KAIST Yongdae Kim
 Full Professor at EE, KAIST (2012. 9 ~)
 Affiliated with CSRC and GIST
 Formerly at the Univ. of Minnesota (2002 ~ 2012)
 Contact.


KAIST Yongdae Kim

 Full Professor at EE, KAIST ( ~)
 Affiliated with CSRC and GIST
 Formerly at the Univ. of Minnesota (2002 ~ 2012)
 Contact Information
  Facebook:
  Twitter:

 Full Professor at EE, KAIST ( ~)
 Affiliated with CSRC and GIST
 20-year career in security research
  Applied cryptography, group key agreement, storage, P2P, mobile/sensor/ad-hoc/cellular networks, social networks, Internet, anonymity, censorship
 Published about 70 papers (3,000 Google Scholar citations)
 NSF CAREER and U of M McKnight Land-Grant Award
 10 PhD, 9 MS, 15 BS students advised
Career timeline (figure): ETRI, USC, UMN (Assistant), UMN (Associate, tenure), KAIST

 Data plane: actual data delivery
 Control plane
  Supports data delivery (efficiently, reliably, etc.)
  Routing information exchange
  In some sense, every protocol except data delivery is considered a control plane protocol
 Example networks
  Peer-to-peer networks, cellular networks, the Internet, …

Botnets: creation year, size, spam volume and control structure

Creation  Name       # of Bots   Spam        Control
2004      Bagle      230K        5.7 B/day   Centralized
2007      Storm      >1,000K     3 B/day     P2P
2008      Mariposa   12,000K     ?           Centralized
2008      Waledac    80K         ?           Centralized
2008      Conficker  >10,000K    10 B/day    Centralized/P2P
2009?     Mega-D     4,500K      10 B/day    Centralized
2009?     Zeus       >3,600K     ?
2009      BredoLab   30,000K     3.6 B/day   Centralized
2010      TDL4       4,500K      ?           P2P

 1997: AS7007
  Claimed the shortest path to the whole Internet
  Caused an Internet black hole
 2004: TTNet (AS9121)
  Claimed the shortest path to the whole Internet
  Lasted for several hours
 2006: AS27056
  "Stole" several important prefixes on the Internet
  From Martha Stewart Living to The New York Daily News
 2008: Pakistan YouTube
  Pakistan decided to block YouTube
  One ISP advertised a small part of YouTube's (AS 36561) network
 2010: China
  15% of all Internet traffic was routed through China for 18 minutes
  Including .mil and .gov domains
 2011: China
  All traffic from US iPhones to Facebook
  Routed through China and Korea

 300 Gbps DDoS against Spamhaus from Stophaus
 Mitigation by CloudFlare using anycast
 Stophaus then turned its targets to IXes (Internet Exchanges)
 Korea – world IX bandwidth
  KT: 560 Gbps, SKB: 235 Gbps, LGU+: 145 Gbps, SKT: 100 Gbps
  Total: 1 Tbps

Max Schuchard, Eugene Vasserman, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim

 "His thesis: How to crash the Internet" – Star Tribune
 "The cyberweapon that could take down the internet" – New Scientist
 "Boffins devise 'cyberweapon' to take down internet" – The Register
 "Prof. Says New Cyberweapon Could Take Down the Internet" – CBS
 "How to crash the Internet" – ZDNet
Losing Control of the Internet: Using the Data Plane to Attack the Control Plane – Network and Distributed System Security (NDSS) 2011

 Attack on the Internet's control plane
 Overwhelm routers with BGP updates
 Launched using only a botnet
 Defenses are non-trivial
 Different from DDoS on web servers

 No router compromise or misconfiguration
  BGPSEC or similar technologies
 Our attack model: unprivileged adversary
  Can generate only data plane events
  Does not control any BGP speakers
  Botnet of a reasonable size
  50, 100, 250, 500k nodes

Can we shut down the Internet using only data plane events?
How many control plane events can be generated by the data plane events of a coordinated set of compromised computers?

 AS (Autonomous System)
  Core AS: high degree of connectivity
  Fringe AS: very low degree of connectivity, sitting at the outskirts of the Internet
  Transit AS: core ASes that agree to forward traffic to and from other ASes
 BGP (Border Gateway Protocol)
  The de facto standard routing protocol spoken by routers connecting different ASes
  BGP is a path vector routing protocol: routers maintain a table of AS paths to every destination
  Uses policies to prefer certain AS paths over others

Figure: AS A originates prefix /8 and advertises it to B and C (DST: /8, Path: A); B re-advertises it to D (Path: B, A) and C to E (Path: C, A); D and E hold DST: /8 with Path: D, B, A and Path: E, C, A.

Figure: with additional links among B, C, D and E, the AS paths to /8 present in the network are: B, A; C, A; D, B, A; E, B, A; B, C, A; D, C, A; E, C, A.

Figure: a link among B, C, D and E changes state and UPDATE messages propagate.
 How does the attacker pick links?
 How does the attacker direct traffic?
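The route figures above show the path-vector behaviour that the attack relies on: when a link changes state, every AS whose best path changes re-advertises, and the UPDATE burst spreads. The following is an added example, not code from the NDSS 2011 paper or the slides: a toy path-vector simulator over the five-AS topology read off the figures (links A–B, A–C, B–C, B–D, B–E, C–D, C–E, with A originating the prefix). Best-path selection is shortest AS path with a lexicographic tie-break, a stand-in for real BGP policy. It counts the UPDATE messages (announcements plus withdrawals) caused by initial convergence, by one link failure, by the link's return, and by repeated flapping of the same link.

```python
"""Toy path-vector (BGP-like) simulator for the five-AS topology in the slides.
Counts UPDATE messages caused by convergence and by flapping one link.
Added example; not code from the paper."""
from collections import deque

# Constructed topology read off the route figures: A originates the prefix and
# is linked to B and C; B and C peer with each other and with D and E.
LINKS = [("A", "B"), ("A", "C"), ("B", "C"),
         ("B", "D"), ("B", "E"), ("C", "D"), ("C", "E")]


class PathVectorNet:
    def __init__(self, links):
        self.adj = {}
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.rib = {asn: {} for asn in self.adj}   # per AS: neighbour -> AS path learned from it
        self.best = {asn: None for asn in self.adj}
        self.origin = None
        self.updates = 0   # UPDATE messages (announcements + withdrawals) sent so far

    def _select(self, asn):
        """Shortest AS path wins; ties broken lexicographically (stand-in for policy)."""
        if asn == self.origin:
            return (asn,)
        cands = list(self.rib[asn].values())
        return min(cands, key=lambda p: (len(p), p)) if cands else None

    def _send(self, u, v):
        """u sends its best path to v, or a withdrawal if it has none.
        Returns True if v's best path changed and v must re-advertise."""
        self.updates += 1
        path = self.best[u]
        if path is None or v in path:      # withdrawal, or AS-path loop detection
            self.rib[v].pop(u, None)
        else:
            self.rib[v][u] = (v,) + path
        new = self._select(v)
        if new != self.best[v]:
            self.best[v] = new
            return True
        return False

    def _run(self, queue):
        """Drain the work queue: every AS whose best path changed advertises to
        all neighbours. Sorted neighbour order keeps the counts deterministic."""
        start = self.updates
        while queue:
            u = queue.popleft()
            for v in sorted(self.adj[u]):
                if self._send(u, v):
                    queue.append(v)
        return self.updates - start

    def announce(self, origin):
        self.origin = origin
        self.best[origin] = (origin,)
        return self._run(deque([origin]))

    def fail_link(self, a, b):
        """Link a-b goes down: both ends drop what they learned over it."""
        self.adj[a].discard(b)
        self.adj[b].discard(a)
        queue = deque()
        for x, y in ((a, b), (b, a)):
            self.rib[x].pop(y, None)
            new = self._select(x)
            if new != self.best[x]:
                self.best[x] = new
                queue.append(x)
        return self._run(queue)

    def restore_link(self, a, b):
        """Link a-b comes back: each end advertises its best path to the other."""
        self.adj[a].add(b)
        self.adj[b].add(a)
        start = self.updates
        queue = deque()
        for x, y in ((a, b), (b, a)):
            if self._send(x, y):
                queue.append(y)
        self._run(queue)
        return self.updates - start

    def flap(self, a, b, cycles):
        """Total UPDATE messages caused by `cycles` down/up cycles of link a-b."""
        return sum(self.fail_link(a, b) + self.restore_link(a, b) for _ in range(cycles))


def demo():
    net = PathVectorNet(LINKS)
    initial = net.announce("A")
    after_fail = net.fail_link("A", "B")
    after_restore = net.restore_link("A", "B")
    flapping = net.flap("A", "B", 3)
    return initial, after_fail, after_restore, flapping, net.best


if __name__ == "__main__":
    i, f, r, fl, best = demo()
    print(f"convergence: {i} updates; one failure: {f}; one restore: {r}; "
          f"3 flaps: {fl}; best paths: {best}")
```

On this topology a single down/up cycle of link A–B costs 17 UPDATE messages across five ASes, and the cost is paid again on every cycle; that per-flap multiplier, scaled to the real Internet's AS graph, is what the slides mean by "adversarial route flapping on an Internet scale", and it is also the quantity a defender would watch (update rate per session) to notice it.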

Figure: AS paths known at each AS: A: {AB, AC, ABE, ABD}; B: {BA, BC, BD, BE}; C: {CA, CB, CD, CE}; D: {DB, DBA, DBAC, DBE}; E: {EB, EBA, EBAC, EBD}. The targeted link is B–C (paths CB and BC).

Figure: ASes A, B, C, D, E. Spread attack flows!

Figure: ASes A, B, C. One target per attack flow!

 Simulator to model network dynamics
 Topology generated from the Internet
 Routers are fully functional BGP speakers
 Bot distribution from Waledac
 Bandwidth model is worst case for the attacker

 Targeted link: any link selected for disruption
 Last-mile link: an un-targeted link that connects a fringe AS to the rest of the network
 Transit link: any link that does not fit the other two categories

 Adversarial route flapping on an Internet scale
 Implemented using only a modest botnet
 Defenses are non-trivial, but incrementally deployable

 Cascaded failure
  Router failure modeling
 Attacks using remotely compromised routers
  Targeted attack: Internet kill switch
 Router design for the Future Internet
  Software router?

 Routers placed in certain states fail to provide the functionality they should
 Unexpected but perfectly legal BGP messages can place routers into those states
 Any assumptions about the likelihood of encountering these messages do not apply under adversarial conditions
Peer Pressure: Exerting Malicious Influence on Routers at a Distance, Max Schuchard, Christopher Thompson, Nicholas Hopper and Yongdae Kim, ICDCS 2013

 How many BGP updates are needed to consume 1 GB of memory?
  About 2,000,000 BGP updates are needed for this attack to succeed

 With distinct, long AS paths and community attributes, 300,000 BGP updates are enough for this attack

 Hash collisions make the router spend more processing time
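The slides do not say which hash function the affected routers use, so the following is an added, generic illustration rather than the Peer Pressure paper's code: a small separate-chaining hash table keyed by AS_PATH tuples, with a probe counter standing in for processing time. A constructed order-insensitive hash (the sum of the ASNs) sends every reordering of the same ASNs into one bucket, so lookups degrade to linear scans; a keyed hash built on `hashlib.blake2b` with a per-process secret key restores the spread. The input set (all orderings of six private-use ASNs) is constructed for the example. Monitoring the longest chain, as `max_chain()` does, is the cheap signal a defender can use to notice the degenerate case.

```python
"""Chained hash table with a probe counter: shows how colliding keys turn O(1)
lookups into O(n) scans, and how a keyed hash restores the spread.
Added example; the slides do not describe the routers' actual hash function."""
import hashlib
import itertools
import os


class ChainedTable:
    """Minimal separate-chaining hash table. `probes` counts key comparisons,
    our proxy for the processing time spent on each operation."""

    def __init__(self, buckets, hash_fn):
        self.buckets = [[] for _ in range(buckets)]
        self.hash_fn = hash_fn
        self.probes = 0

    def _chain(self, key):
        return self.buckets[self.hash_fn(key) % len(self.buckets)]

    def insert(self, key, value):
        chain = self._chain(key)
        for i, (k, _) in enumerate(chain):
            self.probes += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def lookup(self, key):
        for k, v in self._chain(key):
            self.probes += 1
            if k == key:
                return v
        return None

    def max_chain(self):
        """Longest bucket chain: the monitoring signal for a collision pile-up."""
        return max(len(c) for c in self.buckets)


def weak_hash(path):
    """Constructed weak hash: the sum of the ASNs in the path. It ignores order,
    so every reordering of the same ASNs lands in one bucket."""
    return sum(path)


def make_keyed_hash(key=None):
    """Keyed (randomised) hash: a per-process secret key makes bucket placement
    unpredictable to anyone who does not know the key."""
    key = key if key is not None else os.urandom(16)

    def keyed_hash(path):
        data = ",".join(str(asn) for asn in path).encode()
        digest = hashlib.blake2b(data, key=key, digest_size=8).digest()
        return int.from_bytes(digest, "big")

    return keyed_hash


def measure(hash_fn, paths, buckets=1024):
    """Insert every path, then look each one up; return (longest chain, probes)."""
    table = ChainedTable(buckets, hash_fn)
    for p in paths:
        table.insert(p, True)
    for p in paths:
        table.lookup(p)
    return table.max_chain(), table.probes


# Constructed input: all 720 orderings of six private-use ASNs, i.e. 720 distinct
# AS_PATH attributes that an order-insensitive hash cannot tell apart.
ASNS = (64512, 64513, 64514, 64517, 64518, 64519)
PATHS = list(itertools.permutations(ASNS))


def compare():
    """Return {'weak': (max_chain, probes), 'keyed': (max_chain, probes)}."""
    return {"weak": measure(weak_hash, PATHS),
            "keyed": measure(make_keyed_hash(), PATHS)}


if __name__ == "__main__":
    for name, (longest, probes) in compare().items():
        print(f"{name:5s} hash: longest chain {longest:4d}, key comparisons {probes}")
```

With the weak hash all 720 paths share one chain and the 720 inserts plus 720 lookups cost 720² = 518,400 comparisons; with the keyed hash the longest chain stays in single digits and the total is close to the 720 comparisons of the ideal case. The same quadratic blow-up is what "more processing time" means for a router whose attribute cache is fed colliding keys.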

 Man-in-the-middle between the MS and BTS
  Eavesdropping device used for interception
  Tracking of cellular phones
  Undetectable for mobile phone users
 GSM uses one-way authentication
  UMTS uses mutual authentication, but is backward compatible with GSM
 Manufacturers
  Meganet, NeoSoft, Shoghi, Proximus
  Chris Paget built a custom one for $1,500
 Detection of IMSI catchers?
  Karsten Nohl's CatcherCatcher

 Dec: Karsten Nohl at CCC
  $15 phone and open-source software
 OsmocomBB
  Free/open-source GSM baseband software implementation
  Replaces the need for proprietary GSM baseband software
   ▪ Drivers for the GSM analog and digital baseband peripherals
   ▪ The GSM phone-side protocol stack, from layer 1 up to layer 3
 2009: GSM A5/1 encryption shown to be breakable
 How about 3G and LTE?
  Debugger for the Qualcomm baseband chip MSM6280
  CDMA long code?

 Location privacy
  Marie Colvin: Syrian regime accused of murder (Aug. 2012)
   ▪ Syrian forces had "locked on" to their satellite phone signals
  Appelbaum
   ▪ "These phone protocols are intentionally insecure"
   ▪ "Tracking people is sometimes considered a feature"
 Confidentiality
  Driessen and Hund showed that both GMR-1 and GMR-2 are broken (Feb. 2012)
  Completely reverse-engineered the encryption algorithm
  Took less than 30 minutes due to the insecure design of the algorithm

 Targeting 2.5G GSM networks
Exploiting Open Functionality in SMS-Capable Cellular Networks, McDaniel et al., ACM CCS 2005 (Mobicom, Usenix Security, …)

 All systems have bottlenecks; finding them reveals a weak point
 SMSCs have per-user queues; once the limit is reached, texts are dropped
  Sprint: 30 messages; Verizon: 100; AT&T: 400+
 Delivery rate from SMSC to MH measured at 7–8 seconds
 Messages can be sent via the Internet in 0.71 seconds

 A phone network can be DoSed with enough text messages
  The same channels are used to initiate voice calls and deliver text
 How many text messages does it take?
  Estimate: Washington, D.C. can handle 240 msg/sec
  An Internet-based attacker needs only 2.8 Mbps
  Some networks allow sending to 10 people at once
   ▪ Reduces the needed bandwidth to 280 kbps

 We have the victim's mobile phone number
 Can we detect if the victim is in/out of an area of interest?
  Granularity? 100 km²? 1 km²? Next door?
 No collaboration from the service provider
  i.e., how much information leaks from the HLR over broadcast messages?
 Attacks by passively listening
  Paging channel
  Random access channel
Location leaks on the GSM air interface, D. F. Kune, J. Koelndorfer, N. Hopper, Y. Kim, NDSS 2012
Media: Ars Technica, Slashdot, MPR, Fox Twin Cities, Physorg, TG Daily, Network World, e! Science News, Scientific Computing, gizmag, Crazy Engineers, PC Advisor, Mobile Magazine, The CyberJungle, Inquisitr

Figure: GSM network architecture. Elements shown: MS, GSM air interface, BTS, BSC, MSC, VLR, ATR, HLR, HSS, PSTN.

 IMSI
  A unique number associated with every GSM subscriber
 TMSI
  Randomly assigned by the VLR
  Updated in a new area
 PCCH
  Broadcast paging channel
 RACH
  Random Access Channel
 SDCCH
  Standalone Dedicated Control Channel
 A LAC (location area) contains multiple cell towers, which use different ARFCNs
Figure: BTS–MS message exchange: Paging Request on PCCH (BTS→MS) → Channel Request on RACH (MS→BTS) → Immediate Assignment on PCCH (BTS→MS) → Paging Response on SDCCH (MS→BTS) → Setup and Data

 Motorola C118 ($30)
 VirtualBox running Ubuntu and OsmocomBB software (free)
 Serial cable and reprogrammer cable ($30)
 HTC Dream with custom Android kernel ($100)

Figure: timing diagram: a call placed from the PSTN is followed by a paging message on the PCH after a delay dt.

 Delay between the call initiation and the paging request: 3 sec
 Median delay between call initiation and ring: 6 sec

 Is the Immediate Assignment (IA) message sent to all towers in the same LAC?
 How do we identify the IA message?
  No identifiable information
  Check the correlation between IA and paging request

Figure: map of downtown Minneapolis showing the observer's position; towers in this area are observable with a rooftop 12 dB gain Yagi antenna.

Figure: map showing the observer, the start and end points, and the approximate areas covered by the towers to which the victim's phone was attached.

 Solutions to offload traffic to other networks
  Small, cheap cells in residential environments
  ~Q2 2011: 31 operators in 20 countries had adopted femtocells
 Rooting is assumed, which is available in
  Borgaonkar, Redon, Seifert, "Security Analysis of a Femtocell device"
Femtocells: A Poisonous Needle in the Operator's Hay Stack, Borgaonkar, Golde, Redon, Blackhat'11

 Over-the-air traffic is encrypted but decrypted on the femtocell
 All traffic between the femtocell and the network is plaintext and protected only by IPsec
 Hijacking the control flow of the IPsec tunnel software
  Decode IPsec traffic, extract voice/SMS
 Femtocells can be a very cheap IMSI catcher

 What if we change the HNB-GW?
  Full control over all communication
  Modify traffic, impersonating subscribers
  Relay messages to the subscriber whenever authentication is required
 Demo implementation based on SMS:
  Modify messages or inject SMS on behalf of a subscriber (who will be billed)

 They found a remote root vulnerability in the web server (CVE )
  Take over the femtocell network
  End-user threats become a global problem!
 Signaling attacks are a well-known problem, e.g. HLR overload
  TCP/IP-based communication allows easy generation of signaling traffic at a high rate
  Given a remote root bug, this can be amplified with a femtocell botnet
 Connect to the femtocell network without a femtocell!
  Act as a femtocell by using the network protocols

 Yongdae Kim
  Facebook:
  Twitter:
Recruiting new graduate students!