Florida Institute for Cybersecurity (FICS) Research
CIS 6930 - Cellular and Mobile Network Security:
Cellular Networking
Professor Patrick Traynor, 9/18/2018
The Big Picture
"Details create the big picture." - Sanford I. Weill
Overview
• Evolution
• Architecture
• Air Interfaces
• Network Protocols
• Application: Messaging
Cellular Systems
• Wireless Access
  • TDMA (IS-136, GSM)
  • CDMA (IS-95, CDMA2000)
  • WCDMA (UMTS)
• Connection-oriented networks for voice
  • PSTN (ISDN)
• Packet overlay networks for data
  • General Packet Radio Service (GPRS) - GSM and UMTS
  • Evolution-Data Optimized (EV-DO) - CDMA
    • Rebranded from "Evolution-Data Only"
• Signaling protocols
  • Signaling System No. 7 (SS7) for voice and GPRS
  • IETF protocols for EV-DO
Wireless Standards Evolution to 4G
[Figure: timeline of cellular standards by generation, with carrier bandwidths where the slide gives them]
• 1G: Analog AMPS, TACS
• 2G: IS-95-A/cdmaOne, IS-136 TDMA, GSM
• 2.5G: GSM GPRS, HSCSD, IS-95-B/cdmaOne, CDMA2000 1xRTT (1.25 MHz)
• 2.75G: GSM EDGE
• 3G: WCDMA (UMTS), CDMA2000 1xEV-DO (1.25 MHz), CDMA2000 3x (5 MHz)
• 4G: LTE (1.4, 3, 5, 10, 15, 20 MHz), WiMAX
• Spectrum: existing cellular bands plus the 700 MHz band
Reference Architecture
[Figure: the MS connects over the air to a BTS; several BTSs feed a BSC; BSCs connect to an MSC with a co-located VLR; MSCs consult the HLR/AuC and connect to the PSTN/ISDN]
• MS: Mobile Subscriber/Station
• BTS: Base Transceiver Station
• BSC: Base Station Controller
• MSC: Mobile Switching Center
• HLR: Home Location Register
• AuC: Authentication Center
• VLR: Visitor Location Register
Basic Network Architecture
[Figure: MS served by base stations (BS); each group of base stations attaches to an MSC/VLR pair; GMSC, HLR and SMSC sit in the core network]
• Gateway MSC (GMSC) receives incoming calls for phones.
• Serving MSC assigned based on location.
• HLR: Permanent registry for service profiles, pointer to the serving VLR.
• VLR: Temporary repository for profile information, pointer to the serving MSC.
Cellular Services
• Automatic call delivery
  • find a user, deliver a call
• Intelligent Network (IN)-type services
  • e.g., call forwarding
• Messaging
  • Short Message Service (SMS)
• Connection-oriented user data transfer
  • voice, fax, circuit-switched data
• Packet data
  • General Packet Radio Service (GPRS) - GSM and UMTS
  • Evolution-Data Optimized (EV-DO) - CDMA
High Level Call Flow
• Mobile user registers
  • Power up/down
  • Movement
  • Periodic
• Call recipient located
  • Call routed to gateway or home MSC
  • Gateway MSC searches for called mobile (via HLRs and VLRs)
  • Mobile user is paged (determines current base station)
• Call delivered
  • Uses standard SS7 procedures
Delivering a Call
[Figure: caller → GMSC → HLR → VLR/MSC → base stations → MS; SMSC attached to the HLR]
1. Call placed to 404-894-2000.
2. GMSC: 404-894-2000 maps to HLR X.
3. GMSC → HLR X: "How do I deliver call to User 222?"
4. HLR X → serving VLR: "How do I deliver call to User 222?"
5.-7. Temporary routing number 999-xxx returned: VLR → HLR → GMSC.
8. GMSC routes the call to 999-xxx (the serving MSC).
9. Serving MSC pages the mobile.
10. Call connected.
Protocols of Note
[Figure: MS — BS — MSC/VLR — HLR — MSC — PSTN/ISDN, with SS7 carrying the core signaling]
• Air interfaces: GSM, IS-136, IS-95, UMTS
• Mobility management protocols: GSM-MAP, ANSI-41 MAP
• Core signaling: SS7 between MSCs, HLR and the PSTN/ISDN
Mobile Registration - High Level
[Sequence diagram; participants: BS, MSC, VLR, HLR, Old VLR, Old SMSC]
• MS → BS → MSC/VLR: location update
• VLR → HLR: Update Location
• HLR → Old VLR: Cancel Location
• HLR → VLR: OK (subscriber profile delivered to the new VLR)
Mobile Call Delivery - High Level
[Sequence diagram; participants: Gateway MSC, HLR, VLR, serving MSC, BS]
• Gateway MSC → HLR: Call Request / Request Routing Info
• HLR → VLR: Request Routing Number
• VLR → HLR → Gateway MSC: Routing Number
• Gateway MSC → serving MSC: SS7 Call Delivery to the routing number
• MSC → BS: Call Request
• BS → MS: Page
• MS → network: Connect
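The registration and call-delivery exchanges on the two slides above, modeled end to end as an added example (this is not code from the lecture or from any real network element). The entity names, the MSRN format "999-nnn@MSC" and the trace strings are illustrative; what the model preserves is the location hierarchy: the HLR knows only the serving VLR, the VLR knows the serving MSC and location area, and the cell is learned only when the MSC pages the phone at call time.

```python
"""Toy model of GSM mobility management: registration (Update Location /
Cancel Location) and mobile call delivery (routing number, paging).
Illustrative example; names and message formats are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class VLR:
    name: str
    records: dict = field(default_factory=dict)  # IMSI -> (serving MSC, location area)
    msrn_counter: int = 0

    def attach(self, imsi: str, msc: str, location_area: str) -> None:
        self.records[imsi] = (msc, location_area)

    def cancel_location(self, imsi: str) -> None:
        # HLR tells the old VLR to forget the subscriber after a move.
        self.records.pop(imsi, None)

    def provide_roaming_number(self, imsi: str) -> str:
        # Temporary routing number (MSRN) pointing at the serving MSC,
        # allocated per call and valid only during call setup.
        self.msrn_counter += 1
        msc, _ = self.records[imsi]
        return f"999-{self.msrn_counter:03d}@{msc}"


@dataclass
class HLR:
    subscribers: dict                      # MSISDN (dialled number) -> IMSI
    location: dict = field(default_factory=dict)  # IMSI -> serving VLR

    def update_location(self, imsi: str, new_vlr: VLR, trace: list) -> str:
        old = self.location.get(imsi)
        if old is not None and old is not new_vlr:
            trace.append(f"HLR -> {old.name}: Cancel Location({imsi})")
            old.cancel_location(imsi)
        self.location[imsi] = new_vlr
        trace.append(f"HLR -> {new_vlr.name}: OK (profile for {imsi})")
        return "OK"

    def send_routing_info(self, msisdn: str, trace: list) -> str:
        imsi = self.subscribers[msisdn]
        vlr = self.location[imsi]          # HLR only knows which VLR
        trace.append(f"HLR -> {vlr.name}: Provide Roaming Number({imsi})")
        msrn = vlr.provide_roaming_number(imsi)
        trace.append(f"{vlr.name} -> HLR -> GMSC: {msrn}")
        return msrn


def register(hlr: HLR, vlr: VLR, imsi: str, msc: str, la: str) -> list:
    """MS powers up or moves: MSC/VLR record it, VLR sends Update Location to HLR."""
    trace = [f"MS {imsi} -> BS -> {msc}/{vlr.name}: Location Update (LA {la})"]
    vlr.attach(imsi, msc, la)
    trace.append(f"{vlr.name} -> HLR: Update Location({imsi})")
    hlr.update_location(imsi, vlr, trace)
    return trace


def deliver_call(hlr: HLR, msisdn: str, cell_of_mobile: str) -> tuple:
    """GMSC receives a call for msisdn; returns (msrn, paged location area, trace)."""
    trace = [f"PSTN -> GMSC: call to {msisdn}",
             f"GMSC -> HLR: Send Routing Info({msisdn})"]
    msrn = hlr.send_routing_info(msisdn, trace)
    imsi = hlr.subscribers[msisdn]
    msc, la = hlr.location[imsi].records[imsi]
    trace.append(f"GMSC -> {msc}: SS7 call setup to {msrn}")
    # The MSC knows only the location area, so it pages every cell in it;
    # the exact cell is known only once the MS answers the page.
    trace.append(f"{msc} -> all BS in LA {la}: Page({imsi})")
    trace.append(f"MS answers page from cell {cell_of_mobile}; call connected")
    return msrn, la, trace


def demo() -> dict:
    hlr = HLR(subscribers={"404-894-2000": "IMSI-222"})
    vlr_a, vlr_b = VLR("VLR-A"), VLR("VLR-B")
    register(hlr, vlr_a, "IMSI-222", "MSC-A", "LA-17")        # power on at home
    move = register(hlr, vlr_b, "IMSI-222", "MSC-B", "LA-42")  # roams to MSC-B
    msrn, la, call = deliver_call(hlr, "404-894-2000", "cell-4203")
    return {"old_vlr_knows": "IMSI-222" in vlr_a.records,     # False after Cancel Location
            "hlr_points_to": hlr.location["IMSI-222"].name,
            "msrn": msrn, "paged_area": la,
            "move_trace": move, "call_trace": call}


if __name__ == "__main__":
    result = demo()
    for line in result["move_trace"] + result["call_trace"]:
        print(line)
```

Running it prints the two message traces; note that nothing in the HLR or VLR records ever holds a cell identity, which is the point the next slides make about location granularity.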
Security Moment - Location Granularity
• Commonly heard assertion: "The phone company knows exactly where all of their customers are located at every moment."
  • Virtually all phones are equipped with some type of GPS resolution.
• Is this true?
• What are the security implications?
• What services could be enabled?
Hierarchy of Location Information
[Figure: Phone Number → HLR (populated by Registration) → VLR/MSC (Registration, Temporary Routing #) → Paging; GMSC and SMSC query the HLR]
• Phone number resolves only to the subscriber's HLR.
• Registration gives the HLR a pointer to the serving VLR and the VLR the serving MSC; a temporary routing number is issued per call.
• Paging is what determines the current base station; the cell is not stored in the HLR or VLR.
E911
• Enhanced 911 (E911) delivers the caller's location to the Public Safety Answering Point (PSAP) serving that area: Phase I routes on the serving cell site and supplies the callback number; Phase II adds a position fix from the handset (A-GPS) or from network-based measurements.
• This is how you reach the appropriate 911 call center regardless of where you are traveling in North America.
• But what about the "Location On" vs. "E911 Only" options available on most phones?
  • "Location On" does not allow the phone company to constantly track you. It instead allows services within the network to use your GPS data when you initiate them (e.g., Verizon Navigator, Family Locator).
• The phone company simply cannot keep track of all the changes in location information at every moment!
Voice Path
[Figure: MS — BS — MSC (with VLR, HLR) — PSTN/ISDN; coded voice on the radio leg, full-rate voice (64 kbps) toward the PSTN/ISDN]
• This is under the assumption that the underlying network supports digital voice.
• What does that mean?
Analog vs Digital
• Phone systems are generally classified as either analog or digital.
• What exactly does that mean?
  • This is all about how data is represented and delivered through the network.
• Analog is the translation of voice/sound into electrical impulses.
  • Pure waveform representations of sounds.
• Digital is an approximation of this waveform, represented in 0s and 1s.
Analog vs Digital - Tradeoffs
• Analog
  • Inexpensive - think cheap home phones
  • Bandwidth constrained - very limited amount of data can be sent.
  • Noise - every link introduces noise, reduces clarity.
  • Security thoughts?
• Digital
  • Expensive - relatively speaking
  • Improved voice clarity - signal arrives exactly as approximated.
    • What about quality?
  • Higher bandwidth - compression of data.
Voice Encoding - GSM-FR/PCM/G.711
• Pulse Code Modulation (PCM) is the basis for GSM Full-Rate (GSM-FR) voice encoding.
• 8 kHz sampling (64 kbps PCM) reduced to 13 kbps using Regular Pulse Excitation - Long Term Prediction (RPE-LTP): each 20 ms block of 160 samples is coded into a 260-bit frame.
• Converted back to 64 kbps at the MSC (transcoder) prior to Release 4.
• Changes in the core towards Transcoder-Free Operation (TrFO) for all-IP.
[Figure: sender side, 20 ms / 160 samples → RPE-LTP encoder → 260-bit frame → RPE-LTP decoder → 160 samples / 20 ms at the receiver]
Air Interface Functions
• Control
  • read system parameters
  • authenticate
  • update location
  • receive and originate calls
  • manage handoffs
• Dedicated traffic
  • voice, data
• Shared traffic
  • messaging, data, signaling
Wireless Access Basics
• Frequency Division Multiple Access (FDMA):
  • Analog cellular - 1G
• Time Division Multiple Access (TDMA):
  • IS-54, IS-136, GSM - 2G
  • GPRS - 2.5G
• Code Division Multiple Access (CDMA):
  • IS-95 (cdmaOne) - 2G
  • IS-2000 (CDMA2000), WCDMA - 3G
FDD/TDD Modes for Forward/Reverse Channels
• Frequency Division Duplex (FDD)
  • Two distinct bands of frequency for each user (forward and reverse).
  • Frequency separation between forward and reverse is constant for all channels.
  • Reverse channel typically lower in frequency than the forward channel (lower path loss, so the mobile device can transmit at lower power).
• Time Division Duplex (TDD)
  • Each duplex channel has a forward timeslot and a reverse timeslot for bidirectional communication.
  • Simplifies subscriber equipment.
  • Rigid timing required for time-slotting.
Background - AMPS
• Advanced Mobile Phone System
  • Analog channels
  • Frequency Modulation (FM)
  • 1 channel per carrier (1 conversation)
[Figure: single FM conversation centered on carrier frequency f_c]
Background - TDMA
• Combination of FDMA and TDMA
• System operates within certain frequency bands
• Within system bands:
  • many carrier frequencies are defined
  • each carrier is divided into timeslots
  • a channel is defined by a set of time slots on a carrier frequency
• Forward (downlink) and reverse (uplink) channels use different carriers.
• Information is digitally coded.
TDMA Overview
[Figure: system bandwidth split by FDMA into carriers; each carrier split by TDMA into slots; one carrier/channel, one slot, one user]
• Co-channel interference
• Inter-symbol interference
• Capacity limited by number of carriers and slots.
TDMA
• A single carrier frequency is shared by several users.
• Data transmission occurs in bursts, resulting in lower battery consumption.
• High synchronization overhead is necessary because of burst transmissions.
• Discontinuous transmission also makes handoffs simpler, since the mobile device can listen to other base stations during idle time slots.
• Due to high transmission rates, inter-symbol interference is common and needs equalization.
GSM - Air Interface
• Let's get into the details of the most widely used air interface...
• The GSM air interface supports:
  • Call origination and termination
  • Registration (location update and authentication)
  • SMS
  • Mobile-assisted handoff
  • User confidentiality
  • Data confidentiality
  • Sleep mode
GSM Spectrum
• 50 MHz total (GSM 900 band)
  • Uplink and downlink split the bandwidth and use different frequencies
  • Reverse channel (uplink): 890-915 MHz
  • Forward channel (downlink): 935-960 MHz
• Carriers spaced at 200 kHz
  • Why is this?
Frequency Assignments
• FDMA/TDMA systems
  • Take advantage of frequency attenuation with distance
  • Key: split the spectrum into a set of frequencies (channels) and reuse frequencies in distant cells. Requires careful frequency planning.
• Fixed vs. dynamic allocation
  • Channels are typically assigned to cells in a fixed manner.
  • Fixed assignment is simple to implement, as base stations are independently and statically assigned their channels.
  • Dynamic channel assignment based on load is possible but is more complicated and requires real-time coordination between different base stations.
Frequency Reuse
• Cells typically modeled as hexagonal
  • Circles result in overlaps; squares/triangles are possible but give a poorer approximation of a circular coverage area.
• Each color represents a different set of carriers.
• Reuse factor F = 3 shown.
• For hexagonal cells: $F = i^2 + ij + j^2, \quad i \ge 1,\ j \ge 1$
• To find a co-channel cell, go i steps in one direction, turn 60° counter-clockwise and go j steps.
Example Capacity Calculation
• Assume the system can use all frequencies
  • System bandwidth = 50 MHz
  • System uses FDD => bandwidth per direction = 25 MHz
  • Carriers spaced at 200 kHz
• $N_{carr} = \frac{B_{sys}}{B_{carrier}} = \frac{25\ \text{MHz}}{200\ \text{kHz}} = 125$
• System capacity depends on the reuse factor and cell size.
Cell Capacity
• $N_{carr} = 125$, $N_{cell} = \lfloor N_{carr} / F \rfloor$
• F = 7: $N_{cell} = 17$
  • 8 channels per carrier (TDMA)
  • 136 channels/cell ($A_{cell}$)
  • Each cell has a capacity of 136 simultaneous voice calls
• F = 3: $N_{cell} = 41$
  • 8 channels per carrier
  • 328 channels/cell
System Capacity
• Network size = Z square miles; cell size = C square miles
• cells/network = Z/C
• Channels/network: $A_{net} = A_{cell} \cdot \frac{Z}{C}$
• Z = 1000, C = 10, F = 7: $A_{net}$ = 13,600
• Z = 1000, C = 10, F = 3: $A_{net}$ = 32,800
• Z = 1000, C = 25, F = 7: $A_{net}$ = 5,440
• Under ideal conditions, system capacity is inversely proportional to cell size and to the frequency reuse factor.
Capacity and Blocking
• Cellular systems rely on trunking to accommodate a large number of users with a limited number of channels.
  • Trunking exploits statistical multiplexing of large numbers of users (calls).
  • Think about lines at the bank.
• The system is engineered with enough channels to handle the peak-hour offered load at the given maximum blocking rate.
• Typically, blocking for new calls is maintained below 1%.
• To calculate blocking, we need to apply some queuing theory.
Performance: Blocking
[Figure: birth-death chain with states 0, 1, 2, ..., N (number of busy trunks); transitions n → n+1 at rate λ and n → n−1 at rate nμ; N trunks drawn as parallel servers each emptying at rate μ]
• Models call arrival rate λ, N trunks, mean holding time $1/\mu$
• A is the offered load in Erlangs: $A = \lambda / \mu$
• Erlang B blocking probability (all N trunks busy):
$$p_N = p_B = \frac{A^N / N!}{\sum_{i=0}^{N} A^i / i!} = \frac{(\lambda/\mu)^N / N!}{\sum_{i=0}^{N} (\lambda/\mu)^i / i!}$$
Cell Capacity Planning
• Based on spectrum allocation and frequency reuse patterns, calculate the number of channels available per cell.
• Based on user density, calling and holding patterns, calculate the load per cell in Erlangs.
• Use the Erlang B formula to calculate blocking given the load and number of channels.
Practice Problem
• Consider a system with 8 MHz total bandwidth and carrier frequencies of 160 kHz. Each carrier supports 3 voice channels using TDMA. If the frequency reuse factor F = 7 and the network covers 1,000 mi², determine the blocking probability on the air interface for a cell size of 1.0 mi², assuming that users make/receive a combined 3 calls/hour, calls last an average of 2.5 minutes and there are 10 users/mi².
Work Through It!
• 8 MHz total bandwidth = 4 MHz in each direction for full duplex (FDD)
• $\frac{4 \times 10^6}{160 \times 10^3} = 25$ carriers; with reuse factor 7: $\lfloor 25 / 7 \rfloor = 3$ carriers/cell
• 3 carriers/cell × 3 channels/carrier = 9 channels/cell
• Load: $A = \frac{\lambda}{\mu} = 10\ \tfrac{\text{users}}{\text{mi}^2} \times \text{Area}_{cell} \times 3\ \tfrac{\text{calls}}{\text{hour}} \times \tfrac{1\ \text{hour}}{60\ \text{mins}} \times 2.5\ \tfrac{\text{mins}}{\text{call}} = 1.25 \times \text{Area}_{cell}$
• For a 1.0 mi² cell, A = 1.25 Erlangs
• Use Erlang B with N = 9, A = 1.25
Last Part
$$p_N = p_B = \frac{A^N / N!}{\sum_{i=0}^{N} A^i / i!} = \frac{1.25^9 / 9!}{1.25^0 / 0! + 1.25^1 / 1! + \cdots + 1.25^9 / 9!} \approx 5.88 \times 10^{-6}$$
• The probability of being struck by lightning = 3.57 × 10⁻⁶.
• ...so a busy signal in this network is only about 1.6 times as likely as being struck by lightning: with 9 channels carrying 1.25 Erlangs, the cell is massively over-provisioned for the assumed load.
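The whole capacity-planning chain from the slides (spectrum → carriers → channels per cell under reuse → offered load → Erlang B blocking), carried through in Python as an added example; this is not code from the lecture. It reproduces the 125-carrier / 136- and 328-channel GSM example, the 1,000 mi² network totals, and the practice problem (N = 9, A = 1.25 Erlangs, p_B ≈ 5.88 × 10⁻⁶), and adds the planning inverse the slides describe in words: the smallest trunk group that meets a blocking target. Units are assumptions of the example: bandwidth in Hz, area in mi², call rate per hour, holding time in minutes.

```python
"""Cell capacity planning: carriers, channels per cell, Erlang load, Erlang B.
Added example (not from the slides); units: Hz, mi^2, calls/hour, minutes."""


def hex_reuse_factors(max_ij: int = 3) -> set:
    """Hexagonal reuse cluster sizes F = i^2 + i*j + j^2 (i, j >= 1 as on the slide)."""
    return {i * i + i * j + j * j
            for i in range(1, max_ij + 1) for j in range(1, max_ij + 1)}


def carriers(total_bw_hz: float, carrier_bw_hz: float, fdd: bool = True) -> int:
    """Number of carriers; FDD gives half the spectrum to each direction."""
    usable = total_bw_hz / 2 if fdd else total_bw_hz
    return int(usable // carrier_bw_hz)


def channels_per_cell(n_carriers: int, reuse: int, slots_per_carrier: int) -> int:
    """Carriers are divided among the F cells of a cluster; each carries TDMA slots."""
    return (n_carriers // reuse) * slots_per_carrier


def offered_load_erlangs(users_per_mi2: float, cell_area_mi2: float,
                         calls_per_hour: float, hold_minutes: float) -> float:
    """A = lambda / mu: calls per hour times mean holding time in hours."""
    return users_per_mi2 * cell_area_mi2 * calls_per_hour * hold_minutes / 60.0


def erlang_b(n_channels: int, load: float) -> float:
    """Erlang B blocking p_B = (A^N / N!) / sum_{i=0}^{N} A^i / i!.

    Uses the standard recursion B(n) = A*B(n-1) / (n + A*B(n-1)), which gives
    the same value as the closed form without overflowing N! for large N.
    """
    b = 1.0  # B(0): with zero trunks every call is blocked
    for n in range(1, n_channels + 1):
        b = load * b / (n + load * b)
    return b


def channels_for_blocking(load: float, target_pb: float) -> int:
    """Smallest N whose Erlang B blocking is at or below target_pb (planning inverse)."""
    n = 0
    while erlang_b(n, load) > target_pb:
        n += 1
    return n


def slide_example() -> dict:
    """50 MHz FDD, 200 kHz carriers, 8 slots/carrier, 1000 mi^2 network."""
    n_carr = carriers(50e6, 200e3)          # 125
    a7 = channels_per_cell(n_carr, 7, 8)    # 136 channels/cell at F = 7
    a3 = channels_per_cell(n_carr, 3, 8)    # 328 channels/cell at F = 3
    return {"n_carr": n_carr, "cell_f7": a7, "cell_f3": a3,
            "net_f7": a7 * (1000 // 10),    # C = 10 mi^2 cells
            "net_f3": a3 * (1000 // 10),
            "net_f7_c25": a7 * (1000 // 25)}


def practice_problem() -> dict:
    """8 MHz FDD, 160 kHz carriers, 3 slots/carrier, F = 7, 1 mi^2 cells,
    10 users/mi^2 making 3 calls/hour lasting 2.5 minutes."""
    n_carr = carriers(8e6, 160e3)                   # 25
    n = channels_per_cell(n_carr, 7, 3)             # 9 channels/cell
    a = offered_load_erlangs(10, 1.0, 3, 2.5)       # 1.25 Erlangs
    return {"channels": n, "load": a, "p_b": erlang_b(n, a),
            "min_channels_1pct": channels_for_blocking(a, 0.01)}


if __name__ == "__main__":
    print("valid hex reuse factors:", sorted(hex_reuse_factors()))
    print(slide_example())
    p = practice_problem()
    print(f"N={p['channels']} A={p['load']:.2f} Erlangs p_B={p['p_b']:.3e}; "
          f"1% blocking needs only N={p['min_channels_1pct']}")
```

The inverse function is what a planner (or someone sizing a system against a flooding or mass-calling scenario) actually wants: for the practice problem's 1.25 Erlangs, 5 channels already meet a 1% blocking target, so the 9 channels the spectrum allows are spare capacity.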