Presentation is loading. Please wait.

Presentation is loading. Please wait.

MOBILE DATA CHARGING: ACM CCS12 NEW ATTACKS AND COUNTERMEASURES Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los.

Similar presentations


Presentation on theme: "MOBILE DATA CHARGING: ACM CCS12 NEW ATTACKS AND COUNTERMEASURES Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los."— Presentation transcript:

1 MOBILE DATA CHARGING: ACM CCS12 NEW ATTACKS AND COUNTERMEASURES Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los Angeles

2 Mobile Data Access billion global users Internet Core Network Cellular Network ACM CCS'12 C Peng (UCLA)

3 Mobile Data Charging 3 Internet Cellular Network Metered charging based on actual data usage, e.g., $20/month for 300MB (AT&T) Bill Security: Can any attack make the users pay MORE/LESS? Security: Can any attack make the users pay MORE/LESS? ACM CCS'12 C Peng (UCLA)

4 How Charging Works & Be Secured 4 Cellular Network Internet Gateway … NAT Accounting Policy Bill Authentication #2: Both UL/DL per connection charged #1: core gateway only #3: Policy defined by operators ACM CCS'12 C Peng (UCLA)

5 Two Security Issues 5 NAT Authentication Bill #1: Can the attacker bypass the security mechanism to exploit charging architecture loophole to make the users pay MORE? #2: Can the attacker exploit charging policy to pay LESS? Stealth-spam-attack Toll-Free-Data-Access-Attack ACM CCS'12 C Peng (UCLA)

6 Threat Models 6 Cellular network is not compromised Charging subsystem works as designed Security mechanism works as designed Mobile device is secure No malwares run at mobile-devices Attackers capability Only use installed mobile, or Deploy malicious servers outside cellular networks ACM CCS'12 C Peng (UCLA)

7 Outline 7 Stealth-spam-attack (pay MORE) Vulnerability Attack design & implementation & damage Countermeasures & insight Toll-free-data-access-attack (pay LESS) Vulnerability Attack design & implementation & damage Countermeasures & insight Summary ACM CCS'12 C Peng (UCLA)

8 Stealth-Spam-Attack 8

9 Security Against Spamming 9 NAT Authentication Bill Outgoing-Spam Incoming-Spam Outgoing-Spam Outgoing-Spam due to or spoofing. Simple, not addressed here. Can security mechanism (e.g., NAT/Firewalls) block incoming spam? Private IP addr. is not accessible Access allowed only when initiated by the mobile ACM CCS'12 C Peng (UCLA)

10 Vulnerability 10 NAT Authentication Bill Init a data service Incoming traffic Incoming Spam E-attacker trap the victim to open data access Incoming Spam time Data Services (charged) (normal) Spam from the attacker (attacked) Actual charging time window Different from conventional spamming, e.g., /SMS spam Unawareness (stealthy) Long-lived (lasting hours or longer) ACM CCS'12 C Peng (UCLA)

11 Stealth-Spam-Attack 11 Step1-Trap: init data access Example-1: click a malicious web link Example-2: login Skype once / stay online Step2-Spam: keep spamming No matter what ACM CCS'12 C Peng (UCLA)

12 Web-based Attack 12 Implementation Phone: click a malicious web link Attacker (server): send spam data at constant rate (disable TCP congest control and tear-down) Result: charging keeps going Even after the phone tears down TCP TCP FIN, timeout Even when many TCP RESET sent from the mobile ACM CCS'12 C Peng (UCLA)

13 Damage vs. Spamming Rate 13 Charging volume vs. spamming rate Operator-IOperator-II In proportion to spamming rate when rate is low Charging blocked when rate is high (> 1Mbps) The charged volume could be > the received one [Mobicom12] ACM CCS'12 C Peng (UCLA)

14 Damage vs. Duration 14 Spamming rate = 150Kbps No observed sign to end when the attack lasts 2 hours if the rate is low (spamming> 120MB) ACM CCS'12 C Peng (UCLA)

15 Skype-based Attack 15 Implementation Phone: do nothing (stay online once in Skype) Attacker: Skype call the victim and hang up Attacker (server): send spam data at constant rate Exploit Skype loophole allows data access from the host who attempts to call the victim before the attempt is accepted Demo ACM CCS'12 C Peng (UCLA)

16 Demo: for a specific victim 16 Result: charging keeps going Even after Skype logout Even when there is no any skype call session Even when many ICMP unreachable sent from the mobile ACM CCS'12 C Peng (UCLA)

17 Damage vs. Spamming Rate 17 Charging volume vs. spamming rate Operator-IOperator-II No bounds on spamming rate compared with TCP-based attack ACM CCS'12 C Peng (UCLA)

18 Damage vs. Duration 18 Spamming rate = 50Kbps No observed sign to end when the attack lasts 24 hours (spamming > 500MB) ACM CCS'12 C Peng (UCLA)

19 Root Cause NAT Bill Init a data service Incoming Spam E-attacker trap the victim to open data access Current system: Secure only the initialization Current system: Secure only the initialization IP forwarding can push packets to the victim (not controlled by the victim) #1: Initial authentication authentication all along Current system: Keep charging if data comes Local core gateway Current system: Keep charging if data comes Local core gateway Different mobile: data conn. ends or never starts or exception happens Lack of feedback/control Different mobile: data conn. ends or never starts or exception happens Lack of feedback/control #2: Data flow the phone charging the operator ACM CCS'12 C Peng (UCLA) 19

20 Countermeasures 20 Spamming inevitable due to IP push model Remedy: stop early when spamming happens Detection of unwanted Feedback (esp. from the mobile to the operator) At least allow users to stop data charging (no service) Exploit/design mechanisms in cellular networks: implicit- block, explicit-allow, explicit-stop Precaution, e.g., set a volume limit Application: be aware of spamming attack ACM CCS'12 C Peng (UCLA)

21 Toll-Free-Data-Access-Attack 21

22 Vulnerability 22 Policy: Free DNS Service Bill (DNS) = 0 Bill (ANY- on-DNS ) = 0 Both operators provide free DNS service DNS packets DNS flow ID: (srcIP, destIP, srcPort, destPort, protocol) OP-I: Packets via port 53 are free OP-II: Packets via UDP+Port 53 free #1: free fake DNS loophole #2: no volume-check loophole OP-I: Free via port 53 OP-II: Free via UDP+Port 53 Any enforcement for packets over port 53? OP-I: no observed limits, except 29KB for one request packet OP-II: no observed limits Real data over 53 ACM CCS'12 C Peng (UCLA)

23 Toll-Free-Data-Access-Attack 23 Proxy outside cellular network Tunneling over 53 between the mobile and external network similar to calling 800-hotline Implementation HTTP-proxy on port 53 (only for web, OP-I) Sock-proxy on port 53 (for more apps, OP-I) DNS-tunneling on UDP-53 (all apps, OP-I, II) Results Free data access > 200MB, no sign of limits Demo if interested ACM CCS'12 C Peng (UCLA)

24 Countermeasures 24 Simplest fix: stop free DNS service OP-III stopped it since this July Other suggestions Authenticate DNS service Only allow using authenticated DNS resolvers DNS message integrity check Provide free DNS quota ACM CCS'12 C Peng (UCLA)

25 Beyond DNS 25 Existing DNS tunneling tools: iodine etc, Designed for data access when Internet access is blocked differentiated-charging policy e.g., free access to one website/ via some APN, or cheaper VoIP than Web Gap btw policy and its enforcement Bullet-proof design & practice Incentive to pay less (Attackers or even normal users) Bill ACM CCS'12 C Peng (UCLA)

26 On Incentive 26 Toll-Free-Data-Access-Attack Stealth-Spam-Attack Good news: no obvious and strong incentive No immediate gain for the attacker unless the ill- intentioned operator does it Monetary loss against the attackers adversary Unexpected incentive in the future? ACM CCS'12 C Peng (UCLA)

27 Summary 27 Assess the vulnerability of 3G/4G data charging system Two types of attacks, Toll-free-data-access-attack (free > 200MB) Enforcement of differentiated-charging policy Stealth-spam-attack (overcharging > 500MB) Rooted in charging architecture, security mechanism and IP model No observed volume limits Insight IP push model is not ready for metered-charging Feedback or control needed during data charging Differentiated-charging policy has to secure itself More information/demo in ACM CCS'12 C Peng (UCLA)


Download ppt "MOBILE DATA CHARGING: ACM CCS12 NEW ATTACKS AND COUNTERMEASURES Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los."

Similar presentations


Ads by Google