You have been warned: Abusing 5G's Warning and Emergency Systems
The Public Warning System (PWS) is an essential part of cellular networks and
a country's civil protection. Warnings can notify users of hazardous events
(e.g., floods, earthquakes) and crucial national matters that require immediate
attention. PWS attacks disseminating fake warnings or concealing precarious
events can have a serious impact, causing fraud, panic, physical harm, or
unrest to users within an affected area. In this work, we conduct the first
comprehensive investigation of PWS security in 5G networks. We demonstrate five
practical attacks that may impact the security of 5G-based Commercial Mobile
Alert System (CMAS) as well as Earthquake and Tsunami Warning System (ETWS)
alerts. In addition to identifying the vulnerabilities, we investigate two PWS
spoofing and three PWS suppression attacks, with or without a man-in-the-middle
(MitM) attacker. We discover that MitM-based attacks have a more severe impact
than their non-MitM counterparts. Our PWS barring attack is an effective
technique to eliminate legitimate warning messages. We perform a rigorous
analysis of the roaming aspect of the PWS, including its potentially secure
version, and report the implications of our attacks on other emergency features
(e.g., 911 SIP calls). We discuss possible countermeasures and note that
eradicating the attacks necessitates a scrupulous reevaluation of the PWS
design and a secure implementation.
Eavesdropping on GSM: state-of-affairs
In the almost 20 years since GSM was deployed, several security problems have
been found, both in the protocols and in the (originally secret)
cryptography. However, practical exploits of these weaknesses are complicated
because of all the signal processing involved and have not been seen much
outside of their use by law enforcement agencies.
This could change due to recently developed open-source equipment and
software that can capture and digitize signals from the GSM frequencies. This
might make practical attacks against GSM much simpler to perform.
Indeed, several claims have recently appeared in the media on successfully
eavesdropping on GSM. When looking at these claims in depth the conclusion is
often that more is claimed than what they are actually capable of. However, it
is undeniable that these claims herald the possibilities to eavesdrop on GSM
using publicly available equipment.
This paper evaluates the claims and practical possibilities when it comes to
eavesdropping on GSM, using relatively cheap hardware and open source
initiatives which have generated many headlines over the past year. The basis
of the paper is extensive experiments with the USRP (Universal Software Radio
Peripheral) and software projects for this hardware.
Comment: 5th Benelux Workshop on Information and System Security (WISSec
2010), November 201
Denial of service attacks and challenges in broadband wireless networks
Broadband wireless networks provide internet and related services to end users. The three most important broadband wireless technologies are IEEE 802.11, IEEE 802.16, and
Wireless Mesh Networks (WMN). Security attacks and
vulnerabilities vary amongst these broadband wireless networks because of differences in topologies, network operations and physical setups. Amongst the various security risks, the Denial of Service (DoS) attack is the most severe security threat, as DoS can compromise the availability and integrity of broadband
wireless networks. In this paper, we present DoS attack issues in broadband wireless networks, along with possible defenses and future directions.
xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs
In this paper we show how attackers can covertly leak data (e.g., encryption
keys, passwords and files) from highly secure or air-gapped networks via the
row of status LEDs that exists in networking equipment such as LAN switches and
routers. Although it is known that some network equipment emanates optical
signals correlated with the information being processed by the device
('side-channel'), intentionally controlling the status LEDs to carry any type
of data ('covert-channel') has never been studied before. Malicious code is
executed on the LAN switch or router, allowing full control of the status LEDs.
Sensitive data can be encoded and modulated over the blinking of the LEDs. The
generated signals can then be recorded by various types of remote cameras and
optical sensors. We provide the technical background on the internal
architecture of switches and routers (at both the hardware and software level)
which enables this type of attack. We also present amplitude- and frequency-
based modulation and encoding schemes, along with a simple transmission
protocol. We implement a prototype of an exfiltration malware and discuss its
design and implementation. We evaluate this method with a few routers and
different types of LEDs. In addition, we tested various receivers including
remote cameras, security cameras, smartphone cameras, and optical sensors, and
also discuss different detection and prevention countermeasures. Our experiment
shows that sensitive data can be covertly leaked via the status LEDs of
switches and routers at bit rates of 10 bit/sec to more than 1 Kbit/sec per
LED.