Mobile Data Charging: New Attacks and Countermeasures
Chunyi Peng, Chi-yu Li, Guan-hua Tu, Songwu Lu, Lixia Zhang
Department of Computer Science, University of California
In modern society, wireless access to Internet data services is becoming increasingly popular, thanks to the deployment of 3G/4G cellular networks. The explosive growth of smartphones (e.g., iPhones and Android phones) will further accelerate this usage trend. While users enjoy wireless data access, it does not come for free. Most 3G/4G operators bill the user based on the volume of data used. This metered charging is officially stipulated by the 3G/4G standards. Under the standards, charging is performed inside the cellular network (CN) on a per-flow basis. Each flow is defined by the five-tuple (source-IP, destination-IP, source-port, destination-port, protocol) or a subset of it. Whenever a data flow is initiated with the phone, the traffic volume is recorded at the CN as the data traverse the CN to reach the phone or server. The CN therefore performs accounting operations based on the traffic volume it observes. Carriers can also define their own flow-specific billing policies. However, the 3G/4G charging system contains many vulnerabilities. In the paper, the authors discover loopholes in its policy practice and weaknesses in its charging architecture. As a result, they identify two new types of attacks against the charging system. The “toll-free-data-access-attack” enables the attacker to access any data service for free. The “stealth-spam-attack” imposes any large traffic volume on the victim, while the victim may not even be aware of such spam traffic. Their experiments on two operational 3G networks have confirmed the feasibility and simplicity of such attacks. The authors also propose defense remedies.
1. Data Charging Architecture and Procedures
The authors introduce the 3G/4G architecture and its data charging system, starting with the overall 3G UMTS network architecture and the charging system for data services. The UMTS network consists of the Terrestrial Radio Access Network (RAN) and the core network (CN). The RAN provides wireless access to the mobile device (called User Equipment (UE)) and exchanges data session provisioning with the Packet-Switched (PS) core network. The major components of the PS core network are the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node (GGSN). The SGSN handles data packet delivery from and to the UEs within its geographical service area. The GGSN acts as a router between the SGSN and the external wired Internet, and "hides" the 3G UMTS infrastructure from the external network. In fact, SGSNs and GGSNs are the aforementioned gateway-like devices: they record the data usage passing through them to perform charging functions.
Current cellular networks support both offline and online charging modes. In addition to the SGSN and GGSN, three more charging components work to support both modes: the Billing Domain (BD), the Charging Gateway Function (CGF), and the Online Charging System (OCS). In offline charging, data usage is collected during service provisioning in the form of Charging Data Records (CDRs), which are sent to the BD to generate data bills offline. The SGSN and GGSN are responsible for collecting data usage and generating CDRs. The CGF validates CDRs from SGSNs/GGSNs and transfers them to the BD. In online charging, mobile users have to pre-pay to obtain credits for data services in advance. The OCS authorizes whether or not users have enough credits so that the GGSN/SGSN can proceed with data services. The GGSN/SGSN deducts data usage from the available credits and stops data services upon zero credit. The charging subsystem for the 4G LTE cellular network is almost identical to that of 3G UMTS. The major difference is that the Serving Gateway (S-GW) and Packet Data Network Gateway (P-GW) replace the SGSN and GGSN to collect data usage and generate CDRs. The authors also describe how mobile users are charged for data services through an example that a person called...
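An added example, not taken from the paper or from this summary: a minimal Python model of the per-flow charging procedure described above, with gateway metering, offline CDRs priced by the Billing Domain, and online credit deduction. Class names, addresses, rates and credit units are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed model: names, addresses, rates and credit units are illustrative assumptions.
# A flow is the five-tuple (src_ip, dst_ip, src_port, dst_port, protocol) from the text.
FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")

class Gateway:
    """Toy GGSN/P-GW: meters bytes per flow as packets traverse the core network."""
    def __init__(self, prepaid=None):
        self.credit = dict(prepaid or {})      # online mode: subscriber -> prepaid bytes
        self.usage = defaultdict(int)          # (subscriber, flow) -> observed bytes

    def forward(self, subscriber, flow, size):
        """Account one packet; False means service is stopped (zero credit)."""
        if subscriber in self.credit:          # online charging: credit is checked first
            if self.credit[subscriber] <= 0:
                return False
            self.credit[subscriber] = max(0, self.credit[subscriber] - size)
        self.usage[(subscriber, flow)] += size  # charged volume = what the CN observed
        return True

    def cdrs(self):
        """Offline charging: one Charging Data Record per (subscriber, flow)."""
        return [{"subscriber": s, "flow": f, "bytes": b}
                for (s, f), b in sorted(self.usage.items())]

def bill(cdrs, policy, default_rate):
    """Billing Domain: price each CDR with the first policy rule whose fields all match.
    A rule is (match, rate_per_mb); match may name any subset of the five-tuple."""
    totals = defaultdict(float)
    for rec in cdrs:
        flow = dict(zip(FIELDS, rec["flow"]))
        rate = next((r for m, r in policy
                     if all(flow[k] == v for k, v in m.items())), default_rate)
        totals[rec["subscriber"]] += rec["bytes"] / 1_000_000 * rate
    return dict(totals)

def demo():
    gw = Gateway(prepaid={"bob": 2_000})       # bob is prepaid (online), alice is postpaid
    web = ("10.0.0.2", "203.0.113.5", 40000, 443, "tcp")
    video = ("10.0.0.2", "203.0.113.9", 40001, 8080, "udp")
    for _ in range(3):
        gw.forward("alice", web, 1_000_000)
    gw.forward("alice", video, 2_000_000)
    bob = [gw.forward("bob", ("10.0.0.3", "203.0.113.5", 50000, 443, "tcp"), 1_000)
           for _ in range(3)]                  # third packet is refused: credit exhausted
    policy = [({"dst_port": 8080, "protocol": "udp"}, 0.5)]   # flow-specific rate
    return bob, gw.cdrs(), bill(gw.cdrs(), policy, default_rate=1.0)
```

The bill depends only on the byte counts the gateway recorded per flow, so any review of charging correctness starts from how those CDRs are produced and which policy rule each flow matched.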