DDoSing a Cell Phone Network

Interesting research:

Abstract: The HLR/AuC is considered to be one of the most important network elements of a 3G network. It can serve up to five million subscribers and at least one transaction with HLR/AuC is required for every single phone call or data session. This paper presents experimental results and observations that can be exploited to perform a novel distributed denial of service attack in 3G networks that targets the availability of the HLR/AuC. More specifically, first we present an experiment in which we identified and proved some zero-day vulnerabilities of the 3G network that can be exploited by malicious actors to mount various attacks. For the purpose of our experiment, we have used off-the-shelf infrastructure and software, without any specialized modification. Based on the observations of the experiment, we reveal an Advanced Persistent Threat (APT) in 3G networks that aims to flood an HLR/AuC of a mobile operator. We also prove that the discovered APT can be performed in a trivial manner using commodity hardware and software, which is widely and affordably available.

The attack involves cloning SIM cards, then making multiple calls from different handsets in different locations with the same SIM card. This confuses the network into thinking that the same phone is in multiple places at once.

Note that this has not been tested in the field, but there seems no reason why it wouldn't work.

There's a lot of insecurity in the fact that cell phones and towers largely trust each other. The NSA and FBI use that fact for eavesdropping, and here it's used for a denial-of-service attack.
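As an added defender-side example (not from the post or the paper), here is a heuristic an operator could run over HLR location-update logs to spot one IMSI being served by several MSCs at once, which is what cloned SIMs in different places would look like at the HLR. The log layout and MSC identifiers are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of location-update events as an HLR might log them:
# (timestamp, IMSI, identifier of the serving MSC/VLR). All values are placeholders.
SAMPLE_UPDATES = [
    ("2014-02-26T09:00:00", "IMSI-A", "MSC-01"),
    ("2014-02-26T09:00:30", "IMSI-A", "MSC-07"),  # 30 s later, different MSC
    ("2014-02-26T09:01:00", "IMSI-A", "MSC-01"),
    ("2014-02-26T09:01:30", "IMSI-A", "MSC-07"),
    ("2014-02-26T09:00:10", "IMSI-B", "MSC-03"),
    ("2014-02-26T09:45:00", "IMSI-B", "MSC-04"),  # ordinary move, 45 min later
]


def group_by_imsi(updates):
    """Group updates per IMSI, each list sorted by time."""
    groups = defaultdict(list)
    for ts, imsi, msc in updates:
        groups[imsi].append((datetime.fromisoformat(ts), msc))
    for events in groups.values():
        events.sort()
    return groups


def find_suspicious_imsis(updates, min_interval=timedelta(minutes=5), min_flaps=2):
    """Return {imsi: flap_count} for IMSIs whose serving MSC changes faster than
    one handset could travel. A flap is an MSC change within min_interval of the
    previous update; min_flaps > 1 tolerates a phone bouncing once across an MSC
    boundary, which is legitimate behaviour and not a clone."""
    flagged = {}
    for imsi, events in group_by_imsi(updates).items():
        flaps = 0
        for (t_prev, msc_prev), (t_now, msc_now) in zip(events, events[1:]):
            if msc_now != msc_prev and (t_now - t_prev) < min_interval:
                flaps += 1
        if flaps >= min_flaps:
            flagged[imsi] = flaps
    return flagged


def update_rate_per_minute(updates):
    """Location updates per minute per IMSI over the observed window; a jump
    across many IMSIs at once is the load signature a flood of clones would give."""
    rates = {}
    for imsi, events in group_by_imsi(updates).items():
        span_min = (events[-1][0] - events[0][0]).total_seconds() / 60
        rates[imsi] = len(events) / max(span_min, 1.0)
    return rates
```

On the constructed sample only IMSI-A is flagged (three rapid MSC changes); IMSI-B's single move 45 minutes later is left alone.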

Posted on February 26, 2014 at 6:55 AM • 14 Comments

Comments

Stuart Ward • February 26, 2014 9:08 AM

I am sure I saw a similar paper a couple of years ago. This is seriously flawed; I can't read the whole paper, not being an academic and the paper itself paywalled away.

While cloning older SIM (2G) cards was possible if they used the flawed COMP128 algorithm, the newer USIM cards, as must be used on all 3G networks, have much better protection against cloning.

Some networks will switch off their AUC if there are problems, and users will largely be unaware of this, as most phones do not report to the user that the phone is operating in an un-authenticated mode and not using encryption.

Once the AUC is turned off then cloning is trivial, as any USIM reported IMSI will work on the network. The location updates for the phone will then be reported to the HLR. An HLR is designed to cope with high transaction volumes and performing a DoS attack on this just through traffic load will be hard. When an operator sees increased load on the HLR they can turn down the frequency of location updates to ease the load.

Clive Robinson • February 26, 2014 11:17 AM

@ Bruce,

HLR and AuC are probably "alien TLA's" to most of your readers.

HLR is known as the "Home Location Register" and
AuC is known as the "Authentication Center", thus
HLR/AuC is a combination of both, there is also the
VLC which is known as the Visiting Location Register.

In the original GSM900 spec the Authentication Center provides authentication and encryption parameters that are used to verify the user's identity (on either the home or peering network) and --supposedly-- ensure the confidentiality of each call. Due to delays etc. when on a peering network you get temporary credentials in the VLC on the MSC such that you can make around five billable actions prior to getting a new set. This in and of itself is a bit of a security hole. Which means that the AuC which --supposedly-- protects the network operator from various types of fraud can still be duped something like a quarter of a century after various design failings were noted and reported...

The Home Location Register is a database used for storage and management of subscriber information. The HLR is considered the heart of both the switching and billing systems, thus it's the DB to go after if you are hacking the network for fraud. It stores permanent data about the home network subscribers, including their service profile, assumed current location and current activity status.

The Visitor Location Register, like the HLR, is a database that contains information about subscribers which is "temporary" and it is needed by the MSC in order to service visiting subscribers. The VLR is almost always integrated with the MSC. When a mobile roams into a new MSC area, the VLR connected to that MSC will request data about the mobile station from the HLR on the subscriber's home network. Thus, if the subscriber places a call etc., the VLR will have the required information to hand so the call etc. can be placed without incurring the time penalty of interrogating the HLR for each action.

Now some important things to note: firstly, the HLR does not actually know where you are; the VLR likewise does not know either. The only thing that knows is the BSC and the BTS you are nominally located in, from the last exchange between your mobile and the BTS.

There is a perfectly good reason for this and it's to minimise "non billable" traffic across the network. What happens depends on the action concerned (primary or secondary) and if you have moved or not since the last action.

When you move from one BTS to another (handover), the BSC gets updated by the BTS. If the BTS you move to is on the same BSC then it has no need to pass the information upwards. If however the BTS you move to is on a different BSC then the BSCs talk to the MSC. However if you move to a different MSC the HLR "should" be notified. However there are good and proper reasons why it might not; one is when you are on the edge of the MSCs and you bounce back and forwards between the two.

Another is the operator has configured the network for minimum switching information going to the HLR... either way it's an exploitable security issue for fraudsters as it allows two or more phones with the same IDs to be active on the network...

If you want to know more of the details then have a look at,

http://www.cellular.co.za/gsmtechdata.htm

And slide down to the "network-related" section and start there.

Clive Robinson • February 26, 2014 11:32 AM

Oh I forgot to mention one thing: the HLR and AuC are not required for you to place calls, it's often the VLC that does the work... And the MSC or lower has the "backhaul" to the ISDN, POTS, Internet, etc.

It's important to know this because it enables someone to walk into an MSC and in effect --and over-simplistically-- cut the link with the HLR or spoof it and allow users local to the MSC to still place calls and browse etc. This is one of the things that happened during Arab Spring.

0day • February 26, 2014 2:59 PM

Below is from:
http://www.politico.com/story/2014/02/nsa-inspector-general-edward-snowden-103949.html

The National Security Agency’s top watchdog slammed Edward Snowden on Tuesday for failing to follow official protocol in relaying his concerns about wayward intelligence gathering and also faulted Congress for not vetting the details of post-9/11 surveillance programs.

“Snowden could have come to me,” George Ellard, the NSA’s inspector general, said during a panel discussion hosted by the Georgetown University Law Center.

Ellard, making his first public comments in seven years working for NSA, insisted that Snowden would have been given the same protections available to other employees who file approximately 1,000 complaints per year on the agency’s hotline system.

“We have surprising success in resolving the complaints that are brought to us,” he said.

In Snowden’s case, Ellard said a complaint would have prompted an independent assessment into the constitutionality of the law that allows for the bulk collection of Americans’ telephone metadata. But that review, he added, would have also shown the NSA was within the scope of the law.

“Perhaps it’s the case that we could have shown, we could have explained to Mr. Snowden his misperceptions, his lack of understanding of what we do,” Ellard said.

And if Snowden wasn’t satisfied, Ellard said the NSA would have then allowed him to speak to the House and Senate intelligence committees.

I am sure they would have been happy to be able to "take care of" Snowden's concerns...

This is like an issue where a ruling authority also expects its subjects to express "faith" toward themselves.

But "faith" is a concept from the realm of religion, generally understood to be expressed only toward 'conventionally invisible' beings like "The Creator God" (what-ever that may mean to the person) or something like that.

A problem with expressing faith is that the progress of "science" during the last 100+ years is often promoted as a reason for there no longer being a need for "faith". Everything (or at least most things) is either supposedly explainable through science or not worth "believing" in.

While organized religions are (sometimes perhaps intentionally) undermined through this, it leads to the implicit assumption that everyone should be free to have "faith" in what-ever they choose.

This freedom is sometimes in contrast with the government expectation that people have faith in them.

Thus for example Ed Snowden ended up believing that the wholesale spying is wrong.

Looking at this situation it seems like the US Government wants people to be willing to give away all their freedoms for them and maybe even die for them (well this last part they expect at least from those serving in the armed forces).

My take is that in all of this they are actually running a de facto religion.

Evan • February 26, 2014 4:47 PM

@0day:
The most interesting part of that article you posted is the following:

In Snowden’s case, Ellard said a complaint would have prompted an independent assessment into the constitutionality of the law that allows for the bulk collection of Americans’ telephone metadata. But that review, he added, would have also shown the NSA was within the scope of the law.

It is interesting because Ellard asserts that a legal assessment of eavesdropping activities would be independent, but at the same time that he knows in advance what the outcome of such an assessment would be. Since we know there is some difference of opinion on the matter, it is not the case that there is a consensus that NSA surveillance is constitutional. Therefore, the only way Ellard can say what the outcome of the assessment will be is if the assessors are deliberately selected to agree with the government's position, making them anything but independent.

I posit that Ellard is not actually trying to pull a fast one on the American public; rather I think this sort of doublethink is actually the normal modus operandi of the NSA (and to a lesser extent, the rest of government bureaucracy). Parallel construction is another example of this kind of thing - the constitution prohibits certain kinds of evidence collection techniques to prevent abuse, so agents use them and simply fail to bring it up in court.

Increasingly, my belief is that the problem is not the NSA, the CIA, Keith Alexander, James Clapper, or the Patriot Act, it's the mindset that the rule of law is an empty ritual, a set of motions through which one goes but does not have any bearing on what they can actually do. At most they just have to give it a special name, like "enhanced interrogation".

Curious • February 26, 2014 5:18 PM

@ 0day and others

"In Snowden’s case, Ellard said a complaint would have prompted an independent assessment into the constitutionality of the law that allows for the bulk collection of Americans’ telephone metadata. But that review, he added, would have also shown the NSA was within the scope of the law." (from politico article quoted above)

Not knowing what might be quotations in this paraphrase shown in italic, I want to point out that I think the notion of a "scope" in such a context is really only meaningful after the fact and not in some allusion to a meaning yet to be disclosed or revealed. I suppose the paraphrase in its entirety might be a reinterpretation and really without anything quoted.

A phrase like "the scope of the law" seems really vague to me. It would surely become problematic if someone simply had assumed that a particular subject must have been "within the scope of the law", as if such was a particularly relevant point or otherwise had to have been the case regardless. (Theory, for sake of theory.)

I initially wrote a wall of text explaining why it might be interesting to problematize such an expression, but I chose to keep it simple. :|

Ex-HLR developer • February 26, 2014 5:51 PM

So far from the original intent of CALEA, which specifically mandated that location information not be used by Law Enforcement. It always did.

W • February 26, 2014 6:15 PM

Isn't all this security research pretty pointless now that we know it is a feature, not a bug?

jdgalt • February 26, 2014 11:07 PM

This seems as trivial for the cellular carriers to fix as the old-hat problem of cloned SIM cards has been. If the fix doesn't happen reasonably quickly, we'll know there's a political reason why not.

In a way, I'm glad that these kinds of stress tests are happening to the networks, because their operators will learn to make them more robust. What I'm really worried about is some kind of coordinated takedown of the entire network to prevent the proper response to some other type of attack (and I don't make any assumptions about which side "our" government might be on then).

B.S. But not Bruce. • February 27, 2014 2:05 PM

I think it's off-topic but I'll follow on the Snowden post.

Well it's easy for Ellard to say that, while his own phone is tapped and Snowden's phone call to Ellard will be directed to /dev/null and himself taken out.

Thanks Eric Snowden for doing all this. Thanks for bringing all this under the sunlight from under the carpet of agencies abusing their unjustified and uncontested power.

O.D.D • February 28, 2014 3:31 AM

A quick question: a few years ago, there was use of IMSI catchers that could fool phones into connecting to their networks and being able to alter messages and listen in to calls being made. From my reading it affected GSM networks. Does it have any effect on the latter 2G, 3G and 4G networks? I am interested in doing a paper on this.

paranoia destroys ya • March 4, 2014 8:21 AM

At what point will telemarketing robocallers exceed the capacity of the phone equipment thus creating a systemwide DOS failure?
Some days 1/2 of all calls to my parents are from the likes of Rachel of Cardholder Services.
A better use of the collected phone call metadata would have been to locate the dialers based upon more calls than can be manually dialed were made from a number.
