research-article

Dissecting Operational Cellular IoT Service Security: Attacks and Defenses

Published: 19 September 2023

Abstract

More than 150 cellular networks worldwide have rolled out LTE-M (LTE-Machine Type Communication) and/or NB-IoT (Narrow Band Internet of Things) technologies to support massive IoT services such as smart metering and environmental monitoring. Such cellular IoT services share the existing cellular network architecture with non-IoT (e.g., smartphone) services. When they are newly integrated into the cellular network, imprudent integration may introduce new security vulnerabilities. In this work, we explore the security vulnerabilities of cellular IoT from both system-integrated and service-integrated aspects. We discover several vulnerabilities spanning cellular standard design defects, network operation slips, and IoT device implementation flaws. Alarmingly, they allow an adversary to remotely identify IP addresses and phone numbers assigned to cellular IoT devices, interrupt their power saving services, and launch various attacks against them, including data/text spamming, battery draining, and device hibernation. We validate these vulnerabilities over five major cellular IoT carriers in the U.S. and Taiwan using their certified cellular IoT devices. The attack evaluation results show that the adversary can raise an IoT data bill by up to $226 with less than 120 MB of spam traffic, increase an IoT text bill at a rate of $5 per second, and prevent an IoT device from entering/leaving power saving mode; moreover, cellular IoT devices may suffer from denial of IoT services. We finally propose, prototype, and evaluate recommended solutions.


Published In

IEEE/ACM Transactions on Networking  Volume 32, Issue 2
April 2024
927 pages

Publisher

IEEE Press
