Computers & Security

Volume 40, February 2014, Pages 84-94

An advanced persistent threat in 3G networks: Attacking the home network from roaming networks

https://doi.org/10.1016/j.cose.2013.11.006

Abstract

The HLR/AuC is considered to be one of the most important network elements of a 3G network. It can serve up to five million subscribers and at least one transaction with HLR/AuC is required for every single phone call or data session. This paper presents experimental results and observations that can be exploited to perform a novel distributed denial of service attack in 3G networks that targets the availability of the HLR/AuC. More specifically, first we present an experiment in which we identified and proved some zero-day vulnerabilities of the 3G network that can be exploited by malicious actors to mount various attacks. For the purpose of our experiment, we have used off-the-shelf infrastructure and software, without any specialized modification. Based on the observations of the experiment, we reveal an Advanced Persistent Threat (APT) in 3G networks that aims to flood an HLR/AuC of a mobile operator. We also prove that the discovered APT can be performed in a trivial manner using commodity hardware and software, which is widely and affordably available.

Introduction

Universal mobile telecommunication system (UMTS) is a third generation (3G) mobile service technology that extends the general packet radio service/global system for mobile communication (GPRS/GSM) networks, supporting higher data rates and multimedia services. In UMTS, voice services are provided by the mobile switching center (MSC), while the packet data services of a mobile station (MS) are provided by the serving GPRS support node (SGSN). Both entities (we use the notation MSC/SGSN to refer to both MSC and SGSN in the rest of the paper) communicate with the home location register/authentication center (HLR/AuC), which is a database where information about the operator's subscribers is stored. An MS may access UMTS services either from its home network or from a roaming network. Roaming in UMTS is defined as the ability of an MS to make and receive voice calls, send and receive data, or access other services when traveling outside the geographical coverage area of the home network, by means of a visited network, which may be located in the same country (i.e., national roaming) or in another country (i.e., international roaming). For roaming to operate, an agreement is required between the home network of the mobile user and the serving network of the visited area, covering authentication, authorization, and billing services for the roaming users. As mentioned in (GSM), the majority of the mobile network operators that belong to the GSM Association, which currently includes more than 800 mobile network operators from 220 countries, have signed roaming agreements with each other. The GSM Association also outlines the content of such roaming agreements in standardized form for its members (GSM).

When an MS moves outside its home network, it should perform a registration procedure with the visited/roaming network. In particular, a challenge/response protocol named authentication and key agreement (AKA) is executed between the MS and the roaming MSC/SGSN (3GPP TS 33.102). In the AKA protocol, the roaming MSC/SGSN sends an authentication data request (ADR) message to the home HLR/AuC of the MS to fetch fresh authentication credentials, named authentication vectors (AVs), for the MS (3GPP TS 29.002). This message includes the international mobile subscriber identity (IMSI) that uniquely identifies the MS in the HLR/AuC. The latter generates a batch of L different AVs and sends them to the roaming MSC/SGSN. Having received them, the MSC/SGSN provides one AV to the MS (which is used only in the specific authentication and is deleted afterward) and stores the remaining (L − 1) AVs to serve future authentication requests by the MS. The reason the HLR/AuC generates a batch of L different AVs, instead of only the one required for a single authentication request, is to avoid executing an ADR, and the related burden of generating AVs in the HLR/AuC, each time an MS accesses the MSC/SGSN. In this paper, we explore a feasible attack that considerably increases this burden.
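As an added illustration (not code from the paper), the following Python model replays the batching just described: a roaming MSC/SGSN issues an ADR only when its stored AVs for an IMSI are exhausted, while the home HLR/AuC pays L AV generations per ADR. The class and function names and the opaque AV tokens are constructed here and do not correspond to any real network element's interface.

```python
from __future__ import annotations
from collections import defaultdict, deque
import secrets


class HomeHLRAuC:
    """Home HLR/AuC: answers authentication data requests (ADRs) with a
    batch of L authentication vectors (AVs) and records the work it did."""

    def __init__(self, batch_size: int) -> None:
        self.L = batch_size
        self.adr_count = 0      # ADR transactions answered
        self.av_generated = 0   # AVs computed: the expensive part of each ADR

    def authentication_data_request(self, imsi: str) -> list[str]:
        self.adr_count += 1
        self.av_generated += self.L
        # Constructed stand-ins for real AVs (RAND/XRES/CK/IK/AUTN).
        return [f"AV({imsi},{secrets.token_hex(4)})" for _ in range(self.L)]


class RoamingMSCSGSN:
    """Roaming MSC/SGSN: consumes one AV per authentication and keeps the
    remaining (L - 1), so it only issues an ADR once they are used up."""

    def __init__(self, hlr: HomeHLRAuC) -> None:
        self.hlr = hlr
        self.stored = defaultdict(deque)   # IMSI -> unused AVs from last batch

    def authenticate(self, imsi: str) -> str:
        if not self.stored[imsi]:
            self.stored[imsi].extend(self.hlr.authentication_data_request(imsi))
        return self.stored[imsi].popleft()  # used once, then discarded


def hlr_load(batch_size: int, registrations: list[tuple[str, str]]) -> tuple[int, int]:
    """Replay (msc_sgsn_id, imsi) registrations and return
    (ADRs answered, AVs generated) at the home HLR/AuC."""
    hlr = HomeHLRAuC(batch_size)
    nodes: dict[str, RoamingMSCSGSN] = {}
    for node_id, imsi in registrations:
        nodes.setdefault(node_id, RoamingMSCSGSN(hlr)).authenticate(imsi)
    return hlr.adr_count, hlr.av_generated
```

Repeated authentications of one IMSI at one MSC/SGSN cost one ADR per L authentications, whereas every distinct IMSI, or the same IMSI at a different roaming node, costs a full batch; that asymmetry is what an operator-side ADR-rate monitor per source node would watch.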

The HLR/AuC is considered to be one of the most important network elements of a 3G network. In its database, various information about each operator's subscriber is stored, such as the permanent key Ki, the IMSI, the last serving MSC/SGSN, the phone number, etc. According to (Traynor et al., 2009), an HLR/AuC can serve up to five million subscribers, and at least one transaction with HLR/AuC is required for every single phone call or data session. Due to its critical functionality, the HLR/AuC is considered to be a single point of failure for every mobile operator (Traynor et al., 2009). This means that if an HLR/AuC is out of service, then none of its subscribers can be served for calls or data services. Thus, it is motivating for a malicious user to create overload conditions at the level of HLR/AuC that lead to service unavailability.

This paper presents experimental results and observations that can be exploited to perform a novel distributed denial of service (DoS) attack in 3G networks that targets the availability of the HLR/AuC. More specifically, first we present an experiment in which we identified and proved some zero-day vulnerabilities of the 3G network that can be exploited by malicious actors to mount various attacks. For the purpose of our experiment, we have used off-the-shelf infrastructure and software, without any specialized modification. Based on the observations of the experiment, we reveal an Advanced Persistent Threat (APT) (Virvilis and Gritzalis, 2013) in 3G networks that aims to flood an HLR/AuC of a mobile operator. In particular, in this attack, a group of adversaries first collects IMSIs that belong to the same HLR/AuC, using an IMSI catcher (Joachim and Bott, 2003). Next, residing in roaming networks, they perform successive registrations using the collected IMSIs, which trigger the execution of ADRs to the specific HLR/AuC. For each ADR concerning a different IMSI (i.e., user), the HLR/AuC is forced to generate a batch of L AVs and send them to the requesting MSC/SGSNs. The continuous execution of ADRs within a very short time period depletes the computational resources of the HLR/AuC, eventually leading to system saturation. Moreover, we prove that this attack can be performed in a trivial manner using commodity hardware and software, which is widely and affordably available. The multiple alarming findings of this article should raise awareness of the security risks that threaten the normal operation of mobile networks and, in general, of critical infrastructures (Kotzanikolaou et al., 2013).

The rest of the paper is organized as follows. Section 2 presents an overview of the 3G network, and Section 3 includes the related work. Section 4 elaborates on the experiments carried out, while Section 5 analyzes, quantitatively and qualitatively, the discovered APT in 3G networks and proposes mitigation measures. Finally, Section 6 concludes the article.

Section snippets

Identification

Each 3G subscriber is assigned a unique identity, called IMSI that identifies it, globally. An IMSI is usually presented as a 15-digit number, where the first 3 digits are the mobile country code (MCC), followed by the mobile operator code (MNC). The length of MNC is either 2 digits (European standard) or 3 digits (North American standard). The remaining digits are the mobile subscription identification number (MSIN) within the home network's customer base. However, in the majority of cases,

Related work

The literature includes some previous works, which present discovered vulnerabilities in 3G networks that can be exploited to mount DoS attacks to various segments of 3G networks. In (Ricciato et al., 2010), the authors have, collectively, reviewed four different DoS attacks that target 3G networks. The first one is the SMS (short message service) DoS attack (Enck et al., 2005), in which a high number of SMS are dispatched toward a large number of mobile users, virtually, to all active MS. The

Proven vulnerabilities in 3G networks

In this section, we present an experiment in which we identified and proved some zero-day vulnerabilities of the 3G network that can be exploited by malicious actors to mount various attacks. For the purpose of our experiment, we have used off-the-shelf infrastructure and software, without any specialized modification. First, we cloned a SIM card of a Greek mobile operator, using specialized software named SIM scanner (http://www.nowgsm.com/download/SIM-Scanner.pdf). The home network of this

General

In this section, we present and analyze an APT in 3G networks that aims to flood an HLR/AuC of a mobile operator, resulting in system saturation. As the HLR/AuC is queried in the delivery of all phone calls and text messages, acts as the authentication server for the network, records data for the purposes of billing, and generally assists in a wide range of management jobs, such an attack would, potentially, devastate nearly all services in the network of the mobile operator. In essence, the

Conclusions

This paper presented experimental results and observations that can be exploited to perform a novel distributed DoS attack in 3G networks that targets the availability of the HLR/AuC. First, we analysed an experiment in which we identified and proved some zero-day vulnerabilities of the 3G network, which can be exploited by malicious actors to mount various attacks. For the purposes of our experiment, we used off-the-shelf infrastructure and software, without any specialized modification. Based

References

  • G. Kambourakis et al., DoS attacks exploiting signaling in UMTS and IMS, Comp Commun (2011)
  • F. Ricciato et al., A review of DoS attack models for 3G cellular networks from a system-design perspective, Comp Commun, Elsevier Sci (March 2010)
  • A. Barbuzzi et al., Discovering parameter setting in 3G networks via active measurements, IEEE Commun Lett (Oct. 2008)
  • J. Cao et al., A survey on security aspects for LTE and LTE-A networks, IEEE Commun Sur Tut (2013)
  • Guan-Chi Chen et al., Evaluation of distributed and replicated HLR for location management in PCS network, J Info Sci Eng (Jan. 2003)
  • W. Enck et al., Exploiting open functionality in SMS-capable cellular networks
  • N. Gobbo et al., A denial of service attack to GSM networks via attach procedure
  • GSM Association, available at: ...
  • F. Joachim et al., Method for identifying a mobile phone user or for eavesdropping on outgoing calls (Jul. 2003)
  • P. Kotzanikolaou et al., Cascading effects of common-cause failures on critical infrastructures
  • P. Lee et al., On the detection of signaling DoS attacks on 3G wireless networks
Dr. Christos Xenakis received his B.Sc. degree in computer science in 1993 and his M.Sc. degree in telecommunication and computer networks in 1996, both from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2004 he received his Ph.D. from the same Department. From 1996 to 2007 he was a member of the Communication Networks Laboratory of the University of Athens. Since 2007 he has been a faculty member of the Department of Digital Systems of the University of Piraeus, Greece, where he is currently an Assistant Professor and a member of the System Security Laboratory.

Dr. Christoforos Ntantogian received his B.Sc. degree in Computer Science and Telecommunications in 2004 and an M.Sc. degree in Computer Systems Technology in 2006, both from the Department of Informatics and Telecommunications of the University of Athens. In 2009 he received his Ph.D. from the University of Athens (Department of Informatics and Telecommunications). Currently, he is a research assistant at the Department of Digital Systems of the University of Piraeus. His research interests are computer security, digital forensics and data analysis.