital (2G)

• Second Generation systems were introduced in the early 1990’s.

• Three competing standards: IS-136 and GSM (TDMA) and IS-95-A/cdmaOne (CDMA).

• 2G networks introduced dedicated control channels, which greatly increased the amount of information exchanged between devices and the network.

(10)

Introducing Data (2.5G)

• Digital brings higher bandwidth, and the opportunity to deploy data services.

• Standards for data systems: GPRS and HSCSD (TDMA) IS-95-B/cdmaOne (CDMA).

• 2.5G Data services have been met with varying success.

(11)

High Speed (3G)

• In theory, can provide rates of 10 Mbps downlink.

• Slow to roll out, 3G systems are only now becoming widespread.

‣ In Pennsylvania, only a few major cities have coverage. • Competing standards: cdma2000/EV-DO and

(12)

Evolution Summary

1G (analog) AMPS TACS 2G (digital) IS-95-A/ cdmaOne IS-136 TDMA GSM 2.5G (data) IS-95-B/ cdmaOne GPRS HSCSD

cdma2000 1x (1.25 MHz) cdma2000 3x (5 MHz)

1X EVDO: HDR

136 HS EDGE

EDGE 2.75G (data) 3G (wideband data) WCDMA

(13)

SS7 Network

• Powering all of these networks is the SS7 core.

‣ 3G networks will eventually shift to the all-IP IMS core, but SS7 will never fully go away.

• These systems are very different from IP networks.

‣ The requirements are different: real-time vs best-effort services.

(14)

Protocol Architecture

• All of the functionality one expects to find in the OSI/Internet protocol stack is available in SS7.

• Where those services are implemented may be

MTP L1 MTP L2 MTP L3 ISUP SCCP TCAP MAP Physical Layer Link Layer Network Layer Transport Layer Application Layer

(15)

Message Transfer Part

• Covers most of the functionality of the lowest three OSI/Internet protocol stack.

• Broken into three “levels”.

‣ MTP1: 56/64 KBps physical links.

‣ MTP2: Link layer and reliable message delivery.

‣ MTP3: Network layer functionality.

ISUP SCCP

TCAP MAP

Transport Layer Application Layer

(16)

ISUP, SCCP, TCAP

ISDN User Part (ISUP): Carries call routing information for resource reservation.

Signaling Connection Control Part (SCCP): Carries routing information for specific functions.

Transaction Capabilities Application Part

(TCAP): Interface to request the execution

of remote procedures. ISUP SCCP TCAP MAP

Transport Layer Application Layer

(17)

Mobile Application Part

• The application layer for SS7 networks.

• This supports services directly visible by the user:

‣ Call handling

‣ Text messaging

‣ Location-based services

• Protected by MAPsec ISUP SCCP TCAP MAP

Transport Layer Application Layer

(18)

Network Components

• HLR stores records for all phones in the network.

• MSC/VLR connect wired and wireless components of the network and perform handoffs.

• BS communicate wirelessly with users. • MS is a user’s mobile device.

Serving VLR MSC

VLR

MSC

(19)

Security Issues

• Such networks have long been viewed as secure because few had access to them or the necessary knowledge.

• However, attacks are not a new phenomenon.

‣ Many different classes of attacks are well documented.

• We investigate a number of such attacks throughout the remainder of this lecture.

(20)

Weak Crypto

• GSM networks use COMP128 for all operations.

‣ Authentication (A3), session key gen (A8) and encryption (A5).

• COMP128 was a proprietary algorithm...

‣ ...that can be broken in under one second.

‣ Weaker variants can be broken in 10 milliseconds.

(21)

One-Way Authentication

• In GSM systems, the network cryptographically authenticates the client.

• The client assumes that any device speaking to it is the network.

• Accordingly, it is relatively easy to perform a “Man in the Middle” attack against all GSM networks.

(22)

Core Vulnerabilities

• None of the messages sent within the network core are authenticated.

• MAPsec attempts to address this problem by providing integrity and/or confidentiality.

• The only known deployment of MAPsec was online for two days before being shut off.

(23)

Eavesdropping

• Early analog systems were easy to eavesdrop upon.

‣ Processing power, export rules and bandwidth worked against cryptography.

• GSM systems use weak crypto, so eavesdropping is still possible over the air.

• Nothing is encrypted through the network itself, so anyone with access can listen to any call.

(24)

Jamming

• The legality of cell phone jamming varies from country to country.

‣ USA: Illegal

‣ France: Legal in certain circumstances

• Just because it is illegal in some countries does not mean it is not a threat.

‣ You can buy hand-held jammers on the street in most major cities.

(25)

Malware

• Known malware does not target the cellular infrastructure...

‣ ...yet.

• The proliferation of laptop cellular cards is wreaking havoc on these networks.

‣ Spyware “phoning home” is already taxing the network. • Differences between the Internet and cellular

(26)

Conclusion

• Cellular networks are significantly different than their traditional IP counterparts.

• Built on the assumption of a controlled environment, these systems are becoming more accessible.

• Much more work is needed.

‣ Solutions in one domain do not always apply to the other. • Examples of new attacks coming soon...

(27)

Questions

Patrick Traynor

[email protected]

References

Download now ( PDF - 27 Page - 724.87 KB )

Related documents

Wind Career Ladder, Curriculum and Job Descriptions

Job Description : The Wind Farm Project Manager position is a high level position; this position will oversee all aspects of the technical specialities of wind power

Precursors of Terrorism in the Democratic Republic of the Congo

Findings did not indicate a significant difference in the proportion of the variance in terrorist incidents that was predictable from political stability in the DRC and

From structural to detailed land-use planning in the city of Valencia : options and limits for a new integrating community planning : case of 'Ciutat Vella'

Un elemento que sin duda va a repercutir sobre la posibilidad de que esta nueva planificación comunitaria arraigue y poder lograr así el objetivo de una ciudad más cohesiva

Elegies for Empire: The Poetics of Memory in the Late Work of Du Fu (712-770)

happened, and as such was an act of self-definition. Du Fu’s poetics of historical memory refers to these transformations enacted in and through poems on the identities of place

FOOD REGULATION POLICY OPTIONS CONSULTATION PAPER for the review of the 2003 Ministerial Policy Guideline Food Safety Management in Australia: Food

The 2003 Ministerial Policy Guidelines on Food Safety Management in Australia – Food Safety Programs identifies four high-risk industry sectors where implementation of the

Drafting a monitoring plan for the ROAD project under the EU CCS Directive

Overall, the ROAD traffic light approach promotes transparency and provides the flexibility to adjust the monitoring plan based on data and modelling results becoming available as

Transcript of update interview with Mr. Adam Smith

Well, we look forward to a very busy fall in the company, both in advancing Cerro Prieto to the start of construction and in the commencement of exploration at Xochipala, so, I

Red Flags Hidden Issues that Threaten Dealer Profitability. To hear the audio portion of this Webinar, dial:

• Unique Identity Theft Challenges and Solutions for Internet Sales • The Interplay between Red Flags and Safeguards For Data Security.. To hear the audio portion of this Webinar,