Security analysis of networking elements in cellular core networks

The evolution of cellular networks has enabled a large number of users to enjoy cellular services. As cellular services play an important role in our daily lives, various security problems, such as location tracking, privacy leaks, fraud, and denial-of-service (DoS), have also attracted attention. These security problems may not only cause serious damage to users but also create economic and social disarray. Therefore, these security issues should be analyzed, discovered, and addressed in advance. In this dissertation, we conduct security analyses to analyze, discover, and address critical security problems for three networking elements in cellular core networks: middleboxes, charging systems, and roaming systems. First, we investigate the impact of adding IPv6 to cellular networks. With the introduction of IPv6, cellular middleboxes, such as firewalls for preventing malicious traffic from the Internet and stateful NAT64 boxes for providing backward compatibility with legacy IPv4 services, have become crucial to maintaining the stability of cellular networks. We analyze the security problems of the IPv6 middleboxes currently deployed by five major operators. To this end, we first investigate several key features of the current IPv6 deployment that can harm the safety of a cellular network as well as its customers. These features, combined with the currently deployed IPv6 middleboxes, allow an adversary to launch six different attacks. The firewalls in IPv6 cellular networks fail to block incoming packets properly. Thus, an adversary could fingerprint cellular devices by scanning, and further, she could launch denial-of-service or over-billing attacks.
Furthermore, the vulnerabilities in the stateful NAT64 box (a middlebox that maps an IPv6 address to an IPv4 address, and vice versa) allow an adversary to launch three different attacks: 1) a NAT overflow attack that allows an adversary to overflow the Network Address Translator (NAT) resources, 2) a NAT wiping attack that removes the active NAT mappings by exploiting the lack of Transmission Control Protocol (TCP) sequence number verification in firewalls, and 3) a NAT bricking attack that targets services adopting IP-based blacklisting by preventing the shared external IPv4 addresses from accessing the service. We confirmed the feasibility of these attacks with an empirical analysis. We also propose effective countermeasures for each attack. Next, we focus on charging systems in cellular networks. The current charging systems have two major limitations: 1) the charging system is located in the middle of the end-to-end communication, and 2) only the header information of the protocol is used as accounting information due to performance issues. Because these limitations make it difficult to handle charging problems occurring at each end point, poorly considered charging policies may sometimes lead to a free-riding attack, which enables an adversary to use the cellular data service for free. For this reason, we analyze the data charging policies and mechanisms for protocols and applications. The analysis shows that none of the operators in South Korea charged for the payload of Internet Control Message Protocol (ICMP) echo request/reply messages or for the payload attached to TCP-SYN and TCP-RST packets. In addition, the operators only utilize IP addresses to verify whether the traffic comes from the expected application. By misusing these findings and taking NAT in IPv4 cellular networks into account, we validate the feasibility of free-riding attacks with empirical experiments and propose effective countermeasures.
Finally, we examine the roaming systems in cellular networks. As cellular networks have been widely deployed by many operators in different countries, and obtaining access to the roaming networks has become easier than before, these networks are no longer trusted or closed. Several studies have since revealed a number of major vulnerabilities in the roaming networks; however, no prior study has conducted a comprehensive security analysis of the cellular roaming networks. For this reason, we comprehensively examine the security problems of the cellular roaming networks. In the examination, we categorize and describe the security threats in the cellular roaming networks under the assumption that an adversary has access to the roaming networks. The threats are categorized into five cases: 1) information leak, 2) fraud, 3) DoS, 4) location tracking, and 5) interception. Then, we analyze the Mobile Application Part (MAP) and Diameter messages related to the security issues, and identify the critical security problems. With the security problems identified for the analyzed messages, we implement a security measurement framework, and validate that the framework works well by conducting a measurement on a testbed of roaming networks. Furthermore, we propose effective countermeasures that can mitigate the discovered problems. In summary, from the security analysis of middleboxes, we find that the transition to IPv6 in cellular networks opens a new set of vulnerabilities, which may lead to six types of attacks causing privacy leak, fraud, or DoS problems. Moreover, from the security analysis of the charging systems, we discover that the limitations of the current charging systems may lead to fraud problems and require additional methods to monitor the traffic of end nodes.
In addition, from the security analysis of the roaming systems, we find that the legacy roaming networks should have proper authentication when they communicate with each other. We anticipate that these findings can be important directions in designing, deploying, and managing the cellular networking elements.
Advisors
Kim, Yongdae (김용대)
Description
Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2017
Identifier
325007
Language
eng
Description

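Doctoral dissertation (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security, 2017.8, [v, 75 p.]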

Keywords

cellular network; middlebox; IPv6; charging system; roaming network; SS7; Diameter; mobile communication; security; roaming

URI
http://hdl.handle.net/10203/242105
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=718896&flag=dissertation
Appears in Collection
IS-Theses_Ph.D. (Doctoral Dissertations)
Files in This Item
There are no files associated with this item.
