On cellular botnets

Traynor, Patrick; Lin, Michael; Ongtang, Machigar; Rao, Vikhyath; Jaeger, Trent; McDaniel, Patrick; Porta, Thomas La

doi:10.1145/1653662.1653690

Cited by 149 publications

(4 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Previous works have reported attacks against 2G and 3G access network protocols [2], [55], core network protocols [56], [57], [58], [59], as well as services [60]. In passive attacks, Kune et al [2] showed that despite the use of temporary IDs, the location of a subscriber's UE in a GSM network can be leaked.…”

Section: Related Workmentioning

confidence: 99%

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

Shaik¹,

Borgaonkar²,

Asokan³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

186

178

View full text Add to dashboard Cite

Abstract-Mobile communication systems are now an essential part of life throughout the world. Fourth generation "Long Term Evolution" (LTE) mobile communication networks are being deployed. The LTE suite of specifications is considered to be significantly better than its predecessors not only in terms of functionality but also with respect to security and privacy for subscribers. We carefully analyzed LTE access network protocol specifications and uncovered several vulnerabilities. Using commercial LTE mobile devices in real LTE networks, we demonstrate inexpensive, and practical attacks exploiting these vulnerabilities. Our first class of attacks consists of three different ways of making an LTE device leak its location: In our experiments, a semi-passive attacker can locate an LTE device within a 2 km 2 area in a city whereas an active attacker can precisely locate an LTE device using GPS co-ordinates or trilateration via cell-tower signal strength information. Our second class of attacks can persistently deny some or all services to a target LTE device. To the best of our knowledge, our work constitutes the first publicly reported practical attacks against LTE access network protocols.We present several countermeasures to resist our specific attacks. We also discuss possible trade-off considerations that may explain why these vulnerabilities exist. We argue that justification for these trade-offs may no longer valid. We recommend that safety margins introduced into future specifications to address such trade-offs should incorporate greater agility to accommodate subsequent changes in the trade-off equilibrium.

show abstract

Section: Related Workmentioning

confidence: 99%

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

Shaik¹,

Borgaonkar²,

Asokan³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

186

178

View full text Add to dashboard Cite

show abstract

“…General packet radio service (GPRS) offers strong security protocols for data transmission as well as a range of authentication mechanisms that make the packet sniffing procedure a demanding task. However, Traynor et al in [31] demonstrated that a botnet of poorly secured mobile phones could be utilised to cause significant availability issues in the examined cellular network. The present work aims to address the increasingly sophisticated attacks that may occur in such networks.…”

Section: Ddos Attacksmentioning

confidence: 99%

Short‐term risk assessment of botnet attacks on advanced metering infrastructure

Sgouras

Kyriakidis

Labridis

2017

IET cyber-phys. syst.

View full text Add to dashboard Cite

“…However, in order to make the attack successful, the state-of-the-art attack methodologies [6] are based on GSM network alone and require the availability of botnets with more than 10.000 smartphones with valid SIM modules. In this work, we have explored a different approach, leveraging the 3G UMTS network and evaluating the possibility to bypass the strict timings enforced by the cellular network protocols by means of radio devices different from the ones available on the consumer market.…”

Section: Conclusion and Future Scopementioning

confidence: 99%

“…This attack exclusively operates at the user-level by relying on unavoidable protocol level signalling features so that no hacking on intra-operator facilities is needed. It is indirectly targeted at the Home Location Register (HLR) that is the database containing information on mobile subscribers as well as call blocking and forwarding rules that can be overwhelmed by service requests [6]. Since this database is a critical component, often revealing to be a major bottleneck within the overall infrastructure, an outage of its functionality may cause an interruption of other mobile services too, finally resulting in a mobile network DoS potentially leaving thousands of devices without their lifelines to the network core.…”

Section: Introductionmentioning

confidence: 99%

Denial of Service Attack to UMTS (Radio) Networks Using Sim-Less Devices to Increase Network Efficiency

2015

IJSR

View full text Add to dashboard Cite

One of the fundamental security elements in cellular networks is the authentication procedure performed by means of the Subscriber Identity Module (SIM) that is required to grant access to network services and hence protect the network from unauthorized usage. Nonetheless, in this proposed work we present a new kind of denial of service (DoS) attack based on properly crafted SIM-less devices that, without any kind of authentication and by exploiting some specific features and performance bottlenecks of the Universal Mobile Telecommunication System (UMTS) network attachment process, are potentially capable of introducing significant service degradation up to disrupting large sections of the cellular network coverage. Beyond protocol-specific vulnerabilities, the same network complexity may also hide potential performance bottlenecks in signalling protocols or control applications or components that can be exploited by several kinds of Denial of Service (DoS) attacks in order to tear down critical service subsystems or overwhelm them with large number of requests, exhausting the resources needed to ensure network operations. The knowledge of this attack can be exploited by several applications both in security and in network equipment manufacturing sectors.

show abstract

On cellular botnets

Cited by 149 publications

References 19 publications

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

Short‐term risk assessment of botnet attacks on advanced metering infrastructure

Denial of Service Attack to UMTS (Radio) Networks Using Sim-Less Devices to Increase Network Efficiency

Contact Info

Product

Resources

About