9
Security Attacks Against the Availability of LTE Mobility Networks: Overview and Research Directions Roger Piqueras Jover AT&T Security Research Center New York, NY 10007 [email protected] Abstract—Modern LTE (Long Term Evolution) cellular net- works provide advanced services for billions of users that go beyond traditional voice and short messaging traffic. The recent trend of Distributed Denial of Service (DDoS) attacks impacting the availability of communication systems illustrate the importance of strengthening the resiliency of mobility networks against Denial of Service (DoS) and DDoS threats, ensuring this way full LTE network availability against security attacks. In parallel, the advent of the Advanced Persistent Threat (APT) has capsized the common assumptions about attackers and threats. When it comes to very well planned and funded cyber-attacks, the scale of the threat is not the key element anymore. Instead, scenarios such as a local DoS attack, for example, against the cell service around a large corporation’s headquarters or the Stock Exchange become very relevant. Therefore, traditionally overlooked low range threats, such as radio jamming, should not be de-prioritized in security studies. In this paper we present an overview of the current threat landscape against the availability of LTE mobility networks. We identify a set of areas of focus that should be considered in mobility security in order to guarantee availability against secu- rity attacks. Finally, we introduce potential research directions, including a new attack detection layer, to tackle these problems. The final goal is to rethink the architecture of a mobility network within the current security context and threat landscape and considering the current evolution towards a near future scenario where nearly every electronic device will be connected through Machine-to-Machine (M2M) systems. I. I NTRODUCTION Modern cellular networks support a large number of services that go beyond traditional voice and short messaging traffic to include high bandwidth data communications. These networks are based on 3GPP standards for wireless communications, such as the Universal Mobile Telecommunication System (UMTS) for current 3G access networks. Release 8 of the 3GPP standards resulted in the deployment of Long Term Evolution (LTE). This new technology is characterized by great enhancements in the Radio Access Network (RAN) for capacity improvement in terms of bits per second per Hertz (bps/Hz) as well as a redesign of the cellular core network (Enhanced Packet Core - EPC), moving towards an all-IP system. Despite the tremendous capacity and system enhancements implemented by LTE, in general, cellular networks are known to be vulnerable to security attacks [1], [2]. In parallel, a recent DDoS campaign against an anti-spam blacklisting service resulted in substantial impact on global communication networks and widespread service degradation [3]. This has sparked the general interest and concern in attacks against the availability of communication networks, which could be either affected despite not being the target (like in the case of the Spamhaus DDoS attack) or be the actual target. However, theoretical vulnerabilities of mobility networks had been known and published for a few years. Billions of users depend on cellular networks on a daily basis. Therefore, the consequences of a Denial of Service (low traffic volume) or a Distributed Denial of Service (high traffic volume) attack against the mobility network could be severe. For example, with the current outbreak of mobile malware, the possibility of a botnet of infected cell-phones launching an attack against the cellular network is closer to reality. An actual milder version of such a scenario was already observed in the wild due to a poorly programmed application which caused severe service degradation on a cellular carrier [4]. The threat scenario against communication networks is drastically changing. Not only the surge of hacktivism is threatening information systems, but also the relevance of the latest player, the Advanced Persistent Threat (APT), in the security ecosystem is growing fast. A recent report released information on a succession of highly sophisticated and long cyber-attacks against all kinds of institutions and enterprises all over the world [5]. The advent of APT brings into the equation the concept of a highly sophisticated and well-funded at- tacker. In this context, traditionally overlooked threats are very important. When it comes to very well-planned and funded cyber-attacks, even small-scale threats can be important. For example, scenarios such as a local DoS attack against the cell service around a large corporation’s headquarters or the Stock Exchange become very relevant. This motivates further the importance of enhancing the security of mobility networks. GSM (Global System for Mobile Communications) mobility networks were designed two decades ago to address issues in the previous cellular system (Advanced Mobile Phone System, AMPS), namely privacy and authentication. The GSM encryption and authentication algorithms were appropriately enhanced in UMTS and LTE by including new encryption options but most importantly by requiring mutual authentica-

TD_101153

Embed Size (px)

DESCRIPTION

jj

Citation preview

Security Attacks Against the Availability of LTEMobility Networks: Overview and ResearchDirectionsRoger Piqueras JoverAT&T Security Research CenterNew York, NY [email protected](LongTermEvolution) cellularnet-works provide advanced services for billions of users thatgo beyondtraditional voice andshort messaging trafc. Therecent trendof DistributedDenial of Service (DDoS) attacksimpacting the availability of communication systems illustrate theimportance of strengthening the resiliency of mobility networksagainst Denial of Service (DoS) and DDoS threats, ensuring thiswayfull LTEnetworkavailabilityagainst securityattacks. Inparallel, the advent of the Advanced Persistent Threat (APT) hascapsizedthecommonassumptionsaboutattackersandthreats.Whenitcomestoverywellplannedandfundedcyber-attacks,the scale of the threat is not the key element anymore. Instead,scenariossuchasalocal DoSattack, forexample, against thecell servicearoundalargecorporations headquarters ortheStockExchangebecomeveryrelevant. Therefore, traditionallyoverlooked low range threats, such as radio jamming, should notbe de-prioritized in security studies.Inthispaperwepresent anoverviewof thecurrent threatlandscape against the availability of LTE mobility networks. Weidentifyaset of areas of focus that shouldbe consideredinmobility security in order to guarantee availability against secu-rity attacks. Finally, we introduce potential research directions,including a new attack detection layer, to tackle these problems.The nal goal is to rethink the architecture of a mobility networkwithinthe current securitycontext andthreat landscape andconsidering the current evolution towards a near future scenariowherenearlyeveryelectronicdevicewillbeconnectedthroughMachine-to-Machine (M2M) systems.I. INTRODUCTIONModern cellular networks support a large number of servicesthat go beyond traditional voice and short messaging trafc toinclude high bandwidth data communications. These networksarebasedon3GPPstandards for wireless communications,such as the Universal Mobile Telecommunication System(UMTS) for current 3Gaccess networks. Release8of the3GPPstandards resultedinthe deployment of LongTermEvolution (LTE). This newtechnology is characterized bygreat enhancements in the Radio Access Network (RAN) forcapacityimprovement intermsofbitspersecondperHertz(bps/Hz) aswell asaredesignof thecellular corenetwork(EnhancedPacket Core - EPC), movingtowards anall-IPsystem.Despite the tremendous capacity and system enhancementsimplemented by LTE, in general, cellular networks are knownto be vulnerable to security attacks [1], [2]. In parallel,a recent DDoScampaignagainst ananti-spamblacklistingservice resulted in substantial impact on global communicationnetworks andwidespreadservicedegradation[3]. This hassparkedthegeneral interest andconcerninattacks againstthe availability of communication networks, which couldbe either affecteddespite not beingthe target (like inthecaseoftheSpamhausDDoSattack)orbetheactual target.However, theoretical vulnerabilities of mobility networks hadbeenknownandpublishedforafewyears.Billionsofusersdependoncellularnetworksonadailybasis. Therefore, theconsequencesofaDenialofService(lowtrafcvolume)oraDistributedDenial of Service(hightrafcvolume) attackagainst themobilitynetworkcouldbesevere. For example,with the current outbreak of mobile malware, the possibility ofa botnet of infected cell-phones launching an attack against thecellular network is closer to reality. An actual milder versionof such a scenario was already observed in the wild due to apoorlyprogrammedapplicationwhichcausedsevereservicedegradation on a cellular carrier [4].The threat scenario against communication networks isdrastically changing. Not only the surge of hacktivismisthreatening information systems, but also the relevance of thelatest player, theAdvancedPersistent Threat (APT), inthesecurityecosystemisgrowingfast. Arecent report releasedinformation on a succession of highly sophisticated and longcyber-attacks against all kinds of institutions and enterprises allover the world [5]. The advent of APT brings into the equationthe concept of a highly sophisticated and well-funded at-tacker. In this context, traditionally overlooked threats are veryimportant. Whenit comestoverywell-plannedandfundedcyber-attacks, evensmall-scalethreatscanbeimportant. Forexample, scenarios such as a local DoS attack against the cellservice around a large corporations headquarters or the StockExchangebecomeveryrelevant. This motivates further theimportance of enhancing the security of mobility networks.GSM (Global System for Mobile Communications) mobilitynetworks weredesignedtwodecades agotoaddress issuesin the previous cellular system(Advanced Mobile PhoneSystem, AMPS), namely privacy and authentication. The GSMencryptionandauthenticationalgorithmswereappropriatelyenhancedinUMTSandLTEbyincludingnewencryptionoptions but most importantly by requiring mutual authentica-tion. However, the threat landscape and computational powerhaveevolvedmuchfaster, withnosignicantupdatesintheoverallsecurityarchitecture. Aproactiveeffortisnecessaryto guarantee the full availability of mobility networks againstsecurity attacks.Analysis is required to determine the conditions that makepossible DoSandDDoSattacks against LTEas well as aclearassessment oftheimpact andseverityofsuchattacks.Basedonsucha study, solutions andmitigationstrategiesshould be proposed with the overall short-term goal to makemobility networks more secure and resilient to threats rangingfrom local radio jamming to complex DDoS threats targetingessential EPC elements, such as the Home Subscriber Server(HSS).Moreover, the long termgoal should be to rethink thearchitecture of a mobility network, originally designed just toguarantee privacy and authentication, for security and with thecurrent threat scenario in mind. Proactive efforts must be takeninorder togenerateinput andrecommendations for futurestandard releases and technologies in order to ensure networkavailability.Inthis paper weintroducethecurrent researchinitiativebeing carried out in order to address the problem of availabilityof LTE mobility networks. We rst present an overview of DoSandDDoSattacksagainst LTEcellular networks. Basedonthis analysis, we identify the main research areas that shouldbeaddressedtoguaranteefull mobilityavailability. Ononehand, fast detectionalgorithmsandmitigationstrategiesarebeingdened.Ontheotherhand,newnetworkarchitecturesarebeingproposedaspotential input andrecommendationsfor future technologies and standards, rethinking the networkwith a security perspective. All these are being done within thecontextofthenewmobilityecosystems. Weareprogressingto a near future scenario where most electronic devices will beconnected to the network through Machine to Machine (M2M)systems [6], giving shape to the Internet of Things (IoT) [7]. Atthe same time, wireless access networks are becoming highlyheterogeneousandcomplex,combiningcellulardeploymentswithother advancedaccess schemes (suchas metropolitanmicro- and pico-cells and user deployed femto-cells) andRadioAccessTechnologies(RATs), suchasWirelessLocalArea Networks (WLANs).Newresearchdirectionsareproposedtotacklethemajorsecurity concerns and architectural challenges of LTE, cover-ingall thenetworklayers. Forexample, thePhysical Layer(PHY) shouldberevisitedtoaddressthegrowingthreat ofnewsophisticatedradiojammingattacks[8], [9]. Moreover,the mobility network architecture should be attened anddistributedtoprevent largeloads of signalingtrafcintheLTE EPC as a result of common NAS (Non-Access Stratum)operations, suchas idle-to-connected andconnected-to-idleRadio Resource Control (RRC) state transitions. Such signal-ingoverloads areknowntobeapotential waytoattackamobility network [10]. Note that this challenge becomes highlyimportantwiththeexpectedrapidincreaseofthenumberofconnected devices.The remainder of this paper is organized as follows. First,someimportant backgrounddetails arebrieydiscussedinSection II. Section III reviews the threat landscape and relatedattacks against the availability of mobility networks. In SectionIVwediscussmethodstoimprovethesecurityinmobilitynetworksalongwithfurtherresearchdirectionsinthisarea.Finally, in Section Vwe sketch potential attack detectionstrategies andinSectionVI wepresent theconcludingre-marks.II. BACKGROUNDMobilecommunicationnetworksarerapidlyevolvingintocomplex systems both in terms of the network architecture andthetypes of connecteddevices. This increasingcomplexitynaturallyresultsinanincreasingnumberofsecuritythreats.This section presents an overviewof aspects relevant tomobility network security.A. Mobility network vulnerabilitiesSecurityresearchonwirelesssystemshasbeenincreasingthroughout academia andindustryover the last fewyears.One possible reasonfor this is the widespreadavailabilityof open source platforms that support wireless protocols. Forexample, theopensourceGSMproject OpenBTS[11] hassignicantly decreased the cost to research GSM and thus hasspurred a large amount of security research focused on GSMnetworks [12] along with the implementation of certain attacks[13], [14]. However, at this time, not much research has beenfocused on LTE networks.B. M2M trafc scalability and signaling load impactTheconvergenceoftheInternetandcellularmobilitynet-works is enabling new M2M communication systems as partoftheInternetofThings[7]. Theindustryconsensusisthatthere will be drastic growth in mobile cellular connectivity dueto M2M and embedded mobile applications. The majority ofM2M systems currently operate on 2G and 3G networks but,in the long term, everything is expected to transition to LTE.Somepredict that 50billionnon-personal data-onlymobiledevices will be on existing networks in the near future [6].Theemergenceof theIoTandthespikeinthenumberofconnecteddevicescouldhavesignalingloadimplicationsonthe cellular core network[15]. It will be necessarytooptimize howM2Mnodes utilize networkresources. Evenwiththe enhancements made toLTE, Machine-to-Machinetrafc is expected to signicantly affect the network [16]. Theexpected number of devices trying to connect wirelessly maybe sufcient to overwhelm the network due to high signalingtrafc volume.Inthesamecontext, thecombinationof theIoTandthetransition towards IPv6 could drive this trend to a point whereevery single consumer item is IP addressable. Mobile devicesare not normally directly addressable from the Internet; mobiletrafcisroutedthroughtheP-GW(Packet Gateway)whichhas NAT (Network Address Translation) functionality and thuseffectively rewalls off incoming connections. However, it ispossible that future M2M services will require to be address-ablefromtheInternetinordertodeploynewservices. Thiswill certainlyopennewattackvectors, especiallyformulti-homed devices, and is an area that needs to be investigated.C. Heterogeneous networks (metrocells, femtocells and WiFi)Mobility networks have evolved over the last few years tobecomehighly-complexheterogeneous systems suchas theonedepictedinFigure1. Oneexampleof heterogeneityisfound within cellular networks, where radio resources are op-timized by deploying smaller cells. High density metropolitanareas with large trafc demands are provisioned with micro-,pico,andfemtocellsthatprovidecoveragetoareaslessthan100 meters in radius.Fig. 1. Example of mobile network heterogeneityIn particular, femtocells are rapidly becoming a popular andlowcost solutiontoenhancethecoverageandcapacityofmobilesystems. Femtocellsarelow-powerbasestationsthatareinstalledbyendusersandbackhauledtotheEPCoverthebroadbandIPconnectionavailableattheuserspremises(cable, ber, DSL, etc). Anewnetworknode, theFemtocellGateway(FGW), enables the interconnectionof femtocellswith the network over an encrypted IP channel. Such aconnection must be both highly secure and well authenticatedinorder toavoidmisuse of this alternative entryintotheinternal mobility network.Further heterogeneity of mobility networks is caused by thenumber of different RATsthat theysupport. Intheabsenceof LTE coverage, User Equipment (UE) will establish aconnectiontoUMTSorevenGSMnetworks. Whileserviceavailability is extremely important, falling back to these otherprotocolsmayopenupthedevicetoattack[14]. Moreover,somecellular operators deployWiFi access points onverydense areas and congure UEs to automatically camp on themwhenavailabletospareasmuchloadaspossiblefromthehighly congested cellular systems.Each different method that allows UE to access the mobilitynetworkincreasesthecomplexityofthesystem. Newattackvectors potentially appear if this interconnectivity and hetero-geneityisnot properlyaddressed. For example, researchersrecentlypresentedwaystohackintofemtocellaccesspointstogainroot accesstothedevice[17]. Inthissituation, thecommon assumption that an attacker does not own or controlnetwork elements is not valid anymore.III. ATTACKS AGAINST THE AVAILABILITY OF LTEDoSandDDoSattacksinLTEmobilitynetworkscanbeclassied based on the trafc load maliciously generated:onesingleattackerorlowtrafcvolume(DoS)andalargecombination of multiple simultaneous attackers or high trafcvolume (DDoS). Note that a special class of attack is denedfor the case of the attacker being already within the networkperimeterand,therefore,notrequiringachargeofmalicioustrafc. This is the case of an insider attack.A parallel classication is based on the impact of the attack.Some attacks have a local scope, disruptingservice at theRANlevel andblockingservicefor asinglecell or sector.Other attacks can have a much wider scope, and are capableof disruptingalargeportionof themobilitynetwork. Notethat, insomesituations, local attacks maybecombinedsothat they affect a larger area. The combination of both attackcategories plus the insider attack is depicted in Figure 2.It isimportant tonotethat several other typesof attackscould be launched from or through a mobility network, suchas malwarespreading, phishingor evendataexltrationinthecontextofanAPT[18]. Also, abotnetofUEscouldbeleveragedtoenhancetheseverityof aDDoSattackagainstaspecictarget intheInternet. ThesethreatsareaddedtoFigure2for completionbut donot fall inthecategoryofattacks against the availability of LTE and are, therefore, outof the scope of this paper.DDoS against the LTE EPC can exploit either single pointsof failure or amplication effects inherent to the operation ofmobilitynetworks. Forexample, thesuccessful operationofthe LTE network depends on a central authentication node, theHomeSubscriberServer(HSS). Inparallel, sometheoreticalstudieshavepointedout thepotential riskthat amplicationattacks present against the EPC. Specically, it is well knownthat a single simple event on the phone side (a state transitionintheRRCstatemachine)requiresasubstantial numberofmessagesexchangedamongseveral EPCnodes. Thiscouldtheoretically be exploited to become a DDoS attack [10], [19].Suchanoverloadinghasalreadybeenobservedinthewildwith a non-malicious origin. A major US cellular operator hadpart of its network highly saturated due to an instant messagingappupdate- installedonmanysmartphones- that checkedvery often with a server [4]. This resulted in a large numberofconnect/disconnect eventsat theRRCengineoftheEPCwhich, as a result, generated a very large load on the EPC.Local attacks, such as radio jamming and saturation of thewirelessinterface, canbelaunchedfromasingledeviceorradio transmitter and have recently become more sophisticatedwithanincreasedimpact[8],[9].Othermorecomplexlocalthreatsagainst theRANoriginatingat multiplecell phonesshould be considered as well, such as Theft of Service (ToS)and protocol misbehavior. Although these are not availabilityattacks per se, theycanpotentiallydegradetheQualityofService (QoS) for legitimate customers.Finally, insider attacksdefythecommonassumptionthatanattackercannot haveaccesstoanynodeofthenetwork.Fig. 2. DoS and DDoS attacks in mobility networksAninsider is anindividual withelevatedrights andaccesstospecicnetworkelements. Suchprivilegescouldbema-liciouslyexploitedtodisrupt communications locallyor ataglobal networkscale. Thisattackcategoryisunlikelybutshouldbeincludedinacompleteanalysisgiventhecurrentthreat scenario.A. Denial of Service attacks (DoS)Following the overview in Figure 2, this sub-section brieyintroducesthedetailsofDoSattacksagainstamobilitynet-work. Thefocusismostlyonlocalattacks, i.e. jamming, aswell as threats against the RAN that could be leveraged froma single attacker.1) Radio jamming: Radio jamming is the deliberate trans-mission of radio signals to disrupt communications by decreas-ingthesignaltonoiseratio. Thisattackhasbeenstudiedintheliteratureinthecontext of cellular communicationsandessentiallyconsistsofblastingahighpowerconstant signalontheentiretarget band[20], [21]. Althoughonewaytoblockthisattackistolocateandstopthejammingdevice,the large amount of power required reduces the effectivenessof the attack.2) (Low Power) Smart Jamming: Smart jamming consistsof attacks that aim to locally disrupt the communications of anLTE network without raising alerts. This can be done by sat-urating one or more of the essential control channels requiredbyall mobiledevicestoaccessthespectrum. Saturationofthese channels would make the network appear unresponsive.Moreover, given that this attack requires low transmitted powerandrequiresnoauthentication, detectionandmitigationarevery difcult.This type of attack can be launched against essential controlchannels in both the downlink and the uplink. Instead ofsaturatingtheentirechannel, thisattackconcentratesonthemuch narrower control channels and so consumes less power.Thefact that theradioresourceallocationofthemainLTEdownlinksynchronizationandbroadcastchannels(PSS, SSSand PBCH) is known a priori makes this a very simpleimprovement over basic jamming. Bytuninga regular offtheshelf radiojammer at thecentral frequencyof theLTEbandandtransmittingat abandwidthof at least 1.08MHz,an attacker would block reception of the aforementioneddownlink control channels [9].Uplink smart jamming targets LTE uplink control channels.The required bandwidth is substantially lower than DownlinkSmart Jamming and, given that the attacker is competingagainstlow-powerUEs, therequiredpowerisverylow, too.However, thiscategoryofattackmight requireanadvancedjammer that is able to fully synchronize with the LTE signal.Fig. 3. Impact range of radio jamming vs UL smart jammingNote that, unlike a traditional jammingattack, whichislocalized around the actual attacker, an uplink smart jammingattack would deny the service to all the users within the targetcell or sector. Therefore, as it can be seen in Figure 3, whilestill beingalocal DoSattack, smart jamminghas awiderrange.Basedonthisvulnerability, awell organizedgroupofat-tackers could simultaneously activate jamming devices in orderto block access to the network over several contiguous cells.This attack could potentially be optimized by equipping eachradiojammerwithmultipledirectiveantennasandtargetingthis way multiple sectors or cells.Injammingmitigationstudies, the goal is toforce anysophisticatedattacktobejust asefcient asbasicjamming[22]. Therefore, LTE security systems should be able tomitigateor blocksmart jammingattacks. Weareproposingcertain mitigation strategies based on leveraging the multipleantennas per cell/sector available at most cell sites [8]. ThesearraysofantennasarecurrentlyonlybeingusedtoimprovetheperformanceofthePHYlayerintermsofbit errorrateand minimumreceived power. Following similar ideas asthe spatial multiplexing concepts planned for Advanced LTE,multiple receiving antennas can be leveraged to perform beam-forming in order to detect interference and block its effects.Therst instanceof smart jammingwasproposedafewyears agointhecontext of GSMnetworks [13]. Also, theauthors of [12] suggested the theoretical feasibility of lo-cally jamming a GSMbase station with a constant loadof text messages. The fact that, inlegacyGSMnetworks,text messages share resources with signaling channels makessuch an attack possible. Recent results indicate that it istheoreticallyalsoapplicable toUMTS-basednetworks, butwith less intensity [23]. However, it is important to note that, inLTE systems, SMS trafc does not share resources with systemsignalingmessages. Therefore, anLTESMS-basedoodofRAN signaling channels is not possible.A basic form of smart jamming against LTE was presentedrecently as well [9] as a response to developing a public safetyLTE-based network.3) Classic computer vulnerabilities: Cellular equipmentandthesoftwarerunningonmobilitynetworks aresimilartoanyothercomputersystemandsocanbeaffectedbythesame large class of vulnerabilities. For example, there is no a-priori reason to expect that rmware and software on telecomequipment doesnot havetheclassof vulnerabilityreferredtoasbufferoverows. Althoughnormallyonewouldexpectan attacker to use a buffer overow to cause code to executeontheattackeddevice, afailedattackor evenexploratoryinvestigationsofabufferoverowcouldcauseequipmenttocrash and, hence, cause a DoS condition.Agood example of this is a recent effort on basebandfuzzingof mobiledevices [24]. It identiedzerodaybugsthat causedthebasebandortheentiredevicetocrashwhenparsing malformed text messages.B. Distributed Denial of Service attacks (DDoS)This section provides an overview of potential DDoS attackslaunchedbyabotnetofmobiledevicesorahighvolumeofmalicious trafcagainst themobilitynetwork. Thecaseofasimilar botnet of mobileterminalsleveragedtoattackanexternal network or node is considered as well for completion.1) Botnet of mobiledevices: Researchstudiesonbotnetdetectionandtrackingarestartingtoconsiderthepossibilityof amobilebotnet conformedbyalargenumber of smart-phones. Theauthorsof [25] statedthat, giventhepotentialeconomic incentives and impact of a mobile botnet, these arelikely to appear and spread on current cellular networks. Thisstudydemonstratestheavailabilityofmultipleplatformsforcommand and control messaging exchange and the feasibilityof thesuccessful operationof suchabotnet. Thesurgeinmalwareinstancesandsuccessfulspreadinfectionsenhancesthe likelihood of such a scenario. In fact, a recent studyreportedthediscoveryof anAndroidmalware-basedbotnetthat activatessmart phonesastext messagespamplatforms[26].Based on these assumptions, a smart-phone botnet presentsanewandverypowerful attackvectoragainst mobilitynet-works. As aresult, anewset of DDoSattacks is possiblewhen large volumes of trafc and signaling messages can begenerated from within the network. We categorize such threatsin the following subsections.2) Signaling amplication attacks: Mobility networks donot have sufcient radio resources to provide service to everysingle customer at the same time. Typically, resources aredeployedtobeabletosustainpeaktrafchoursand, intheeventofloadspikesknownapriori(e.g. alargetechnologyfestival) extra capacity can be temporarily deployed [27].The scarcity of bandwidth requires advanced techniques toreuseidleresourcesinanefcientmanner.TheRRCengineof thenetworkreassignsradioresourcesfromagivenuserwhentheconnectiongoesidleforafewseconds. Whenaninactivitytimerexpires, theradiobearerbetweenthemobiledeviceandthecorenetworkis closedandthoseresourcesbecome available to be reassigned to another UE. At this stage,the UE moves from connected to idle state.Eachinstanceof bearer disconnectionandsetupinvolvesasignicant number of control messagesexchangedamongnodes withintheEPC. This signalingload, if not properlymanaged, canresult inlarge-scalesaturationofthenetworkwhich could be exploited in the context of a DDoS attack [10].Suchimpact hasalreadybeenseeninthewild. Aninstantmessagingapplicationthat waspoorlydesignedcheckedfornew messages with a server too often and ooded portions ofthe cellular network of one of the major providers in America[4].A botnet of infected mobile devices could be used to gen-erate a signaling amplication attack by forcing each terminaltoconstantlyestablishandrelease IPconnections withanexternal server [19]. Apieceof malwarecouldalsotriggermobile phones to reboot at the same time, thereby potentiallyoverloadingtheEPCwithregistrationsoncetheycomebackup. SuchsaturationoftheEPCcouldpotentiallyalsooccurlegitimatelyduetotheoverwhelmingamount of trafcandfrequent reconnections of billions of M2M nodes [16].3) HSS saturation: The HSS is a key node of the EPC thatstores information for every subscriber in the network. Someof the parameters stored per user are the phone number (pub-licid), theInternational MobileSubscriberIdentity(IMSI)(private id), billing and account information, cryptographicprimitivesandkeystoperformauthenticationofsubscribersand also the last known location of the user.This essential node is the provider of authentication of usersand is the cornerstone of the paging infrastructure. Therefore,a DDoSattackagainst this node couldpotentiallypreventthe network from being operated. Some research work in theacademiahasexploredthepossibilityofoverloadingthe3GHome Location Register (HLR) leveraging a botnet of mobileterminals [28]. It is important to note that the HSS is involvedinasubstantial numberofsignalingeventsintheEPCandcouldsufferaswelltheconsequencesoftheaforementionedsignaling amplication attack.4) DDoS against external nodes/networks: Recently, ma-jor banking institutions were the target of some of the largestDDoSattacks ever seen in communication networks [29].Theseattacksoriginatedfromanumberofserversthatwereremotely controlled by an attacker and were able to inject largetrafcloadsintothenetwork. Althoughthetarget ofDDoSattacks is not the networkitself, the recent DDoSattacksagainst Spamhausresultedinsubstantial impact against theavailability of communication networks [3].In this context, the high volume of trafc aimed to aspecic target during a DDoSattack could originate at abotnet of mobile phones and, therefore, potentially impact theperformance of the mobility network.C. Insider attacksAcompletesecurityanalysis of mobilitycommunicationnetworks should address the concept of an insider threat, whichis often ignored or assumed unlikely. This has many opportu-nities to architect sophisticated intrusion detection techniquesfor this attackcategory. However, withthecurrent securitythreat landscapeandtheadvent of theAPT[5], aninsiderattack becomes highly relevant.Avery well funded attacker could persuade an insidertoperformanattackagainst theavailabilityof themobilitynetwork. Thiswouldchangeacommonassumptioninmo-bility network security: the attacker could own and control aninternal network node.Aninsidercouldphysicallyorremotelyshut downanet-worknode. Unless this node was the HSS, the impact ofthe attack would not be global. Beyond a strong securityperimeter and remote access control to the HSS, the privilegesand access granted to employees should be carefully plannedanddesignedinorder tominimize, if not totallydeny, thereachability of the HSS and other important EPC nodes.However, access control protectiontoessential elementsof the EPCis not the optimal solution. Toguarantee fullavailability of a mobility network against an insider attack, thisnewdimensionofsecuritythreatmustbeanalyzedcarefullyandaddressedbyspecicaccesscontrol policies, perimeterdelimitation, and new advanced techniques.D. Overview of threats against mobility availabilityInthissectionwepresent abrief overviewof theafore-mentionedattacks against the availabilityof LTEmobilitynetworks. The main threats are summarized in Table I based onthe attack platform, the scope, the difculty or cost to launchsuch an attack and, nally, an estimate of the impact againstthe availability of an LTE network. The larger the impact, themore the availability is affected within the scope of the attack.A smart jamming attack, despite being local, can potentiallyblock one or multiple sectors at a very low cost. The cost ofa signaling amplication attack or a threat against the HSS islargerbecauseit requiresalargebotnet ofinfecteddevices.In the latter case of a DDoS against the HSS, the range of theattack could be potentially global.Thecaseofaninsiderthreat isalsoconsidered. Onceaninsider goes rogue, thepotential attacks havelowcost andpotentiallyhighimpact. Finally, abotnet of UEs couldbeleveragedtolaunchor enhance a DDoSattackagainst anexternal target.IV. NEW SECURITY-ORIENTED NETWORK ARCHITECTUREWireless cellular networks were originally designed toprovideubiquitousaccessfor communication. Althoughthesecondgenerationof mobilitynetworks was designedwithsome securityaspects inmind, GSMjust featuredcrypto-graphicalgorithms toguaranteeprivacyandauthentication.TheGSMsecurityarchitecture, proposedtwodecades ago,isnowadaysknowntobeinsufcient givencurrent compu-tational power [14]. UMTS-based 3G networks enhanced thesystembyimplementingstrongerencryptionandatwo-wayauthentication scheme. Both encryption and authentication arefurther enhancedinLTE. However, withthe current threatlandscapeandtheincreasingsophisticationof attacks, suchsecurity architecture is not enough to guarantee the availabilityof mobility networks.Mobility networks are not designed to guarantee availabilitybeyond redundancy and resiliency to network outage. Theinherent characteristics and operation modes of mobility net-worksarestronglyboundtocentralizednodesandessentialcontrol channels. Inother words, largeclusters of mobilityusers are tightly dependent on certain specic nodes (e.g. theHSS in LTE) and all the devices within a given cell or sectortransmit and receive essential control trafc on shared channels(such as the Physical Broadcast Channel -PBCH).In this section we introduce potential directions for aredesign of the mobility network architecture for security, witha goal of full mobility availability against security attacks.A. Main areas of focus for security enhanced network archi-tectureThe analysis of the threat scenarios presented in this paper,DoSandDDoSattacksagainstmobilitynetworks, allowsustoidentifyspecicareas of focus. Inorder toachievefullavailability and resiliency of cellular networks against securityattacks, efforts should be carried out in the following areas.Threat Platform Range Difculty ImpactSmart Jamming1 RF/SW-denedradio deviceLocal(cell/sector)Low cost andcomplexityHigh (but local)SignalingamplicationBotnet ofinfected UEsLarge portion ofa nationalnetworkMedium(10K-100Kinfected UEs)HighHSS saturationBotnet ofinfected UEsPotentiallyglobalMedium(10K-100Kinfected UEs,avoid attackthrottled at EPC)Very highExternal DDoSBotnet ofinfected UEsDDoS target Medium Potentially highAPT Insider Local to global Low Very highTABLE IOVERVIEW OF ATTACKS AGAINST THE AVAILABILITY OF MOBILITY NETWORKSBroadcast and Control Channel protection for enhancedjammingresiliency: Radiojammingisacommonthreatforall kindsofwirelessnetwork. Ontopofdesigningjammingmitigationandblockingtechniques, itisimportanttoensurethat themaincontrol andbroadcast channelsof amobilitynetwork are protected against radio jamming. This can preventsmart jamming attacks, through which an attacker could blockthe access over up to an entire cell by means of a low powerandlowbandwidthsignal. Aninitial proposal onsecuritysolutions tackling this problem is presented in [8].Initial access to the network: A random access procedureto request resources is the rst step in the initial access to thenetwork and the transition from idle to connected state. Suchprocedure is carried out on an uplink shared control channel,the (Random Access Channel) RACH. This resource is oftenthe rst source of networkcongestiondue toa legitimatetrafcspike. Thecharacteristicsofrandomaccessprocedurecan be leveraged in the context of malicious DoS attacks. Theincreasing sophistication of attacks plus the increasing numberof connecteddevices andnetworkloadrequire the designofdistributednetworkinitial accesstechniques. Conceptsofcognitive radio and reuse of legacy networks could be appliedto design more robust radio resource allocation architectures.Optimization of the RACH procedure and a exible adaptationto changes in trafc and channel conditions are already withinthe scope of the design of Self Organizing Networks [30].RRC bearer management: The scarcity of spectrum resultsin complex radio resource management techniques at the RAN.LTE Physical Resource Blocks (PRBs) cannot be permanentlyallocated to a given device so, by default, UEs are moved toadisconnectedstateafter theyhavebeenidlefor acertaintime. This on-demand resource reuse strategy, combined withthe cost of cellular infrastructure, results in cellular networksprovisioningenoughcapacityat the RANandthe EPCtohandlethetrafcduringthebusiest timesof theday. RRCalgorithms activate and deactivate trafc bearers depending onthe UE trafc activity. Each bearer establishment and releasegenerates a substantial number of signaling among the nodesintheEPC,whichcanpotentiallysaturatenetworkelementsor connectivity links with bursty spikes of trafc. Initial effortsof designingLTEnetworks witha more distributedbearermanagement procedure have to be continued in order todistributeEPCsignalingloadandminimizeitsimpact [15].Thiswaythescalabilityof theIoTover mobilitynetworkscould be achieved.Corenetworksignaling: TheevolutiontoLTEhasmadegreat efforts in designing a at and exible network . Neverthe-less, the NAS signaling load at the EPC has strong relevanceon network security [15]. This very complex problem resultsin large amounts of trafc exchanged among EPC entities andbetweentheEPCandtheRANeachtimeaNASnetworkfunctionis executed. This results inasub-optimal networkarchitecturethat canbeexploitedmaliciouslyinthecontextof DDoS attacks. A exible and rapidly adapting architectureisrequiredtominimizetheNASsignalingloadat theEPCandprovidemitigationfeaturestobalance, re-routeorlternetworkcontroltrafc. Suchfunctionalitycanpotentiallybeachieved by means of strong SoN and software-based networknodes.Central Node Dependency: Mobility networks stronglydependonspeciclogicallycentralizednodes. Forexample,essential authenticationandbillingfunctionsarecarriedoutbythe HSSperiodically. This way, the consequences of aDDoS or an insider threat against such a node could be severe,potentially denying access to mobile communications oververy large geographical areas. Distributed solutions should beimplemented in order to reduce the dependance on centralizednodes. Twopossiblesolutionstobeexploredincludepartiallocal replicasofthecontent oftheHSSclosertotheRANandoptimizationof thesignalinghandshakefor connectionmanagement and authentication procedures. Software-denedcellular networksrunninginthecloudalsooffer promisingsolutionsbyadaptivetuningthecapacityandprocessingofcentralizednodes(i.e. assigningmoreCPUresourcestotheHSSordistributingit amongseveral virtual machines)asaresult of a legitimate trafc spike or an attack.A redesign of the network architecture based on software-based mobile network might not require an intense modica-Fig. 4. Research directions for mobility availability against security attackstionof basicLTEstandards. Instead, newsecurity-orientedproposals and recommendations would be included in thestandards for self organization and self healing. Nevertheless,new RAN security solutions to enhance the resiliency againstradio jamming and to optimize the initial access to the networkwould require modications to the standards.B. Security research directionsThe mobility network redesign for security described in Sec-tion IV-A should follow three main directions, with increasingsecurity benet but with increasing complexity as well. Thesethree directions are summarized in Figure 4 with their impacton four examples of availability threats against mobility (radiojamming, EPCsignalingbasedthreats, M2MscalabilityandHSSsaturation). Thesefour cases havebeenselectedas asample of the overall security of mobility availability problem.Note that as indicated in the gure, a successful enhancementof mobilitynetworksecuritymust bebuilt together withastrongandeffectiveattack-detectionengine. Moredetailsondetecting mobility attacks are given in Section V.Therst buildingblockof amobilesecurityarchitectureshould leverage the power of the network as is. For example,theavailabilityof multipleantennasat theeNodeBenablesthe possibility of advanced anti-jamming techniques basedon multi-antenna and beamforming technology [8]. Sucha modication at the PHYlayer would require minimumchanges to the network, from a standards and deployment pointofview, andwouldofferstrategiestotackleradiojammingthreats.The trafc scalability and signaling load should be analyzed,through simulations, by stressing the network with unboundedtrafc and device growth to give insights on the EPC signalingload architecture. Based on these results, the conguration ofthecurrent networkcouldbemodiedtooptimallyhandleNAS messaging and bearer-related signaling trafc, providinga certain degree of mitigation against DDoS attacks.Note that leveraging the current network design can providea rst layer of protection frommobility attacks, but doesnot fullyaddresstheproblem. Withamoreforward-lookingapproach, security research should propose both a new imple-mentationofcellularnetworksandanactualredesignofthenetwork architecture for security enhancements.As the next buildingblockfor a newmobilitysecurityarchitecture, software-dened cellular networks offer manypotential benetsbyfullyorpartiallydeployingtheEPCinthe cloud. Such exible approaches would provide new meansforasecure, exibleandadaptivemanagement oftheEPC.A more efcient load processing and balancing among nodeswouldbepossible. Moreover, theprocessingcapabilitiesofnetworknodescouldexiblybeenhancedintheevent ofalegitimateor maliciousspikeinuser or signalingtrafc. Inthe context of a DDoS threat, the nodes under attack could beeither replicated or assigned more processing capacity.Finally,securityeffortsshouldimpactupcomingstandardsandtechnologies. Thegoal istorethinkthearchitectureofa mobility network, originally designed only to guaranteeencryption and authentication but without the current securitycontext andthreat landscapeinmind. Suchredesignshouldalso consider the current evolution of mobility networks,progressing to a near future scenario where nearly everyelectronicdevicewill beconnectedtothenetworkthroughM2M systems and the IoT.Similar directions have been proposed for the developmentof efcient and exible mobility network architectures, able toserve the still unknown needs and preferences of future users[31].V. MOBILITY NETWORK ATTACK DETECTIONAs depicted in Figure 4, on top of all the security enhance-mentswill layanadvancedattackdetectionlayer. Efcientdata mining and machine learning techniques will ensure therapidandaccuratedetectionof securityattacks against themobility network, automatically triggering the appropriate de-fenses and self-healing functionalities. Some of these might bedesigned and proposed within the scope of SoN, establishingthe context of secure and self recovering networks.Thenetworkattackdetectioncapabilityshouldbeabletosense both large scale DDoS-type of attacks as well as moresubtle threats, such as much localized low volume DoS attacksor other network and trafc anomalies. An effective detectionengine should leverage the power and computational resourcesof the network and the cloud and leverage data that is availableat all stages and layers of the network.Inparallel, alocalizeddetectionlayershouldmonitorforlocal low trafc threats against the RAN. This RAN-level de-tection layer should generate constant feedback to the network-basedglobal detectionengine because the aggregationandcorrelation of localized attacks could be indicative of a largerattack at a higher layer.VI. CONCLUSIONSIn this paper we presented an overviewof the currentavailabilitythreat landscapeofLTEmobilitynetworks, cov-eringbothlocal DoSattacks against theRANandlargelydistributedDDoSattacks aimingtosaturatetheEPCor tosimultaneously block multiple cells at the RANlevel. Inparallel, considering the recent drastic changes on the securityassumptions resulting from the advent of the APT, we includethe insider threat in our study.Mobility networks were initially designed primarily to guar-antee privacy and authentication. However, in the contextof thecurrent threat landscape, securityresearcheffortsarenecessary in order to achieve full mobility availability.To achieve this goal, we propose three major securityresearch directions, as well as an effective and efcientnetwork-based attack detection layer. As a rst step, thecapabilities of current mobility networks should be leveraged,recongured and adapted for security enhancement. In the midterm, architecturechangessuchas, software-denedcellulararchitectures, with full or partial deployments of the EPCin the cloud, potentially provide a strong enhancement ofresiliency against DDoS attacks. Finally, the mobility networkandsecurityarchitecturesshouldbecompletelyrethoughttosupport ascenariointhenot-too-distant futurewhennearlyevery electronic device will be connected to the network.ACKNOWLEDGEMENTSThe author would like to thank Dr. Gustavo de Los Reyesand Dr. Joshua Lackey for their valuable help, comments andsuggestions.REFERENCES[1] E. Gadaix, GSMand3Gsecurity,inInBlackHat Asia, 2001, http://tinyurl.com/85plhlv.[2] P. Traynor, P. McDaniel, and T. La Porta, On attack causality ininternet-connectedcellularnetworks,inProceedingsof16thUSENIXSecuritySymposiumonUSENIXSecuritySymposium,2007,pp.21:121:16.[3] J. Markoff, Firm Is Accused of Sending Spam, and Fight Jams Internet,The New York Times, March 2013, http://goo.gl/76ipU.[4] M. Dano, The Android IM app that brought T-Mobiles network to itsknees, Fierce Wireless, October 2010, http://goo.gl/O3qsG.[5] D. Alperovitch, Revealed: OperationShadyRAT,Threat Research,McAfee, 2011, http://goo.gl/ATL2X.[6] More than50billionconnecteddevices, Ericsson, EricssonWhitePaper, February 2011, http://goo.gl/KGaVg.[7] A. Iera, C. Floerkemeier, J. Mitsugi, andG. Morabito, Special Issueon the Internet of Things, in IEEE Wireless Communications, vol. 17,December 2010, pp. 89.[8] R. Piqueras Jover, J. Lackey, and A. Raghavan, Enhancing the securityof LTE networks against jamming attacks, February 2013, Undersubmission.[9] Talbot, David, One Simple Trick Could Disable a Citys 4G Phone Net-work, MIT Technology Review, November 2012, http://goo.gl/PnqHf.[10] P.Lee,T.Bu,andT.Woo,Onthedetectionofsignalingdosattackson 3g wireless networks, in INFOCOM 2007. 26th IEEE InternationalConference on Computer Communications. IEEE, May 2007.[11] Kestrel Signal Processing, Inc., The OpenBTS Project, http://openbts.sourceforge.net/.[12] P. Traynor, W. Enck, P. Mcdaniel, andT. LaPorta, Exploitingopenfunctionalityinsms-capablecellular networks,inJ. Comput. Secur.,vol. 16. Amsterdam, TheNetherlands, TheNetherlands: IOSPress,December 2008, pp. 713742.[13] D. Spaar, A practical DoS attack to the GSM network, in In DeepSec,2009, http://tinyurl.com/7vtdoj5.[14] K. NohlandS. Munaut, WidebandGSMsnifng,inIn27thChaosCommunication Congress, 2010, http://goo.gl/wT5tz.[15] 3rd Generation Partnership Project; Technical Specication Group Ser-vices and Systems Aspects, Study on Core Network overload solutions.3GPP TR 23.843, vol. v0.7.0, 2012.[16] A. Prasad, 3GPP SAE-LTE Security, in NIKSUN WWSMC, July 2011.[17] N. Golde, K. Redon, and R. Borgaonkar, Weaponizing femtocells:The effect of rogue devices on mobile telecommunications, in AnnualNetwork & Distributed System Security Symposium, 2012.[18] R. PiquerasJoverandP. Giura, Howvulnerabilitiesinwirelessnet-works can enable Advanced Persistent Threats, in International Journalon Information Technology (IREIT), 2013.[19] R. Bassil, A. Chehab, I. Elhajj, andA. Kayssi, Signalingorienteddenial of serviceonltenetworks,inProceedings of the10thACMinternational symposium on Mobility management and wireless access.ACM, 2012, pp. 153158.[20] M. Stahlberg, Radio jamming attacks against two popular mobilenetworks,inHelsinki Universityof Technology. SeminaronNetworkSecurity. Mobile Security, 2000.[21] W. Xu, Y. Zhang, and T. Wood, The feasibility of launching anddetectingjammingattacksinwirelessnetworks,inACMMOBIHOC,2005, pp. 4657.[22] T. Clancy,Efcient ofdm denial:Pilot jamming and pilotnulling, inCommunications (ICC), 2011 IEEE International Conference on. IEEE,2011, pp. 15.[23] I. Murynets and R. Piqueras Jover, Howan SMS-Based malwareinfectionwill get throttledbythewirelesslink,inIEEEICC2012-Communication and Information Systems Security Symposium (ICC12CISS), Ottawa, Ontario, Canada, June 2012.[24] M. Vuontisjarvi and T. Rontti, SMS fuzzing, Codenomicon, http://goo.gl/C0pXj.[25] C. Mulliner and J.-P. Seifert, Rise of the ibots: 0wning a telco network,in Proceedings of the 5th IEEE International Conference on Maliciousand Unwanted Software (Malware), 2010.[26] SecurityAlert - SpamSoldier,TheLookout Blog, December 2012,http://goo.gl/7lkRM.[27] J. Donovan, Helping Fans Connect and Share at SXSW, AT&TInnovation Space, March 2013, http://goo.gl/vy5w8.[28] P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, P. McDaniel, andT. LaPorta, Oncellularbotnets: measuringtheimpact ofmaliciousdevicesonacellularnetworkcore,inProceedingsof the16thACMconferenceonComputerandcommunicationssecurity, ser. CCS09.New York, NY, USA: ACM, 2009, pp. 223234.[29] D. Goldman, Major bankshit withbiggest cyberattacksinhistory,CNN Money, September 2012, http://goo.gl/4qCXG.[30] M. Kottkamp, A. Rossler, J. Schlienz, andJ. Schutz, LTERelease9: TechnologyIntroduction,Rhode&Schwarz, WhitePaper, 2011,http://goo.gl/QeGPO.[31] B.-j. Kim and P. Henry, Directions for future cellular mobile networkarchitecture, First Monday, vol. 17, no. 12-3, 2012.


Physical Modelling Synthesis Overview

Physical Modelling Synthesis Overview

Documents
Venture Capital

Venture Capital

Documents
Basic Buffer Overflows Explained

Basic Buffer Overflows Explained

Documents
One Flew Over the Cuckoo's Nest

One Flew Over the Cuckoo's Nest

Documents
Acetone Peroxide

Acetone Peroxide

Documents
Cakes Recipes

Cakes Recipes

Documents
Do you admire Leonardo da Vinci?

Do you admire Leonardo da Vinci?

Documents
Life Is Just A Dream - Or Is It?

Life Is Just A Dream - Or Is It?

Documents
Chapter 23

Chapter 23

Documents
Effective Parenting: Establishing Boundaries

Effective Parenting: Establishing Boundaries

Documents
Compressing And Decompressing Folders

Compressing And Decompressing Folders

Documents
The Best American Humorous Short Stories

The Best American Humorous Short Stories

Documents
Chapter 24

Chapter 24

Documents
Star Wars Trivia!

Star Wars Trivia!

Documents
Star Wars Prequel Trilogy Trivia (Episodes I-III)

Star Wars Prequel Trilogy Trivia (Episodes I-III)

Documents
Simple Functions in Haskell

Simple Functions in Haskell

Documents
Aesops Fables

Aesops Fables

Documents
Bhagavad Gita

Bhagavad Gita

Documents
Heidegger Kritik

Heidegger Kritik

Documents
Iron Mills Essay

Iron Mills Essay

Documents
Daniel Zanella and Alexander Weygers

Daniel Zanella and Alexander Weygers

Documents
Algorithms

Algorithms

Documents
United States Constitution

United States Constitution

Documents
xCDC14a

xCDC14a

Documents
How Computer Keyboards Work

How Computer Keyboards Work

Documents
Bodybuilding - The Rock Hard Challenge (Month 1 Training)

Bodybuilding - The Rock Hard Challenge (Month 1 Training)

Documents
Steve Jobs' Commencement Speech at Stanford

Steve Jobs' Commencement Speech at Stanford

Documents
Oedipus The King: The Ideal Tragic Play

Oedipus The King: The Ideal Tragic Play

Documents
How Computer Monitors Work

How Computer Monitors Work

Documents
Explore The Levels of Creation

Explore The Levels of Creation

Documents