Cellular Networks: Background and Classical Vulnerabilities

Similar documents
The GSM and GPRS network T /301

CS Cellular and Mobile Network Security: Cellular Networking

Mobile Wireless Overview

Wireless LANs vs. Wireless WANs

Development of Wireless Networks

Wireless Mobile Telephony

Wireless Cellular Networks: 1G and 2G

Wireless Cellular Networks: 3G

CS263: Wireless Communications and Sensor Networks

Mobile Communications TCS 455

Lecture overview. History of cellular systems (1G) GSM introduction. Basic architecture of GSM system. Basic radio transmission parameters of GSM

Emerging Wireless Technologies

2G/3G Mobile Communication Systems

GSM v. CDMA: Technical Comparison of M2M Technologies

communication over wireless link handling mobile user who changes point of attachment to network

Mobile Computing. Basic Call Calling terminal Network Called terminal 10/25/14. Public Switched Telephone Network - PSTN. CSE 40814/60814 Fall 2014

Guide to Wireless Communications. Digital Cellular Telephony. Learning Objectives. Digital Cellular Telephony. Chapter 8

Modern Wireless Communication

CS Cellular and Mobile Network Security: GSM - In Detail

Chapters 1-21 Introduction to Wireless Communication Systems

How To Understand The Gsm And Mts Mobile Network Evolution

EPL 657 Wireless Networks

GSM GPRS. Course requirements: Understanding Telecommunications book by Ericsson (Part D PLMN) + supporting material (= these slides)

Wireless Access of GSM

Mobile Communications

Mobile Networking. SS7 Network Architecture. Purpose. Mobile Network Signaling

Cellular Network Organization. Cellular Wireless Networks. Approaches to Cope with Increasing Capacity. Frequency Reuse

GSM and Similar Architectures Lesson 07 GSM Radio Interface, Data bursts and Interleaving

Lecture 1. Introduction to Wireless Communications 1

GSM Network and Services

International Journal of Advanced Research in Computer Science and Software Engineering

Revision of Lecture Eighteen

In this Lecture" Access method CDMA" Mobile and Sensor Systems Lecture 2: Mobile Medium Access Control Layer and Telecommunications

Mobile Communications Chapter 4: Wireless Telecommunication Systems slides by Jochen Schiller with modifications by Emmanuel Agu

CS Cellular and Mobile Network Security: CDMA/UMTS Air Interface

Attenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction

Course Duration: Course Content Course Description Course Objectives Course Requirements

Indian Journal of Advances in Computer & Information Engineering Volume.1 Number.1 January-June 2013, Academic Research Journals.

Introduction to Wireless Communications and Networks

Παρουσιάσεις για το Μάθημα Ασύρματων και Κινητών Τηλεπικοινωνιών του ΔΜΠΣ στο ΕΚΠΑ

Global System for Mobile Communications (GSM)

EE 4105 Communication Engg-II Dr. Mostafa Zaman Chowdhury Slide # 1

Chapter 6 Bandwidth Utilization: Multiplexing and Spreading 6.1

WHITE PAPER. Use of MPLS technology in mobile backhaul networks CONTENTS: Introduction. IP/MPLS Forum White Paper. February Introduction...

1 Introduction. 2 Assumptions. Implementing roaming for OpenBTS

FIGURE 12-1 Original Advanced Mobile Phone Service (AMPS) frequency spectrum

Toolkit for vulnerability assessment in 3G networks. Kameswari Kotapati The Pennsylvania State University University Park PA 16802

CDMA TECHNOLOGY. Brief Working of CDMA

CHAPTER 1 1 INTRODUCTION

Worldwide Major Mobile Phone Vendor Performance, 2Q 2015

Positioning in GSM. Date: 14th March 2003

Mobile & Wireless Networking. Lecture 5: Cellular Systems (UMTS / LTE) (1/2) [Schiller, Section 4.4]

2G, 3G, 4G... OMG! What G Is Right for IoT / M2M? Aeris White Paper.

Multiple Access Techniques

GSM Architecture and Interfaces

1 Lecture Notes 1 Interference Limited System, Cellular. Systems Introduction, Power and Path Loss

Global System for Mobile Communication Technology

Mobile Phone Security. Hoang Vo Billy Ngo

Chapter 6 Wireless and Mobile Networks

VPN. Date: 4/15/2004 By: Heena Patel

Chapter 1: Introduction

Administrivia. CSMA/CA: Recap. Mobility Management. Mobility Management. Channel Partitioning, Random Access and Scheduling

Cooperative Techniques in LTE- Advanced Networks. Md Shamsul Alam

How To Make A Multi-User Communication Efficient

Lecture 18: CDMA. What is Multiple Access? ECE 598 Fall 2006

INTERNET ACCESS COMPARISON BETWEEN GSM AND CDMA NETWORKS

3GPP Wireless Standard

Imre Földes THE EVOLUTION OF MODERN CELLULAR NETWORKS

GSM System. Global System for Mobile Communications

GPRS Systems Performance Analysis

Computer Networks. Wireless and Mobile Networks. László Böszörményi Computer Networks Mobile - 1

Cellular Network Organization

INTELLIGENT NETWORK SERVICES MIGRATION MORE VALUE FOR THE

Module 5. Broadcast Communication Networks. Version 2 CSE IIT, Kharagpur

ECE/CS 372 introduction to computer networks. Lecture 13

Global System for Mobile Communication (GSM)

18-759: Wireless Networks Lecture 18: Cellular. Overview

INTRODUCTION TO COMMUNICATION SYSTEMS AND TRANSMISSION MEDIA

Wireless LAN advantages. Wireless LAN. Wireless LAN disadvantages. Wireless LAN disadvantages WLAN:

UMTS/GPRS system overview from an IP addressing perspective. David Kessens Jonne Soininen

Handoff in GSM/GPRS Cellular Systems. Avi Freedman Hexagon System Engineering

Cellular Technology Sections 6.4 & 6.7

! encor e networks TM

Chapter 10 VoIP for the Non-All-IP Mobile Networks

Introductory Concepts

Mobile Application Part protocol implementation in OPNET

Hello viewers, welcome to today s lecture on cellular telephone systems.

Pradipta Biswas Roll No. 04IT6007 M. Tech. (IT) School of Information Technology Indian Institute of Technology, Kharagpur

How To Understand The Theory Of Time Division Duplexing

1 Which network type is a specifically designed configuration of computers and other devices located within a confined area? A Peer-to-peer network

EETS 8316 Wireless Networks Fall 2013

Location management Need Frequency Location updating

Best Practices for Outdoor Wireless Security

Overview of Network Architecture Alternatives for 3GPP2 Femto Cells Jen M. Chen, et al. QUALCOMM Incorporated

Cellular Network. Outline. Chapter 8. Conventional Radio

Packet Synchronization in Cellular Backhaul Networks By Patrick Diamond, PhD, Semtech Corporation

Mobile Networking Concepts and Protocols CNT 5517

PDF vytvořeno zkušební verzí pdffactory UMTS

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Transcription:

Cellular Networks: Background and Classical Vulnerabilities Patrick Traynor CSE 545 1

Cellular Networks Provide communications infrastructure for an estimated 2.6 billion users daily. The Internet connects roughly 1 billion. For many people, this is their only means of reaching the outside world. Portable and inexpensive nature of user equipment makes this technology accessible to most socioeconomic groups. 2

Aren t They The Same? Cellular networks and the Internet are built to support very different kinds of traffic. Real-time vs Best Effort The notions of control and authority are different. Centralized vs distributed The underlying networks are dissimilar. Circuit vs packet-switched 3

Network Characteristics Composed of wired backbone and wireless last-hop Inconsistent performance Variable delay High error rates Lower bandwidth Potentially high mobility. 4

Access Basics - FDMA The most basic access technique is known as Frequency-Division Multiple Access (FDMA). Each user in these systems receives their own dedicated frequency band (i.e., carrier ). Requires one for uplink and another for downlink. To reduce interference, each carrier must be separated by guard bands. 5

TDMA Access Time-Division Multiple Access (TDMA) systems greatly increase spectrum utilization. Each carrier is subdivided into timeslots, thereby increasing spectrum use by a factor of the divisor. Requires tight time synchronization in order to work. To protect against clock drift, we need to buffer our timeslots with guard-time. 6

CDMA Access Code-Division Multiple Access (CDMA) systems have users transmit simultaneously on the same frequency. The combined transmissions are viewed additively by the receiver. By applying a unique code, the receiver can mask-out the correct signal. Picking these codes must be done carefully. 7

In the beginning... (1G) First commercial analog systems introduced in the early 1980 s. Two competing standards arose: The Advanced Mobile Phone System (AMPS) and Total Access Communication System (TACS). Both systems were FDMA-based, so supporting a large number of calls concurrently was difficult. 8

The Advent of Digital (2G) Second Generation systems were introduced in the early 1990 s. Three competing standards: IS-136 and GSM (TDMA) and IS-95-A/cdmaOne (CDMA). 2G networks introduced dedicated control channels, which greatly increased the amount of information exchanged between devices and the network. 9

Introducing Data (2.5G) Digital brings higher bandwidth, and the opportunity to deploy data services. Standards for data systems: GPRS and HSCSD (TDMA) IS-95-B/cdmaOne (CDMA). 2.5G Data services have been met with varying success. 2.75G provides significant improvements. 10

High Speed (3G) In theory, can provide rates of 10 Mbps downlink. Slow to roll out, 3G systems are only now becoming widespread. In Pennsylvania, only a few major cities have coverage. Competing standards: cdma2000/ev-do and WCDMA/UMTS. 11

Evolution Summary 1G (analog) 2G (digital) 2.5G (data) 2.75G (data) 3G (wideband data) AMPS IS-95-A/ cdmaone IS-95-B/ cdmaone cdma2000 1x (1.25 MHz) cdma2000 3x (5 MHz) 1X EVDO: HDR IS-136 TDMA 136 HS EDGE TACS GPRS GSM EDGE WCDMA HSCSD 12

SS7 Network Powering all of these networks is the SS7 core. 3G networks will eventually shift to the all-ip IMS core, but SS7 will never fully go away. These systems are very different from IP networks. The requirements are different: real-time vs best-effort services. 13

Protocol Architecture Application Layer MAP Transport Layer TCAP Network Layer ISUP MTP L3 SCCP Link Layer MTP L2 Physical Layer MTP L1 All of the functionality one expects to find in the OSI/Internet protocol stack is available in SS7. Where those services are implemented may be different. 14

Message Transfer Part Covers most of the functionality of the lowest three OSI/Internet protocol stack. Broken into three levels. MTP1: 56/64 KBps physical links. MTP2: Link layer and reliable message delivery. MTP3: Network layer functionality. Application Layer Transport Layer MAP TCAP Network Layer ISUP MTP L3 SCCP Link Layer MTP L2 Physical Layer MTP L1 15

ISUP, SCCP, TCAP ISDN User Part (ISUP): Carries call routing information for resource reservation. Signaling Connection Control Part (SCCP): Carries routing information for specific functions. Transaction Capabilities Application Part Application Layer (TCAP): Interface to request the execution Transport Layer of remote procedures. Network Layer MAP TCAP ISUP SCCP MTP L3 Link Layer MTP L2 Physical Layer MTP L1 16

Mobile Application Part The application layer for SS7 networks. This supports services directly visible by the user: Call handling Text messaging Location-based services Application Layer MAP Protected by MAPsec Sort of... Transport Layer Network Layer Link Layer TCAP ISUP SCCP MTP L3 MTP L2 Physical Layer MTP L1 17

Network Components HLR stores records for all phones in the network. MSC/VLR connect wired and wireless components of the network and perform handoffs. BS communicate wirelessly with users. MSC MSC MS is a user s mobile device. VLR VLR MS Serving MSC Network HLR Gateway MSC 18

Security Issues Such networks have long been viewed as secure because few had access to them or the necessary knowledge. However, attacks are not a new phenomenon. Many different classes of attacks are well documented. We investigate a number of such attacks throughout the remainder of this lecture. 19

Weak Crypto GSM networks use COMP128 for all operations. Authentication (A3), session key gen (A8) and encryption (A5). COMP128 was a proprietary algorithm......that can be broken in under one second. Weaker variants can be broken in 10 milliseconds. Replaced by COMP128-2 and COMP128-3 (maybe) Also proprietary. 20

One-Way Authentication In GSM systems, the network cryptographically authenticates the client. The client assumes that any device speaking to it is the network. Accordingly, it is relatively easy to perform a Man in the Middle attack against all GSM networks.? 21

Core Vulnerabilities None of the messages sent within the network core are authenticated. MAPsec attempts to address this problem by providing integrity and/or confidentiality. The only known deployment of MAPsec was online for two days before being shut off. Serious performance degradation prevent its use. 22

Eavesdropping Early analog systems were easy to eavesdrop upon. Processing power, export rules and bandwidth worked against cryptography. GSM systems use weak crypto, so eavesdropping is still possible over the air. Nothing is encrypted through the network itself, so anyone with access can listen to any call. 23

Jamming The legality of cell phone jamming varies from country to country. USA: Illegal France: Legal in certain circumstances Just because it is illegal in some countries does not mean it is not a threat. You can buy hand-held jammers on the street in most major cities. 24

Malware Known malware does not target the cellular infrastructure......yet. The proliferation of laptop cellular cards is wreaking havoc on these networks. Spyware phoning home is already taxing the network. Differences between the Internet and cellular networks make malware MORE dangerous in this setting. 25

Conclusion Cellular networks are significantly different than their traditional IP counterparts. Built on the assumption of a controlled environment, these systems are becoming more accessible. Much more work is needed. Solutions in one domain do not always apply to the other. Examples of new attacks coming soon... 26

Questions Patrick Traynor traynor@cse.psu.edu http://www.cse.psu.edu/~traynor 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information