MOBILE DATA CHARGING: NEW ATTACKS AND COUNTERMEASURES
Chunyi Peng, Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang
University of California, Los Angeles
ACM CCS'12
Slide 2: Mobile Data Access
ACM CCS'12 C Peng (UCLA)
- 1.2 billion global users
- Figure: mobile devices reach the Internet through the cellular network (its core network)
Slide 3: Mobile Data Charging
- Figure: cellular network, Internet, bill
- Metered charging based on actual data usage, e.g., $20/month for 300MB (AT&T)
- Security: can any attack make the users pay MORE/LESS?
Slide 4: How Charging Works & Is Secured
- Figure: cellular network (authentication, gateway, NAT, accounting, policy), Internet, bill
- #1: Accounting at the core gateway only
- #2: Both UL/DL traffic per connection is charged
- #3: Policy defined by operators
Slide 5: Two Security Issues
- Figure: authentication, NAT, bill
- #1: Can the attacker bypass the security mechanism and exploit a loophole in the charging architecture to make the users pay MORE? (Stealth-spam-attack)
- #2: Can the attacker exploit the charging policy to pay LESS? (Toll-free-data-access-attack)
Slide 6: Threat Models
- Cellular network is not compromised
- Charging subsystem works as designed
- Security mechanism works as designed
- Attacker's capability: only use installed apps at the mobile, or deploy malicious servers outside cellular networks
Slide 7: Outline
- Stealth-spam-attack (pay MORE): vulnerability; attack design, implementation & damage; countermeasures & insight
- Toll-free-data-access-attack (pay LESS): vulnerability; attack design, implementation & damage; countermeasures & insight
- Summary
Slide 8: Stealth-Spam-Attack
Slide 9: Security Against Spamming
- Figure: authentication, NAT, bill; outgoing spam vs. incoming spam
- Outgoing spam, due to malware at the mobile or spoofing: simple, not addressed here
- Can the security mechanism (e.g., NAT/firewalls) block incoming spam?
  - NAT: the private IP address is not accessible
  - Access allowed only when initiated by the mobile
Slide 10: Vulnerability
- Figure: ① init a data service (trap the victim to open data access, ✔ passes authentication); ② incoming spam from the external attacker (E-attacker) passes the NAT and is billed (✗). Timeline: data services (charged) in the normal case vs. the actual charging time window in the attacked case.
- Different from conventional spamming, e.g., email/SMS spam:
  - Unawareness (stealthy)
  - Long-lived (lasting hours or longer)
Slide 11: Stealth-Spam-Attack
- Step 1, Trap: init data access
  - Example 1: click a malicious web link
  - Example 2: log in to Skype once / stay online
- Step 2, Spam: keep spamming, no matter what the status at the mobile is
Slide 12: Web-based Attack
- Implementation
  - Phone: click a malicious web link
  - Attacker (server): send spam data at a constant rate (disable TCP congestion control and tear-down)
- Result: charging keeps going
  - Even after the phone tears down TCP (TCP FIN, timeout)
  - Even when many "TCP RESET" are sent from the mobile
Slide 13: Damage vs. Spamming Rate
- Figure: charging volume vs. spamming rate (Operator-I, Operator-II)
- In proportion to the spamming rate when the rate is low
- Charging blocked when the rate is high (> 1Mbps)
- The charged volume could be greater than the received one [Mobicom'12]
Slide 14: Damage vs. Duration
- Spamming rate = 150Kbps
- No observed sign of ending when the attack lasts 2 hours if the rate is low (spamming > 120MB)
Slide 15: Skype-based Attack
- Implementation
  - Phone: do nothing (stay online once logged in to Skype)
  - Attacker: Skype-call the victim and hang up
  - Attacker (server): send spam data at a constant rate
- Exploit: a Skype "loophole" allows data access from the host who attempts to call the victim, before the attempt is accepted
- Demo
Slide 16: Demo: for a specific victim
- Result: charging keeps going
  - Even after Skype logout
  - Even when there is no Skype call session at all
  - Even when many "ICMP unreachable" are sent from the mobile
Slide 17: Damage vs. Spamming Rate
- Figure: charging volume vs. spamming rate (Operator-I, Operator-II)
- No bound on the spamming rate, in contrast to the TCP-based attack
Slide 18: Damage vs. Duration
- Spamming rate = 50Kbps
- No observed sign of ending when the attack lasts 24 hours (spamming > 500MB)
Slide 19: Root Cause
- Figure: ① trap the victim to open data access (init a data service); ② incoming spam from the E-attacker through the NAT to the bill
- #1: Initial authentication ≠ authentication all along
  - Current system: secure only the initialization
  - IP forwarding can push packets to the victim (not controlled by the victim)
- #2: Data flow termination at the phone ≠ charging termination at the operator
  - Current system: keep charging if data comes (local view at the core gateway)
  - Different view at the mobile: the data connection ends, or never starts, or an exception happens
  - Lack of feedback/control
Slide 20: Countermeasures
- Spamming is inevitable due to the IP push model
- Remedy: stop early when spamming happens
  - Detection of unwanted traffic at the mobile/operator
  - Feedback (esp. from the mobile to the operator)
  - At least allow users to stop data charging (no service)
  - Exploit/design mechanisms in cellular networks: implicit-block, explicit-allow, explicit-stop
- Precaution, e.g., set a volume limit
- Application: be aware of the spamming attack
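The mobile-side detection and feedback that the slide asks for can be sketched as a monitor that only trusts the phone's own view of which flows are open, and counts every downlink byte that arrives on a flow the phone closed or never opened. This is an added example, not code from the paper or its authors; the thresholds, the flow-tuple layout and the replayed trace are constructed assumptions.

```python
# Constructed thresholds (not from the talk): signal when unsolicited downlink
# bytes exceed 1 MB or keep arriving for 300 s, well before a 2 h / 120 MB episode.
VOLUME_THRESHOLD = 1_000_000
DURATION_THRESHOLD = 300

class UnsolicitedTrafficMonitor:
    """Mobile-side view of which flows the phone still wants. The gateway bills
    every downlink byte; this counts the bytes that arrive on flows the phone has
    closed (FIN/RST sent, app logged out) or never opened: the stealth-spam volume."""
    def __init__(self):
        self.open_flows = set()
        self.unsolicited_bytes = 0
        self.first_unsolicited = self.last_unsolicited = None
    def local_open(self, flow):    # the phone initiated or accepted this flow
        self.open_flows.add(flow)
    def local_close(self, flow):   # the phone tore the flow down
        self.open_flows.discard(flow)

    def incoming(self, ts, flow, nbytes):
        """Record a downlink packet; returns True if the phone did not ask for it."""
        if flow in self.open_flows:
            return False
        self.unsolicited_bytes += nbytes
        if self.first_unsolicited is None:
            self.first_unsolicited = ts
        self.last_unsolicited = ts
        return True

    def should_signal_operator(self):
        """Feedback trigger: enough unwanted volume, or unwanted traffic that persists."""
        if self.first_unsolicited is None:
            return False
        duration = self.last_unsolicited - self.first_unsolicited
        return self.unsolicited_bytes >= VOLUME_THRESHOLD or duration >= DURATION_THRESHOLD

def replay(trace):
    # trace: ('open', flow) / ('close', flow) / ('in', ts, flow, nbytes) events
    m = UnsolicitedTrafficMonitor()
    for ev in trace:
        if ev[0] == "open":
            m.local_open(ev[1])
        elif ev[0] == "close":
            m.local_close(ev[1])
        else:
            m.incoming(*ev[1:])
    return m

# Constructed trace of the web-based case: two wanted packets, the phone sends FIN,
# then the server keeps pushing at 150 Kbps (18750 B/s) for 390 seconds.
FLOW = ("203.0.113.10", 80, 50000, "tcp")  # (remote IP, remote port, local port, proto)
SAMPLE_TRACE = [("open", FLOW), ("in", 0, FLOW, 1500), ("in", 1, FLOW, 1500), ("close", FLOW)]
SAMPLE_TRACE += [("in", ts, FLOW, 18750) for ts in range(10, 400)]
```

The value reported by `should_signal_operator()` is the explicit-stop request the slide proposes; the bytes counted before it fires are what the operator would still bill.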
Slide 21: Toll-Free-Data-Access-Attack
Slide 22: Vulnerability
- Both operators provide free DNS service
- Policy: free DNS service, keyed on the DNS flow ID (srcIP, destIP, srcPort, destPort, protocol)
  - OP-I: packets via port 53 are free
  - OP-II: packets via UDP + port 53 are free
  - Bill (DNS) = 0
- #1: free fake-DNS loophole: real data over port 53, so Bill (ANY-on-DNS) = 0
- #2: no volume-check loophole: is there any enforcement for packets over port 53?
  - OP-I: no observed limits, except 29KB for one request packet
  - OP-II: no observed limits
Slide 23: Toll-Free-Data-Access-Attack
- Proxy outside the cellular network; tunneling over port 53 between the mobile and the external network, similar to calling an 800 hotline
- Implementation
  - HTTP proxy on port 53 (only for web, OP-I)
  - SOCKS proxy on port 53 (for more apps, OP-I)
  - DNS tunneling on UDP 53 (all apps, OP-I and OP-II)
- Results: free data access > 200MB, no sign of limits
- Demo if interested
Slide 24: Countermeasures
- Simplest fix: stop the free DNS service (OP-II stopped it this July)
- Other suggestions
  - Authenticate the DNS service: only allow authenticated DNS resolvers
  - DNS message integrity check
  - Provide a free DNS quota
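To show what these suggestions look like as enforcement logic, here is an added example (not the authors' or either operator's code) that puts the port-53 rule of slide 22 beside a hardened check: UDP only, an operator-pinned resolver, a structural DNS message check and a per-subscriber free quota. The resolver address, the quota size and the sample packets are constructed for the example.

```python
import struct
from collections import namedtuple

# Constructed for this example (not from the talk): the operator's own resolver
# address and a deliberately small free-DNS quota so the quota path is easy to hit.
OPERATOR_RESOLVERS = {"10.0.0.53"}
FREE_DNS_QUOTA_BYTES = 2000
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port protocol payload")

def weak_policy_is_free(pkt):
    """OP-I rule as the slide describes it: any packet via port 53 is zero-rated."""
    return pkt.src_port == 53 or pkt.dst_port == 53

def looks_like_dns(payload):
    """Structural check: RFC 1035 header, opcode QUERY, exactly one question."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if (flags >> 11) & 0xF != 0 or qdcount != 1:
        return False
    pos = 12  # walk the QNAME labels (each <= 63 bytes) to the zero terminator
    while pos < len(payload) and payload[pos] != 0:
        if payload[pos] > 63:
            return False
        pos += payload[pos] + 1
    return pos + 5 <= len(payload)  # terminator + QTYPE + QCLASS must fit

class HardenedPolicy:
    """Zero-rate only UDP DNS exchanged with an operator resolver, within a quota.
    Tunnels can emit well-formed DNS, so the resolver pinning and the quota, not the
    format check, are what actually bound the operator's loss."""
    def __init__(self):
        self.free_used = {}  # subscriber IP -> zero-rated bytes consumed so far
    def is_free(self, pkt, subscriber_ip):
        peer = pkt.dst_ip if pkt.src_ip == subscriber_ip else pkt.src_ip
        if pkt.protocol != "udp" or peer not in OPERATOR_RESOLVERS:
            return False
        if not looks_like_dns(pkt.payload):
            return False
        used = self.free_used.get(subscriber_ip, 0) + len(pkt.payload)
        if used > FREE_DNS_QUOTA_BYTES:
            return False  # past the quota the bytes are billed as ordinary data
        self.free_used[subscriber_ip] = used
        return True

def build_dns_query(name, txid=0x1234):
    """Minimal A-record query, used here only to construct sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```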
Slide 25: Beyond DNS
- Existing DNS tunneling tools (iodine etc.) are designed for data access when Internet access is blocked
- Differentiated-charging policy, e.g., free access to one website or via some APN, or cheaper VoIP than Web
- Incentive to pay less (attackers or even normal users)
- Gap between the policy and its enforcement: bullet-proof design & practice needed
Slide 26: On Incentive
- Toll-Free-Data-Access-Attack ✔
- Stealth-Spam-Attack: good news, no obvious and strong incentive
  - No immediate gain for the attacker, unless an ill-intentioned operator does it
  - Monetary loss against the attacker's adversary
  - Unexpected incentive in the future?
Slide 27: Summary
- Assess the vulnerability of the 3G/4G data charging system
- Two types of attacks
  - Toll-free-data-access-attack (free > 200MB): enforcement of the differentiated-charging policy; no observed volume limits
  - Stealth-spam-attack (overcharging > 500MB): rooted in the charging architecture, the security mechanism and the IP model
- Insight
  - The IP push model is not ready for metered charging
  - Feedback or control is needed during data charging
  - A differentiated-charging policy has to secure itself
- More information/demo at http://metro.cs.ucla.edu/projects.html