+ All Categories
Home > Documents > Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security...

Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security...

Date post: 21-Apr-2018
Category:
Upload: lydieu
View: 217 times
Download: 2 times
Share this document with a friend
19
Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge Brad Reaves * , Ethan Shernan ** , Adam Bates * , Henry Carter ** , Patrick Traynor * *Florida Institute for Cyber Security University of Florida **Georgia Institute of Technology
Transcript
Page 1: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

Boxed Out:Blocking Cellular Interconnect

Bypass Fraud at the Network Edge

Brad Reaves*, Ethan Shernan**, Adam Bates*, Henry Carter**, Patrick Traynor*

*Florida Institute for Cyber Security University of Florida

**Georgia Institute of Technology

Page 2: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

There is a black market for long-distance and international call termination

Some companies provide “gray routes” that deliver calls without paying required tariffs or using regulated interconnects between carriers

How do you connect to a carrier without them knowing?

Are you happy with your long distance carrier?

Page 3: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

The point of this setup is to deliver a call into carrier B without paying for a real interconnection with that

carrier.

Carriers use the term “interconnect bypass fraud” We’ll use the term “simbox fraud” for our talk

PSTN Network A Internet

InternationalBorder

GSMVoIPSimbox

PSTN Network B

Legitimate Local Call

Enter: Simbox Fraud

Page 4: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

Cellular networks are necessarily provisioned under an assumptions of average call volume/cell

The cellular network is fundamentally incapable of supporting the load of an illicit, unlicensed telecommunications provider

Not to mention:

• Call quality is terrible

• People near the simbox operation have trouble placing calls

• It costs carriers $2 Billion annually

This is a real problem

Page 5: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

In this work, we present the Ammit system

Key Insight: Simboxed call audio will sound different than legitimate call audio

Ammit detects individual calls in real time at the tower servicing the simbox

Ammit can isolate individual calls and SIM cards after just 20 calls

Ammit

Page 6: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

Why Ammit WorksOver-the-Air

Degrades

VoIP Degrades

SourceNetwork

Degrades

PSTN Network A Internet

InternationalBorder

GSMVoIPSimbox

PSTN Network B

Legitimate Local Call

Page 7: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

Cellular voice sees typical loss rates of several percent

How are we supposed to tell legitimate losses from losses due to simboxing?

Have the tower keep track of lost frames and ignore them when analyzing the audio!

Dealing with Air Loss

Page 8: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

Because VoIP is entirely digital, audio only degrades from lost (or really late) packets

When losses occur, a VoIP client can either:

1. Insert silence

2. Try to conceal packet losses

Audio degradations in VoIP

Page 9: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

We can compute the short-term energy of audio and look for sudden drops and rises again

Detecting Unconcealed Losses

0 50 100 150 200 2500

0.002

0.004

0.006

0.008

0.01

0.012

0.014

0.016

0.018

0.02

Time (ms)

Shor

t−tim

e en

ergy

Packet LossDetected Loss

True Positive

Undetectable Loss

Page 10: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

We looked at the GSM-FR packet loss concealment algorithm

GSM-FR conceals losses by repeating and attenuating the last good 20 millisecond frame.

Cepstral analysis (used for echo detection) can detect this

Detecting concealed losses

Page 11: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

GSM-FR Loss

0 10 20 30 40 50 60−0.04

−0.02

0

0.02

0.04

Time (ms)

Audi

o Am

plitu

de

0 5 10 15 20 25−0.4

−0.2

0

0.2

0.4

0.6

Quefrency (ms)

Cep

stru

m M

agni

tude

Original Signal Repeated, AttenuatedSignal

Repeated, AttenuatedSignal

Page 12: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

We simulated sets of 20 calls from 99 speakers to test effects of detecting multiple calls from a single SIM

Simulation Setup

TIMIT Audio

GSM PLC Detector

Silence Insertion Detector Simbox

Decision

GSM FrameErrors

Ammit Simbox Detector

Transit Encode

Channel Loss

Transit Decode

GSM Air Simulator

Encode Audio

Audio Audio

AudioPacketize

Internet Loss

Silence/PLC

VoIP Simulator

Encode Audio

We tested Ammit on 462 individual simulated calls to systematically measure effect of loss rate and codec

Page 13: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

Results: Individual Simulated Calls

1 2 5 1

15

2630

49

66

8792

100

% C

alls

Det

ecte

d

% Loss Rate

GSM−FRGSM−FR PLCG.711Legitimate Calls (FP)

Page 14: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

Results: Detecting Simulated SIMs

1% 2% 5%0

28

43

96100

% S

IMs

Det

ecte

d

% Loss Rate

G.711GSM−FRGSM−FR PLC

Page 15: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

• 100 simboxed and normal calls

• 87% of simboxed calls detected — no false positives

Results: Real Simbox Calls

Page 16: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

Ammit hardware and software no less accessible to attackers than network core (e.g. billing systems)

Ammit analyzes all call audio

(Our implementation could handle up to 150 simultaneous calls.)

Ammit reports single-call judgements to a central location (like the HLR)

Ammit is widely deployed (to prevent trivial evasion)

Security Assumptions

Page 17: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

Simboxers may try to evade Ammit, but it will be hard to do.

Here are some tricks they could try:

Redundantly transmit audio to avoid packet loss (expensive)

Try PLC's that Ammit doesn't know about (Most are known)

Transmit bad VoIP frames to the tower as damaged GSM frames (really hard and probably detectable)

Potential evasions

Page 18: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

The use of simboxes for interconnect bypass fraud represent a threat to the reliable function of cellular networks that billions rely on.

Ammit uses call audio to detect simbox calls in real time, stopping them at the source before they can be profitable

Take-aways

Page 19: Blocking Cellular Interconnect Bypass Fraud at the … · Florida Institute for Cyber Security Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge ... VoIP

Florida Institute for Cyber Security

Thanks!


Recommended