Chapter 17

Cellular

Peng Liu State University

Thomas F. LaPorta Pennsylvania State University

Kameswari Kotapati Pennsylvania State University

1. INTRODUCTION To ensure that adversaries do not access cellular net- works and cause breakdowns, a high level of security Cellular networks are high-speed, high-capacity voice and must be maintained in cellular networks. However, data communication networks with enhanced multimedia though great efforts have been made to improve cellular and seamless capabilities for supporting cellular networks in terms of support for new and innovative ser- devices. With the increase in popularity of cellular vices, greater number of subscribers, higher speed, and devices, these networks are used for more than just enter- larger bandwidth, very little has been done to update the tainment and phone calls. They have become the primary security of cellular networks. Accordingly, these networks means of communication for finance-sensitive business have become highly attractive targets to adversaries, not transactions, lifesaving emergencies, and life-/ mission- only because of their lack of security but also due to the critical services such as E-911. Today these networks ease with which these networks can be exploited to affect have become the lifeline of communications. millions of subscribers. A breakdown in a cellular network has many adverse In this chapter we analyze the security of cellular net- effects, ranging from huge economic losses due to financial works. Toward understanding the security issues in cellu- transaction disruptions; loss of life due to loss of phone calls lar networks, the rest of the chapter is organized as made to emergency workers; and communication outages follows. We present a comprehensive overview of cellular during emergencies such as the September 11, 2001, networks with a goal of providing a fundamental under- attacks. Therefore, it is a high priority for cellular networks standing of their functioning. Next we present the current to function accurately. state of cellular network security through an in-depth dis- It must be noted that it is not difficult for unscrupu- cussion on cellular network vulnerabilities and possible lous elements to break into a cellular network and cause attacks. In addition, we present a cellular network specific outages. The major reason for this is that cellular net- attack taxonomy. Finally, we present a review of current works not designed with security in mind. They cellular network vulnerability assessment techniques and evolved from the old-fashioned networks that conclude with a discussion. were built for performance. To this day, cellular networks have numerous well-known and unsecured vulnerabilities providing access to adversaries. Another feature of cellu- lar networks is network relationships (also called depen- 2. OVERVIEW OF CELLULAR NETWORKS dencies) that cause certain types of errors to propagate to The current cellular network is an evolution of the early- other network locations as a result of regular network generation cellular networks that were built for optimal activity. Such propagation can be very disruptive to a net- performance. These early-generation cellular networks work, and in turn it can affect subscribers. Finally, were proprietary and owned by reputable organizations. connectivity to cellular networks is another major They were considered secure due to their proprietary contributor to cellular networks’ vulnerability because it ownership and their closed nature, that is, their control gives Internet users direct access to cellular network vul- infrastructure was unconnected to any public network nerabilities from their homes. (such as the Internet) to which end subscribers had direct

323 324 PART | 1 Overview of System and Network Security: A Comprehensive Introduction

access. Security was a nonissue in the design of these were also closed networks because they were uncon- networks. nected to other public networks. Recently, connecting the Internet to cellular networks The core network is also connected to the Internet. has not only imported the Internet vulnerabilities to cellu- Internet connectivity allows the cellular network to pro- lar networks, it has also given end subscribers direct vide innovative multimedia services such as weather access to the control infrastructure of a cellular network, reports, stock reports, sports information, chat, and elec- thereby opening the network. Also, with the increasing tronic mail. Interworking with the Internet is possible demand for these networks, a large number of new net- using protocol gateways, federated databases, and multi- work operators have come into the picture. Thus, the cur- protocol mobility managers [2]. Interworking with the rent cellular environment is no longer a safe, closed Internet has created a new generation of services called network but rather an insecure, open network with many cross-network services. These are multivendor, multido- unknown network operators having nonproprietary access main services that use a combination of Internet-based to it. Here we present a brief overview of the cellular net- data and data from the cellular network to provide a vari- work architecture. ety of services to the cellular subscriber. A sample cross- network service is the Email Based Call Forwarding Service (CFS), which uses Internet-based email data (in a Overall Cellular Network Architecture mail server) to decide on the call-forward number (in a call-forward server) and delivers the call via the cellular Subscribers gain access to a cellular network via radio network. signals enabled by a radio access network, as shown in From a functional viewpoint, the core network may Figure 17.1. The radio access network is connected to the also be further divided into the circuit-switched (CS) wireline portion of the network, also called the core net- domain, the packet-switched (PS) domain, and the IP work. Core network functions include servicing subscriber Multimedia Subsystem (IMS). In the following, we fur- requests and routing traffic. The core network is also con- ther discuss the core network organization. nected to the Public Switched Telephone Network (PSTN) and the Internet, as illustrated in Figure 17.1[1]. The PSTN is the circuit-switched public voice tele- Core Network Organization phone network that is used to deliver voice telephone calls on the fixed landline telephone network. The PSTN Cellular networks are organized as collections of inter- uses Signaling System No. 7 (SS7), a set of sig- connected network areas, where each network area covers naling protocols defined by the International a fixed geographical region (as shown in Figure 17.2). At Telecommunication Union (ITU) for performing tele- a particular time, every subscriber is affiliated with two phony functions such as call delivery, call routing, and networks: the home network and the visiting network. billing. The SS7 protocols provide a universal structure Every subscriber is permanently assigned to the home for telephony network signaling, messaging, interfacing, network (of his device), from which they can roam onto and network maintenance. PSTN connectivity to the core other visiting networks. The home network maintains the network enables mobile subscribers to call fixed network subscriber profile and his current location. The visiting subscribers, and vice versa. In the past, PSTN networks network is the network where the subscriber is currently roaming. It provides radio resources, mobility manage- ment, routing, and services for roaming subscribers. The Internet visiting network provides service capabilities to the sub- scribers on behalf of the home environment [3].

Core Network Packet Radio Switched VLR MSC Access Domain Circuit GMSC Network IP Switched GMSC HLR Multimedia Domain Network Area B System Network Area A GMSC

Home Network Visiting Network PSTN BS

FIGURE 17.1 Cellular network architecture. FIGURE 17.2 Core network organization. Chapter | 17 Cellular Network Security 325

The core network is facilitated by network servers relationships (called dependencies). A dependency means (also called service nodes). Service nodes are composed that a network component must rely on other network of (1) a variety of data sources (such as cached read- components to perform a function. For example, there is only, updateable, and shared data sources) to store data a dependency between service nodes to service subscri- such as subscriber profile and (2) service logic to perform bers. Such a dependency is made possible through signal- functions such as computing data items, retrieving data ing messages containing data items. Service nodes items from data sources, and so on. typically request other service nodes to perform specific Service nodes can be of different types, with each operations by sending them signaling messages contain- type assigned specific functions. The major service node ing data items with predetermined values. On receiving types in the circuit-switched domain include the Home signaling messages, service nodes realize the operations Location Register (HLR), the Visitor Location Register to perform based on values of data items received in sig- (VLR), the Mobile Switching Center (MSC), and the naling messages. Further, dependencies may exist Gateway Mobile Switching Center (GMSC) [4]. between data items so that received data items may be All subscribers are permanently assigned to a fixed used to derive other data items. Several application layer HLR located in the home network. The HLR stores per- protocols are used for signaling messages. Examples of manent subscriber profile data and relevant temporary signaling message protocols include Mobile Application data such as current subscriber location (pointer to VLR) Part (MAP), ISDN User Part (ISUP), and Transaction of all subscribers assigned to it. Each network area is Capabilities Application Part (TCAP) protocols. assigned a VLR. The VLR stores temporary data of sub- Typically in a cellular network, to provide a specific scribers currently roaming in its assigned area; this sub- service a preset group of signaling messages is exchanged scriber data is received from the HLR of the subscriber. between a preset group of service node types. The preset Every VLR is always associated with an MSC. The MSC group of signaling messages indicates the operations to be acts as an interface between the radio access network and performed at the various service nodes and is called a sig- the core network. It also handles circuit-switched services nal flow. In the following, we use the call delivery service for subscribers currently roaming in its area. The GMSC [6] to illustrate a signal flow and show how the various is in charge of routing the call to the actual location of geographically distributed service nodes function the mobile station. Specifically, the GMSC acts as inter- together. face between the fixed PSTN network and the cellular network. The radio access network comprises a transmit- ter, receiver, and speech transcoder called the base station Call Delivery Service (BS) [5]. The call delivery service is a basic service in the circuit- Service nodes are geographically distributed and serve switched domain. It is used to deliver incoming calls to the subscriber through collaborative functioning of vari- any subscriber with a mobile device regardless of their ous network components. Such collaborative functioning location. The signal flow of the call delivery service is is possible due to the inter-component network illustrated in Figure 17.3. The call delivery service signal

FIGURE 17.3 Signal flow in the call deliv- ery service. GMSC HLR VLR MSC

1. Initial 2. Send Rout Address 3. Provide Roam Info (SRI) Message Num (PRN) (IAM) 5. Send Rout Air 4. Provide Roam Info Ack Interface Num Ack (SRI_ACK) (PRN_ACK) 6. Initial Address Message (IAM)

7. SIFIC

8. Page MS 9. Page

Home Network Visiting Network 326 PART | 1 Overview of System and Network Security: A Comprehensive Introduction

flow comprises MAP messages SRI, SRI_ACK, PRN, 3. THE STATE OF THE ART OF CELLULAR and PRN_ACK; ISUP message IAM; and TCAP mes- NETWORK SECURITY sages SIFIC, Page MS, and Page. Figure 17.3 illustrates the exchange of signal mes- This part of the chapter presents the current state of the sages between different network areas. It shows that art of cellular network security. Because the security of a when a subscriber makes a call using his mobile device, cellular network is the security of each aspect of the net- the call is sent in the form of a signaling message IAM to work, that is, radio access network, core network, Internet the nearest GMSC, which is in charge of routing calls and connection, and PSTN connection, we detail the security passing voice traffic between different networks. This sig- of each in detail. naling message IAM contains data items such as called number that denotes the number of the sub- scriber receiving this call. The called number is used by Security in the Radio Access Network the GMSC to locate the address of the HLR (home net- In a cellular network, the radio access network uses radio work) of the called party. The GMSC uses this address to signals to connect the subscriber’s cellular device with send the signaling message SRI. the core network. Hence it would seem that attacks on the The SRI message is an intimation to the HLR of the radio access network could easily happen because anyone arrival of an incoming call to a subscriber with called with a transmitter/receiver could capture these signals. number as mobile phone number. It contains data items This was very true in the case of early-generation cellular such as the called number and alerting pattern.Thealert- networks (first and second generations), where there were ing pattern denotes the pattern (packet-switched data, no guards against on conversations short message service,orcircuit-switched call) used to between the cellular device and BS; cloning of cellular alert the subscriber receiving the call. The HLR uses the devices to utilize the network resources without paying; called number to retrieve from its database the current and cloning BSs to entice users to camp at the cloned BS location (pointer to VLR) of the subscriber receiving the in an attack is called a false base station attack, so that call. The HLR uses this subscriber location to send the the target user provides secret information to the VLR the message PRN. The PRN message is a request adversary. for call routing information (also called roaming number) In the current generation (third-generation) of cellular from the VLR where the subscriber is currently roaming. networks, all these attacks can be prevented because the The PRN message contains the called number, alerting networks provide adequate security measures. pattern, and other subscriber call profile data items. Eavesdropping on signals between the cellular device and The VLR uses the called number to store the alerting BS is not possible, because cipher keys are used to pattern and subscriber call profile data items and assign encrypt these signals. Likewise, replay attacks on radio the roaming number for routing the call. This roaming signals are voided by the use of non-repeating random number data item is passed on to the HLR (in message values. Use of integrity keys on radio conversations voids PRN_ACK), which forwards it to the GMSC (in message the possibility of deletion and modification of conversa- SRI_ACK). The GMSC uses this roaming number to tions between cellular devices and BSs. By allowing the route the call (message IAM) to the MSC where the sub- subscriber to authenticate a network, and vice versa, this scriber is currently roaming. On receipt of the message generation voids the attacks due to cloned cellular devices IAM, the MSC assigns the called number resources for and BSs. Finally, as the subscriber’s identity is kept con- the call and also requests the subscriber call profile data fidential by only using a temporary subscriber identifier items, and alerting pattern for the called number (using on the radio network, it is also possible to maintain sub- message SIFIC) from the VLR, and receives the same in scriber location [7]. the Page MS message. The MSC uses the alerting pattern However, the current generation still cannot prevent a in the incoming call profile to derive the page type data denial-of-service attack from occurring if a large number item. The page type data item denotes the manner in of registration requests are sent via the radio access net- which to alert the mobile station. It is used to page the work (BS) to the visiting network (MSC). Such a DoS mobile subscriber (using message Page). Thus subscribers attack is possible because the MSC cannot realize that the receive incoming calls irrespective of their locations. registration requests are fake until it attempts to authenti- If data item values are inaccurate, a network can miso- cate each request and the request fails. To authenticate perate and subscribers will be affected. Hence, accurate each registration request, the MSC must fetch the authen- functioning of the network is greatly dependent on the tication challenge material from the corresponding HLR. integrity of data item values. Thus signal flows allow the Because the MSC is busy fetching the authentication various service nodes to function together, ensuring that challenge material, it is kept busy and the genuine regis- the network services its subscribers effectively. tration requests are lost [7]. Overall there is a great Chapter | 17 Cellular Network Security 327

improvement in the radio network security in the current nodes [7]. Remote and physical access to service nodes third-generation cellular network. may be subject to operator’s security policy and hence could be exploited (insider or outsider) if the network operator is lax with security. Accordingly, the core net- Security in Core Network work suffers from the possibility of node impersonation, Though the current generation of a cellular network has corruption of data sources, and service logic attacks. For seen many security improvements in the radio access net- example, unauthorized access to HLR could deactivate work, the security of the core network is not as improved. customers or activate customers not seen by the building Core network security is the security at the service nodes system. Similarly, unauthorized access to MSC could and security on links (or wireline signaling message) cause outages for a large number of users in a given net- between service nodes. work area. With respect to wireline signaling message security, Corrupt data sources or service logic in service nodes of the many wireline signaling message protocols, protec- have the added disadvantage of propagating this corrup- tion is only provided for the Mobile Application Part tion to other service nodes in a cellular network [1214] (MAP) protocol. The MAP protocol is the cleartext appli- via signaling messages. This fact was recently confirmed cation layer protocol that typically runs on the security- by a security evaluation of cellular networks [13] that free SS7 protocol or the IP protocol. MAP is an essential showed the damage potential of a compromised service protocol and it is primarily used for message exchange node to be much greater than the damage potential of involving subscriber location management, authentication, compromised signaling messages. Therefore, it is of and call handling. The reason that protection is provided utmost importance to standardize a scheme for protecting for only the MAP protocol is that it carries authentication service nodes in the interest of not only preventing node material and other subscriber-specific confidential data; impersonation attacks but also preventing the corruption therefore, its security was considered top priority and was from propagating to other service nodes. standardized [810]. Though protection for other signal- In brief, the current generation core networks are ing message protocols was also considered important, it lacking in security for all types of signaling messages, was left as an improvement for the next-generation net- security for MAP signaling messages in service nodes, works [11]. and a standardized method for protecting service nodes. Security for the MAP protocol is provided in the form To protect all types of signaling message protocols and of the newly proposed protocol called Mobile Application ensure that messages are secured not only on the links Part Security (MAPSec), when MAP runs on the SS7 pro- between service nodes but also on the intermediate tocol stack, or Internet Protocol Security (IPSec) when service nodes (that is, secured end to end), and prevent MAP runs on the IP protocol. Both MAPSec and IPSec, service logic corruption from propagating to other protect MAP messages on the link between service nodes service nodes, the End-to-End Security (EndSec) proto- by negotiating security associations. Security associations col was proposed [13]. comprise keys, algorithms, protection profiles, and key Because signaling message security essentially lifetimes used to protect the MAP message. Both depends on security of data item values contained in these MAPSec and IPSec protect MAP messages by providing messages, EndSec focuses on securing data items. source service node authentication and message encryp- EndSec requires every data item to be signed by its tion to prevent eavesdropping, MAP corruption, and fab- source service nodes using public key encryption. By rication attacks. requiring signatures, if data items are corrupt by compro- It must be noted that though MAPSec and IPSec are mised intermediate service nodes en route, the compro- deployed to protect individual MAP messages on the link mised status of the service node is revealed to the service between service nodes, signaling messages typically nodes receiving the corrupt data items. Revealing the occur as a group in a signal flow, and hence signaling compromised status of service nodes prevents corruption messages must be protected not only on the link but also from propagating to other service nodes, because service in the intermediate service nodes. Also, the deployment nodes are unlikely to accept corrupt data items from com- of MAPSec and IPSec is optional; hence if any service promised service nodes. provider chooses to omit MAPSec/IPSec’s deployment, EndSec also prevents misrouting and node impersona- the efforts of all other providers are wasted. Therefore, to tion attacks by requiring every service node in a signal completely protect MAP messages, MAPSec/IPSec must flow to embed the PATH taken by the signal flow in be used by every service provider. every EndSec message. Finally, EndSec introduces sev- With respect to wireline service nodes, while eral control messages to handle and correct the detected MAPSec/IPSec protects links between service nodes, corruption. Note that EndSec is not a standardized there is no standardized method for protecting service protocol. 328 PART | 1 Overview of System and Network Security: A Comprehensive Introduction

Security Implications of Internet match the Internet design, or vice versa, which is unlikely Connectivity to happen soon. Hence a temporary fix would be to secure the gateways connecting the Internet and core network. Internet connectivity introduces the biggest threat to the As a last note, Internet connectivity filters attacks not security of cellular networks. This is because cheap PC- only into the core network, but also into the PSTN net- based equipment with Internet connectivity can now work. Hence PSTN gateways must also be guarded. access gateways connecting to the core network (of a cel- lular network). Therefore, any attack possible in the Internet can now filter into the core network via these Security Implications of PSTN Connectivity gateways. For example, Internet connectivity was the rea- PSTN connectivity to cellular networks allows calls son for the slammer worm to filter into the E-911 service between the fixed and cellular networks. Though the in Bellevue, Washington, making it completely unrespon- PSTN was a closed network, the security-free SS7 proto- sive [15]. Other attacks that can filter into the core net- col stack on which it is based was of no consequence. work from the Internet include spamming and phishing of However, by connecting the PSTN to the core network short messages [16]. that is in turn connected to the Internet, the largest open We expect low-bandwidth DoS attacks to be the most public network, the SS7-based PSTN network has “no damaging attacks brought on by Internet connectivity security left” [19]. [16,17,18]. These attacks demonstrate that by sending just Because SS7 protocols are plaintext and have no 240 short messages per second, it is possible to saturate a authentication features, it is possible to introduce fake cellular network and cause the MSC in charge of the messages, eavesdrop, cause DoS by traffic overload, and region to be flooded and lose legitimate short messages incorrectly route signaling messages. Such introduction of per second. Likewise, it shows that it is possible to cause SS7 messages into the PSTN network is very easily done a specific user to lose short messages by flooding that using cheap PC-based equipment. Attacks in which calls user with a large number of messages, causing a buffer for 800 and 900 numbers were rerouted to 911 servers so overflow. Such DoS attacks are possible because the short that legitimate calls were lost are documented [20]. Such message delivery time in a cellular network is much attacks are more so possible due to the IP interface of the greater than the short message submission time using PSTN service nodes and Web-based control of these Internet sites [17]. networks. Also, short messages and voices services use the same Because PSTN networks are to be outdated soon, there radio channel, so contention for these limited resources is no interest in updating these networks. So, they will may still occur and cause a loss of voice service. To remain “security free” until their usage is stopped [19]. avoid loss of voice services due to contention, separation So far, we have addressed the security and attacks on of voice and data services on the radio network (of a cel- each aspect of a cellular network. But an attack that is lular network) has been suggested [14]. However, such common to all the aspects of a cellular network is the cas- separation requires major standardization and overhaul of cading attack. Next we detail the cascading attack and the cellular network and is therefore unlikely be imple- present the corresponding vulnerability assessment mented very soon. Other minor techniques such as queue techniques. management and resource provisioning have been sug- gested [17]. Though such solutions could reduce the impact of 4. CELLULAR NETWORK ATTACK short message flooding, they cannot eliminate other types TAXONOMY of low-bandwidth, DoS attacks such as attacks on connec- In this part of the chapter, we present a cellular network tion setup and teardown of data services. The root cause specific attack taxonomy. This attack taxonomy is called for such DoS attacks from the Internet to the core net- the three-dimensional taxonomy because attacks are clas- work of a cellular network was identified as the differ- sified based on the following three dimensions: (1) adver- ence in the design principles of these networks. Though sary’s physical access to the network when the attack is the Internet makes no assumptions on the content of traf- launched; (2) type of attack launched; and (3) vulnerabil- fic and simply passes it on to the next node, the cellular ity exploited to launch the attack. network identifies the traffic content and provides a The three-dimensional attack taxonomy was motivated highly tailored service involving multiple service nodes by a cellular network specific abstract model, which is an for each type of traffic [18]. atomic model of cellular network service nodes. It Until this gap is bridged, such attacks will continue, enables better study of interactions within a cellular net- but bridging the gap itself is a major process because work and aids in derivation of several insightful charac- either the design of a cellular network must be changed to teristics of attacks on the cellular network. Chapter | 17 Cellular Network Security 329

The abstract model not only led to the development of Because service nodes in a cellular network comprise the three-dimensional attack taxonomy that has been sophisticated service logic that performs numerous net- instrumental in uncovering (1) cascading attacks, a type work functions, the abstract model logically divides the of attack in which the adversary targets a specific network service logic into basic atomic units, called agents (repre- location but attacks another location, which in turn propa- sented by the elliptical shape in Figure 17.4). Each agent gates the attack to the target location, and (2) cross- performs a single function. Service nodes also manage infrastructure cyber-attack, a new breed of attack in data, so the abstract model also logically divides data which a cellular network may be attacked from the sources into data units specific to the agents they support. Internet [21]. In this part of the chapter we further detail The abstract model also divides the data sources into per- the three-dimensional attack taxonomy and cellular net- manent (represented by the rectangular shape in work abstract model. Figure 17.4)orcached (represented by the triangular shape in Figure 17.4) from other service nodes. The abstract model developed for the CS domain is Abstract Model illustrated in Figure 17.4. It shows agents, permanent and The abstract model dissects functionality of a cellular net- cached data sources for the CS service nodes. For exam- work to the basic atomic level, allowing it to systemati- ple, the subscriber locator agent in the HLR is the agent cally isolate and identify vulnerabilities. Such that tracks the subscriber location information. It receives identification of vulnerabilities allows attack classifica- and responds to location requests during an incoming call tion based on vulnerabilities, and isolation of network and stores a subscriber’s location every time they move. functionality aids in extraction of interactions between This location information is stored in the location data network components, thereby revealing new vulnerabil- source. Readers interested in further details may refer to ities and attack characteristics. [21,22].

Session Location Data Authentication State Routing Data Data Data

Registration Subscriber Authenticator Subscribed Agent Locator Agent Session Routing Services Agent Control Agent Support Agent Agent User CAMEL & Subscriber User Channel Paging Supplementary Profile Manager Profile Agent Services Data Agent Settings Agent Subscriber Services Channel Data Users New Paging Users Access Subscribed Data Terminal HLR Data Services Data MSC Data

Foreign Agent Profile Manager VLR

Routing User Profile User CAMEL & Agent Location Data Authentication Settings Supplementary Subscribed Data Services Services Foreign Data Data Foreign Registration Locator Foreign Agent Agent Authenticator Agent

FIGURE 17.4 Abstract model of circuit-switched service nodes. 330 PART | 1 Overview of System and Network Security: A Comprehensive Introduction

Abstract Model Findings corruption. This propagation of corruption is called the cascading effect, and attacks that exhibit this effect are The abstract model led to many interesting findings. We called cascading attacks. In the following, we present a outline them as follows: sample of the cascading attack.

Interactions To study the network interactions, service nodes in signal Sample Cascading Attack flows (call delivery service) were replaced by their corre- In this sample cascading attack, cascading due to corrupt sponding abstract model agents and data sources. Such an data items and ultimately their service disruption are illus- abstract-model based signal flow based on the call trated in Figure 17.6. Consider the call delivery service delivery service is shown in Figure 17.5. explained previously. Here the adversary may corrupt the In studying the abstract model signal flow, it was roaming number data item (used to route the call) in the observed that interactions happen (1) between agents VLR. This corrupt roaming number is passed on in mes- typically using procedure calls containing data items; sage PRN_ACK to the HLR, which in turn passes this (2) between agents and data sources using queries con- information to the GMSC. The GMSC uses the incorrect taining data items; and (3) between agents belonging to roaming number to route the call to the incorrect MSCB, different service nodes using signaling messages contain- instead of the correct MSCA. This results in the caller los- ing data items. ing the call or receiving a wrong-number call. Thus cor- The common behavior in all these interactions is that ruption cascades and results in service disruption. they typically involve data items whose values are set or The type of corruption that can cascade is system- modified in agents or data source, or it involves data acceptable incorrect value corruption, a type of corrup- items passed between agents, data sources, or agents and tion in which corrupt values taken on system-acceptable data sources. Hence, the value of a data item not only can values, albeit incorrect values. Such a corruption can be corrupt in an agent or data source, it can also be easily cause the roaming number to be incorrect but a system- passed on to other agents, resulting in propagation of acceptable value.

Subscriber Users Services Terminal Location Data Data Data Routing Agent User Profile Location Data Settings 2a. Provide 2b. Provide Routing Session State Terminal(s) Location Data Data Info 10. Provide 4. Find Routing Subscriber Data Agent for User 6. Give Routing Subscriber Locator 12. Save State Number Agent Foreign Location Session Foreign Agent Agent Routing Control Profile Manager Agent Agent 1. Send Routing 3. Provide Information Roaming 5. Routing Number Request/ Response

7. PRN_ACK

8. IAM 9. SIFIC

11. Page MS

FIGURE 17.5 Abstract model-based signal flow for the call delivery service. Chapter | 17 Cellular Network Security 331

FIGURE 17.6 Sample cascading attacks in the call delivery service. GMSC HLR VLR MSCA MSCB

Initial Send Rout Address Info Provide Roam Message (SRI) Num (PRN) (IAM)

Provide Roam Num Ack Attack Send Rout (PRN_ACK) Info Ack (SRI_ACK) Propagate Propagate

Initial Address Message (IAM)

Initial Address Message (IAM)

Note that it is easy to cause such system-acceptable the effect of the attack on the mail server propagates to incorrect value corruption due to the availability of Web the CF service nodes. This is a classic example of a sites that refer to proprietary working manuals of service cross-infrastructure cyber cascading attack, whereby the nodes such as the VLR [23,24]. Such command insertion adversary gains access to the cross-network server, and attacks have become highly commonplace, the most infa- attacks by modifying data in the data source of the cross- mous being the of the Greek govern- network server. Note that it has become highly simplified ment and top-ranking civil servants [25]. to launch such attacks due to easy accessibility to the Internet and subscriber preference for Internet-based cross-network services. Cross-Infrastructure Cyber Cascading Attacks Isolating Vulnerabilities When cascading attacks cross into cellular networks from the Internet through cross-network services, they’re called From the abstract model, the major vulnerable-to-attacks cross-infrastructure cyber cascading attacks. This attack network components are: (1) data sources; (2) agents is illustrated on the CFS in Figure 17.7. (more generally called service logic); and (3) signaling As the CFS forwards calls based on the emails messages. By exploiting each of these vulnerabilities, received, corruption is shown to propagate from the mail data items that are crucial to the correct working of a cel- server to a call-forward (CF) server and finally to the lular network can be corrupted, leading to ultimate ser- MSC. In the attack, using any standard mail server vul- vice disruption through cascading effects. nerabilities, the adversary may compromise the mail In addition, the effect of corrupt signaling messages is server and corrupt the email data source by deleting different from the effect of corrupt data sources. By cor- emails from people the victim is expecting to call. The rupting data items in a data source of a service node, all CF server receives and caches incorrect email from the the subscribers attached to this service node may be mail server. affected. However, by corrupting a signaling message, When calls arrive for the subscriber, the call- only the subscribers (such as the caller and called party in forwarding service is triggered, and the MSC queries the case of call delivery service) associated with the message CF server on how to forward the call. The CF server are affected. Likewise, corrupting the agent in the service checks its incorrect email cache, and because there are no node can affect all subscribers using the agent in the ser- emails from the caller, it responds to the MSC to forward vice node. Hence, in the three-dimensional taxonomy, a the call to the victim’s voicemail when in reality the call vulnerability exploited is considered as an attack dimen- should have been forwarded to the cellular device. Thus sion, since the effect on each vulnerability is different. 332 PART | 1 Overview of System and Network Security: A Comprehensive Introduction

FIGURE 17.7 Cross-infrastructure cyber cas- cading attacks on call-forward service.

HLR GMSC Internet Attack Core Network Propagate Propagate Mail Server

VLR CF Server MSC

Likewise, the adversary’s physical access to a cellular service is not affected, but it can have a later effect on the network also affects how the vulnerability is exploited and subscriber, such as or loss of privacy. An how the attack cascades. For example, consider the case active attack such as interruption can cause complete ser- when a subscriber has access to the air interface. The vice disruption. Hence, in the three-dimensional taxon- adversary can only affect messages on the air interface. omy, the attack means are considered a category due the Similarly, if the adversary has access to a service node, the ultimate effect on service. In the next part of the chapter, data sources and service logic may be corrupted. Hence, in we detail the cellular network specific three-dimensional the three-dimensional taxonomy, the physical access is taxonomy and the way the previously mentioned dimen- considered a category as it affects how the vulnerability is sions are incorporated (see checklist: “An Agenda For exploited and its ultimate effect on the subscriber. Action When Incorporating The Cellular Network Finally, the way the adversary chooses to launch an Specific Three-Dimensional Attack Taxonomy”). attack ultimately affects the service in a different way. Table 17.1 shows a sample tabulation of Level I Consider a passive attack such as interception. Here the attacks grouped in Case 1. For example, with Level I

An Agenda for Action when Incorporating the Cellular Network Specific Three-Dimensional Attack Taxonomy The three dimensions in the taxonomy include Dimension I: _____c. Level III: Access core service nodes.In Physical Access to the Network, Dimension II: Attack this case, the adversary could be an Categories and Dimension III: Vulnerability Exploited. In the insider who managed to gain physical following, we outline each dimension (check all tasks access to core service nodes. Attacks completed): include editing the service logic or modi- _____1. Dimension IPhysical Access to the Network: In fying data sources, such as subscriber data this dimension, attacks are classified based on the (profile, security and services) stored in adversary’s level of physical access to a cellular the service node and corresponding to network. Dimension I may be further classified into corrupt service logic, data source, and single infrastructure attacks (Level IIII) and cross- node impersonation attacks previously infrastructure cyber-attacks (Level IVV): mentioned. _____a. Level I: Access to air interface with physi- _____d. Level IV: Access to links connecting the cal device. Here the adversary launches Internet and the core network service attacks via access to the radio access net- nodes. This is a cross-infrastructure cyber- work using standard inexpensive “off-the- attack. Here the adversary has access to shelf” equipment [26]. Attacks include links connecting the core network and false base station attacks, eavesdropping, Internet service nodes. Attacks include and man-in-the-middle attacks and corre- editing and deleting signaling messages spond to attacks previously mentioned. between the two networks. This level of _____b. Level II: Access to links connecting core attack is easier to achieve than Level II. service nodes. Here the adversary has _____e. Level V: Access to Internet servers or access to links connecting to core service cross-network servers: This is a cross- nodes. Attacks include disrupting normal infrastructure cyber-attack. Here the transmission of signaling messages and adversary can cause damage by editing correspond to message corruption attacks the service logic or modifying subscriber previously mentioned. data (profile, security and services) stored Chapter | 17 Cellular Network Security 333

in the cross-network servers. Such an logic. For example, via a Level II access, attack was previously outlined earlier in the adversary modifies signaling messages the chapter. This level of attack is easier on the link; and via a Level III access, the to achieve than Level III. adversary modifies service logic or data. _____2. Dimension IIAttack Type: In this dimension, _____e. Denial of service. In this case, the adver- attacks are classified based on the type of attack. sary takes actions to overload a network The attack categories are based on Stallings [27] results in legitimate subscribers not work in this area: receiving service. _____a. Interception. The adversary intercepts sig- _____f. Interruption. Here the adversary causes an naling messages on a cable (Level II interruption by destroying data, messages, access) but does not modify or delete or service logic. them. This is a passive attack. This affects _____3. Dimension IIIVulnerability Exploited: In this the privacy of the subscriber and the net- dimension, attacks are classified based on the vul- work operator. The adversary may use the nerability exploited to cause the attack. data obtained from interception to ana- Vulnerabilities exploited are explained as follows: lyze traffic and eliminate the competition _____a. Data. The adversary attacks the data provided by the network operator. stored in the system. Damage is inflicted _____b. Fabrication or replay. In this case, the by modifying, inserting, and deleting the adversary inserts spurious messages, data, data stored in the system. or service logic into the system, depend- _____b. Messages. The adversary adds, modifies, ing on the level of physical access. For deletes, or replays signaling messages. example, via a Level II access, the adver- _____c. Service logic. Here the adversary inflicts sary inserts fake signaling messages; and damage by attacking the service logic run- via a Level III access, the adversary inserts ning in the various cellular core network fake service logic or fake subscriber data service nodes. into this system. _____d. Attack classification. In classifying attacks, _____c. Modification of resources. Here the adver- we can group them according to Case 1: sary modifies data, messages, or service Dimension I versus Dimension II, and logic. For example, via a Level II access, Case 2: Dimension II versus Dimension the adversary modifies signaling messages III. Note that the Dimension I versus on the link; and via a Level III access, the Dimension III case can be transitively adversary modifies service logic or data. inferred from Case 1 and Case 2. _____d. Modification of resources. Here the adver- sary modifies data, messages, or service

TABLE 17.1 Sample Case 1 Classification.

Interception Fabrication/Insertion Modification of Resources Denial of Service Interruption

Level I G Observe time, G Using modified cellular G With a modified base station G The adversary can G Jam victims’ rate, length, devices, the adversary and cellular devices, the cause DoS by traffic channels source, and can send spurious adversary modifies sending a large so that victims destination of registration messages to conversations between number of fake cannot access victim’s the target network. subscribers and their base registration the channels. locations. stations. messages. G With modified G Likewise, using G Broadcast at a cellular modified base stations, higher intensity devices, the adversary can signal than allowed, eavesdrop on victims to camp at their thereby hogging victim. locations. the bandwidth. 334 PART | 1 Overview of System and Network Security: A Comprehensive Introduction

access an adversary causes interception attacks by observ- It must be noted that developing such tools CAT, ing traffic and eavesdropping. Likewise, fabrication aCAT, and eCAT presented many challenges: (1) cellu- attacks due to Level I access include sending spurious lar networks are extremely complex systems; they registration messages. Modification of resources due to comprise several types of service nodes and control proto- Level I access includes modifying conversations in the cols, contain hundreds of data elements, and support hun- radio access network. DoS due to Level I access occurs dreds of services; hence developing such toolkits requires when a large number of fake registration messages are in-depth working knowledge of these systems; and (2) sent to keep the network busy so as to not provide service every cellular network deployment comprises a different to legitimate subscribers. Finally, interruption attacks due physical configuration; toolkits must be immune to the to Level I access occur when adversaries jam the radio diversity in physical configuration; and finally (3) attacks access channel so that legitimate subscribers cannot cascade in a network due to regular network activity as a access the network. For further details on attack catego- result of dependencies; toolkits must be able to track the ries, refer to [22]. way that corruption cascades due to network dependencies. The challenge of in-depth cellular network knowledge was overcome by incorporating the toolkits with cellular 5. CELLULAR NETWORK VULNERABILITY network specifications defined by the Third Generation Partnership Project (3GPP) and is available at no charge ANALYSIS [29]. The 3GPP is a telecommunications standards body Regardless of how attacks are launched, if attack actions formed to produce, maintain, and develop globally appli- cause a system-acceptable incorrect value corruption, the cable “technical specifications and technical reports” for corruption propagates, leading to many unexpected cas- a third-generation mobile system based on evolved GSM cading effects. To detect remote cascading effects and core networks and the radio access technologies that they identify the origin of cascading attacks, cellular network support [24]. vulnerability assessment tools were developed. Usage of specifications allows handling of the diversity These tools, including the Cellular Network of physical configuration, as specifications detail the func- Vulnerability Assessment Toolkit (CAT) and the advanced tional behavior and not the implementation structure of a Cellular Network Vulnerability Assessment Toolkit cellular network. Specifications are written using simple (aCAT) [12,28], receive the input from users regarding flow-like diagrams called the Specification and Description which data item(s) might be corrupted and output an Language (SDL) [30], and are referred to as SDL specifica- attack graph. The CAT attack graph not only shows the tions. Equipment and service providers use these SDL spe- network location and service where the corruption might cifications as the basis for their service implementations. originate, it also shows the various messages and service Corruption propagation is tracked by incorporating the nodes through which the corruption propagates. toolkits with novel dependency and propagation models An attack graph is a diagrammatic representation of to trace the propagation of corruption. Finally, Boolean an attack on a real system. It shows various ways an properties are superimposed on the propagation model to adversary can break into a system or cause corruption and capture the impact of security solutions. the various ways in which the corruption may propagate CAT is the first version of the toolkit developed for within the system. Attack graphs are typically produced cellular network vulnerability assessment. CAT works by manually by red teams and used by systems administra- taking user input of seeds (data items directly corrupted tors for protection. CAT and aCAT attack graphs allow by the adversary and the cascading effect of which leads users to trace the effect of an attack through a network to a goal) and goals (data parameters that are derived and determine its side effects, thereby making them the incorrectly due to the direct corruption of seeds by the ultimate service disruption. adversary) and uses SDL specification to identify cascad- Cellular networks are at the nascent stage of develop- ing attacks. However, SDL is limited in its expression of ment with respect to security, so it is necessary to evalu- relationships and inexplicit in its assumptions and hence ate security protocols before deploying them. Hence, cannot capture all the dependencies; therefore CAT aCAT can be extended with security protocol evaluation misses several cascading attacks. capabilities into a tool [13] called Cellular Network To detect a complete set of cascading effects, CAT Vulnerability Assessment Toolkit for evaluation (eCAT). was enhanced with new features, to aCAT. The new fea- eCAT allows users to quantify the benefits of security tures added to aCAT include (1) a network dependency solutions by removing attack effects from attack graphs model that explicitly specifies the exact dependencies in a based on the defenses provided. One major advantage of cellular network; (2) infection propagation rules that iden- this approach is that solutions may be evaluated before tify the reasons that cause corruption to cascade; and expensive development and deployment. (3) a small amount of expert knowledge. The network Chapter | 17 Cellular Network Security 335

dependency model and infection propagation rules may The GUI subsystem takes user input in the form of be applied to SDL specifications and help alleviate their seeds and goals. The analysis engine contains algorithms limited expression capability. The expert knowledge helps (forward and midpoint) incorporated with cascading capture the inexplicit assumptions made by SDL. effect detection rules. It explores the possibility of the In applying these features, aCAT captures all those user input seed leading to the cascading effect of the user dependencies that were previously unknown to CAT, and input goal, using the knowledge base, and outputs the thereby aCAT was able to detect a complete set of cas- cascading attack in the form of attack graphs. cading effects. Through extensive testing of aCAT, sev- Using these attack graphs, realistic attack scenarios eral interesting attacks were found and the areas where may be derived. Attack scenarios explain the effect of the SDL is lacking was identified. attack on the subscriber in a realistic setting. Each attack To enable evaluation of new security protocols, aCAT graph may have multiple interpretations and give rise to was extended to eCAT. eCAT uses Boolean probabilities multiple scenarios. Each scenario gives a different per- in attack graphs to detect whether a given security spective on how the attack may affect the subscriber. protocol can eliminate a certain cascading effect. Given a security protocol, eCAT can measure effective coverage, Cascading Effect Detection Rules identify the types of required security mechanisms to protect the network, and identify the most vulnerable net- The Cascading Effect Detection Rules were defined to work areas. eCAT was also used to evaluate MAPSec, the extract cascading effects from the SDL specifications new standardized cellular network security protocol. contained in the knowledge base. They are incorporated Results from MAPSec’s evaluation gave insights into into the algorithms in the analysis engine. These rules MAPSec’s performance and the network’s vulnerabilities. define what constitutes propagation of corruption from a In the following, we detail each toolkit. signaling message to a block, and vice versa, and propa- gation of corruption within a service node. For example, when a service node receives a signaling message with a corrupt data item and stores the data item, it constitutes Cellular Network Vulnerability Assessment propagation of corruption from a signaling message to a Toolkit (CAT) block. Note that these rules are high level. In this part of the chapter, we present an overview of CAT and its many features. CAT is implemented using Attack Graph the Java programming language. It is made up of a num- The CAT attack graph may be defined as a state transition ber of subsystems (as shown in Figure 17.8). The knowl- showing the paths through a system, starting with the con- edge base contains the cellular network knowledge ditions of the attack, followed by attack action, and end- obtained from SDL specifications. SDL specifications ing with its cascading effects. In Figure 17.9, we present contain simple flowchart-like diagrams. The flowcharts the CAT attack graph output, which was built using user are converted into data in the knowledge base. The inte- input of ISDN Bearer Capability as a seed and Bearer grated data structure is similar to that of the knowledge Service as goal. The attack graph constitutes nodes and base; it holds intermediate attack graph results. edges. Nodes represent states in the network with respect to the attack, and edges represent network state transi- tions. For description purposes, each node has been given User Input Attack Scenario 1 a node label followed by an alphabet, and the attack Attack graph has been divided into layers. Graph Attack Scenario 2 Nodes may be broadly classified as conditions, GUI Output actions, and goals, with the conditions of the attack occurring at the lowest layer and the final cascading Analysis Engine Attack Scenario n effect at the highest layer. In the following, we detail each node type. Integrated Data Structure Condition Nodes Nodes at the lowest layer typically correspond to the conditions that must exist for the attack to occur. These Knowledge Base condition nodes directly follow from the taxonomy. They are an adversary’s physical access, target service node, FIGURE 17.8 Architecture of CAT. and vulnerability exploited. For example, the adversary 336 PART | 1 Overview of System and Network Security: A Comprehensive Introduction

Layer 6 1,2, Goal: Incorrect Node O Bearer Service Provided

Layer 5 1, Action: Corrupt 2, Action: Respond with Bearer Service in Node M Corrupt ‘Bearer Service’ in Node N Message SIFIC Message SIFIC arriving at VLR

Layer 4 AAAA 2, Action: Corrupt data 1, Action: Incoming ‘ISDN BC’ Corrupts 1, PA: Level II 1, Tgt: VLR Message SIFIC 1, Vul: Message ‘Bearer Service’ in arriving at VLR Node H Node I Node K Process ICH_MSC of MSC Node J Node L Layer 3 2, Action: Corrupt Data ISDN BC in Process Node G ICH_MSC of MSC

Layer 2 2, Action: Message IAM arriving Node F at MSC with Corrupt ISDN BC

Layer 1 2, Action: Corrupt ISDN BC in Message Node E IAM

Layer 0 AA AA 2, Action: Incoming 2, PA: Level II 2, Tgt: GMSC Message IAM arriving 2, Vul: Message Node A Node B at GMSC Node D Node C

FIGURE 17.9 CAT attack graph output.

has access to links connecting to the GMSC service node, as ISDN Bearer Capability corrupting Bearer Service that is, Level II physical access; this is represented as (Node L), and so on. Actions may further be classified as Node A in the attack graph. Likewise, the adversary cor- adversary actions, normal network operations, or normal rupts data item ISDN Bearer Capability in the IAM mes- subscriber activities. Adversary actions include insertion, sage arriving at the GMSC. Hence the target of the attack corruption, or deletion of data, signaling messages, or ser- is the GMSC and is represented by Node B. Similarly, vice logic represented by Node E. Normal network opera- the adversary exploits vulnerabilities in a message (IAM); tions include sending (Node N) and receiving signaling and, this is represented by Node D in the attack graph. messages (Node E). Subscriber activity may include The CAT attack graphs show all the possible condi- updating or initiating service. tions for an attack to happen. In other words, we see not only the corruption due to the seed ISDN Bearer Goal Nodes Capability in the signaling message, but also IAM arriv- ing at the GMSC. But, there are also other possibilities, Goal nodes typically occur at the highest layer of the such as the corruption of the goal Bearer Service in the attack graph. They indicate corruption of the goal items signaling message SIFIC, represented by Node M. due to the direct corruption of seeds by the adversary (Node A). Action Nodes Edges Nodes at higher layers are actions that typically corre- spond to effects of the attack propagating through the net- In our graph, edges represent network transitions due to work. Effects typically include propagation of corruption both normal network actions and adversary actions. between service nodes, such as from MSC to VLR (Node Edges help show the global network view of adversary N), propagation of corruption within service nodes such action. This is the uniqueness of our attack graph. Chapter | 17 Cellular Network Security 337

Transitions due to adversary action are indicated by an Figure 17.9, the SIFIC message to the VLR has incorrect edge marked by the letter A (edges connecting Layer 0 goal item Bearer Service. The SIFIC message is used to and Layer 1). By inclusion of normal network transitions inform the VLR the calling party’s preferences such as in addition to the transitions caused by the adversary, our voice channel requirements and request the VLR to set up attack graph shows not only the adversary’s activity but the call based on the calling party and receiving party also the global network view of the adversary’s action. preferences. This is a unique feature of the attack graph. If the calling party’s preferences (such as Bearer Service) are incorrect, the call setup by the VLR is Trees incompatible with the calling party, and the communica- tion is ineffective (garbled speech). From the goal node, In the graph, trees are distinguished by the tree numbers it can be inferred that Alice, the receiver of the call, is assigned to its nodes. For example, all the nodes marked unable to communicate effectively with Bob, the caller, with number 2 belong to Tree 2 of the graph. Some nodes because Alice can only hear garbled speech from Bob’s in the graph belong to multiple trees. Tree numbers are side. used to distinguish between AND and OR nodes in the graph. Nodes at a particular layer with the same tree num- ber(s) are AND nodes. For example, at Layer 4, Nodes H, Origin of Attack I, J, and K are AND nodes; they all must occur for Nodes at Layer 0 indicate the origin of the attack, and Node M at Layer 5 to occur. Multiple tree numbers on a hence the location of the attack may be inferred. The node are called OR nodes. The OR node may be arrived speech attack may originate at the signaling messages at using alternate ways. For example, Node O at Layer 6 IAM, or the VLR service node. is an OR node, the network state indicated by Node O may be arrived at from Node M or Node N. Each attack tree shows the attack effects due to cor- Attack Propagation and Side Effects ruption of a seed at a specific network location (such as Nodes At All Other Layers Show The Propagation Of signaling message or process in a block). For example, Corruption Across The Various Service Nodes In The Tree 1 shows the attack due to the corruption of the seed Network. From Other Layers In Figure 17.9,ItCanBe Bearer Service at the VLR. Tree 2 shows the propagation Inferred That The Seed Is The ISDN Bearer Capability of the seed ISDN Bearer Capability in the signaling mes- And The Attack Spreads From The MSC To The VLR. sage IAM. These trees show that the vulnerability of a cellular network is not limited to one place but can be realized due to the corruption of data in many network Example Attack Scenario locations. Using these guidelines, an attack scenario may be derived In constructing the attack graph, CAT assumes that an as follows. Trudy, the adversary, corrupts the ISDN adversary has all the necessary conditions for launching Bearer Capability of Bob, the victim, at the IAM message the attack. The CAT attack graph format is well suited to arriving at the GMSC. The GMSC propagates this corrup- cellular networks because data propagates through the tion to the MSC, which computes, and hence corrupts, the network in various forms during the normal operation of Bearer Service. The corrupt Bearer Service is passed on a network; thus an attack that corrupts a data item mani- to the VLR, which sets up the call between Bob, the cal- fests itself as the corruption of a different data item in a ler, and Alice, the receiver. Bob and Alice cannot com- different part of the network after some network opera- municate effectively because Alice is unable to tions take place. understand Bob. Though CAT has detected several cascading attacks, Attack Scenario Derivation its output to a great extent depends on SDL’s ability to capture data dependencies. SDL is limited in its expres- The CAT attack graph is in cellular network semantics, sion capability in the sense that it does not always accu- and realistic attack scenarios may be derived to under- rately capture the relationship between data items, and in stand the implications of the attack graph. Here we detail many cases, SDL does even specify the relationship. the principles involved in the derivation of realistic attack Without these details CAT may miss some cascading scenarios: effects due to loss of data relationships. CAT’s output to a minor extent also depends on user input in the sense End-User effect that to accurately capture all the cascading effect of a Goal node(s) are used to infer the end effect of the attack seed, the user’s input must comprise all the seeds that can on the subscriber. According to the goal node in occur in the cascading effect; otherwise the exact 338 PART | 1 Overview of System and Network Security: A Comprehensive Introduction

cascading effect is not captured. To alleviate CAT’s inad- network components. Hence, to uncover these attacks, the equacies, aCAT was developed. network dependency model and infection propagation (IP) rules were defined. In the following, we detail the network dependency model and infection propagation Advanced Cellular Network Vulnerability model using Figure 17.10. Assessment Toolkit (aCAT) In this section, we present aCAT, an extension of CAT Network Dependency Model with enhanced features. These enhanced features include (1) incorporating expert knowledge to compensate for the The network dependency model accurately defines fine- lacking caused by SDL’s inexplicit assumptions; expert grained dependencies between the various network com- knowledge added to the knowledge base with the SDL ponents. Given that service nodes comprise agents and specifications; (2) defining a network dependency model data sources (from the abstract model), the dependencies that accurately captures the dependencies in a cellular are defined as follows. In interagent dependency, agents network; the network dependency model is used to format communicate with each other using agent invocations the data in knowledge base, thereby clarifying the nature (as shown by 6 in Figure 17.10) containing data items. of the network dependency; and (3) defining infection Thus, agents are related to each other through data propagation rules that define fine-grained rules to detect items. Likewise, in agent to data source dependency, cascading attacks; these infection propagation rules are agents communicate with data sources using Read and incorporated into the analysis engine, which comprises Write operations containing data items. Therefore, the forward, reverse, and combinatory algorithms. aCAT agents and data items are related to each other through is also improved in terms of its user input requirements. It data items. Within agents, derivative dependencies requires as input either seeds or goals, whereas CAT define relationships between data items. Here data items required both seeds and goals. are used as input to derive data items using derivation In principle, cascading attacks are the result of propa- operations such as AND, OR operations. Therefore, data gation of corruption between network components (such items are related to each other through derivation opera- as signaling messages, caches, local variables, and service tion. For further detail on the network dependency logic) due to dependencies that exist between these model, refer to [12].

FIGURE 17.10 Network depen- Node Nk dency model. 11. Message M3 (dA, dF, dG)

Node Nj Agent A 2 Local Variables = 8. f(dAor dC) dF

= 9. f(dAand dF) dG

7. Read 10. Write[ dF, dG] 6. InvokeA2[dH] 1. Message [dA, dC] Agent A1 Node M1 (dA, dB) 2. f(d and d )=d Ni A B C Data Source Dj k = 3. f(dA key dB) dH

Cache 4. Write[ dA, dB, dC, dH]

5. Message M2 (dA, dB, dC, dH)

dX : Indicates that data parameter dx Node N is corrupt due to intruder action m

dX : Indicates that data parameter dx is corrupt due to cascading effect Chapter | 17 Cellular Network Security 339

Infection Propagation (IP) Rules or the HLR. From the other levels it may be inferred that the seed is the alerting pattern that the adversary corrupts These are finegrained rules to detect cascading effects. in the SRI message and the attack spreads from the HLR They are incorporated into the algorithms in the analysis to the VLR and from the VLR to the MSC. For more engine. An example of the IP rule is that an output data details on these attacks, refer to [12]. item in the AND dependency is corrupt only if both the input data items are corrupt (as shown by 9 in Figure 17.10). Likewise, an output data item in the OR Cellular Network Vulnerability Assessment dependency is corrupt if a single input data item is cor- Toolkit for Evaluation (eCAT) rupt (as shown by 8 in Figure 17.10). Similarly, corrup- tion propagates between agents when the data item used In this part of the chapter, we present eCAT an extension to invoke the agent is corrupt, and the same data item is to aCAT. eCAT was developed to evaluate new security used as an input in the derivative dependency whose out- protocols before their deployment. Though the design put may be corrupt (as shown by 6, 8 in Figure 17.10). goals and threat model of these security protocols are Accordingly, corruption propagates from an agent to a common knowledge, eCAT was designed to find (1) the data source if the data item written to the data source is effective protection coverage of these security protocols corrupt (as shown by 4 in Figure 17.10). Finally, corrup- in terms of percentage of attacks prevented; (2) the other tion propagates between service nodes if a data item used kinds of security schemes required to tackle the attacks in the signaling message between the service nodes is cor- that can evade the security protocol under observation; rupt, and the corrupt data item is used to derive corrupt and (3) the most vulnerable network areas (also called output items or the corrupt data item is stored in the data hotspots) [13]. source (as shown by 1, 3 or 1, 4 in Figure 17.10) [12]. eCAT computes security protocol coverage using With such a fine-grained dependency model and infec- attack graphs generated by aCAT and Boolean probabili- tion propagation rules, aCAT was very successful in iden- ties in a process called attack graph marking and quanti- tifying cascading attacks in several key services offered fies the coverage using coverage measurement formulas by a cellular network, and it was found that aCAT can (CMF). Attack graph marking also identifies network hot- indeed identify a better set of cascading effects in com- spots and exposes if the security protocol being evaluated parison to CAT. aCAT has also detected several interest- protects these hotspots. eCAT was also used to evaluate ing and unforeseen cascading attacks that are subtle and MAPSec, as it is a relatively new protocol, and evaluation difficult to identify by other means. These newly results would aid network operators. identified cascading attacks include the alerting attack, power-off/power-on attack, mixed identity attack, call Boolean Probabilities redirection attack, and missed calls attack. Boolean probabilities are used in attack graphs to distin- Alerting Attack guish between nodes eliminated (denoted by 0, or shaded node in attack graph) and nodes existing (denoted by 1, In the following we detail aCAT’s output, a cascading or unshaded node in attack graph) due to the security pro- attack called the alerting attack, shown in Figure 17.11. tocol under evaluation. By computing Boolean probabili- From goal nodes (Node A at Level 5, and Node C at ties for each node in the attack graph, eCAT can extract Level 4) in the alerting attack, it can be inferred that the the attack effects that may be eliminated by the security Page message has incorrect data item page type. The protocol under evaluation. Page message is used to inform subscribers of the arrival of incoming calls, and “page type” indicates the type of Attack Graph Marking call. “Page type” must be compatible with the subscri- ber’s mobile station or else the subscriber is not alerted. To mark attack graphs, user input of Boolean probabili- From the goal node it may be inferred that Alice, a sub- ties must be provided for Layer 0 nodes. For example, if scriber of the system, is not alerted on the arrival of an the security protocol under evaluation is MAPSec, then incoming call and hence does not receive incoming calls. because MAPSec provides security on links between This attack is subtle to detect because network adminis- nodes, it eliminates Level 2 physical access. For example, trators find that the network processes the incoming call consider the attack graph generated by eCAT shown in correctly and that the subscriber is alerted correctly. They Figure 17.12. Here, Node 5 is set to 0, while all other might not find that this alerting pattern is incompatible nodes are set to 1. with the mobile station itself. eCAT uses the input from Layer 0 nodes to compute Also, nodes at Level 0 indicate the origin of the attack the Boolean probabilities for the rest of the nodes starting as signaling messages SRI, PRN, the service nodes VLR, from Layer 1 and moving upward. For example, the 340 PART | 1 Overview of System and Network Security: A Comprehensive Introduction

FIGURE 17.11 Attack graph for Layer 5 1,2. Action: Output alerting attack. message Page to BSS has incorrect data parameter ‘Page Type’ [Node A]

Layer 4 1,2. Action: Output message 3. Action: Output message PRN to VLR has incorrect Page to BSS has incorrect data parameter ‘Alerting data parameter ‘Page Type’ Pattern’ [Node B] [Node C]

Layer 3 1,2. Action: Corrupt data 3. Action: Output message parameter ‘Alerting Pattern’ PRN to VLR has incorrect corrupts data ‘Page Type’ in data parameter ‘Alerting Process ICH_VLR in VLR [Node D] Pattern’ [Node E]

Layer 2

1,2. Action: Output 1,2. Action: 3. Action: Corrupt data parameter message PRN to VLR has Incoming message ‘Alerting Pattern’ corrupts data incorrect data parameter SIFIC arriving at ‘Page Type’ in Process ICH_VLR ‘Alerting Pattern’ [Node F] VLR [Node G] in VLR [Node H]

Layer 1

1. Action: Corrupt 2. Action: Corrupt 3. Action: Corrupt data 3. Action: data parameter data parameter parameter ‘Alerting Incoming ‘Alerting Pattern’ ‘Alerting Pattern’ Pattern’ in message message SIFIC Output in message in message SRI PRN [Node K] arriving at VLR SRI [Node I] [Node J] [Node L] AA A Layer 0 AA A AA A AA 1. PA: Level 3 1. Vul: Data 2. Action: Incoming 3. Tgt: VLR 2,3. Vul: [Node M] Source or service message SRI arriving [Node S] Message Logic [Node O] at HLR [Node Q] [Node U]

1. Tgt: GMSC 1. Tgt: HLR 2,3. PA: Level 2 3. Action: Incoming [Node N] [Node P] [Node R] message PRN arriving at VLR [Node T]

Boolean probability of the AND node (Node 18) is the attractiveness of the network location to adversaries. This product of all the nodes in the previous layer with the is because by breaking into the network location indicated same tree number. Because Node 5 has the same tree by the hotspot node, the adversary has a higher likelihood number as Node 18, and Node 5’s Boolean probability is of success and can cause the greatest amount of damage. 0, Node 18’s Boolean probability is also 0. This process Extensive testing of eCAT on several of the network of marking attack graphs is continued until Boolean prob- services using MAPSec has revealed hotspots to be “Data ability of all the nodes is computed till the topmost layer. Sources and Service Logic.” This is because a corrupt data source or service logic may be used by many differ- ent services and hence cause many varied cascading Hotspots effects, spawning a large number of attacks (indicated by Graph marking also marks the network hotspots in the multiple trees in attack graphs). Thus attacks that occur attack graph. With respect to the attack graph, hotspots due to exploiting service logic and data source vulnerabil- are the Layer 0 nodes with the highest tree number count. ities constitute a major portion of the networkwide vul- For example in Figure 17.12, Node 3 and Node 4 are the nerabilities and so a major problem. In other words, by hotspots. A high tree number count indicates an increased exploiting service logic and data sources, the likelihood Chapter | 17 Cellular Network Security 341

Layer 1 T# 10. Action: Corrupt data ‘PDU’ in message T# 12. Action: Corrupt ‘MAP_MT_Fwd_SM’ data ‘PDU’ in message T# 5. Action: Corrupt arriving at MSC T# 9. Action: Corrupt ‘Short Message’ data ‘SC_Addr’ in message [Node 24] P=0 arriving at MS ‘MAP_MT_Fwd_SM_ACK’ data ‘PDU’ at MSC = [Node 25] P=1 arriving at MSC [Node 23] P 1 [Node 22] P=0 T# 11. Action: Corrupt T# 6. Action: Corrupt T# 13. Action: Corrupt data ‘PDU’ in message data ‘SC_Addr’ in message data ‘PDU’ in message T# 7,8. Action: Corrupt ‘MAP_MO_Fwd_SM’ T# 1,2. Action: Corrupt T# 3,4. Action: Corrupt ‘MAP_MO_Fwd_SM’ ‘Short Message’ data ‘PDU’ at I-MSC arriving at I-MSC data ‘SC_Addr’ at data ‘SC_Addr’ at arriving at I-MSC arriving at SC = [Node 19] P=1 [Node 20] P=0 MSC [Node 16] P=1 I-MSC [Node 17] P=1 [Node 18] P 0 [Node 21] P=1

Layer 0 A T# 3. Action: Message T# 8. Action: T# 2. Action: Message T# 4,7. Action: Message T# 9. Action: Message ‘MAP_MT_Fwd_ Message ‘Short_ T# 1. Action: ‘Short_ Message_ACK’ ‘MAP_MO_Fwd_SM’ ‘MAP_MT_Fwd_SM’ SM_ACK’ arriving Message’ arriving Message ‘Short_ arriving at MSC arriving at I-MSC arriving at MSC Message’ arriving at I-MSC at I-MSC [Node 11] P=1 = [Node 13] P=1 [Node 15] P=1 at MSC [Node 10] P=1 [Node 12] P 1 [Node 14] P=1 T# 1,2,3,4,7,8,9. T# 1,2,3,4,7,8,9, T# 1,2,5,9,10. T# 3,4,6,7,8,11,13. T# 5,6,10,11,12,13. Vul: Data Source T# 5,6,10,11,13. T# 12. T# 12. PA: Level 3 Tgt: MSC Tgt: I-MSC Vul: Message T# 13. or Service Logic PA: Level 2 PA: Level 1 Tgt: MS [Node 1] P=1 [Node 2] P=1 [Node 4] P=1 [Node 6] P=1 Tgt: SC = [Node 5] P=0 = 5 [Node 3] P 1 [Node 7] P 1 [Node 8] P 1 [Node 9] P=1

FIGURE 17.12 Fragment of a marked attack graph generated by eCAT. of attack success is very high. Therefore data source and processing load and monetary investment. Also, as MAP service logic protection mechanisms must be deployed. It messages travel through third-party networks en route to must be noted that MAPSec protects neither service logic their destinations, the risk level of attacks without nor data sources; rather, it protects MAP messages. MAPSec is very high. Hence, MAPSec is vital to protect MAP messages. In conclusion, because MAPSec can protect against Coverage Measurement Formulas only 33% of attacks, it alone is insufficient to protect the The CMF comprises the following set of three formulas network. A complete protection scheme for the network to capture the coverage of security protocols: (1) effective must include data source and service logic protection. coverage, to capture the average effective number of attacks eliminated by the security protocol; the higher the value of Effective Coverage the greater the protection the 6. SUMMARY security protocol; (2) deployment coverage, to capture the Next to the Internet, cellular networks are the most highly coverage of protocol deployments; and (3) attack cover- used communication network. It is also the most vulnera- age, to capture the attack coverage provided by the secu- ble, with inadequate security measures making it a most rity protocol; the higher this value, the greater is the attractive target to adversaries that want to cause commu- security solution’s efficacy in eliminating a large number nication outages during emergencies. As cellular of attacks on the network. networks are moving in the direction of the Internet, Extensive use of CMF on several of the network ser- becoming an amalgamation of several types of diverse vices has revealed that MAPSec has an average network- networks, more attention must be paid to securing these wide attack coverage of 33%. This may be attributed to networks. A push from government agencies requiring the fact that message corruption has a low spawning mandatory security standards for operating cellular net- effect. Typically a single message corruption causes a sin- works would be just the momentum needed to securing gle attack, since messages are typically used by a single these networks. service. Hence MAPSec is a solution to a small portion of Of all the attacks discussed in this chapter, cascading the total network vulnerabilities. attacks have the most potential to stealthily cause major Finally, in evaluating MAPSec using eCAT, it was network misoperation. At present there is no standard- observed that though MAPSec is 100% effective in pre- ized scheme to protect from such attacks. EndSec is a venting MAP message attacks, it cannot prevent a suc- good solution for protecting from cascading attacks, cessfully launched attack from cascading. For MAPSec to since it requires every data item to be signed by the be truly successful, every leg of the MAP message trans- source service node. Because service nodes are unlikely port must be secured using MAPSec. However, the over- to corrupt data items and they are to be accounted for head for deploying MAPSec can be high, in terms of both by their signatures, the possibility of cascading attacks 342 PART | 1 Overview of System and Network Security: A Comprehensive Introduction

is greatly reduced. EndSec has the added advantage of C. Application Program Interfaces providing end-to-end security for all types of signaling D. Network Areas messages. Hence, standardizing EndSec and mandating E. Extensible Authentication Protocol (EAP) its deployment would be a good step toward securing framework the network. 2. The core network is facilitated by network servers, Both Internet and PSTN connectivity are the open which are also called? gateways that adversaries can use to gain access and A. Middle Layers attack the network. Because the PSTN’s security is not B. Network Layers going to be improved, at least its gateway to the core net- C. Transport Layers work must be adequately secured. Likewise, since neither D. Service Nodes the Internet’s design nor security will be changed to suit a E. All of the above cellular network, at least its gateways to the core network 3. What is a basic service in the circuit-switched must be adequately secured. domain? Finally, because a cellular network is an amalgam- A. Secure on-demand routing protocol service ation of many diverse networks, it has too many vulnera- B. Taxonomy service ble points. Hence, the future design of the network must C. Caller delivery service be planned to reduce the number of vulnerable network D. Authenticated Routing for Ad hoc Networks points and reduce the number of service nodes that partic- (ARAN) service ipate in servicing the subscriber, thereby reducing the E. Destination-Sequenced Distance Vector (DSDV) number of points from which an adversary may attack. routing service Finally, let’s move on to the real interactive part of 4. The cloning of cellular devices to utilize the network this Chapter: review questions/exercises, hands-on pro- resources without paying; and cloning BSs to entice jects, case projects and optional team case project. The users to camp at the cloned BS in an attack, is answers and/or solutions by chapter can be found in the called a: Online Instructor’s Solutions Manual. A. False base station attack. B. Privacy attack. C. Eavesdropping attack CHAPTER REVIEW QUESTIONS/EXERCISES D. Man-in-the-Middle Attack. E. True/False Passive attack. 5. What introduces the biggest threat to the security of 1. True or False? Cellular networks are high-speed, high- cellular networks? capacity voice and data communication networks with A. HELLO Flood connectivity. enhanced multimedia and seamless roaming capabili- B. Denial-of-service attack connectivity. ties for supporting cellular devices. C. Internet connectivity. 2. True or False? The current cellular network is an evo- D. Sybil connectivity. lution of the early-generation cellular networks that E. All of the above. were built for optimal performance. 3. True or False? It would seem that attacks on the radio access network could not easily happen, because any- EXERCISE one with a transmitter/receiver could capture these signals. Problem 4. True or False? Though the current generation of a cel- What are the limitations of cellular network security? lular network has seen many security improvements in the radio access network, the security of the core net- work is not as improved. Hands-On Projects 5. True or False? Internet connectivity introduces the biggest threat to the security of cellular networks. Project What are the security issues in cellular networks? Multiple Choice 1. Cellular networks are organized as collections of Case Projects interconnected: Problem A. Message Integrity Codes (MIC) B. Temporal Key Integrity Protocols (TKIP) What types of attacks are cellular networks open to? Chapter | 17 Cellular Network Security 343

Optional Team Case Project 2008) in IEEE International Symposium on a World of Wireless Mobile and Multimedia Networks (WOWMOM), June 2008. Problem [15] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver, Inside the slammer worm, IEEE Secur. Privacy 1 (4) What additional security mechanisms are available to cel- (2003) 3339. lular networks? [16] W. Enck, P. Traynor, P. McDaniel, T.F. LaPorta, Exploiting open functionality in -capable cellular networks, CCS 005: REFERENCES Proceedings of the 12th ACM Conference on Computer and Communications Security, ACM Press, 2005. [1] 3GPP, architectural requirements, Technical Standard TS [17] P. Traynor, W. Enck, P. McDaniel, T.F. LaPorta, Mitigating 23.221 V6.3.0, 3G Partnership Project, May 2004. attacks on open functionality in SMS-capable cellular networks, [2] K. Murakami, O. Haase, J. Shin, T.F. LaPorta, Mobility manage- MobiCom ’06: Proceedings of the 12th Annual International ment alternatives for migration to mobile internet session-based Conference on Mobile Computing and Networking, ACM Press, services, IEEE J. Sel. Areas Commun. (J-SAC) 22 (June 2004) 2006, pp. 182193 834848. special issue on Mobile Internet. [18] P. Traynor, P. McDaniel, T.F. LaPorta, On attack causality in [3] 3GPP, 3G security, Security threats and requirements, Technical internet-connected cellular networks, USENIX Security Standard 3G TS 21.133 V3.1.0, 3G Partnership Project, December Symposium (SECURITY), August 2007. 1999. [19] T. Moore, T. Kosloff, J. Keller, G. Manes, S. Shenoi. Signaling [4] 3GPP, network architecture, Technical Standard 3G TS 23.002 system 7 (SS7) network security, in: Proceedings of the IEEE V3.3.0, 3G Partnership Project, May 2000. 45th Midwest Symposium on Circuits and Systems, August 2002. [5] V. Eberspacher, GSM Switching, Services and Protocols, John [20] G. Lorenz, T. Moore, G. Manes, J. Hale, S. Shenoi, Securing SS7 Wiley & Sons, 1999. telecommunications networks, in: Proceedings of the 2001 IEEE [6] 3GPP, Basic call handling - technical realization, Technical Workshop on Information Assurance and Security, June 2001. Standard 3GPP TS 23.018 V3.4.0, 3G Partnership Project, April [21] K. Kotapati, P. Liu, Y. Sun, T.F. LaPorta, A taxonomy of cyber 1999. attacks on 3G networksISI, Lecture Notes in Computer Science [7] 3GPP, A guide to 3rd generation security, Technical Standard Proceedings IEEE International Conference on Intelligence and 3GPP TR 33.900 V1.2.0, 3G Partnership Project, January 2001. Security Informatics, Springer-Verlag, May 2005, pp. 631633 [8] B. Chatras, C. Vernhes, Mobile application part design principles, [22] K. Kotapati, Assessing Security of Mobile Telecommunication in: Proceedings of XIII International Switching Symposium, Networks, Ph. D dissertation, Penn State University, August 2008. vol. 1, June 1990, pp. 3542. [23] Switch, 5ESS Switch, www.alleged.com/telephone/5ESS/. [9] J.A. Audestad, The mobile application part (map) of GSM, techni- [24] Telcoman, Central Offices, www.thecentraloffice.com/. cal report, Telektronikk 3.2004, Telektronikk, March 2004. [25] V. Prevelakis, D. Spinellis, The Athens affair, IEEE Spectrum [10] 3GPP, Mobile Application part (MAP) specification, Technical (July 2007). Standard 3GPP TS 29.002 V3.4.0, 3G Partnership Project, April [26] H. Hannu, Signaling Compression (SigComp) Requirements & 1999. Assumptions, RFC 3322 (Informational), January 2003. [11] K. Boman, G. Horn, P. Howard, V. Niemi, Umts security, [27] W. Stallings, and Network Security: Principles and Electron. Commun. Eng. J. 14 (5) (October 2002) 191204. Practice, Prentice Hall, 2000. Special issue security for mobility. [28] K. Kotapati, P. Liu, T. F. LaPorta, CAT - a practical graph & [12] K. Kotapati, P. Liu, T.F. LaPorta, Dependency relation-based vul- SDL based toolkit for vulnerability assessment of 3G networks, nerability analysis of 3G networks: can it identify unforeseen cas- in: Proceedings of the 21st IFIP TC-11 International Information cading attacks? Special Issue of Springer Telecommunications Security Conference, Security and Privacy in Dynamic Systems on Security, Privacy and Trust for Beyond 3G Networks, Environments, SEC 2006, May 2006. March 2007. [29] 3GPP2 3GPP, Third Generation Partnership Project, www.3gpp. [13] K. Kotapati, P. Liu, T.F. LaPorta, Evaluating MAPSec by mark- org/, 2006. ing attack graphs, ACM/Kluwer J. Wire. Netw. J. (WINET) 12 [30] J. Ellsberger, D. Hogrefe, A. Sarma, SDL, Formal Object- (March 2008). oriented Language for Communicating Systems, Prentice Hall, [14] K. Kotapati, P. Liu, T.F. LaPorta, EndSec: an end-to-end message 1997. security protocol for cellular networks, IEEE workshop on secu- rity, privacy and authentication in wireless networks (SPAWN