TRANSCRIPT
Security Threats and Challenges of the IoT Over Mobile Networks
Roger Piqueras Jover – Wireless Security Research Scientist / Security Architect – Bloomberg LP
International Wireless Industry Consortium (IWPC) Internet of Things workshop – San Jose CA, November 2015
About me
• Wireless Security Researcher (aka Security Architect) at Bloomberg LP
• Former (5 years) Principal Member of Technical Staff at AT&T Security Research
• Mobile/wireless network security research
– LTE security and protocol exploits
– Advanced radio jamming
– Control plane signaling scalability in mobile networks
– 5G mobile networks
• More details
– http://www.ee.columbia.edu/~roger/
Mobile network security
• Traditionally thought of at the app layer
– Certificates
– Encryption
– SSL
– Recent examples
• iOS SSL bug
• Android malware
• XcodeGhost iOS infected apps
Mobile network security
(Figure: evolution of mobile network security)
– “Old” encryption, device authentication
– Strong encryption, mutual authentication
– Stronger encryption, mutual authentication
Basic security principles
• Confidentiality – protecting user data
• Authentication
• Availability – mobile connectivity availability against security threats
The first mobile networks were not designed with a strong security focus (no support for encryption in 1G!!!)
Summary for today
IoT security threats and challenges over mobile networks
• Device (UE) threats
– Mainly a problem for the device manufacturer and IoT service provider
– Sophisticated jamming, LTE protocol exploits, battery drainage, location leaks, etc.
• Network challenges and threats
– Mainly a problem for the network operator
– Control plane signaling, device population growth scalability, etc.
IoT over LTE mobile networks
LTE Cell Selection and Connection
(Figure: Power up → Cell Search Procedure → Decode PBCH → Obtain System Configuration → Idle → Random Access (RACH) → Radio Access Bearer → Connected (user traffic))
• System configuration
– Decode Master Information Block (MIB) from PBCH
– Decode System Information Blocks (SIBs) from PDSCH
Low-power jamming
LTE frame
Downlink jamming
(Figure: LTE signal (10 MHz) vs. DL broadcast messages on the PBCH (1.08 MHz))
Jamming gain (vs basic jamming) ≈ 10 dB
© 2015 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
Uplink low-power jamming
Jamming this portion of the spectrum results in a total cell/sector DoS
Jamming gain (vs basic jamming) up to ~27 dB
(Jam an entire cell with less tx power than a smartphone!!!)
Sniffing base station configuration
Time: 00:02:10.087204 Frame: 93 Subframe: 0
BCCH-BCH-Message
  message
    dl-Bandwidth: n50
    phich-Config
      phich-Duration: normal
      phich-Resource: one
    systemFrameNumber: {8 bits|0x17}
    spare: {10 bits|0x0000|Right Aligned}
LTE PBCH MIB packet
Sniffing base station configuration
Time: 00:02:10.102204 Frame: 94 Subframe: 5
BCCH-DL-SCH-Message
  message
    c1
      systemInformationBlockType1
        cellAccessRelatedInfo
          plmn-IdentityList
            PLMN-IdentityInfo
              plmn-Identity
                mcc
                  MCC-MNC-Digit: 3
                  MCC-MNC-Digit: 1
                  MCC-MNC-Digit: 0
                mnc
                  MCC-MNC-Digit: 4
                  MCC-MNC-Digit: 1
                  MCC-MNC-Digit: 0
              cellReservedForOperatorUse: reserved
          trackingAreaCode: {16 bits|0x2713}
          cellIdentity: {28 bits|0x0075400F|Right Aligned}
          cellBarred: notBarred
          intraFreqReselection: allowed
          csg-Indication: false
        cellSelectionInfo
          q-RxLevMin: -60
        freqBandIndicator: 17
        schedulingInfoList
          SchedulingInfo
            si-Periodicity: rf8
            sib-MappingInfo
              SIB-Type: sibType3
        si-WindowLength: ms10
        systemInfoValueTag: 11
  Padding
Callouts on the slide:
– Mobile operator: plmn-Identity (MCC 310, MNC 410)
– Cell ID: cellIdentity
– RX power to select that cell: q-RxLevMin
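As an added example (not code from the talk or from Sanjole's capture tool), the decoder below unpacks the 24-bit MIB shown on the PBCH slide and converts the SIB1 q-RxLevMin value into dBm; the field order and widths follow the Rel-8 MasterInformationBlock encoding, and the packed hex string is constructed from the field values on the slide.

```python
"""Decoder for the 24-bit LTE MIB carried on the PBCH (3GPP TS 36.331, Rel-8 layout).

Added example, not from the presentation. Unaligned-PER field order and widths:
  dl-Bandwidth (3 bits) | phich-Duration (1) | phich-Resource (2) |
  systemFrameNumber (8) | spare (10)
"""

DL_BANDWIDTH = ["n6", "n15", "n25", "n50", "n75", "n100"]  # in resource blocks
PHICH_DURATION = ["normal", "extended"]
PHICH_RESOURCE = ["oneSixth", "half", "one", "two"]

# Constructed sample: the field values of the captured MIB on the slide
# (n50, normal, one, SFN bits 0x17, spare 0) packed into 24 bits.
SAMPLE_MIB_HEX = "685C00"


def _bits(value: int, width: int) -> str:
    return format(value, f"0{width}b")


def decode_mib(mib_hex: str) -> dict:
    """Parse a 6-hex-digit MIB into its fields; raises on malformed input."""
    raw = bytes.fromhex(mib_hex)
    if len(raw) != 3:
        raise ValueError("MIB must be exactly 24 bits")
    b = "".join(_bits(byte, 8) for byte in raw)
    bw_idx = int(b[0:3], 2)
    if bw_idx >= len(DL_BANDWIDTH):
        raise ValueError(f"dl-Bandwidth index {bw_idx} is not a valid enum value")
    sfn_msb = int(b[6:14], 2)
    return {
        "dl-Bandwidth": DL_BANDWIDTH[bw_idx],
        "phich-Duration": PHICH_DURATION[int(b[3], 2)],
        "phich-Resource": PHICH_RESOURCE[int(b[4:6], 2)],
        "systemFrameNumber": sfn_msb,  # the 8 MSBs of the 10-bit SFN
        "spare": int(b[14:24], 2),
        # The 2 SFN LSBs come from the PBCH 40 ms timing, not the MIB payload,
        # so the MIB alone narrows the frame to four candidates (92..95 here,
        # consistent with "Frame: 93" in the capture).
        "sfn_candidates": [sfn_msb * 4 + lsb for lsb in range(4)],
    }


def q_rxlevmin_dbm(q_rxlevmin: int) -> int:
    """SIB1 q-RxLevMin is signalled in units of 2 dB; -60 on the slide is -120 dBm."""
    return q_rxlevmin * 2
```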
Sniffing base station configuration
LTE PDSCH SIB2/3 packet, carrying:
– RACH config
– Paging config
– User traffic config
– RRC timers
– Etc…
LTE protocol exploits
LTE NAS Attach procedure
Unencrypted and unprotected. I can sniff these messages and I can transmit them pretending to be a legitimate base station.
Other things sent in the clear:
• Measurement reports (CQI)
• HO related messages
• Paging messages
• A long list of others
LTE protocol exploits
• Man in the Middle (MitM) rogue base stations in LTE are NOT possible
– Strong encryption and mutual authentication
• LTE rogue base stations are possible
– Spoof all messages up to the authentication process (or other messages: paging, etc)
• IMSI catching
• Battery drain
• Bricking or blocking the device and/or the SIM card
– Sniffing unprotected traffic
• Location leaks
• Follow a device as it hands over from eNodeB to eNodeB
• Estimate traffic load and time characteristics of a device
• LTE rogue base station prototyping
– Software radio platforms – USRP, RTL-SDR, etc
– Open source LTE implementations – OpenLTE, grLTE, etc
IoT scalability and control plane signaling overloads
RRC state machine
(Figure: Idle → Connected, Connected → Idle)
RRC state transitions require a large amount of control plane signaling at the EPC
Control plane signaling spikes
• The traffic characteristics of IoT devices are very different from those of smartphones
• Different types of IoT behave very differently
– Security camera reporting a picture every 5 minutes
– Vending machine only sending a message when it is low on supplies
– Medical IoT transmitting a constant stream of data
– Connected car
• On-board systems + Infotainment + WiFi hotspot over LTE
• Recent instances of control plane signaling overloads in the wild
– Chatty apps: an IM app checking for new messages frequently caused havoc in a major US operator [FierceWireless – Oct’10]
– Signaling spike causes an outage for 3 million customers of the 6th largest operator in the world [Light Reading – Sep’11]
– Ads in a popular app caused severe signaling spikes [iWire – June’11]
– Etc
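As an added illustration (not from the talk) of why the device mix matters for EPC signaling load: a constructed model that counts idle-to-connected RRC transitions for a per-cell device mix and compares the average rate with the worst one-second bucket when clock-aligned devices report together. The device counts, reporting periods and the inactivity timer value are assumptions.

```python
"""Constructed model of idle<->connected RRC transition load from an IoT device
mix (added example, not from the presentation). Each transition costs the EPC a
burst of control-plane messages; a device only triggers one when its reporting
period exceeds the RRC inactivity timer, otherwise it simply stays connected."""

from collections import Counter

# Constructed per-cell device mix; periods follow the behaviours the talk lists.
DEVICE_MIX = [
    # (name, device count, report period in seconds, fires on the clock boundary?)
    ("security camera", 2000, 300, True),    # picture every 5 minutes, all aligned
    ("vending machine", 500, 86400, False),  # rare report at a random time of day
    ("medical stream", 50, 1, False),        # constant stream: never drops to idle
]
RRC_INACTIVITY_TIMER_S = 10  # assumed value; set by the operator


def transitions_per_second(mix, inactivity_timer=RRC_INACTIVITY_TIMER_S):
    """Average idle->connected transition rate per second for the whole mix."""
    rate = 0.0
    for _, count, period, _ in mix:
        if period > inactivity_timer:
            rate += count / period
    return rate


def peak_transitions_in_window(mix, window_s=1, horizon_s=3600,
                               inactivity_timer=RRC_INACTIVITY_TIMER_S):
    """Worst window over the horizon when clock-aligned devices fire together."""
    buckets = Counter()
    for _, count, period, aligned in mix:
        if period <= inactivity_timer:
            continue
        if aligned:
            # every aligned device of this type connects in the same window
            for t in range(0, horizon_s, period):
                buckets[t // window_s] += count
        else:
            # unaligned devices are spread evenly: add their average share per window
            for t in range(0, horizon_s, window_s):
                buckets[t // window_s] += count * window_s / period
    return max(buckets.values())


def spike_ratio(mix):
    """How far the worst second exceeds the average: the 'signaling spike' factor."""
    return peak_transitions_in_window(mix) / transitions_per_second(mix)
```

The average for this mix is under 7 transitions per second, yet the aligned cameras produce a 2000-transition burst every 5 minutes, which is the shape of the spikes the slide describes.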
M2M scalability
Jermyn, J., Jover, R. P., Murynets, I., Istomin, M., & Stolfo, S. (2015, June). Scalability of Machine to Machine systems and the Internet of Things on LTE mobile networks. In 2015 IEEE 16th International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM) (pp. 1-9). IEEE.
Botnet of infected IoT devices
(Figure: botnet of infected IoT devices and the mobile core (EPC))
IoT security – VERY IMPORTANT
• IoT embedded device hacks presented at security conferences
• Reverse engineering of IoT devices and communication
Wrapping up…
• Focus of mobile network security commonly at the app layer
• Mobile/wireless security at the lower layers
– RAN
• Advanced low-power jamming
• Protocol exploits – rogue base stations, location leaks, potential bricking of the SIM/device, etc
– EPC
• Control plane signaling scalability and overloads
• Big challenge for mobile operators with the IoT
Thanks!
Q&A
More information: http://www.ee.columbia.edu/~roger/
Big THANK YOU to Sanjole for providing the captures used in this presentation. Captures taken in Honolulu HI.