Silke Holtmanns

User location tracking attacks for LTE networks using the interworking functionality

User location tracking attacks using cellular networks have been known since 2008. In 2014, several Signalling System No 7 (SS7) protocol based location tracking attacks were demonstrated, which particularly targeted the cellular roaming in GSM networks. Currently, the mobile network operators are in a gradual process of upgrading to Long Term Evolution (LTE) networks, in addition to replacing SS7 by its successor - Diameter protocol. Though Diameter seems to be an improvement over SS7 in terms of security with the use of IPsec/TLS and certificate based authentication, they still need to communicate with their roaming partners who use less secure SS7. In this paper, we will briefly present the translation of existing SS7 attacks into Diameter-based attacks in LTE networks (under certain assumptions) using Interworking Functions(IWF) - which allows communication between networks that use different protocols. The key contribution of this paper is the the detailed explanation of novel attack vectors to obtain the user location information using IWF and hence, the proof that even new LTE network can be vulnerable to legacy attacks. Furthermore, we will outline some of the potential protection approaches for the attacks that we discuss.

We know where you are

Mobile network technologies require some degree of tracking of user location, specifically user equipment tracking, as part of their fundamental mechanism of working. Without this basic function, features such as hand-over between cells would not work. Since mobile devices are typically associated with a single person, this provides a potential mechanism for user location surveillance. Network operators are bound by strict privacy legislation. However, spying by certain agencies, hackers and even advertisers without the users or operators knowledge has become a serious issue. In this article, we introduce and explain all known recent attacks on mobile networks that compromised user privacy. We focus on attacks using the Signalling System 7 (SS7) protocol as the interconnection interface between operators mainly in GSM networks. In addition, we outline a novel evolution of location tracking for LTE networks. One reason these attacks are not widely published or known by the general public is due to the complex and arcane nature of the networks and their protocols. Mobile network interfaces are `hidden from users, and therefore the general publics interest in such attacks is much lower compared to other phone vulnerabilities. The purpose of the paper is to raise awareness about the current location tracking problem in cellular networks, the existing countermeasures and to encourage further research in the area for 5G networks.

SMS and one-time-password interception in LTE networks

The Interconnection network connects the communication networks themselves to each other enabling features such as roaming and data services between those said networks. It has been known since 2014 that using the legacy SS7 (Signaling System No. 7) protocol SMS based traffic can be intercepted. Network providers are now moving towards diameter based LTE networks with the hope that the additional security provided in that protocol also improves overall interconnection security. In this article we will show how SMS can be intercepted using diameter based networks independently of device or OS type. We will show the practical impact upon services such as those provided by Google, Microsoft, Twitter, etc. We will summarize the reaction of twitter to the responsible disclosure, potential countermeasures and future research outlook.

Anomaly-Based Intrusion Detection Using Extreme Learning Machine and Aggregation of Network Traffic Statistics in Probability Space

Recently, with the increased use of network communication, the risk of compromising the information has grown immensely. Intrusions have become more sophisticated and few methods can achieve efficient results while the network behavior constantly changes. This paper proposes an intrusion detection system based on modeling distributions of network statistics and Extreme Learning Machine (ELM) to achieve high detection rates of intrusions. The proposed model aggregates the network traffic at the IP subnetwork level and the distribution of statistics are collected for the most frequent IPv4 addresses encountered as destination. The obtained probability distributions are learned by ELM. This model is evaluated on the ISCX-IDS 2012 dataset, which is collected using a real-time testbed. The model is compared against leading approaches using the same dataset. Experimental results show that the presented method achieves an average detection rate of 91% and a misclassification rate of 9%. The experimental results show that our methods significantly improve the performance of the simple ELM despite a trade-off between performance and time complexity. Furthermore, our methods achieve good performance in comparison with the other few state-of-the-art approaches evaluated on the ISCX-IDS 2012 dataset.

Experiences in Trusted Cloud Computing

While trusted computing is a well-known technology, its role has been relatively limited in scope and typically limited to single machines. The advent of cloud computing, its role as critical infrastructure and the requirement for trust between the users of computing resources combines to form a perfect environment for trusted and high-integrity computing. Indeed, the use of trusted computing is an enabling technology over nearly all ‘cyber’ areas: secure supply chain management, privacy and critical data protection, data sovereignty, cyber defense, legal etc. To achieve this, we must fundamentally redefine what we mean by trusted and high-integrity computing. We are required to go beyond boot-time trust and rethink notions of run-time trust, partial trust, how systems are constructed, the trust between management and operations, compute and storage infrastructure and the dynamic provisioning of services by external parties. While attestation technologies, so-called run-time trust and virtualized TPM are being brought to the fore, adopting these does not solve any of the fundamental problems of trust in the cloud.

Subscriber Profile Extraction and Modification via Diameter Interconnection

The interconnection network (IPX) connects telecommunication networks with each other. The IPX network enables features like roaming and data access while traveling. Designed as a closed network it is now opening up and unauthorized entities now misuse the IPX network for their purposes. The majority of the IPX still runs the Signaling System No. 7 (SS7) protocol stack, while the more advanced operators now turn towards Diameter based LTE roaming. SS7 is known to suffer from many attacks. The first attacks for Diameter are known. In this article, we will show how an attacker can deduct a subscriber profile from the Home Subscriber Service (HSS). The subscriber profile contains all key information related to the users’ subscription e.g. location, billing information etc. We will close with a recommendation how to prevent such an attack.

Providing for privacy in a network infrastructure protection context

Machine Learning and Big Data Analysis are seen as the silver bullet to detect and counteract attacks on critical communication infrastructure. Every message is analysed and is to some degree under suspicion. The principle of innocent until proven guilty does not seem to apply to modern communication usage. On the other hand, criminals would gain easily upper hand in communication networks that are not protected and on the outlook for attacks. This poses quite a problem for the technical implementation and handling of network communication traffic. How can a communication network provider protect user data against malicious activities without screening and data analysis and loss of the human right of privacy? This article provides a classification system for data usage, privacy sensitivity and risk through which we will illustrate on a concrete example how to provide user privacy, while still enabling protection.

Data Anonymization as a Vector Quantization Problem: Control Over Privacy for Health Data

This paper tackles the topic of data anonymization from a vector quantization point of view. The admitted goal in this work is to provide means of performing data anonymization to avoid single individual or group re-identification from a data set, while maintaining as much as possible (and in a very specific sense) data integrity and structure. The structure of the data is first captured by clustering (with a vector quantization approach), and we propose to use the properties of this vector quantization to anonymize the data. Under some assumptions over possible computations to be performed on the data, we give a framework for identifying and “pushing back outliers in the crowd”, in this clustering sense, as well as anonymizing cluster members while preserving cluster-level statistics and structure as defined by the assumptions (density, pairwise distances, cluster shape and members...).

A Testbed for Trusted Telecommunications Systems in a Safety Critical Environment

Telecommunications systems are critical aspects of infrastructure with more safety-critical systems utilising their capabilities. Domains such as medicine and automotive applications are required to be resilient and failure tolerant. We have constructed a testbed environment that can be configured into various telecommunication operator configurations based around Network Function Virtualisation, Edge Cloud and Internet-of-Things along with trusted computing. Utilising a medical application as the motivating case to demonstrate reliability, resiliency and as a compelling demonstration we can investigate the interaction of these security technologies in telecommunications environment while providing a safety-critical use case.

Learning Flow Characteristics Distributions with ELM for Distributed Denial of Service Detection and Mitigation

We present a methodology for modeling the distributions of network flow statistics for the specific purpose of network anomaly detection, in the form of Distributed Denial of Service attacks. The proposed methodology offers to model (using Extreme Learning Machines, ELM), at the IP subnetwork level (or all the way down to the single IP level, if computations allow), the usual distributions of certain network flow characteristics (or statistics), and then to use a One-Class classifier in the detection of abnormal joint flow statistics. The methodology makes use of the original ELM for its good performance to computational time ratio, but also because of the needs in this methodology to have simple update rules for making the model evolve in time, as new traffic and hosts come in.