Guan-Hua Tu

Can we pay for what we get in 3G data access

Data-plan subscribers are charged based on the used traffic volume in 3G/4G cellular networks. This usage-based charging system has been operational and received general success. In this work, we conduct experiments to critically assess both this usage-based accounting architecture and application-specific charging policies by operators. Our evaluation compares the network-recorded volume with the delivered traffic at the end device. We have found that, both generally work in common scenarios but may go wrong in the extreme cases: We are charged for what we never get, and we can get what we want for free. In one extreme case, we are charged for at least three hours and 450MB or more data despite receiving no single bit. In another extreme case, we are able to transfer 200MB or any amount we specify for free. The root causes lie in lack of both coordination between the charging system and the end device, and prudent policy enforcement by certain operators. We propose immediate fixes and discuss possible future directions.

Accounting for roaming users on mobile data access: issues and root causes

In this paper, we study how mobility affects mobile data accounting, which records the usage volume for each roaming user. We find out that, current 2G/3G/4G systems have well-tested mobility support solutions and generally work well. However, under certain biased, less common yet possible scenarios, accounting gap between the operators log and the users observation indeed exists. The gap can be as large as 69.6% in our road tests. We further discover that the root causes are diversified. In addition to the no-signal case reported in the prior work [23], they also include handoffs, as well as insufficient coverage of hybrid 2G/3G/4G systems. Inter-system handoffs (that migrate user devices between radio access technologies of 2G, 3G, and 4G) may incur non-negligible accounting discrepancy.

How voice calls affect data in operational LTE networks

Both voice and data are indispensable services in current cellular networks. In this work, we study the inter-play of voice and data in operational LTE networks. We assess how the popular CSFB-based voice service affects the IP-based data sessions in 4G LTE networks, and visa versa. Our findings reveal that the interference between them is mutual. On one hand, voice calls may incur throughput drop, lost 4G connectivity, and application aborts for data sessions. One the other hand, users may miss incoming voice calls when turning on data access. The fundamental problem is that, signaling and control for circuit-switched voice and packet-switched data have dependency and coupling effect via the LTE phone client. We further propose fixes to the identified issues.

Insecurity of Voice Solution VoLTE in LTE Mobile Networks

VoLTE (Voice-over-LTE) is the designated voice solution to the LTE mobile network, and its worldwide deployment is underway. It reshapes call services from the traditional circuit-switched telecom telephony to the packet-switched Internet VoIP. In this work, we conduct the first study on VoLTE security before its full rollout. We discover several vulnerabilities in both its control-plane and data-plane functions, which can be exploited to disrupt both data and voice in operational networks. In particular, we find that the adversary can easily gain free data access, shut down continuing data access, or subdue an ongoing call, etc. We validate these proof-of-concept attacks using commodity smartphones (rooted and unrooted) in two Tier-1 US mobile carriers. Our analysis reveals that, the problems stem from both the device and the network. The device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.

Control-plane protocol interactions in cellular networks

Control-plane protocols are complex in cellular networks. They communicate with one another along three dimensions of cross layers, cross (circuit-switched and packet-switched) domains, and cross (3G and 4G) systems. In this work, we propose signaling diagnosis tools and uncover six instances of problematic interactions. Such control-plane issues span both design defects in the 3GPP standards and operational slips by carriers. They are more damaging than data-plane failures. In the worst-case scenario, users may be out of service in 4G, or get stuck in 3G. We deduce root causes, propose solutions, and summarize learned lessons.

An improved GGSN failure restoration mechanism for UMTS

Universal mobile telecommunications system (UMTS) provides packet-switched data services for mobile users. To efficiently deliver packets in the UMTS core network, the PDP contexts (i.e., the routing information) are maintained in the volatile storage (e.g., memory) of SGSN, GGSN, and UE. The GGSN routes packets between the UMTS core network and external data networks, and thus has heavy traffic and computation loading, which may result in PDP contexts lost or corrupted, and the QoS of the UMTS network may degrade significantly. To resolve this issue, 3GPP 23.007 proposes a mechanism for GGSN failure restoration. In this mechanism, the corrupted PDP contexts can be restored through the PDP Context Activation procedure. However, this incurs extra signaling cost to the network. To reduce the network signaling cost and delay for restoration of the corrupted PDP contexts, this paper proposes an improved mechanism “GGSN Failure Restoration” (GFR) with different backup algorithms. The analytic models and simulation experiments are conducted to evaluate GFR.Our study indicates that the GFR mechanism can significantly reduce the cost for the PDP context restoration.

How voice call technology poses security threats in 4G LTE networks

To support voice calls vital to mobile users and carriers, 4G LTE cellular networks adopt two solutions: VoLTE (Voice Over LTE) and CSFB (Circuit-Switched FallBack). In this paper, we disclose that both schemes are harmful to mobile users from a security perspective. The adoption of the latest VoLTE allows an attacker to manipulate the radio resource states of the victims device in a silent call attack, thereby draining the victims battery 5-8 times faster. CSFB exhibits two vulnerabilities of exposing 4G↔3G network switch to adversaries. This can be further exploited to launch ping-pong attacks where mobile users may suffer from up to 91.5% performance downgrade, or 4G denial-of-service (DoS) attacks where mobile users are deprived of 4G LTE connectivity without their consent. We devise two proof-of-concept attacks as showcases, and demonstrate their viability over operational LTE networks. We analyze their root causes and uncover that the problems lie in seemingly sound design decisions for functional correctness but such choices bear unexpected and intriguing implications for security design. We finally propose remedies to mitigate the attack damage.

Real Threats to Your Data Bills: Security Loopholes and Defenses in Mobile Data Charging

Secure mobile data charging (MDC) is critical to cellular network operations. It must charge the right user for the right volume that (s)he authorizes to consume (i.e., requirements of authentication, authorization, and accounting (AAA)). In this work, we conduct security analysis of the MDC system in cellular networks. We find that all three can be breached in both design and practice, and identify three concrete vulnerabilities: authentication bypass, authorization fraud and accounting volume inaccuracy. The root causes lie in technology fundamentals of cellular networks and the Internet IP design, as well as imprudent implementations. We devise three showcase attacks to demonstrate that, even simple attacks can easily penetrate the operational 3G/4G cellular networks. We further propose and evaluate defense solutions.

Detecting problematic control-plane protocol interactions in mobile networks

The control-plane protocols in 3G/4G mobile networks communicate with each other, and provide a rich set of control functions, such as radio resource control, mobility support, connectivity management, to name a few. Despite their significance, the problem of verifying protocol correctness remains largely unaddressed. In this paper, we examine control-plane protocol interactions in mobile networks. We propose CNetVerifier, a two-phase signaling diagnosis tool to detect problematic interactions in both design and practice. CNetVerifier first performs protocol screening based on 3GPP standards via domain-specific model checking, and then conducts phone-based empirical validation in operational 3G/4G networks. With CNetVerifier, we have uncovered seven types of troublesome interactions, along three dimensions of cross (protocol) layers, cross (circuit-switched and packet-switched) domains, and cross (3G and 4G) systems. Some are caused by necessary yet problematic cooperation (i.e., protocol interactions are needed but they misbehave), whereas others are due to independent yet unnecessary coupled operations (i.e., protocols interactions are not required but actually coupled). These instances span both design defects in 3GPP standards and operational slips by carriers and vendors. They all result in performance penalties or functional incorrectness. We deduce root causes, present empirical results, propose solutions, and summarize learned lessons.

VoLTE*: A Lightweight Voice Solution to 4G LTE Networks

VoLTE is the designated voice solution to the LTE network. Its early deployment is ongoing worldwide. In this work, we report an assessment on VoLTE.We show that VoLTE offers no categorically better quality than popular VoIP applications in all tested scenarios except some congested scenarios. Given the high cost on infrastructure upgrade, we argue that VoLTE, in its current form, might not warrant the deployment effort. We sketch VOLTE*, a lightweight voice solution from which all parties of users, LTE carriers, and VoIP service providers may benefit.