Florida Institute for Cybersecurity (FICS) Research CIS 6930 - Cellular and Mobile Network Security: Cellular Networking Professor Patrick Traynor 9/18/2018


The Big Picture

"Details create the big picture." - Sanford I. Weill

Overview
• Evolution
• Architecture
• Air Interfaces
• Network Protocols
• Application: Messaging

Cellular Systems
• Wireless Access
  • TDMA (IS-136, GSM)
  • CDMA (IS-95, CDMA2000)
  • WCDMA (UMTS)
• Connection oriented networks for voice
  • PSTN (ISDN)
• Packet overlay networks for data
  • General Packet Radio Service (GPRS) - GSM and UMTS
  • Enhanced Version Data "Optimized" (EVDO) - CDMA
    • Rebranded from "Data Only"
• Signaling protocols
  • Signaling System Number 7 (SS7) for voice and GPRS
  • IETF protocols for EVDO

Wireless Standards Evolution to 4G

[Figure: evolution chart with generations 1G, 2G, 2.5G, 2.75G, 3G and 4G. Technologies shown: Analog AMPS, TACS, IS-95-A/cdmaOne, IS-136 TDMA, GSM, GSM GPRS, HSCSD, IS-95-B/cdmaOne, GSM EDGE, CDMA2000 1xRTT (1.25 MHz), CDMA2000 1xEVDO (1.25 MHz), CDMA2000 3x (5 MHz), WCDMA (UMTS), WiMAX, LTE (1.4, 3, 5, 10, 15, 20 MHz); existing spectrum at 700 MHz is marked.]

Reference Architecture
• MS: Mobile Subscriber/Station
• BTS: Base Transceiver Station
• BSC: Base Station Controller
• MSC: Mobile Switching Center
• HLR: Home Location Register
• AuC: Authentication Center
• VLR: Visitor's Location Register

[Figure: wireless network reference architecture showing the MS, several BTSs per BSC, BSCs attached to MSCs (each with a VLR), the HLR/AuC, and the connection to the PSTN/ISDN.]

Basic Network Architecture
• Gateway MSC receives incoming calls for phones.
• Serving MSC assigned based on location.
• HLR: Permanent registry for service profiles, pointer to VLR.
• VLR: Temporary repository for profile information, pointer to SMSC.

[Figure: MS, BSs, serving MSC with VLR, core network, HLR, GMSC and SMSC.]

Cellular Services
• Automatic call delivery
  • find a user, deliver a call
• IN-type services
  • e.g., call forwarding
• Messaging
  • short message service
• Connection oriented user data transfer
  • voice, fax, circuit-switched data
• Packet Data
  • General Packet Radio Service (GPRS) - GSM and UMTS
  • Enhanced Version Data "Optimized" (EVDO) - CDMA

High Level Call Flow
• Mobile User Registers
  • Power up/down
  • Movement
  • Periodic
• Call recipient located
  • Call routed to gateway or home MSC
  • Gateway MSC searches for called mobile (via HLRs and VLRs)
  • Mobile user is paged (determines current base station)
• Call delivered
  • Uses standard SS7 procedures

Delivering a Call

[Figure: call delivery across the GMSC, HLR, VLR, serving MSC, BSs and MS, with the numbered steps below.]
1. 404-894-2000
2. 404-894-2000 maps to HLR X
3. How do I deliver call to User 222?
4. How do I deliver call to User 222?
5. 999-xxx
6. 999-xxx
7. 999-xxx
8. Call to 999-xxx
9. Page
10. Call

Protocols of Note

[Figure: MS, BSs, MSC/VLR, HLR and PSTN/ISDN. Air Interfaces (MS to BS): GSM, IS-136, IS-95, UMTS. Mobility Management Protocols (MSC to HLR, over SS7): GSM-MAP, ANSI-41 MAP.]

Mobile Registration - High Level

[Figure: message sequence among Old SMSC, Old VLR, HLR, VLR, MSC and BS: Update Location from the new MSC/VLR to the HLR, Cancel Location from the HLR to the old VLR, OK.]

Mobile Call Delivery - High Level

[Figure: message sequence among Gateway MSC, HLR, VLR, MSC and BS: Call Request, Request Routing Info, Routing Number, SS7 Call Delivery, Call Request, Page, Connect.]

Security Moment - Location Granularity
• Commonly heard assertion: "The phone company knows exactly where all of their customers are located at every moment."
• Virtually all phones are equipped with some type of GPS resolution.
• Is this true?
• What are the security implications?
• What services could be enabled?

Hierarchy of Location Information

[Figure: location hierarchy across the HLR (reached from the GMSC and SMSC), the VLRs and the MSCs, with the labels Phone Number, Registration, Temporary Routing # and Paging marking the successive levels at which a subscriber is resolved.]
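The registration and call-delivery exchanges above (Update Location, Cancel Location, routing-number lookup, page), as an added toy model that is not part of the lecture. The class names, the IMSI, the location areas and the 999-xxx style routing numbers are constructed; the model shows that the HLR itself only ever holds a pointer to the serving VLR, which is the point of the location-hierarchy slide.

```python
"""Toy HLR/VLR location hierarchy (added example, not from the lecture)."""
from dataclasses import dataclass, field


@dataclass
class VLR:
    """Visitor Location Register: temporary profile plus current location area."""
    name: str
    msc: str
    visitors: dict = field(default_factory=dict)   # IMSI -> location area
    next_msrn: int = 0

    def attach(self, imsi: str, location_area: str) -> None:
        self.visitors[imsi] = location_area

    def cancel_location(self, imsi: str) -> None:
        self.visitors.pop(imsi, None)

    def provide_roaming_number(self, imsi: str) -> str:
        """Temporary routing number (the 999-xxx on the slide) reaching this MSC."""
        if imsi not in self.visitors:
            raise KeyError(f"{imsi} not registered at {self.name}")
        self.next_msrn += 1
        return f"999-{self.next_msrn:03d}"          # constructed numbering scheme


@dataclass
class HLR:
    """Home Location Register: permanent profile and a pointer to the serving VLR."""
    subscribers: dict = field(default_factory=dict)  # MSISDN -> IMSI
    serving_vlr: dict = field(default_factory=dict)  # IMSI -> VLR (no finer location)
    log: list = field(default_factory=list)

    def update_location(self, imsi: str, vlr: VLR, location_area: str) -> None:
        old = self.serving_vlr.get(imsi)
        if old is not None and old is not vlr:
            old.cancel_location(imsi)                 # "Cancel Location" to the old VLR
            self.log.append(f"CancelLocation {imsi} -> {old.name}")
        vlr.attach(imsi, location_area)
        self.serving_vlr[imsi] = vlr
        self.log.append(f"UpdateLocation {imsi} -> {vlr.name}")

    def send_routing_info(self, msisdn: str) -> str:
        """GMSC asks the HLR; the HLR asks the serving VLR for a routing number."""
        imsi = self.subscribers[msisdn]
        return self.serving_vlr[imsi].provide_roaming_number(imsi)


def deliver_call(hlr: HLR, msisdn: str) -> dict:
    """Dialed number -> HLR -> VLR routing number -> serving MSC -> page in the LA."""
    msrn = hlr.send_routing_info(msisdn)
    imsi = hlr.subscribers[msisdn]
    vlr = hlr.serving_vlr[imsi]
    return {"routing_number": msrn, "msc": vlr.msc,
            "paged_location_area": vlr.visitors[imsi]}


def demo():
    """Power-up registration at VLR-A, movement to VLR-B, then an incoming call."""
    hlr = HLR(subscribers={"404-894-2000": "IMSI-222"})   # number from the slide
    vlr_a, vlr_b = VLR("VLR-A", "MSC-A"), VLR("VLR-B", "MSC-B")
    hlr.update_location("IMSI-222", vlr_a, "LA-1")
    hlr.update_location("IMSI-222", vlr_b, "LA-7")
    return hlr, vlr_a, vlr_b, deliver_call(hlr, "404-894-2000")


if __name__ == "__main__":
    print(demo()[3])
```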

E911
• Enhanced 911 (E911) transmits your GPS location to the nearest Public Safety Answering Point (PSAP).
• This is how you always get the nearest 911 call center, regardless of where you are traveling in North America.
• But what about the "Location On" vs. "E911 Only" options available on most phones?
  • "Location On" does not allow the phone company to constantly track you. It instead allows services within the network to use your GPS data when you initiate them (e.g., Verizon Navigator, Family Locator).
• The phone company simply cannot keep track of all the changes in location information at every moment!

Voice Path
• This is under the assumption that the underlying network supports digital voice.
• What does that mean?

[Figure: voice path from the MS over the BS to the MSC (with VLR and HLR) and on to the PSTN/ISDN; the air leg carries Coded Voice, the wired leg Full rate voice (64 Kbps).]

Analog vs Digital
• Phone systems are generally classified as either analog or digital.
• What exactly does that mean?
• This is all about how data is represented and delivered through the network.
• Analog is the translation of voice/sound into electrical impulses.
  • Pure waveform representations of sounds.
• Digital is an approximation of this waveform, represented in 0s and 1s.

Analog vs Digital - Tradeoffs
• Analog
  • Inexpensive - think cheap home phones
  • Bandwidth constrained - very limited amount of data can be sent.
    • Security thoughts?
  • Noise - every link introduces noise, reduces clarity.
• Digital
  • Expensive - relatively speaking
  • Improved voice clarity - signal arrives exactly as approximated.
    • What about quality?
  • Higher bandwidth - compression of data.

Voice Encoding - GSM-FR/PCM/G.711
• Pulse Code Modulation (PCM) is the basis for GSM Full-Rate (GSM-FR) voice encoding.
• 8 kHz samples (64 kbps) reduced to 13.2 kbps using Regular Pulse Excitation - Long Term Prediction (RPE-LTP).
• Converted back to 64 kbps at MSC prior to Release 4.
• Changes in the core towards "TrFO" for all IP.

[Figure: sender side, each 20 msec of speech (160 samples) enters the RPE-LTP encoder and leaves as a 260-bit frame; receiver side, the RPE-LTP decoder turns each 260-bit frame back into 160 samples (20 msec).]

Air Interface Functions
• Control
  • read system parameters
  • authenticate
  • update location
  • receive and originate calls
  • manage handoffs
• Dedicated traffic
  • voice, data
• Shared Traffic
  • Messaging, data, signaling

Wireless Access Basics
• Frequency Division Multiple Access (FDMA):
  • Analog cellular - 1G
• Time Division Multiple Access (TDMA):
  • IS-54, IS-136, GSM - 2G
  • GPRS - 2.5G
• Code Division Multiple Access (CDMA):
  • IS-95 (cdmaOne) - 2G
  • IS-2000 (CDMA2000), WCDMA - 3G

FDD/TDD modes for Forward/Reverse Channels
• Frequency Division Duplex (FDD)
  • Two distinct bands of frequency for each user (forward and reverse).
  • Frequency separation between forward and reverse constant for all channels.
  • Reverse channel typically lower frequency than forward channel (so that the mobile device can transmit at lower power).
• Time Division Duplex (TDD)
  • Each duplex channel has a forward timeslot and reverse timeslot for bidirectional communication.
  • Simplifies subscriber equipment.
  • Rigid timing required for time-slotting.

Background - AMPS
• Advanced Mobile Phone System
  • Analog Channels
  • Frequency Modulation (FM)
  • 1 channel per carrier (1 conversation)

[Figure: a single FM channel centered on carrier frequency f_c.]

Background - TDMA
• Combination of FDMA and TDMA
• System operated within certain frequency bands
• Within system bands:
  • many carrier frequencies are defined
  • each carrier is divided into timeslots
  • a channel is defined by a set of time slots on a carrier frequency
• Forward (downlink) and Reverse (uplink) channels use different carriers.
• Information is digitally coded.

TDMA Overview
• Co-channel Interference
• Inter-symbol Interference
• Capacity limited by number of carriers, slots.

[Figure: the system bandwidth is divided into carriers (FDMA) and each carrier into time slots (TDMA): one carrier/channel, one slot, one user.]

TDMA
• Single carrier frequency is shared by several users.
• Data transmission occurs in bursts, resulting in lower battery consumption.
• High synchronization overhead is necessary because of burst transmissions.
• Discontinuous transmission also makes handoffs simpler, since the mobile device can listen to other base stations during idle time slots.
• Due to high transmission rates, inter-symbol interference is common and needs equalization.

GSM - Air Interface
• Let's get into the details of the most widely used air interface...
• The GSM Air Interface supports:
  • Call origination and termination
  • Registration (location update and authentication)
  • SMS
  • Mobile assisted handoff
  • User confidentiality
  • Data confidentiality
  • Sleep mode

GSM Spectrum
• 50 MHz
  • Uplink and downlink split bandwidth and use different frequencies
• Reverse channel (uplink)
  • 890-915 MHz
• Forward channel (downlink)
  • 935-960 MHz
• Carriers spread at 200 kHz
  • Why is this?

Frequency Assignments
• FDMA/TDMA systems
  • Take advantage of frequency attenuation
  • Key: Split spectrum into a set of frequencies (channels) and reuse frequencies in distant cells. Requires careful frequency planning.
• Fixed vs. Dynamic allocation
  • Channels are typically assigned to cells in a fixed manner.
  • Fixed assignment is simple to implement as base stations are independently and statically assigned their channels.
  • Dynamic channel assignment based on load is possible but is more complicated and requires real-time coordination between different base stations.

Frequency Reuse
• Cells typically modeled as hexagonal
  • Circles result in overlaps; square/triangle possible but result in larger approximation.
• Each color represents a different set of carriers.
  • Reuse factor F=3 shown
• For hexagonal cells, the reuse factor is $i^2 + (i \cdot j) + j^2$, with $i \ge 1$, $j \ge 1$.
  • To find a co-channel cell, go i steps in one direction, turn 60° counter-clockwise and go j steps.

Example Capacity Calculation
• Assume system can use all frequencies
  • System bandwidth = 50 MHz
  • System uses FDD => bandwidth = 25 MHz
  • Carriers spaced at 200 kHz
• $N_{carr} = \frac{B_{sys}}{B_{carrier}} = 125$
• System capacity depends on re-use factors and cell size.

Cell Capacity
• $N_{carr} = 125$
• $N_{cell} = N_{carr} / F$
• F = 7, $N_{cell}$ = 17
  • 8 channels per carrier (TDMA)
  • 136 channels/cell ($A_{cell}$)
  • Each cell has a capacity of 136 simultaneous voice calls
• F = 3
  • $N_{cell}$ = 41
  • 8 channels per carrier
  • 328 channels/cell

System Capacity
• Network size = Z square miles
• Cell size = C square miles
  • cells/network = Z/C
• Channels/network, $A_{net} = A_{cell} \cdot \frac{Z}{C}$
  • Z = 1000, C = 10, F = 7, $A_{net}$ = 13,600
  • Z = 1000, C = 10, F = 3, $A_{net}$ = 32,800
  • Z = 1000, C = 25, F = 7, $A_{net}$ = 5,440
• System capacity has a linear inverse relationship with cell size and frequency reuse patterns under ideal conditions.

Capacity and Blocking
• Cellular systems rely on trunking to accommodate a large number of users with a limited number of channels.
• Trunking exploits statistical multiplexing of large numbers of users (calls).
  • Think about lines at the bank.
• System is engineered with enough channels to handle the peak hour offered load at the given maximum blocking rate.
• Typically, blocking for new calls is maintained at below 1%.
• To calculate blocking, we need to apply some queuing theory.

Performance: Blocking
• A is the offered load in Erlangs: $A = \lambda / \mu$

[Figure: N trunks fed by arrivals at rate λ, each trunk serving at rate µ; the corresponding birth-death chain has states 0, 1, 2, ..., N with upward transitions at rate λ and downward transitions at µ, 2µ, 3µ, ..., Nµ.]

• Models input (call rate) of λ, N trunks, holding time of $\mu^{-1}$

$$p_n = p_B = \frac{A^n / n!}{\sum_{i=0}^{n} A^i / i!}$$

Cell Capacity Planning
• Based on spectrum allocation and frequency reuse patterns, calculate number of channels available per cell.
• Based on user density, calling and holding patterns, calculate load per cell in Erlangs.
• Use Erlang B formula to calculate blocking given the load and number of channels.

Practice Problem
• Consider a system with 8 MHz total bandwidth and carrier frequencies of 160 kHz. Each carrier supports 3 voice channels using TDMA. If the frequency reuse factor F=7, and the network covers 1,000 mi², determine the blocking probability on the air interface for a cell size of 1.0 mi², assuming that users make/receive a combined 3 calls/hour, calls last an average of 2.5 minutes and there are 10 users/mi².

Work Through It!
• 10 carriers/3 (reuse) = 3 carriers/cell
• 3 carriers

8 MHz total BW = 4 MHz in each direction for full duplex

$$\frac{4 \times 10^6}{160 \times 10^3} = 25 \text{ carriers}, \qquad \frac{25 \text{ carriers}}{7 \text{ reuse}} = 3 \frac{\text{carriers}}{\text{cell}}$$

$$3 \frac{\text{carriers}}{\text{cell}} \cdot 3 \frac{\text{channels}}{\text{carrier}} = 9 \frac{\text{channels}}{\text{cell}}$$

$$\text{Load: } A = \frac{\lambda}{\mu} = 10 \frac{\text{users}}{\text{mi}^2} \cdot \text{Area}_{cell} \cdot 3 \frac{\text{calls}}{\text{hour}} \cdot \frac{1 \text{ hour}}{60 \text{ mins}} \cdot 2.5 \frac{\text{mins}}{\text{call}} = 1.25 \cdot \text{Area}_{cell} = A$$

Use Erlang-B with N = 9, A = 1.25

Last Part
• The probability of being struck by lightning = $3.57 \times 10^{-6}$.
• ...meaning that you are almost twice as likely to be struck by lightning as to get a busy signal in this network...

$$p_n = p_B = \frac{A^n / n!}{\sum_{i=0}^{n} A^i / i!} = \frac{1.25^9 / 9!}{\frac{1.25^0}{0!} + \frac{1.25^1}{1!} + \cdots + \frac{1.25^9}{9!}} = 5.88 \times 10^{-6}$$
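The capacity-planning procedure of the preceding slides (carriers from bandwidth, channels per cell from the reuse factor, channels per network, offered load in Erlangs, Erlang-B blocking), worked end to end as an added Python example that is not part of the lecture. The function names are my own; the slide values (50 MHz/200 kHz system, the 8 MHz practice problem) are used as inputs so the slide results can be reproduced, and the hexagonal reuse-factor formula from the frequency-reuse slide is included as well.

```python
"""Cell capacity and Erlang-B blocking (added example, not from the lecture)."""


def reuse_factor(i: int, j: int) -> int:
    """Hexagonal cluster size i^2 + i*j + j^2 for i, j >= 1 (frequency-reuse slide)."""
    if i < 1 or j < 1:
        raise ValueError("i and j must be >= 1")
    return i * i + i * j + j * j


def carriers(system_bw_hz: float, carrier_bw_hz: float, fdd: bool = True) -> int:
    """N_carr = B_sys / B_carrier; with FDD only half the allocation serves one direction."""
    usable = system_bw_hz / 2 if fdd else system_bw_hz
    return int(usable // carrier_bw_hz)


def channels_per_cell(n_carr: int, reuse: int, channels_per_carrier: int) -> int:
    """A_cell = floor(N_carr / F) carriers per cell times TDMA channels per carrier."""
    return (n_carr // reuse) * channels_per_carrier


def channels_per_network(a_cell: int, network_area: float, cell_area: float) -> int:
    """A_net = A_cell * Z / C (network area Z and cell area C in the same units)."""
    return int(a_cell * network_area / cell_area)


def offered_load_erlangs(users_per_area: float, cell_area: float,
                         calls_per_hour: float, mean_hold_min: float) -> float:
    """A = lambda / mu: arrivals per hour in the cell times mean holding time in hours."""
    users = users_per_area * cell_area
    return users * calls_per_hour * (mean_hold_min / 60.0)


def erlang_b(n_trunks: int, load: float) -> float:
    """Erlang-B blocking p_B = (A^N / N!) / sum_{i=0}^{N} A^i / i!.

    Computed with the recursion B(k) = A*B(k-1) / (k + A*B(k-1)), B(0) = 1,
    which avoids the factorials and overflow of the closed form.
    """
    b = 1.0
    for k in range(1, n_trunks + 1):
        b = load * b / (k + load * b)
    return b


def practice_problem():
    """Practice-problem slide: 8 MHz total, 160 kHz carriers, 3 TDMA channels per
    carrier, F = 7, 1.0 mi^2 cells, 10 users/mi^2, 3 calls/hour, 2.5 min hold."""
    n_carr = carriers(8e6, 160e3)                  # 25 carriers per direction
    a_cell = channels_per_cell(n_carr, 7, 3)       # 9 channels per cell
    load = offered_load_erlangs(10, 1.0, 3, 2.5)   # 1.25 Erlangs per cell
    return n_carr, a_cell, load, erlang_b(a_cell, load)


if __name__ == "__main__":
    n_carr, a_cell, load, p_block = practice_problem()
    print(f"carriers={n_carr} channels/cell={a_cell} load={load:.2f} E "
          f"blocking={p_block:.2e}")
```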