Signaling Attacks in Mobile Networks - PowerPoint PPT Presentation

1 / 8
About This Presentation
Title:

Signaling Attacks in Mobile Networks

Description:

MSC/VLR. MSC/VLR. HLR. HLR. Internet/ IP Core. SIP. Server ... MSC. 2.Send Rout. Info (SRI) 3. Provide Roam. Num (PRN) Home Network. 4.Provide Roam. Num Ack ... – PowerPoint PPT presentation

Number of Views:92
Avg rating:3.0/5.0
Slides: 9
Provided by: rav47
Category:

less

Transcript and Presenter's Notes

Title: Signaling Attacks in Mobile Networks


1
Signaling Attacks in Mobile Networks
  • Thomas F. La Porta

2
Future Network Environment
Services in all-IP domain
Open Interfaces
3G
Circuit Access
CDMA2000
ANSI-41 Core
BS
MSC/VLR
HLR
Internet/ IP Core
IP Access
3G-IP
BS
UMTS Core
Circuit Access
SIP Server
MSC/VLR
BS
UMTS
SIP Server
IP Access
HLR
IP Access
BS
UMTS-IP
SIP Server
Internet vulnerabilities transferred to 3G
Networks
BS
WI-FI/802.16
Interworking between networks
3
Network Architecture
Subscriber Alice
M
M
BS
BS
BS
BS
M
MSC/ VLR
M
GMSC
Ohio
BS
GMSC
MSC/VLR
Pennsylvania
GMSC
M
MSC/VLR
HLR
GMSC
MSC/VLR
HLR
BS
GMSC
West Virginia
M
BS
MSC/VLR
MSC/VLR
BS
HLR
BS
M
M
BS
M
BS
BS
Subscriber Bob
4
Possible Attacks
  • Message modification/insertion/deletion
  • Requires access to signaling network
  • Service logic corruption
  • Change software in switches (has occurred)
  • Can be done by corrupted network
  • Data corruption
  • Service provisioning, transient data,

5
Current Solution
  • Current (2G) and early 3G systems MAPSEC
  • MAP is the mobility/authentication protocol for
    cellular networks
  • MAPSEC provides message integrity and
    confidentiality (optional)
  • Impact
  • Signaling protocols are application layer
    protocols
  • Messages are modified at each hop along the
    connection or involved in the transaction
  • Amounts to hop-by-hop integrity
  • Our study prevents only about 30 of possible
    attacks

6
Call delivery Service
GMSC
HLR
VLR
MSC
1.Initial Address Message (IAM)
2.Send Rout Info (SRI)
Subscriber Bob
3. Provide Roam Num (PRN)
Air Interface
4.Provide Roam Num Ack (PRN_ACK)
5. Send Rout Info Ack (SRI_ACK)
6.Initial Address Message (IAM) Caller ID
Number, Callee ID
7.SIFIC
8.Page MS
9. Page
Home Network
Roaming Network
7
Possible Solution EndSec
  • Design Goals
  • protecting all types of signaling messages
  • providing end-to-end security for signaling
    messages
  • providing multi-hop security to each data item
    in the signaling message
  • detecting compromised service nodes due to
    corrupt service logic or data sources.
  • Data items must be encrypted and signed by the
    originator and derivator
  • Signaling messages to record the PATH (and its
    signature) taken by the signal flow
  • Significantly increased signaling load (size of
    messages)

8
Challenges
  • How to efficiently protect signaling?
  • Similar problems will exist in IP-based mobile
    networks
  • SIP is an application layer protocol much like
    the telecom protocols
  • IPSec or TLS will provide protections similar to
    MAPSec
Write a Comment
User Comments (0)
About PowerShow.com