
CSE-2007-10

Date post: 03-Apr-2018
  • 7/28/2019 CSE-2007-10

    1/62

    Unique Vulnerabilities and Attacks on Cellular Data Packet Services

    By

    DENYS MA

    B.S. Computer Science and Engineering (University of California, Davis) 2004

    THESIS

    Submitted in partial satisfaction of the requirements for the degree of

    MASTER OF SCIENCE

    in

    Computer Science

    in the

    OFFICE OF GRADUATE STUDIES

    of the

    UNIVERSITY OF CALIFORNIA

    DAVIS

    Approved:

    Assistant Professor Hao Chen (Chair)

    Professor Karl Levitt

    Assistant Professor Xin Liu

    Committee in Charge

    2007

    i


    Unique Vulnerabilities and Attacks on Cellular Data Packet Services

    Copyright 2007

    by

    Denys Ma



    Contents

    1 Introduction  1
      1.1 Contributions of this Thesis to the Field  2

    2 Related Works  3
      2.1 Cryptography  3
      2.2 Cloning and Fraud  4
      2.3 Denial of Service  4
      2.4 Spam and Phishing  5
      2.5 Worms  5
      2.6 3G scheduling and network security  6

    3 Sleep Deprivation Attack  7
      3.1 Background overview  7
        3.1.1 GSM  8
          Location update  8
          Paging  8
        3.1.2 GPRS  9
        3.1.3 MMS  10
      3.2 Attacks  12
        3.2.1 MMS security analysis  12
          Unencrypted and unauthenticated MMS messages  13
          Unauthenticated MMS R/S  13
          Critical phone information disclosure  13
        3.2.2 Attack implementation  13
          Building target hit-list  15
          Draining batteries  15
          Theoretical impact  16
        3.2.3 Attack experiment results  16
        3.2.4 Attack improvement  17
          Attack using TCP ACK packets  17
          Attack using packets with maximum-sized payload  17
          NAT and firewall  18
      3.3 Mitigation strategies  19


        3.3.1 MMS Protocol Modification  19
        3.3.2 Adaptive PDP Context Management  20
          Motivation  20
          Design Principle  21
          Strategy overview  22
          Specification Modification  24
          Analytical Analysis  24
          Implementation Details  25
      3.4 Conclusion  26

    4 Scheduler Attack  27
      4.1 Attack overview  27
        4.1.1 3G data networks  28
          Opportunistic scheduling  28
          Handoff  29
        4.1.2 Overview of attacks  29
      4.2 Attack analysis  30
        4.2.1 Attack within a single cell  31
          Single attacker  31
          Multiple attackers  33
          Simulation  33
        4.2.2 Attack from two cells  35
          Initial average throughput  35
          Simulations  36
        4.2.3 Attack without knowing victims' CQIs  37
      4.3 Attack impact  40
      4.4 Possible defense strategies  41
        4.4.1 Attack detection  41
        4.4.2 Attack prevention  42
      4.5 Conclusion  44

    5 Summary and Conclusion  49

    Bibliography  51


    Acknowledgements

    I want to give utmost gratitude to Professor Hao Chen for his most valuable advice and guidance, not only for this thesis but also as a graduate student. This work would not exist without his insights and dedicated work. My gratitude also goes to Professor Karl Levitt for his help and advice in every step of my graduate life. He encouraged and supported me throughout the years I've been in Davis.

    I would like to thank everyone who contributed to this thesis. In particular, most credit goes to Radmilo Racic for his extremely valuable contributions. He has worked on this work in every aspect and helped me through difficult problems. Also, my thanks to Professor Xin Liu for her contributions to this thesis.

    Many thanks are due to my friends for all the support and advice. My thanks to Dr. Jeff Rowe and Professor Felix Wu for all the advice on my research, Senthil Cheetancheri for his insights and discussions on worms and my research, and Allen Ting for his encouragement and support of my efforts. My gratitude to Carol Lin for her endless encouragement and support, even in difficult times. She believed in me even through periods of uncertainty, and gave me courage to proceed.

    Finally, I dedicate this thesis to my parents who, through hardship, provided me a chance to learn and discover as I wish. They have placed my needs over everything else to support me throughout my life. They have also shaped me into the person I am today through valuable wisdom and guidance.


    Abstract

    As cellular data services and applications are being widely deployed, they become attractive targets for attackers, who could exploit unique vulnerabilities in cellular networks, mobile devices, and the interaction between cellular data networks and the Internet. Furthermore, mobile devices, often considered to be part of the cellular network's trusted computing base (TCB), are becoming more vulnerable to attacks. This thesis presents several vulnerabilities in cellular data packet services and their applications, and presents two particular denial of service attacks. First, we demonstrate an attack which surreptitiously drains mobile devices' battery power up to 22 times faster and therefore could render these devices useless before the end of business hours. This attack targets a unique resource bottleneck in mobile devices (the battery power) by exploiting an insecure cellular data service (MMS) and the insecure interaction between cellular data networks and the Internet (PDP context retention and the paging channel). Second, we propose a series of attacks on 3G cellular packet services that exploit the unverified channel condition reports from mobile devices to their base stations, and user-initiated handoffs. Our simulations show that only five rogue devices per cell can use up over 90% of the network resources, and thus induce and perpetuate a 2.1 s end-to-end inter-packet transmission delay for every user in the cell. This thesis also presents several mitigation strategies to defend against not only the two aforementioned attacks, but also similar attacks of this type.


    CHAPTER 1. INTRODUCTION 1

    Chapter 1

    Introduction

    Cellular networks are part of our critical information infrastructure. Cellular networks are also widely deployed, with more than 194 million subscribers covering over 65% of the US population [1]. As mobile devices become more powerful, cellular companies are rapidly deploying broadband data services, such as High-Speed Downlink Packet Access (HSDPA) and Evolution-Data Optimized (EV-DO), as well as new applications, such as Multimedia Messaging Service (MMS), Unlicensed Mobile Access (enabling network-to-network mobile agent migration), i-Mode (providing fast, packet-based communication by eliminating the traditional WAP gateway), and Wifi Voice-over-IP (enabling affordable, realtime voice communication). Furthermore, cellular networks are pushing more network functions into mobile devices and granting them more trust. In some situations, they even consider mobile devices as part of the Trusted Computing Base (TCB). While these new services and applications enhance the mobile computing experience, they also introduce serious security concerns. Besides launching typical Internet attacks such as denial of service (DoS), malware, spamming and phishing against mobile devices, an attacker can exploit emerging vulnerabilities in cellular networks, mobile devices, and the interaction between cellular data networks and the Internet.

    Emerging vulnerabilities in cellular networks, however, are not thoroughly studied by either the security community or service providers, since the cellular community is focused on information security rather than network security. We argue that network vulnerabilities can cause havoc in cellular networks, in particular in both current and future data services. Therefore, this thesis presents several emerging vulnerabilities in cellular data networks and two particular denial-of-service attacks exploiting these vulnerabilities that can cause devastating effects. These attacks would be devastating not only in critical situations, such as disasters, but also for industries relying


    on mobile communications. For example, professions like real estate agents and brokers rely on the ability to perform on-the-spot credit reports or provide instant quotes. Similarly, occupations such as network system administrators trust their cellular handsets' availability in order to be reached.

    The first attack, exploiting vulnerabilities in MMS and General Packet Radio Service (GPRS) in GSM, targets mobile devices' battery power. The adversary is able to drain a mobile phone's battery stealthily in 7 hours from the Internet. The second attack, exploiting vulnerabilities in 3G and 3.5G data packet services and their opportunistic scheduler, demonstrates that malicious mobile devices can usurp time slots at the expense of honest users, hence denying them network access. For example, we show that only one attacker per cell that has 50 users can occupy as much as 89% of all the scheduling slots indefinitely. Similarly, five attackers per cell can cause and perpetuate a 2.1 s end-to-end inter-packet transmission delay for every victim user in the cell, thus rendering many services useless.

    This thesis proceeds by presenting an overview of the related work in cellular network security in Chapter 2. Chapter 3 presents the first attack and the mitigation strategies that can defend against it. Chapter 4 presents the second attack, with the possible defense mechanisms. Finally, Chapter 5 concludes this thesis.

    1.1 Contributions of this Thesis to the Field

    This thesis makes the following contributions:

    - We identify vulnerabilities in 2.5G and 3G data services and in applications that rely on these services, in particular MMS, GPRS, EV-DO, HSDPA, and the Proportional Fair (PF) scheduler.

    - We implemented an attack to surreptitiously drain a phone's battery up to 22 times faster than normal, illustrating two key vulnerable components in current cellular data networks.

    - We propose a series of attacks on opportunistic scheduling in 3G data networks, analyze these attacks mathematically, and explore the effectiveness of these attacks under different network configurations. Our simulations show that these attacks would devastate the network by rendering many services useless.

    - We propose approaches to mitigate or eliminate the impact of each attack.


    CHAPTER 2. RELATED WORKS 3

    Chapter 2

    Related Works

    In recent years, a significant amount of research effort has been focused on security requirements and threat model evaluation for current and emerging cellular technologies, including GSM [2-4], GPRS [5-8], CDMA [9], SMS [10], MMS [11], and EVDO [12-14]. These works identify the following key security requirements in cellular networks: subscriber confidentiality, authentication, privacy, cloning prevention, integrity of information as well as billing, fraud detection, and safe key management. These works also address security threats such as eavesdropping, impersonation of a user and network, denial of service, man-in-the-middle attacks, hijacking services, and compromising authentication vectors. Apropos, researchers evaluated the risk levels of each of these threats as well. Our work is complementary to these previous efforts to secure cellular networks. In fact, we focus on two new directions: the end user devices (i.e., power-depletion attack and defense) and the security interactions between different cellular applications (i.e., the merging of cellular networks and the Internet).

    In this chapter, we present an overview of the current research efforts in cellular networks.

    2.1 Cryptography

    Extensive research has been conducted on cryptographic technologies [15-17]. For instance, studies like [15, 16] suggest the use of a PKI scheme in the GSM/UMTS network while [17] proposes the use of a SIM card for authentication and payment of web services by mobile users. Grecas and colleagues propose introducing public-private key pairs for transactions between the VLR-HLR as well as MS-VLR. Lo and colleagues, on the other hand, propose the use of PKI and stream ciphers for authentication and message encryption/decryption, respectively. They both point


    out that the nature of the services constituting the PKI renders telecommunications operators prime candidates for the PKI implementation. Furthermore, MacDonald and colleagues [17] are convinced that the SIM card can be at the center of an authentication and payment platform for consumption of web services by mobile users. Cryptographic solutions, while efficiently and elegantly mitigating some principal concerns in cellular networks, cannot defend against some unique threats to end users, such as DoS attacks and resource starvation attacks. Our work complements the existing cryptographic mechanisms in order to alleviate additional non-conventional threats unique to emerging cellular data technologies and applications.

    2.2 Cloning and Fraud

    Significant research has been done on mobile device cloning and the associated frauds [18]. Complementary to cryptographic solutions, schemes have been developed to defend against cloning and fraud, such as device and user fingerprinting [19], mobility pattern recognition [20], and usage pattern recognition [21, 22]. These research studies propose new security mechanisms strictly for cellular networks. However, most studies stipulate fundamental changes in either the architecture or end user equipment. In order to minimize disturbance of the current implementation of cellular networks, our research focuses on utilizing existing security mechanisms to mitigate new attacks that were not previously discovered or considered.

    2.3 Denial of Service

    Denial of Service attacks executed on 2G/2.5G networks have also attracted a lot of attention, because resources in cellular networks are much more limited than on the Internet. In particular, control channels are in danger due to their narrow bandwidth. Agarwal et al. [23] conducted a capacity analysis of shared control channels used for SMS delivery. They concluded that increasing volume and message sizes can significantly affect network performance. Then, Enck et al. [24] presented a denial-of-service attack by sending a sufficient number of SMS messages per second to a range of cellular phones in the same area. An attacker would need only a single computer with broadband network access in order to disrupt a network in a major city by saturating control channels shared between voice calls and SMSs. Traynor et al. [25] follow up on this work by simulating the attack outlined in [24] using a highly accurate GSM simulator, and present several mitigation strategies with supporting simulations. Additionally, [26] warns that the paging channel is another


    scarce resource that an attacker on the Internet can overwhelm to cause a DoS attack. Finally, Martin et al. [27] discussed the possibility of a denial of service attack on mobile devices such as laptops and PDAs. They outlined three different types of battery draining attacks and presented experiments to demonstrate the effects of such attacks. Nash et al. [28] follow up on that work by presenting a host-based intrusion detection system to detect battery draining attacks. Our work, inspired by these previous works, extends previous findings and presents additional vulnerabilities in both current and future cellular data services.

    2.4 Spam and Phishing

    In addition to DoS attacks, spam is another well-known problem in the SMS network [10]. Network providers allow email and web-based interfaces to send SMS messages to individual or multiple handsets directly. Spammers can also employ phishing [29] to trick users into divulging private personal information. SMS-based phishing has already been discovered at a small German cellular provider [30], where users are tricked into sending a reply SMS to a value-added services SMS number, charging a small fee per user. Our first attack in Chapter 3, building a hit-list of phone IP addresses and model information, was inspired by phishing; however, our approach does not need the user's participation or even attention, because such information is reported to our server automatically by most phones.

    2.5 Worms

    Computer worms that target cellular networks have also appeared in recent years. The Timofonica worm [31] spreads itself via email attachments. Upon infection, a computer sends SMS messages to random cell phone numbers belonging to a service provider, Movistar, and thus attempts to cause a DoS attack. A proof of concept worm was developed in early 2005 demonstrating the effects of a worm outbreak on cellular phone platforms. The Cabir [32] worm, spreading via Bluetooth on Nokia Series 60 handsets running Symbian OS, changes the operating system and searches for other handsets to infect. An epidemic worm spreading model in mobile environments was proposed by Mickens et al. [33]. Our work is an extension of these previous works. Using a hit-list of phone numbers, IP addresses, and model information gathered in our attack described in Chapter 3, worm designers could write better worms by tailoring them to different platforms.


    2.6 3G scheduling and network security

    A significant amount of research has been conducted on efficient resource sharing in cellular networks. In particular, opportunistic scheduling algorithms have been studied extensively [34-36]. However, the existing work focuses on improving system performance under various system constraints and requirements. For example, Choi et al. [37] study the effects of the Proportional Fair (PF) scheduler on TCP performance. They conclude that TCP's minimum RTO is too short and that it leads to unnecessary timeouts under the PF scheduling policy. Assaad et al. [38] report the effects of TCP on HSDPA operation and confirm that the lower the congestion rate of TCP, the higher the application bit rate is. Their results show that the effects of TCP on application performance are much higher than on the system capacity due to the use of the high speed shared channels. Andrews [39] also considered the PF scheduler suggested in the High Data Rate (HDR) data system and shows that the PF scheduler is unstable under certain conditions. Andrews defines stability as the ability to keep each user's queue bounded. Using simulations and models, Andrews describes six different versions of the PF scheduler and shows that all of them are unstable. Finally, Bu et al. [40] studied the PF scheduler in multiple cells and propose a central PF scheduler to increase fairness. In contrast to our work discussed in Chapter 4, these studies do not consider potential threats from malicious users and the corresponding effects on the schedulers used in wireless systems.

    Initial studies on network security in 3G networks have also been published in recent years [41-43], outlining possible threats in the cellular network. In particular, Sridharan et al. [44] model the uplink channel between mobile devices and the base station in EV-DO and suggest that malicious users can modify their transmission power level and cause interference for honest users. Our work in Chapter 4 differs from their work by concentrating on the downlink, since in 3G networks downlink bandwidth is much higher than uplink. Furthermore, these studies do not provide an actual attack, but only outline possible threats against 3G networks.


    CHAPTER 3. SLEEP DEPRIVATION ATTACK 7

    Chapter 3

    Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phones' Battery

    In this chapter, we present an attack that exploits vulnerabilities in MMS (a cellular data service), PDP context retention in GPRS (interactions between the Internet and cellular data networks), and the paging channel. Furthermore, this attack has unique features: (1) it is clandestine, so victim mobile users will not notice when their batteries are being drained; (2) it is not limited to certain mobile device hardware or software; and (3) it targets individual mobile devices rather than the network, an attack that is often harder for network operators to detect and defend against effectively.

    We implemented this attack in two stages. In the first stage, we were able to build a fairly accurate hit-list of all the users with an active Internet connection by taking advantage of the insecure MMS protocol. In the second stage, we exploit PDP context retention to surreptitiously drain a phone's battery up to 22 times faster than normal. This attack illustrates two key vulnerable components in the cellular data network, and we will propose mitigating strategies for securing these components.

    3.1 Background overview

    To help understand the vulnerabilities and attacks that we discovered, we present an overview of the relevant components in cellular networks: GSM, GPRS and MMS.


    3.1.1 GSM

    The key elements in GSM are: the Base Station Subsystem (BSS), which includes the Base Transceiver Station (BTS) and the Base Station Controller (BSC), and the Mobile Switching Center (MSC), which is the core of the Network Sub System (NSS). Additionally, these GSM elements utilize databases like the Home Location Register (HLR) and the Visitor Location Register (VLR) for storing users' home and roaming information, respectively.

    The BTS provides the means to transmit and receive radio signals as well as to encrypt and decrypt communication with the BSC. The BSC provides network intelligence by allocating radio channels, controlling inter-BTS hand-offs and, most importantly, serving as a gateway to the MSC. The MSC, on the other hand, sets up circuit-switched communications, takes care of mobility management and manages other databases.

    A cellular network needs to keep track of the location of each Mobile Station (MS)¹ in order to deliver calls and data to the correct destination reliably. Typically, the network utilizes an event-based mechanism to collect mobile devices' locations. Events such as powering up, shutting down, and crossing into another location area trigger the location update procedure.

    A cellular network is partitioned into cells serviced by BTSs. Cells are then grouped together to optimize signaling and to facilitate tracking of mobile phones within the network. Each group, managed by one BSC, is identified by a location area code broadcast by each BTS at regular intervals. Two fundamental operations within the location area are location update and paging.

    Location update

    The MS sends location update messages to its current BTS periodically in order to route all incoming calls or data appropriately. If the MS sends updates seldom, its location is unknown and the MS must be paged for each downlink packet (or call), thus degrading the quality of service. If, on the other hand, the MS sends frequent updates and its location is known, then data packets can be delivered without any additional paging delay.

    Paging

    To minimize the amount of updates, preserve the MS's battery, and minimize bandwidth utilization, the network will page the MS over the Paging Channel (PCH) to determine its location. In

    ¹ MS and phone will be used interchangeably.


    [Figure 3.1: GPRS infrastructure. Diagram; elements shown: MS, BSS, MSC, VLR, HLR, SGSN, GGSN, SGSN on another PLMN, Internet.]

    other words, the PCH is used for communication from the BTS to the MS when the MS is not assigned a traffic channel; that is, when the MS's location is unknown or out of date.

    The paging bandwidth burden is relatively small in small location areas, less than 1% of the bandwidth allocated for voice channels. On the other hand, in an area with a large number (over 1000) of cells per location area, the paging bandwidth burden could be considerably higher [45].

    3.1.2 GPRS

    GPRS [46] is integrated into the existing GSM infrastructure with a new class of network nodes called GPRS Support Nodes (GSNs). GSNs are responsible for the delivery and routing of data packets to and from the mobile network. There are two types of GSNs: the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node (GGSN). The SGSN is responsible for transferring and routing data packets, mobility management, logical link control, authentication and billing services within its service area. The GGSN acts as an interface between the GPRS backbone and external packet networks (primarily the Internet). Its primary function is to convert GPRS packets coming from the SGSN to IP packets and vice versa. An illustration of GPRS is shown in Figure 3.1.

    Before an MS can utilize GPRS services, it must register with an SGSN so all packets can be routed through it. During this procedure, called GPRS attach, a PDP (Packet Data Protocol) context is created. In particular, the SGSN checks if the user is authorized, copies the user profile from the HLR to itself, assigns a Packet Temporary Mobile Subscriber Identity (P-TMSI)², maps it to an IP address, and assigns a GGSN that will serve as the gateway to the Internet. The PDP context,

    ² The reasoning is to minimize use of the IMSI (International Mobile Subscriber Identity) for security purposes.


    composed of the above mentioned information, is stored at the SGSN. GPRS detach, on the other

    hand, disconnects the MS from the GPRS network and deactivates the PDP context.

Location areas have proven to be efficient in voice networks; however, the bursty nature of data traffic increases the number of paging messages per phone in each location area. Therefore, each location area is further subdivided into routing areas, which GPRS uses to decrease the cost of locating an MS. A GPRS MS is in one of the IDLE, STANDBY and READY states, listed here in increasing order of battery consumption. When an MS is in the READY state, the SGSN knows the MS's location down to the cell: the MS performs a location update on every cell change, so no paging is necessary. In the READY state the MS can send and receive data, and it stays in READY until the READY timer expires, at which point it transitions to the STANDBY state. While in the STANDBY state, the MS still has an established PDP context and can receive calls or data, but its location updates are coarser: it informs the SGSN of routing area changes only, not of cell changes. If the SGSN needs to deliver data to an MS that is in the STANDBY state, it sends a page request in the routing area where the MS is located; when the MS responds to the page, it transitions to the READY state. IDLE is the state of lowest battery consumption, in which the SGSN is not aware of the MS's location at all. The MS can leave the IDLE state only by performing a GPRS attach procedure, and it returns to IDLE either by initiating a GPRS detach or when the STANDBY timer expires. Figure 3.2 shows the state machine of the GPRS MS.

Upon completion of the communication, the MS goes into the STANDBY state; the PDP context, on the other hand, remains allocated to the MS. We conducted experiments to discover how long each handset retained its assigned PDP context and IP address, and found that addresses were relinquished after anywhere from 15 minutes to several hours. The reason for not deactivating a PDP context promptly is simple: a cellphone can be unreachable for a period of time because of a radio link failure, and deactivating the context and activating a new one would force the phone to recreate all of its TCP sessions, possibly restarting applications and requiring the user to re-enter passwords.

3.1.3 MMS

MMS has become a very popular cellular messaging service. The MMS architecture spans both the cellular network and the Internet and uses technologies from both, such as WAP, SMTP, and HTTP.

[Figure 3.2 (diagram): the GPRS mobile station state machine. IDLE (PDP context inactive) moves to READY on GPRS attach; READY moves to STANDBY when the READY timer expires or on a force-to-STANDBY; STANDBY returns to READY on data transmit or receive; STANDBY moves to IDLE when the STANDBY timer expires; READY moves to IDLE on GPRS detach. The PDP context is active in the STANDBY and READY states.]

Figure 3.2: The GPRS mobile station state machine

The MMS architecture consists mainly of the MMS Relay/Server (MMS R/S) and user agents. Several optional entities of the architecture, namely the billing server, the Home Location Register, and the user database, may exist inside or outside the MMS R/S. Figure 3.3 shows an overview of the MMS architecture.

The MMS R/S is responsible for all MMS transactions. When a user sends an email or an MMS message, the mobile phone formats the message in Synchronized Multimedia Integration Language (SMIL) [47]. The MMS R/S translates (transcodes) the message into either email or a different MMS format, depending on the provider, and then sends it to the destination SMTP mail server or the destination MMS R/S using SMTP. Upon receiving the message, the destination MMS R/S stores it in the user's buffer and sends a notification message to the user via SMS or WAP push. The notification contains the location of the message, usually specified as an HTTP URL. Users can configure their mobile phones either to download the message automatically upon receiving the notification or to download it manually.

[Figure 3.3 (diagram): the MMS R/S sits between the wireless network and the Internet, connected to the HLR, the user database and the billing server. Labelled interfaces: MM1 (user agents in the wireless network), MM4 and SMTP (toward an email client on the Internet), MM5, MM8 and MM9.]

Figure 3.3: MMS Infrastructure

3.2 Attacks

In this section, we present our findings on attacking the cellular network. We first investigated the MMS protocol and discovered several vulnerabilities that gave us a foothold in the otherwise heavily protected cellular network. Then, by exploiting these vulnerabilities, we implemented a proof-of-concept attack on a scarce resource, the battery power of mobile devices. The attack is stealthy: it is noticeable to neither mobile users nor network operators. Our experiments demonstrate that unique threats against cellular networks and mobile devices exist and are exploitable. Finally, we discuss how to make this attack even more effective.

3.2.1 MMS security analysis

To test how cellular providers implement MMS and to gain insight into their interface designs, we set up our own MMS R/S based on an open-source project [48]. We discovered several vulnerabilities that a wily attacker could exploit, as described in the following sections.


Unencrypted and unauthenticated MMS messages

We confirmed that MMS messages and MMS notification messages, composed of header and content sections, were sent in plain text. In addition to the SMIL headers, the packet also included an HTTP POST header containing the source and destination IP addresses, the profile of the user agent, the content type and size, and the user agent name.

Unauthenticated MMS R/S

To mitigate the problem of unencrypted messages, cellular providers hide the IP address of their own MMS R/S in the phone, hoping that cellular users cannot read or overwrite it. Unsurprisingly, we discovered that this attempt at security by obscurity is broken.

In order to inspect the raw format of MMS messages, we modified a phone's firmware to route all MMS messages through our MMS R/S. The MMS R/S setting is well hidden in the phone's firmware, which suggests that providers do not intend to allow users to modify it. After modifying the MMS R/S entry in our phone, we discovered that the phone had no security mechanism that detected, or alerted the user to, the new, unauthorized MMS R/S. Furthermore, MSs do not authenticate MMS notification messages or MMS messages sent from the network: an MS will accept any MMS message as long as its format is correct. Consequently, we were able to send unlimited MMS messages for free, without alerting the cellular provider.

Critical phone information disclosure

We discovered that handsets include pertinent user agent platform information whenever they communicate over HTTP. Accordingly, we set up a web server running Ethereal to capture HTTP requests from various handsets on different networks. We found that every phone disclosed either its full profile or information that included one or more of the following: a hardware platform description, display capabilities, and the current and compatible software versions. An attacker could very easily write a script that extracts the model number of each handset.

3.2.2 Attack implementation

Based on our MMS security evaluation, we implemented a battery-draining attack that uses a hit list built from the superfluous but pertinent information disclosed during MMS exchanges. Figure 3.5 illustrates the attack.


Figure 3.4: Ethereal reconstruction of an MMS message captured by our MMS R/S. The message is transported in clear text. Various fields such as the server, the sender's phone number and the phone model are exposed and could be collected into the hit list.

[Figure 3.5 (diagram): the attacker, an MMS server, and victims 1 through n. For each victim i, message (1i) is the MMS notification sent by the attacker through the MMS server, message (2i) is the victim's HTTP request back to the attacker, and messages (3i) are the periodic UDP packets from the attacker to the victim.]

Figure 3.5: A two-step attack on cellular devices. In step 1, the attacker builds a hit list using MMS notification messages (messages (1)) and captures information about mobile users from their HTTP requests (messages (2)). In step 2, the attacker surreptitiously drains the batteries of the cellular devices on the hit list by periodically sending UDP packets (messages (3)) to them.


Building the target hit list

To launch effective, large-scale attacks, an attacker needs to build a hit list that contains important information about the network and its end users. One way to obtain such information is simply to ask the mobile phones.

An attacker can send MMS notification messages whose content address points at a malicious web server to numerous recipients. The target phone numbers can be generated automatically from known area codes and prefixes of cellular phone numbers. The MMS notification messages can be sent using SMS or WAP push; there are many free SMS messaging websites, including those offered by the cellular providers themselves.

Once the MMS notification messages are sent, the attacker waits for HTTP requests at the web server whose address was given in the notification. Since many cell phones are configured to download MMS messages automatically upon receiving a notification, they will make HTTP requests to the attacker's web server. The HTTP requests often contain the profiles and IP addresses of the phones, and even the file extensions that the phones are able to process. By sending a slightly different URL to each phone, the attacker can build a hit list that maps each phone number to a profile of its cellular device. More importantly, the phone's response to the MMS notification message activates a PDP context, which makes our attack easy and simple to execute even in the presence of NAT and firewalls.

Draining batteries

Using the hit list generated from the MMS notification messages, an attacker can target the cellular network and cellular devices more precisely and effectively. Accordingly, we implemented a battery-draining attack that focuses on the end hosts instead of the network. We implemented our attack using UDP packets (we explain an improved technique later).

The key to maximizing a cell phone's battery life is to use its transceiver sparingly. In fact, when a cellular phone is turned on, its transceiver is active less than 3% of the time. As a reference point, in wireless sensor nodes transmitting one bit of information consumes 1500 to 2700 times as much energy as executing one instruction [49]. When a packet is sent to a phone, the SGSN delivers it directly if the phone's location is known, or else attempts to locate the phone by sending it a page request. Since cellular phones spend most of their time in the STANDBY state (or other dormant states), the page on the paging channel wakes the phone into the READY state and forces it to perform a location update. The sine qua non of this attack is therefore either to keep the phone in the READY state (high battery consumption), disabling its ability to preserve battery life, or to let the phone go into the STANDBY state only briefly, to be immediately awakened with a page and forced to perform a location update; both of these actions consume much energy.

Theoretical impact

To investigate the severity of the attack, we estimate the damage that an attacker with a home DSL Internet connection can inflict. A typical DSL upload speed ranges from 256 kbps to 416 kbps; we use the mid-range value B = 384 kbps as our estimate of the upload bandwidth. Each UDP packet carries a single character in its data segment, which might be padded to 4 bytes depending on the provider's DSL modem. The UDP header is 8 bytes and the IP header is 20 bytes, so in the pessimistic case where the data is padded, the total packet size is S = 32 bytes. Therefore, the maximum number of UDP packets per second that an attacker can send is (B/8)/S = 48000/32 = 1500.

To attack a phone effectively, an attacker must send it one UDP packet every T seconds. The maximum number of phones that the attacker can attack simultaneously is then (B/8)·T/S. We estimated T by trial and error using different test configurations; for our experiments we chose T = 3.75 seconds for the GSM-based network and T = 5 seconds for the CDMA-based network. Using this equation, an attacker with a standard ADSL line can attack about 5625 phones on a GSM-based network and 7500 phones on a CDMA-based network at once.

3.2.3 Attack experiment results

We successfully drained the batteries of our test phones considerably faster than under our average usage. We conducted six test runs on a high-end Nokia smart phone and completely drained its battery in an average of 7 hours, instead of the 156 hours of normal usage with Bluetooth switched off most of the time. We also observed severe battery exhaustion in our Sony Ericsson test phone, whose battery was drained down to 20% in less than 7 hours without any calls and with Bluetooth switched off. If a phone is connected to the Internet continuously (for example, to use an instant messaging service), its battery life is reduced much faster. To test this hypothesis, we attacked our Motorola test phone while keeping it connected to the Internet continuously; our test completely drained its battery within 2 hours. Table 3.1 summarizes the results of our attack.

                       Battery life without attack       Battery life under attack
Phone                  Normal use (h)   Standby (h)      Normal use (h)   Reduction
Nokia 6620             156              200              7                22.3:1
Sony-Ericsson T610     60               315              7                8.6:1
Motorola v710          36               150              2                18.0:1

Table 3.1: Reduction of battery life due to our attack

We successfully conducted our attack on two major cellular service providers without triggering any alarms. Our test machine's IP address was not blocked, our phones were fully operational after the attacks, and no notifications or warnings were sent to us regarding the issue. Moreover, during the attack the phone appeared to operate normally and no additional Internet application was started, so the victim would not notice the attack until his or her battery died unexpectedly.

3.2.4 Attack improvement

Several optimizations could improve our attack. Currently, we determined a fixed interval between UDP packets empirically, by trial and error. By using Qualcomm's CAIT software, or by knowing the implementation details of a particular cellular network, we could obtain a more accurate wait time and thereby improve the efficiency of our attack. Knowing which IP addresses are vacant would also increase the efficacy of our hit-list creation. We are currently testing the following improvements to our attack.

Attack using TCP ACK packets

To force a phone to send as well as receive useless data, an attacker can periodically send TCP ACK packets to the phone's IP address. In accordance with RFC 793, if no connection exists for the addressed port (the connection is closed or half-open), the receiver of an unsolicited ACK segment responds with an RST segment; if, on the other hand, the connection is established, the receiver of an ACK segment that falls outside its receive window responds with an empty ACK segment. Either way, the attacker forces a phone that implements a full TCP stack to receive as well as send packets, thereby exacerbating its power consumption.

Attack using packets with maximum-sized payload

In implementing our previous attack, we used UDP packets with a minimal payload in order to maximize the number of UDP packets an attacker can send per computer. However, this is not the most efficient way to drain a cellular phone's battery, since the whole packet must be downloaded by the mobile phone before the phone can discard it. Therefore, with an accurate hit list collected using MMS as above, the attacker can sacrifice the number of targets per computer to deliver an even more efficient attack using a maximum-sized payload.

Using the original attack implemented with UDP, the attacker can send a UDP datagram of up to 64 KB (65,535 bytes), the theoretical maximum given its 2-byte length field. In the TCP variant of the attack, ACK segments can carry a payload up to the link MTU, 1500 bytes on Ethernet. Besides causing additional unnecessary downloads for the mobile agent, the attack could be even more efficient because of IP fragmentation: a datagram larger than the MTU of the cellular link is split into several packets on its way to the mobile agent, so the attacker needs to send only a single packet to have multiple packets delivered over the air.

NAT and firewall

Through field experimentation, we have determined that most providers who use NAT also implement Network Address and Port Translation (NAPT). NAPT provides dynamic translation from (privateIP, privatePORT) to (publicIP, publicPORT). For example, the inside interface tuple (10.0.0.5, 3000) could be mapped to the outside interface tuple (199.156.3.4, 6000).

However, network-wide NAT deployment has its problems. It often hinders application deployment, and certain security protocols such as IPsec and Kerberos are affected, because NAT changes the address in the IP header and thereby breaks integrity protection that covers the address. For these reasons, operators choose to implement NAT only on certain subnets, affecting a selected customer base; in other words, most operators offer both private and public IP plans.

It would seem that our attack could be mitigated by NAT and firewall placement. However, a very simple change to the attack yields the same result. The crux of the change is the observation that, because the publicIP is the public address of the NAT system, each inside IP address maps to a port on the outside interface; targeting an inside IP address therefore reduces to targeting a certain port of the outside interface. Since NAPT performs address and port translation dynamically, the IP address and port mappings are alive only during active PDP contexts, so the attack must be delivered within an active session window. Since phones automatically create an outbound connection to the malicious HTTP server, the server itself must deliver the attack, thereby prolonging the connection. The firewall considers this connection valid, as it is initiated internally over allowed ports, and NAT continues the address and port translation for the duration of the attack.


3.3 Mitigation strategies

Our attack uncovered two vulnerable components in cellular networks.

PDP context is retained. We observed that a mobile user's PDP context is kept alive even after the user has completed his or her data session. The PDP context may be kept active for 15 minutes to several hours, depending on the service provider. This active PDP context allowed us to send unwanted IP packets to the victim's mobile phone to drain its battery.

Attack packets are not in any active session. Our attack periodically sends packets to a mobile user who has no active connection with the attacker. A mobile user must initiate a connection before he or she receives data. Since the GGSN records connection state, it can distinguish attack packets from normal packets that belong to active connections, unless the attacker can guess the correct sequence number, destination IP address and port number of an active connection.

Based on these observations, we suggest the following mitigation strategies for MMS and GPRS.

3.3.1 MMS Protocol Modification

To mitigate threats against MMS, we propose a redesign that incorporates security mechanisms into the protocol.

Message and server authentication. To avoid man-in-the-middle attacks, MMS messages and R/Ss should be authenticated, for instance using a PKI.

Information hiding at the WAP gateway. The WAP gateway should prevent outside web servers from obtaining critical information about mobile devices, such as their IP addresses and their hardware and software profiles. Since the profiles are used only by the WAP gateway for converting web content, the WAP gateway should filter out all but the essential information about the user agent from HTTP requests.

MMS message filtering. Service providers typically hard-code their approved MMS R/S into the mobile device's OS or firmware to prevent users from choosing alternative MMS R/Ss. However, sophisticated users can modify their OS or firmware to defeat this protection. A more reliable approach for service providers is to filter MMS messages, since all MMS packets must traverse the provider's network. The filter can scan MMS message headers to ensure that the destination IP address is that of an MMS R/S or of an accredited third-party Value Added Service (VAS) provider. The filter should not be implemented at the WAP gateway but rather at the SGSN or GGSN, since users can easily modify the phone's settings and bypass the cellular provider's WAP gateway.
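The hit-list construction of Section 3.2.2 and the header filtering proposed above under information hiding at the WAP gateway are two views of the same HTTP request, so the following added example (not code from the thesis) shows both sides: an attacker-side parser that joins each captured request back to the notified number and extracts the handset model and UAProf reference, and a gateway filter that strips those headers and substitutes the gateway's own address before the request reaches the origin server. The captured requests, phone numbers, URL tokens, User-Agent strings, UAProf URLs, gateway address and generic User-Agent are all constructed for the example.

```python
"""Hit-list extraction from handset HTTP requests, and the gateway filter that
defeats it. Added illustration, not code from the thesis. The four captured
requests, the phone numbers, URL tokens, User-Agent strings and UAProf URLs are
constructed for this example; the gateway address and generic User-Agent are
assumptions.
"""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Attacker-side bookkeeping from step 1 of Figure 3.5: every MMS notification
# carried a unique URL token, so the token identifies the notified number.
SENT_TOKENS = {
    "3f9a1c2e": "+1-530-555-0101",
    "77be04d1": "+1-530-555-0102",
    "c0ffee42": "+1-530-555-0103",
}

# (client IP, raw request) pairs as the attacker's web server would log them.
CAPTURED = [
    ("10.45.12.7",
     "GET /mms/3f9a1c2e HTTP/1.1\r\nHost: mms.example.net\r\n"
     "User-Agent: Nokia6620/2.0 (4.22.1) SymbianOS/7.0s Series60/2.1 "
     "Profile/MIDP-2.0 Configuration/CLDC-1.0\r\n"
     'x-wap-profile: "http://uaprof.example.net/Nokia6620.xml"\r\n'
     "Accept: image/jpeg, image/gif, audio/amr, */*\r\n\r\n"),
    ("10.45.13.41",
     "GET /mms/77be04d1 HTTP/1.1\r\nHost: mms.example.net\r\n"
     "User-Agent: SonyEricssonT610/R201 Profile/MIDP-1.0 Configuration/CLDC-1.0\r\n"
     'x-wap-profile: "http://uaprof.example.net/T610.xml"\r\n'
     "Accept: image/jpeg, image/gif, */*\r\n\r\n"),
    ("10.45.19.200",
     "GET /mms/c0ffee42 HTTP/1.1\r\nHost: mms.example.net\r\n"
     "User-Agent: MOT-V710/08.B4.26R MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1\r\n"
     'x-wap-profile: "http://uaprof.example.net/V710.xml"\r\n'
     "Accept: */*\r\n\r\n"),
    ("198.51.100.9",                                   # not a notified phone: a scanner
     "GET /mms/deadbeef HTTP/1.1\r\nHost: mms.example.net\r\n"
     "User-Agent: curl/7.15\r\n\r\n"),
]

TOKEN_RE = re.compile(r"^/mms/([0-9a-f]{8})$")
MODEL_RE = re.compile(r"^([^/\s]+)")   # first product token, e.g. "Nokia6620" of "Nokia6620/2.0 (...)"
# Headers that identify the handset platform to any server it talks to.
SENSITIVE_HEADERS = {"user-agent", "x-wap-profile", "profile", "x-wap-profile-diff"}


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split an HTTP/1.1 request head into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def build_hit_list(captured: list[tuple[str, str]], sent: dict[str, str]) -> list[dict]:
    """Step 1 of the attack: join each request back to the number that was notified."""
    hits = []
    for client_ip, raw in captured:
        _method, target, headers = parse_request(raw)
        m = TOKEN_RE.match(urlparse(target).path)
        if not m or m.group(1) not in sent:
            continue                                 # stray request, not a notified phone
        ua = headers.get("user-agent", "")
        model = MODEL_RE.match(ua)
        hits.append({
            "number": sent[m.group(1)],
            "ip": client_ip,
            "user_agent": ua,
            "model": model.group(1) if model else "",
            "uaprof": headers.get("x-wap-profile", headers.get("profile", "")).strip('"'),
        })
    return hits


GATEWAY_IP = "100.64.0.1"                              # assumed WAP gateway address
GENERIC_UA = "Mozilla/4.0 (compatible; WAP gateway)"   # assumed replacement value


def gateway_filter(client_ip: str, raw: str) -> tuple[str, str]:
    """Forward a handset request as Section 3.3.1 proposes: the gateway keeps the
    UAProf for its own transcoding, while the origin server sees a generic
    User-Agent, no profile, and the gateway's address instead of the phone's."""
    method, target, headers = parse_request(raw)
    forwarded = {n: v for n, v in headers.items() if n not in SENSITIVE_HEADERS}
    forwarded["user-agent"] = GENERIC_UA
    lines = [f"{method} {target} HTTP/1.1"] + [f"{n}: {v}" for n, v in forwarded.items()]
    return GATEWAY_IP, "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    for h in build_hit_list(CAPTURED, SENT_TOKENS):
        print("exposed :", h["number"], h["ip"], h["model"], h["uaprof"])
    filtered = [gateway_filter(ip, raw) for ip, raw in CAPTURED]
    for h in build_hit_list(filtered, SENT_TOKENS):
        print("filtered:", h["number"], h["ip"], h["model"], repr(h["uaprof"]))
```

After the filter, the same parser still learns that each number is live and downloads automatically (only the MMS message filtering at the SGSN or GGSN addresses that leak), but it now sees the gateway's address, a generic User-Agent and no profile, so no handset model or IP address can be attached to the number.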

3.3.2 Adaptive PDP Context Management

In addition to protocol modification, we suggest a defense framework that avoids the shortcomings of external firewalls and IDSs discussed below by supplementing these protection mechanisms. Such a defense mechanism should meet the following requirements:

It can serve as an event detector for IDSs already in place to monitor the internal network.

It must also be effective against insider attacks, where malicious users are connected through the cellular network instead of the Internet.

It should be non-intrusive, so that it does not require ancillary network infrastructure; it should use existing GPRS mechanisms to provide an additional layer of protection.

In the following sections, we propose a novel defense mechanism implemented at the GGSN, Adaptive PDP Context Management (APM), designed to detect and mitigate the attacks described above.

Motivation

Firewalls and IDSs are common mechanisms for defending against malicious behavior from the Internet, but they have several disadvantages: (1) firewalls and IDSs become a single point of failure; (2) they are external entities, and they usually do not protect against insider attacks; (3) they are not flexible enough to adapt dynamically to traffic conditions without system administrators, so they require knowledgeable administration staff; (4) they are not suitable for monitoring peer-to-peer (such as Bluetooth) communication; and (5) they cannot protect against attacks exploiting insecure protocols whose actions appear valid, since they either allow or deny a connection.

Our defense framework attempts to avoid these shortcomings of external firewalls and IDSs by supplementing these protection mechanisms in order to detect and mitigate attacks that could stealthily bypass them. Our defense mechanism can also serve as an event detector for IDSs already in place to monitor the internal network. It is also effective against insider attacks, where malicious users are connected through the cellular network instead of the Internet. Finally, APM is non-intrusive: it does not require ancillary network infrastructure, as it uses existing GPRS mechanisms to provide an additional layer of protection.

Using the two observations from Section 3.3, we developed APM to detect and mitigate attacks at the GGSN. APM not only completely mitigates our battery-draining attack, but also detects and mitigates other attacks that exploit the paging channel and the PDP context, such as flooding attacks on the paging channel using packets from the Internet.

Design Principle

We designed APM with three goals in mind:

It should be implemented in the network core.

It should be transparent to mobile users.

It must be simple.

Since our attack focuses on draining the batteries of mobile users, the defense strategy must not exacerbate the attack by requiring additional processing from the mobile phone; otherwise, the defense mechanism itself could be used as a battery-draining tool. Since the network core can be assumed to have unlimited power, the defense mechanism must be implemented at the core. Furthermore, it is almost impossible to deploy any defense strategy on the mobile phone, since cellular technology is already widely deployed: service providers cannot require all users to upgrade or update their hardware, and any defense strategy is useless if users do not deploy it. Software patches, for instance, are often useless against malware because of deployment problems. Cellular providers, on the other hand, can easily deploy defense strategies at the core without user interaction.

Our defense should also be transparent to each user. If our defense mechanism causes any inconvenience for mobile users, they will most likely complain to their service providers. Usability is a main concern for mobile users, since attacks on mobile phones are, at this time, unlikely and not widespread. Furthermore, service providers will be less inclined to implement our strategy if it inconveniences users and incurs support costs to educate customers.

[Figure 3.6 (flowchart): for an outgoing packet, if no PDP context exists the packet is dropped; if the packet opens a new connection and stateCount < max, stateCount is doubled and the packet is transmitted; if the packet closes a connection, stateCount is halved. For an incoming packet that belongs to an existing connection, the packet is transmitted; for one that does not, if stateCount > 0 then stateCount is decremented and the packet is transmitted, otherwise (1) backoff, (2) PDP modification, (3) drop packet.]

Figure 3.6: Adaptive PDP Context management scheme

Finally, our defense strategy should be as simple as possible because of the high workload of each GGSN, which provides the interface for millions of mobile phones. If our mechanism were computationally expensive, an attacker could exploit this and in turn cause a DoS on the GGSN.

Strategy overview

For clarity, we present APM both as pseudocode, shown below, and as the flowchart in Figure 3.6. APM is separated into three phases: the detection phase, the exponential increase linear decrease (EILD) phase, and the recovery phase.

APM(packet)
    if packet is outgoing
        then if packet initiates a new connection
                then if stateCount < stateCount_max
                        then stateCount ← max(1, 2 · stateCount)
             if packet ends a connection
                then stateCount ← stateCount / 2
             transmit packet
        else if a PDP context exists for the destination
                then if packet belongs to an existing connection
                        then transmit packet
                        else if stateCount > 0
                                then stateCount ← stateCount − 1
                                     transmit packet
                                else backoff
                                     perform PDP modification
                                     drop packet
                else drop packet

The APM detection algorithm works as follows. For each packet, the algorithm decides whether it is valid. The GGSN can do so using our second observation from Section 3.3: a packet is not valid if it is incoming and does not belong to any active connection. Since the GGSN is stateful and already keeps track of connection states, it can distinguish valid from invalid packets simply by examining the header of each packet. However, to offload work from the GGSN, we also propose a modification to the PDP context. Currently, the PDP context contains only the external address of each mobile device. Instead of storing just the address, we can store (IP address, port number) tuples, and a modified PDP context can hold multiple such tuples. Whenever a mobile agent requests an outgoing connection, a tuple is assigned to it instead of just an address. Using this technique, we can easily distinguish between valid and invalid incoming packets.

To manage the lifetime of the PDP context, we introduce a new variable stored with the PDP context, called stateCount. This counter serves as the time to live (TTL) of each PDP context. The algorithm uses stateCount in the following way: when the GGSN receives an outgoing connection request or packet, a new tuple is assigned to the mobile phone and stateCount is doubled (if stateCount is 0, it is initialized to 1). If, however, the GGSN receives an invalid incoming packet, stateCount is decremented by 1. When stateCount reaches 0, the GGSN concludes that the phone is under attack and performs recovery. This phase is called exponential increase, linear decrease (EILD). With EILD, our algorithm can withstand a certain amount of false positives before raising an alert and entering the recovery phase. For example, it would be hard to distinguish between valid and malicious streaming traffic, and port scanners, worms, and other backscatter activity [50] are unavoidable on the Internet. Using EILD, we avoid disrupting the user as much as possible before entering the recovery phase. Finally, we note that the PDP context can still be kept indefinitely, depending on the service provider's policy, as long as the mobile agent is not under attack.


The recovery phase is entered when stateCount has decreased to 0. It proceeds as follows: before disconnecting the user, we apply a random backoff wait period in (Cmin, Cmax), which allows any existing connections to finish. After the random backoff period, the GGSN performs a gateway-assisted PDP context modification, changing the external address in the PDP context. At this time, all connections that are still active are dropped, which prevents the attacker from reaching the mobile agent. Only one extra message is sent to the mobile agent to notify it of the modification, and one extra message is sent from the mobile agent to acknowledge the change. After the recovery phase, the mobile agent can resume its data connection and request outgoing connections as usual.

Specification Modification

Our defense strategy can be safely implemented in the existing GPRS infrastructure without violating the specification [51], with one exception that we discuss below. In particular, the GPRS specification states that users should be able to establish and deactivate GPRS service on request; our defense mechanism does not violate this.

The specification does not clearly state any PDP context management scheme; in fact, it does not restrict when a PDP context should be deactivated. However, under invocation and operation, the specification states that

It shall be possible for a MS to be a GPRS service requester and service receiver.

Our defense mechanism would violate this requirement. We argue, however, that cellular devices should not act as servers or as service receivers. In fact, most service providers in the US restrict mobile agents' usage and do not allow any type of service to be active on a mobile user's device. Furthermore, the specification makes our battery-draining attack and many other attacks possible, since it allows an external entity to activate a PDP context and communicate with mobile devices. We argue that such behavior should not be encouraged, and that protection against such exploitation should be strictly enforced.

Analytical Analysis

We now present an analytical analysis of our proposed defense strategy and provide a simplistic calculation of the maximum stateCount value which must be set in order for our defense to detect an attack.

We define the number of packets needed in order to mount a battery draining attack as follows:

$$n \cdot 60\,\frac{\mathrm{sec}}{\mathrm{min}} \cdot 60\,\frac{\mathrm{mins}}{\mathrm{hr}} \cdot h\,\mathrm{hours} = 60^2 nh. \qquad (3.1)$$

Given n = #packets/s and h, the number of hours required to drain a phone's battery (h ∝ 1/n), we can calculate the upper bound on the number of outgoing connections that a cellular operator may set. Parameters n and h are network dependent, so each operator would have to tailor them to their network.

In order to detect this attack, our stateCount variable must not exceed 60²nh. Since we exponentially increase stateCount in the fashion of 2^connectionCount, we calculate connectionCount_max as follows:

$$\mathrm{connectionCount}_{max} = \lfloor \log_2 (60^2 nh) \rfloor \qquad (3.2)$$

And following our argument from above, the connectionCount should be calculated as follows:

$$\mathrm{connectionCount} \le \lfloor \log_2 (60^2 nh) \rfloor \qquad (3.3)$$

For example, for n = 1 packet/s and h = 4 hours we notice that connectionCount = ⌊log₂ 14400⌋ = 13. This means that the maximum number of connections each phone can make simultaneously in order to detect an attack that sends 1 packet/s is 13 connections.

Note that this calculation provides a maximum for the connectionCount variable. Providers should set this variable limit to a much smaller number, in order to detect any type of attack much faster than this rate.

Implementation Details

As mentioned previously, our defense strategy is best implemented on the GGSN. Since service providers already perform some proprietary PDP management scheme, as tested empirically³, implementing our scheme would be very simple. Furthermore, as most of the functions needed are already implemented, such as the gateway-assisted PDP context modification function, there would not be any additional implementation work.

³During our battery draining experiments, the PDP context sometimes would detach even if the mobile phone was stationary. We noticed that a PDP context can be alive from 15 minutes to even days.

Furthermore, our proposed extension to the PDP context would also be a simple modification. The implementation of the modified PDP context can be transparent to mobile devices, and the mapping can be done entirely at the GGSN. Since GGSNs are already stateful, a simple change in IP address assignment would not be difficult. Furthermore, our proposed modification to the PDP context would also provide NAT-like behavior, as each IP address can be assigned multiple times using different ports.

We envision APM to be implemented as a plug-in module, which should not be any longer than a couple of hundred lines of code. Since GGSNs are standardized within each service provider, a patch-like distribution can be easily deployed once the module has been fully tested on testbeds.

3.4 Conclusion

In this chapter, we demonstrated an attack that is able to drain mobile devices' battery power as much as 22 times faster. This attack proceeds in two stages. First, the attack exploits vulnerabilities in MMS to build a hit list of mobile devices. Then, the attack exploits PDP context retention and the paging channel to drain mobile devices' battery power. We were able to drain batteries without alerting either the mobile user victims or the cellular network operators. Our analysis shows that an attacker would need only several home DSL Internet connections to mount a large-scale attack against a large number of cellular phones. We identified key components in cellular networks that enable this attack and proposed corresponding mitigating solutions.

Chapter 4

Exploiting Opportunistic Scheduling in Cellular Packet Networks

In this chapter, we study 3G and 3.5G networks and investigate the unwarranted trust granted to mobile devices and the ensuing vulnerabilities. These networks rely on schedulers to multiplex the spectrum efficiently. A commonly used scheduling algorithm is Proportional Fair (PF) [52, 53], which maximizes the product of the throughput delivered to all users. In this chapter, we reveal vulnerabilities in the PF scheduler and demonstrate that malicious mobile devices can usurp time slots at the expense of honest users, hence denying them network access. For example, we show that only one attacker per cell that has 50 users can occupy as much as 89% of all the scheduling slots indefinitely. Similarly, five attackers per cell can cause and perpetuate a 2.1 s end-to-end inter-packet transmission delay for every victim user in the cell, thus rendering many services useless.

4.1 Attack overview

Our attacks exploit vulnerabilities that result from the unwarranted trust that the network grants to mobile devices. By reporting false channel conditions and initiating frequent handoffs, attackers can usurp the majority of downlink¹ scheduling slots, causing intolerable delays to the victim users and rendering many network services virtually useless. We will give an overview of the vulnerable 3G data network technologies and our attacks.

¹From the network to the mobile users.

4.1.1 3G data networks

Cellular providers have developed two new data services, EV-DO and HSDPA, to provide broadband-like downlink speed for emerging applications such as Voice-over-IP (VoIP), and streaming video and audio, without major network restructuring. In both services, the downlink utilizes time division multiplexing by dividing the channel into time slots, or Transmission Time Intervals (TTI). (Note that TTI = 1.67 ms for EV-DO and TTI = 2 ms for HSDPA.) The scheduler at each base station then selects a single user to transmit at each TTI. Both services rely on two main techniques to increase efficiency in the downlink direction: link adaptation and fast retransmission. Link adaptation utilizes the base station's processing power to collect quasi-instantaneous downlink quality information, a channel quality indicator (CQI). Based on this CQI, the base station can adapt the data rate to channel conditions: the better the channel condition, the higher the data rate. The fast retransmission mechanism enables a mobile device to NACK each erroneous downlink packet in order to request a retransmission from its base station instead of the originating server.

Opportunistic scheduling

Most 3G data services implement an opportunistic scheduler (both HSDPA [54] and EV-DO [55] outline the use of an opportunistic scheduler in the downlink; several service providers also confirmed the use of an opportunistic scheduler in their data networks). In cellular networks, channel conditions of mobile devices are time-varying and location-dependent. Since instantaneous channel conditions determine the instantaneous data rates of mobile devices [56], mobile devices periodically measure and report their CQIs to their base stations. An opportunistic scheduler at a base station selects a user with relatively good channel condition to transmit while maintaining predefined QoS or fairness constraints. Thus, opportunistic schedulers often achieve higher network performance than schedulers that do not take into account instantaneous channel conditions, such as round robin. A very popular opportunistic scheduler is Proportional Fair (PF), whose design goal is to maximize the product of the throughput delivered to all users [52, 53].

In PF, each mobile device measures its instantaneous channel conditions through pilot signals, estimates the achievable data rate under its channel condition (denoted as CQI_i(t) for user i at time t), and sends the information back to the base station. To achieve the goal of maximizing the product of the throughput delivered to all users [57], the PF scheduler chooses the user with the highest ratio of CQI_i(t)/R_i(t)², where R_i(t) is the average throughput of user i at time t. It is estimated by the base station as follows:

$$R_i(t) = \begin{cases} \alpha\, CQI_i(t) + (1-\alpha)\, R_i(t-1) & \text{if user } i \text{ is scheduled at } t \\ (1-\alpha)\, R_i(t-1) & \text{otherwise} \end{cases} \qquad (4.1)$$

where α is a network provider's parameter describing the weight of the current time slot toward the average. Typically, α is set as 0.001.

²PF makes scheduling decisions based on the ratio $DRC_i(t)/R_i(t)$ where $DRC_i(t) = \min\{CQI_k[n], B_k[n]/t_{TTI}\}$ and $B_k[n]$ is the buffer size. We eliminated buffer dependence from our calculations for simplicity.

Handoff

Cellular networks implement handoffs to transfer a connection from one base station to another. There are two types of handoffs: soft and hard. In a hard handoff, the network drops the connection to the current base station before initiating a new one. In a soft handoff, on the other hand, a mobile device can have connections to several base stations simultaneously and choose to transmit through the best base station. Noticeably, handoffs in 3G cellular services do not break data transmission sessions.

4.1.2 Overview of attacks

3G data networks include mobile devices in their TCB. However, attackers can modify mobile devices to perform actions different from those intended by the providers, even when providers attempt tamper-proof techniques [32, 58]. By trusting all mobile devices, 3G data networks suffer from at least two vulnerabilities.

Fabricated CQIs  Opportunistic schedulers base their scheduling decisions on CQIs reported by mobile devices without verification. By reporting fabricated CQIs, malicious mobile devices can manipulate the schedulers to achieve unfair network utilization and to disrupt other mobile devices. For instance, a malicious mobile device can report an inflated CQI such that its ratio of CQI to average data rate is the highest among all the devices in its cell, therefore ensuring that it will be scheduled in the next time slot. By repeating this strategy, the malicious device may obtain a large portion of slots in a short period of time, which causes large delay and delay jitter to other users (Section 4.2.1).

Greedy handoffs  Mobile devices may initiate soft handoffs, but opportunistic schedulers are oblivious of handoffs. For example, when a mobile device performs a handoff to another base station, the new base station does not retrieve the device's average data rate from its previous base station [40], but rather assigns an often small or average value as the device's initial average rate. In the previous attack via reporting fabricated CQIs, the malicious mobile device has to report monotonically increasing CQIs to sustain the attack because its average data rate keeps increasing. Eventually, the attack becomes ineffective when its reported CQI exceeds the maximum allowable CQI. However, if the malicious device sits in the coverage of multiple base stations, it may hand off to another cell to acquire a fresh, lower average data rate and start the attack again. Moreover, multiple malicious devices may cooperate to attack multiple cells simultaneously (Section 4.2.2).

4.2 Attack analysis

Threat model  Our threat model assumes that (1) attackers control one or a few mobile devices that a cellular network has admitted; and (2) attackers have modified the devices to report any CQI value to the base station and to initiate a handoff at any time. We believe this threat model is realistic. Attackers can buy network-approved mobile devices and prepaid data plans or can spread worms to take over existing mobile devices. Moreover, experience shows that attackers can modify mobile devices to perform different actions than intended by the providers, even when providers attempt tamper-proof techniques [32, 58, 59]. However, our threat model does not assume that attackers attack the cellular network infrastructure directly, e.g. by hacking into the network. Instead, they exploit vulnerabilities in the network's scheduler by manipulating the information that their mobile devices report to the network.

Attack settings  From this point on, we use attacker to refer to either a human adversary or the mobile device of the adversary (the context should differentiate the two meanings), and use user to refer to either a human user or the mobile device of the user. When an attack involves multiple attackers, we assume that they coordinate. We will consider attacks on the proportional fair (PF) scheduler under three settings. First, we consider attacks from a single cell, with a single or multiple attackers. Next, we consider attacks from multiple cells, which are much more effective. Finally, we consider a more realistic situation where the attackers do not know the channel conditions of other users.

4.2.1 Attack within a single cell

We consider the situation when all the attackers stay in the same cell. Starting with one attacker, we use mathematical analysis and simulation to evaluate his attack strategy. Then, we extend our analysis to multiple attackers in the same cell. We assume that no user leaves or joins the cell during the attack. Although this assumption is not crucial to our attack, it simplifies our analysis. We also assume that the attackers know the channel conditions of all the users in the cell. Section 4.2.3 will describe an attack strategy for the situations when this assumption does not hold.

Single attacker

The goal of the single attacker is to obtain a large number of consecutive time slots, therefore causing severe delay and jitter for the other victim users in the same cell. Since the PF scheduler assigns the next time slot to the user that has the highest ratio of instantaneous achievable data rate (measured in CQI) to average throughput, the attacker can report a large enough CQI to obtain the time slot. To obtain consecutive time slots, the attacker must report monotonically increasing CQIs (because its average throughput is increasing while other users' throughput is decreasing, according to Equation 4.1) until its reported CQI exceeds the range of CQI values.

It is difficult to calculate the precise number of consecutive time slots that the attacker can get, because the number depends on the channel conditions of all the users in the cell. However, we can estimate an upper bound of this number by considering a simplified situation where each user has the same CQI.³ First, we calculate the average throughput of a user. Let R_i(t) be the average throughput of user i at time slot t. Recall from Section 4.1.1 that

$$R_i(t) = \begin{cases} \alpha\, CQI_i(t) + (1-\alpha)\, R_i(t-1) & \text{if user } i \text{ is scheduled at } t \\ (1-\alpha)\, R_i(t-1) & \text{otherwise} \end{cases} \qquad (4.2)$$

Since we assume that each user has the same CQI, the PF scheduler becomes a round robin scheduler, where each user is scheduled once every N slots (N is the number of users in the cell). For example, if user i is scheduled at time slot s, he will not be scheduled until time slot s+N. Therefore, user i's average rate R_i(t) is maximized at time slot s, and minimized at time slot s+N−1. According to Equation 4.1,

$$R_i(s) = (1-\alpha)^N R_i(s-N) + \alpha\, CQI \qquad (4.3)$$

³And each user always has outstanding data to receive.

Let us consider a steady state, where R_i(t) = R_i(t+kN) for all integer k. In this case, R_i(s) = R_i(s−N). Using this equality in Equation 4.3, we have

$$R_i(s) = \frac{\alpha\, CQI}{1-(1-\alpha)^N} \approx \frac{CQI}{N} \qquad (4.4)$$

R_i(s) is user i's maximum throughput. His minimum throughput is

$$R_i(s-1) = R_i(s+N-1) = (1-\alpha)^{N-1} R_i(s) \approx (1-\alpha)^{N-1}\, \frac{CQI}{N} \qquad (4.5)$$

Let C(t) = max_i {CQI/R_i(t)} be the maximum CQI-to-throughput ratio at time t among all the users. In the steady state, C(t) becomes a constant C, which is:

$$C = \frac{CQI}{R_i(s-1)} \approx \frac{N}{(1-\alpha)^{N-1}} \qquad (4.6)$$

Next, we describe a strategy for the attacker to obtain consecutive time slots. To obtain time slot 1, the attacker i must report a CQI_i(1) such that CQI_i(1)/R_i(0) ≥ C(0). After time slot 1, C(1) = C(0)/(1−α), because for each victim user j, its CQI remains constant, but its average throughput R_j has been scaled by 1−α. Therefore, to obtain time slot 2, the attacker i must report CQI_i(2) such that CQI_i(2)/R_i(1) ≥ C(1) = C(0)/(1−α). Subsequently, at time t, the attacker must claim CQI_i(t) such that CQI_i(t)/R_i(t−1) ≥ C(0)/(1−α)^{t−1}. The attacker can obtain consecutive time slots until the required CQI_i(t) exceeds CQI_max, the maximum value of CQI. Therefore, the maximum number of consecutive time slots that the attacker can obtain is the maximum integer t_0 that satisfies

$$CQI_{max} \ge \frac{C}{(1-\alpha)^{t_0-1}}\, R_a(0) \prod_{k=1}^{t_0-1} \left( \frac{\alpha C}{(1-\alpha)^{k-1}} + (1-\alpha) \right) \qquad (4.7)$$

Equation (4.7) shows that the maximum number of consecutive slots an attacker can obtain (t_0) depends on the average throughput of the attacker at the beginning of the attack (R_a(0)), the maximum CQI (CQI_max), and α. Since the maximum CQI and α are set by the system, they are out of the control of the attacker. The maximum CQI depends on the hardware. α is used to balance the tradeoff between long-term and short-term performance. The smaller the value of α, the better the system's long-term throughput; however, when under attack, the smaller the value of α, the larger the value of t_0, i.e., the attacker can obtain more time slots. By comparison, the attacker has control over R_a(0), its average throughput at the beginning of the attack. Equation (4.7) shows that the smaller the value of R_a(0), the larger the value of t_0. Therefore, after each attack session, the attacker needs to reset its R_a(0) by reporting the lowest CQI values for a sufficient period (typically on the order of seconds). Finally, this model is simplified, assuming all victim users have the same, consistent CQI. When users have time-varying channel conditions, Equation 4.7 provides an upper bound for estimating t_0.

Multiple attackers

A single attacker can obtain consecutive time slots until his reported CQI exceeds the maximum CQI value; however, the number of consecutive time slots obtained can be increased by using multiple colluding attackers. We describe three different coordinating schemes.

Sequential attack  The simplest scheme is to attack sequentially. The attacker with the smallest average throughput R_i(t) starts the attack and tries to obtain as many consecutive time slots as possible, while the other attackers lurk (by reporting arbitrarily small CQIs to avoid being scheduled). When the active attacker's reported CQI exceeds the maximum value of CQI, it stops the attack while the attacker with the smallest average throughput starts to attack. The attack continues until no attacker can get scheduled (because their average throughput is too high).

Minimum CQI Attack  Since the attack will stop when all attackers' reported CQIs exceed the maximum value, this scheme tries to slow the increase of the reported CQIs. At each time slot, each attacker computes the CQI that it needs to obtain the time slot. Then, the attacker with the smallest CQI reports its CQI to the base station while the other attackers lurk.

Delta CQI Attack  This algorithm tries to slow the increase of the calculated CQI values. At each time slot t, each attacker i computes the increment Δ_i(t) needed over its previous CQI. In other words, Δ_i(t) = CQI_i(t) − CQI_i(t−1). The attacker with the smallest Δ_i(t) then reports its CQI to the base station.

Simulation

We used simulation to evaluate the effectiveness of our attacks in a single cell. In the simulation, we chose parameters that were recommended by specifications or that were commonly used by cellular networks. The PF scheduler had α = 0.001. The cell had 50 users. Each user quantized his channel condition into a CQI, an integer between 1 and 15, and reported the CQI to the base station. The goal of the attack was to obtain the maximum number of consecutive time slots.

First, we simulated a single attacker in a cell with 49 victim users. We used the same ideal scenario as in our analysis in Section 4.2.1, i.e., all victim users had the same CQI value. The simulation showed that the attacker could obtain 42 consecutive time slots, whereas Equation 4.7 predicts that the attacker can obtain 39 consecutive time slots. The minor difference between the simulation and the analysis is due to the approximation during the derivation of Equation 4.7.
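A model of the PF scheduler of Equation 4.1 in the ideal single-cell scenario of Section 4.2.1, added here as an example and not the thesis's own simulator: it assumes 49 victims sharing CQI 8, integer CQIs in 1..15, α = 0.001 and a constructed starting average of 0.5 for every user, lets the attacker lurk at CQI 1 and then report the smallest winning integer CQI each slot, and compares the run of consecutive slots it obtains with the bound of Equation 4.7.

```python
# Added example (not the thesis author's code): a model of the PF scheduler
# of Equation 4.1 in the ideal single-cell scenario of Section 4.2.1, where
# N-1 honest users share one CQI and the attacker (last index) lurks with the
# minimum CQI, then reports the smallest integer CQI that wins each slot.
import math

ALPHA = 0.001   # provider parameter of Equation 4.1 (typical value)
CQI_MAX = 15    # CQI quantised to an integer in 1..15, as in the simulation
CQI_MIN = 1


def pf_update(avg, cqi, scheduled, alpha=ALPHA):
    """Equation 4.1: exponential average of one user's throughput."""
    return alpha * cqi + (1 - alpha) * avg if scheduled else (1 - alpha) * avg


def pf_step(avgs, reports, alpha=ALPHA):
    """One TTI: pick the highest reported CQI / average rate, update averages.
    Ties go to the lowest index, so identical honest users become round robin."""
    winner = max(range(len(avgs)), key=lambda k: reports[k] / avgs[k])
    return winner, [pf_update(a, reports[k], k == winner, alpha)
                    for k, a in enumerate(avgs)]


def warm_up(n_users, cqi_victim, slots=10000, alpha=ALPHA):
    """Run the cell until averages settle (constructed start value 0.5 each);
    the attacker lurks with CQI_MIN the whole time."""
    avgs = [0.5] * n_users
    reports = [cqi_victim] * (n_users - 1) + [CQI_MIN]
    for _ in range(slots):
        _, avgs = pf_step(avgs, reports, alpha)
    return avgs


def steady_state_rate(cqi, n_users, alpha=ALPHA):
    """Equation 4.4: maximum average rate of an honest user in steady state."""
    return alpha * cqi / (1 - (1 - alpha) ** n_users)


def analytical_t0(r_a0, c0, alpha=ALPHA, cqi_max=CQI_MAX):
    """Largest t0 satisfying Equation 4.7 with continuous CQI values;
    c0 is the ratio C and r_a0 the attacker's starting average R_a(0)."""
    t0, r_a = 0, r_a0
    while True:
        needed = c0 * r_a / (1 - alpha) ** t0      # CQI that wins slot t0 + 1
        if needed > cqi_max:
            return t0
        t0 += 1
        r_a = alpha * needed + (1 - alpha) * r_a   # attacker's average after the win


def simulate_attack(avgs, cqi_victim, alpha=ALPHA, cqi_max=CQI_MAX):
    """Let the attacker (last index) take consecutive slots with integer CQIs.
    Returns the CQIs it had to report; the list length is the run length."""
    avgs, reported = list(avgs), []
    a = len(avgs) - 1
    while True:
        c = max(cqi_victim / avgs[k] for k in range(a))   # C(t) over the victims
        cqi_a = math.floor(c * avgs[a]) + 1   # smallest integer above C * R_a
        if cqi_a > cqi_max:
            return reported                   # the run ends, as the text predicts
        winner, avgs = pf_step(avgs, [cqi_victim] * a + [cqi_a], alpha)
        if winner != a:                       # only possible through float rounding
            return reported
        reported.append(cqi_a)


if __name__ == "__main__":
    start = warm_up(50, 8)                    # 49 victims with CQI 8, 1 attacker
    c0 = max(8 / r for r in start[:-1])
    run = simulate_attack(start, 8)
    print(len(run), "consecutive slots; Equation 4.7 bound:",
          analytical_t0(start[-1], c0))
```

Because the attacker must round each required CQI up to an integer, its average grows slightly faster than in the continuous model, so the simulated run and the Equation 4.7 value differ by a few slots, as the text reports.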

Next, we simulated the same attack under a more realistic condition where each user's channel condition was a random variable following a Rayleigh distribution with = 3 and an initial average rate of 0.5. The simulation showed that the attacker gained an average of 19 time slots, with a standard deviation of 2.77.

Next, we simulated multiple attackers in the same cell. Again, each user's channel condition was a random variable following a Rayleigh distribution. We varied the number of attackers from one to five and simulated each of the attack schemes in Section 4.2.1. Figure 4.1 shows that the number of collective conse

