Analysis and Experimental Verification of Diameter Attacks in Long Term Evolution Networks

In cellular networks, the roaming interconnection was designed when there were only a few trusted parties and security was not a major concern or design criteria. Most of the roaming interconnections today are still based on the decades-old SS7 and the lack of security is being blamed for several vulnerabilities. Recent research indicates that the roaming interconnection has been widely misused for gaining access to the core network. Several attacks have been demonstrated by malicious attackers and other unauthorized entities such as intelligence agencies by exploiting the SS7 signaling protocol. Some operators moved to the more modern LTE (Long Term Evolution) and Diameter Signaling for high-speed data roaming and enhanced security. While LTE offers very high quality and resilience over the air security, it still requires special security capabilities and features to secure the core network against attacks targeting the roaming interconnection. This thesis analyses and identifies attacks that exploit the roaming interconnection and Diameter signaling used in LTE networks. The attacks are analyzed in accordance with the mobile network protocol standards and signaling scenarios. The attacks are also implemented in a test LTE network of a global operator. This thesis also focuses on potential countermeasures to mitigate the identified attacks

SECURITY MEASUREMENT FOR LTE/SAE NETWORK DURING SINGLE RADIO VOICE CALL CONTINUITY (SRVCC).

Voice has significant place in mobile communication networks. Though data applications have extensively gained in importance over the years but voice is still a major source of revenue for mobile operators. It is obvious that voice will remain an important application even in the era of Long Term Evolution (LTE). Basically LTE is an all-IP data-only transport technology using packet switching. Therefore, it introduces challenges to satisfy quality of service expectations for circuit-switched mobile telephony and SMS for LTE capable smartphones, while being served on the LTE network. Since 2013, mobile operators have been busy deploying Voice Over LTE (VoLTE). They are relying on a VoLTE technology called Single Radio Voice Call Continuity (SRVCC) for seamless handover between packet-switch domain to circuit-switch domain or vice versa. The aim of thesis is to review and identify the security measurement during SRVCC and verify test data for ciphering and integrity algorithm.fi=Opinnäytetyö kokotekstinä PDF-muodossa.|en=Thesis fulltext in PDF format.|sv=Lärdomsprov tillgängligt som fulltext i PDF-format

SECURITY MEASUREMENT FOR LTE/SAE NETWORK DURING SINGLE RADIO VOICE CALL CONTINUITY (SRVCC).

Voice has significant place in mobile communication networks. Though data applications have extensively gained in importance over the years but voice is still a major source of revenue for mobile operators. It is obvious that voice will remain an important application even in the era of Long Term Evolution (LTE). Basically LTE is an all-IP data-only transport technology using packet switching. Therefore, it introduces challenges to satisfy quality of service expectations for circuit-switched mobile telephony and SMS for LTE capable smartphones, while being served on the LTE network. Since 2013, mobile operators have been busy deploying Voice Over LTE (VoLTE). They are relying on a VoLTE technology called Single Radio Voice Call Continuity (SRVCC) for seamless handover between packet-switch domain to circuit-switch domain or vice versa. The aim of thesis is to review and identify the security measurement during SRVCC and verify test data for ciphering and integrity algorithm.fi=Opinnäytetyö kokotekstinä PDF-muodossa.|en=Thesis fulltext in PDF format.|sv=Lärdomsprov tillgängligt som fulltext i PDF-format

Analysis and Mitigation of Recent Attacks on Mobile Communication Backend

2014 aasta viimases kvartalis demonstreeriti mitmeid edukaid rünnakuid mobiilsidevõrkude vastu. Need baseerusid ühe peamise signaaliprotokolli, SS7 väärkasutamisel. Ründajatel õnnestus positsioneerida mobiilseadmete kasutajaid ja kuulata pealt nii kõnesid kui ka tekstisõnumeid. Ajal mil enamik viimase aja ründeid paljastavad nõrkusi lõppkasutajate seadmete tarkvaras, paljastavad need hiljutised rünnakud põhivõrkude endi haavatavust. Teadaolevalt on mobiilsete telekommunikatsioonivõrkude tööstuses raskusi haavatavuste õigeaegsel avastamisel ja nende mõistmisel. Käesolev töö on osa püüdlusest neid probleeme mõista. Töö annab põhjaliku ülevaate ja analüüsib teadaolevaid rünnakuid ning toob välja võimalikud lahendused. Rünnakud võivad olla väga suurte tagajärgedega, kuna vaatamata SS7 protokolli vanusele, jääb see siiski peamiseks signaaliprotokolliks mobiilsidevõrkudes veel pikaks ajaks. Uurimustöö analüüs ja tulemused aitavad mobiilsideoperaatoritel hinnata oma võrkude haavatavust ning teha paremaid investeeringuid oma taristu turvalisusele. Tulemused esitletakse mobiilsideoperaatoritele, võrguseadmete müüjatele ning 3GPP standardi organisatsioonile.In the last quarter of 2014, several successful attacks against mobile networks were demonstrated. They are based on misuse of one of the key signaling protocol, SS7, which is extensively used in the mobile communication backend for signaling tasks such as call and mobility management. The attackers were able to locate the mobile users and intercept voice calls and text messages. While most attacks in the public eye are those which exploits weaknesses in the end-device software or radio access links, these recently demonstrated vulnerabilities exploit weaknesses of the mobile core networks themselves. Understandably, there is a scramble in the mobile telecommunications industry to understand the attacks and the underlying vulnerabilities. This thesis is part of that effort. This thesis presents a broad and thorough overview and analysis of the known attacks against mobile network signaling protocols and the possible mitigation strategies. The attacks are presented in a uniform way, in relation to the mobile network protocol standards and signaling scenarios. Moreover, this thesis also presents a new attack that enables a malicious party with access to the signaling network to remove lost or stolen phones from the blacklist that is intended to prevent their use. Both the known and new attacks have been confirmed by implementing them in a controlled test environment. The attacks are serious because SS7, despite its age, remains the main signaling protocol in the mobile networks and will still long be required for interoperability and background compatibility in international roaming. Moreover, the number of entities with access to the core network, and hence the number of potential attackers, has increased significantly because of changes in regulation and opening of the networks to competition. The analysis and new results of this thesis will help mobile network providers and operators to assess the vulnerabilities in their infrastructure and to make security-aware decisions regarding their future investments and standardization. The results will be presented to the operators, network-equipment vendors, and to the 3GPP standards body

A Unified Mobility Management Architecture for Interworked Heterogeneous Mobile Networks

The buzzword of this decade has been convergence: the convergence of telecommunications, Internet, entertainment, and information technologies for the seamless provisioning of multimedia services across different network types. Thus the future Next Generation Mobile Network (NGMN) can be envisioned as a group of co-existing heterogeneous mobile data networking technologies sharing a common Internet Protocol (IP) based backbone. In such all-IP based heterogeneous networking environments, ongoing sessions from roaming users are subjected to frequent vertical handoffs across network boundaries. Therefore, ensuring uninterrupted service continuity during session handoffs requires successful mobility and session management mechanisms to be implemented in these participating access networks. Therefore, it is essential for a common interworking framework to be in place for ensuring seamless service continuity over dissimilar networks to enable a potential user to freely roam from one network to another. For the best of our knowledge, the need for a suitable unified mobility and session management framework for the NGMN has not been successfully addressed as yet. This can be seen as the primary motivation of this research. Therefore, the key objectives of this thesis can be stated as: To propose a mobility-aware novel architecture for interworking between heterogeneous mobile data networks To propose a framework for facilitating unified real-time session management (inclusive of session establishment and seamless session handoff) across these different networks. In order to achieve the above goals, an interworking architecture is designed by incorporating the IP Multimedia Subsystem (IMS) as the coupling mediator between dissipate mobile data networking technologies. Subsequently, two different mobility management frameworks are proposed and implemented over the initial interworking architectural design. The first mobility management framework is fully handled by the IMS at the Application Layer. This framework is primarily dependant on the IMS’s default session management protocol, which is the Session Initiation Protocol (SIP). The second framework is a combined method based on SIP and the Mobile IP (MIP) protocols, which is essentially operated at the Network Layer. An analytical model is derived for evaluating the proposed scheme for analyzing the network Quality of Service (QoS) metrics and measures involved in session mobility management for the proposed mobility management frameworks. More precisely, these analyzed QoS metrics include vertical handoff delay, transient packet loss, jitter, and signaling overhead/cost. The results of the QoS analysis indicates that a MIP-SIP based mobility management framework performs better than its predecessor, the Pure-SIP based mobility management method. Also, the analysis results indicate that the QoS performances for the investigated parameters are within acceptable levels for real-time VoIP conversations. An OPNET based simulation platform is also used for modeling the proposed mobility management frameworks. All simulated scenarios prove to be capable of performing successful VoIP session handoffs between dissimilar networks whilst maintaining acceptable QoS levels. Lastly, based on the findings, the contributions made by this thesis can be summarized as: The development of a novel framework for interworked heterogeneous mobile data networks in a NGMN environment. The final design conveniently enables 3G cellular technologies (such as the Universal Mobile Telecommunications Systems (UMTS) or Code Division Multiple Access 2000 (CDMA2000) type systems), Wireless Local Area Networking (WLAN) technologies, and Wireless Metropolitan Area Networking (WMAN) technologies (e.g., Broadband Wireless Access (BWA) systems such as WiMAX) to interwork under a common signaling platform. The introduction of a novel unified/centralized mobility and session management platform by exploiting the IMS as a universal coupling mediator for real-time session negotiation and management. This enables a roaming user to seamlessly handoff sessions between different heterogeneous networks. As secondary outcomes of this thesis, an analytical framework and an OPNET simulation framework are developed for analyzing vertical handoff performance. This OPNET simulation platform is suitable for commercial use

Private Identification, Authentication and Key Agreement Protocol with Security Mode Setup

Identification, authentication and key agreement protocol of UMTS networks with security mode setup has some weaknesses in the case of mutual freshness of key agreement, DoS-attack resistance, and efficient bandwidth consumption. In this article we consider UMTS AKA and some other proposed schemes. Then we explain the known weaknesses of the previous frameworks suggested for the UMTS AKA protocol. After that we propose a new protocol called private identification, authentication, and key agreement protocol (PIAKAP), for UMTS mobile network. Our suggested protocol combines identification and AKA stages of UMTS AKA protocol while eliminates disadvantages of related works and brings some new features to improve the UMTS AKA mechanism. These features consist of reducing the interactive rounds of the UMTS AKA with security mode setup and user privacy establishment

The Design of Efficient Internetwork Authentication for Ubiquitous Wireless Communications

A variety of wireless technologies have been standardized and commercialized, but no single solution is considered the best to satisfy all communication needs due to different coverage and bandwidth limitations. Therefore, internetworking between heterogeneous wireless networks is extremely important for ubiquitous and high performance wireless communications. The security problem is one of the major challenges in internetworking. To date, most research on internetwork authentication has focused on centralized authentication approaches, where the home network participates in each authentication process. For high latency between the home and visiting networks, such approaches tend to be inefficient. In this paper, we describe chained authentication, which requires collaboration between adjacent networks without involvement of the home network. After categorizing chained protocols, we propose a novel design of chained authentication methods under 3G-WLAN internetworking. The experiments show that proactive context transfer and ticket forwarding reduce the 3G authentication latency to 36.8% and WLAN EAP-TLS latency to 23.1% when RTT between visiting and home networks is 200 ms

On secure communication in integrated internet and heterogeneous multi-hop wireless networks.

Integration of the Internet with a Cellular Network, WMAN, WLAN, and MANET presents an exceptional promise by having co-existence of conventional WWANs/WMANs/WLANs with wireless ad hoc networks to provide ubiquitous communication. We call such integrated networks providing internet accessibility for mobile users as heterogeneous multi-hop wireless networks where the Internet and wireless infrastructure such as WLAN access points (APs) and base stations (BSs) constitute the backbone for various emerging wireless networks (e.g., multi-hop WLAN and ad hoc networks. Earlier approaches for the Internet connectivity either provide only unidirectional connectivity for ad hoc hosts or cause high overhead as well as delay for providing full bi-directional connections. In this dissertation, a new protocol is proposed for integrated Internet and ad hoc networks for supporting bi-directional global connectivity for ad hoc hosts. In order to provide efficient mobility management for mobile users in an integrated network, a mobility management protocol called multi-hop cellular IP (MCIP) has been proposed to provide a micro-mobility management framework for heterogeneous multi-hop network. The micro-mobility is achieved by differentiating the local domain from the global domain. At the same time, the MCIP protocol extends Mobile IP protocol for providing macro-mobility support between local domains either for single hop MSs or multi-hop MSs. In the MCIP protocol, new location and mobility management approaches are developed for tracking mobile stations, paging, and handoff management. This dissertation also provides a security protocol for integrated Internet and MANET to establish distributed trust relationships amongst mobile infrastructures. This protocol protects communication between two mobile stations against the attacks either from the Internet side or from wireless side. Moreover, a secure macro/micro-mobility protocol (SM3P) have been introduced and evaluated for preventing mobility-related attacks either for single-hop MSs or multi-hop MSs. In the proposed SM3P, mobile IP security has been extended for supporting macro-mobility across local domains through the process of multi-hop registration and authentication. In a local domain, a certificate-based authentication achieves the effective routing and micro-mobility protection from a range of potential security threats