Real Threats to Your Data Bills
– Security Loopholes and Defenses in Mobile Data Charging
Chunyi Peng
The Ohio State University
chunyi@cse.ohio-state.edu
Chi-Yu Li, Hongyi Wang, Guan-Hua Tu, Songwu Lu
University of California, Los Angeles
{lichiyu,hywang,ghtu,slu}@cs.ucla.edu
ABSTRACT
Secure mobile data charging (MDC) is critical to cellular network
operations. It must charge the right user for the right volume that
(s)he authorizes to consume (i.e., requirements of authentication,
authorization, and accounting (AAA)). In this work, we conduct
security analysis of the MDC system in cellular networks. We find
that all three can be breached in both design and practice, and iden-
tify three concrete vulnerabilities: authentication bypass, autho-
rization fraud and accounting volume inaccuracy. The root causes
lie in technology fundamentals of cellular networks and the Internet
IP design, as well as imprudent implementations. We devise three
showcase attacks to demonstrate that, even simple attacks can eas-
ily penetrate the operational 3G/4G cellular networks. We further
propose and evaluate defense solutions.
Categories and Subject Descriptors
C.2.0 [Computer-Communication Networks]: General—Se-
curity and protection; C.2.1 [Computer-Communication Net-
works]: Network Architecture and Design—Wireless Communi-
cation
Keywords
Cellular Networks; Mobile Data Services; Authentication, Autho-
rization, Accounting (AAA); attack; defense
1. INTRODUCTION
Mobile data services are getting increasingly popular, thanks to
the proliferation of smartphones and tablets, as well as the rapid
deployment of the third-generation/fourth-generation (3G/4G) cel-
lular networks. Global mobile data traffic grew 81% in 2013 and is
projected to increase 11-fold in the following five-year span [16].
This is contributed by 2.1 billion mobile Internet users world-
wide (by 2013 June), including 299 million 3G/4G broadband sub-
scribers (95% of inhabitants) in the US [25].
Convenient mobile data access does come with cost for users.
Most cellular operators charge mobile users based on their con-
sumed data volume [8, 32]. Mobile users pay for the data usage
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full cita-
tion on the first page. Copyrights for components of this work owned by others than
ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re-
publish, to post on servers or to redistribute to lists, requires prior specific permission
and/or a fee. Request permissions from permissions@acm.org.
CCS’14, November 3–7, 2014, Scottsdale, Arizona, USA.
Copyright 2014 ACM 978-1-4503-2957-6/14/11 ...$15.00.
http://dx.doi.org/10.1145/2660267.2660346 .
at a preset price within certain volume cap, or in the pay-per-use
manner. For example, AT&T, a Tier-1 US carrier, charges $20 for
300MB per month for domestic access and about 2¢ per KB during
international travels [10]. This volume-based charging scheme is
not adopted without rationale. The radio spectrum is scarce and ex-
pensive (in spectrum licensing [20]), and wireless speed is bounded
by Shannon channel capacity. The explosive growth of mobile data
traffic further justifies the metered charging.
Undoubtedly, a well-designed and properly-operated mobile data
charging (MDC) system is critical to cellular networks. It not only
safeguards the multi-trillion revenue of global operators, but also
protects the monetary rights of billions of mobile users. To enable
metered charging, the key is to collect how much data is actually
used by which mobile user when (s)he agrees to. A secure MDC
should meet three requirements:
1. [Authentication] The user being billed for the given data
transfer must be the one who actually does the transfer.
MDC must authenticate the user who consumes the actual
data usage.
2. [Authorization] The data usage and its associated charge
should be with the user’s consent. A user should only pay
for those authorized data services, but not the spam from at-
tackers.
3. [Accounting volume] The volume should be accurate. The
recorded volume should be identical to that transferred at the
user device.
At first glance, it appears straightforward to meet the above re-
quirements. The MDC method is officially stipulated by the 3GPP
specification [3]. It is performed inside the cellular core network.
Whenever a data session is initiated with the mobile device, the
traffic from/to the mobile device traverses the cellular gateways
(akin to edge routers or switches in the Internet) to reach the des-
tination. The gateway counts the payload of observed data packets
for each mobile data session as the volume. It further associates
this volume with the user who initializes and uses this data ses-
sion. Given user authentication, the network is capable of inferring
who uses this data session. To prevent unauthorized access, cellu-
lar operators also deploy firewalls and network address translators
(NATs) to shield mobile devices from the traffic types of no inter-
est. While recent studies [21, 22, 27, 28, 36] have reported various
cases on accounting volume inaccuracy, the two aspects of authen-
tication and authorization still look bullet-proof. They seem almost
impossible to go wrong. Anyway, authentication and authorization
have been well studied in the security community, and their solu-
tions to cellular networks have been generally successful to date.
However, MDC is not as secure as anticipated. We discover that,
it is also vulnerable in authentication and authorization. Charging
actions may be taken upon the wrong user, or on data that the cellu-
剩余11页未读,继续阅读
资源评论
