Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Rogue Femtocell Owners: How Mallory Can Monitor My Devices 19 April 2013

advertisement 
Rogue Femtocell Owners: How Mallory Can
Monitor My Devices
David Malone, Darren F. Kavanagh and Niall R. Murphy
19 April 2013
Femtocells
• Small devices acting as cellular base stations.
• Deployed to extend coverage in homes, offices, . . .
• Access can be open or closed.
• No direct connection to MNO network.
• Use Internet and IPsec for backhaul.
Femtocell (front)
Alcatel-Lucent 9361 Home Cell V2-V.
Femtocell (back)
Alcatel-Lucent 9361 Home Cell V2-V.
Femtocell Access Control
• Anyone device can connect to open femtocell.
• Closed femtocells allow ACL.
• Commonly administered by web page, list phone numbers.
• No further checking done.
• Idea: ACL to target devices who shouldn’t trust us?
• Idea: Use traffic analysis as passive attack.
• Snoop on your neighbour?
Monitoring a device
• Add phone (Nokia X6) to femtocell’s ACL.
• SMS, MMS, voice calls, web browsing, management.
• Collect femtocell traffic on router.
• Traffic (mostly) encrypted, but know time, size, ToS.
• What does traffic tell us about activity?
Traffic Analysis (to femtocell)
ToS 0
ToS 2
1400
1200
1000
800
600
400
200
Get short text message
Get text long message
Get text message
Phonephone
fully on
booted
Turn
Turn phone off
7000
Hangmobile
up
Call
number with no an
End web browsing
Start web browsing
Call to 1191 end
starts
6000
Sending
short
test text again ag
Get
shortshort
text again
Sending
test text again
Get
shortshort
text test text
Sending
5000
Begin lap of block
Incoming call ends
ringing
begins
ringing
End lap of block
4000
3000
Get short text saying Testing
Hanga up
on ringing
callanswer
Call
number
with no
2000
1000
0
Call
to
1191
second
At
it willa few
be 20:46:4
Callthe
tosignal
1191 ends
starts
Send MMS send
icon gone
with 126kB
messa
Send SMS saying This is a lon
Send SMS saying Testing shor
0
Traffic Analysis (from femtocell)
ToS 0
ToS 72
ToS 74
ToS 184
ToS 192
1400
1200
1000
800
600
400
200
Get short text message
Get text long message
Get text message
Phonephone
fully on
booted
Turn
Turn phone off
7000
Hangmobile
up
Call
number with no an
End web browsing
Start web browsing
Call to 1191 end
starts
6000
Sending
short
test text again ag
Get
shortshort
text again
Sending
test text again
Get
shortshort
text test text
Sending
5000
Begin lap of block
Incoming call ends
ringing
begins
ringing
End lap of block
4000
3000
Get short text saying Testing
Hanga up
on ringing
callanswer
Call
number
with no
2000
1000
0
Call
to
1191
second
At
it willa few
be 20:46:4
Callthe
tosignal
1191 ends
starts
Send MMS send
icon gone
with 126kB
messa
Send SMS saying This is a lon
Send SMS saying Testing shor
0
Traffic Analysis (cleaned up)
ToS 0
ToS 72
ToS 74
ToS 184
ToS 192
1400
1200
1000
800
600
400
200
Get short text message
Get text long message
Get text message
Phonephone
fully on
booted
Turn
Turn phone off
7000
Hangmobile
up
Call
number with no an
End web browsing
Start web browsing
Call to 1191 end
starts
6000
Sending
short
test text again ag
Get
shortshort
text again
Sending
test text again
Get
shortshort
text test text
Sending
5000
Begin lap of block
Incoming call ends
ringing
begins
ringing
End lap of block
4000
3000
Get short text saying Testing
Hanga up
on ringing
callanswer
Call
number
with no
2000
1000
0
Call
to
1191
second
At
it willa few
be 20:46:4
Callthe
tosignal
1191 ends
starts
Send MMS send
icon gone
with 126kB
messa
Send SMS saying This is a lon
Send SMS saying Testing shor
0
Classification
• Could we classify based on this?
• Yes — hand designed algorithm based on 10s buckets.
• Some trouble telling SMS/signaling and MMS/data apart.
• Works well (15000s, 35 events, one false positive).
for each (10s interval) {
Remove background traffic (size, TOS, direction)
Count number_of packets for each (TOS, direction)
Store largest packet size for each (TOS, direction)
if (number_of (TOS 184,SRC) packets > 1)
event "Call in progress";
if (number_of (TOS 0,SRC) packets > 0) {
if (largest (TOS 0, SRC|DST) > 800)
event "Web session in progress";
else if (largest (TOS 0, DST) > 800)
event "Recv MMS in progress";
else if (largest (TOS 0, SRC) > 800)
event "Send MMS in progress";
else
event "Small Data/MMS in progress";
}
if (number_of (TOS 74) > 0 &&
number_of (TOS 0|72|184, SRC) == 0)
event "Signaling or SMS";
}
+
Recv Signaling
MMS in progress+
or SMS+
End incoming call
Begin incoming call
Phone fully on
Turn phone on
Signaling or SMS+
phone
fully off
Turn phone
Signaling or SMS+
SMS
actuallySMS
arrives
Start getting
SmallSend
data traffic
+
MMS in
in progress+
progress+
MMS
gone
Begin icon
sending
MMS
3500
Signaling or SMS+
4000
4500
+
+
+
Call in progress+
MMS actually
in transitarrives
MMS starts to arrive
5000
5500
6000
Classification vs. Events
Begin web browsing
0
3000
20
40
60
80
100
End web browsing
Two Femtocells?
• Suppose we can snoop on two femtocells, each near a target.
• E.g. two celebrities, are they exchanging calls?
• Can we correlate the information at both ends?
• Two femtos, two gateways (NTP synced), two phones
(iPhone).
• Collect traffic, compare traces.
• Run classifier, correlate results.
Traffic Analysis (two femto)
Packets from Femto 2 (above axis) and to Femto 1 (below axis)
1500
Femto 1 Dst ToS 0
Femto 1 Dst ToS 2
Femto 2 Src ToS 0
Femto 2 Src ToS 72
Femto 2 Src ToS 74
Femto 2 Src ToS 184
Femto 2 Src ToS 192
1000
Packet Size (bytes)
500
0
500
1000
1500
0
500
1000
1500
2000
Time (s)
2500
3000
3500
Traffic Analysis (two femto)
Packets from Femto 1 (above axis) to Femto 2 (below axis)
1500
Femto 1 Src ToS 0
Femto 1 Src ToS 72
Femto 1 Src ToS 74
Femto 1 Src ToS 184
Femto 1 Src ToS 192
Femto 2 Dst ToS 0
Femto 2 Dst ToS 2
1000
Packet Size (bytes)
500
0
500
1000
1500
0
500
1000
1500
2000
Time (s)
2500
3000
3500
Traffic Analysis (two femto)
Packets from Femto 2 (above axis) and to Femto 1 (below axis)
Femto 1 Dst ToS 0
Femto 1 Dst ToS 2
Femto 2 Src ToS 0
Femto 2 Src ToS 72
Femto 2 Src ToS 74
Femto 2 Src ToS 184
Femto 2 Src ToS 192
400
Packet Size (bytes)
200
0
200
400
390
400
410
420
Time (s)
430
440
450
Other Side Channels
• We control femtocell’s environment.
• Are there other things we can snoop on?
• RF?
• Power usage?
• LEDs?
Power Analysis
Power consumption of femtocell under different conditions
9
8
7
Power (W)
6
5
4
3
2
Booting
Idle
One Voice Call
Two Voice Calls
FTP Transfer
1
0
0
100
200
300
Time (s)
Measured with help of Roberto Riggo.
Actually significant difference in means!
400
500
600
LED Analysis
Maybe good for clearing false positives?
Fixes?
Dummy Traffic Generate dummy traffic all the time, to hide
behaviour. Unlikely to be popular.
IMEI/IMSI Number Ask for more information when adding
phone to ACL.
User Confirmation Send a SMS and ask if OK to use femto?
The last addresses the issue of user consent.
Issues for dumb devices.
Conclusion
• Analysis worked pretty well.
• Trusted devices with potentially rogue network administrators.
• Attacks on compressed voice (Wright et al).
• What about active attacks?
• More ambitions — botnet of femto gateways?
Related documents
Lecture#14
Lecture#14
February 25, 2008 - West Hills Community College District
February 25, 2008 - West Hills Community College District
Venous TOS first visit
Venous TOS first visit
View Presentation - Northern Ontario School of Medicine
View Presentation - Northern Ontario School of Medicine
Vascular Diseases Quiz − Case 24
Vascular Diseases Quiz − Case 24
Fives, H. & DiDonato-Barnes, N. (2013). Classroom test construction
Fives, H. & DiDonato-Barnes, N. (2013). Classroom test construction
FEMTO Lab Access
FEMTO Lab Access
Download
advertisement