skip to main content
10.1145/3495243.3560534acmconferencesArticle/Chapter ViewAbstractPublication PagesmobicomConference Proceedingsconference-collections
research-article
Public Access

Uncovering insecure designs of cellular emergency services (911)

Published: 14 October 2022 Publication History

Abstract

Cellular networks that offer ubiquitous connectivity have been the major medium for delivering emergency services. In the U.S., mobile users can dial an emergency call with 911 for emergency uses in cellular networks, and the call can be forwarded to public safety answer points (PSAPs), which deal with emergency service requests. According to regulatory authority requirements for the cellular emergency services, anonymous user equipment (UE), which does not have a SIM (Subscriber Identity Module) card or a valid mobile subscription, is allowed to access them. Such support of emergency services for anonymous UEs requires different operations from conventional cellular services, and can therefore increase the attack surface of the cellular infrastructure. In this work, we are thus motivated to study the insecurity of the cellular emergency services and then discover four security vulnerabilities from them. Threateningly, they can be exploited to launch not only free data service attacks against cellular carriers, but also data DoS/overcharge and denial of cellular emergency service (DoCES) attacks against mobile users. All vulnerabilities and attacks have been validated experimentally as practical security issues in the networks of three major U.S. carriers. We finally propose and prototype standard-compliant remedies to mitigate the vulnerabilities.

References

[1]
3GPP. TS 23.002: Universal Mobile Telecommunications System (UMTS); Network architecture (Release 5), Sept. 2003. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=728.
[2]
3GPP. TS 29.211: Rx Interface and Rx/Gx signalling flows (Release 6), June 2007. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1671.
[3]
3GPP. TS 23.167: IP Multimedia Subsystem (IMS) emergency sessions (Release 17), Sept. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=799.
[4]
3GPP. TS 23.228: IP Multimedia Subsystem (IMS); Stage 2 (Release 17), Dec. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=821.
[5]
3GPP. TS 23.501: System architecture for the 5G System (5GS) (Release 17), Dec. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3144.
[6]
3GPP. TS 23.502: 5G; Procedures for the 5G System (5GS)(Release 17), Dec. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3145.
[7]
3GPP. TS 23.503: Policy and charging control framework for the 5G System (5GS); Stage 2 (Release 17), Dec. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3334.
[8]
3GPP. TS 24.229: IP multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP); Stage 3 (Release 17), Sept. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1055.
[9]
3GPP. TS 24.301: Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3 (Release 17), Dec. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1072.
[10]
3GPP. TS 24.501: Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3 (Release 17), Dec. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3370.
[11]
3GPP. TS 26.114: IP Multimedia Subsystem (IMS); Multimedia telephony; Media handling and interaction (Release 17), Dec. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1404.
[12]
3GPP. TS 29.212: Policy and Charging Control (PCC); Reference points (Release 17), Sept. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1672.
[13]
3GPP. TS 29.274: 3GPP Evolved Packet System (EPS); Evolved General Packet Radio Service (GPRS) Tunnelling Protocol for Control plane (GTPv2-C); Stage 3 (Release 17), Dec. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1692.
[14]
3GPP. TS 33.203: Access security for IP-based services (Release 17), Dec. 2021. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2277.
[15]
3GPP. TS 36.213: Evolved Universal Terrestrial Radio Access (E-UTRA); Physical layer procedures (Release 17), Jan. 2022. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2427.
[16]
Androidcentral. Shutting and rebooting down during calls, 2015. https://forums.androidcentral.com/moto-x/575325-shutting-rebooting-down-during-calls.html.
[17]
Aschenbruck, N., Frank, M., and Martini, P. Present and future challenges concerning dos-attacks against psaps in voip networks. In Fourth IEEE International Workshop on Information Assurance (IWIA'06) (2006), IEEE, pp. 6--pp.
[18]
Communications, B. Linphone - for smartphones, tablets and desktop platforms, 2020. https://www.linphone.org/.
[19]
Fuchs, C., Aschenbruck, N., Leder, F., and Martini, P. Detecting voip based dos attacks at the public safety answering point. In Proceedings of the 2008 ACM symposium on Information, computer and communications security (2008), pp. 148--155.
[20]
Goebel, M., Dameff, C., and Tully, J. Hacking 9-1-1: infrastructure vulnerabilities and attack vectors. Journal of medical Internet research 21, 7 (2019), e14383.
[21]
GSMA. Official Document IR.92 -IMS Profile for Voice and SMS (Version 15.0), May 2020. https://www.gsma.com/newsroom/wp-content/uploads//IR.92-v15.0-4.pdf.
[22]
GSMA. Official Document NG.111 -SMS Evolution (Version 2.0), Nov. 2020. https://www.gsma.com/newsroom/wp-content/uploads//NG.111-v2.0-1.pdf.
[23]
GSMA. Official Document NG.119 -Emergency Communication (Version 1.0), July 2021. https://www.gsma.com/newsroom/wp-content/uploads//NG.119-v1.0-3.pdf.
[24]
Harvey. How to fix a Galaxy S9 that reboots on its own during calls, 2022. https://thedroidguy.com/how-to-fix-a-galaxy-s9-that-reboots-on-its-own-during-calls-1091448.
[25]
Hou, K., Li, Y., Yu, Y., Chen, Y., and Zhou, H. Discovering emergency call pitfalls for cellular networks with formal methods. In Proceedings of the 19th Annual International Conference on Mobile Systems, Applications, and Services (2021), pp. 296--309.
[26]
Hussain, S., Chowdhury, O., Mehnaz, S., and Bertino, E. Lteinspector: A systematic approach for adversarial testing of 4g lte. In Network and Distributed Systems Security (NDSS) Symposium 2018 (2018).
[27]
Jung, S. W. Captcha-based ddos defense system of call centers against zombie smart-phone. International Journal of Security and Its Applications 6, 3 (2012), 29--36.
[28]
Lee, G., Lee, J., Lee, J., Im, Y., Hollingsworth, M., Wustrow, E., Grunwald, D., and Ha, S. This is your president speaking: Spoofing alerts in 4g lte networks. In Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services (2019), pp. 404--416.
[29]
Mirsky, Y., and Guri, M. Ddos attacks on 9-1-1 emergency services. IEEE Transactions on Dependable and Secure Computing 18, 6 (2021), 2767--2786.
[30]
of Federal Regulations, C. FCC 911 Regulations: 47 CFR Part 9: 911 Requirements, 2021. https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-9.
[31]
Onofrei, A. A., Rebahi, Y., Magedanz, T., Institute, F. F., et al. Preventing distributed denial-of-service attacks on the ims emergency services support through adaptive firewall pinholing. International Journal of Next-Generation Networks (2010).
[32]
OpenIMSCore.org. Welcome to Open IMS Core's Homepage., 2008. http://openimscore.sourceforge.net/.
[33]
Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and Schooler, E. SIP: Session Initiation Protocol, 2002. https://datatracker.ietf.org/doc/html/rfc3261.
[34]
Seth, M., Kasera, S. K., and Ricci, R. P. Emergency service in wi-fi networks without access point association. In Proceedings of the 1st International Conference on Wireless Technologies for Humanitarian Relief (2011), pp. 411--419.
[35]
srsRAN. Get the srsRAN software and documentation., 2022. https://docs.srsran.com/en/latest/index.html.
[36]
Subudhi, B. S. K., Catal, F., Tcholtchev, N., Chiu, K. T., Rebahi, Y., Boerger, M., and Lämmel, P. Performance testing for voip emergency services: a case study of the emynos platform and a reflection on potential blockchain utilisation for ng112 emergency communication. J. Ubiquitous Syst. Pervasive Networks 12, 1 (2020), 1--8.
[37]
Tschofenig, H., Schulzrinne, H., Shanmugam, M., and Newton, A. Protecting first-level responder resources in an ip-based emergency services architecture. In 2007 IEEE International Performance, Computing, and Communications Conference (2007), IEEE, pp. 626--631.
[38]
Tsiatsikas, Z., Kambourakis, G., and Geneiatakis, D. At your service 24/7 or not? denial of service on esinet systems. In International Conference on Trust and Privacy in Digital Business (2021), Springer, pp. 35--49.
[39]
Voice, G. Google Voice calling rates, 2022. https://voice.google.com/rates.
[40]
Wang, S., Tu, G.-H., Lei, X., Xie, T., Li, C.-Y., Chou, P.-Y., Hsieh, F., Hu, Y., Xiao, L., and Peng, C. Insecurity of operational cellular iot service: new vulnerabilities, attacks, and countermeasures. In Proceedings of the 27th Annual International Conference on Mobile Computing and Networking (2021), pp. 437--450.
[41]
ZeroMQ. ZeroMQ: An open-source universal messaging library, 2022. https://zeromq.org/.

Cited By

View all
  • (2024)Uncovering Problematic Designs Hindering Ubiquitous Cellular Emergency Services AccessProceedings of the 30th Annual International Conference on Mobile Computing and Networking10.1145/3636534.3690704(1455-1469)Online publication date: 4-Dec-2024
  • (2024)Securing the Cloud-Native 5G Control PlaneMILCOM 2024 - 2024 IEEE Military Communications Conference (MILCOM)10.1109/MILCOM61039.2024.10774032(1-6)Online publication date: 28-Oct-2024
  • (2024)Exploring the Impact of Big Data Analytics on Emergency Calls within Telecommunication SystemsProcedia Computer Science10.1016/j.procs.2024.06.021238(240-247)Online publication date: 2024
  • Show More Cited By

Index Terms

  1. Uncovering insecure designs of cellular emergency services (911)

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    MobiCom '22: Proceedings of the 28th Annual International Conference on Mobile Computing And Networking
    October 2022
    932 pages
    ISBN:9781450391818
    DOI:10.1145/3495243
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 14 October 2022

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. 911 (9-1-1)
    2. cellular networks
    3. emergency services
    4. security

    Qualifiers

    • Research-article

    Funding Sources

    Conference

    ACM MobiCom '22
    Sponsor:

    Acceptance Rates

    Overall Acceptance Rate 440 of 2,972 submissions, 15%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)381
    • Downloads (Last 6 weeks)73
    Reflects downloads up to 13 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2024)Uncovering Problematic Designs Hindering Ubiquitous Cellular Emergency Services AccessProceedings of the 30th Annual International Conference on Mobile Computing and Networking10.1145/3636534.3690704(1455-1469)Online publication date: 4-Dec-2024
    • (2024)Securing the Cloud-Native 5G Control PlaneMILCOM 2024 - 2024 IEEE Military Communications Conference (MILCOM)10.1109/MILCOM61039.2024.10774032(1-6)Online publication date: 28-Oct-2024
    • (2024)Exploring the Impact of Big Data Analytics on Emergency Calls within Telecommunication SystemsProcedia Computer Science10.1016/j.procs.2024.06.021238(240-247)Online publication date: 2024
    • (2023)An Experimental Study of Denial of Service Attacks on a 5G COTS Hardware2023 7th Cyber Security in Networking Conference (CSNet)10.1109/CSNet59123.2023.10339752(12-18)Online publication date: 16-Oct-2023
    • (2023)When Good Turns Evil: Encrypted 5G/4G Voice Calls Can Leak Your Identities2023 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS59707.2023.10288900(1-9)Online publication date: 2-Oct-2023

    View Options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Login options

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media