A Denial of Service Attack to GSM Networks via Attach Procedure
N. Gobbo [1], A. Merlo [2], M. Migliardi [1,3]
[1] Universita’ degli Studi di Padova
[2] Universita’ degli Studi di Genova
[3] Centro Ingegneria Piattaforme Informatiche
Mobile Networks
• Continuously evolving
o Follows (and creates) user needs
• Pervasive
• Felt as one of the “utilities”
• Tagged as a critical infrastructure
• Secure?
o Confidentiality, Integrity, Availability
Some Network Structure
State of the Art
• Let’s have a look at the current choices
• 3 possible attack roads
o Radio access
o Traffic Channels
o Signaling Channels
Availability Attack 1: Jamming
• A radio attack
• Focuses on the radio access component of the network
• Very localized in a cellular network
• Heavy trade-off between energy consumption and chance of success
Availability Attack 2: Traffic Channels
• Requires a large number of compromised terminals
o A botnet
• It’s a replication of the “busy hour failed call” effect
o Common in early switched networks
• You need a “concentrated” botnet
• To change the target you need to move the botnet
o Very complex problem
o Extremely hard to implement
Availability Attack 3: Signaling Channels
• More bandwidth efficient
o Fewer bytes to be sent
• Still requires a large number of compromised terminals
o Another botnet
• Concentrated terminals are a problem
• Attacks both access and core components
Previously
• The most dangerous availability attack through signaling channels
o Traynor et al., 2009
• Describes a DoS that may cause regional effects
• Attacks a core component, transparently to users
• It needs to compromise actual user accounts
o Real SIM modules
• It needs a very large number of compromised terminals
o Yet another botnet
• It may be foiled by bot concentration
o Not good during “events”
• We want to achieve the same level of disruption while removing (or weakening) these constraints
Look Mummy, no SIM!
• Remove the need for activated SIM modules
• The attach procedure may be initiated by fake (SIM-less) terminals
• Faster than the one adopted by Traynor
o Less expensive in terms of resources (~5 times)
o Less efficient for an attacker
• No SIM -> no need for a user device
o A dedicated device may bypass protocol time guards
o Flooding limited only by the radio interface
o More efficient in attacking
The Price
• How many devices are needed?
The HLR Throughput
• We take the findings of Traynor et al. as a baseline
• How fast can we hit the HLR with our device?
GSM Signaling Interface
Analysis
● TDMA
● Constraints: signaling channel capabilities
● Message exchange is standard-defined
● RACH → 27 / 235.38 ms ≈ 114 TPS
● AGCH → 3 / 235.38 ms ≈ 12 TPS
● SDCCH → 12 / 1.44 s ≈ 8 TPS
● Our request period is 0.120 s
– ~40 times faster
Sum it up
• Less expensive HLR function
o ~5 times less resource demanding
• Much more aggressive requests
o ~40 times more aggressive
• From 11750 compromised smartphones
• Down to 1563 SIM-less devices
o An order of magnitude decrease in terms of resources needed
• Being SIM-less has additional benefits
No Botnet Required
• SIM-less devices need no user account
o Just the IMSI (spoofable, as shown by Khan et al. 2009)
• No need to intrude into actual mobile phones
o Not limited to smartphones
o No trojan to be devised
o No mobile C&C to be maintained
• No user in control of the device
o No danger of being discovered before the attack
o No danger of having bots switched off at attack time
No Problems with Events
• Signaling DoS -> the bottleneck is the signaling channel
• Many devices in a cell will jam each other
o A crowded place may foil the attack
o From regional disruption to a single cell business (busy-ness)
• Dedicated devices may be placed by the attacker
o No random movement
o Precise location
o Maximum efficiency
Conclusions & Future Works
• In this paper we have shown that it is possible to
o 1) disrupt the GSM network at regional level
o 2) do it without compromising real user accounts
o 3) do it with an order of magnitude fewer devices than previously devised (from ~11K to ~1K)
o There is the need for a specialized radio device
• Not complex, but not consumer market
• What’s next?
o Implement the specialized device
o Port the attack to UMTS
o Port the attack to LTE
o Test for real (while avoiding ending up in court/jail)