Dongkwan Kim

Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations

Long Term Evolution (LTE) is becoming the dominant cellular networking technology, shifting the cellular network away from its circuit-switched legacy towards a packet-switched network that resembles the Internet. To support voice calls over the LTE network, operators have introduced Voice-over-LTE (VoLTE), which dramatically changes how voice calls are handled, both from user equipment and infrastructure perspectives. We find that this dramatic shift opens up a number of new attack surfaces that have not been previously explored. To call attention to this matter, this paper presents a systematic security analysis. Unlike the traditional call setup, the VoLTE call setup is controlled and performed at the Application Processor (AP), using the SIP over IP. A legitimate user who has control over the AP can potentially control and exploit the call setup process to establish a VoLTE channel. This combined with the legacy accounting policy (e.g., unlimited voice and the separation of data and voice) leads to a number of free data channels. In the process of unveiling the free data channels, we identify a number of additional vulnerabilities of early VoLTE implementations, which lead to serious exploits, such as caller spoofing, over-billing, and denial-of-service attacks. We identify the nature of these vulnerabilities and concrete exploits that directly result from the adoption of VoLTE. We also propose immediate countermeasures that can be employed to alleviate the problems. However, we believe that the nature of the problem calls for a more comprehensive solution that eliminates the root causes at mobile devices, mobile platforms, and the core network.

BurnFit: Analyzing and Exploiting Wearable Devices

Wearable devices have recently become popular, and more and more people now buy and wear these devices to obtain health-related services. However, as wearable device technology quickly advances, its security cannot keep up with the speed of its development. As a result, it is highly likely for the devices to have severe vulnerabilities. Moreover, because these wearable devices are usually light-weight, they delegate a large portion of their operations as well as permissions to a software gateways on computers or smartphones, which put users at high risk if there are vulnerabilities in these gateways. In order to validate this claim, we analyzed three devices as a case study and found a total 17 vulnerabilities in them. We verified that an adversary can utilize these vulnerabilities to compromise the software gateway and take over a victims computers and smartphones. We also suggest possible mitigation to improve the security of wearable devices.

Analyzing Security of Korean USIM-Based PKI Certificate Service

This paper analyzes security of Korean USIM-based PKI certificate service. Korean PKI certificate consists of public key and password encrypted private key on disk. Due to insufficient security provided by single password, Korean mobile operators introduced USIM-based PKI system. We found several vulnerabilities inside the system, including private key’s RSA prime number leakage during certificate installation. We also suggest possible improvments on designing secure authentication system (Preliminary work of this paper was published previously [1]. This work was responsibly disclosed to the vendor and associated government organizations.).

When Cellular Networks Met IPv6: Security Problems of Middleboxes in IPv6 Cellular Networks

Recently, cellular operators have started migrating to IPv6 in response to the increasing demand for IP addresses. With the introduction of IPv6, cellular middleboxes, such as firewalls for preventing malicious traffic from the Internet and stateful NAT64 boxes for providing backward compatibility with legacy IPv4 services, have become crucial to maintain stability of cellular networks. This paper presents security problems of the currently deployed IPv6 middleboxes of five major operators. To this end, we first investigate several key features of the current IPv6 deployment that can harm the safety of a cellular network as well as its customers. These features combined with the currently deployed IPv6 middlebox allow an adversary to launch six different attacks. First, firewalls in IPv6 cellular networks fail to block incoming packets properly. Thus, an adversary could fingerprint cellular devices with scanning, and further, she could launch denial-of-service or over-billing attacks. Second, vulnerabilities in the stateful NAT64 box, a middlebox that maps an IPv6 address to an IPv4 address (and vice versa), allow an adversary to launch three different attacks: 1) NAT overflow attack that allows an adversary to overflow the NAT resources, 2) NAT wiping attack that removes active NAT mappings by exploiting the lack of TCP sequence number verification of firewalls, and 3) NAT bricking attack that targets services adopting IP-based blacklisting by preventing the shared external IPv4 address from accessing the service. We confirmed the feasibility of these attacks with an empirical analysis. We also propose effective countermeasures for each attack.

Pay as You Want: Bypassing Charging System in Operational Cellular Networks

Accurate and fair data charging in cellular networks is an important issue because of its large impacts on profits of operators and bills for users. In this study, we analyze the data charging policies and mechanisms for protocols and applications. The analysis shows that all operators in South Korea did not charge the payload of Internet Control Message Protocol (ICMP) echo request/reply messages, as well as the payload attached to Transmission Control Protocol (TCP) SYN and TCP RST packets. In addition, the operators only utilize IP addresses to verify whether the traffic comes from the expected application. By misusing the findings with consideration of Network Address Translator (NAT) in IPv4 cellular networks, we validate with empirical experiments the feasibility of free-riding attack, which enables an adversary to use the cellular data service for free, and propose effective countermeasures.

A New Soybean Variety, ‘Joongmo 3009’ with Green Cotyledon, Black Seed Coat, Disease Tolerant, and High Yield

A new soybean variety, ‘Joongmo 3009’ (Milyang 222) was developed at the National Institute of Crop Science (NICS) in 2012. ‘Joongmo 3009’ was released by pedigree selection from the cross between ‘Cheongja 2(Milyang 121)’ and ‘Daemangkong’. It has determinate growth habit, white flower, brown pubescence, brown pod color, green seed coat, green cotyledon, spherical seed shape, oval leaf shape and large seed size (29.3 grams per 100 seeds). It was late 16 days in maturing date than the check cultivar ‘Cheongjakong’. The average yield of ‘Joongmo 3009’ was 2.91 ton per hectare, which was higher 36 percentage than the check variety, in the regional yield trials carried out in three adaptable locations of Korea from 2010 to 2012. The number of breeder’s right is ‘5474’