A Denial of Service Attack to GSM Networks via Attach Procedure

N. Gobbo¹, A. Merlo², M. Migliardi¹,³

¹ Universita’ degli Studi di Padova
² Universita’ degli Studi di Genova
³ Centro Ingegneria Piattaforme Informatiche


Mobile Networks

• Continuously evolving
    o Follows (and creates) user needs
• Pervasive
• Felt as one of the “utilities”
• Tagged as a critical infrastructure
• Secure?
    o Confidentiality, Integrity, Availability


Some Network Structure


State of the Art

• Let’s have a look at the current choices
• 3 possible attack roads
    o Radio access
    o Traffic Channels
    o Signaling Channels


Availability Attack 1: Jamming

• A Radio Attack
• Focuses on the radio access component of the network
• Very localized in a cell network
• Heavy trade-off between energy consumption and successfulness


Availability Attack 2: Traffic Channels

• Requires a large number of compromised terminals
    o A botnet
• It’s a replication of the “busy hour failed call” effect
    o Common in early switched networks
• You need a “concentrated” botnet
• To change the target you need to move the botnet
    o Very complex problem
    o Extremely hard to implement


Availability Attack 3: Signaling Channels

• More bandwidth efficient
    o Fewer bytes to be sent
• Still requires a large number of compromised terminals
    o Another botnet
• Concentrated terminals are a problem
• Attacks both access and core components


Previously

• The most dangerous availability attack through signaling channels
    o Traynor et al., 2009
• Describes a DoS that may cause regional effects
• Attacks a core component transparent to users
• It needs to compromise actual users’ accounts
    o Real SIM modules
• It needs a very large number of compromised terminals
    o Yet another botnet
• It may be foiled by bot concentration
    o Not good during “events”
• We want to achieve the same level of disruption while removing (or weakening) these constraints


Look Mummy, no SIM!

• Remove the need for activated SIM modules
• The attach procedure may be initiated by fake (SIMless) terminals
• Faster than the one adopted by Traynor
• Less expensive in terms of resources (~5 times)
• Less efficient for an attacker
• No SIM -> no need for a user device
• A dedicated device may bypass protocol time guards
• Flooding limited only by the radio interface
• More efficient in attacking


The Price

How many Devices are needed?


The HLR Throughput

• We take as a base Traynor et al. findings
• How fast can we hit the HLR with our device?


GSM Signaling Interface Analysis

● TDMA
● Constraints: Signaling channels capabilities
● Message exchange is standard defined
● RACH → $\frac{27}{235.38\ \mathrm{ms}} \approx 114\ \mathrm{TPS}$
● AGCH → $\frac{3}{235.38\ \mathrm{ms}} \approx 12\ \mathrm{TPS}$
● SDCCH → $\frac{12}{1.44\ \mathrm{s}} \approx 8\ \mathrm{TPS}$
● Our request period is 0.120 s
    – ~40 times faster


Sum it up

• Less expensive HLR function
    o ~5 times less resource demanding
• Much more aggressive requests
    o ~40 times more aggressive
• From 11750 compromised smartphones
• Down to 1563 SIMless devices
    o An order of magnitude decrease in terms of resources needed
• Being SIMless has additional benefits


No BotNet Required

• SIMless devices need no user account
    o Just the IMSI (spoofable, as shown by Khan et al., 2009)
• No need to break into actual mobile phones
    o Not limited to smartphones
    o No trojan to be devised
    o No mobile C&C to be maintained
• No user in control of their device
    o No danger of being discovered before the attack
    o No danger of having bots switched off at attack time


No Problems with Events

• Signaling DOS -> the bottleneck is the signaling channel
• Many devices in a cell will jam each other
    o A crowded place may foil the attack
    o From regional disruption to a single cell business (busy-ness)
• Dedicated devices may be placed by the attacker
    o No random movement
    o Precise location
    o Maximum efficiency


Conclusions & Future Works

• In this paper we have shown that it is possible to
    o 1) disrupt the GSM network at regional level
    o 2) do it without compromising real users’ accounts
    o 3) with an order of magnitude fewer devices than previously devised (from ~11K to ~1K)
    o There is the need for a specialized radio device
        • Not complex, but not consumer market
• What’s next?
    o Implement the specialized device
    o Port the attack to UMTS
    o Port the attack to LTE
    o Test for real (while avoiding ending in Court/Jail)