Presentation is loading. Please wait.

Presentation is loading. Please wait.

MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES Chunyi Peng,

Published byDomenic Stoke Modified over 10 years ago

Similar presentations

Presentation on theme: "MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES Chunyi Peng,"— Presentation transcript:

1 MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES Chunyi Peng,
Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los Angeles ACM CCS’12

2 Mobile Data Access 1.2 billion global users Cellular Network Core
ACM CCS'12 C Peng (UCLA) Mobile Data Access 1.2 billion global users Cellular Network Core Network Internet

3 Mobile Data Charging Security: Cellular Network Metered charging
ACM CCS'12 C Peng (UCLA) Mobile Data Charging Cellular Network Internet Metered charging based on actual data usage, e.g., $20/month for 300MB (AT&T) Bill Security: Can any attack make the users pay MORE/LESS?

4 How Charging Works & Be Secured
ACM CCS'12 C Peng (UCLA) How Charging Works & Be Secured Cellular Network Authentication #1: Accounting @ core gateway only #2: Both UL/DL per connection charged Gateway Internet Accounting NAT Policy #3: Policy defined by operators Bill

5 Toll-Free-Data-Access-Attack
ACM CCS'12 C Peng (UCLA) Two Security Issues NAT Authentication Bill #1: Can the attacker bypass the security mechanism to exploit charging architecture loophole to make the users pay MORE? Stealth-spam-attack #2: Can the attacker exploit charging policy to pay LESS? Toll-Free-Data-Access-Attack

6 Threat Models Cellular network is not compromised
ACM CCS'12 C Peng (UCLA) Threat Models Cellular network is not compromised Charging subsystem works as designed Security mechanism works as designed Mobile device is secure No malwares run at mobile-devices Attacker’s capability Only use installed mobile, or Deploy malicious servers outside cellular networks

7 Outline Stealth-spam-attack (pay MORE)
ACM CCS'12 C Peng (UCLA) Outline Stealth-spam-attack (pay MORE) Vulnerability Attack design & implementation & damage Countermeasures & insight Toll-free-data-access-attack (pay LESS) Summary

8 Stealth-Spam-Attack

9 Security Against Spamming
ACM CCS'12 C Peng (UCLA) Security Against Spamming Authentication Can security mechanism (e.g., NAT/Firewalls) block incoming spam? Outgoing-Spam Outgoing-Spam Incoming-Spam Outgoing-Spam due to or spoofing. Simple, not addressed here. Private IP addr. is not accessible Access allowed only when initiated by the mobile NAT Bill

10 Vulnerability ✔ ✗ E-attacker NAT Different from conventional spamming,
ACM CCS'12 C Peng (UCLA) Vulnerability Authentication Different from conventional spamming, e.g., /SMS spam Unawareness (stealthy) Long-lived (lasting hours or longer) Init a data service Incoming Spam Incoming traffic time Data Services (charged) (normal) Spam from the attacker trap the victim to open data access E-attacker Incoming Spam Actual charging time window (attacked) NAT Bill

11 Stealth-Spam-Attack Step1-Trap: init data access
ACM CCS'12 C Peng (UCLA) Stealth-Spam-Attack Step1-Trap: init data access Example-1: click a malicious web link Example-2: login Skype once / stay online Step2-Spam: keep spamming No matter what

12 Web-based Attack Implementation Result: charging keeps going
ACM CCS'12 C Peng (UCLA) Web-based Attack Implementation Phone: click a malicious web link Attacker (server): send spam data at constant rate (disable TCP congest control and tear-down) Result: charging keeps going Even after the phone tears down TCP TCP FIN, timeout Even when many “TCP RESET” sent from the mobile

13 Damage vs. Spamming Rate
ACM CCS'12 C Peng (UCLA) Damage vs. Spamming Rate Charging volume vs. spamming rate Operator-I Operator-II In proportion to spamming rate when rate is low Charging blocked when rate is high (> 1Mbps) The charged volume could be > the received one [Mobicom’12]

14 ACM CCS'12 C Peng (UCLA) Damage vs. Duration Spamming rate = 150Kbps No observed sign to end when the attack lasts 2 hours if the rate is low (spamming> 120MB)

15 Skype-based Attack Implementation Exploit Skype “loophole” Demo
ACM CCS'12 C Peng (UCLA) Skype-based Attack Implementation Phone: do nothing (stay online once in Skype) Attacker: Skype call the victim and hang up Attacker (server): send spam data at constant rate Exploit Skype “loophole” allows data access from the host who attempts to call the victim before the attempt is accepted Demo Result: charging keeps going Even there is no any skype call session Even when many ICMP unreachable sent from the mobile

16 Demo: for a specific victim
ACM CCS'12 C Peng (UCLA) Demo: for a specific victim Result: charging keeps going Even after Skype logout Even when there is no any skype call session Even when many “ICMP unreachable” sent from the mobile

17 Damage vs. Spamming Rate
ACM CCS'12 C Peng (UCLA) Damage vs. Spamming Rate Charging volume vs. spamming rate Operator-I Operator-II No bounds on spamming rate compared with TCP-based attack

18 ACM CCS'12 C Peng (UCLA) Damage vs. Duration Spamming rate = 50Kbps No observed sign to end when the attack lasts 24 hours (spamming > 500MB)

19 Root Cause E-attacker NAT ≠ charging termination @ the operator
ACM CCS'12 C Peng (UCLA) Root Cause Current system: Secure only the initialization IP forwarding can push packets to the victim (not controlled by the victim) Init a data service #1: Initial authentication ≠ authentication all along Incoming Spam Current system: Keep charging if data comes Local core gateway Different mobile: data conn. ends or never starts or exception happens Lack of feedback/control trap the victim to open data access E-attacker NAT #2: Data flow the phone ≠ charging the operator Bill

20 Countermeasures Spamming inevitable due to IP push model
ACM CCS'12 C Peng (UCLA) Countermeasures Spamming inevitable due to IP push model Remedy: stop early when spamming happens Detection of unwanted Feedback (esp. from the mobile to the operator) At least allow users to stop data charging (no service) Exploit/design mechanisms in cellular networks: implicit- block, explicit-allow, explicit-stop Precaution, e.g., set a volume limit Application: be aware of spamming attack

21 Toll-Free-Data-Access-Attack

22 Vulnerability Both operators provide free DNS service
ACM CCS'12 C Peng (UCLA) Vulnerability Both operators provide free DNS service Real data over 53 #1: free fake DNS loophole DNS packets OP-I: Free via port 53 OP-II: Free via UDP+Port 53 DNS flow ID: (srcIP, destIP, srcPort, destPort, protocol) OP-I: Packets via port 53 are free OP-II: Packets via UDP+Port 53 free Policy: Free DNS Service #2: no volume-check loophole Bill (DNS) = 0 Any enforcement for packets over port 53? OP-I: no observed limits, except 29KB for one request packet OP-II: no observed limits Bill (ANY-on-DNS) = 0

23 Toll-Free-Data-Access-Attack
ACM CCS'12 C Peng (UCLA) Toll-Free-Data-Access-Attack Proxy outside cellular network Tunneling over 53 between the mobile and external network similar to calling 800-hotline Implementation HTTP-proxy on port 53 (only for web, OP-I) Sock-proxy on port 53 (for more apps, OP-I) DNS-tunneling on UDP-53 (all apps, OP-I, II) Results Free data access > 200MB, no sign of limits Demo if interested

24 Countermeasures Simplest fix: stop free DNS service Other suggestions
ACM CCS'12 C Peng (UCLA) Countermeasures Simplest fix: stop free DNS service OP-III stopped it since this July Other suggestions Authenticate DNS service Only allow using authenticated DNS resolvers DNS message integrity check Provide free DNS quota

25 Beyond DNS Existing DNS tunneling tools: iodine etc,
ACM CCS'12 C Peng (UCLA) Beyond DNS Existing DNS tunneling tools: iodine etc, Designed for data access when Internet access is blocked differentiated-charging policy e.g., free access to one website/ via some APN, or cheaper VoIP than Web Incentive to pay less (Attackers or even normal users) Bill Gap btw policy and its enforcement Bullet-proof design & practice

26 On Incentive Toll-Free-Data-Access-Attack ✔ Stealth-Spam-Attack
ACM CCS'12 C Peng (UCLA) On Incentive Toll-Free-Data-Access-Attack ✔ Stealth-Spam-Attack Good news: no obvious and strong incentive No immediate gain for the attacker unless the ill- intentioned operator does it Monetary loss against the attacker’s adversary Unexpected incentive in the future?

27 More information/demo in
ACM CCS'12 C Peng (UCLA) Summary More information/demo in Assess the vulnerability of 3G/4G data charging system Two types of attacks, Toll-free-data-access-attack (free > 200MB) Enforcement of differentiated-charging policy Stealth-spam-attack (overcharging > 500MB) Rooted in charging architecture, security mechanism and IP model No observed volume limits Insight IP push model is not ready for metered-charging Feedback or control needed during data charging Differentiated-charging policy has to secure itself No sign of limits

Download ppt "MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES Chunyi Peng,"

Similar presentations

1. XP 2 * The Web is a collection of files that reside on computers, called Web servers. * Web servers are connected to each other through the Internet.

1. XP 2 * The Web is a collection of files that reside on computers, called Web servers. * Web servers are connected to each other through the Internet.
Module X Session Hijacking

Module X Session Hijacking
Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Security Issues In Mobile IP

Security Issues In Mobile IP
Copyright (c) 2002 Japan Network Information Center Introduction of JPNICs New Registry System Izumi Okutani IP Address Section Japan Network Information.

Copyright (c) 2002 Japan Network Information Center Introduction of JPNICs New Registry System Izumi Okutani IP Address Section Japan Network Information.
New Packet Sampling Technique for Robust Flow Measurements Shigeo Shioda Department of Architecture and Urban Science Graduate School of Engineering, Chiba.

New Packet Sampling Technique for Robust Flow Measurements Shigeo Shioda Department of Architecture and Urban Science Graduate School of Engineering, Chiba.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Can We Pay for What We Get in 3G Data Access? ACM MOBICOM 2012 Istanbul, Turkey Chunyi Peng, Guan-Hua Tu, Chi-Yu Li, Songwu Lu University of California,

Can We Pay for What We Get in 3G Data Access? ACM MOBICOM 2012 Istanbul, Turkey Chunyi Peng, Guan-Hua Tu, Chi-Yu Li, Songwu Lu University of California,
Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.

Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.
© 2009 Carnegie Mellon University IP Dossier Paul N. Krystosek, Ph.D. CERT/NetSA January 2008.

© 2009 Carnegie Mellon University IP Dossier Paul N. Krystosek, Ph.D. CERT/NetSA January 2008.
Zhiyun Qian, Z. Morley Mao (University of Michigan)

Zhiyun Qian, Z. Morley Mao (University of Michigan)
ABC Technology Project

ABC Technology Project
Taming User-Generated Content in Mobile Networks via Drop Zones Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.

Taming User-Generated Content in Mobile Networks via Drop Zones Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.
Implementing Cognos Mobile

Implementing Cognos Mobile
© 2005 AT&T, All Rights Reserved. 11 July 2005 AT&T Enhanced VPN Services Performance Reporting and Web Tools Presenter : Sam Levine-866-624-2008 x111.

© 2005 AT&T, All Rights Reserved. 11 July 2005 AT&T Enhanced VPN Services Performance Reporting and Web Tools Presenter : Sam Levine x111.
2009-03-16 1 Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.

Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.
Johan Garcia Karlstads Universitet Datavetenskap 1 Datakommunikation II Signaling/Voice over IP / SIP Based on material from Henning Schulzrinne, Columbia.

Johan Garcia Karlstads Universitet Datavetenskap 1 Datakommunikation II Signaling/Voice over IP / SIP Based on material from Henning Schulzrinne, Columbia.

Similar presentations

Ads by Google