Mobile Network Challenges (and why LACSEC should care)
Joe Eggleston, Craig Labovitz <joe,labovit>@monkey.org
Z. Morley Mao [email protected] University of Michigan
Scott Iekel-Johnson [email protected] Arbor Networks
Page 2 - Arbor Networks
Observation
Little discussion about mobile among operators
– 1,870 emails about IPv6 in last year (Nanog)
– And 11 emails about 3G / 4G (Nanog)
– 161 emails about IPv6 in last year (LACNOG)
– And 0 emails about 3G / 4G (LACNOG)
Why no discussion of mobile security?
Possibly because…
a) Mobile networks are just not that important
b) 3G security and engineering are way better than fixed (i.e. no problems to discuss)
c) Mobile core is another group’s problem (and they don’t subscribe to NANOG)
Why LACNOG Should Care
a) Fixed line traffic is growing quickly
– Observatory data pegs fixed inter-domain at 45-55%
– But mobile traffic growing 80-150% / year
– Users want to access your network via a mobile connection.
b) 3G / 4G security is not better than fixed – Likely far worse
c) Organizational changes
– Mobile / fixed traditionally completely separate org
– Almost 1/3 now merged or will merge in next year
– Fixed-line security groups charged with securing mobile
So if you don’t care now, you probably soon will.
Agenda
– Motivation
– Engineering Challenges
– Security Challenges
– Questions
Why Mobile is Different
1. Spectrum, Cell-sites, Backhaul, Battery – Much of the cost
2. Optimized for QoS, fine-grained billing, intelligence in the network
– Voice-centric assumptions (LTE vs. TD-LTE)
– Latency
3. Signaling load
– Incurs latency, strains infrastructure
– Weak link – new attack vector
4. State tracking
– Intelligence in the network
– Easy to attack (imagine a syn flood disabling a router)
5. Complex, brittle protocols and stacks
– Massive specs, seldom used code paths, little scrutiny
– TLVs within TLVs within TLVs
– Result: buffer overrun cup runneth over
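An added example, not from the slides or from any 3GPP implementation: a bounds-checked walker for the nested TLVs that item 5 blames for buffer overruns, written in C because that is where the overrun happens. The encoding is a constructed toy format (1-byte tag, 1-byte length, value; tags with bit 0x80 set hold a nested TLV list), not a real 3GPP information-element layout.

```c
/* Added example: bounds-checked nested TLV walker over a constructed toy
 * encoding (tag, length, value; tag & 0x80 means "contains nested TLVs").
 * Not a 3GPP encoding; the checks are the point, not the format. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_DEPTH 4  /* reject nesting deeper than the format is meant to allow */
/* Returns the number of TLVs visited at all levels, or -1 if the buffer is
 * malformed. A length field that runs past the end of its enclosing value is
 * exactly the defect an unchecked parser turns into a buffer overrun. */
static int walk_tlv(const uint8_t *buf, size_t len, int depth)
{
    size_t off = 0;
    int count = 0;
    if (depth > MAX_DEPTH)
        return -1;
    while (off < len) {
        if (len - off < 2)                 /* header truncated */
            return -1;
        uint8_t tag = buf[off];
        size_t vlen = buf[off + 1];
        off += 2;
        if (vlen > len - off)              /* declared length exceeds the data left */
            return -1;
        if (tag & 0x80) {                  /* constructed tag: walk the nested list */
            int inner = walk_tlv(buf + off, vlen, depth + 1);
            if (inner < 0)
                return -1;
            count += inner;
        }
        off += vlen;
        count++;
    }
    return count;
}
int parse_message(const uint8_t *buf, size_t len) { return walk_tlv(buf, len, 0); }
/* Constructed samples: good_msg is one container holding two primitive TLVs;
 * bad_msg is a container whose inner TLV claims 0x20 bytes when only 2 remain. */
static const uint8_t good_msg[] = { 0x81, 0x06, 0x01, 0x01, 0xAA, 0x02, 0x01, 0xBB };
static const uint8_t bad_msg[]  = { 0x81, 0x04, 0x01, 0x20, 0xAA, 0xBB };
int main(void)
{
    printf("good: %d TLVs\n", parse_message(good_msg, sizeof good_msg)); /* 3 */
    printf("bad:  %d\n", parse_message(bad_msg, sizeof bad_msg));        /* -1 */
    return 0;
}
```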
Mobile Network Review
[Network diagram: RAN (Node B/BTS, HNB femtocell with baseband reached via AT+C... commands, RNC/BSC, HNB-GW/SecGW over IPsec and IuH); Packet Switched Domain (SGSN, GGSN; interfaces IuPS, Gn, Gi, Gp); Circuit Switched Domain (MSC, VLR, HLR/AuC, SMS-SC; interfaces IuCS, E, C, Gd); connections to the Internet, GRX/IPX, other MNOs and the PSTN; Mobile Data Center with Firewall/NAT and Content Optimizers, Filters, etc.]
Engineering Challenges
Challenge: Heavy-weight Architecture
Network and phone architectural decisions have significant impact on performance
Complex interactions between
– Phone
– Network element buffering, retransmits
– TCP
The mobile network contributes over 80% of the total latency from a mobile device to Internet landmark servers. See Huang et al. [1]
GPRS Protocol Stacks (Source: 3GPP TS 23.060)
Excerpt from ETSI TS 123 060 V9.6.0 (2010-10), page 233 (3GPP TS 23.060 version 9.6.0 Release 9):
In case the application above PPP uses a different protocol than IP (e.g. IPX or AppleTalk), the interconnection to the packet data network is outside the scope of this specification.
[Figure 82: A/Gb mode User Plane for PDP Type PPP. Protocol stack diagram across MT, BSS, SGSN and GGSN over the Um, Gb, Gn and Gi interfaces: PPP relayed at the MT from the R reference point; SNDCP/LLC/RLC/MAC/GSM RF between MT and BSS; BSSGP/Network Service/L1bis between BSS and SGSN; GTP-U/UDP/IP/L2/L1 between SGSN and GGSN; e.g. L2TP or IP tunnel beyond Gi.]
[Figure 83: Iu mode User Plane for PDP Type PPP. Protocol stack diagram across MS, RNS, 3G-SGSN and GGSN over the Uu, Iu, Gn and Gi interfaces: PPP relayed at the MS from the R reference point; PDCP/RLC/MAC/L1 between MS and RNS; GTP-U/UDP/IP over ATM between RNS and 3G-SGSN; GTP-U/UDP/IP/L2/L1 between 3G-SGSN and GGSN; e.g. L2TP or IP tunnel beyond Gi.]
12.5.2 Functions
The PPP peers at the MS and the GGSN handle the PPP protocol as specified in RFC 1661 [44]. PPP requires in-sequence packet delivery by the underlying protocols. Concerning GTP, this shall be achieved by negotiation of the delivery order attribute in the QoS profile upon PDP context activation. In A/Gb mode, concerning SNDCP, out-of-sequence packets, that may be present if LLC operates in unacknowledged mode, shall be discarded. SNDCP for A/Gb mode, and PDCP for Iu mode, shall not use TCP/IP header compression because PPP may not carry IP packets at all, or because PPP may carry IP packets with already compressed TCP/IP headers. These PPP options are negotiated during the RFC 1661 [44] Network Control Protocol establishment phase.
12.6 Gb Interface (A/Gb mode)
The Gb interface connects the BSS and the SGSN, allowing the exchange of signalling information and user data. The Gb interface shall allow many users to be multiplexed over the same physical resource. Resources are given to a user upon activity (when data is sent or received) and are reallocated immediately thereafter. This is in contrast to the A interface where a single user has the sole use of a dedicated physical resource throughout the lifetime of a call irrespective of activity.
A/Gb mode signalling and user data are sent in the same user plane. No dedicated physical resources are required to be allocated for signalling purposes.
Challenge: Protocol/Network Interactions
Channel-type switching: remember TCP Tahoe, Reno, Vegas…? Now add a network with (configurable) states, timers, QoS classes…
– All of which affect the bandwidth and latency
– And can change underneath TCP
[Figure: Radio Resource Control protocol states. Idle → CELL_DCH on send/receive; CELL_DCH → CELL_FACH on idle timer; CELL_FACH → CELL_DCH when queue length > threshold; CELL_FACH → CELL/URA_PCH / Idle on idle timer. Alongside: a trace of the transition from Idle to CELL_DCH on Joe’s iPhone.]
Radio Resource Control protocol states: see Qian et al. [2] and 3GPP TS 25.331
Challenge: Signaling Load
Even normal operation and vendor implementation decisions can create signaling load problems
Control plane design provides broad attack surface
[Figure: PDP-context activation signaling flow. Source: Tektronix]
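An added example, not from the slides or from Qian et al., that serves both the Protocol/Network Interactions slide and this Signaling Load slide: a toy replay of the RRC state machine (Idle, CELL_PCH, CELL_FACH, CELL_DCH) over packet timestamps, counting how many promotions (each a burst of RRC signaling) a traffic pattern triggers and how much latency they add. Every timer, promotion delay and queue threshold is an assumed value chosen for illustration, not a carrier's configuration, and the two traces are constructed.

```c
/* Added example: toy replay of the 3G RRC state machine over packet timestamps.
 * Timers, promotion delays and the FACH queue threshold are assumptions for
 * illustration only; the traces below are constructed, not captured. */
#include <stdio.h>
enum rrc_state { RRC_IDLE, RRC_PCH, RRC_FACH, RRC_DCH };
#define T_DCH_IDLE    5.0  /* inactivity before CELL_DCH -> CELL_FACH (s), assumed */
#define T_FACH_IDLE  12.0  /* inactivity before CELL_FACH -> CELL_PCH (s), assumed */
#define FACH_DRAIN    1.0  /* gap after which the CELL_FACH queue counts as drained */
#define D_PROMO_IDLE  2.0  /* latency of an Idle/PCH -> CELL_DCH promotion (s) */
#define D_PROMO_FACH  1.5  /* latency of a CELL_FACH -> CELL_DCH promotion (s) */
#define QLEN_THRESH   2    /* queued packets in CELL_FACH that trigger promotion */
struct rrc_stats { int promotions; double promo_delay; enum rrc_state state; };
/* Inactivity-timer demotions for a gap of `gap` seconds since the last packet */
static enum rrc_state demote(enum rrc_state s, double gap)
{
    if (s == RRC_DCH && gap > T_DCH_IDLE) { s = RRC_FACH; gap -= T_DCH_IDLE; }
    if (s == RRC_FACH && gap > T_FACH_IDLE) s = RRC_PCH;
    return s;
}
/* Replay send/receive timestamps (seconds, ascending) starting from Idle */
struct rrc_stats rrc_replay(const double *ts, int n)
{
    struct rrc_stats st = { 0, 0.0, RRC_IDLE };
    int qlen = 0;
    for (int i = 0; i < n; i++) {
        if (i > 0) {
            double gap = ts[i] - ts[i - 1];
            enum rrc_state next = demote(st.state, gap);
            if (next != st.state || gap > FACH_DRAIN) qlen = 0;  /* queue drained */
            st.state = next;
        }
        if (st.state == RRC_DCH) continue;                  /* dedicated channel */
        if (st.state == RRC_FACH && ++qlen <= QLEN_THRESH) continue; /* shared channel */
        st.promo_delay += (st.state == RRC_FACH) ? D_PROMO_FACH : D_PROMO_IDLE;
        st.state = RRC_DCH;                                 /* promotion = signaling burst */
        st.promotions++;
        qlen = 0;
    }
    return st;
}
/* Constructed traces: a bursty app that pauses past the DCH timer; a 4 s keep-alive */
static const double bursty_ts[] = { 0.0, 0.5, 1.0, 8.0, 8.2, 8.4, 30.0 };
static const double keepalive_ts[] = { 0.0, 4.0, 8.0, 12.0, 16.0 };
int main(void)
{
    struct rrc_stats a = rrc_replay(bursty_ts, 7), b = rrc_replay(keepalive_ts, 5);
    printf("bursty: %d promotions, %.1f s added\n", a.promotions, a.promo_delay);
    printf("keep-alive: %d promotions, %.1f s added\n", b.promotions, b.promo_delay);
}
```

The same seven packets cost three promotions when sent in bursts and one when a keep-alive pins the radio in CELL_DCH, which is the trade-off between signaling load and battery/spectrum that the timer settings encode.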
Challenge: Mobile Traffic is Different
(ATLAS data)
– 2-3 times as much Google, Microsoft and CDN traffic from mobile than fixed
– Fraction of P2P – Makes sense
– 5x as much Xbox in mobile (due to 3g dongle?)
Security Challenges
State of Mobile Security – Survey
– 75% of MNOs say poor, bad, or non-existent mobile security / visibility
– More than half of mobile carriers have had outages in last year due to security event
– Broad range of attack targets within mobile network
– Mostly IP-level services targeted – Suspicion – security tools lacking elsewhere
State of Mobile Security – Changing Landscape
Barriers to entry are falling – Internet C.W. – This is a good thing
– Closed to open – Lots of SS7 interconnects and GRX peers
– Cheap hardware – pico/femto cells, smart phones
– Increasing scrutiny
More interesting target – Data is cool, phone calls are boring
[Chart: Published Mobile Exploits per year, 2006–2010, split into OS/malware and Infrastructure; y-axis 0–20.]
Mobile Security Attack Surface
[Network diagram as on the Mobile Network Review slide.]
Attack Surface
1. RF – Channel exhaustion
2. GPRS, PDP, Gn
3. HLR – Signaling DoS
4. GRX/IPX – DDoS, toll fraud, protocol interop
5. Gi – DDoS, worms, firewall evasion, state exhaustion, battery draining
6. Femtocells
7. SMS
8. SIGTRAN, SS7
9. Mobile to Mobile
10. Weak/broken crypto
Threats: Gi
[Network diagram as on the Mobile Network Review slide.]
Internet Sourced Attacks
– FW/NAT – State Exhaustion
– GPRS Core – State/Signaling
– RAN – Bandwidth/Spectrum
– Mobile Users – Malware, Battery Draining
– Mobile Data Center
Threats: Signaling Attacks (RF)
[Network diagram as on the Mobile Network Review slide.]
RACH flood
– Attack size – 1 phone
– Anonymous – pre-authentication
– Affected users – 10s to 1000
See Spaar [3] and Grugq [4]
Threats: Femtocells, Rogue Base Stations
[Network diagram as on the Mobile Network Review slide.]
Authorized, Unsecured Infrastructure
– Attack MS – Remote, over-the-air, code injection
– Attack the Core – Trusted environment?
See Weinmann [5]
Threats: Core Signaling
[Network diagram as on the Mobile Network Review slide.]
HLR DoS – AT+CCFC=…
– Attack size – 500 requests/s to halve performance – 2500 requests/s to disable network
– Affected users – 1 Million+
See Traynor et al. [6]
Summary
– Mobile traffic is different from fixed-line – Exhibits unique characteristics / trends
– Mobile security is vastly different from fixed line – Especially with respect to maturity / tools
– Strong mismatch between mobile conventional security / engineering wisdom and emerging realities
– Still in the very early days of mobile – Smart phones small percentage of market – Only now seeing significant research and engineering evaluation of mobile security
More Information
3GPP – http://www.3gpp.org/ – Mailing lists – http://list.etsi.org/ – Focus on specs
GSMA – Proprietary – participation requires (expensive) membership
Osmocom – http://www.osmocom.org/ – Amazing open source project. Building all the pieces of a mobile network. – Focus on developing
Questions?
Scott Iekel-Johnson [email protected]
Joe Eggleston [email protected]
Craig Labovitz [email protected]
http://www.monkey.org/~labovit
Z. Morley Mao [email protected]
References
[1] Anatomizing Application Performance Differences on Smartphones, Huang et al., Proceedings of ACM MobiSys, 2010.
[2] Characterizing Radio Resource Allocation for 3G Networks, Qian et al., Proceedings of Internet Measurement Conference, 2010.
[3] A Practical DoS Attack to the GSM Network, Spaar, Deepsec, 2009.
[4] Base Jumping: Attacking GSM Base Station Systems and mobile phone Base Bands, Grugq, Blackhat USA, 2010.
[5] The Baseband Apocalypse, Weinmann, 27C3, 2010.
[6] On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core, Traynor et al., Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), 2009.