Abstract
This paper is in the area of pseudonym-based enhancements of user identity privacy in mobile networks. Khan and Mitchell (2017) have found that in recently published pseudonym-based schemes an attacker can desynchronize the pseudonyms’ state in the user equipment and in its home network. In this paper, we first show that by exploiting this vulnerability a botnet of mobile devices can kick a large portion of the users of a mobile network out of service. We characterize this novel DDoS attack analytically and confirm our analysis using a simulation. Second, we explain how to modify the pseudonym-based schemes in order to mitigate the DDoS attack. The proposed solution is simpler than that in Khan and Mitchell (2017). We also discuss aspects of pseudonym usage in mobile networks from the charging and regulatory points of view.
References
Samfat, D., Molva, R., Asokan, N.: Untraceability in mobile networks. In: Proceedings of the 1st Annual International Conference on Mobile Computing and Networking, MobiCom 1995, pp. 26–36. ACM, New York (1995)
Strobel, D.: IMSI Catcher, July 2007. https://www.emsec.rub.de/media/crypto/attachments/files/2011/04/imsi_catcher.pdf
Ginzboorg, P., Niemi, V.: Privacy of the long-term identities in cellular networks. In: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, MobiMedia 2016, ICST (2016)
Soltani, A., Timberg, C.: Tech firm tries to pull back curtain on surveillance efforts in Washington, September 2014. https://www.washingtonpost.com/world/national-security/researchers-try-to-pull-back-curtain-on-surveillance-efforts-in-washington/2014/09/17/f8c1f590-3e81-11e4-b03f-de718edeb92f_story.html?utm_term=.96e31aa4440b
Ney, P., Smith, J., Gabriel, C., Tadayoshi, K.: SeaGlass: enabling city-wide IMSI-catcher detection. In: Proceedings on Privacy Enhancing Technologies, PoPETs (2017)
Intelligence, P.E.: 3G UMTS IMSI Catcher. http://www.pki-electronic.com/products/interception-and-monitoring-systems/3g-umts-imsi-catcher/
Van den Broek, F., Verdult, R., de Ruiter, J.: Defeating IMSI catchers. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015. ACM (2015)
Khan, M.S.A., Mitchell, C.J.: Improving air interface user privacy in mobile telephony. In: Chen, L., Matsuo, S. (eds.) SSR 2015. LNCS, vol. 9497, pp. 165–184. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27152-1_9
Norrman, K., Näslund, M., Dubrova, E.: Protecting IMSI and user privacy in 5G networks. In: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, MobiMedia 2016, ICST (2016)
Muthana, A.A., Saeed, M.M.: Analysis of user identity privacy in LTE and proposed solution. Int. J. Comput. Netw. Inf. Secur. (IJCNIS) 1, 54–63 (2017). MECS Publisher
Khan, M., Mitchell, C.: Trashing IMSI catchers in mobile networks. In: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017), Boston, USA, 18–20 July 2017. Association for Computing Machinery (ACM), United States, May 2017
3GPP: 3GPP TS 33.102 V14.1.0 Security architecture (Release 14), March 2017. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2262
3GPP: 3GPP TS 33.401 V15.0.0 Security architecture (Release 15), June 2017. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2296
3GPP: 3GPP TS 23.012 V14.0.0 Location management procedures (Release 14), March 2017. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=735
Ahlström, M., Holmberg, S.: Prototype Implementation of a 5G Group-Based Authentication and Key Agreement Protocol (2016). http://lup.lub.lu.se/luur/download?func=downloadFile&recordOId=8895975&fileOId=8895979
Traynor, P., Lin, M., Ongtang, M., Rao, V., Jaeger, T., McDaniel, P., La Porta, T.: On cellular botnets: measuring the impact of malicious devices on a cellular network core. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 223–234. ACM, New York (2009)
Xiang, C., Binxing, F., Lihua, Y., Xiaoyi, L., Tianning, Z.: Andbot: towards advanced mobile botnets. In: Proceedings of the 4th USENIX Conference on Large-scale Exploits and Emergent Threats, LEET 2011, p. 11. USENIX Association, Berkeley (2011)
Chen, W., Luo, X., Yin, C., Xiao, B., Au, M.H., Tang, Y.: MUSE: towards robust and stealthy mobile botnets via multiple message push services. In: Liu, J.K.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9722, pp. 20–39. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40253-6_2
Linuxbsdos: Geinimi a Sophisticated New Android Trojan Found in Wild (2010). http://linuxbsdos.com/2010/12/29/geinimi-sophisticated-new-android-trojan-found-in-wild/
KrebsonSecurity: ZeuS Trojan for Google Android Spotted (2011). https://krebsonsecurity.com/2011/07/zeus-trojan-for-google-android-spotted/
Jiang, X.: Security Alert: AnserverBot, New Sophisticated Android Bot Found in Alternative Android Markets (2011). https://www.csc2.ncsu.edu/faculty/xjiang4/AnserverBot/
Tung, L.: Android Dreamdroid two: rise of laced apps (2011). https://www.itnews.com.au/news/android-dreamdroid-two-rise-of-lacedapps-259147
Karim, A., Shah, S.A.A., Salleh, R.B., Arif, M., Noor, R.M., Shamshirband, S.: Mobile botnet attacks - an emerging threat: classification, review and open issues. KSII Trans. Internet Inf. Syst. 9(4), 1471–1492 (2015)
Muncaster, P.: Chinese cops cuff 1,500 in fake base station spam raid, March 2014. https://www.theregister.co.uk/2014/03/26/spam_text_china_clampdown_police/
Wikipedia: Data Retention Directive. https://en.wikipedia.org/wiki/Data_Retention_Directive
Acknowledgement
We thank Markku Antikainen for the useful discussion to characterize the DDoS attack and his help to optimize the code of the simulation of the DDoS attack.
Appendices
Appendix A
Let us consider \(\mathcal {M}\) bins, each labeled with a pseudonym or IMSI. Choosing m random pseudonyms with replacement and sending them in an attach request can be compared with the classic experiment of throwing m balls into \(\mathcal {M}\) bins. The number of users affected by sending m attach requests is the same as the number of bins that get two or more balls after throwing m balls into \(\mathcal {M}\) bins. The probability that a particular bin gets no balls is \(\left( 1-\frac{1}{\mathcal {M}}\right) ^m\). The probability that this bin gets exactly one ball is \(\binom{m}{1} \frac{1}{\mathcal {M}}\left( 1-\frac{1}{\mathcal {M}}\right) ^{m-1}\). Consequently, the probability that the bin will get two or more balls is:
If n is the number of users in the HN, then by linearity of expectation, the expected number of affected users would be:
Consequently, the expected portion of affected users would be:
Appendix B
In the without-replacement attack, the attacker sends all the pseudonyms incrementally starting from 0 across the whole MSIN space. Let us consider that the pseudonym x is the first attack on a user’s \(p'\). Once the user’s \(p'\) is attacked, the HN updates \(p \leftarrow p'\) and chooses a new unused \(p'\) randomly. If the attacker sends a total of m pseudonyms to the HN, then the probability that the user’s new \(p'\) will once again be attacked is: \(\frac{m-x}{\mathcal {M}}\). If n is the total number of subscribers in the HN and \(m \le \mathcal {M}\) (first round), then the expected number of subscribers affected after sending m pseudonyms is:
Consequently, the expected portion of affected users would be \(\frac{m^2}{2\mathcal {M}^2}\) where \(m \le \mathcal {M}\).
Let us now consider the case where \(\mathcal {M} < m \le 2\mathcal {M}\) (second round). The attacker again sends all the pseudonyms incrementally starting from 0. Choosing a pseudonym x will affect a user (who has not yet been affected) only if x is the pseudonym of a user who was attacked only once in the first round. The probability of that event is: \(1 - \frac{x}{\mathcal {M}}\). So, after sending \(m = \mathcal {M} + m'\) pseudonyms, the expected number of affected users would be:
Consequently, the expected portion of affected users would be \(\frac{1}{\mathcal {M}} \left( 2m - \mathcal {M} - \frac{m^2}{2\mathcal {M}} \right) \) where \(\mathcal {M} < m \le 2\mathcal {M}\).
Even though x in the above derivation is a discrete variable, we have used integration. So, the result we have found here is an approximation since \(\mathcal {M}\) is large. We expect it to be a good approximation.
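The two appendices can be checked numerically, which helps when gauging how the size of the pseudonym space \(\mathcal {M}\) limits exposure. The following is an added example, not the authors' simulation code: the function names and the sample size are assumptions, the Appendix A closed form is obtained by subtracting the two probabilities stated there from 1, and the Appendix B function encodes the two portions given in the text.

```python
import random

def portion_with_replacement(m, M):
    """Appendix A: P(a bin gets >= 2 of m balls) = 1 - P(no ball) - P(one ball)."""
    q = 1.0 - 1.0 / M
    return 1.0 - q**m - (m / M) * q**(m - 1)

def simulate_with_replacement(m, M, seed=1):
    """Throw m balls into M bins and return the fraction of bins with >= 2 balls.

    Averaging over all M bins estimates the per-bin probability, which by
    linearity of expectation equals the expected portion of affected users.
    """
    rng = random.Random(seed)          # fixed seed: repeatable run
    counts = [0] * M
    for _ in range(m):
        counts[rng.randrange(M)] += 1
    return sum(c >= 2 for c in counts) / M

def portion_without_replacement(m, M):
    """Appendix B: expected portion for the first (m <= M) and second round."""
    if not 0 <= m <= 2 * M:
        raise ValueError("Appendix B covers 0 <= m <= 2M only")
    if m <= M:
        return m**2 / (2 * M**2)
    return (2 * m - M - m**2 / (2 * M)) / M

if __name__ == "__main__":
    M = 50_000                         # constructed size, not a real MSIN space
    print("m/M   A analytic  A simulated  B analytic")
    for m in (M // 10, M // 2, M, 2 * M):
        print(f"{m / M:<5.1f} {portion_with_replacement(m, M):<11.4f} "
              f"{simulate_with_replacement(m, M):<12.4f} "
              f"{portion_without_replacement(m, M):.4f}")
```

The two Appendix B expressions agree at \(m = \mathcal {M}\) (both give one half) and the second reaches 1 at \(m = 2\mathcal {M}\), which is a quick consistency check on the piecewise result.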
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Khan, M., Järvinen, K., Ginzboorg, P., Niemi, V. (2017). On De-synchronization of User Pseudonyms in Mobile Networks. In: Shyamasundar, R., Singh, V., Vaidya, J. (eds) Information Systems Security. ICISS 2017. Lecture Notes in Computer Science, vol 10717. Springer, Cham. https://doi.org/10.1007/978-3-319-72598-7_22
DOI: https://doi.org/10.1007/978-3-319-72598-7_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72597-0
Online ISBN: 978-3-319-72598-7
eBook Packages: Computer Science (R0)