Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat, Analysis and Mitigation

Published byJuliana Maria Cunningham Modified over 7 years ago

Similar presentations

Presentation on theme: "Threat, Analysis and Mitigation"— Presentation transcript:

1 Threat, Analysis and Mitigation
9-1-1 DDoS: Threat, Analysis and Mitigation

2 Therefore, it’s possible to launch a DDoS
DDoS on 9-1-1 9-1-1 emergency service: allows anonymized call Requires all carriers to transmit 911 calls to special end point without subscribers validation Don’t require SIM to make a 911 call Therefore, it’s possible to launch a DDoS

3 Mobile phone botnets Malware installed in smartphone, normally very stealthy Make calls without notice of device owner Steal personal information

4 Cellular Network IMSI (Internal Mobile Subscriber Identity)
Unique identification number across all cellular networks Usage: identify subscriber 15 digit stored in SIM IMEI (International Mobile Station Equipment Identity) Identifying mobile equipment Stored in firmware/burned into ROM Required in authentication phase

5 Cellular Network NSI (Non-Service Initialized) Emergency Calls
Register and unregister process Basically, your device isn’t connected into network Emergency Calls The “emergency” button in your lock screen CM_SERVICE_REQUEST: indicate this is an emergency call At least require an IMEI Can be made even under NSI

6 E911 PSAP (Public-Safety Answering Point) Selective Router (SR)
Centers that handle 911 calls Selective Router (SR) Special telephony switches used to connect 911 calls to PSAP Telephone Switch (TS) Process of a call being connected to PSAP

7 E911 Caller Identification and Location Information Call Routing
Used to retrieve caller information Call Routing A 911 call is received Transfer the call to local SR If no available SR, the call is dropped or transferred to alternative SR SR connect the call to PSAP If no available PSAP or no available call taker, the call is transferred or dropped

8 Several kinds of attack bots
NA (non-anonymized) Ordinary smartphone infected with an OS level malware Anonymized (A) Hide IMSI when making the call Virtually entering no-SIM state Persistent Anonymized (A*) Bot that ramdomized IMEI or IMSI The most stealthy one

9 Implementation of NA bot
Launched from OS level A proxy between RILD and RIL RIL: Radio Interface Layer, the interface between low level hardware and high level telephony service RILD: Radio Interface Layer Daemon, interface between telephony service and RIL The proxy send some fake command in owner’s part Injecting audio into the outgoing call (only certain model)

10 Implementation of A bot
Cellular protocol stack: managed by a separate real-time OS (RTOS) Interacting with Android Our goal: switch protocol stack into no-SIM mode Implement a rootkit inside firmware Can manage RTOS’s state machine Fool the phone! How to do this? OsmocomBB

11 Implementation of A bot
Layered protocol stack L1: radio interface L2: data link layer L3: RR (lowest)-MM(IMEI and IMSI are handled)-CM Since we can manipulate RTOS’s state machine now Initiate 911 call Mask IMSI and IMEI before they reach upper layer The device is in psudo no-SIM state now

12 Implementation of A bot
OsmocomBB The only way to freely research the implementation of a mobile’s baseband software Architecture of the bot Caller Anonymizer Caller: handle state machine Build emergency call request via MM and CR layer Masking IMEI/IMSI

13 Implementation of A bot
Normal register process Switch on IMSI attach Validation request contains IMSI and location register Authentication Carrier sends authentication request to mobile Answer with encrypted message Finished register

14 Implementation of A bot
Anonymize process Initialize a SIM card missing report Invoke flag MMR_NREG_REQ Detached from network No SIM card, can still make memrgency calls

15 Implementation of A* bot
Detect smartphone’s status (If owner is press the key?) Detach SIM (Same as A bot) Set a random IMEI number IMEI and/or IMSI are spoofed Initialize 911 call repeatly

16 Implementation of A* bot
A* bot anonymizer Same as A bot with no-sim state but added IMEI spoofing Randomized during location update procedure Each call with a new IMSI Can’t be blocked!

17 Experiment Test Environment
A base transceiver station Wireshark capturing traffic Build a simulated model of E911 system based on NC, Charlotte

18 E911 Network Simulation Robustness SR redundancy Traffic overflows
Heavy-tail degree distribution Robust to random failures SR redundancy 83% PSAPs are connected to single SR Highly risky! Traffic overflows No enough call takers

19 E911 Network Simulation PSAP workload PSAP call balancing
Yes, you can get busy signal even in an real emergency situation PSAP call balancing No such resources PSAP call waiting Calls can be held

20 Attack simulation Time Call Event Generation Call processing time
The peak hours Call Event Generation Call processing time Time for saying “9-1-1, what’s your emergency?” Redial How many people will call again? SR capacity

21 Attack simulation results
Callers who give up

22 Attack simulation results
More bots, more legimate calls Callers are desperately redialing

23 Attack simulation results
Network performance 87% SR overloaded Affection 98% callers PSAP performance Wireline: 75% calls affected Wireless: 91% calls affected Why?

24 Countermeasures Disallow NSI calls? Trusted Device identification?
Human presence detection? Call firewall?

25 Afterthoughts Critical challenge Ethical problem
Wide range regulation change (government, manufacturer, carrier)

Download ppt "Threat, Analysis and Mitigation"

Similar presentations

Preparing for the Future.  Emergency calls today are primarily voice.  People expect to reach PSAP when dials 911.  People have multiple ways and devices.

Preparing for the Future.  Emergency calls today are primarily voice.  People expect to reach PSAP when dials 911.  People have multiple ways and devices.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
GSM Network. GSM-Introduction Architecture Technical Specifications Frame Structure Channels Security Characteristics and features Applications Contents.

GSM Network. GSM-Introduction Architecture Technical Specifications Frame Structure Channels Security Characteristics and features Applications Contents.
GSM Protocol Stack Shrish Mammattva Bajpai. What is Protocol Stack ? A protocol stack (sometimes communications stack) is a particular software implementation.

GSM Protocol Stack Shrish Mammattva Bajpai. What is Protocol Stack ? A protocol stack (sometimes communications stack) is a particular software implementation.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
16: Distributed Systems1 DISTRIBUTED SYSTEM STRUCTURES NETWORK OPERATING SYSTEMS The users are aware of the physical structure of the network. Each site.

16: Distributed Systems1 DISTRIBUTED SYSTEM STRUCTURES NETWORK OPERATING SYSTEMS The users are aware of the physical structure of the network. Each site.
MOBILE PHONE ARCHITECTURE & TECHNOLOGY. HISTORY  The idea of the first cellular network was brainstormed in 1947  Disadvantages  All the analogue system.

MOBILE PHONE ARCHITECTURE & TECHNOLOGY. HISTORY  The idea of the first cellular network was brainstormed in 1947  Disadvantages  All the analogue system.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Evolution from GMS to UMTS

Evolution from GMS to UMTS
Mobile IP: Introduction Reference: “Mobile networking through Mobile IP”; Perkins, C.E.; IEEE Internet Computing, Volume: 2 Issue: 1, Jan.- Feb. 1998;

Mobile IP: Introduction Reference: “Mobile networking through Mobile IP”; Perkins, C.E.; IEEE Internet Computing, Volume: 2 Issue: 1, Jan.- Feb. 1998;
GSM Network Security ‘s Research Project By: Jamshid Rahimi Sisouvanh Vanthanavong 1 Friday, February 20, 2009.

GSM Network Security ‘s Research Project By: Jamshid Rahimi Sisouvanh Vanthanavong 1 Friday, February 20, 2009.
 Global System for Mobile Communications (GSM) is a second generation (2G) cellular standard developed to cater voice services and data delivery using.

 Global System for Mobile Communications (GSM) is a second generation (2G) cellular standard developed to cater voice services and data delivery using.
GSM: The European Standard for Mobile Telephony Presented by Rattan Muradia Requirement for course CSI 5171 Presented by Rattan Muradia Requirement for.

GSM: The European Standard for Mobile Telephony Presented by Rattan Muradia Requirement for course CSI 5171 Presented by Rattan Muradia Requirement for.
SIGNALING. To establish a telephone call, a series of signaling messages must be exchanged. There are two basic types of signal exchanges: (1) between.

SIGNALING. To establish a telephone call, a series of signaling messages must be exchanged. There are two basic types of signal exchanges: (1) between.
Members of our Presentation  (Bsts09-08) Hafiz Umer Ejaz  (Bsts09-09) Rai-Habib Ullah  (Bsts09-31) M.Arsalan Qureshi  (Bsts09-32) Shoaib Ansari 

Members of our Presentation  (Bsts09-08) Hafiz Umer Ejaz  (Bsts09-09) Rai-Habib Ullah  (Bsts09-31) M.Arsalan Qureshi  (Bsts09-32) Shoaib Ansari 
Communications and Networks Chapter 8. 2 Introduction We live in a truly connected society. Increased connectivity potentially means increased productivity,

Communications and Networks Chapter 8. 2 Introduction We live in a truly connected society. Increased connectivity potentially means increased productivity,
GSM Network Structure Lance Westberg.

GSM Network Structure Lance Westberg.
Communication Networks Fourth Meeting. Types of Networks  What is a circuit network?  Two people are connected and allocated them their own physical.

Communication Networks Fourth Meeting. Types of Networks  What is a circuit network?  Two people are connected and allocated them their own physical.

Similar presentations

Ads by Google