SecMDC: Secure Mobile Data Charging in 3G/4G Cellular Networks

WiNG Lab@UCLA ; MSSN Lab@Purdue

What's New

June 2021: Mobile data charging for cellular IoT (C-IoTs) accepted by MobiCom'21.
Aug 2017: Prof Peng moved to CS@Purdue.
Oct 2016: Chunyi was interviewed by a TV program by Fox 25 (Boston) regarding overcharging in US carrier networks. Watch Here
March 2016 : We released a Do-It-Yourself demo, HackCellular, which allows you to replay several attacks identified in our research projects. It would be fun to learn real threats in real networks. Surely, please attack against your own phone only!
Oct 2015 : Our study in VoLTE security disclosed two attacks against MDC: free data access and overbilling. In the former, mobile devices use VoLTE control sessions (designed to carry VoLTE control signaling messages) to carry ordinary data traffic and in the latter, a mobile device sends data through its VoLTE interface to another victim phone through its normal data interface. More details can be found in here .
Nov 2014: We conducted small-scale experiments in two US carriers and validated identified vulnerabilities before Oct 2014. We reported our findings to both carriers and worked with them to fix the authentication problem. In Nov 2014, both carriers have performed nationwide infrastructure update by disabling IP spoofing.

Research Goals

This project investigate security implications of mobile data charging, one essential operation to mobile network carriers and users. Our overall research has two main thrusts. The first is to identify security loopholes in the MDC system. We further devise novel attacks that exploit such loopholes and validate them via experiments in operational cellular carriers. The second is to devise defenses that protect from such attacks. These solutions call for concerted effort between the network infrastructure and the mobile device.

Vulnerability Analysis

A secure MDC should ensure that the right user is charged to the right data volume that (s)he has agreed to consume. That is, it should meet three requirements:

1. [Authentication] The user being billed for the given data transfer must be the one who actually does the transfer. MDC must authenticate the user who consumes the actual data usage.
2. [Authorization] The data usage and its associated charge should be with the user?s consent. A user should only pay for those authorized data services, but not the spam from attackers.
3. [Accounting volume] The volume should be accurate. The recorded volume should be identical to that transferred at the user device.

Unfortunately, we identified three vulnerabilities along all three AAA dimensions: authentication bypass, authorization frauds and inaccurate accounting volumes.

L1. authentication bypass : authentication for MDC counts on inherent user authentication and IP address allocation. It indeed ensures that IP address is allocated to an authenticated, specific user. However, the current practice may not ensure its secure binding with its mobile charging ID, so that MDC may use a wrong IP address to determine who should be charged. A specific violation is that IP spoofing was allowed in real 4G/3G networks and some carriers used the spoofable IP address to determine who should be charged.

Figure 1: current authentication solution (a, left) and authentication bypass loophole in MDC (b, right).
As shown in Figure 1(a), the current 3G/4G networks adopts user authentication (Step 1) and IP address authentication (Step 2). The baseline user authentication (Step 1) is ensured through the Authentication and Key Agreement (AKA) procedure. Once completed, IP address authentication (Step 2) is performed through this secure connection during the bearer activation process. A bearer is used for subsequent data transfer. It is carried by an underlying GTP-U (GPRS Tunneling Protocol-User Plane) tunnel. During this process, an IP address is allocated by the gateway, to the UE through this secure connection. Consequently, the IP address is authenticated with the UE. Such IP address authentication is mandatory in cellular networks. This is a key difference from the Internet, where such authentication is rarely required.
However, though cellular networks indeed perform control-plane authentication when assigning an IP address, enforcement of the assigned, authentic IP address may be missing in packet delivery on the data plane. The prior authentication is circumvented when a forged IP address is embedded in the data packet, as shown in Figure 1(b). A malicious user can spoof the source IP address to fool MDC which further associates its charging only based on the packet header. In a word, the current solution lacks secure cross-layer binding.

L2. authorization frauds : we find that the current practice did a great job for outbound traffic from the mobile devices, but have limited control on inbound traffic. In fact, the network side deploy firewalls or NATs or border gateways for access control of incoming traffic. However, the current practice leaves the control to the core network only, regardless of whether the connection is tore down or never wanted on the mobile device. By this sense, the network determined whether the traffic should be allowed and push them to the mobile device even without their consent in certain cases.
Figure 2: current authorization solution for inbound traffic (a, left) and authorization frauds in MDC (b, right).
The authorization for MDC concerns charging actions with or without user content. In 3G/4G networks, it varies for two types of data transfer: inbound and outbound. The outbound transfer is authorized through implicit user consent based on authentication. Packets from the authenticated device are sufficient to signify that the UE authorizes the data transfer and its charging. In inbound data transfer, the UE is at the last hop to receive data and charging is already performed upstream. The current practice takes implicit authorization though deploying firewalls and NATs, and even border gateways at the border to the Internet. The incoming traffic is allowed to pass through only when it matches a valid mapping, which is set by an outgoing and ?already-authorized? data stream, as shown in Figure 2(a).
However, no proper authorization is in place for the inbound transfer. The current practice is to invoke onetime authorization only at the start, but apply soft-state renewal by data packets during actual transfer. For example, when an inbound packet arrives at NAT, the mapping between its IP address and the port number remains valid until timeout (e.g., 5 minutes). However, once the access is granted, it is largely beyond user control. By exploit the ?non-expiring authorization,? as illustrated in Figure 2(b), the attacker can inject spamming packets to the victim device. In this process, we make use of popular mobile applications (e.g., VoIP, MMS) that allow push-based communication model and perform automatic background operations. This feature can also be exploited to trap the victim. Here, we disclose two examples using IP spoofing and MMS. More examples can be found in our previous CCS'12 work.

L3. Inaccurate accounting volume : our study revealed that the current practice takes an open-loop view where the core gateway performs data accounting no matter whether the packets have been delivered to the end devices. As shown in Figure 3, any packets will be "overcharged" if they are counted but not delivered to the end devices. Here, we presents a TTL-based attack. Given a specific TTL, malicious data packets could be able to arrive at the core gateway for data accounting but never arrive at the end devices for data transfer. Mobile users will be charged for data that never been received.
Figure 3: current accounting solution (top) and possible inaccurate accounting with intended or unintended packet loss (bottom)

Demos

We have video demos on all the above loopholes and attacks that exploit them.

The below demo shows that you could gain free uplink data access by exploiting the authentication bypass loophole. It was feasible before Nov 2014 and now it has been fixed by disabling IP spoofing in mobile carrier networks.

Due to its threatening damages, other attack demos will be available only upon requests.

We have developed an all-in-one-demo, called HackCellular, which allows you to attack your own phones and repeat the identified threats in our recent work. Source codes can be found in the link. The below is its video demo which records three attacks. The first one is TTL attack disclosed in this project.

Publications

[1] Can We Pay for What We Get in 3G Data Access?
Chunyi Peng, Guan-hua Tu, Chi-yu Li, Songwu Lu, Mobicom'12, Aug. 2012. [PDF] [slide]

[2] Mobile Data Charging: New Attacks and Countermeasures
Chunyi Peng, Chi-yu Li, Guan-hua Tu, Songwu Lu, Lixia Zhang, CCS'12, Oct. 2012. [PDF] [slide]

[3] Accounting for Roaming Users on Mobile Data Access: Issues and Root Causes
Guan-hua Tu, Chunyi Peng, Chi-yu Li, Xingyu Ma, Hongyi Wang, Tao Wang, Songwu Lu, MobiSys'13, Taipei, Taiwan, June 2013. [PDF] [Slide]

[4] Real Threats to Your Data Bills: Security Loopholes and Defense in Mobile Data Charging
Chunyi Peng, Chiyu Li, Hongyi Wang, Guanhua Tu, Songwu Lu, CCS'14 , Scottsdale, Arizona, Nov. 2014. [PDF] [Slide ]

[5] Hidden Costs of Mobile Data Access in Cellular Networks
Zehui Li, Chunyi Peng, Yunxin Liu, LANMAN'14 , (Invited Paper), 2014. [ PDF]

[6] Insecurity of Voice Solution VoLTE in LTE Mobile Networks
Chiyu Li, Guanhua Tu, Chunyi Peng, Zengwen Yuan, Yuanjie Li, Songwu Lu, Xinbing Wang, CCS'15 , Denver, Colorado, Oct. 2015. [PDF]

[7] How can IoT services pose new security threats in operational cellular networks?
Tian Xie, Guan-Hua Tu, Chi-Yu Li, Chunyi Peng, IEEE Transactions on Mobile Computing , 20 (8), 2592-2606, 2020.

[8] Insecurity of Operational Cellular IoT Service: New Vulnerabilities, Attacks, and Countermeasures
Sihan Wang, Guan-Hua Tu, Xinyu Lei, Tian Xie, Chi-Yu Li, Po-Yi Chou, Fucheng Hsieh, Yiwen Hu, Li Xiao, Chunyi Peng, MobiCom'21 , April 2022. [PDF]

Team Members

Chunyi Peng(Faculty, Purdue)
Songwu Lu (Faculty, UCLA)
Chi-Yu Li (Postdoc (2014-2015) UCLA)
Guan-Hua Tu (Postdoc (2015-2016), UCLA)
Note: Hongyi Wang (UCLA), Zhuoran Li (OSU) and Jiaqi Xu (OSU) participated in this project.

Research Support

We gratefully acknowledge research support from NSF under grants CNS-1421933 (–> CNS-1753500) and CNS-1422835, as well as the departmental support from Purdue and OSU.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.