Security Threats and Challenges of the IoT Over Mobile Networks

Roger Piqueras Jover – Wireless Security Research Scientist – Security Architect – Bloomberg LP

International Wireless Industry Consortium (IWPC) Internet of Things workshop – San Jose CA, November 2015



2

About me

• Wireless Security Researcher (aka Security Architect) at Bloomberg LP

• Former (5 years) Principal Member of Technical Staff at AT&T Security Research

• Mobile/wireless network security research

– LTE security and protocol exploits

– Advanced radio jamming

– Control plane signaling scalability in mobile networks

– 5G mobile networks

• More details

– http://www.ee.columbia.edu/~roger/

3

Mobile network security

• Traditionally thought of at the app layer

– Certificates

– Encryption

– SSL

– Recent examples

• iOS SSL bug

• Android malware

• XcodeGhost iOS infected apps

4

Mobile network security

Progression of mobile network security (slide figure):

• “Old” encryption – Device authentication

• Strong encryption – Mutual authentication

• Stronger encryption – Mutual authentication

Basic security principles

• Confidentiality – Protecting user data

• Authentication

• Availability – Mobile connectivity availability against security threats

The first mobile networks were not designed with a strong security focus (no support for encryption in 1G!!!)

5

Summary for today

IoT security threats and challenges over mobile networks

• Device (UE) threats

– Mainly a problem for the device manufacturer and IoT service provider

– Sophisticated jamming, LTE protocol exploits, battery drainage, location leaks, etc.

• Network challenges and threats

– Mainly a problem for the network operator

– Control plane signaling, device population growth scalability, etc.

6

IoT over LTE mobile networks

7

LTE Cell Selection and Connection

Slide figure: Power up → Cell Search Procedure → Obtain System Configuration (decode PBCH) → Random Access (RACH) → Radio Access Bearer → Connected (user traffic); otherwise the device remains Idle

• System configuration

– Decode Master Information Block (MIB) from PBCH

– Decode System Information Blocks (SIBs) from PDSCH

8

Low-power jamming

9

LTE frame

10

Downlink jamming

Slide figure: full LTE signal (10 MHz) vs. the DL broadcast messages (PBCH) occupying only 1.08 MHz

Jamming gain (vs basic jamming) ≈ 10dB

11 © 2015 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Uplink low-power jamming

Jamming this portion of the spectrum results in a total cell/sector DoS

Jamming gain (vs basic jamming) up to ~27dB

(Jam an entire cell with less tx power than a smartphone!!!)

12

Sniffing base station configuration

Time: 00:02:10.087204 Frame: 93 Subframe: 0
BCCH-BCH-Message
  message
    dl-Bandwidth: n50
    phich-Config
      phich-Duration: normal
      phich-Resource: one
    systemFrameNumber: {8 bits|0x17}
    spare: {10 bits|0x0000|Right Aligned}

LTE PBCH MIB packet

13

Sniffing base station configuration

Time: 00:02:10.102204 Frame: 94 Subframe: 5
BCCH-DL-SCH-Message
  message
    c1
      systemInformationBlockType1
        cellAccessRelatedInfo
          plmn-IdentityList
            PLMN-IdentityInfo
              plmn-Identity
                mcc
                  MCC-MNC-Digit: 3
                  MCC-MNC-Digit: 1
                  MCC-MNC-Digit: 0
                mnc
                  MCC-MNC-Digit: 4
                  MCC-MNC-Digit: 1
                  MCC-MNC-Digit: 0
              cellReservedForOperatorUse: reserved
          trackingAreaCode: {16 bits|0x2713}
          cellIdentity: {28 bits|0x0075400F|Right Aligned}
          cellBarred: notBarred
          intraFreqReselection: allowed
          csg-Indication: false
        cellSelectionInfo
          q-RxLevMin: -60
        freqBandIndicator: 17
        schedulingInfoList
          SchedulingInfo
            si-Periodicity: rf8
            sib-MappingInfo
              SIB-Type: sibType3
        si-WindowLength: ms10
        systemInfoValueTag: 11
  Padding

LTE PDSCH SIB1 packet. Slide callouts: plmn-Identity = Mobile operator; cellIdentity = Cell ID; q-RxLevMin = RX power to select that cell
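As an added example (not from the talk, and not code from Sanjole's capture tool), the following Python parses the SIB1 decode shown above and reduces it to the cell fingerprint the slide callouts point at: the operator PLMN, the tracking area and cell identity, and the minimum RX level. It then compares that fingerprint with a constructed baseline of cells recorded in an earlier site survey, which is the kind of check a defender can run precisely because these broadcasts are unauthenticated: a cell advertising the home PLMN that is absent from the survey, or whose parameters have changed, deserves a closer look. The field values are the ones in the capture above; the baseline, the home PLMN, the dict keys and the function names are assumptions. Splitting the 28-bit cellIdentity into a 20-bit eNodeB ID and an 8-bit cell ID, and reading q-RxLevMin in units of 2 dBm, follow the LTE RRC specification.

```python
import re

# The SIB1 decode from the slide, re-typed as sample input. The decoder's
# indentation is not preserved, so the parser treats it as flat "name: value" lines.
SIB1_DUMP = """\
Time: 00:02:10.102204 Frame: 94 Subframe: 5
BCCH-DL-SCH-Message
message
c1
systemInformationBlockType1
cellAccessRelatedInfo
plmn-IdentityList
PLMN-IdentityInfo
plmn-Identity
mcc
MCC-MNC-Digit: 3
MCC-MNC-Digit: 1
MCC-MNC-Digit: 0
mnc
MCC-MNC-Digit: 4
MCC-MNC-Digit: 1
MCC-MNC-Digit: 0
cellReservedForOperatorUse: reserved
trackingAreaCode: {16 bits|0x2713}
cellIdentity: {28 bits|0x0075400F|Right Aligned}
cellBarred: notBarred
intraFreqReselection: allowed
csg-Indication: false
cellSelectionInfo
q-RxLevMin: -60
freqBandIndicator: 17
"""

# Bit-string values print as "{N bits|0xHEX...}"; capture the width and hex value.
BITSTRING = re.compile(r"\{(\d+) bits\|0x([0-9A-Fa-f]+)")


def parse_sib1(dump):
    """Flatten a text SIB1 decode into a dict of scalar fields plus the PLMN string."""
    fields = {}
    digits = {"mcc": [], "mnc": []}
    current = None  # which digit list the following MCC-MNC-Digit lines belong to
    for raw in dump.splitlines():
        line = raw.strip()
        if line in digits:
            current = line
            continue
        if ":" not in line:
            continue  # container name without a value (message, c1, ...)
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "MCC-MNC-Digit" and current is not None:
            digits[current].append(value)
            continue
        match = BITSTRING.match(value)
        if match:
            fields[key] = int(match.group(2), 16)
        else:
            try:
                fields[key] = int(value)
            except ValueError:
                fields[key] = value  # enumerations and free text stay as strings
    fields["plmn"] = "".join(digits["mcc"]) + "-" + "".join(digits["mnc"])
    return fields


def cell_fingerprint(fields):
    """Reduce a parsed SIB1 to the identifiers the slide calls out."""
    eci = fields["cellIdentity"]  # 28-bit E-UTRAN Cell Identity
    return {
        "plmn": fields["plmn"],                      # mobile operator (MCC-MNC)
        "tac": fields["trackingAreaCode"],
        "enb_id": eci >> 8,                          # upper 20 bits: eNodeB identity
        "cell_id": eci & 0xFF,                       # lower 8 bits: cell within that eNodeB
        "q_rxlevmin_dbm": fields["q-RxLevMin"] * 2,  # IE is coded in units of 2 dBm
        "band": fields["freqBandIndicator"],
    }


# Constructed baseline (assumption): cells a previous site survey recorded for the
# home PLMN, keyed by (plmn, tac, enb_id, cell_id) with the parameters seen then.
BASELINE = {
    ("310-410", 10003, 30016, 15): {"q_rxlevmin_dbm": -120, "band": 17},
}


def check_against_baseline(fp, baseline=BASELINE, home_plmn="310-410"):
    """List deviations between an observed cell and the survey baseline."""
    findings = []
    if fp["plmn"] != home_plmn:
        findings.append(f"foreign PLMN {fp['plmn']}")
    key = (fp["plmn"], fp["tac"], fp["enb_id"], fp["cell_id"])
    known = baseline.get(key)
    if known is None:
        findings.append(f"cell {key} not in baseline")
        return findings
    for name, expected in known.items():
        if fp[name] != expected:
            findings.append(f"{name} changed: baseline {expected}, now {fp[name]}")
    return findings


if __name__ == "__main__":
    fp = cell_fingerprint(parse_sib1(SIB1_DUMP))
    print(fp)
    print(check_against_baseline(fp) or "cell matches baseline")
```

Feeding the capture above through the parser yields PLMN 310-410, TAC 10003, eNodeB 30016 cell 15 and a minimum RX level of -120 dBm; changing a single hex digit of the cellIdentity in the input is enough for the baseline check to report an unknown cell.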

14

Sniffing base station configuration

LTE PDSCH SIB2/3 packet (slide callouts):

• RACH config

• Paging config

• User traffic config

• RRC timers

• Etc.

15

LTE protocol exploits

16

LTE NAS Attach procedure

17

LTE NAS Attach procedure

Unencrypted and unprotected. I can sniff these messages and I can transmit them pretending to be a legitimate base station.

Other things sent in the clear:

• Measurement reports (CQI)

• HO related messages

• Paging messages

• A long etc.

18

19

LTE protocol exploits

• Man in the Middle (MitM) rogue base stations in LTE are NOT possible

– Strong encryption and mutual authentication

• LTE rogue base stations are possible

– Spoof all messages up to the authentication process (or other messages: paging, etc)

• IMSI catching

• Battery drain

• Bricking or blocking the device and/or the SIM card

– Sniffing unprotected traffic

• Location leaks

• Follow a device as it hands over from eNodeB to eNodeB

• Estimate traffic load and time characteristics of a device

• LTE rogue base station prototyping

– Software radio platforms – USRP, RTL-SDR, etc

– Open source LTE implementations – OpenLTE, grLTE, etc

20

IoT scalability and control plane signaling overloads

21

RRC state machine

Idle to connected

Connected to idle

RRC state transitions require a large amount of control plane signaling at the EPC

22

Control plane signaling spikes

• The traffic characteristics of IoT devices are very different from those of smartphones

• Different types of IoT devices behave very differently

– Security camera reporting a picture every 5 minutes

– Vending machine only sending a message when it's low on supplies

– Medical IoT transmitting a constant stream of data

– Connected car

• On-board systems + Infotainment + WiFi hotspot over LTE

• Recent instances of control plane signaling overloads in the wild

– Chatty apps: IM app checking for new messages frequently caused havoc in a major US operator [FierceWireless – Oct’10]

– Signaling spike causes an outage for 3 million customers of the 6th largest operator in the world [Light Reading – Sep’11]

– Ads in a popular app caused severe signaling spikes [iWire – June’11]

– Etc
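As an added illustration for the RRC state machine slide and the signaling-spike slide (a toy model, not data or code from the talk), the Python below estimates how many idle-to-connected transitions different IoT fleets generate per hour, and then shows why the same fleet produces a spike rather than a steady load when its devices wake up on a shared schedule. Every fleet profile, the device counts, the transmission periods and the RRC inactivity timer are constructed assumptions.

```python
from collections import Counter

# Constructed fleet profiles (assumptions, not measurements from the talk):
# how often a device wakes to transmit and how long each burst lasts.
FLEET = {
    "security_camera": {"count": 20_000, "period_s": 300, "burst_s": 2},
    "vending_machine": {"count": 5_000, "period_s": 86_400, "burst_s": 1},
    "medical_stream": {"count": 1_000, "period_s": 1, "burst_s": 1},
}

# Assumed RRC inactivity timer: seconds without traffic before the network releases
# the UE to RRC_IDLE. The next burst then costs a full idle->connected transition
# (random access, RRC connection setup and the associated EPC signaling).
INACTIVITY_TIMER_S = 10


def transitions_per_hour(period_s, burst_s, timer_s=INACTIVITY_TIMER_S):
    """Idle->connected transitions per hour for one device sending periodic bursts."""
    if period_s <= burst_s + timer_s:
        # The next burst arrives before the timer expires: the device never goes idle,
        # so it costs bearer resources but no repeated connection setups.
        return 0.0
    return 3600.0 / period_s


def fleet_load(fleet=FLEET, timer_s=INACTIVITY_TIMER_S):
    """Average idle->connected transitions per hour, per profile and in total."""
    load = {
        name: p["count"] * transitions_per_hour(p["period_s"], p["burst_s"], timer_s)
        for name, p in fleet.items()
    }
    load["total"] = sum(load.values())
    return load


def transition_timeline(count, period_s, synchronized, window_s=3600):
    """Transition attempts per second over one window for a profile that does go idle.

    synchronized=True models firmware that reports on a shared wall-clock schedule
    (every camera "on the five-minute mark"); False spreads each device's start
    phase evenly across the period.
    """
    per_second = Counter()
    for i in range(count):
        phase = 0 if synchronized else i % period_s
        for t in range(phase, window_s, period_s):
            per_second[t] += 1
    return per_second


def peak_per_second(count, period_s, synchronized, window_s=3600):
    """Worst single second of transition attempts for one profile."""
    timeline = transition_timeline(count, period_s, synchronized, window_s)
    return max(timeline.values(), default=0)


if __name__ == "__main__":
    for name, load in fleet_load().items():
        print(f"{name:16s} {load:10.1f} transitions/hour")
    cam = FLEET["security_camera"]
    print("cameras, spread phases: peak", peak_per_second(cam["count"], cam["period_s"], False), "/s")
    print("cameras, synchronized:  peak", peak_per_second(cam["count"], cam["period_s"], True), "/s")
```

With these assumptions the camera fleet averages 240,000 connection setups per hour, the vending machines about 208, and the streaming medical devices none at all because they never drop to idle. The hourly average hides the real problem: the same 20,000 cameras produce at most 67 setups in any second when their phases are spread, but 20,000 in one second when they report on a shared clock, which is the shape of the signaling spikes listed above.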

23

M2M scalability

Jermyn, J., Jover, R. P., Murynets, I., Istomin, M., & Stolfo, S. (2015, June). Scalability of Machine to Machine systems and the Internet of Things on LTE mobile networks. In 2015 IEEE 16th International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM) (pp. 1-9). IEEE.

24

Botnet of infected IoT devices

IoT security – VERY IMPORTANT

• IoT embedded device hacks presented at security conferences

• Reverse engineering of IoT devices and communication

(Slide figure label: Mobile core (EPC))

25

Wrapping up…

• Focus of mobile network security commonly at the app layer

• Mobile/wireless security at the lower layers

– RAN

• Advanced low-power jamming

• Protocol exploits – Rogue base stations, location leaks, potential brick of the SIM/device, etc

– EPC

• Control plane signaling scalability and overloads

• Big challenge for mobile operators with the IoT

26

Thanks!

Q&A

More information: http://www.ee.columbia.edu/~roger/

Big THANK YOU to Sanjole for providing the captures used in this presentation. Captures taken in Honolulu HI.