Post on 13-Apr-2018
Florida Institute for Cyber Security (FICS) Research
CS 5410 - Computer and Network Security:
Cellular
Professor Patrick TraynorFall 2017
Florida Institute for Cyber Security (FICS) Research
Who Are You?• We have built an array of mechanisms to attest to
identity for the Internet.
• Well, for well-known entities on the Internet.
• Phones are our backup, our trusted platform…
• …and yet even a security expert can not tell who is calling him/her.
• What we need are stronger notions of identity for these devices.
• …or at least an understanding of the limits…
2
Florida Institute for Cyber Security (FICS) Research
SMS and Identity• In what mistaken ways are we using identity and
phone networks now?
• Even when we are using SMS properly, are the mechanisms we are building robust? • B. Reaves, N. Scaife, D. Tian, L. Blue, P. Traynor and K. Butler, Sending out
an SMS: Characterizing the Security of the SMS Ecosystem with Public Gateways, Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2016
3
Florida Institute for Cyber Security (FICS) Research
The SMS Landscape
4
Cell Network
Core
SMSC SMSC
ESMEGateway
ESMEGateway
VOIPCarrier
ESMEReseller
ESMEReseller
ESMEReseller
Web Services
OTT Services
Cloud
Web Services
Encrypted
Not Encrypted
Over Internet
VOIPCarrier
Key
Core
Cell Network
Core
SMSC SMSC
ESMEGateway
ESMEGateway
VOIPCarrier
ESMEReseller
ESMEReseller
ESMEReseller
Web Services
OTT Services
Cloud
Web Services
Encrypted
Not Encrypted
Over Internet
VOIPCarrier
Key
Core
SMS Gateway
Florida Institute for Cyber Security (FICS) Research
Data Characterization• Collected ~400k text messages from 8 public
gateways over the course of 14 months.
• Our study looks at 421 phone numbers from 52 known carriers in 28 countries
• These interfaces are “receive only”, so what we saw was limited overwhelmingly to transactions (as opposed to conversations).
• Let’s chop the data into misuse and abuse.
5
Florida Institute of Cyber Security (FICS)
Misuse: PII in SMS
6
Password Resets
Usernames and Passwords
Names and Addresses
Credit Card Numbers
All sent over a channel believed to be secure
Florida Institute for Cyber Security (FICS) Research
Misuse: 2FA and Code Entropy
7
WeChat:rand()∗16 mod10000
Talk2:?
LINE:No leading 0s
chi-square Analysis:A mix of quality
Florida Institute for Cyber Security (FICS) Research
Abuse: Geo-Fencing• Shortened URL
services regularly seen.
• Messages to numbers in countries are often viewed outside of those countries.
8
Florida Institute for Cyber Security (FICS) Research
Abuse: Spam
• 2.7% of traffic appears to be spam.
• This is after provider filters have been run.
• Extended analysis of the ecosystem shows that academic solutions are no longer effective.
9
Florida Institute for Cyber Security (FICS) Research
Abuse: Phone Verified Accounts• Many of these services
advertise as a means of evading PVA systems.
• 50% of numbers have a lifetime of 20 days.
• Skew and kurtosis calculations show rapid use when numbers are introduced, followed by rapid decline.
10
Florida Institute for Cyber Security (FICS) Research
Abuse: Phone Verified Accounts• 2015 CCS paper (Google authors) argues that bad
providers and numbers can easily be blacklisted.
• All of our gateways spread numbers across multiple mobile and VoIP providers.
• Additionally, that work mentioned bulk blocking similar numbers.
• Our analysis showed that such a strategy will also not be successful as numbers are not allocated in blocks.
11
Florida Institute for Cyber Security (FICS) Research
Lessons• Phones (especially via SMS) are increasingly used to tie
accounts to identity.
• Some parties still treat these networks as physically separate and secure channels (but they aren’t).
• Others parties take advantage of the loose ties of numbers to identities (because they can).
• Since the publication of this paper, NIST has officially recommended that SMS not be used for 2FA.
12