Citation
Authentication Techniques for Heterogeneous Telephone Networks

Material Information

Title:
Authentication Techniques for Heterogeneous Telephone Networks
Creator:
Reaves, Bradley G
Place of Publication:
[Gainesville, Fla.]
Florida
Publisher:
University of Florida
Publication Date:
Language:
english
Physical Description:
1 online resource (184 p.)

Thesis/Dissertation Information

Degree:
Doctorate ( Ph.D.)
Degree Grantor:
University of Florida
Degree Disciplines:
Computer Engineering
Computer and Information Science and Engineering
Committee Chair:
TRAYNOR,PATRICK
Committee Co-Chair:
BUTLER,KEVIN
Committee Members:
WILSON,JOSEPH N
SHRIMPTON,THOMAS
FORTE,DOMENIC J

Subjects

Subjects / Keywords:
authentication -- computer security -- telephone
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre:
bibliography ( marcgt )
theses ( marcgt )
government publication (state, provincial, territorial, dependent) ( marcgt )
born-digital ( sobekcm )
Electronic Thesis or Dissertation
Computer Engineering thesis, Ph.D.

Notes

Abstract:
The global telephone network is relied upon daily by billions worldwide for reliable communications. Beyond their use for communications, telephones are being used as a solution to identify users on the Internet because almost every person globally has at least one phone number. Unfortunately, telephones are also plagued with fraud and abuse, making this use and many others insecure. This abuse is ultimately caused by the fact that the phone network offers no strong guarantees of identity, and addressing this problem is complicated by the fact that the network is composed of many different and largely incompatible technologies. In this study, we examine the poor state of authentication in telephone networks and provide new mechanisms to authenticate callers to each other. We begin by examining how the telephone network -- specifically, text messaging -- is being used to bolster claims of identity and authentication in Internet systems, finding that public gateways negate many of the supposed advantages of these techniques. We then turn our attention to interconnect bypass fraud, showing that while telephone networks cannot effectively determine the true origin of a phone call, we can provide mechanisms based on in-call audio measurements to detect so-called "simboxing fraud." Finally, we develop two new systems, Authloop and AuthentiCall, to address call authentication. Both systems provide strong cryptographic authentication of callers. Authloop transmits this information through call audio, while AuthentiCall uses an auxiliary data channel to authenticate both call end points and call content. In total, this thesis provides mechanisms to prevent robocalling, phone phishing, and interconnect bypass fraud, preventing billions of dollars in fraud and restoring trust and confidence in the phone network. ( en )
General Note:
In the series University of Florida Digital Collections.
General Note:
Includes vita.
Bibliography:
Includes bibliographical references.
Source of Description:
Description based on online resource; title from PDF title page.
Source of Description:
This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Thesis:
Thesis (Ph.D.)--University of Florida, 2017.
Local:
Adviser: TRAYNOR,PATRICK.
Local:
Co-adviser: BUTLER,KEVIN.
Statement of Responsibility:
by Bradley G Reaves.

Record Information

Source Institution:
UFRGP
Rights Management:
Applicable rights reserved.
Classification:
LD1780 2017 ( lcc )

Full Text

PAGE 1

AUTHENTICATION TECHNIQUES FOR HETEROGENEOUS TELEPHONE NETWORKS

By

BRADLEY GALLOWAY REAVES

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA

2017

PAGE 2

2017 Bradley Galloway Reaves

PAGE 3

For Sarah

PAGE 4

ACKNOWLEDGMENTS

I am only writing this today because of the multitude of family, friends, teachers, and colleagues who helped get me here. This journey began in high school, when Mrs. Reid, my English teacher, suggested that I would make a good college professor. I wasn't sure about the idea until my second programming class in college. I loved programming, so I would do the lab assignments at home, then show up in the lab to demonstrate the project to the TA. My work for the week was done, but I didn't leave the lab. Instead, I stayed for the next few hours helping other students when they needed help with the programming assignments. It became the best part of my week, and I realized that there was no career I wanted more than to be a professor of computing.

Having a goal and knowing what it takes to achieve it are two very different things. At the time I knew I needed a PhD, but nothing of what it took to get one. Luckily, I had wonderfully supportive professors and advisors who told me what it took, and one in particular helped me take the first steps toward a research career. Tommy Morris was a new professor at Mississippi State, and after teaching my digital design class offered me a (paid!) position in his research lab. I thought I'd be doing scut work, but he very quickly let me define my own project: analyzing the security of digital radios. Along the way, he taught me the basics of computer security, how to define and execute a research project, how the publication process works, and helped me win an NSF Graduate Fellowship.

As I finished my master's degree, I desperately wanted to learn how to do the best research I could, and I knew I still had so much to learn. By certain divine providence, I joined Patrick Traynor's group at Georgia Tech.

Patrick Traynor has, over the course of the past six years, become the single greatest professional influence on my life. He has been not just an amazing academic advisor, but also an incomparable friend, confidant, occasional running coach, and an exemplar of what it means to live life fully. He taught me every aspect of my craft, including how to be an impactful teacher, mentor, manager, technologist, and researcher, and he

PAGE 5

believed in me even when I did not believe in myself. He showed me by his example that as important and rewarding as it is to pour everything you have into your career, it is far more important to care for your family and put their needs first. If I am a fraction of the teacher, advisor, husband, and father that he is I will lead a full and rich life.

Very few doctoral courses follow a straight-line path, and my course was no exception. The greatest surprise and kismet occurred when Patrick Traynor moved to the University of Florida in 2014 to found the Florida Institute for Cyber Security Research (FICS), and I joined him as a founding member of the group. While leaving Georgia Tech and Atlanta was bittersweet and meant leaving behind good friends and colleagues, UF provided bountiful opportunities that I would have been a fool to miss. At FICS, I had the pleasure of working with a group of friends and colleagues who were not only all dedicated to building one of the world's finest computer security research groups, but to have fun doing so. I know that what success I have had has been enabled by the support and camaraderie of the great group of students and faculty at FICS. There is nothing better than working with a group of friends you can rely upon in the trenches.

UF provided a wonderful home to write my dissertation, but satisfying the University's rigorous requirements as a transfer student would not have been possible without the support of the CISE graduate advisor, Adrienne Cook. I can say with no reservation that I would not have graduated without her tireless support and assistance. She not only regularly made the seemingly impossible happen, her exceptional optimism and friendliness made every visit to her office a delight.

I would also like to thank my dissertation committee for their helpful advice and guidance in completing this dissertation.

One of the lessons I learned from Patrick Traynor was that it is far better to work with others on projects than to work alone, and he proved that to me by grafting me into an extensive academic family. Kevin Butler was always ready with a brilliant insight or helpful comment to make my work much better than it would have been otherwise.

PAGE 6

Will Enck showed me how wonderful collaboration can be and was always ready with encouragement. Patrick McDaniel gave me the advice I needed at precisely the right times.

I'm also grateful to my family, who gave me everything I needed to be successful. My mother nurtured (and sometimes even bravely endured) my insatiable curiosity, while my father taught me to love learning how things worked, building and making things, and the courage to believe I can do anything I put my mind to. My stepmother Angela showed me what it means to love someone as your own. Pat Bradley, my grandmother, taught me to love reading and to find humor in everything. My grandmother Ann showed me what endless patience and self-sacrificing love truly mean, and my grandfather John demonstrated what discipline and a strong work ethic can achieve.

Sarah Anderson Reaves has been with me since well before this long journey was even an idea. She has selflessly loved me through everything: a decade of rootlessness and the uncertainty of college and graduate school; the long days and sometimes even longer nights of coursework, research, and travel; self-doubt and delusions of grandeur; celebrations and disappointments; crises and opportunities. Through all of it she has been my greatest supporter and my best friend. This thesis and the degree it completes would never have happened were it not for the love she gave and the sacrifices she made, large and small. I am so very lucky I get to share my life with her.

To everyone mentioned here, and all those who have helped me become who I am: thank you from the bottom of my heart.

PAGE 7

TABLE OF CONTENTS

                                                            page
ACKNOWLEDGMENTS ... 4
LIST OF TABLES ... 10
LIST OF FIGURES ... 11
ABSTRACT ... 13

CHAPTER
1 INTRODUCTION ... 15
  1.1 Thesis Statement ... 17
  1.2 Contributions ... 17
  1.3 Organization ... 17
  1.4 Publications ... 18
2 BACKGROUND AND RELATED WORK ... 19
  2.1 The Modern SMS Ecosystem ... 19
  2.2 Telephone Network Background ... 22
    2.2.1 Landline Networks ... 23
    2.2.2 Cellular Networks ... 24
    2.2.3 VoIP ... 26
    2.2.4 Challenges to Authenticating Phone Calls ... 27
  2.3 Related Work ... 29
    2.3.1 Prior Work on SMS Use and Abuse ... 29
    2.3.2 Telephony Fraud and Detection ... 30
    2.3.3 Prior Work Authenticating Phone Calls ... 31
    2.3.4 Audio Quality Measurement ... 32
3 CHARACTERIZING THE SECURITY OF THE SMS ECOSYSTEM WITH PUBLIC GATEWAYS ... 34
  3.1 Methodology ... 36
    3.1.1 Public Gateways ... 36
    3.1.2 Crawling Public Gateways ... 40
    3.1.3 Additional Data Sources and Analyses ... 40
    3.1.4 Message Clustering ... 43
    3.1.5 Message Intentions ... 45
  3.2 Data Characterization ... 46
    3.2.1 Gateways and Messages ... 46
    3.2.2 Infrastructure ... 46
    3.2.3 Geography ... 48
    3.2.4 Clusters ... 49

PAGE 8

    3.2.5 SMS Usage ... 49
  3.3 Uses of SMS as a Secure Channel ... 51
    3.3.1 PII and other Sensitive Information ... 51
    3.3.2 SMS Code Entropy ... 55
    3.3.3 Takeaways ... 58
  3.4 Abuses of SMS ... 59
    3.4.1 Gateways and PVA ... 59
    3.4.2 Detecting Gateways ... 61
    3.4.3 Abuse Campaigns in SMS ... 65
    3.4.4 Takeaways ... 69
4 DETECTING INTERCONNECT BYPASS FRAUD ... 73
  4.1 What is a Simbox? ... 75
    4.1.1 How Simbox Fraud Works ... 76
    4.1.2 Consequences of Simbox Operation ... 78
  4.2 Methodology ... 79
    4.2.1 Inputs to Ammit ... 80
    4.2.2 Detecting Unconcealed Losses ... 81
    4.2.3 Detecting Concealed Losses in GSM-FR ... 84
    4.2.4 Simbox Decision and SIM Detection ... 85
    4.2.5 Efficiency of Ammit ... 86
  4.3 Threat Model and Evasion ... 86
    4.3.1 Security Assumptions ... 87
    4.3.2 Evasion ... 87
  4.4 Experimental Setup ... 90
    4.4.1 Speech Corpus ... 90
    4.4.2 VoIP Degradation and Loss ... 91
    4.4.3 GSM Air Loss ... 93
    4.4.4 Simboxing SIM Detection Test ... 93
    4.4.5 Real Simbox Tests ... 94
    4.4.6 Technical Considerations ... 95
  4.5 Detection Results ... 97
    4.5.1 Simulated Call Analysis ... 98
    4.5.2 Detection of Real Simboxes ... 99
    4.5.3 Discussion ... 99
    4.5.4 Ammit Performance ... 100
5 PRACTICAL END-TO-END CRYPTOGRAPHIC AUTHENTICATION FOR TELEPHONY OVER VOICE CHANNELS ... 102
  5.1 Voice Channel Data Transmission ... 104
    5.1.1 Challenges to Data Transmission ... 104
    5.1.2 Modem Design ... 105
    5.1.3 Link Layer ... 108
    5.1.4 Framing and Error Detection ... 108

PAGE 9

    5.1.5 Acknowledgment and Retransmission ... 110
    5.1.6 Naive TLS over Voice Channels ... 111
  5.2 Security Model ... 111
  5.3 AuthLoop Protocol ... 114
    5.3.1 Design Considerations ... 114
    5.3.2 Protocol Definition ... 115
    5.3.3 Formal Verification ... 116
    5.3.4 Implementation Parameters ... 116
  5.4 Evaluation ... 118
    5.4.1 Prototype Implementation ... 118
    5.4.2 Modem Evaluation ... 120
    5.4.3 Link Layer Evaluation ... 120
    5.4.4 Handshake Evaluation ... 121
  5.5 Discussion ... 122
    5.5.1 Client Credentials ... 122
    5.5.2 Telephony Public Key Infrastructure ... 123
    5.5.3 Deployment Considerations ... 125
6 EFFICIENT IDENTITY AND CONTENT AUTHENTICATION FOR PHONE CALLS ... 126
  6.1 Security Model ... 128
  6.2 Protocol Design and Evaluation ... 130
    6.2.1 Enrollment Protocol ... 131
    6.2.2 Handshake Protocol ... 134
    6.2.3 Call Integrity Protocol ... 136
    6.2.4 Evaluation ... 137
  6.3 Speech Digest Design and Evaluation ... 137
    6.3.1 Construction ... 140
    6.3.2 Implementation and Evaluation ... 142
  6.4 System Implementation ... 149
  6.5 Results ... 150
    6.5.1 Experiment Setup ... 150
    6.5.2 Enrollment Protocol ... 150
    6.5.3 Handshake Protocol ... 151
    6.5.4 Speech Digest Performance ... 152
  6.6 Discussion ... 153
7 SUMMARY AND CONCLUSIONS ... 158

REFERENCES ... 161
BIOGRAPHICAL SKETCH ... 184

PAGE 10

LIST OF TABLES

Table                                                       page
3-1  Message and Phone Number Count by Gateway ... 37
3-2  Gateway Message and Phone Number Count by Country ... 47
3-3  Types of Carriers Used By Gateways ... 47
3-4  Message counts by code type ... 50
3-5  Code Randomness Statistics by Service ... 56
3-6  Message, URL Click, and Test Message Counts by Country ... 62
3-7  Similar Phone Number Counts by Gateway ... 63
3-8  Similar Number Counts by Carrier Type ... 64
3-9  Phishing Domains in Gateway Messages ... 67
3-10 VirusTotal Scans for URLs in Gateway Messages ... 68
5-1  TLS Handshake Sizes ... 112
5-2  Bit error rates. ... 120
5-3  Link layer transmission of 2000 bits. ... 120
5-4  Handshake completion times. ... 121

PAGE 11

LIST OF FIGURES

Figure                                                      page
2-1  SMS Ecosystem Diagram ... 20
2-2  Telephone Network Architecture ... 22
2-3  Effects of AMR Codec on Sample Audio ... 27
3-1  Cluster Sizes ... 49
3-2  Heatmaps of codes ... 57
3-3  Gateway Number Lifetime Statistics. ... 70
3-4  Maps Indicating Locations of Gateway Message Senders ... 71
3-5  Phishing SMS Message ... 72
3-6  SMS Phishing Page Screenshot ... 72
4-1  Typical and Simboxed Calls ... 77
4-2  Short Term Energy Loss Detection ... 82
4-3  GSM-FR PLC in Time and Cepstral Domain ... 84
4-4  Simbox Testbed Block Diagram ... 94
4-5  Laboratory Simbox Testbed ... 96
4-6  Call Detection vs. Loss Rate ... 97
4-7  SIM Detection Performance ... 98
4-8  Ammit Analysis Time ... 101
5-1  Example Modem Transmission ... 105
5-2  Link layer state machine. ... 110
5-3  AuthLoop Authentication Protocol ... 112
5-4  AuthLoop message sizes. ... 117
5-5  Telephony Public Key Infrastructure ... 124
6-1  Caller ID and Call Content Attacks ... 128
6-2  Enrollment Protocol ... 132
6-3  Handshake Protocol ... 134

PAGE 12

6-4  Call Integrity Protocol ... 136
6-5  RSH Digest Process ... 139
6-6  RSH BER after audio degradation ... 144
6-7  RSH BER on Adversarial Audio ... 145
6-8  RSH Receiver Operating Characteristic ... 146
6-9  AuthentiCall Enrollment Time ... 151
6-10 AuthentiCall Handshake Time ... 152
6-11 Digest Performance on Real Calls ... 154
6-12 Prototype User Interface ... 156

PAGE 13

Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

AUTHENTICATION TECHNIQUES FOR HETEROGENEOUS TELEPHONE NETWORKS

By

Bradley Galloway Reaves

August 2017

Chair: Patrick G. Traynor
Major: Computer Engineering

The global telephone network is relied upon daily by billions worldwide for reliable communications. Beyond their use for communications, telephones are being used as a solution to identify users on the Internet because almost every person globally has at least one phone number. Unfortunately, telephones are also plagued with fraud and abuse, making this use and many others insecure. This abuse is ultimately caused by the fact that the phone network offers no strong guarantees of identity, and addressing this problem is complicated by the fact that the network is composed of many different and largely incompatible technologies.

In this study, we examine the poor state of authentication in telephone networks and provide new mechanisms to authenticate callers to each other. We begin by examining how the telephone network -- specifically, text messaging -- is being used to bolster claims of identity and authentication in Internet systems, finding that public gateways negate many of the supposed advantages of these techniques. We then turn our attention to interconnect bypass fraud, showing that while telephone networks cannot effectively determine the true origin of a phone call, we can provide mechanisms based on in-call audio measurements to detect so-called "simboxing fraud." Finally, we develop two new systems, Authloop and Authenticall, to address call authentication. Both systems provide strong cryptographic authentication of callers. Authloop transmits this information through call audio, while Authenticall uses an auxiliary data channel to authenticate

PAGE 14

both call end points and call content. In total, this thesis provides mechanisms to prevent robocalling, phone phishing, and interconnect bypass fraud, preventing billions of dollars in fraud and restoring trust and confidence in the phone network.

PAGE 15

CHAPTER 1
INTRODUCTION

Since its invention in the late nineteenth century, telephones have revolutionized personal and professional communications. Even decades after the emergence of the Internet as a commodity communication network for both people and networks, the telephone remains an important communications system. The global telephone network supports 4.7 billion mobile users [1], 1 billion fixed-line subscribers [2], and at least 100 million VoIP lines [3].

One of the reasons for the continued relevance of the telephone is that it has changed drastically over the past century. Telephones have evolved from the original fixed landline analog telephones, to add digital switching and dialing, mobile service, and finally Internet telephony (VoIP). When cellular networks enabled the short message system (i.e., text messages), they made mobile instant messaging an essential part of everyday life. All of these new technologies were deployed concurrently with legacy systems, and in fact the phone network to this day remains interoperable with legacy equipment like rotary-dial phones that are decades old.

These changes have changed how users have used telephone systems, and new innovations have made many new services possible. They have also created new security issues. SMS spam is orders of magnitude easier to distribute than robodialing end users. Digital PBXs^1 have reduced the costs of small and large business telephony, but they are vulnerable to compromise through the same vulnerabilities that affect traditional servers. VoIP providers have made elastically sizing telephony demands simple and inexpensive, but they also facilitate frauds that rely on the ability to spoof caller ID and churn numbers rapidly. Many of these issues are complicated by the requirement of the network to be compatible with heterogeneous technologies.

^1 Private Branch Exchanges are the telephony equivalent of a LAN switch or router.

PAGE 16

In spite of these issues, heterogeneous telephony networks (including voice and text messaging) are still relied upon daily for the most sensitive transactions, including banking, finance, and sensitive information exchange. Telephones are also increasingly used to serve as authenticators for account creation and login for many online services. This situation is unfortunate because the telephone system offers no network support for authentication. In the general case, users, devices, and carriers have no non-asserted way of determining endpoints of a call even for trained experts. This lack of authentication abets billions of dollars a year in fraud according to the Communications Fraud Control Association [4].

Authentication -- the determination of identity -- is one of the most fundamental properties any secure network must provide. Without strong authentication, network entities cannot know with reliability who they are speaking to. Also without authentication, networks face significant difficulties detecting, preventing, or even attributing the source of fraudulent or abusive behavior. Telephone network operators realized this problem early in the history of the phone network [5], and as a result they developed strong authentication techniques to authenticate users to the networks that serve them. In the case of cellular and VoIP networks, this involved cryptographic authentication of endpoints. However, this strong authentication only authenticates the phone to the network -- not phones to other phones. As a result, this lack of authentication means that pretending to be another party in the phone network is trivial in many cases. This lack of authentication prevents attributing the true source of phone scams, including voice spam and phishing, and is at the root of many of the problems in the phone networks.

In this thesis, we provide new techniques for authenticating users and calls in telephone networks. We address three critical security problems: SMS authentication problems, interconnect bypass fraud, and caller ID spoofing. These problems represent billions of dollars in fraud caused by poor authentication in telephone networks. Our solutions to these problems have the potential to transform telephony from a

PAGE 17

"weakest-link" network into a source of strong authentication not just for telephony but for Internet authentication as well.

1.1 Thesis Statement

The purpose of this work is to characterize authentication in telephone networks and provide practical deployable systems that improve authentication for carriers, organizations, and end users. Accordingly, the central thesis of this dissertation is:

Weak authentication in heterogeneous telephone networks enables fraud and abuse of the network and other services. New authentication mechanisms can use call audio to detect or prevent fraud and provide stronger guarantees than the network currently provides.

1.2 Contributions

This thesis makes the following contributions:

1. Measurement of reliance on telephone networks for authentication: We show empirically that many organizations and users rely on the telephone network for authenticating new or existing accounts.

2. Detection of interconnect bypass fraud: We develop the Ammit system to detect interconnect bypass calls in real time with high accuracy.

3. End-to-end authentication for heterogeneous telephony networks: We develop the Authloop system to provide authentication of end users over the voice channels.

4. End-to-end authentication over data channels: We relax the assumptions we made in Authloop and provide a novel call authentication system for endpoints that have a simultaneous data connection.

1.3 Organization

The remainder of this dissertation is organized as follows: Chapter 2 provides background on phone networks and a discussion of the prior work on telephone security. Chapter 3 characterizes how the SMS network is used for

PAGE 18

authentication purposes and how that authentication is abused. Chapter 4 describes a mechanism to detect interconnect bypass fraud. Chapter 5 describes the Authloop system to authenticate phone calls using the voice channel of the call. Chapter 6 describes the Authenticall system to authenticate phone calls using an auxiliary data channel. Finally, Chapter 7 provides a discussion of concluding remarks and future research directions.

1.4 Publications

This dissertation is based on the following publications:

Bradley Reaves, Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, and Kevin Butler. Sending Out an SMS: Characterizing the Security of the SMS Ecosystem with Public Gateways. In Proceedings of the 37th IEEE Symposium on Security and Privacy, San Jose, CA, May 2016. (Acceptance Rate: 13.0%).

Bradley Reaves, Ethan Shernan, Adam Bates, Henry Carter, and Patrick Traynor. Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge. In Proceedings of the 24th USENIX Security Symposium, 2015. (Acceptance Rate: 15.7%).

Bradley Reaves, Logan Blue, and Patrick Traynor. Authloop: Practical End-to-End Cryptographic Authentication for Telephony over Voice Channels. In Proceedings of the 25th USENIX Security Symposium, Austin, TX, August 2016. (Acceptance Rate: 15.5%).

Bradley Reaves, Logan Blue, Hadi Abdullah, Luis Vargas, Patrick Traynor, and Tom Shrimpton. AuthentiCall: Efficient Identity and Content Authentication for Phone Calls. In Proceedings of the 26th USENIX Security Symposium, Vancouver, BC, August 2017. (Acceptance Rate: 16.3%).

PAGE 19

CHAPTER 2
BACKGROUND AND RELATED WORK

This thesis concerns end-to-end authentication of users and phone calls in the complex and diverse landscape of modern telephony. The first section of this chapter provides background information on text messaging, and the second section of this chapter provides background on telephone calls that will be needed to understand later chapters. The third section of this chapter describes related work in the area of security of telephony.

2.1 The Modern SMS Ecosystem

In this section, we describe at a high level how text messages are sent and received, with a special emphasis on recent developments that have greatly expanded the SMS ecosystem. This information provides background for Chapter 3, which describes how text messages are used for authenticating end users.

Figure 2-1 shows the components of the modern SMS ecosystem in detail. Short Messaging Service Centers (SMSCs) route messages through carrier networks and are the heart of the SMS system [6]. These entities receive inbound text messages and handle delivery of these messages to mobile users in the network using a store-and-forward regime similar to email. When a mobile device sends or receives a text message, the message is encrypted between the phone and the base station serving the phone; however, once inside the core network the message is typically not encrypted.

Text messages^1 are not just sent between individuals, but also by parties external to the network known as External Short Message Entities (ESMEs). ESMEs form an entire industry dedicated to facilitating the sending and receiving of messages for large-scale organizations for purposes as diverse as emergency alerts, donations to charities, or receiving one-time passwords [7]. These ESMEs act as gatekeepers and interfaces to

^1 We use SMS and "text message" interchangeably.

PAGE 20

[Figure 2-1 (diagram). Labels: Cell Network Core; SMSC; ESME Gateway; VOIP Carrier; ESME Reseller; Web Services; OTT Services; Cloud. Key: Encrypted; Not Encrypted; Over Internet.]

Figure 2-1. While viewed as existing solely within cellular networks, the modern SMS ecosystem includes a wide variety of non-traditional carriers, ESME gateways and resellers, and OTT services. This evolution challenges old assumptions (e.g., phone numbers represent mobile devices tied to a single identity) and creates new opportunities for interception. Accordingly, evaluating the state of this ecosystem is critical to understanding the security it provides.

SMS. Some have direct connections to SMSCs in carrier networks via SMPP (Short Message Peer-to-Peer) [8], while others resell such access purchased from other ESMEs. For example, the VoIP carrier Bandwidth.com provides SMS access to many third party services. Recently, startups like Twilio [9], Nexmo [10], and Plivo [11] serve as ESMEs and provide easy-to-deploy, low cost voice and SMS services. They serve a number of high-profile clients, including Uber, Coca Cola, and eBay.

Just as the methods for SMS distribution have evolved over the past two decades, how end users receive SMS has evolved as well. Originally, SMS were only delivered to mobile phones or to ESMEs. With the advent of smartphones, this ecosystem is changing rapidly. Over-the-top networks like Burner [12], Pinger [13], and Google Voice [14] provide SMS and voice services over data networks (including cellular data as well as Internet). Many of these services contract out to third party ESMEs for service and do not actually act as ESMEs themselves. Additionally, messages that are delivered to a mobile device may not remain restricted to that device. Systems like Apple Continuity [15], Google Voice, Pushbullet [16], and MightyText [17] use local wireless networks or cloud services

PAGE 21

to store and sync SMS from the receiving device to the user's other devices. Millions of subscribers use these services to transfer their messages from their localized mobile device to be stored in the cloud.

The modern SMS ecosystem has the consequence from a security perspective that a single SMS may be processed by many different entities -- not just carriers -- who in toto present a broad attack surface. Attacks against these systems may be technical in nature and take a form similar to publicized data breaches [18]-[21]. While to date there are no disclosed attacks against these SMS services, we note that there is precedent for infiltration of carrier networks [22]. Social engineering attacks are also possible. Mobile Transaction Authentication Numbers (mTANs)^2 have been stolen using SIM Swap attacks [23] where an attacker impersonates the victim to a carrier to receive a SIM card for the victim's account, allowing the attacker to intercept security-sensitive messages. Attackers have also compromised accounts protected by one-time-passwords delivered over SMS by impersonating the victim to set up number forwarding to an attacker-controlled device [24]. Accordingly, it is worth determining what kinds of data are being sent via SMS so that the consequences of future compromise are well understood.

Chapter 3 measures how different entities implement security mechanisms via text messages through the use of public SMS gateways. As such, we are able to observe a wide array of services and their behavior through time. Additionally, because these gateways provide phone numbers to anonymous users, we are also able to measure the extent to which such gateways are being used for malicious purposes. This combined measurement will help to provide the research community with a more accurate and informed picture of the security of this space.

PAGE 22

[Figure 2-2 (diagram). Labels: IP Networks; PSTN; Cell Network; Gateway; Intermediary Telco Networks; Internet; VOIP Carrier; Web Services; VOIP Proxy.]

Figure 2-2. A high-level representation of modern telephony systems. In addition to voice being transcoded at each gateway, all identity mechanisms become asserted rather than attested as calls cross network borders. A strong end-to-end authentication must be designed aware of all such limitations.

2.2 Telephone Network Background

Now that we have described the modern SMS ecosystem, we can begin to discuss the different technologies that are used to facilitate telephone calls. Subscribers can receive service from mobile, landline, and VoIP networks, and calls to those subscribers may similarly originate from networks implementing any of the above technologies. In this section, we provide background on each of these technologies, with an emphasis on how each handles authentication, and how each technology interoperates with the global telephone network. Figure 2-2 provides a high-level overview of this ecosystem.

^2 mTANs are used to authenticate mobile banking transactions via SMS in many countries, including Germany, South Africa, and Russia.


2.2.1 Landline Networks

Early landline networks were entirely analog throughout the network. Over time, what was an entirely analog network switched exclusively by human operators became an automated network, and later, a network entirely digital in the core. While landline networks now have a digital core, endpoints retain the same twisted pair analog connection to the network that was used a century ago.

Attacks against landline networks were the very beginnings of both offensive and defensive network security [5]. In landline networks, the principal security question was whether users could be accurately billed for the service they used. While many "attacks" were motivated entirely by curiosity, others had the sole motive of placing long-distance calls without paying for toll charges. While operator assistance was still common, "phreakers" would social engineer these operators into connecting circuits or trunks to place calls that would not be billed correctly. After long-distance calling was no longer required to be operator assisted, phreakers pored through Bell technical manuals to determine how in-band long distance signaling worked and how it could be exploited to place toll-free calls. In fact, early phreakers even computerized and automated attacks that abused MIT's internal phone network peering relationships to make unauthorized long distance calls [25]. The Bell system and federal agents actively pursued these phreakers, developing automated anomaly detection systems that would be used to isolate and attribute these illicit calls. Exploitation of in-band signaling was a major motivation in a move to an all-digital, out-of-band signaling system known as SS7.

The importance of SS7 to modern telephony cannot be overstated. Even though it was deployed in the 1980's, it still serves as a lingua franca for all of telephony; it is the primary mechanism carriers use to interconnect and share call information. It has also served as a foundational core protocol upon which new network technologies and functionality have been built. Features like caller ID, call forwarding, and number


portability are facilitated by SS7. The SS7 protocol was also significantly expanded to support mobile telephony, especially mobility management.

While improved security over in-band signaling was a major motivation of deploying SS7, its security improvement came primarily from isolation because endpoints no longer had the ability to send signaling information to the network. In particular, SS7 did not provide mechanisms for confidentiality, integrity, authentication or authorization in the protocol. In its initial deployment, SS7 was used among a relatively small number of trusted entities. However, with the advent of VoIP and its associated proliferation of small carriers with access to SS7, attacks became more realistic and practical. In recent years, attacks have been demonstrated against SS7 that allow for tracking of mobile users [26], denial of service against endpoints, and redirection and interception of calls and text messages [27]. These attacks motivate the need for systems that can protect against intercepted or redirected calls like those presented in this thesis.

We note that SS7 attacks are not the only threats to plain-old telephone service (POTS) devices. Soon after the deployment of Caller ID to end consumers, phreakers developed so-called "orange boxes" to fabricate Caller ID information during a call. These devices send signaling tones to Caller ID boxes immediately after the call is established to change the Caller ID display to an attacker-controlled value. Orange boxes are simply another mechanism that demonstrates the phone network provides no trustworthy guarantees of the source of a phone call.

2.2.2 Cellular Networks

First generation (1G) cellular systems were the first to consider authentication mechanisms, given the multi-user nature of wireless spectrum. Unfortunately, 1G authentication relied solely on the plaintext assertion of each user's identity and was therefore subject to significant fraud [28]. Second generation (2G) networks (e.g., GSM) designed cryptographic mechanisms for authenticating users to the network. These protocols failed to authenticate the network to the user and led to a range of attacks against


subscribers [29]–[32]. Third and fourth generation (3G and 4G) systems correctly implement mutual authentication between the users and providers [33]–[35].

The Global System for Mobile Communications (GSM) is a suite of standards used to implement cellular communications. It is used by the majority of carriers in the US and throughout Europe, Africa, and Asia. GSM is a "second generation" (2G) cellular network and has evolved into the UMTS (3G) and LTE (4G) standards.

GSM manages user access to the network by issuing users a small smart card called a Subscriber Identity Module (SIM card) that contains identity and cryptographic materials. A carrier SIM card can be placed in any device authorized to operate on a carrier's network. Because GSM networks cryptographically authenticate almost every network transaction, cellular network activity can always be attributed to a specific SIM card. In the past, the ability to clone a SIM card negated this guarantee; however, modern SIM cards now have hardware protections that prevent practical key recovery and card cloning.

In addition to describing network functionality, the GSM standards also specify a method for encoding audio known as the GSM Full Rate (GSM-FR) codec [36]. Although designed for mobile networks, it is also used as a general purpose audio codec and is frequently implemented in VoIP software. To avoid ambiguity, we use "GSM" or "air transmission" to mean GSM cellular networks and "GSM-FR" to indicate the audio codec.

While this section has focused on GSM, which was in many ways a progenitor and model for all later systems, we note that security problems in newer standards have been discovered. UMTS, the 3G successor to GSM, has seen quite a bit of work on its security. Meyer and Wetzel found that a type of downgrade attack from UMTS to GSM security enables man in the middle attacks against UMTS devices [37]. Kambourakis et al. find several signaling attacks that result in denial of service [38]. Arapinis et al. identify attacks that can lead to tracking of mobile UMTS users [39]. LTE, the successor to UMTS, has also seen security research. Independently, Kim et al. [40] and Li et al. [41] identified attacks against VoLTE that allow for data theft, and later work by Tu et


al. [42] identified similar attacks with SMS transmission in LTE networks. Shaik et al. disclose tracking attacks against LTE networks [43].

2.2.3 VoIP

Voice over Internet Protocol (VoIP) is a technology that implements telephony over IP networks such as the Internet. Two clients can complete a VoIP call using exclusively the Internet, or calls may also be routed from a VoIP client to a PSTN line (or vice-versa) through a VoIP Gateway. Providers including Vonage, Skype, and Google Voice provide both IP-only and IP-PSTN calls. The majority of VoIP calls are set up using a text-based protocol called the Session Initiation Protocol (SIP). One of the jobs of SIP is to establish which audio codec will be used for the call. Once a call has been established, audio flows between callers using the Realtime Transport Protocol (RTP), which is typically carried over UDP.

The widespread deployment of VoIP has probably been the single most security-relevant development in the history of the phone network. First, most modern attacks, including phishing, robocalls, PBX hacking, and interconnect bypass fraud, are made much simpler to execute and avoid detection in VoIP networks as opposed to other techniques. Most VoIP providers, for example, make it trivial to spoof caller ID information.

VoIP call quality is affected by packet loss and jitter. Absent packets, whether they are the result of actual loss or jitter, cause gaps in audio. Such gaps are filled in with silence by default. Some VoIP clients attempt to improve over this standard behavior and implement Packet Loss Concealment (PLC) algorithms to fill in missing packets with repeated or generated audio. Specifically, PLC algorithms take advantage of the fact that speech waveforms are more or less stationary for short time periods, so clients can generate a plausible section of audio from previous packets. Many codecs have mandatory PLCs, although some are optional (as in the case of the G.711 audio codec) or are not implemented (as is frequently the case when GSM-FR is used outside of cellular networks).
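To make the loss, jitter and PLC behavior described above concrete, the following is an added toy model, not code from this dissertation or from any VoIP client, of how a receiver rebuilds a stream of fixed-size audio frames from RTP-style packets. Late arrivals are re-ordered by sequence number (standing in for a jitter buffer), and each missing sequence number is either filled with silence, the default the text describes, or concealed by repeating the previous frame, the simplest PLC strategy. The frames are constructed small integers rather than real PCM audio.

```python
from typing import List, Optional, Tuple

# (RTP-style sequence number, one frame of PCM samples); values are constructed.
Packet = Tuple[int, List[int]]


def reassemble(packets: List[Packet], mode: str = "silence") -> List[int]:
    """Rebuild the audio stream from the packets that actually arrived.

    Packets are sorted by sequence number first, which plays the role of a
    jitter buffer re-ordering late arrivals.  Every sequence number missing
    between two received packets is one lost frame: it is filled with zeros
    ('silence') or with a copy of the preceding frame ('repeat'), the most
    basic packet-loss-concealment strategy.
    """
    if mode not in ("silence", "repeat"):
        raise ValueError("mode must be 'silence' or 'repeat'")
    ordered = sorted(packets, key=lambda p: p[0])
    out: List[int] = []
    prev_seq: Optional[int] = None
    prev_frame: List[int] = []
    for seq, frame in ordered:
        if prev_seq is not None:
            for _ in range(seq - prev_seq - 1):  # one fill per missing packet
                fill = [0] * len(prev_frame) if mode == "silence" else prev_frame
                out.extend(fill)
        out.extend(frame)
        prev_seq, prev_frame = seq, frame
    return out


def lost_frames(packets: List[Packet]) -> int:
    """Count sequence-number gaps, i.e. frames the receiver never got."""
    seqs = sorted(p[0] for p in packets)
    return (seqs[-1] - seqs[0] + 1) - len(seqs) if seqs else 0


def demo() -> dict:
    # Constructed 4-sample frames: packet 3 is lost, packet 2 arrives late.
    received: List[Packet] = [(1, [1, 2, 3, 4]), (4, [9, 9, 9, 9]), (2, [5, 6, 7, 8])]
    return {
        "lost": lost_frames(received),
        "silence": reassemble(received, "silence"),
        "repeat": reassemble(received, "repeat"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the silence policy the gap shows up as a run of zeros in the decoded audio; with frame repetition the listener hears a plausible continuation, but any data modulated into that frame (the situation the later chapters on audio data channels have to cope with) is simply a stale copy.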


[Figure 2-3 plots: (a) 1-second chirp sweep from 300 to 3300 Hz before AMR-NB encoding; (b) 1-second chirp sweep from 300 to 3300 Hz after AMR-NB encoding]

Figure 2-3. A comparison of a signal (a) before and (b) after being encoded with the AMR codec. Note that while the entirety of the signal is within the range of allowable frequencies for call audio, the received signal differs significantly from its original form. It is therefore critical that a high-fidelity mechanism for delivering data over a mobile audio channel be designed.

Some VoIP software (including Asterisk) implements its own PLC algorithms, but does not activate them unless configured by an administrator.

2.2.4 Challenges to Authenticating Phone Calls

The previous subsections have provided background on the different technologies that make up the global PSTN. In this subsection, we now describe why that mix of technology makes authenticating phone calls difficult.

While performing similar high-level functionality (i.e., enabling voice calls), the global telephone network is built on a range of often incompatible technologies. From circuit-switched intelligent network cores to packet switching over the public Internet, all of these disparate entities rely on gateways to translate protocol information between incompatible networks. As a result, very little information beyond the voice signal actually propagates across the borders of these systems. In fact, because many of these networks rely on different codecs for encoding voice, one of the major duties of gateways between these systems is the transcoding of audio. Accordingly, voice encoded at one end of a phone call is unlikely to have the same (or even similar) bitwise representation when it arrives at the client side of the call. As evidence, the top plot of Figure 2-3 shows a sweep of an audio signal from 300 to 3300 Hz (all within the acceptable band) across 1 second.


The bottom plot shows the same signal after it has been encoded using the Adaptive Multi-Rate (AMR) audio codec used in cellular networks, resulting in a dramatically different message. This massive difference is a result of the voice-optimized audio codecs used in different telephony networks. Accordingly, successfully performing end-to-end authentication will require careful design for this non-traditional data channel.

Beyond voice, other data that may be generated by a user or their home network is not guaranteed to be delivered or authenticatable end-to-end. That is, because the underlying technologies are heterogeneous, there is no assurance that information generated in one system is passed (let alone authenticated) to another. This has two critical implications. The first is that any proofs of identity a user may generate to their provider are not sent to the other end of the call. For instance, a mobile phone on a 4G LTE connection performs strong cryptographic operations to prove its identity to its provider. However, there exists no means to share such proofs with a callee within this system, let alone one in another provider's network. Second, claims of identity (e.g., Caller ID) are sent between providers with no means of verifying said claims. As evidenced by greater than $7 billion in fraud in 2015 [44], it is extremely simple for an adversary to trick a receiver into believing any claim of identity. There is no simple solution as calls regularly transit multiple intermediate networks between the source and destination.

One of the few pieces of digital information that can be optionally passed between networks is the Caller ID. Unfortunately, the security value of this metadata is minimal: such information is asserted by the source device or network, but never validated by the terminating or intermediary networks. As such, an adversary is able to claim any phone number (and therefore identity) as its own with ease. This process requires little technical sophistication, can be achieved with the assistance of a wide range of software and services, and is the enabler of greater than US $2 Billion in fraud annually [4].


2.3 Related Work

In this section, we highlight preceding work in the areas of telephony security addressed by this dissertation. We begin by describing prior work on SMS use and abuse, continue to work detecting telephony fraud, followed by work authenticating phone calls. We conclude by briefly discussing single-ended audio techniques that will be used in Chapter 4.

2.3.1 Prior Work on SMS Use and Abuse

Prior measurement work has studied the underground economies [45] that drive spam [46]–[48], malware [49]–[51] and mobile malware [52]–[54], and other malicious behavior. While others have investigated SMS content and metadata in the context of SMS spam [55]–[58], this work is the first to expansively measure how SMS is used for security purposes by legitimate services. We note that much of the research in this area has been forced to rely on small datasets (some less than 2000 messages [58]).

Mobile two-factor authentication is increasing in popularity, with some eagerly heralding its arrival [59] and others cautioning that it may only provide a limited increase in security [60]. Much of the data we collected contained mobile two-factor authentication tokens sent over SMS. While SMS tokens are popular in many contexts, including mobile banking and finance [61], other approaches have been implemented in a variety of forms including keychain fobs [62], [63], one-time pads [64], [65], biometric scanners [66], [67], and mobile phones [68]–[70]. Analysis of individual systems has led to the discovery of a number of weaknesses, including usability concerns [71] and susceptibility to desktop [72] or mobile malware [73]–[78]. SMS-based tokens are especially vulnerable to link-layer attacks against the cellular network. These networks use vulnerable channel encryption [31], [79], [80], allow end devices to connect to illicit base stations [81]–[83], and are vulnerable to low-rate denial of service attacks [84], [85]. However, the majority of the infrastructure behind many two-factor authentication systems, the portions of the


system outside the cellular network, has not been previously explored from a security perspective.

Dmitrienko et al. were the first to examine SMS messages to study security of two-factor authentication schemes [77]. We greatly exceed the scope of their work in five important ways. First, our work presents a cohesive examination of the entire SMS infrastructure from online services to end devices. Second, we focus on how online services use SMS well beyond two-factor authentication. Third, our data includes two orders of magnitude more services and we identify and classify the intent of each message. Fourth, we provide a more detailed classification of two-factor authentication systems. Finally, our more rigorous entropy analysis of two-factor authentication PINs allows us to make strong claims for more than 30 services (instead of just 3), helping us to find egregious entropy problems in the popular WeChat and Talk2 services.

Our emphasis on phone verified accounts provides a separate contribution. Thomas et al. study the effects of phone verified accounts at Google [86]. While they use datasets of purchased or disabled PVAs, we provide insight into PVA fraud from enabling services. While we confirm some of their observations, our data indicate their recommendations may prove ineffective at defeating PVA evasion.

2.3.2 Telephony Fraud and Detection

Telephony fraud detection is a well-studied problem, and efforts to fight telecommunications fraud have primarily depended on call records. Machine learning and data mining have been used extensively to detect fraudulent activity using call records [87]–[90].

Given the importance of the simboxing problem in affected countries, there are a number of commercial simbox detection products, as well as two published research papers [91], [92]. Most simbox detection systems use one of two techniques: test call generation and call record analysis. A few products use hybrid techniques [93], [94]. Test call generation approaches [95]–[99] use probes widely deployed in many networks to verify that the CLI (i.e. Caller-ID) records on calls are correct: if a simbox is used, the


CLI record would indicate the MSISDN (i.e. the phone number) of the SIM card routing the call and not the originating probe. Test call methods only work for certain kinds of simboxing (when a simboxer sells services to another telecom, not through the common case of selling calling cards to consumers). By contrast, call record analysis detects all types of simboxing. Those approaches rely on the fact that SIMs used in simboxes have usage patterns distinct from legitimate customers [91], [100]–[103]. These techniques are prone to false positives and active evasion by simboxers. In recent work, Murynets et al. published a call record analysis approach that used machine learning to identify IMEIs (device identifiers) used by simboxes [92]. The authors' published accuracy rates measure identifying individual calls (not simbox devices) only after simboxes are identified, and thus are not directly comparable to the accuracy figures for Ammit. Additionally, that work identifies IMEIs (which are an asserted and thus spoofable identifier) of devices only after a simbox makes dozens or hundreds of calls with a single SIM card; even if the work described in that paper is deployed, simboxing will continue to be profitable. Our work is an improvement over the state of the art because we can reliably detect simboxed calls using features inherent to simboxing at the time of the call, thus making simboxing unprofitable.

The Pindr0p system combats telephony fraud by identifying callers using audio "fingerprints." These fingerprints consist of noise characteristics and indicators of different codecs used by the different PSTN and VoIP networks that route a call. For Pindr0p, capturing characteristics of the end-to-end call path is essential to identify repeat callers. For Ammit, it is sufficient to hear audio that has been degraded by any prior network.

2.3.3 Prior Work Authenticating Phone Calls

While a number of seemingly-cellular mechanisms have emerged to provide authentication between end users (e.g., Zphone, RedPhone) [104]–[114], these systems ultimately rely on a data/Internet connection to work, and are themselves vulnerable to a number of attacks


[115], [116]. Accordingly, there remains no end-to-end solution for authentication across voice networks (i.e., authentication with any non-VoIP phone is not possible).

Mechanisms to deal with such attacks have had limited success. Websites have emerged with reputation data for unknown callers [117]; however, these sites offer no protection against Caller-ID spoofing, and users generally access such information after such a call has occurred. Others have designed heuristic approaches around black lists [118], speaker recognition [119]–[124], channel characterization [125], [126], post hoc call data records [127]–[130] and timing [131]. Unfortunately, the fuzzy nature of these mechanisms may cause them to fail under a range of common conditions including congestion and evasion.

Authentication between entities on the Internet generally relies on the use of strong cryptographic mechanisms. The SSL/TLS suite of protocols are by far the most widely used, and help provide attestable identity for applications as diverse as web browsing, email, instant messaging and more. SSL/TLS are not without their own issues, including a range of vulnerabilities across different versions and implementations of the protocols [132]–[135], weaknesses in the model and deployment of Certificate Authorities [136]–[142], and usability [143]–[149]. Regardless of these challenges, these mechanisms provide more robust means to reason about identity than the approaches used in telephony. We will explore this idea further in Chapters 5 and 6.

2.3.4 Audio Quality Measurement

Chapter 4 is concerned with detecting simbox fraud, and the techniques used in that chapter belong to the long tradition of non-intrusive call quality measurement. Non-intrusive measurements are taken passively and without a reference audio; this is in opposition to intrusive measurements [150], [151] which measure the degradation of a known reference signal. Traditional call quality metrics measure listener experience, and imperceptible degradations do not significantly affect these scores. These scores have been shown to vary widely based on random conditions, language choice [152] or


VoIP client [153]. The most widely used non-intrusive measurement standard is ITU specification P.563 [154], but other metrics have been developed for holistic quality measurements [155]–[157] and for individual artifacts like robotization [158] and temporal clipping [159]. Because call quality metrics like P.563 are only concerned with perceptible degradation and vary widely in results, they are unsuitable for detection of simbox fraud.


CHAPTER 3
CHARACTERIZING THE SECURITY OF THE SMS ECOSYSTEM WITH PUBLIC GATEWAYS

Text messaging has become an integral part of modern communications. First deployed in the late 1990s, the Short Messaging Service (SMS) now delivers upwards of 4.2 trillion messages around the world each year [160]. Because of its ubiquity and its perception as providing a secondary channel bound tightly to a user's identity, a range of organizations have implemented security infrastructure that takes advantage of SMS in the form of one-time codes for two-factor authentication [68]–[70] and account validation [48].

The text messaging ecosystem has evolved dramatically since its inception, and now includes a much wider range of participants and channels by which messages are delivered to phones. Whereas phone numbers once indicated a specific mobile device as an endpoint and were costly to acquire, text messages may now pass through a range of different domains that never touch a cellular network before being delivered to a non-cellular endpoint. Moreover, these systems allow users to send and receive messages for free or low cost using numbers not necessarily tied to a mobile device, specific geographic area or even a single customer. As such, they violate many of the assumptions upon which the previously mentioned security services were founded.

In this chapter, we perform the first longitudinal security study of the modern text messaging ecosystem. Because of the public nature of many SMS gateways (i.e., messages are simply posted to their websites), we are able to gain significant insight into how a broad range of companies are implementing SMS-based security services. Moreover, these systems allow us to see the ways in which defenses such as phone-verified accounts

Text of this chapter is reprinted with permission from Bradley Reaves, Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, and Kevin Butler. Sending Out an SMS: Characterizing the Security of the SMS Ecosystem with Public Gateways. In Proceedings of the 37th IEEE Symposium on Security and Privacy, San Jose, CA, May 2016. (Acceptance Rate: 13.0%).


(PVAs) are successfully being circumvented in the wild. Our work makes the following contributions:

Largest public analysis of SMS data: While others have looked at aspects of SMS security in the past [77], [161], ours is the largest and longest study to date. Our analysis tracks over 400 phone numbers in 28 countries over the course of 14 months, resulting in a dataset of 386,327 messages. This dataset, which is orders of magnitude larger than any previous study of SMS, allows us to reason about the messaging ecosystem as a whole, which has not been possible in previous public studies.

Evaluation of security posture of benign services: We observe how a range of popular services use SMS as part of their security architecture. While we find many services that attempt to operate in a secure fashion, we identify a surprising number of other services that send sensitive information in the clear (e.g., credit card numbers and passwords), include identifying information, and use low entropy numbers for their one-use codes. Because there is no guarantee that this channel is indeed separate, such observations create the potential for attacks.

Characterization of malicious behavior via SMS gateways: We cluster and characterize the lifetime, volume and content of the traffic seen in SMS gateways. Our analysis uncovers numerous malicious behaviors, including bulk spam and phishing. Most critically, our data shows that these systems are being used to support phone-verified account fraud, and the ways in which these systems are used makes proposed mitigations from previous work [86] largely ineffective.

We note the very fact that some users are willing to intentionally direct text messages to public portals is obviously dangerous. We do not address this phenomenon and instead focus on the risks of compromise of the SMS channel. Because these messages are known by the recipient to be publicly available, this dataset would naturally not be entirely representative of all SMS activity of a typical user. Nevertheless, this dataset enables the first public insights into issues such as PVA scams, SMS spam, and sensitive information sent by legitimate services. Furthermore, this data is widely available to the community for continued evaluation and measurement in the future.
The remainder of the chapter is organized as follows: Section 3.1 discusses our collection and analysis methodology; Section 3.2 characterizes our dataset; Section 3.3


discusses our analysis on legitimate usage of SMS via the gateways; Section 3.4 discusses the malicious behaviors seen in our dataset.

3.1 Methodology

In this section, we describe the origins of our dataset, discuss some limitations of this dataset, discuss supplementary sources that give us additional insights into our SMS dataset, and finally describe the techniques we use to extract meaningful information from this dataset.

3.1.1 Public Gateways

In the previous section we noted that there are a number of organizations that process text messages, including carriers, ESMEs, resellers, and value-added services like message syncing. Within the category of ESMEs lies a niche class of operator: public SMS gateways. Many third party entities (including cellular carriers) provide external public interfaces to send text messages (but not receive them). Example use cases include the convenience of an email gateway or the ability to use a web service to send a message to a friend after one's mobile phone battery dies.

While there are many public services for sending messages, they also have counterparts in public websites that allow anyone to receive a text message online. These systems publish telephone numbers that can receive text messages, and when a text message arrives at that number the website publicly publishes the text message. These services are completely open: they require no registration or login, and it is clear to all users that any message sent to the gateway is publicly available. We recognized the research value of these messages for the potential to inform a data-driven analysis, and collected them over a 14 month period from 8 distinct public gateways that facilitate the receiving of text messages,¹ listed in Table 3-1. These gateways have similar names that are potentially

¹ Note that throughout the rest of the chapter we use the term "gateway" to refer exclusively to these receive-only SMS gateways.


Table 3-1. SMS gateways analyzed and the number of messages and phone numbers collected from each.

    Site                           Messages   Phone #s
    (1) receivesmsonline.net         81,313         38
    (2) receive-sms-online.info      69,389         59
    (3) receive-sms-now.com          63,797         48
    (4) hs3x.com                     55,499         57
    (5) receivesmsonline.com         44,640         93
    (6) receivefreesms.com           37,485         93
    (7) receive-sms-online.com       27,094         19
    (8) e-receivesms.com              7,107         14

confusing, so where appropriate we reference them by an assigned number 1–8 based on message volume. Despite their similar names, most of these services appear to be unaffiliated, and each has distinct hosting infrastructure. Gateways 4, 5, and 7 share 21 phone numbers, indicating a likely relationship between these gateways.

These different services have essentially the same functionality, but advertise their intended use in different ways. For example, Gateway 2 claims to be "useful if you want to protect your privacy by keeping your real phone number away from spammers," while Gateway 4 instructs users to "Enter the number where you want verify [sic] like Gmail, Yahoo, Microsoft, Facebook, Amazon, VK etc." Gateway 7 has perhaps the most specific use case: "When your ex-wife wants to send you a text message." Gateway 4 indicates that they expect users to use their service for account verification, while Gateways 2 and 7 simply advertise themselves as privacy services. We suspect that the business model of most of these websites relies on advertising revenue, and this is confirmed by at least Gateway 2, which prominently displays "almost all of [our income] comes from our online advertising" in a banner requesting that users disable their ad blocker. However, advertising is not the sole source of revenue for every system: Gateways 3, 4, 5, 6, and 8 sell private numbers for receiving SMS, while Gateways 4 and 5 actually sell verified Google Voice and WhatsApp accounts.


Ethical considerations. As researchers, our ultimate goal is to improve the security practices of users and organizations, but we must do so ethically. In particular, we should make every effort to respect the users whose data we use in our studies.

A superficial ethical analysis would conclude that because it is clear that all messages sent to these gateways are public, and their use is strictly "opt-in", users have no reasonable expectation of privacy in the collection and analysis of this data. While we believe this analysis to be true, the situation is more complex and requires further discussion, as there are a number of parties to these messages. In addition to users who knowingly provide a gateway number as their own phone number, other individuals and institutions (companies, charities, etc.) may send information to individuals, not knowing that the messages are delivered to a public gateway. While institutions rightfully have privacy rights and concerns, they differ from those of individuals. As we show in our results, the vast majority of the information that we collect is sent indiscriminately and automatically by organizations to a large number of recipients. These messages are unlikely to contain information that would negatively impact the institution if disclosed. Although we study bulk institutional messages, we do not analyze further those messages determined to be of a strictly personal nature. While those messages may have a research value, we deliberately avoid these messages to prevent further propagating this data.

Nevertheless, the use of gateways absolutely creates confidentiality and privacy concerns. For example, when personally identifying information (PII) or account credentials are sent to a gateway (whether or not all parties are aware), the compromise of that information is immediate and irrevocable.² Because we do not make our data available to others, this study does not change in severity or duration the harm done by the existence and use of the gateway. Furthermore, while in Section 3.3.1 we describe

² Except perhaps by the gateway itself; however, it is clear from our data that gateways are not taking steps to prevent PII exposure.


a host of sensitive information found in the dataset, we do not publish, use, or otherwise take advantage of this information. In particular, we especially do not attempt to access accounts owned by gateway users or operators.

We recognize that there are ethical questions raised not just with the collection of this data, but also by combining it with other data sources. Our data augmentation is sufficiently coarse-grained that no individual user of a gateway could be identified through our additional data.³ Geographic information not already disclosed in text messages was limited to country-scale records in the case of gateway users and city-scale in the case of gateway numbers (which in any case do not likely correlate with the location of the gateway operator).

Overall, our hope is this study would raise awareness of the risks of sending sensitive information over insecure media and prevent future harm.

Limitations. To the best of our knowledge, this chapter presents an analysis of the largest dataset of SMS published to date. However, there are some limitations to this data. First, because the messages are public, many services that use SMS (like mobile banking) are likely underrepresented in our dataset. For this reason, our findings about sensitive data appearing in SMS are likely underestimated. Second, because gateways change their phone numbers with regularity, it is unlikely that long-term accounts can be successfully created and maintained using these numbers, which may bias the number of services we observe in our dataset. Accordingly, those users are unlikely to enable additional security services like mobile two-factor authentication (2FA) using one-time passwords (OTP), further limiting our visibility to a wider range of services. These limitations mean that the overall distributions that we report may not generalize to

³ The one exception to this was an individual whose information was used (likely without his/her knowledge) to register a domain used in a phishing scam. This information was discovered after a routine WHOIS lookup after discovering the phishing domain.


broader populations. Nevertheless, we believe that this work provides useful conclusions for the security community.

3.1.2 Crawling Public Gateways

To gather messages from gateways, we developed a web crawler using the Scrapy [162] framework. Every 15 minutes, our crawler connected to each gateway, obtained new messages, and stored these in a database. We faced two challenges to accurately recording messages: ignoring previously crawled messages and recovering message received times.

Ignoring previously crawled messages was difficult because gateways display the same messages for a considerable amount of time (days, months, or even years). A consequence of this is that our dataset contains messages that gateways received before our data collection began. In order to prevent storing the same messages repeatedly (and thus skewing the results), we discard previously crawled messages upon arrival by comparing the hash of a concatenation of the sender and receiver MSISDNs and the message content against hashes already in the database. If a match is found, the message sent times are compared to ensure that they were the same instance of that message, ensuring that messages that were repeatedly sent are still included in the data.

Message times required finesse to manage because gateways report a relative time since the message was received (e.g., "3 hours ago") instead of an ideal ISO-8601 timestamp [163]. Parsing these timestamps is fairly simple, but care must be taken when doing comparisons using these times as the precision can vary ("3 minutes" vs. "3 days"). To ensure accuracy, we store and take into account the precision of every timestamp when comparing message timestamps.

3.1.3 Additional Data Sources and Analyses

Phone number analysis. After the scrapers pull the initial data from the gateways, the data is augmented with data from two outside sources. The first service, Twilio [9], provides a RESTful service that provides mobile, VoIP, and landline number lookups. Twilio resolves the number's country of origin, national number format for that country,


and the number's carrier. Carrier information includes the carrier's name, the number's type, and the mobile network and country codes. Twilio is accurate and appropriately handles issues like number porting, which could cause inconsistencies in our data if incorrect.

The second service, OpenCNAM [164], provides caller identity information for North American numbers. This database contains a mapping of phone numbers and strings; carriers consult this database to provide Caller ID information when connecting a call. Therefore, OpenCNAM is also the most accurate public location to obtain identity information for North American numbers.

We obtained data from both Twilio and OpenCNAM for all the numbers that were hosted on the gateways as well as a subset of the numbers that contacted the hosted numbers.

URL analysis. We extracted 20,793 URLs from messages by matching URL regular expressions with each message in the dataset. Overall, there were 848 unique second-level domains and 1,055 unique base URLs (fully-qualified domain names and IP addresses) in this set. For each of these domains, we obtained domain registration data. A domain's WHOIS registration data contains useful metadata about the history of a domain, including its creation date. Since this data is distributed among registrars, it is not always available and some fields may be restricted. We were able to obtain complete registration data for 532 of the second-level domains in our set.

Due to the limited length of an SMS message, shortened URLs are often sent in these messages. The short URL is a hop between the user and the destination, allowing URL shortening services to collect data about the users following the links. For each Bitly- and Google-shortened URL, we obtained statistics (e.g., number of clicks) when possible. The SMS gateway services do not publish data on their users, so this data represents one of the best insights into user demographics in our dataset.
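The two crawler problems described in Section 3.1.2 (discarding previously crawled messages without losing genuine re-sends, and comparing gateway-reported relative times at the precision they actually carry) can be shown in a few dozen lines. The following is an added example written for this page, not the dissertation's crawler code: it keys each message on a hash of sender MSISDN, receiver MSISDN and content, converts a relative time such as "3 hours ago" into an absolute time plus a precision equal to one unit of that time, and treats two sightings as the same instance only when they agree within the coarser precision. The gateway phrasing it parses, the `MessageStore` class and the sample messages are all constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Relative-time units as a gateway might render them (constructed assumption),
# mapped to their length in seconds; that length is also the precision of any
# timestamp expressed in that unit.
_UNITS = {
    "second": 1, "minute": 60, "hour": 3600, "day": 86400,
    "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400,
}
_REL_RE = re.compile(
    r"^\s*(\d+)\s+(second|minute|hour|day|week|month|year)s?\s+ago\s*$", re.IGNORECASE
)


def parse_relative(text, crawled_at):
    """'3 hours ago' seen at crawled_at -> (absolute datetime, precision in seconds)."""
    m = _REL_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised relative time: {text!r}")
    count, unit = int(m.group(1)), m.group(2).lower()
    step = _UNITS[unit]
    return crawled_at - timedelta(seconds=count * step), step


def same_instance(t1, p1, t2, p2):
    """Two sightings are the same message instance if their received times
    agree within the coarser of the two precisions."""
    return abs((t1 - t2).total_seconds()) <= max(p1, p2)


def message_key(sender, receiver, content):
    """Dedup key: hash of sender || receiver || content, with a separator so
    that field boundaries cannot shift between distinct triples."""
    h = hashlib.sha256()
    for part in (sender, receiver, content):
        h.update(part.encode("utf-8"))
        h.update(b"\x00")
    return h.hexdigest()


class MessageStore:
    """In-memory stand-in for the crawler's database (constructed for the example)."""

    def __init__(self):
        self._seen = {}  # key -> list of (received_at, precision)

    def ingest(self, sender, receiver, content, relative_time, crawled_at):
        """Store the sighting unless an earlier one of the same instance exists.
        Returns True when the message is new to the store."""
        received_at, precision = parse_relative(relative_time, crawled_at)
        key = message_key(sender, receiver, content)
        for t, p in self._seen.get(key, []):
            if same_instance(received_at, precision, t, p):
                return False  # same message, same instance: already crawled
        self._seen.setdefault(key, []).append((received_at, precision))
        return True

    def count(self):
        return sum(len(v) for v in self._seen.values())


def demo():
    """Constructed scenario: one OTP text crawled twice 15 minutes apart, then the
    identical text re-sent a day later."""
    store = MessageStore()
    t0 = datetime(2016, 1, 1, 12, 0, 0)
    first = store.ingest("+15550001", "+15559999", "Your code is 1234", "3 minutes ago", t0)
    again = store.ingest("+15550001", "+15559999", "Your code is 1234",
                         "18 minutes ago", t0 + timedelta(minutes=15))
    resent = store.ingest("+15550001", "+15559999", "Your code is 1234",
                          "1 day ago", t0 + timedelta(days=2))
    return first, again, resent, store.count()


if __name__ == "__main__":
    print(demo())
```

The second crawl sees the same text at the same received time (12:15 minus 18 minutes equals 12:00 minus 3 minutes), so it is discarded; the third sighting hashes to the same key but its received time is a day off even at day precision, so it is kept as a genuine re-send, which is the behavior the text asks for.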

PAGE 42

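The following is an added example (not code from the thesis or its crawler) showing the two bookkeeping problems described in Section 3.1.2: converting a gateway's relative timestamp into an absolute time plus a precision, and discarding re-crawled copies of a message by hashing sender, receiver and content while still keeping genuinely repeated sends. The unit table, the SHA-256 key, the in-memory MessageStore and the constructed crawl in demo() are all assumptions of this example.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Relative-time units a gateway page prints ("3 hours ago").
# The precision of a parsed timestamp is the size of its unit.
UNITS = {
    "second": timedelta(seconds=1), "minute": timedelta(minutes=1),
    "hour": timedelta(hours=1), "day": timedelta(days=1),
    "week": timedelta(weeks=1), "month": timedelta(days=30),
    "year": timedelta(days=365),
}
RELATIVE_RE = re.compile(
    r"^\s*(\d+)\s+(second|minute|hour|day|week|month|year)s?\s+ago\s*$", re.I)


def parse_relative_time(text, crawled_at):
    """Turn '3 hours ago' (relative to the crawl time) into (absolute_time, precision).

    precision is the timedelta of the unit used, e.g. one hour for '3 hours ago'.
    """
    m = RELATIVE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised relative time: {text!r}")
    count, unit = int(m.group(1)), m.group(2).lower()
    precision = UNITS[unit]
    return crawled_at - count * precision, precision


def same_instance(t1, p1, t2, p2):
    """Two recovered send times denote the same message instance when they agree
    within the coarser of their precisions: a 'days ago' timestamp cannot be told
    apart from a 'minutes ago' timestamp that falls inside the same day."""
    return abs(t1 - t2) <= max(p1, p2)


def message_key(sender, receiver, content):
    """Hash of sender MSISDN || receiver MSISDN || content, the deduplication key."""
    data = "\x1f".join((sender, receiver, content)).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class MessageStore:
    """In-memory stand-in for the crawler database (constructed for this example)."""

    def __init__(self):
        self.by_key = {}  # key -> list of (sent_at, precision)

    def add(self, sender, receiver, content, relative_time, crawled_at):
        """Store a crawled message unless it is a re-crawl of a stored instance.
        Returns True if stored, False if discarded as a duplicate."""
        sent_at, precision = parse_relative_time(relative_time, crawled_at)
        key = message_key(sender, receiver, content)
        for seen_at, seen_prec in self.by_key.get(key, []):
            if same_instance(sent_at, precision, seen_at, seen_prec):
                return False  # same instance, seen on an earlier crawl
        self.by_key.setdefault(key, []).append((sent_at, precision))
        return True


def demo():
    """Constructed crawl: one message seen on two crawls 15 minutes apart (the
    second copy must be dropped), then the same text sent again a day later
    (a genuine repeat that must be kept)."""
    store = MessageStore()
    t0 = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)
    first = store.add("+15550001", "+15550002", "Your code is 1234", "2 hours ago", t0)
    recrawl = store.add("+15550001", "+15550002", "Your code is 1234", "2 hours ago",
                        t0 + timedelta(minutes=15))
    resend = store.add("+15550001", "+15550002", "Your code is 1234", "3 hours ago",
                       t0 + timedelta(days=1))
    return first, recrawl, resend
```

The tolerance in same_instance is what keeps a coarse "2 days ago" entry from being stored again as a new message when a later crawl reports the same message with finer precision.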
Finally, since these gateways freely accept and publicly post SMS messages, the gateways represent an easy mechanism for delivering malicious messages including phishing or malicious URLs. VirusTotal [165] can provide valuable insight into the maliciousness of a given URL. We requested scans of each of the URLs via VirusTotal and collected the scan reports. If a URL had a previously-requested scan, we collected the cached scan and did not rescan the URL. Due to the short lifetimes of some malicious domains, we anticipated earlier scan results would be more accurate. For each product that VirusTotal uses to scan the URL, it reports whether or not the product alerted and, if so, the category of detection.

Personally-identifying information analysis. We searched the messages for personally-identifying information (PII) [166] using regular expressions. In particular, we searched for major credit card account numbers (e.g., Visa, Mastercard, American Express, Discover, JCB, and Diners Club). For each match, we further verified these numbers using the Luhn algorithm [167]. This algorithm performs a checksum and can detect small input errors in an account number. This checksum is built into all major credit card account numbers and can also assist in distinguishing a 16-digit Visa account number from a 16-digit purchase order number, for example. This check is rudimentary, however, and we manually verified that the remaining matches appeared to be account numbers in context (i.e., the messages containing these numbers appeared to reference an account number).

Furthermore, we also checked strings of numbers to determine if they were identification numbers such as US Social Security Numbers or national identifiers from Austria, Bulgaria, Canada, China, Croatia, Denmark, Finland, India, Italy, Norway, Romania, South Korea, Sweden, Taiwan, or the United Kingdom. We found no valid matches in our data.

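As an added example (not the thesis's own tooling), the scanner below applies the two regular-expression analyses of Section 3.1.3 to a few constructed messages: URL extraction with base-URL and second-level-domain counting, and card-number detection filtered by the Luhn checksum. The regular expressions, the well-known test card number 4111 1111 1111 1111 and the example.com hosts are assumptions; the Luhn filter does exactly what the text describes, dropping a 16-digit order-number-like value that fails the checksum before any manual review.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Runs of 13-19 digits, optionally separated by spaces or dashes (card formats).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 from
    doubled values above 9, and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_candidates(text):
    """Card-length digit runs that also pass Luhn; order-number-like runs fail."""
    out = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            out.append(digits)
    return out


def url_facts(url):
    """Base URL (host name or IP literal) and second-level domain of a URL."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    if len(labels) == 4 and all(l.isdigit() for l in labels):
        return host, None  # IPv4 literal: no second-level domain
    sld = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return host, sld


def scan_messages(messages):
    """Summarise a corpus: unique base URLs, unique SLDs, Luhn-valid card numbers."""
    base_urls, slds, cards = set(), set(), []
    for msg in messages:
        for url in URL_RE.findall(msg):
            host, sld = url_facts(url)
            base_urls.add(host)
            if sld:
                slds.add(sld)
        cards.extend(card_candidates(msg))
    return {"base_urls": sorted(base_urls), "slds": sorted(slds), "cards": cards}


SAMPLE = [  # constructed messages, not gateway data
    "Your code is 482913. Confirm at http://verify.example.com/c/482913",
    "Reset here: https://accounts.example.com/reset?t=abc and http://203.0.113.7/x",
    "Order 4111 1111 1111 1112 shipped",            # 16 digits, fails Luhn: not a card
    "Card 4111-1111-1111-1111 exp 12/19 CVV 123",   # test card number, passes Luhn
]
```

In practice the Luhn-valid hits still go to a human, as the text notes; the checksum only removes the obvious non-cards so that the review set stays small.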
3.1.4 Message Clustering

A major goal of this study is to determine what types of messages are sent via SMS and how service providers are using SMS. While there are available machine learning techniques for this type of analysis and clustering (e.g., topic discovery and text clustering), scalability is a major problem when dealing with the large number of messages in our dataset. Accordingly, we explore other methods as described below.

Keyword analysis. As a first attempt, we automatically labeled messages in the dataset using searches in multiple languages for keywords such as "password," "email," and "verification." We found that these keywords are often overloaded and insufficient for successfully separating the data. For example, Talk2 [168] uses "verification code" for the purpose of new account creation, while SMSGlobal [169] uses "verification code" for one-time passwords. Adding further complication, LiqPay [170] uses "password" for one-time passwords.

Furthermore, we identified messages that referenced our keywords without containing any obvious authentication data. These messages are often informative messages about the keywords (e.g., "Do not disclose your password."). Conversely, some messages containing sensitive information did not include keywords. Ultimately, the outcome of this experiment was unsuccessful, leading us to adopt a manual labeling approach.

Clustering analysis. Through further analysis, we discovered that many messages from the same service provider share the same pattern. We manually reviewed messages and grouped similar messages together into "clusters."⁴

The essence of our clustering algorithm is distance-based clustering [171]. However, we wanted a high-accuracy clustering algorithm with minimal and easily estimated

⁴ Our definition of this term should not be confused with the classic machine learning definition of "clustering."
tuning parameters, ruling out k-means. We attempted to use an edit-distance metric to group similar messages into a connected graph (where edges are created between similar messages), but a pairwise algorithm exceeded the time and hardware available to the project. Instead, we noted that the messages we were interested in were virtually identical, apart from known common variable strings like codes or email addresses. By replacing these with fixed values, a simple lexical sort would group common messages together. We then identified cluster boundaries by finding where the normalized edit distance was lower than a threshold (0.9) between two consecutive sorted messages. Our threshold was empirically selected to conservatively yield correct clusters, and we were able to cluster all 386,327 messages in a few minutes with high accuracy.

A more explicit statement of this process follows:

1. Load all messages.
2. Preprocess messages by replacing numbers, emails and URLs with fixed strings.
3. Alphabetically sort preprocessed messages.
4. Separate messages into clusters by using an edit distance threshold to find dissimilar consecutive messages.
5. Manually inspect each cluster to label service providers, message types, etc. In this step, we culled clusters that had < 43 messages.⁵

Preprocessing is perhaps the most important step, because it allows us to avoid aligning messages from different service providers together. When using naive sorting on the original messages, the sorting places together messages from various services that start with a verification code. We avoid this problem by replacing variable content with a fixed string, causing the final sort order to be related to the non-variable content of

⁵ We initially planned on labeling only clusters with more than 50 messages, but our labelling process resulted in more labeled clusters than expected.
the messages. Unlike traditional machine learning methods, our sorting-based clustering method is fast (minutes for our dataset).

After clustering, we manually labeled each cluster, a time-consuming process which allowed us to both verify the correctness of the cluster generation and guarantee correct labels.

It is difficult to determine the intent of the message when the message contains little context (e.g., "X is your Google verification code."). For the most common 100 services, we attempted to identify message intentions using those services' public documentation. Where this information was unavailable, we attempted to register accounts with the services to obtain messages and match these to our clusters. If we were still unable to determine the message type, we classified these with a generic label. We also define and apply labels based on the overall content of the message, including content such as PII or any sensitive, security-related information.

3.1.5 Message Intentions

Due to the lack of standardized terms for the intentions of the authentication and verification values sent via SMS, we divided the various message intentions into categories in this section. In this chapter, we use code to describe the value extracted from any message sent to a user for any of the below intentions. To our knowledge, there is no authoritative source for these intentions, despite their popularity. More than 261,000 (67.6%) of the messages contain a code, and the following categories enabled us to more accurately cluster our messages:

Account creation verification: The message provides a code to a user from a service provider that requires an SMS verification during a new account creation.

Activity confirmation: The message provides a code to a user from a service provider asking for authorization for an activity (e.g., payment confirmation).

One-time password: The message contains a code for a user login.
One-time password for binding different devices: The message is sent to a user to bind an existing account with a new phone number or to enable the corresponding mobile application.

Password reset: The message contains a code for account password reset.

Generic: We use this category for any codes to which we are unable to assign a more specific intent.

3.2 Data Characterization

In this section, we provide high-level information about our collected data. The dataset includes data from 8 gateways over 14 months. Overall, our dataset includes 386,327 messages sent from 421 phone numbers from 52 known carriers in 28 countries. Table 3-2 shows the message count for gateway phone numbers alongside the total number of gateway numbers by country.

3.2.1 Gateways and Messages

Table 3-1 shows the eight gateways we scraped, the number of messages from each, and the number of unique phone numbers hosted at each service during the collection time. The number of messages received by each gateway ranged from 7,107 to 69,389. The number of hosted numbers per service ranged from 14 to 93.

3.2.2 Infrastructure

We obtained detailed data from Twilio about the phone numbers in our dataset, as shown in Table 3-3. Twilio identified 52 carriers, of which 46 are mobile, 3 are VoIP, and three are labeled as landline carriers. We believe that the numbers seen from these "landline" carriers are simply mislabeled as landlines by Twilio and are actually mobile numbers, due to all three being carriers that advertise both mobile and landline service. Furthermore, Twilio indicates numbers from bandwidth.com as "mobile" numbers (this is not due to porting, as Twilio resolves porting scenarios). The carrier known as bandwidth.com is actually a VoIP provider. The numbers in this chapter are corrected to reflect this.

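An added implementation (not the thesis's code) of the five-step sorting-based clustering procedure of Section 3.1.4: variable content (URLs, e-mail addresses, numbers) is replaced by fixed tokens, the normalized messages are sorted, a cluster boundary is cut wherever two consecutive sorted messages fall below the similarity threshold, and small clusters are then culled. The placeholder tokens, the use of difflib's ratio as the normalized similarity (the thesis does not name its exact metric), and the constructed messages in SAMPLE are assumptions.

```python
import re
from difflib import SequenceMatcher

# Step 2: variable content replaced with fixed strings before sorting.
URL_RE = re.compile(r"https?://\S+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
NUMBER_RE = re.compile(r"\d+")


def preprocess(message):
    """Replace URLs, then e-mail addresses, then numbers (codes) with placeholders."""
    text = URL_RE.sub("<URL>", message)
    text = EMAIL_RE.sub("<EMAIL>", text)
    return NUMBER_RE.sub("<NUM>", text)


def similarity(a, b):
    """Normalized similarity in [0, 1]; difflib's ratio stands in for a normalized
    edit distance here (assumption: the thesis does not name its exact metric)."""
    return SequenceMatcher(None, a, b).ratio()


def cluster_messages(messages, threshold=0.9):
    """Steps 1-4: sort preprocessed messages and start a new cluster wherever two
    consecutive sorted messages are less similar than `threshold`.
    Returns a list of clusters, each a list of the original messages."""
    rows = sorted(((preprocess(m), m) for m in messages), key=lambda r: r[0])
    clusters, current, prev = [], [], None
    for norm, original in rows:
        if prev is not None and similarity(prev, norm) < threshold:
            clusters.append(current)
            current = []
        current.append(original)
        prev = norm
    if current:
        clusters.append(current)
    return clusters


def cull(clusters, min_size):
    """Step 5 (the automatic part): keep only clusters large enough to be worth
    manual labeling. The thesis used 43 messages; the sample below uses 2."""
    return [c for c in clusters if len(c) >= min_size]


SAMPLE = [  # constructed messages; service names are hypothetical
    "123456 is your ExampleChat verification code.",
    "987654 is your ExampleChat verification code.",
    "Your ExamplePay one-time password is 4821. Do not share it.",
    "Your ExamplePay one-time password is 9173. Do not share it.",
    "Reset your password: https://accounts.example.com/r/abc123",
    "Reset your password: https://accounts.example.com/r/xyz789",
    "555555 is your OtherApp login code.",
]
```

Without preprocessing, the three messages that begin with a code would sort next to each other by code value rather than by service text; with it, the two ExampleChat messages become byte-identical and sort together, which is why the sort alone does most of the clustering work and only consecutive pairs need a distance computation.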
Table 3-2. Gateways have an international presence, with most message volume taking place in North America and Western Europe. The message count represents the number of messages sent to numbers in each country.

Country              Message Count   Number Count
United States        95138           98
Canada               77036           55
Germany              53497           46
United Kingdom       44039           75
Poland               16103           15
Sweden               14849           22
Spain                11323           11
France               8273            10
Russian Federation   7344
Norway               6674            8
Mexico               6431            5
Romania              6043            6
Australia            5964            13
Belgium              5253            3
India                5064            2
Ukraine              4363            3
Italy                4326            3
Thailand             4073            5
Hong Kong            3251            7
Israel               1971            5
Switzerland          1722            3
Finland              1714            13
Lithuania            520             1
Estonia              405             1
Ireland              331             3
Austria              158             2
Denmark              54              1
Czech Republic       6               2
Belgium              -               3

Table 3-3. Using Twilio-provided data, we obtained the carrier type for each of the carriers associated with sender and receiver numbers on the gateways.

Carrier Type   Amount   Percent of Total
Mobile         261      62.0%
VoIP           149      35.4%
Landline       11       2.6%

3.2.3 Geography

Twilio's number data also includes geolocation information for each number, which shows our data is based in 28 countries. The United States has the most gateway-controlled numbers, with 98 numbers seen receiving 95,138 messages, the most traffic of any country. Conversely, Lithuania only had one gateway-controlled number registered to it, the lowest of the countries in our data. The Czech Republic has the fewest messages sent to the gateway-controlled numbers registered to a country, with two numbers receiving only six messages. Interestingly, 9 of our numbers are associated with providers who service the Channel Islands, located off the coast of France with a total population of less than 170,000 people.

Twilio data provides only the country of origin, so for all 153 numbers in the United States and Canada we obtain caller ID name (CNAM) data.⁶ We found that the vast majority of numbers (55.4%) have no CNAM data at all. Of those messages that have data, the official record in the CNAM database is simply "CONFIDENTIAL," "WIRELESS CALLER," or "Unavailable." Note that "Unavailable" is the actual string that would be displayed to a user, not an indication of no data in the database.

The remainder of the messages are sent to phone numbers that have CNAM data indicating the number is in one of 57 cities or 3 provinces (British Columbia, Ontario, and Quebec) in the United States or Canada. By message volume, the top locations are "Ontario", followed by Centennial, CO (in the Denver area); San Francisco, CA; Little Rock, AR; Airdrie, AB; Columbia, SC; San Antonio, TX; Detroit, MI; Cleveland, OH; and Washington, MD. There are several observations to make from these findings: first, numbers are selected from well beyond what is likely the gateways' main location. Second is that neither gateways nor users feel a need to use numbers based in large population centers. With the exception of Centennial, CO, all locations had four or fewer numbers,

⁶ CNAM data only covers the US and Canada.
Figure 3-1. Cluster sizes are exponentially distributed, and so appear as a straight line when sorted and plotted on a log-log scale.

regardless of population of the location. Gateways 4 and 5 registered the numbers in Centennial.

3.2.4 Clusters

We generated 44,579 clusters from our dataset. All clusters with more than 43 messages were manually tagged and analyzed, giving us 754 tagged clusters. These clusters represent the messages from the most popular services in our dataset. The tagged clusters only represent 1.7% of the total clusters, but the tagged clusters cover 286,963 messages (74.2%). Figure 3-1 represents the data that supports this assertion by showing the exponential distribution of the cluster sizes.

3.2.5 SMS Usage

As shown in Table 3-4, messages containing a code constitute the majority of our dataset at 67.6% of the total messages, reinforcing that a main usage of SMS in our data is verification and authentication.⁷ Account creation and mobile device binding codes are the largest subcategories with 51.6% of the messages. Compared to other messages containing a code, one-time password messages are only 7.6% of messages. The URL

⁷ As we note in the previous section, these percentages are reflective of gateway messages, and may not necessarily be representative of broader SMS trends.
Table 3-4. We separated and labeled each cluster containing a code by the intent of the message. This table contains each of those labels and the number of messages in each, which total 74.2% of the messages in our dataset.

Tag            Messages   % Tagged
otp-dev        95685      33.4%
code           52872      18.5%
ver            52181      18.2%
conf           38521      13.4%
otp            21919      7.6%
pw-reset       3602       1.3%
ver-url        3139       1.1%
advertising    2999       1.0%
pw-reset-url   2696       0.9%
test           2612       0.9%
info           2339       0.8%
otp-dev-url    863        0.3%
password       697        0.2%
code-url       676        0.2%
conf-ro        401        0.1%
otp-url        320        0.1%
stop           284        0.1%
username       178        0.06%
conf-url       92         0.03%

variations for these code messages are also rare, constituting only 2.6% of messages. This reflects that most services prefer plain codes instead of URLs, which may not work well for older phones.

Password reset messages comprise 1.3% of our dataset. The corresponding URL version takes another 1.0% of our dataset. Interestingly, these password reset URLs overwhelmingly consist of Facebook results.

A small part (0.8%) consists of "test" messages. These are messages that consist of text such as "Test," "Hello," or "Hi" with no other information. This category consists of large clusters of messages sent by individuals to probe that the service works as advertised and is currently working. The sender phone numbers, therefore, provide insight into users of the gateways. We explore this more fully later in Section 3.4.

Finally, a few messages contain partial or complete usernames and passwords. These messages are particularly egregious because they may lead to account compromise and/or user identification. We discuss this further below.

3.3 Uses of SMS as a Secure Channel

In this section, we discuss what we observed about the security implications if any of the components of the SMS ecosystem described in Figure 2-1 are compromised. Although the usage we discuss in this section is benign, we observe the presence of PII and low code entropy, which are dangerous when available to an adversary in this ecosystem.

3.3.1 PII and Other Sensitive Information

SMS has become a major portion of global telecommunications worldwide, and its use by companies and other organizations comes as no surprise. However, our dataset contained instances of companies using SMS to distribute payment credentials or other financial information, login credentials, and other personally identifiable information. We also see instances where gateways are used for sensitive services.

Financial information. We found several distinct instances of credit card numbers being distributed over SMS in our dataset. Two of these appear to be intentional methods of distributing new cards, while another two appear to be the result of commerce. We discovered these using PII regular expressions. We also discovered several instances of CVV2 codes in our data. CVV2 codes are credit card codes meant to verify that the user is in possession of the physical card at the time of purchase.

We found that two services that provide "virtual" credit card numbers to allow access to mobile wallet funds distribute the numbers over SMS. These card numbers are "virtual" in the sense that they are not backed by a credit line, but in fact seem to be persistent. The first service is Paytoo, based in the United States. We recovered three distinct cards from this service, and additional messages containing balance updates, account numbers and transaction identifiers. While password reset was handled over email, identifiers such as email, username, phone number, or account number could all be used for login.

The other service is iCashCard, based in India. They distribute a prepaid credit card account number over SMS; this card is protected by a PIN also distributed over SMS. Additional messages contained a separate PIN which allows for account login with the phone number, meaning that access to SMS reveals access to the entire payment credential and account.

We found an additional credit card number, CVV, and expiration value from an unnamed service whose identity or purpose we could not identify. The message indicated that it was being sent to a user who had purchased a "package" of some sort, and confirmed the purchase using the full credit card number. Incidentally, the purchaser's IP address was listed in the SMS, and that IP address was placed in the SANS blocklist for suspected bots and forum spammers.

Our PII regular expressions discovered one final credit card number present in a text message sent to a Mexican phone number. The message contains a reference to a Venezuelan bank, the cardholder's name, and includes the credit card number, the CVV2, and the expiration date. To determine the context for this message, we examined other messages from this sender and found what appeared to be an SMS-based mailing list for purchasing items on the black market in Venezuela; items for sale included US paper products (diapers, tissue), oil, and tires, as well as US dollars at non-official rates [172]. Our best hypothesis for the presence of the credit card is that a purchaser of an item mistakenly sent payment information to the list in place of the actual sender. Nevertheless, this highlights that highly sensitive enterprises rely on SMS.

In addition to credit card information, we discovered one unidentified Polish service that includes a CVV2 code in their messages after registering for a prepaid service. Translated (by Google), these messages read: "Thank you for registering on the site prepaid. Your CVV2 code is: 194"

The financial information in our gateway data is not limited to credit card numbers. We found several instances of messages sent by a prepaid credit card provider in Germany,
PayCenter [173], that distributes bank account numbers (IBANs) in SMS messages. The same provider also sends a verification text to the user with a URL that includes the user's full name.

The messages above indicate that some services unwisely transmit sensitive financial information over SMS.

Usernames and passwords. In scanning our labeled clusters, we identified several services that would allow user accounts to be compromised if SMS confidentiality is lost. The most prominent example of these is Canadian international calling provider Boss Revolution [174]. Their user passwords are distributed via SMS, and usernames are simply the user's phone number. Thus, an attacker with read access to these messages can compromise an account. Another example was the Frim messaging service [175]. That service also uses the user's phone number and a password distributed over SMS. Other services distributing usernames and passwords in SMS include eCall.ch (a Swiss VoIP provider) [176] and RedOxygen (a bulk SMS provider) [177]. Fortunately for users, most online services in our data do not distribute password information through SMS.

Password reset. Several organizations, including Facebook and the investment platform xCFD, distribute password reset information via SMS in addition to, or in place of, other methods. The most common password request in our data was for Facebook account resets. Upon investigating these messages (using only our own accounts), we found that the messages contained a URL that would allow a password reset with no other identifying information or authentication, not even a name or username. This would allow any adversary with access to the message, either as it transits carrier networks, the receiving device, or any other entity that handles the message, to control the account. If the adversary has the username, he/she could cause reset messages to be sent for that account, allowing the adversary to take complete control of the account. This highlights the consequences of a compromise of the SMS ecosystem.

Other personally identifiable information. We found numerous examples of PII including addresses, zip codes, and email addresses. Email addresses are worth noting because the presence of an email address indicating an association between a phone number and an account could be used to associate codes or other authenticators sent to that device with the particular account. Our PII regular expressions identified 522 messages with emails; most of these were sent by live.com, gmail.com, inbox.ru, or pop.co (a hosting provider).

SMS activity from sensitive applications. Finally, we noticed several instances where messages appeared in the gateway from organizations whose very nature is sensitive. The worst among these was the room sharing service Airbnb. One of our messages contained the full address of the shared property (personal information obscured): "Airbnb reservation reminder: Jan 25-28 @ <address> <name>: <email> or <phone>". Although we suspect that the owner of the property listed it in such a way that this data was revealed, the use of SMS gateways for these services is troubling as it could facilitate real-world abuses.

Other examples of sensitive applications include a large set of registrations with other telecommunications services. These include popular phone services like Telegram, Viber, Line, Burner and Frim. The presence of these services in gateway data may indicate the use of these gateways for "number chaining," a practice that allows phone verified account evaders to acquire a large number of telephone numbers for free [48]. In addition, we see registration and activity in the gateway data to a number of bulk SMS services. This may indicate the use of gateway numbers to obtain access to bulk SMS services for the purposes of sending SPAM, in addition to a potential use for number chaining.

Case study: QIWI wallet. We have identified one service that uses most of the previously discussed problematic SMS practices: QIWI wallet, a Russian mobile wallet operated in partnership with VISA [178]. First, QIWI wallet sends email addresses in messages to bind emails to accounts. Second, this service also sends password reset codes
over SMS, while allowing login with the user's phone number, meaning any reader of the message can reset the user's password. QIWI also provides VISA numbers for its users, and they send partially-blinded card numbers and full CVV2 numbers through SMS. Such partially-blinded information can still be sensitive, as knowing the last four digits of a credit card is sometimes used for over-the-phone authentication, and such information has been used in the past to target call centers [179]. More worrisome, they seem to use two different blinding schemes, sometimes blocking the first and last four digits, other times blocking the middle 8 digits of the card. If both blinding schemes are used for the same card, it would be possible to acquire all card information over SMS. This service also sends balance updates over SMS, which are also sometimes used for caller authentication. Finally, we found at least one message in our data corresponding to a QIWI blocked account notification; one possible reason for this is the use of the QIWI account (registered with the gateway number) for fraud or abuse.

3.3.2 SMS code Entropy

Our message dataset afforded us samples of codes sent by many services over SMS. These codes provide valuable phone verification capabilities to services that wish to increase the burden of obtaining an account (e.g., to prevent fraudulent account creation), and these codes provide a glimpse into the security of the code-generation schemes. We grouped those clusters containing codes by service and extracted the numeric code from each message. Overall, we extracted from 33 clusters containing 35,942 authentication codes across 25 services, as shown in Table 3-5.

We first tested the entropy of each set of codes using a chi-square test. The chi-square test is a null hypothesis significance test, and in our use case indicates if the codes are uniformly generated between the lowest and highest value. A p-value less than 0.01 means that there is a statistically significant difference between the observed data and an ideal uniform distribution. Only 12 of 34 clusters (35%) had p > 0.05. We also measure the effect size w for each test, which indicates whether statistically significant
Table 3-5. The results of our statistical analysis of authentication codes from each service. Some services appear more than once in the data because their messages were split into multiple clusters (e.g., one for password resets and one for logins). This table presents the p-value, and if p < 0.05, whether the effect seen was large or medium according to established guidelines.

Service         p-value   Effect Size (w)   Effect?   Mean Code
Google          0.000     0.721             Large     547948
Google          0.000     0.793             Large     558380
Instagram       0.000     0.622             Large     503172
Instagram       0.000     0.574             Large     498365
Instagram       0.000     0.600             Large     497936
Jamba           0.000     6.009             Large     4719
LINE            0.000     0.595             Large     5476
LINE            0.000     0.519             Large     5530
LINE            0.000     0.530             Large     5442
Microsoft       0.000     2.929             Large     357494
Odnoklassniki   0.000     0.675             Large     433997
Origin          0.000     0.512             Large     502627
QQ              0.000     0.522             Large     505555
SMSGlobal       0.000     0.500             Large     5540
Talk2           0.000     1.327             Large     5732
Telegram        0.000     0.478             Medium    54961
Viber           0.000     8.138             Large     112075
WeChat          0.000     0.664             Large     4989
Alibaba         0.988                                 548652
Backslash       0.325                                 556223
Baidu           0.015                                 505165
BeeTalk         0.595                                 544719
Circle          0.080                                 506514
Gett            0.461                                 5512
Google          0.917                                 501623
Hushmail        0.527                                 503161
LINE            0.698                                 5511
Origin          0.086                                 500739
RunAbove        0.427                                 494697
Skout           0.004                                 5492
Tuenti          0.981                                 5010
Weibo           0.395                                 512458
WhatsApp        0.022                                 543563

A: WeChat   B: Talk2   C: LINE
Figure 3-2. These figures present heatmaps of codes where the first two digits are represented on the y-axis and the last two digits are represented on the x-axis. Darker values represent higher frequencies of a code in our data. These figures show that WeChat and Talk2 present an egregious lack of entropy in their authentication codes, while Line generates random codes without leading zeros.

differences have substantial differences. We find that most effect sizes were large (w > 0.5) with only one medium (w > 0.3), indicating our statistically significant differences were in fact meaningful. Finally, we confirmed that all tests performed had a statistical power of 0.98 or higher, indicating that our test had a high likelihood of observing any effect present.

Of the clusters, those belonging to the WeChat and Talk2 services had the least entropy of the authentication codes we analyzed. Not only did both services have p < 0.001 in the above chi-square test, the services' codes each generate a specific pattern. We mapped the first two digits of each code with the back two digits and show these two services' codes in Figure 3-2.

WeChat. Until April 2015, WeChat's authentication codes followed a pattern of (rand() * 16) mod 10000, which caused the stair-step offset-by-16 heatmap in Figure 3-2A. The pattern could be explained by a random number generator with low entropy in the four least significant bits. This effectively reduced the possible space of 4-digit codes to 625. In April 2015, WeChat changed its code generation algorithm. We removed the
625 known-pattern codes from the WeChat set and recomputed the chi-square entropy test. The p-value increased to 0.761 with statistical power and effect size of 0.989 and 0.423, respectively, indicating that the new algorithm is likely producing uniformly-random codes.

Talk2. This service has an extreme lack of entropy in its code-generation algorithm, as seen in Figure 3-2B. In particular, it appears to avoid digits 0, 1, 2, 5, and 8 in positions 1 and 3 of a 4-digit code. We made several attempts to reproduce this entropy pattern, but we were unable to produce a reasonable explanation for this dramatic reduction in entropy.

Google. While the Google codes we harvested did not appear to be uniformly-random in our experiments, this appears to be caused by duplicate codes. When requesting that a code be resent, Google will send the same code again. This practice is potentially problematic because it indicates that the Google codes have a long lifetime. Since messages on gateways may be accessible for weeks or months, it may be possible for an adversary that can identify the associated account to use an unclaimed code. Without access to the associated accounts, however, we were unable to determine the exact lifetime of Google's codes.

LINE. Although our experiments show LINE's codes are likely uniformly generated, the service does not generate codes with a leading zero, reducing the overall space of codes by 10%. This practice is common among our clusters, with 13 total clusters exhibiting this behavior. For comparison, we display LINE's codes in Figure 3-2C.

3.3.3 Takeaways

In this section, we explored the data that is exposed in the SMS channel for benign purposes. This is problematic if an adversary has access to SMS messages, as is the case with the gateways. We observed services that expose sensitive user data via SMS including financial data, account information, password reset URLs, and personal information
such as physical and e-mail addresses. We then found that 65% of services that use SMS to deliver codes generate low-entropy codes, which may be predictable and grant unauthorized access to accounts. The design of such services is guided by an assumption that the SMS channel is secure from external observation, and our observations show that this results in poor security design in those applications.

3.4 Abuses of SMS

Having explored how services attempt to use SMS as a secure channel, we now discuss what we observed about the security implications and evidence of abuse related to gateway activity. This includes phone verified account evasion, failed attempts at location anonymity, whether similar gateway numbers can be detected, and spam and fraud in the messages themselves.

3.4.1 Gateways and PVA

In this subsection, we discuss the relevance of our data to phone-verified accounts. In particular, we present evidence that the primary activity of the gateways we observe is evading phone verified account restrictions, and that existing countermeasures are ineffective.

Message activity statistics. In Section 3.2, we noted that more than half of the messages received by gateways are related to account verification. This vastly outweighed any other purpose of sending SMS. Beyond this information, message activity statistics also support this claim. The median number lifetime (the time from first message to last) in our dataset is 20 days, and the CDF of number lifetime is shown in Figure 3-3A. This lifetime is fairly short, and in fact 73.9% of numbers do not even last a full billing cycle (31 days).

There are two likely explanations for the short lifetime: one is that services that facilitate PVA need to replace their numbers often as they exhaust their usefulness to create new accounts. The second is that many of these numbers are in carriers (especially
mobile carriers) that shut off numbers for anomalous message volume. These explanations are not necessarily mutually exclusive.

To gain insight into this question, we computed the daily volume of messages for each phone number used by a gateway, and we call this series the "daily activity" of the number. If these numbers were being primarily used for personal messages or informational activities (like signing up for advertising alerts), we would expect the daily activity of the number to be fairly constant across the lifetime of the number, or for there to be a "ramp up" period as new users discover the new line.

Instead, we see almost the exact opposite behavior. To concisely express this, we computed skewness and kurtosis statistics of the daily activity of every number. Simply, kurtosis is a statistic that indicates if a series is "flat" or "peaky," while skewness indicates whether a peak falls closer to the middle, beginning, or end of a series. A skew of between (−1, 1) indicates the peak falls in the middle of the series, while a positive skew indicates a peak that arrives "earlier" in the series. We plot the skewness and kurtosis for every number in Figure 3-3B. Note that we reverse the x-axis, so that the further left in the plot a number falls, the "earlier" its peak.

Figure 3-3C shows the CDF of the daily activity skew, and we observe that approximately 60% of numbers have a skew towards early activity. This implies that most numbers have a high message volume early in the lifetime, and consequently, most of the activity of the number has been completed by the time it is shut down. If carriers are disabling numbers (for exceeding a message rate cap, for example), they are doing so well after most numbers have seen their peak use. Likewise, if online services are considering a number invalid for phone verification, they are still permitting a high volume of registration requests for a number (in aggregate) before blacklisting the number.

User location leakage. Some gateways advertise their services towards users that may be seeking privacy or anonymity. Although SMS does not provide either of these properties, the use of a gateway may provide a sense of anonymity for a user registering
for a service. Shortened URLs (often provided in space-constrained SMS messages) leak information about the user clicking the link to the URL-shortening service. With the statistics we collected from these services, we have identified both the source and destination countries for each message; we also found that the users of these services are located in significantly different locations. We do not attempt to deanonymize, track, or identify any users. Our data consists solely of publicly-available aggregate click statistics.

The number of clicks recorded ranged from 0 to 1,582,634 with a median of 10. This data represents any click to these URLs, not just those from the gateway pages. As a result, to prevent skewing our data with popular and spam messages, we focused on URLs with ≤ 10 clicks, since many incoming links expected by users of SMS gateways are likely clicked a small number of times. We collected the countries associated with each of the remaining 2,897 clicks and aggregated the results. Figure 3-4C shows the total clicks for each country across all shortened URLs. We could not map 194 clicks because the specific country information was not available or the service identified that the request was from an anonymizing proxy service.

Also in our data were "test" messages sent by users testing the services. These messages provide another window into the user base. Figure 3-4B and Table 3-6 show that the geographical extent of these users goes well beyond the home countries of gateway numbers. Users of gateways may not be aware that these URLs and messages are leaking metadata, and gateways do not adequately warn users of this danger. We consider the use of a gateway as an anonymizing service to be a subset of PVA evasion, however, because users are attempting to evade phone verification, albeit for a different intent.

3.4.2 Detecting Gateways

As we have discussed above, these gateways facilitate PVA evasion, and the demographic data we can obtain about the users of these services clearly shows usage patterns consistent with PVA fraud. It is clear that in most cases even reputable well-funded online services are not successfully defending against these (and similarly, for-pay gateways).

Table 3-6. This table contains the counts of the geolocated sender phone numbers for each country alongside the number of URL clicks from users based in those countries and the number of test messages sent to those countries. This data underscores the variation between the users of the gateway services and the numbers sending messages to the gateways.

Columns: Country, Messages, Clicks, Test Messages (a dash marks no messages from that country)

United States 95138964744
Canada 77036656
Germany 534979565
United Kingdom 440391089
Poland 161031117
Sweden 14849299
Spain 113235 1
France 827347820
Russian Federation 734427614
Norway 6674111
Mexico 64317114
Romania 6043190
Australia 5964-43
Belgium 5253310
India 50648113
Ukraine 43634
Italy 4326411
Thailand 40731
Hong Kong 3251-13
Israel 19716 6
Switzerland 1722914
Finland 17141911
Lithuania 5201
Estonia 4052
Ireland 3312 3
Austria 1587 8
Denmark 54
Czech Republic 63
Netherlands -24712
Portugal -211
China -106
Indonesia -9 7
Nigeria -5 7
Serbia -5 1
Luxembourg -5
Iran -418
Japan -4
Pakistan -311
Moldova -3
Turkey -3
Malaysia -2 8
Morocco -2 1
Hungary -2
Algeria -2
Taiwan -1144
Saudi Arabia -1 6
Ghana -1 5
Brazil -1 4
South Africa -1 4
Egypt -1 3
Bulgaria -1 1
Vietnam -1 1
Argentina -1
Iceland -1
Ivory Coast -1
Jordan -1
Myanmar -1
Sri Lanka -9
Iraq -7
Singapore -6
United Arab Emirates -5
Isle of Man -4
Kuwait -4
Bangladesh -3
Lebanon -3
New Zealand -3
Cambodia -2
Costa Rica -1
Jamaica -1
Maldives -1
Oman -1
Philippines -1
Reunion Island -1
Slovakia -1
Table 3-7. We analyzed the numbers from each gateway for similarity. In 7 of 8 gateways, at least 40% of the gateways' numbers were similar.

Site                        Similar / Total   Percent
[1] receive-sms-online info     15 / 59       25.4%
[2] receivesmsonline net        16 / 38       42.1%
[3] e-receivesms com             7 / 14       50.0%
[4] hs3x com                    28 / 57       49.1%
[5] receivefreesms com          52 / 93       55.9%
[6] receivesmsonline com        38 / 93       40.9%
[7] receive-sms-online com       8 / 19       42.1%
[8] receive-sms-now com         20 / 48       41.7%

Although number lifetimes are short, the sheer volume of verification messages in our data indicates that evasion is still an effective driver of profit for gateways.

PVA evasion is not new to online services. In particular, Google is acutely aware of this problem, having published a paper on the topic [86]. In that paper, Thomas et al. propose several strategies to detect PVA evasion. They include blocking irreputable carriers, restricting how quickly numbers can verify accounts, and phone re-verification. In this section we explore the recommendations in [86] and discuss how our data shows that these recommendations are unlikely to be effective.

Carrier reputation. While we only see one of the carriers identified as abuse-prone in [86] (bandwidth.com), blacklisting blocks of numbers by carrier would not stop all PVA evasion. Carrier-based blocking is prohibitively expensive for all but the largest of organizations. We obtained Twilio data for each number in our dataset and although the cost was relatively small ($0.005/lookup), scaling this (and additional number metadata such as CNAM and HLR data) to cover all of a business's customers represents a substantial cost. Furthermore, this kind of bulk blacklisting is difficult to enforce in the face of gateway services that maintain a large pool of numbers over many carriers. Online services that attempt to restrict the speed at which numbers can be reused for new accounts face an arms race against gateways.
Table 3-8. An analysis of the similarity of gateway numbers shows that the majority of numbers are in mobile carrier number blocks, not VoIP as we expected. As a result, attempting to block these number blocks may result in high false positives.

Carrier Type   Similar / Total   Percent
Mobile           159 / 184       86.4%
Landline           5 / 184        2.7%
VoIP              20 / 184       10.9%

Phone reputation. One option suggested in [86] for determining phone reputation is to create a service which shares abuse data between service providers. Although little information is given about how such a service could be created, we considered that it might be possible to blacklist abusive numbers if they are similar to each other.

We conducted a self-similarity analysis against the phone numbers in our dataset to determine how numbers are purchased. If they are purchased in bulk, it may be possible to detect them. We analyzed all of the gateways' numbers to determine similar numbers using Hamming distance. We found that most carriers use similar numbers (i.e., those with a Hamming distance of 2 or less), and the results are shown in Table 3-7. Over 40% of all of a gateway's numbers were similar in 7 of 8 gateways; however, we found that most of these repeated numbers are in mobile carriers, not VoIP, as shown in Table 3-8. The data shows that the gateway numbers are in the carriers that are most likely to serve legitimate users, so attempting to block these numbers may result in a high false positive rate.

Phone re-verification. Phone number re-verification would fail if the number were checked again outside the expected lifetime of a gateway number. In [86], Thomas et al. saw a median number lifetime of one hour, a reasonable point to perform a re-verification. In our dataset, however, we have seen that half of all gateway numbers last up to 20 days. Therefore, re-verification at any interval is unlikely to be universally effective since phone number longevity is not guaranteed.
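The Hamming-distance similarity check behind the Similar/Total figures of Table 3-7, as an added Python example that is not the dissertation's analysis code. The phone numbers are constructed samples, and counting a number as similar when any other number of the same gateway lies within distance 2 is an assumption about how the per-gateway count was taken.

```python
"""Added example, not the dissertation's analysis code: the Hamming-distance
similarity test behind the Similar/Total columns of Table 3-7.  The numbers
below are constructed samples, not gateway data from the study."""
from itertools import combinations


def hamming(a, b):
    """Number of digit positions at which two equal-length numbers differ."""
    if len(a) != len(b):
        raise ValueError("Hamming distance is only defined for equal lengths")
    return sum(x != y for x, y in zip(a, b))


def similar_numbers(numbers, max_distance=2):
    """Numbers with at least one other number of the same gateway within
    max_distance digit changes (the 'similar' criterion of Section 3.4.2).
    Treating any such near-duplicate as a sign of a bulk purchase is the
    interpretation assumed here."""
    similar = set()
    for a, b in combinations(numbers, 2):
        if len(a) == len(b) and hamming(a, b) <= max_distance:
            similar.update((a, b))
    return similar


def similarity_row(site, numbers):
    """One row of Table 3-7: (site, similar, total, percent)."""
    similar = len(similar_numbers(numbers))
    return site, similar, len(numbers), round(100.0 * similar / len(numbers), 1)


# Constructed sample for one gateway: three numbers from the same block differ
# only in the last two digits; the others are unrelated or of another length.
SAMPLE = ["14155550101", "14155550102", "14155550177",
          "447700900123", "12125550150", "16175550190"]

if __name__ == "__main__":
    site, sim, total, pct = similarity_row("example-gateway", SAMPLE)
    print(f"{site}: {sim} / {total} similar ({pct}%)")
    print(sorted(similar_numbers(SAMPLE)))
```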

3.4.3 Abuse Campaigns in SMS

Since gateways accept unsolicited messages, often do not filter messages, and are subject to users providing these numbers to various services, our data contains SMS from SPAM campaigns, phishing campaigns, and even one black market as discussed in Section 3.3.1. In this section, we will discuss these campaigns.

Spam campaigns. We found 1.0% of tagged messages across 32 clusters related to advertising. Upon manual inspection none of these appeared to be solicited messages, so we consider these to be spam messages. Of the advertising clusters we identified, 15 are UK-based financial services (e.g., payday loans, credit lines) from 14 numbers. Five are for distinct bulk messaging services. These services advertise gateways and the ability to avoid phone verification: "Using our service to create and verify accounts without your own phone number."

Another six clusters are from a specific job staffing site and appear to be bulk messages related to a job search. Curiously, these messages contain a name and zip code. We expanded the search beyond the labeled clusters and found 282 messages in 107 clusters. These messages may be related to this organization testing their bulk SMS API. All of these messages were sent to a single gateway number within a seven-hour time span, which is unusual when compared to other bulk message campaigns in our dataset. Finally, two of these messages have links to surveys via Bitly links. These links were created by user "smsautodialer", who has been a member since July 2015 and has shared over 2,802 Bitly links. The destination domain has a 0/65 detection ratio on VirusTotal.

We were surprised at the low spam volume observed in public gateways, as they market themselves as a service for avoiding spam. This has been a major topic of research, but the volume of spam traffic in our dataset is lower than previously measured [161], [180].

Phishing campaigns. In contrast to spam, phishing messages attempt to trick the user into believing he/she is communicating with a legitimate entity (e.g., to steal service
credentials). These scams typically use "fast-flux" domain registrations to defeat domain blacklisting strategies. Therefore, the age of the domain at the time a message arrives containing that domain is of particular value; if the domain is new, it may indicate that the domain is malicious. We matched the timestamps for incoming SMS messages with the registration times for the domains included in each message.

The fastest domain to appear in our dataset was danske-mobile*com^8, a domain that had been registered for only 11 hours before it appeared in an SMS message. The text of the message (translated from German) is "Dear Danske Bank customer, you have received an internal message" alongside the URL. We believe this to be a banking phishing message; however, we were unable to verify the URL's purpose. At the time of this writing, the specific host in the message returns a DNS NXDOMAIN error and the second-level domain returns a registrar parking page. The SMS gateway that received this message did not display the sender MSISDN number, instead replacing it with "Danske Bank," which may indicate number spoofing. Curiously, the domain WHOIS data shows detailed personal information (name, address, phone number) of the registrant, who is based in the United States. The real Danske Bank website has registration data with contact information in its home country, Denmark. Given this domain's intended purpose, we believe that this data is either incorrect or stolen personal information, and we did not pursue the ownership further.

In total, 8 domains appeared in messages after being registered for less than one day, as shown in Table 3-9. Only one of these domains was accessible via HTTP at the time of writing. The domain, phone-gps*com, has an error and delivers a stack trace when no HTTP user-agent string is provided; when we provided one, it delivers empty content (0 bytes). This site, therefore, may be using user-agent strings to determine what content

^8 We substitute an asterisk into suspicious URLs in this chapter to prevent PDF readers from inferring hyperlinks.
Table 3-9. Using domain WHOIS information, we measured the distance between the time a domain was first registered and the time a gateway first received a message containing a URL with this domain. In total, 8 domains appeared in messages within 24 hours of being registered.

Domain                Sender MSISDN   Time to First Message
danske-mobile*com     Danske Bank     0 days 11:41:02
location-message*com  243858234346    0 days 13:38:02
it-panels*com         16312237715     0 days 16:30:02
iurl-sms*com          14156537352     0 days 16:30:02
phone-gps*com         243858214490    0 days 18:41:03
url-sms*com           243858361940    0 days 18:47:03
location-device*com   243858097749    0 days 19:42:02
sms-new-page*com      243858289642    0 days 20:08:02

to deliver; however, we were not able to get the site to deliver any content with common strings for desktop and mobile browsers. The remaining 7 domains are all registered with contact addresses and registrars based in China and take the form of hyphen-separated English words. Since none of these domains had accessible hosts at the time of writing, we were unable to determine their purpose.

Since we were unable to verify the intent of the above domains, we manually searched our dataset for a recently-seen newly-registered domain. We found lostandfounds-icloud*com, a site that is designed to appear like the legitimate "Find My iPhone" Apple service. Figure 3-5 shows the SMS message containing this URL, which also indicates a phishing attempt.

The page's code appears to reject any username or password entered into the fields (a common practice among phishing sites), and indeed, upon putting any content in these fields, the page returned the error seen in Figure 3-6. As of November 2015 (less than one month since the message arrived at the gateway), the site has been taken offline. Due to the necessity of retrieving working domains from newly-obtained messages, this message appears later in our dataset than other messages we discuss in this chapter.

Other malicious behavior. Another empirical measure of the maliciousness of the URLs is scanning these URLs with security products. VirusTotal provides one such
Table 3-10. We requested VirusTotal scans for each extracted URL in our dataset. This table shows the number of detections for each product that detected a malicious URL. Overall 417 URLs had at least one detection.

Product                    Detections
ADMINUSLabs                1
AutoShun                   144
Avira                      7
BitDefender                15
Blueliv                    5
C-SIRT                     1
CLEAN MX                   11
CRDF                       5
Dr.Web                     62
ESET                       6
Emsisoft                   23
Fortinet                   31
Google Safebrowsing        15
Kaspersky                  3
Malekal                    3
Malware Domain Blocklist   20
Malwarebytes hpHosts       1
ParetoLogic                54
Phishtank                  1
Quttera                    2
SCUMWARE.org               4
Sophos                     28
Spam404                    3
Sucuri SiteCheck           94
TrendMicro                 1
Trustwave                  55
Web Security Guard         1
Websense ThreatSeeker      81
Webutation                 2
Yandex Safebrowsing        1
measure by requesting scans from multiple products. The full results are displayed in Table 3-10. VirusTotal returned 417 URLs with at least one detection. Only 3 URLs had 5 detections, and no URL had more than 5 detections. Of these detections, 508 were detected as "malicious site," 147 as "malware site," and 25 as "phishing site." Unsurprisingly, danske-mobile*com was not detected by any product, since this domain no longer appears to host any content and it is unlikely that any of these products can determine phishing attempts using the metadata we previously discussed.

Overall, abusive messages (spam, phishing, and malware) consisted of only a small portion of our dataset, despite being billed as a major problem in popular press. This is especially strange given that evasion of spam is something many of the gateways advertise, as we discussed in Section 3.1. Given previous reports on the pervasiveness of SMS spam, we believe that some entity in the SMS ecosystem is performing adequate spam filtering and that this problem may no longer be as severe as it once was.

3.4.4 Takeaways

In this section, we explored malicious uses of the SMS channel. First, we discussed how our data shows the prevalence of PVA evasion due to the stark contrast between gateway number locations and locations of users interacting with the gateways. We then discussed the difficulty of detecting gateways with carrier blocking due to cost and number lifetimes. Finally, we explored abuse campaigns via SMS and found that spam, phishing, and suspicious URLs are infrequent, which may indicate that SMS filtering at the gateways and in the network is sufficient.
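The domain-age matching of Section 3.4.3 (SMS arrival time at the gateway against the WHOIS creation time of each domain a message carries, reported in the "days HH:MM:SS" form of Table 3-9), as an added Python example that is not the study's pipeline. The messages, domains and registration times are constructed, and reserved `.test` domains stand in for the asterisked ones in the text.

```python
"""Added example, not the study's pipeline: match SMS arrival times at a
gateway against WHOIS creation times of the domains each message carries and
flag domains younger than a day at first sight (Section 3.4.3).  Messages,
domains and registration times are constructed; '.test' is a reserved TLD."""
import re
from datetime import datetime, timedelta

HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def domains_in(text):
    """Lower-cased host names of the URLs found in one message."""
    return {m.lower() for m in HOST_RE.findall(text)}


def time_to_first_message(messages, registered):
    """messages: (arrival time, text) pairs; registered: domain -> WHOIS
    creation time.  Returns domain -> age at the earliest message carrying
    it; domains without WHOIS data are left out rather than guessed."""
    first_seen = {}
    for arrived, text in sorted(messages, key=lambda m: m[0]):
        for domain in domains_in(text):
            first_seen.setdefault(domain, arrived)      # earliest arrival wins
    return {d: t - registered[d] for d, t in first_seen.items() if d in registered}


def fresh_domains(ages, max_age=timedelta(hours=24)):
    """Domains registered less than max_age before they first appeared."""
    return {d: age for d, age in ages.items() if age < max_age}


def fmt_age(age):
    """Render a timedelta the way Table 3-9 does: '0 days 11:41:02'."""
    s = age.seconds
    return f"{age.days} days {s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


REGISTERED = {  # constructed WHOIS creation times
    "bank-notice.test": datetime(2015, 10, 1, 0, 0, 0),
    "shop-deals.test": datetime(2015, 9, 1, 0, 0, 0),
}
MESSAGES = [  # constructed (arrival at gateway, text); out of order on purpose
    (datetime(2015, 10, 1, 18, 5, 0), "Reminder: http://bank-notice.test/m"),
    (datetime(2015, 10, 1, 11, 41, 2),
     "Dear customer, you have received an internal message http://bank-notice.test/m"),
    (datetime(2015, 10, 2, 9, 0, 0), "Weekend sale: http://shop-deals.test/sale"),
    (datetime(2015, 10, 2, 9, 30, 0), "Your verification code is 482913"),
    (datetime(2015, 10, 2, 10, 0, 0), "see http://no-whois-record.test/x"),
]

if __name__ == "__main__":
    ages = time_to_first_message(MESSAGES, REGISTERED)
    for domain, age in sorted(ages.items(), key=lambda kv: kv[1]):
        flag = "NEW" if domain in fresh_domains(ages) else "   "
        print(f"{flag} {domain:24} {fmt_age(age)}")
```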

Figure 3-3. Gateway number lifetime statistics. A) Only 25% of gateway-controlled numbers are used after one month. The median number lifetime is only 20 days. B) The skew and kurtosis of number lifetime indicates that 60% of messages have a significant skew towards heavier use at the beginning of the lifetime, while the kurtosis indicates that these numbers see a sharp increase in activity followed by steep decline. C) 60% of numbers used show a strong tendency for heavy use in the early lifetime of the number.
Figure 3-4. These maps visualize the sender phone number locations of A) all messages and B) test messages sent to the gateways. In C), we map the locations of users that have clicked Bitly- or Google-shortened URLs. These locations provide insight on both the services users are attempting to access and the gateway users themselves. Overall, the locations of the gateways' users significantly differ from the services sending messages, implying the primary purpose of these gateways is PVA fraud.
(Text of the message in Figure 3-5:)
Apple Customer, Your lost iPhone has been found and temporarily switched ON. To view iPhone map location lostandfounds-icloud*com Apple

Figure 3-5. The phishing SMS message, as received by a gateway. This message is the first step to deceiving a user into providing his/her Apple ID credentials. We substituted the asterisk in to prevent accidental clicks.

Figure 3-6. The page delivered to the user after following a link provided in a phishing SMS. The site refuses any username and password combination provided and displays the error shown in this figure.
CHAPTER 4
DETECTING INTERCONNECT BYPASS FRAUD

Cellular networks provide digital communications for more than five billion people around the globe. As such, they represent one of the largest, most integral pieces of critical infrastructure in the modern world. Deploying these networks requires billions of dollars in capital by providers and often necessitates government subsidies in poorer nations where such investments may not produce returns for many decades. As a means of maintaining these systems, international calls destined for such networks are often charged a significant tariff, which distributes the costs of critical but expensive cellular infrastructure to callers from around the world.

Many individuals seek to avoid such tariffs by any means necessary through a class of attacks known as "interconnect bypass fraud". Specifically, by avoiding the regulated network interconnects and instead finding unintended entrances to the provider network, a caller can be connected while dramatically lowering his or her costs. Such fraud constitutes a "free rider" problem, a term from economics in which some participants enjoy the benefits of expensive infrastructure without paying to support it. The most common implementation of interconnect bypass fraud is known as simboxing. Enabled by VoIP-GSM gateways (i.e., "simboxes"), simboxing connects incoming VoIP calls to the local cellular voice network via a collection of SIM cards and cellular radios. Such calls appear to originate from a customer phone to the network provider and are delivered at the subsidized domestic rate, free of international call tariffs. Interconnection bypass fraud negatively impacts availability, reliability and quality for legitimate consumers by

Text of this chapter is reprinted with permission from Bradley Reaves, Ethan Shernan, Adam Bates, Henry Carter, and Patrick Traynor. Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge. In Proceedings of the 24th USENIX Security Symposium, 2015. (Acceptance Rate: 15.7%).
creating network hotspots through the injection of huge volumes of tunneled calls into underprovisioned cells, and costs operators over $2 Billion annually [4].

In this chapter, we discuss Ammit^1, a system for detecting simboxing designed to be deployed in a cellular network. Our solution relies on the fact that audio transmitted over the Internet before being delivered to the GSM network will be degraded in measurable, distinctive ways. We develop novel techniques and build on mechanisms from the Pindr0p call fingerprinting system [125] to measure these degradations by applying a number of lightweight signal processing methods to the received call audio and examining the results for distinguishing characteristics. These techniques rapidly and automatically identify simboxed calls and the SIMs used to make such connections, thereby allowing us to quickly shut down these rogue accounts. In so doing, our approach makes these attacks far less likely to be successful and stable, thereby largely closing these illegal entrances to provider networks.

We make the following contributions:

- Identify audio characteristics useful for detecting simboxes: We identify features in simboxed call audio that make it easily differentiable from traditional GSM cellular calls and argue why such features are difficult for adversaries to avoid.

- Develop rapid detection architecture for the network edge: We design and implement Ammit, a detection tool that uses signal processing techniques for identifying illicitly tunneled VoIP audio in a GSM network, and demonstrate that our techniques can easily execute in real time. Such performance means that our solution can be practically deployed at the cellular network edge.

- Demonstrate high detection rate for SIM cards used in simboxes: Through experimental analysis on a real simbox, we show that Ammit can quickly profile and terminate 87% of simboxed calls with no false positives. Such a high detection rate arguably makes interconnect bypass fraud uneconomical.

^1 Ammit was an Egyptian funerary deity who was believed to separate pure and impure souls, preventing the latter from achieving immortality in the afterlife.
We note that our techniques differ significantly from related work, which requires either large-scale post hoc analysis [92] or serendipitous test calls to network probes [95], [99]. Our approach is intended to be used in real time, allowing for rapid detection and elimination of simboxes.

It should be noted that we are not attempting to combat the spread of inexpensive VoIP calls in this chapter. Traditional VoIP calls, which connect users through IP or a licensed VoIP-PSTN (Public Switched Telephone Network) gateway, are not considered a problem in countries that combat simboxes. Instead, we seek to prevent the creation of unauthorized entry points into private cellular networks that degrade performance for legitimate users and cost providers and governments two billion dollars annually. This is analogous to the problem of rogue Wi-Fi access points; simboxing prevents network administrators from controlling access to the network and can degrade service for other users. Moreover, similar to other economic free-rider problems, failure to combat such behavior can lead to both underprovisioning and the overuse of such networks, making quality and stability difficult to achieve [7]. Failure to combat simbox fraud may ultimately lead to raising prices and lower reliability for subsidized domestic calls in developing nations, where the majority of citizens can rarely afford such cost increases.

The remainder of this chapter is organized as follows: Section 4.1 describes simbox operation and their consequences; Section 4.2 presents our detection methodology; Section 4.4 describes our experimental methodology; and Section 4.5 discusses our results.

4.1 What is a Simbox?

A simbox is a device that connects VoIP calls to a GSM voice (not data) network. A simple mental model for a simbox is a VoIP client whose audio inputs and outputs are connected to a mobile phone. The term "simbox" derives from the fact that the device requires one or more SIM cards to wirelessly connect to a GSM network.

There is a strong legitimate market for these devices in private enterprise telephone networks. GSM-VoIP gateways are sold to enterprises to allow them to use a cellular
calling plan to terminate^2 calls originating in an office VoIP network to mobile devices. This is typically a cost saving measure because the cost of maintaining a mobile calling plan is often lower than the cost of paying termination fees to deliver the VoIP call through a VoIP PSTN provider (as well as the cost to the receiving party). Such a setup is done with the permission of a licensed telecommunications provider and is only done for domestic calls. This is in direct opposition to simboxers, who purchase subsidized SIM cards to deliver traffic to a local network without paying the legally mandated tariffs.

Because there is a high demand for GSM-VoIP gateways, they span a wide range of features and number of concurrent calls supported. Some gateways support limited functionality and only a single SIM card, while others hold hundreds of cards and support many audio codecs. Some simboxes used in simbox fraud rings are actually distributed, with one device holding hundreds of cards in a "SIM server" while one or more radio interfaces connect calls using the "virtual SIM cards" from the server. This allows for simple provisioning of SIM cards, as well as the ability to rotate the cards to prevent high-use or location-based fraud detection.

4.1.1 How Simbox Fraud Works

Simboxing is a lucrative attack. Because simboxers can terminate calls at local calling rates, they can significantly undercut the official rate for international calls, while still making a handsome profit. In doing so, simboxers are effectively acting as an unlicensed and unregulated telecommunications carrier. Simboxers' principal costs include simbox equipment (which can represent an investment up to $200,000 US in some cases), SIM cards for local cellular networks, airtime, and an Internet connection. Successfully combating this type of fraud can be accomplished by making any of these costs prohibitively high.

^2 In cellular and telephone networks, "terminating a call" has the counterintuitive meaning of "establishing a complete circuit from the caller to the callee."
[Figure 4-1 diagram. Panel A, a typical international call: Foreign PSTN Core, Regulated Interconnect (RI), Domestic PSTN Core. Panel B, a simboxed call: Foreign PSTN Core, Internet, VoIP/GSM simbox, Domestic PSTN Core, with a legitimate local call and a legitimate VoIP call still crossing the RI at the international border.]

Figure 4-1. A typical international call (A) is routed through a regulated interconnect. Note that VoIP calls from services such as Skype that terminate on a mobile phone also pass through this regulated interconnect and are not the target of this research. A simboxed international call (gray box, subfigure B) avoids the regulated interconnect by routing the call to a simbox that completes the call using the local cellular network.

Figure 4-1 demonstrates in greater detail how simboxing compares to typical legitimate international call termination. Figure 4-1 shows two international call paths: a typical path (Figure 4-1A) and one simbox path (Figure 4-1B).

In the typical case, when Alice calls Bob, her call is routed through the telephone network in her country (labeled "Foreign PSTN Core") to an interconnect between her network and Bob's network. The call is passed through the interconnect, routed through Bob's domestic telephone network ("Domestic PSTN Core") to Bob's phone. If Alice and Bob are not in neighboring countries, there may be several interconnects and intermediate networks between Alice and Bob. The process essentially remains the same if Alice or Bob are using mobile phones. The interconnect in this scenario is crucial; interconnects
are heavily regulated and monitored to ensure both call quality and billing accuracy (especially for tariffs).

In the simbox case, Alice's call is routed through her domestic telephone network, but rather than passing through a regulated interconnect, her call is routed over IP to a simbox in the destination country. The simbox then places a separate call on the cellular network in the destination country, and then routes the audio from the IP call into the cellular call, which is routed to Bob through the domestic telephone network.

In practice, simboxers execute this attack and profit in one of two ways. The most common method is for the simboxer to present themselves as a legitimate telecommunications company that offers call termination as a service to other telecom companies. As a call is routed through these intermediate networks, neither of the end users is aware that the call is being routed through a simbox. This agreement is analogous to a contract between two ISPs who have agreed to route traffic between their networks. While the end user has no knowledge of how his traffic is routed, the intermediate network owners profit from reduced prices for routed traffic.

The second method simboxers use to profit is to offer discounted call rates directly to end consumers, primarily through the sale of international calling cards. Such cards have a number that the user must dial before she can dial the recipient's number; this number will route to a number provided by a VoIP provider that points to the simbox in the recipient's country. When the user calls the number on her calling card, the simbox will answer, prompt her to dial the recipient's number, then the simbox will connect the call.

4.1.2 Consequences of Simbox Operation

The consequences of simboxing are significant to users who place simbox calls, users who share the cellular network with simboxers, and to cellular carriers and national governments.
As for the effects on users, Alice is likely unaware of the details of her call routing. However, Alice and Bob may both notice a degradation in quality, and Bob may notice that the Caller ID for Alice does not show her correct number. Bob may blame his local carrier for poor call quality, and so the carrier unfairly suffers in reputation.

Other users in the same cell as the simbox also suffer negative consequences. Cellular networks are provisioned to meet an expected demand of mobile users who only use the network a fraction of the time, and accordingly may only be able to support a few dozen simultaneous calls. When a simboxer sets up an unauthorized carrier and routes dozens of calls through a cell provisioned to support only a handful of simultaneous calls, the availability of that cell to service legitimate calls is significantly impaired. Connectivity within the cell may be further impaired by the dramatic increase in control traffic [181].

4.2 Methodology

Legitimate VoIP calls and other international calls enter a cellular network through a regulated interconnect or network border gateway. To halt simboxed calls, we only need to monitor incoming calls from devices containing a SIM card. Figure 4-1B shows the path of legitimate and simboxed audio, respectively, from the calling source to the final destination. In both cases, the tower believes it is servicing a voice call from a mobile phone. However, the audio received by the tower from a simboxed call will contain losses, indicating that the audio signal has traveled over an Internet connection, while the audio from a legitimate call will not contain these losses, having been recorded directly on the transmitting mobile phone. As discussed in Chapter 2, jitter and loss in Internet telephony manifest as unconcealed and concealed gaps of audio to the receiving client (the simbox, in this case). These features are inherent to VoIP transmission, and the only variant is the frequency of these events. All simboxed calls will have some amount of packet loss and jitter, so we design Ammit to detect these audio degradations. Because the audio transmitted to the mobile device could have originated from a variety of connection types, Ammit only analyzes audio received from mobile devices. If the mobile device is
a simbox, the characteristics of this audio will exhibit the loss patterns consistent with a VoIP connection, making the call distinguishable from audio recorded and sent by a mobile phone.

4.2.1 Inputs to Ammit

The most common codec supported by simboxes is G.711 [182]. The G.711 codec is computationally simple, royalty-free, and serves as a least common denominator in VoIP systems. It was originally developed in 1972 for digital trunking of audio in the PSTN, and it is still the digital encoding used in PSTN core networks. The original standard indicated that G.711 should insert silence when packets are delayed or lost, so we examine G.711 using this setting.

Simboxers will have a clear incentive to configure their simboxes to evade detection, and an obvious evasion strategy is to ensure that audio is as close as possible to legitimate audio by using the GSM-FR codec for the VoIP link. Therefore, we show how Ammit accounts for this difficult case where GSM-FR is used with and without packet loss concealment. We discuss how Ammit addresses other evasion techniques in Section 4.3.

In summary, Ammit must detect the two audio phenomena that are characteristic of VoIP transmission: concealed and unconcealed packet losses. The following subsections detail how Ammit detects these phenomena, but first we briefly describe the data that Ammit receives from the tower before detecting audio features.

In GSM, audio encoded with the GSM-FR codec is transmitted between a mobile station (MS, i.e., a phone) and a base transceiver station (BTS, i.e., a cell tower) using a dedicated traffic channel. The encoding used by GSM-FR causes certain bits in a frame to be of greater importance than others. When an audio frame is transmitted, frame bits are separated by their importance. "Class 1" bits containing the most important parameters are protected by a parity check and error correcting codes, while "Class 2" bits are transmitted with no protections because bit error in these bits has only a small effect on the quality of the audio. The approach of only protecting some bits is a compromise
between audio quality and the cost of the error correcting code. When Class 1 bit errors cannot be corrected, the receiver erases (i.e., drops) the entire frame. When Class 2 bits are modified, the audio is modified, but the receiver has no mechanism to detect or correct these modifications. This is termed "bit error." It should be noted that bit error and frame erasure are distinct concerns in GSM.

The receiving device (MS or BTS) may use PLC to conceal this frame erasure. When a BTS erases a frame, it conceals the loss before forwarding the audio into the core network. Visibility into frame erasures motivates our choice to place Ammit at the tower. However, there are additional benefits to locating Ammit at a tower. Specifically, this allows for scalable detection of simboxes because a single Ammit instance is only responsible for the dozens of calls that pass through the tower instead of the thousands of concurrent calls in a region or nation. Finally, if Ammit has a high confidence that a call is simboxed (as defined by a network administrator policy), ending a call at the tower is simpler than in other parts of the network. This policy would further frustrate the efforts of simboxers. It is also possible to deploy Ammit closer to the network core, perhaps at BSC or MSC nodes, but GSM loss information would need to be forwarded.

Ammit takes two inputs: a stream of GSM-encoded audio frames and a vector indicating which audio frames were erased (both of which can be collected by the BTS connecting the call). Ammit uses the frame erasure vector to ignore the effects of the air interface on the call audio. Ignoring erased frames ensures that losses on the air interfaces are not misinterpreted as losses caused by VoIP.

4.2.2 Detecting Unconcealed Losses

Ammit must detect two degradation types: unconcealed packet loss and concealed packet loss. To detect unconcealed loss, Ammit looks for portions of audio where the energy of the audio drops to a minimum value then quickly rises again. This technique is also used in the Pindr0p system [125]. The following discussion describes the Pindr0p
[Figure 4-2 plot: short time energy (y-axis) against time in ms (x-axis, 0-250 ms), with the packet loss, the detected loss (true positive) and an undetectable loss marked.]

Figure 4-2. The short-term energy of speech during audio can reveal silence insertion. Packet loss that falls in naturally silent sections of audio is undetectable.

approach to detecting unconcealed losses, with additional implementation insight and details.

Figure 4-2 demonstrates unconcealed packet loss in a clip of audio at 78 ms and 215 ms. At 78 ms, a packet is lost and silence begins. A short time later, at 90 ms, the energy rises again, indicating that a new packet has arrived containing speech. Because the time between the energy fall and rise is less than typical in speech, Ammit marks that section of audio as containing a lost packet.

While the intuition is simple, there are several challenges to using this technique to detect losses from simboxed audio. The first challenge is that many packet losses will occur during naturally silent audio, meaning that there will be no significant change in energy. This fact merely limits the amount of detectable loss events. The second challenge is that speech regularly has short pauses, causing false positives. A third challenge is that because there is no guarantee that VoIP frames are fully contained within a single GSM frame, a VoIP loss could begin in the middle of a GSM packet. Finally, uncorrected packet
losseswillhaveverylowbutnon-zeroenergybecausethepuresilenceisalteredbybit errorsinairtransmissionorbydegradationswithinthesimbox. Therststepofdetectingunconcealedpacketlossistocomputetheenergyofthe audiosignal.AmmitusesShortTimeEnergy(STE)asitsmeasureofsignalenergy.Short timeenergyisafrequentlyusedmetricinspeechanalysis[ 183 ].STEiscomputedby takingsmallwindowsofdataandsummingthesquaredvaluesofthesignalinthewindow. Moreformally,STEcanbewrittenas E n = n i = n N +1 (( x ( i )) w ( n i )) 2 (41) where x istheaudiosignal, w isthewindowfunction, n istheframenumberand N isthe framesize. AmmitcomputesSTEusinga10msaudioframe,notthe20msframesusedin GSM-FRandmanyothercodecs,because10msistheminimumframesizeusedbya VoIPcodec,asstandardizedinRFC3551[ 184 ].Weusethestandardpracticeofusinga Hammingwindowhalfthelengthoftheframewitha50%overlap.Therefore,eachSTE measurementcovers5msofaudioandoverlapswith2.5msofaudiowiththelastwindow. Thisne-grainedmeasurementofenergyensuresthatAmmitcandetectpacketlossthat beginsinthemiddleofaGSMairframe. WithSTEcomputed,Ammitthencomputesthelowerenvelopeoftheenergy.Inthe presenceofnoise,the"silence"insertedintheVoIPaudiowillhavenon-zeroenergy.We denethelowerenvelopeasthemeanoftheminimumenergyfoundinthe10msframes. Wealsodetermineatolerancearoundtheminimumenergyconsistingof50%ofthelower envelopemean(thiswasdeterminedexperimentally). OnceAmmithasdeterminedthelowerenvelope,itlooksforenergiesthatfallwithin theminimumenvelopetolerancebutthenriseafterashortnumberofenergysamples.We experimentallychose40msasthemaximumvalueforasuddendropinpacketenergy,and 83

[Figure 4-3 (two plots): top, Audio Amplitude versus Time (ms) with the Original Signal followed by two Repeated, Attenuated Signal segments; bottom, Cepstrum Magnitude versus Quefrency (ms)]
Figure 4-3. GSM-FR repeats and attenuates the last good frame to conceal packet loss. This results in a clear peak at 20 ms in the cepstrum of the audio that can be used to detect a simboxed call.

our experimental results reflect the fact that this period is lower than the minimum for pauses in standard speech (which is around 50-60 ms).

Because this method simply looks for silence, it is effective for both codecs we study, and it is fundamentally suited for all codecs that insert silence in the place of lost packets.

4.2.3 Detecting Concealed Losses in GSM-FR

Before we describe how Ammit detects GSM-FR packet loss concealment, we first describe GSM-FR PLC [185] at a high level. On the first frame erasure, the erased frame is replaced entirely by the last good frame. On each consecutive frame erasure, the previous frame is attenuated before replacing the erased frame. After 320 ms (16 frames) of consecutive frame erasures, silence is inserted. Attenuation of repeated frames is motivated by the fact that while speech is stationary in the short term, longer-term prediction of audio has a high error that users perceive as unnatural.
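The unconcealed-loss check described above (short-time energy over 5 ms Hamming windows advanced by 2.5 ms, a lower envelope with a 50% tolerance, and a 40 ms upper bound on a dip) can be followed end to end on constructed audio. The following is an added example in plain Python, not code from the dissertation or from Ammit; it assumes that "within the tolerance" means an energy at or below 1.5 times the lower-envelope mean, and the test audio (a 200 Hz tone in bursts over faint noise, with a 12 ms hole at 78 ms standing in for a lost packet) is constructed for the example.

```python
"""Unconcealed VoIP loss detector modelled on Ammit's short-time-energy check.
Added example, not code from the dissertation. The tolerance reading (energy at or
below 1.5x the lower-envelope mean), the event bookkeeping and the test audio are
this example's own choices."""
import math
import random

SAMPLE_RATE = 8000      # telephone-band audio
WINDOW = 40             # 5 ms Hamming window: half of a 10 ms VoIP frame
HOP = 20                # 2.5 ms hop, i.e. 50 % overlap between windows
FRAME = 80              # 10 ms frame used for the lower envelope
MAX_LOSS_MS = 40.0      # longer silent runs are treated as natural pauses
TOLERANCE = 0.5         # 50 % of the lower-envelope mean


def hamming(n):
    return [0.54 - 0.46 * math.cos(2 * math.pi * i / (n - 1)) for i in range(n)]


def short_time_energy(x):
    """E_n = sum over the window of (x(i) * w(n - i))^2, one value every 2.5 ms."""
    w = hamming(WINDOW)
    return [sum((x[s + i] * w[i]) ** 2 for i in range(WINDOW))
            for s in range(0, len(x) - WINDOW + 1, HOP)]


def lower_envelope(ste):
    """Mean of the minimum STE value in each 10 ms frame (4 STE values per frame)."""
    per_frame = FRAME // HOP
    minima = [min(ste[k:k + per_frame]) for k in range(0, len(ste), per_frame)]
    return sum(minima) / len(minima)


def detect_unconcealed_loss(x):
    """Return the start times (ms) of energy dips that are bounded by speech on both
    sides and shorter than MAX_LOSS_MS: too short for a pause, so likely a lost packet."""
    ste = short_time_energy(x)
    threshold = lower_envelope(ste) * (1.0 + TOLERANCE)    # assumed reading of the tolerance
    max_run = int(MAX_LOSS_MS * SAMPLE_RATE / 1000 / HOP)  # 16 STE values
    events, i = [], 0
    while i < len(ste):
        if ste[i] > threshold:
            i += 1
            continue
        start = i
        while i < len(ste) and ste[i] <= threshold:
            i += 1
        fell = start > 0 and ste[start - 1] > threshold    # energy dropped into the dip
        rose = i < len(ste)                                # and came back up afterwards
        if fell and rose and (i - start) <= max_run:
            events.append(start * HOP * 1000.0 / SAMPLE_RATE)
    return events


def synthetic_call(seed=1):
    """Constructed audio: a 200 Hz 'voiced' tone in bursts over low-level noise, so the
    inserted silence has low but non-zero energy as the text notes. The 12 ms hole at
    78-90 ms mimics a lost packet; the 100 ms and 80 ms gaps are natural pauses."""
    rng = random.Random(seed)
    voiced = [(0, 78), (90, 150), (250, 320)]   # ms ranges carrying the tone
    x = []
    for t in range(int(0.400 * SAMPLE_RATE)):
        ms = t * 1000.0 / SAMPLE_RATE
        v = rng.uniform(-0.001, 0.001)
        if any(a <= ms < b for a, b in voiced):
            v += 0.5 * math.sin(2 * math.pi * 200 * t / SAMPLE_RATE)
        x.append(v)
    return x


if __name__ == "__main__":
    print("loss events start at (ms):", detect_unconcealed_loss(synthetic_call()))
```

Running it reports a single event starting at the 77.5 ms window: the hole is shorter than 40 ms and is bracketed by energy on both sides, whereas the two longer pauses are left alone, which is exactly the distinction the chapter draws between a lost packet and natural speech pauses. A hole that fell inside one of the pauses would, as the text says, be undetectable by this check.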

Repeating frames wholesale has the frequency domain effect of introducing harmonics every 1/(20 ms) = 50 Hz [158]. Thus, there will be a spike in the cepstrum³ at the 20 ms quefrency. Because 50 Hz is well below human pitch, this is a distinctive indicator of GSM packet loss. Figure 4-3 shows a clip of audio that has had GSM-FR packet loss concealment applied and the corresponding cepstrum. Note that the audio repeats (but is attenuated) every 20 ms, resulting in a peak in the cepstrum at 20 ms. To detect GSM-FR PLC, Ammit computes the cepstrum of a window of three frames of audio and looks for a coefficient amplitude in the 20 ms quefrency bin that is double the standard deviation of amplitudes of the other cepstral coefficients and not located in a silent frame.

³ A "cepstrum" is a signal representation defined as the inverse Fourier transform of the logarithm of the Fourier transform. A rough mental model is to think of the "cepstrum" as the "Fourier transform of the Fourier transform of a signal." The domain of the function is termed "quefrency" and has the units of seconds.

4.2.4 Simbox Decision and SIM Detection

While concealed and unconcealed packet loss are measurable indicators of simboxing, there is a small false positive rate caused by the imperfection of our signal processing techniques. Accordingly, a single instance of a detected loss or concealed loss is not sufficient to consider a call to be originated from a simbox. Instead, we normalize the counts of loss events by the number of total frames in a call and consider a call as simboxed if the loss event percentage is much higher than the average loss event percentage for legitimate audio. We show in the following section that this approach is effective for all but the highest quality VoIP links, which provide few loss events to detect.

Even with this thresholding, some legitimate calls will occasionally be marked as a simbox. To ensure detection of simboxes with even improbably low loss rates, and to reduce the impact of false positives, we propose that the network should keep track of the number of times a call placed from a SIM is marked as a simboxed call. We term this

technique "SIM detection" and show in the following sections that by using this technique we can further discriminate the legitimate subscribers from simboxers.

4.2.5 Efficiency of Ammit

Ammit is designed to analyze call audio in real time as it is received by the cellular tower. So, the system must be designed to function efficiently using minimal computation and network resources. To accomplish this, we avoid using costly analysis associated with machine learning or complex signal feature analysis, and instead apply simple threshold checks to processed audio signals. For each time window collected by Ammit, we apply two iterations of the Fast Fourier Transform (FFT) and a comparison operation to the distinguishing criteria noted above. The FFT is a well-known algorithm that can be run with O(n log n) complexity, and is used to analyze audio in real time for applications such as audio visualizers. We further verify empirically that these operations can be executed in real time in Section 4.5.

In addition, any added load on the network will cause a minimal impact on the overall throughput. While Traynor et al. [181] demonstrated that added signaling within the cellular network can cause a DDoS effect, Ammit sends only a single message to the HLR⁴ for any call flagged as a simboxed call. For this added messaging to cause an effect on the internal cellular network, a cell containing a simbox would have to simultaneously send significantly more messages than there are channels to handle cellular calls, which is not possible.

⁴ The Home Location Register is a central database in a cellular network that manages subscriber information.

4.3 Threat Model and Evasion

To evade Ammit, simboxers must either compromise Ammit's measurement abilities or successfully prevent or hide VoIP losses. While simboxers will take every economically rational action to preserve their profitability, attempting to evade Ammit will be difficult

and likely expensive. This will hold true even if simboxers are aware of Ammit's existence and detection techniques, and even if simboxers are able to place arbitrary numbers of calls to test evasion techniques. In this section, we outline basic assumptions about our adversary. We then provide details about how Ammit can be expanded to address stronger adversaries that could defeat the prototype described in this chapter.

4.3.1 Security Assumptions

The effectiveness of Ammit relies on four reasonable assumptions to ensure that Ammit cannot be trivially evaded by simboxers. First, we assume that the Ammit system (hardware and software) is no more accessible to the attacker than any other core network system (including routing and billing mechanisms). Second, we assume that Ammit will be used to analyze all call audio so that simboxers cannot evade a known evaluation period. We show in Section 4.5.4 that Ammit can efficiently analyze calls. Third, we assume that Ammit will report measurements to a single location (like the HLR) so that simboxers cannot evade Ammit by frequently changing towers. Finally, we recommend that Ammit be widely deployed throughout a carrier's infrastructure because a wider deployment will provide fewer places for simboxes to operate.

4.3.2 Evasion

If the simboxer cannot avoid Ammit analysis, he must hide or prevent VoIP packet loss and jitter. Hiding packet loss and jitter was the very goal of over two decades of intense academic and industrial research that has so far only provided good but algorithmically detectable solutions, including jitter buffering and loss concealment.

Extreme jitter buffering. VoIP clients (including simboxes) routinely use short audio buffers to prevent low levels of jitter from causing delays in playback. Simboxers could set the jitter buffer to a large value (say, several seconds of audio) to prevent jitter from causing noticeable audio artifacts. However, this would be intrusive to users, and Ammit could still detect true losses as well as the added false starts and double talk. While we leave the testing of this approach to future work, we briefly describe how high jitter

buffers could be detected by measuring the incidence of double talk. Double talk is the phenomenon where, after a lull in conversation, two users begin to talk (apparently) simultaneously. Because double talk increases with audio latency, increased double talk will be indicative of increased latency. Because an increased jitter buffer (combined with the already high call latency from an international call) will lead to higher than "normal" latency, detecting anomalous double talk will help in detecting simboxing. Detecting double talk is an important task in equipment quality testing, and ITU-T standard P.502 provides an off-the-shelf method for measuring it. Feasibility and appropriate thresholds can be determined using call data through simboxes and from legitimate subscribers. While such data is unavailable to outside researchers, it is available to the carriers who would be fielding such a system.

Alternative PLC approaches. Ammit looks for brief silences as one signal of VoIP loss, so simboxers could replace silence with noise or other audio. This is a well known form of Packet Loss Concealment. In general, PLC algorithms (like the GSM-FR PLC) fall into three categories: insertion, interpolation, and regeneration [186]. Although there are a number of algorithms in each category, the majority are published (and those that are not are often similar to those that are). All will have some artifacts that can lead to detection, and because the Pindr0p project has developed techniques to identify other codecs [125], we leave detecting other PLCs as future engineering work not essential to confirming our hypothesis that audio features can identify simboxes.

Improved link quality. In addition to jitter and loss concealment, simboxers could reduce losses and jitter with high-quality network links or a redundant transmission scheme, but there are several barriers to this. First, finding a reliable provider may not be possible given the low connectivity conditions in simboxing nations. If a provider is available, the costs will likely be prohibitive. For example, in Kenya one can expect to pay $200,000 US per month for a high-quality 1 Gbps link [187]. This connection also guarantees little beyond the first routing hop. Beyond the costs, having a better quality

connection than many universities and businesses may raise undesirable scrutiny and attention to the simboxers. Even if a high-quality link is available, it would not remove degradations from the call that occur before the call arrives at the entry point to the simbox.

Garbled frame transmission. Finally, simboxers could evade Ammit detection by failing to transmit valid GSM air frames when an IP frame is lost. In effect, Ammit would believe that all VoIP losses were air losses and would not detect VoIP losses. Ammit could detect this evasion by noting anomalous air loss patterns.

Currently, conducting a simboxing operation requires the technical sophistication of a systems administrator. This evasion technique will require significant engineering resources (with expertise in embedded system design, implementation, and production) because GSM modems are typically sold as packages that accept an audio stream and high-level control commands (e.g. "place a call" or "send an SMS"). These tightly integrated chips are not capable of sending damaged packets on command. While the Osmocom baseband project [188] could provide a start for a custom radio, Osmocom targets inexpensive (though relatively rare) feature phone variants and would not be a turnkey GSM baseband for a custom simbox⁵. Finally, even if the simboxers develop such a modem, they would have to conceal all detectable artifacts from both the final VoIP step as well as any intermediate networks (like a caller's mobile network). For these reasons, this strategy would only be effective for the most motivated and very well-funded simboxers.

⁵ We pursued this line of research ourselves before finally purchasing a commercial simbox.

However, in the event that simboxers do pursue this strategy, we propose the following methodology to detect such an attack. Given the considerable difficulty in developing the attack as well as constructing a suitable test environment, we leave testing this detection methodology to future work. We hypothesize that this garbled packet

evasion strategy can be detected from anomalous air interface loss patterns because simboxed calls will see the "typical" amount of loss plus the loss created by the simboxer. Loss patterns may be anomalous for improbable amounts of loss, or for improbably bursty sequences of lost frames. These anomalies could be determined on a tower-by-tower basis to take into account local transmission conditions (like a tunnel affecting signal quality). Because mobile stations (i.e. phones) do not know which frames are erased when they arrive at the tower, simboxers will not be able to tune their loss rate to be within the bounds used by this strategy.

4.4 Experimental Setup

In this section, we describe how we characterize Ammit through the use of simulation and test its effectiveness against a real simbox.

We simulate simboxed calls by taking a corpus of recorded audio and passing it first through a VoIP simulator and then through a GSM air simulator (again, we use the term "air" to distinguish GSM cellular transmission). The GSM air simulator provides Ammit with both audio and a vector of GSM frame errors. To simulate legitimate calls, we pass the audio corpus through the air simulator only. We motivate the use of simulation in Section 4.4.6.

We test Ammit against three simbox codec choices: G.711 with no packet loss concealment and GSM-FR with and without packet loss concealment (we discussed this choice in Section 4.2). We evaluate single simbox call detection and SIM detection at 1%, 2%, and 5% loss rates (we justify this choice later in this section).

4.4.1 Speech Corpus

The source of voice data for our experiments was the TIMIT Acoustic-Phonetic Continuous Speech corpus [189]. This is a de facto standard dataset for call audio testing. The TIMIT corpus consists of recordings of audio of 630 English speakers from 8 distinct

regions each reading 10 "phonetically rich" standard sentences⁶. The recordings are 16 kHz 16-bit signed Pulse Code Modulation (PCM), which are downsampled to 8 kHz to conform to telephone quality. For the single call detection tests, we concatenate the 10 sentences for each of the 462 speakers into 1 call per speaker, creating a dataset of 462 calls⁷. Each call is approximately 30 seconds in length. The SIM detection test requires a larger call corpus, so for 98 randomly selected speakers we generate 20 calls for each speaker using permutations of the 10 sentences for each speaker (for a total of 1960 calls). Calls consist of only one speaker because Ammit analyzes each direction of the call separately.

⁶ N.B. We use a subset of 462 male and female speakers from all 8 regions.
⁷ We set aside 12 of these calls as a training set to develop and verify our algorithms and set detection thresholds. These calls were not used for testing.

4.4.2 VoIP Degradation and Loss

VoIP simulation takes TIMIT call audio as input and outputs audio that has been degraded by VoIP transmission. The simulator must convert the input audio from its original format (PCM) to the VoIP codec simulated (GSM or G.711), simulate loss, implement packet loss concealment in the case of GSM-FR, and output the final degraded audio. We examine these steps in greater detail in this subsection.

Audio conversions. The input audio files, encoded using PCM, must either be converted to G.711 or GSM-FR. We use the widely-used open-source utility sox [190] for all codec transitions throughout the Ammit testing infrastructure. Note that these codec transitions are standard practice throughout PSTN and VoIP networks.

Packet loss modeling. We model Internet losses with the widely-used [191] Gilbert-Elliot packet loss model [192]. The Gilbert-Elliot model is a 2-state Markov model that models packet losses with bursty tendencies. A given channel can be in either a "good" state or a "bad" state. If the channel is in the "bad" state, packets are dropped. The Gilbert-Elliot

model can be described with two parameters: p, the likelihood that the channel enters the "bad" state, and r, the likelihood that the channel leaves the bad state. The parameter p controls the frequency of loss events while r controls how long bursts last. We parameterize the model such that p is the target loss rate (for these experiments, 1%, 2%, and 5%) and r = 1 - p. This means that the higher the loss rate, the greater the tendency of losses to be bursty.

Although jitter is a source of audio artifacts, we do not model jitter explicitly. Instead, because the audio symptoms of jitter and packet loss are the same (i.e., audio is not present when needed), we simply consider jitter as a special case of packet loss, as is done by Jiang and Schulzrinne [191].

Loss rate justification. The reader may note that we are modeling loss rates that are considered high for Internet loss. Our model is justified for several reasons. The first consideration is that the typical Internet connection conditions in simboxing countries are of much lower quality than what most of Europe, East Asia, or even North America experiences [187], [193], with loss rates often exceeding 10%. Second, because conditions can vary from hour to hour or even moment to moment, examining performance at higher loss rates than typical is justified [191].

G.711 processing. To implement VoIP loss in G.711 audio, we use a packet loss simulation tool from the G.711 reference implementation available in the ITU Software Tools Library [194]. This tool implements concealed and unconcealed loss on 16-bit 8 kHz PCM audio. We use sox to encode our input files to G.711 and back to 16-bit PCM before processing by the tool. This step is required because G.711 is a lossy codec, and the act of encoding and decoding irreversibly changes the audio. The tool takes a frame error vector as input, allowing us to use the Gilbert-Elliot Model described above.

GSM-FR processing. We developed our own GSM-FR VoIP loss simulator in Matlab. All audio processing in this tool is done on GSM-FR encoded audio. The tool implements

the previously discussed packet loss model, the GSM-FR PLC as defined in 3GPP Standard 46.011 [185], and unconcealed packet loss by inserting GSM-FR silent frames.

4.4.3 GSM Air Loss

As we discuss in Section 4.4.6, we simulate simbox calls out of necessity. To simulate GSM cellular transmission (i.e., "air loss") we modify a GSM Traffic Channel simulation model for Simulink [195]. This model takes frames of GSM-encoded audio and encodes them as transmission frames for transmission over a GSM traffic channel as specified in 3GPP Standard 45.003 [196]. The transmission encoding includes interleaving as well as the error correcting codes and parity checks applied to Class 1 bits (as discussed in Section 4.2).

The model then simulates the modulation and transmission of the encoded frame using GMSK (Gaussian Minimum Shift Keying) in the presence of Gaussian white noise in the RF channel. This white noise is the source of random transmission errors in the model.

The model then demodulates the transmitted channel frame, evaluates the error correcting codes, and computes the parity check to determine if the frame is erased or not. Finally, the model outputs the received audio and a vector indicating which frames were erased.

The channel model signal-to-noise ratio is tuned to produce a frame erasure rate (FER) of 3% at the receiver, which is considered nominal according to 3GPP Standard 45.005 [197].

4.4.4 Simboxing SIM Detection Test

Our SIM detection mechanism is tailored to reduce the effect of a single false positive or false negative call judgment by examining multiple calls.

To measure the effectiveness of this mechanism, we use 20 audio files from 98 unique speakers (for a total of 1960 calls) to simulate legitimate and simboxed calls using our GSM and VoIP simulators. We examine legitimate calls as well as simboxes covering all

[Figure 4-4 (diagram): blocks labelled TIMIT Audio, Soft Phone (PlanetLab), Internet (VoIP), Simbox, GSM, and OpenBTS/Asterisk Base Station]
Figure 4-4. Our detection mechanisms are run against a real simbox deployment (Hybertone GoIP-1) communicating to a modified Range Networks OpenBTS base station.

three codecs (GSM-FR, GSM-FR with PLC, and G.711) at 1%, 2%, and 5% loss rates. We model individual SIM cards as groups of 20 calls. For legitimate SIM cards, all calls from a particular speaker are assigned to a single SIM card, while simbox SIM cards consist of groups of randomly selected calls. This models the fact that simbox SIMs will rarely be used to provide service for the same user twice.

We analyzed all legitimate and simboxed calls with Ammit, then computed the percentage of calls in each SIM card group that were marked as simboxed. We consider a SIM to be used in a simbox if at least 25% of the calls it makes are marked as simboxed by Ammit call analysis.

4.4.5 Real Simbox Tests

We collect audio traces from calls made through a real simbox to validate our simulation experiments.

Figure 4-4 shows a schematic diagram of our experimental setup. We use 100 randomly selected audio files from the single call detection corpus (discussed in Section 4.4.1) to model the original call source. The call path begins at a PJSIP softphone at a

PlanetLab node located in Thailand, a country with major simboxing problems [198]⁸. This step emulates the arrival of a call to a simboxer.

The call originates from a softphone and is routed through an Asterisk PBX⁹ (not shown in the figure) to our Hybertone GoIP-1 simbox in the United States. Hybertone simboxes offer useful features to simboxing, including the ability to automatically change the IMEI number broadcast to evade filtering and detection systems like those presented in prior work [92]. Hybertone products have been advertised for sale specifically for simboxing [199], and entrepreneurs even sell value-added management consoles specifically for simboxers [200]. While the GoIP-1 supports several incoming codecs, it does not disclose which PLC algorithm it uses. We have determined experimentally that it is using a variant of the GSM-FR PLC.

The simbox delivers the call to a cellular base station under our control. Our base station is a Range Networks Professional Development Kit running the OpenBTS 5.0 open-source base station software and Asterisk 11.7. This base station is a low-power research femtocell and allows us to record call audio digitally as the base station receives it, including frame erasure information. To determine false positives, we create control calls by playing the same 100 randomly-selected audio files into a BLU Samba Jr. Plus feature phone and capturing the call audio at the base station. Figure 4-5 shows our base station and simbox experimental apparatus.

⁸ Note that Thailand is the only major simboxing country with a functional PlanetLab node at the time of writing.
⁹ A Private Branch Exchange (PBX) is a telephony switch analogous to an intelligent router in the Internet.

4.4.6 Technical Considerations

Our experimental setup uses both simulation and real simbox data we collect ourselves for several reasons. First, simulations provide the best way to examine

Figure 4-5. Our simbox experimental apparatus, including our OpenBTS GSM base station, mobile phone to model legitimate calls, and our GoIP-1 simbox.

the effects of codec choice, packet loss concealment, and loss rates reproducibly and accurately. Second, they allow us to build generic models of simboxes so that our detection mechanism is not tied to any particular simbox model. Third, because we use tools and models that are extensively studied, verified, and frequently used throughout the literature [125], [191], [192], [194], [195], [201], we can have confidence that our results are correct. We supplement our simulations with data collected through a commonly used simbox to support and confirm our simulation results.

The reader will note that our real simbox calls were originated in a simboxing country, not terminated there. While simboxing is a global problem [92], we wanted to focus on areas where the problem is endemic and has a substantial impact. However, logistical, economic, and legal considerations prevented us from placing our simbox and research base station abroad. Instead, we capture the exact loss and jitter characteristics of the Internet connections in a simboxing country by originating the call there while terminating the call in our lab.

Legal and privacy concerns prevent us from receiving simbox audio from mobile operators (since the audio would be from callers who could not give their consent for such use). However, we note that there are no additional privacy concerns created when an operator deploys Ammit in a real network. Operators regularly use automated techniques

[Figure 4-6 (plot): x-axis % Loss Rate (1, 2, 5), y-axis % Calls Detected; series GSM FR, GSM FR PLC, G.711, Legitimate Calls (FP)]
Figure 4-6. Ammit detection depends on the loss rate and Simbox codec used. For a 2% loss rate, Ammit detects over 55% of simboxed calls with less than a 1% false positive rate. This performance makes SIM detection (shown in Fig. 4-7) very reliable.

to monitor call quality of ongoing conversations, and Ammit does no analysis that could be used to identify either the speakers or the semantic content of the call.

Finally, we note that the use of TIMIT audio is extremely conservative; it presumes pristine audio quality before the call transits an IP link. In fact, there will be detectable degradations from the PSTN even before the VoIP transmission. Chief among these will be GSM-FR PLC applied if Alice calls from a mobile phone. Because mobile phones regularly see high loss rates¹⁰, simboxers carrying mobile-originated traffic will be even more vulnerable to detection by Ammit than this methodology reflects.

¹⁰ Recall from 3GPP standard 45.005 [197] that 3% loss is considered nominal.

4.5 Detection Results

This section demonstrates how Ammit detects simbox fraud. We first discuss Ammit's effectiveness at identifying a real simbox, followed by a discussion of the results of detecting simulated simboxed calls. We then examine how Ammit can be used to

[Figure 4-7 (plot): x-axis % Loss Rate (1%, 2%, 5%), y-axis % SIMs Detected; series G.711, GSM FR, GSM FR PLC]
Figure 4-7. Even with unusually high-quality network connections, Ammit can be used to identify SIM cards used for simboxing.

identify SIM cards used in simboxing fraud. Finally, we show that Ammit is fast enough to be effective in real networks.

4.5.1 Simulated Call Analysis

In this subsection, we evaluate Ammit's ability to detect individual simboxed calls and SIM cards used in simboxing.

Figure 4-6 presents the percentage of simboxed calls detected for three simbox types at three different loss rates. At the still plausible 5% loss rate, Ammit detects from 87% to 100% of simboxed calls. Lower detection rates for low loss rates are simply a result of fewer loss events for Ammit to detect. However, in the case of no packet loss concealment, Ammit still detects from 15-66% of the simboxed calls for 1 and 2% loss. As discussed in the previous section, these loss rates include the effect of jitter, so loss rates as low as 1% and 2% are unlikely to be encountered often in practice [187], [193].

Finally, the lowest dotted line in Figure 4-6 shows the low (but non-zero) detection rate for the control group of simulated legitimate calls: less than 1% (0.87% to be exact).

Figure 4-7 shows the percentage of simbox SIM cards that can be automatically disabled at the threshold of 25% of calls. For a 5% loss rate, our policy can identify 100% of SIM cards used in simboxes. For calls using GSM-FR with packet loss concealment our policy can also detect 100% of SIM cards. As the loss rates decrease, we identify fewer SIM cards for codecs without packet concealment. In the case of 2% loss, we identify 96% and 100% of SIMs used in GSM-FR and G.711 simboxes, respectively. In the case of 1% loss, we still identify 43% of G.711 SIMs and 28% of GSM-FR SIMs. Our threshold results in a false positive rate of 1% and was determined experimentally from a ROC curve (omitted for space reasons). To counter the effects of false positives, the operator could implement a simple policy step allowing users to reactivate canceled SIMs after some verification. One possibility is requiring flagged users to verify the National ID numbers used to register the SIM card over the phone or in person at a sales agent.

4.5.2 Detection of Real Simboxes

We begin with the most important result: that Ammit is effective at detecting real simboxes. We find Ammit can detect 87% of real simboxed calls with zero false positives on the call set. These figures are the result of running our GSM-FR packet loss concealment detection after tuning on simulated individual call data; improved detection may be possible at a cost of a low false positive rate. While simulations produce useful insights about Ammit's performance in a wide range of conditions, these results confirm our hypothesis that call audio can be used to effectively combat simbox fraud.

4.5.3 Discussion

We make three observations from the individual call simulations. First, the results show a clear relationship between the loss rate of a call and Ammit's ability to detect a call. Second, Figure 4-6 shows the counterintuitive result that using GSM-FR packet loss concealment makes calls easier to detect. Even at a 1% loss rate, Ammit detects 30% of simboxed calls using GSM-FR PLC. Ammit is so effective at detecting concealed packet loss events because the GSM-FR PLC cepstral peak is distinctive and rare in speech. The

corollary to this finding is that simboxers will have an incentive to disable packet loss concealment. This will noticeably impair call quality and user acceptability. Third, the non-zero false positive rate means that discretion will be required when Ammit indicates a positive simbox call.

Our SIM detection results show that Ammit can be used not only to detect single calls but as a larger initiative against simboxing. At 2% and 5% loss, we can detect and disable a single SIM card after at most 20 calls. Even at 1% loss, we can still detect and disable many SIM cards. Given that SIM cards come at a non-trivial cost (either at a legitimate point of sale or on a black market), by reducing the lifetime of a SIM card we make simboxers unable to operate.

Finally, we make two observations from the real simbox results. First, we note that our simulations were effective for tuning Ammit before applying real data. This validates our methodological strategy. Second, our simulation false positive rates were conservatively high; while we saw 1% false positives on our simulated data, we saw no false positives on our actual data.

4.5.4 Ammit Performance

To show that Ammit is scalable and performant, we examine the amount of time Ammit requires to analyze a call for concealed and unconcealed packet losses. Although in the previous subsections we analyzed Ammit's performance for 30 second calls, we hypothesize that longer analyses would lead to even better results, especially for lower loss rate calls. We tested Ammit's performance on a set of 10 calls of approximately 30 s, 60 s, and 120 s; we present the averages of 10 analyses of each call in Figure 4-8.

We test Ammit on a late 2011 iMac with a quad core 3.4 GHz Intel Core i7, 16 GB RAM, and a 1 TB solid state disk running OS X 10.9. Although this is capable hardware, the detection is done entirely with Matlab in a single thread, and the detection code is correct but far from optimal. Optimizing the Matlab code for efficiency would likely reduce analysis time. Beyond that, implementing Ammit in a more performant language

[Figure 4-8 (plot): x-axis Average Call Time (s) at 29.9, 59.5 and 119; y-axis Average Analysis Time (s); series Concealed Packet Loss Detection, Unconcealed Packet Loss Detection]
Figure 4-8. Ammit analyzes audio much faster than real time and is efficient enough to deploy in cell towers.

like C could reduce analysis time further. For a commercial implementation, code customized for a digital signal processor could further improve performance. Ammit may be deployed directly as a BTS or BSC software update or as inexpensive standalone hardware.

As Figure 4-8 shows, the majority of analysis time is spent detecting concealed packet loss. Nevertheless, calls can be analyzed 150 times faster than real time, indicating that a single thread of execution could analyze approximately 150 calls per unit time. Even our unoptimized code would be able to analyze all traffic at a tower in real time.
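Two pieces of the evaluation above are easy to get subtly wrong when reproduced: the Gilbert-Elliot loss generator with the r = 1 - p parameterization of Section 4.4.2, and the two-level decision of Sections 4.2.4 and 4.4.4 (normalize loss events per frame for a call, then disable a SIM once 25% of its calls are flagged). The following added example, not the dissertation's simulator or Ammit's code, implements both; the 3x multiplier in call_flagged and the per-call verdict lists in demo() are constructed for illustration, and the r argument is an extension of this example so that other burst behaviours can be generated.

```python
"""Gilbert-Elliot loss generation with Ammit's r = 1 - p parameterisation, the per-call
loss-event rule of Section 4.2.4 and the SIM-level policy of Section 4.4.4.
Added example, not the dissertation's simulator. The 3x multiplier in call_flagged
and the verdict lists in demo() are constructed for illustration."""
import random

SIM_THRESHOLD = 0.25    # fraction of a SIM's calls flagged before the SIM is disabled


def gilbert_elliot_losses(n_packets, p, r=None, seed=1):
    """Two-state Markov channel: enter the 'bad' state with probability p, leave it with
    probability r (default r = 1 - p as in the text); every packet sent in the bad state
    is lost. Returns one bool per packet, True = dropped."""
    r = 1.0 - p if r is None else r
    rng = random.Random(seed)
    bad, losses = False, []
    for _ in range(n_packets):
        bad = (rng.random() >= r) if bad else (rng.random() < p)
        losses.append(bad)
    return losses


def loss_statistics(losses):
    """Empirical loss rate and mean length of runs of consecutive losses."""
    bursts, run = [], 0
    for lost in losses:
        if lost:
            run += 1
        elif run:
            bursts.append(run)
            run = 0
    if run:
        bursts.append(run)
    rate = sum(losses) / len(losses)
    return rate, (sum(bursts) / len(bursts) if bursts else 0.0)


def call_flagged(loss_events, n_frames, legit_mean_pct, multiplier=3.0):
    """Per-call rule: normalise detected loss events by frame count and flag the call when
    the percentage is well above the legitimate average (multiplier is a placeholder)."""
    return 100.0 * loss_events / n_frames > multiplier * legit_mean_pct


def flagged_sims(call_verdicts, threshold=SIM_THRESHOLD):
    """call_verdicts: (sim_id, flagged) pairs. Returns the SIMs whose share of flagged
    calls reaches the threshold; one stray false positive among 20 calls does not."""
    totals, hits = {}, {}
    for sim, flagged in call_verdicts:
        totals[sim] = totals.get(sim, 0) + 1
        hits[sim] = hits.get(sim, 0) + int(flagged)
    return sorted(sim for sim in totals if hits[sim] / totals[sim] >= threshold)


def demo():
    """Loss statistics at the three rates used in the chapter, plus the SIM policy on
    constructed verdicts: a legitimate SIM with 1 of 20 calls flagged and a simbox SIM
    with 6 of 20 flagged."""
    stats = {p: loss_statistics(gilbert_elliot_losses(200_000, p)) for p in (0.01, 0.02, 0.05)}
    verdicts = [("legit-sim", i == 3) for i in range(20)]
    verdicts += [("simbox-sim", i < 6) for i in range(20)]
    return stats, flagged_sims(verdicts)


if __name__ == "__main__":
    print(demo())
```

A caveat worth knowing before reusing the parameterization: with r = 1 - p the probability of entering the bad state is p whether the channel is currently good or bad, so the chain is memoryless, losses are independent, and the mean burst length is simply 1/(1 - p) (about 1.05 packets at 5% loss). That still grows with p, as the text says, but genuinely state-dependent bursts need r well below 1 - p; passing, for example, r=0.5 at p=0.05 gives a stationary loss rate of p/(p + r), about 9%, with bursts averaging two packets.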

CHAPTER 5
PRACTICAL END-TO-END CRYPTOGRAPHIC AUTHENTICATION FOR TELEPHONY OVER VOICE CHANNELS

Modern telephony systems include a wide array of end-user devices. From traditional rotary PSTN phones to modern cellular and VoIP capable systems, these devices remain the de facto trusted platform for conducting many of our most sensitive operations. Even more critically, these systems offer the sole reliable connection for the majority of people in the world today.

Such trust is not necessarily well placed. Caller ID is known to be a poor authenticator [202], [125], [203], and yet is successfully exploited to enable over US $2 Billion in fraud every year [4]. Many scammers simply block their phone number and exploit trusting users by asserting an identity (e.g., a bank, law enforcement, etc.), taking advantage of a lack of reliable cues and mechanisms to dispute such claims. Addressing these problems will require the application of lessons from a related space. The web experienced very similar problems in the 1990s, and developed and deployed the Transport Layer Security (TLS) protocol suite and necessary support infrastructure to assist with the integration of more verifiable identity in communications. While by no means perfect and still an area of active research, this infrastructure helps to make a huge range of attacks substantially more difficult. Unfortunately, the lack of similarly strong mechanisms in telephony means that not even trained security experts can currently reason about the identity of other callers.

Text of this chapter is reprinted with permission from Bradley Reaves, Logan Blue, and Patrick Traynor. Authloop: Practical End-to-End Cryptographic Authentication for Telephony over Voice Channels. In Proceedings of 25th USENIX Security Symposium, Austin, TX, August 2016. (Acceptance Rate: 15.5%).

In this chapter, we address this problem with AuthLoop.¹ AuthLoop provides a strong cryptographic authentication protocol inspired by TLS 1.2. However, unlike other related solutions that assume Internet access (e.g., Silent Circle, RedPhone, etc. [104]-[112]), accessibility to a secondary and concurrent data channel is not a guarantee in many locations (e.g., high density cities, rural areas) nor for all devices, mandating that a solution to this problem be network agnostic. Accordingly, AuthLoop is designed for and transmitted over the only channel certain to be available to all phone systems: audio. The advantage to this approach is that it requires no changes to any network core, which would likely see limited adoption at best. Through the use of AuthLoop, users can quickly and strongly identify callers who may fraudulently be claiming to be organizations including their financial institutions and their government [4].

¹ A name reminiscent of the "Local Loop" used to tie traditional phone systems into the larger network, we seek to tie modern telephone systems into the global authentication infrastructure that has dramatically improved transaction security over the web during the past two decades.

We make the following contributions:

• Design a complete transmission layer: We design the first codec-agnostic modem that allows for the transmission of data across audio channels. We then create a supporting link layer protocol to enable the reliable delivery of data across the heterogeneous landscape of telephony networks.

• Design AuthLoop authentication protocol: After characterizing the bandwidth limitations of our data channel, we specify our security goals and design the AuthLoop protocol to provide explicit authentication of one party (i.e., the "Prover") and optionally weak authentication of the second party (i.e., the "Verifier").

• Evaluate performance of a reference implementation: We implement AuthLoop and test it using three representative codecs: G.711 (for PSTN networks), AMR (for cellular networks) and Speex (for VoIP networks). We demonstrate the ability to create a data channel with a goodput of 500 bps and bit error rates averaging below 0.5%. We then demonstrate that AuthLoop can be run over this channel in an average of 9 seconds (which can be played below speaker

audio), compared to running a direct port of TLS 1.2 in an average of 97 seconds (a 90% reduction in running time).

The remainder of this chapter is organized as follows: Section 5.1 presents the details of our system including lower-layer considerations; Section 5.2 discusses our security model; Section 5.3 formally defines the AuthLoop protocol and parameterizes our system based on the modem; Section 5.4 discusses our prototype and experimental results; and Section 5.5 provides additional discussion about our system.

5.1 Voice Channel Data Transmission

To provide end-to-end authentication across any telephone network, we need a way to transfer data over the voice channel. The following sections detail the challenges that must be addressed, how we implemented a modem that provides a base data rate of 500 bps, and how we developed a link layer to address channel errors. We conclude with a discussion of what these technical limitations imply for using standard authentication technologies over voice networks.

5.1.1 Challenges to Data Transmission

Many readers may fondly remember dial-up Internet access and a time when data transmission over voice channels was a common occurrence. In the heyday of telephone modems, though, most voice channels were connected over high-fidelity analog twisted pair. Although the voice channel was band limited and digital trunks used a low sample rate of 8 kHz, the channel was quite "well behaved" from a digital communications and signal processing perspective.

In the last two decades, telephony has been transformed. Cellular voice and Internet telephony now comprise a majority of all voice communications; they are not just ubiquitous, they are unavoidable. While beneficial from a number of perspectives, one of the drawbacks is that both of these modalities rely on heavily compressed audio transmission to save bandwidth. These compression algorithms (audio codecs) are technological feats, as they have permitted cheap, acceptable quality phone calls,

[Figure 5-1. This 74 ms modem transmission of a single frame demonstrates how data is modulated and wrapped in headers and footers for synchronization. Labels in the figure: Header, 17 data bits, Footer.]

especially given that they were developed during eras when computation was expensive. To do this, codec designers employed a number of technical and psychoacoustic tricks to produce acceptable audio to a human ear, and these tricks resulted in a channel poorly suited for (if not hostile to) the transmission of digital data. As a result, existing voice modems are completely unsuited for data transmission in cellular or VoIP networks.

Voice codecs present several challenges to a general-purpose modem. First, amplitudes are not well preserved by voice codecs. This discounts many common modulation schemes, including ASK, QAM, TCM, and PCM. Second, phase discontinuities are rare in speech, and are not effective to transmit data through popular voice codecs. This discounts PSK, QPSK, and other modulation schemes that rely on correct phase information. Furthermore, many codecs lose phase information on encoding/decoding audio, preventing the use of efficient demodulators that require correct phase (i.e., coherent demodulators). Because of the problems with amplitude and phase modulation, frequency-shift modulation is the most effective technique for transmitting data through voice codecs. Even so, many codecs fail to accurately reproduce input frequencies, even those well within telephone voice bands (300-3400 Hz). Our physical layer protocol addresses these challenges.

5.1.2 Modem Design

The AuthLoop modem has three goals:

1. Support the highest bit rate possible
2. At the lowest error rate possible

3. In the presence of deforming codecs

We are not the first to address transmission of data over lossy compressed voice channels. Most prior efforts [204][206] have focused on transmission over a single codec, though one project, Hermes [207], was designed to support multiple cellular codecs. Unfortunately, that project only dealt with the modulation scheme, and did not address system-level issues like receiver synchronization. Furthermore, the published code did not have a complete demodulator, and our own implementation failed to replicate their results. Thus, we took Hermes as a starting point to produce our modem.

Most modems are designed around the concept of modulating one or more parameters (amplitude, frequency, and/or phase) of one or more sine waves. Our modem modulates a single sine wave using one of three discrete frequencies (i.e., it is a frequency shift key, or FSK, modem). The selection of these frequencies is a key design consideration, and our design was affected by three design criteria.

First, our modem is designed for phone systems, so our choice of frequencies is limited to the 300-3400 Hz range because most landline and cellular phones are limited to those frequencies. Second, because we cannot accurately recover phase information for demodulation, our demodulation must be non-coherent; the consequence is that our chosen frequencies must be separated by at least the symbol transmission rate [208]. Third, each frequency must be an integer multiple of the symbol frequency. This ensures that each symbol completes a full cycle, and it also ensures that each cycle begins and ends on a symbol boundary. This produces a continuous phase modulation, and it is critical because some voice codecs will produce artifacts or aliased frequencies in the presence of phase discontinuities. These constraints led to the selection of a 3-FSK system transmitting symbols at 1000 Hz using frequencies 1000, 2000, and 3000 Hz.

Unfortunately, 3-FSK will still fail to perform in many compressed channels simply because those channels distort frequencies, especially frequencies that change rapidly. To mitigate issues with FSK, we use a differential modulation: bits are encoded not as

individual symbols, but by the relative difference between two consecutive symbols. For example, a "1" is represented by an increase in two consecutive frequencies, while a "0" is represented by a frequency decrease. Because we only have 3 frequencies available, we have to limit the number of possible consecutive increases or decreases to 2. Manchester encoding, where each bit is expanded into two "half-bits" (e.g., a "1" is represented by "10", and "0" represented by "01"), keeps the consecutive increases or decreases within that limit.

While these details cover the transmission of data, there are a few practical concerns that must be dealt with. Many audio codecs truncate the first few milliseconds of audio. In speech this is unnoticeable, and simplifies the encoding. However, if the truncated audio carries data, several bits will be lost every transmission. This effect is compounded if voice activity detection (VAD) is used (as is typical in VoIP and cellular networks). VAD distinguishes between audio and silence, and when no audio is recorded in a call VAD indicates that no data should be sent, saving bandwidth. However, VAD adds an additional delay before voice is transmitted again.

To deal with early voice clipping by codecs and VAD, we add a 20 ms header and footer to each packet. This header is a 500 Hz sine wave; this frequency is orthogonal to the other 3 transmission frequencies, and is half the symbol rate, meaning it can be used to synchronize the receiver before data arrives. A full modem transmission containing 17 bits of random data can be seen in Figure 5-1.

To demodulate data, we must first detect that data is being transmitted. We distinguish silence and a transmission by computing the energy of the incoming signal using a short sliding window (i.e., the short-time energy). Then we locate the header and footer of a message to locate the beginning and end of a data transmission. Finally, we compute the average instantaneous frequency for each half-bit and compute differences between each bit. An increase in frequency indicates 1, a decrease indicates 0.
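As an added worked example (not the dissertation's Matlab modem), the following Go program implements the modulation just described: Manchester expansion, differential 3-FSK over 1000/2000/3000 Hz at 1000 symbols per second with the 500 Hz, 20 ms header and footer, and a non-coherent DFT-based demodulator. The 8 kHz sample rate and the 2000 Hz reference symbol sent before the data (so that the first half-bit has a predecessor to be "relative" to) are assumptions of this example; the 17-bit payload in the test is constructed.

```go
package main

import (
	"errors"
	"math"
)

// Modem parameters from Section 5.1.2; the 8 kHz sample rate and the 2000 Hz
// reference symbol that precedes the data are assumptions of this example.
const (
	sampleRate    = 8000
	samplesPerSym = 8     // 1000 symbols/s: 1, 2 and 3 whole cycles of 1/2/3 kHz per symbol
	headerSamples = 160   // 20 ms header and footer
	headerHz      = 500.0 // orthogonal to the data tones, half the symbol rate
	refHz         = 2000.0
)

// manchester expands each bit into two half-bits: 1 -> "10", 0 -> "01".
func manchester(bits []int) []int {
	out := make([]int, 0, 2*len(bits))
	for _, b := range bits {
		out = append(out, b, 1-b)
	}
	return out
}

// toneSequence is the differential 3-FSK mapping: a 1 half-bit raises the tone
// by 1000 Hz, a 0 lowers it. From the 2000 Hz reference, Manchester coding
// guarantees the sequence never leaves 1000-3000 Hz.
func toneSequence(halfBits []int) ([]float64, error) {
	tones := []float64{refHz}
	for _, hb := range halfBits {
		next := tones[len(tones)-1] + float64(2*hb-1)*1000
		if next < 1000 || next > 3000 {
			return nil, errors.New("tone outside the 1000-3000 Hz range")
		}
		tones = append(tones, next)
	}
	return tones, nil
}

// Modulate builds one frame: header, reference symbol, one symbol per half-bit,
// footer. Every tone completes whole cycles per symbol, so phase is continuous.
func Modulate(bits []int) ([]float64, error) {
	tones, err := toneSequence(manchester(bits))
	if err != nil {
		return nil, err
	}
	var out []float64
	tone := func(hz float64, n int) {
		for i := 0; i < n; i++ {
			out = append(out, math.Sin(2*math.Pi*hz*float64(i)/sampleRate))
		}
	}
	tone(headerHz, headerSamples)
	for _, hz := range tones {
		tone(hz, samplesPerSym)
	}
	tone(headerHz, headerSamples)
	return out, nil
}

// symbolFreq is a non-coherent detector: an 8-point DFT puts k kHz in bin k,
// so the strongest of bins 1..3 names the tone without any phase information.
func symbolFreq(sym []float64) float64 {
	best, bestMag := 0, -1.0
	for k := 1; k <= 3; k++ {
		re, im := 0.0, 0.0
		for n, x := range sym {
			ang := 2 * math.Pi * float64(k*n) / float64(len(sym))
			re, im = re+x*math.Cos(ang), im-x*math.Sin(ang)
		}
		if mag := re*re + im*im; mag > bestMag {
			best, bestMag = k, mag
		}
	}
	return float64(best) * 1000
}

// Demodulate recovers nbits data bits: skip the header, estimate each symbol's
// tone, read consecutive differences as half-bits, then undo Manchester coding.
func Demodulate(samples []float64, nbits int) ([]int, error) {
	nsyms := 1 + 2*nbits
	if len(samples) < headerSamples+nsyms*samplesPerSym {
		return nil, errors.New("frame too short")
	}
	freqs := make([]float64, nsyms)
	for i := range freqs {
		start := headerSamples + i*samplesPerSym
		freqs[i] = symbolFreq(samples[start : start+samplesPerSym])
	}
	bits := make([]int, 0, nbits)
	for i := 0; i < nbits; i++ {
		up1, up2 := freqs[2*i+1] > freqs[2*i], freqs[2*i+2] > freqs[2*i+1]
		if up1 == up2 { // a valid half-bit pair is one rise and one fall
			return nil, errors.New("invalid Manchester pair")
		}
		if up1 {
			bits = append(bits, 1)
		} else {
			bits = append(bits, 0)
		}
	}
	return bits, nil
}
```

The header detection by short-time energy described in the text is left out; Demodulate assumes the frame starts at the header.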

5.1.3 Link Layer

Despite a carefully designed modem, reception errors will still occur. These are artifacts created by line noise, the channel codec, or an underlying channel loss (e.g., a lost IP packet). To address these issues, we developed a link layer to ensure reliable transmission of handshake messages. This link layer manages error detection, error correction, frame acknowledgment, retransmission, and reassembly of fragmented messages.

Because error rates can sometimes be as high as several percent, a robust retransmission scheme is needed. However, because our available modem data rate is so low, overhead must be kept to a minimum. This rules out most standard transmission schemes that rely on explicit sequence numbers. Instead, our data link layer chunks transmitted frames into small individual blocks that may be checked and retransmitted if lost. We are unaware of other link layers that use this approach. The remainder of this subsection motivates and describes this scheme.

5.1.4 Framing and Error Detection

Most link layers are designed to transmit large (up to 12,144 bits for Ethernet) frames, and these channels either use large (e.g., 32-bit) CRCs [2] for error detection to retransmit the entire frame, or use expensive but necessary error correcting schemes in lossy media like radio. Error correcting codes recover damaged data by transmitting highly redundant data, often inflating the data transmitted by 100% or more. The alternative, sending large frames with a single CRC, was unlikely to succeed. To see why, note that:

$P(C) = (1 - p)^{l}$ (5-1)

[2] A Cyclic Redundancy Check (CRC) is a common checksum that is formed by representing the data as a polynomial and computing the remainder of polynomial division. The polynomial divisor is a design parameter that must be chosen carefully.

where $C$ is a "correct CRC" event, $p$ is the probability of a single bit error, and $l$ is the length of the CRC.

For a 3% bit error rate, the probability of just the CRC being undamaged is less than 38%, meaning two thirds of packets will be dropped for having a bad CRC, independent of other errors. Even at lower loss rates, retransmitting whole frames for a single error would cause a massive overhead.

Instead, we divide each frame into 32-bit "blocks". Each block carries 29 bits of data and a 3-bit CRC. This allows short sections of data to be checked for errors individually and retransmitted, which is closer to optimal transmission. Block and CRC selection was not arbitrary, but rather the result of careful modeling and analysis. In particular, we aimed to find an optimal tradeoff between overhead (i.e., CRC length) and error detection. Intuitively, longer CRCs provide better error detection and reduce the probability of an undetected error. More formally, a CRC of length $l$ can guarantee detection of up to $h$ bit errors [3] in a $B$-length block of data, and can detect more than $h$ errors probabilistically [209].

The tradeoff is maximizing the block size and minimizing the CRC length while minimizing the probability of a loss in the frame or the probability of an undetected error $U$, represented by the following equations, which take into account the probability $L$ of a lost frame and probability $S$ of a successful frame:

$\Pr(L) = 1 - \Pr(S)$ (5-2)
$\phantom{\Pr(L)} = 1 - (1 - p)^{B}$ (5-3)
$\Pr(U) = 1 - \sum_{i=0}^{h} \binom{B}{i} p^{i} (1 - p)^{B-i}$ (5-4)

[3] The Hamming distance of the transmitted and received data.

[Figure 5-2. Link layer state machine. States: IDLE (START); SEND STANDARD FRAME; AWAIT ACK; SEND REPEAT FRAMES; RECEIVE STANDARD FRAME; SEND ACK; AWAIT REPEAT BLOCKS; RECEIVE OTHER FRAME; SEND ERROR FRAME; SEND ERROR MESSAGE; RECEIVE ERROR FRAME (reachable from ANY STATE). Transitions: NACKs > 0, NACKs == 0, Timeout / Error, Receive Repeat Blocks.]

where $p$ represents the probability of a single bit error. The probability of undetected error is derived from the cumulative binomial distribution. Using these equations and the common bit error rate of 0.3% (measured in Section 5.4), we selected 32-bit blocks with a 3-bit CRC. We chose the optimal 3-bit CRC polynomial according to Koopman and Chakravarty [209]. These parameters give a likelihood of undetected error of roughly 0.013%, which will rarely affect a regular user. Even a call center user would see a protocol failure due to bit error once every two weeks, assuming 100 calls per day.

5.1.5 Acknowledgment and Retransmission

Error detection is only the first step of the error recovery process, which is reflected as a state machine in Figure 5-2.

When a message frame is received, the receiver computes which blocks have an error and sends an acknowledgment frame ("ACK") to the transmitter. The ACK frame contains a single bit for each block transmitted to indicate if the block was received successfully or not. Blocks that were negatively acknowledged are retransmitted; the retransmission will also be acknowledged by the receiver. This process will continue until all original blocks are received successfully.

By using a single bit of acknowledgment for each block we save the overhead of using sequence numbers. However, even a single bit error in an ACK will completely

desynchronize the reassembly of correctly received data. Having meta-ACK and ACK retransmission frames would be unwieldy and inelegant. Instead, we transmit redundant ACK data as a form of error correction; we send ACK data 3 times in a single frame and take the majority of any bits that conflict. The likelihood of a damaged ACK given a probability of bit error $p$ and block count $N$ is:

$3Np^{2}$ (5-5)

instead of

$1 - (1 - p)^{N}$ (5-6)

Note that there are effectively four distinct types of frames: original data, ACK data, retransmission data, and error frames. We use a four-bit header to distinguish these frames; like ACK data, we send three copies of the header to ensure accurate recovery. We will explore more robust error correcting codes in future work.

5.1.6 Naive TLS over Voice Channels

With a modem and link layer design established, we can now examine how a standard authentication scheme (TLS 1.2) would fare over a voice channel.

Table 5-1 shows the amount of data in the TLS handshakes of four popular Internet services: Facebook, Google, Bank of America, and Yahoo. These handshakes require from 41,000 to almost 58,000 bits to transmit, and this excludes application data and overhead from the TCP/IP and link layers. At 500 bits per second (the nominal speed of our modem), these transfers would require 83-116 seconds as a lower bound. From a usability standpoint, standard TLS handshakes are simply not practical for voice channels. Accordingly, a more efficient authentication protocol is necessary.

5.2 Security Model

Having demonstrated that data communication is possible but extremely limited via voice channels, we now turn our attention to defining a security model. The combination of our modem and this model can then be used to carefully design the AuthLoop protocol.
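As an added illustration of the link-layer analysis in Sections 5.1.4 and 5.1.5 (not the dissertation's code), this Go program evaluates equations (5-1) to (5-6) with the page's own parameters: a 32-bit CRC at a 3% bit error rate, 32-bit blocks at the measured 0.3% rate, and a 2000-bit message (69 blocks of 29 data bits) for the two ACK schemes. The page does not state the guaranteed detection limit h of its 3-bit CRC; h = 2 is assumed here because it reproduces the quoted 0.013% figure.

```go
package main

import (
	"fmt"
	"math"
)

// binom returns the binomial coefficient C(n, k) as a float64.
func binom(n, k int) float64 {
	r := 1.0
	for i := 1; i <= k; i++ {
		r = r * float64(n-k+i) / float64(i)
	}
	return r
}

// CRCIntact is equation (5-1): P(C) = (1-p)^l, the chance that an l-bit CRC
// itself arrives undamaged when each bit flips independently with probability p.
func CRCIntact(p float64, l int) float64 { return math.Pow(1-p, float64(l)) }

// FrameLost is equations (5-2) and (5-3): Pr(L) = 1 - (1-p)^B for a B-bit block.
func FrameLost(p float64, B int) float64 { return 1 - math.Pow(1-p, float64(B)) }

// Undetected is equation (5-4): the probability that more than h bits of a
// B-bit block flip, i.e. that the CRC's guaranteed detection (Hamming distance
// h) is exceeded. It is the upper tail of the cumulative binomial distribution.
func Undetected(p float64, B, h int) float64 {
	detected := 0.0
	for i := 0; i <= h; i++ {
		detected += binom(B, i) * math.Pow(p, float64(i)) * math.Pow(1-p, float64(B-i))
	}
	return 1 - detected
}

// ACKDamagedSingle is equation (5-6): an N-bit ACK bitmap sent once is useless
// if any one of its bits flips.
func ACKDamagedSingle(p float64, N int) float64 { return 1 - math.Pow(1-p, float64(N)) }

// ACKDamagedVoted is the exact form behind the 3Np^2 approximation of (5-5):
// with three copies and a majority vote, a bit is wrong only if at least two
// of its three copies flip.
func ACKDamagedVoted(p float64, N int) float64 {
	perBit := 3*p*p*(1-p) + p*p*p
	return 1 - math.Pow(1-perBit, float64(N))
}

func main() {
	fmt.Printf("32-bit CRC intact at p=3%%:       %.1f%%\n", 100*CRCIntact(0.03, 32))
	fmt.Printf("32-bit block lost at p=0.3%%:     %.2f%%\n", 100*FrameLost(0.003, 32))
	fmt.Printf("undetected error (B=32, h=2):    %.4f%%\n", 100*Undetected(0.003, 32, 2))
	// A 2000-bit message is 69 blocks of 29 data bits; compare the two ACK schemes.
	fmt.Printf("ACK damaged, single copy (N=69): %.2f%%\n", 100*ACKDamagedSingle(0.003, 69))
	fmt.Printf("ACK damaged, 3 copies + vote:    %.4f%% (approx 3Np^2 = %.4f%%)\n",
		100*ACKDamagedVoted(0.003, 69), 100*3*69*0.003*0.003)
}
```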

Table 5-1. TLS Handshake Sizes
Site Name          Total Bits    Transmission Time (seconds at 500 bps)
Facebook           41,544        83.088
Google             42,856        85.712
Bank of America    53,144        106.288
Yahoo              57,920        115.840
Average            48,688        97.732

[Figure 5-3. The AuthLoop authentication protocol, between the Mobile (Verifier) and the Call Center (Prover):
(0) Initiate Call
(1) V -> P: V, N_V
(2) P -> V: P, N_P, C_P, D(K_P^-, P, N_P)
(3) V -> P: E(K_P^+, S), H(k, 'VRFY', #1, #2)
(4) P -> V: H(k, 'PROV', #1, #2)
...
(n-1) V -> P: H(k, V, N_V + n - 1)
(n) P -> V: H(k, P, N_P + n)
Legend: C: Certificate; E: Encryption; H: HMAC; D: Digital Signature; K^+, K^-: Public/Private Key; k: Symmetric Key; N: Nonce; P: Prover; S: Pre-Master Secret; V: Verifier.
Solid arrows indicate the initial handshake message flows, and dotted arrows indicate subsequent authenticated "keep alive" messages. Note that #1 and #2 in messages 2 and 3 indicate that the contents of messages 1 and 2 are included in the calculation of the HMAC, as is done in TLS 1.2.]

The goal of AuthLoop is to mitigate the most common enabler of phone fraud: claiming a false identity via Caller ID spoofing. This attack generally takes the form of the adversary calling the victim user and extracting sensitive information via social engineering. The attack could also be conducted by sending the victim a malicious phone number to call (e.g., via a spam text or email). An adversary may also attempt to perform a man-in-the-middle attack, calling both the victim user and a legitimate institution and then hanging up the call on either when they wish to impersonate that participant. Finally, an adversary may attempt to perform a call forwarding attack, ensuring that correctly dialed numbers are redirected (undetected to the caller) to a malicious endpoint.

Assumptions. We base our design on the following assumptions. An adversary is able to originate phone calls from any telephony device (i.e., cellular, PSTN, or VoIP) and

spoof their Caller ID information to mimic any phone number of their choosing. Targeted devices will either display this spoofed number or, if they contain a directory (e.g., the contact database on a mobile phone), a name associated or registered with that number (e.g., "Bank of America"). The adversary can play arbitrary sounds over the audio channel, and may deliver either an automated message or interact directly with the targeted user. Lastly, the adversary may use advanced telephony features such as three-way calling to connect and disconnect parties arbitrarily. This model describes the majority of adversaries committing Caller ID fraud at the time of this work.

Our scenario contains two classes of participants, a Verifier (i.e., the user) and a Prover (i.e., either the attacker or the legitimate identity owner). The adversary is active and will attempt to assert an arbitrary identity. As is common on the Web, we assume that Provers have certificates issued by their service provider [4] containing their public key and that Verifiers may have weak credentials (e.g., account numbers, PINs, etc.) but do not have certificates. We seek to achieve the following security goals in the presence of this adversary:

1. (G1) Authentication of prover: The Verifier should be able to explicitly determine the validity of an asserted Caller ID and the identity of the Prover without access to a secondary data channel.

2. (G2) Proof of liveness: The Prover and Verifier will be asked to demonstrate that they remain on the call throughout its duration.

Note that we do not aim to achieve voice confidentiality. As discussed in Chapter 2, the path between two telephony participants is likely to include a range of codec transformations, making the bitwise representation of voice vary significantly between source and destination. Accordingly, end-to-end encryption of voice content is not currently possible given the relatively low channel bitrate and large impact of transcoding.

[4] See Section 5.5 for details.

Solutions such as Silent Circle [112] and RedPhone [110] are able to achieve this guarantee strictly because they are VoIP clients that traverse only data networks and therefore do not experience transcoding. However, as we discuss in Section 5.5, our techniques enable the creation of a low-bandwidth channel that can be used to protect the confidentiality and integrity of weak client authentication credentials.

5.3 AuthLoop Protocol

This section describes the design and implementation of the AuthLoop protocol.

5.3.1 Design Considerations

Before describing the full protocol, this section briefly discusses the design considerations that led to the AuthLoop authentication protocol. As previously mentioned, we are constrained in that there is no fully-fledged Public Key Infrastructure (PKI), meaning that Verifiers (i.e., end users) do not universally possess a strong credential. Moreover, because we are limited to transmission over the audio channel, the AuthLoop protocol must be highly bandwidth efficient.

The most natural choice for AuthLoop would be to reuse an authentication protocol such as Needham-Schroeder [210]. Reusing well-understood security protocols has great value. However, Needham-Schroeder is inappropriate because it assumes that both sides have public/private key pairs or can communicate with a third party for session key establishment. Goal G1 is therefore not practically achievable in real telephony systems if Needham-Schroeder is used. This protocol is also unsuitable as it does not establish session keys, meaning that achieving G2 would require frequent re-execution of the entire authentication protocol, which is likely to be highly inefficient.

TLS can achieve goals G1 and G2, and already does so for a wide range of traditional applications on the Web. Unfortunately, the handshaking and negotiation phases of TLS 1.2 require significant bandwidth. As we demonstrate in Section 5.1, unmodified use of this protocol can require an average of 97 seconds before authentication can be completed. However, because it can achieve goals G1 and G2, TLS 1.2 is useful as a template for

our protocol, and we discuss what could be considered a highly-optimized version below. We note that while TLS 1.3 provides great promise for reducing handshaking costs, the current draft version requires more bandwidth than the AuthLoop protocol.

5.3.2 Protocol Definition

Figure 5-3 provides a formal definition for our authentication protocol. We describe this protocol below, and provide details about its implementation and parameterization (e.g., algorithm selection) in Section 5.3.4.

The AuthLoop protocol begins immediately after a call is terminated. [5] Either party, the Prover $P$ (e.g., a call center) or the Verifier $V$ (e.g., the end user), can initiate the call. $V$ then transmits its identity (i.e., phone number) and a nonce $N_V$ to $P$. Upon receiving this message, $P$ transmits a nonce $N_P$ and its certificate $C_P$, and signs the contents of the message to bind the nonce to its identity. Its identity, $P$, is transmitted via Caller ID and is also present in the certificate.

$V$ then generates a pre-master secret $S$, and uses $S$ to generate a session key $k$, which is the result of HMAC($S$, $N_P$, $N_V$). $V$ then extracts $P$'s public key from the certificate, encrypts $S$ using that key and then computes HMAC($k$, 'VRFY', #1, #2), where 'VRFY' is a literal string, and #1 and #2 represent the contents of messages 1 and 2. $V$ then sends $S$ and the HMAC to $P$. $P$ decrypts the pre-master secret and uses it to similarly calculate $k$, after which it calculates HMAC($k$, 'PROV', #1, #2), which it then returns to $V$.

At this time, $P$ has demonstrated knowledge of the private key associated with the public key included in its certificate, thereby authenticating the asserted identity. If the Prover does not provide the correct response, its claim of the Caller ID as its identity is rejected. Security goal G1 is therefore achieved. Moreover, $P$ and $V$ now share a session

[5] This is the telephony term for "delivered to its intended destination" and signifies the beginning of a call, not its end.

key $k$, which can be subsequently used to provide continued and efficient proofs (i.e., HMACs over incrementing nonces) that they remain on the call, thereby achieving Goal G2.

We note that the session key generation step between messages 2 and 3 can be extended to provide keys for protecting confidentiality and integrity (as is done in most TLS sessions). While these keys are not of value for voice communications (given the narrow bitrate of our channel), they can be used to protect client authentication credentials. We discuss this in greater detail in Section 5.5.

5.3.3 Formal Verification

We use the Proverif v1.93 [211] automatic cryptographic protocol verifier to reason about the security of the AuthLoop handshake. Proverif requires that protocols be rewritten as Horn clauses and modeled in Pi Calculus, from which it can then reason about secrecy and authentication in the Dolev-Yao setting. AuthLoop was represented by a total of 60 lines of code, and Proverif verified the secrecy of the session key $k$.

5.3.4 Implementation Parameters

Figure 5-4 provides an accounting of every bit used in the AuthLoop protocol for each message. Given the tight constraints on the channel, we use the following parameters and considerations to implement our protocol as efficiently as possible while still providing strong security guarantees.

We use elliptic curve cryptography for public key primitives. We used the Pyelliptic library for Python [212], which is a Python wrapper around OpenSSL. Keys were generated on curve sect283r1, and keys on this curve provide security equivalent to RSA-3456 [213]. For keyed hashes, we use SHA-256 as the underlying hash function for HMACs. To reduce transmission time, we compute the full 256-bit HMAC and truncate the result to 80 bits. Because the security factor of HMAC is dependent almost entirely on the length of the hash, this truncation maintains a security factor of $2^{80}$ [214]. This

[Figure 5-4. AuthLoop message sizes.]

security factor is a commonly accepted safe value [215] for the near future, and as our data transmission improves, the security factor can increase as well.

While similar to TLS 1.2, we have made a few important changes to reduce overhead. For instance, we do not perform cipher suite negotiation in every session and instead assume the default use of AES256-GCM and SHA256. Our link layer header contains a bit field indicating whether negotiation is necessary; however, it is our belief that starting with strong defaults and negotiating only in the rare scenario where negotiation is necessary is critical to saving bandwidth for AuthLoop. Similarly, we are able to exclude additional optional information (e.g., compression types supported) and the rigid TLS Record format to ensure that our overhead is minimized.

We also limit the contents of certificates. Our certificates consist of a protocol version, the prover's phone number, claimed identification (i.e., a name), validity period, unique certificate identification number, the certificate owner's ECC public key and a signature. Because certificate transmission comprises nearly half of the total transmission

time, we implemented two variants of AuthLoop: the standard handshake and a version with a verifier-cached certificate. Certificate caching enables a significantly abbreviated handshake. For certificate caching, we include a 16-bit certificate identifier that the verifier sends to the prover to identify which certificate is cached. We discuss how we limit transmitted certificate chain size to a single certificate in Section 5.5.

Finally, we keep the most security-sensitive parameters as defined in the TLS specification, including recommended sizes for nonces (96 bits).

While our protocol implementation significantly reduces the overhead compared to TLS 1.2 for this application, there is still room for improvement. In particular, the encrypted pre-master secret requires 1224 bits for the 256-bit pre-master secret. This expansion is due to the fact that with ECC one must use a hybrid encryption model called the Integrated Encryption Scheme (IES), so a key must be shared separately from the encrypted data. Pyelliptic also includes a SHA-256 HMAC of the ECC key share and encrypted data to ensure integrity of the message (which is standard practice in IES). Because the message already includes an HMAC, in future work we plan to save 256 bits (or 15% of the cached certificate handshake) by including the HMAC of the ECC share in the message HMAC.

5.4 Evaluation

Previous sections established the need for a custom authentication protocol using a voice channel modem to provide end-to-end authentication for telephone calls. In this section, we describe and evaluate our prototype implementation. In particular, we characterize the error performance of the modem across several audio codecs, compute the resulting actual throughput after layer 2 effects are taken into account, and finally measure the end-to-end timing of complete handshakes.

5.4.1 Prototype Implementation

Our prototype implementation consists of software implementing the protocol, link layer, and modem running on commodity PCs. While we envision that AuthLoop will

eventually be a stand-alone embedded device or implemented in telephone hardware/software, a PC served as an ideal prototyping platform to evaluate the system.

We implemented the AuthLoop protocol in Python using the Pyelliptic library for cryptography. We also implemented the link layer in Python. Our modem was written in Matlab, and that code is responsible for modulating data, demodulating data, and sending and receiving samples over the voice channel. We used the Python Engine for Matlab to integrate our modem with Python. Our choice of Matlab facilitated rapid prototyping and development of the modem, but the Matlab runtime placed a considerable load on the PCs running the prototype. Accordingly, computation results, while already acceptable, should improve for embedded implementations.

We evaluate the modem and handshake using software audio channels configured to use one of three audio codecs: G.711 (μ-law), Adaptive Multi-Rate Narrow Band (AMR-NB), and Speex. These particular codecs were among the most common codecs used for landline audio compression, cellular audio, and VoIP audio, respectively. We use the sox [190] implementations of G.711 and AMR-NB and the ffmpeg [216] implementation of Speex. We use software audio channels to provide a common baseline of comparison, as no VoIP client or cellular device supports all of these codecs.

As link layer performance depends only on the bit error characteristics of the modem, we evaluate the link layer using a software loopback with tunable loss characteristics instead of a voice channel. This allowed us to fully and reproducibly test and evaluate the link layer.
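An added worked version of the handshake of Figure 5-3 and Section 5.3.2 (messages 1 to 4), written for this page rather than taken from the dissertation's Python/Pyelliptic prototype. It assumes RSA-2048 with PSS signatures and OAEP encryption in place of the sect283r1 ECC key pair, a certificate reduced to the phone number and public key (its CA signature and the keep-alive messages are left out), 96-bit nonces and HMAC-SHA256 truncated to 80 bits as in Section 5.3.4; the phone numbers in the test are constructed.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

const nonceLen, macLen = 12, 10 // 96-bit nonces; HMAC-SHA256 truncated to 80 bits

// mac is H(k, ...) of Figure 5-3: HMAC-SHA256 over the parts, truncated to 80 bits.
func mac(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)[:macLen]
}

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// sessionKey is k = HMAC(S, N_P, N_V), kept at the full 256 bits.
func sessionKey(s, nP, nV []byte) []byte {
	h := hmac.New(sha256.New, s)
	h.Write(nP)
	h.Write(nV)
	return h.Sum(nil)
}

// Prover is the call center holding the certified key; Verifier is the user.
// m1/m2 keep the transcripts of messages 1 and 2 (#1 and #2 in Figure 5-3).
type Prover struct {
	number            string
	priv              *rsa.PrivateKey // stands in for the sect283r1 ECC key (assumption)
	nP, nV, k, m1, m2 []byte
}

type Verifier struct {
	number        string
	nV, k, m1, m2 []byte
}

func NewProver(number string) *Prover {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Prover{number: number, priv: priv}
}

// (1) V -> P: V, N_V
func (v *Verifier) Msg1() []byte {
	v.nV = randBytes(nonceLen)
	v.m1 = append([]byte(v.number), v.nV...)
	return v.m1
}

// (2) P -> V: P, N_P, C_P, D(K_P-, P, N_P); the certificate is reduced here to
// the number and public key, its CA signature being out of scope.
func (p *Prover) Msg2(m1 []byte) (pub *rsa.PublicKey, nP, sig []byte) {
	p.m1, p.nV, p.nP = m1, m1[len(m1)-nonceLen:], randBytes(nonceLen)
	d := sha256.Sum256(append([]byte(p.number), p.nP...))
	sig, _ = rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, d[:], nil)
	p.m2 = append(append([]byte(p.number), p.nP...), sig...)
	return &p.priv.PublicKey, p.nP, sig
}

// (3) V -> P: E(K_P+, S), H(k, 'VRFY', #1, #2). callerID is the number the
// network displayed; it must equal the number the certificate binds to pub.
func (v *Verifier) Msg3(callerID, certNumber string, pub *rsa.PublicKey, nP, sig []byte) ([]byte, []byte, error) {
	d := sha256.Sum256(append([]byte(certNumber), nP...))
	if certNumber != callerID || rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) != nil {
		return nil, nil, errors.New("caller ID claim rejected")
	}
	v.m2 = append(append([]byte(certNumber), nP...), sig...)
	s := randBytes(32) // pre-master secret S
	v.k = sessionKey(s, nP, v.nV)
	encS, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s, nil) // 32 bytes always fit
	return encS, mac(v.k, []byte("VRFY"), v.m1, v.m2), nil
}

// (4) P -> V: H(k, 'PROV', #1, #2), sent only if V's proof verifies.
func (p *Prover) Msg4(encS, vrfy []byte) ([]byte, error) {
	s, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, encS, nil)
	if err != nil {
		return nil, err
	}
	p.k = sessionKey(s, p.nP, p.nV)
	if !hmac.Equal(vrfy, mac(p.k, []byte("VRFY"), p.m1, p.m2)) {
		return nil, errors.New("VRFY mismatch")
	}
	return mac(p.k, []byte("PROV"), p.m1, p.m2), nil
}

// Finish: V accepts the asserted Caller ID only if PROV verifies under k (goal G1).
func (v *Verifier) Finish(prov []byte) bool {
	return hmac.Equal(prov, mac(v.k, []byte("PROV"), v.m1, v.m2))
}
```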

Table 5-2. Bit error rates.
Codec     Average Bit Error    Std. Dev.
G.711     0.0%                 0.0%
AMR-NB    0.3%                 0.2%
Speex     0.5%                 5%

Table 5-3. Link layer transmission of 2000 bits.
Bit Error Rate    Transmission Time    Goodput
0.1%              4.086 s (0.004)      490 bps
1%                6.130 s (0.009)      326 bps
2%                11.652 s (0.007)     172 bps

5.4.2 Modem Evaluation

The most important characteristic of the modem is its resistance to bit errors. To measure bit error, we transmit 100 frames of 2,000 random bits [6] each and measure the bit error after reception.

Table 5-2 shows the average and standard deviation of the bit error for various codecs. The modem saw no bit errors on the G.711 channel; this is reflective of the fact that G.711 is a high-quality channel with very minimal processing and compression. AMR-NB and Speex both saw minimal bit error as well, though Speex had a much higher variance in errors. Speex had such a high variance because one frame was truncated, resulting in a higher average error despite the fact that the other 99 frames were received with no error.

5.4.3 Link Layer Evaluation

The most important characteristic of the link layer is its ability to optimize goodput, the actual amount of application data transmitted per unit time (removing overhead from consideration).

Table 5-3 shows, as a function of bit error, the transmission time and the goodput of the protocol compared to the theoretical optimal transmission time and goodput. The

[6] 2,000 bits was chosen as the first "round" number larger than the largest message in the AuthLoop handshake.

Table 5-4. Handshake completion times.
Codec      Cached Certificate    Certificate Exchanged
G.711      4.463 s (0.000)       8.279 s (0.000)
AMR-NB     5.608 s (0.776)       10.374 s (0.569)
Speex      4.427 s (0.000)       8.279 s (0.000)
Average    4.844 s               8.977 s

optimal numbers are computed from the optimal bit time (at 500 bits per second) plus 40 ms of header and footer. The experimental numbers are the average of transmission of 50 messages with 2000 bits each. The table shows that in spite of high bit error rates (up to 2%) the link layer is able to complete message transmission. Of course, the effect of bit errors on goodput is substantial at larger rates. Fortunately, low bit error rates (e.g., 0.1%) result in a minor penalty to goodput, only 5 bps lower than the optimal rate. Higher rates have a more severe impact, resulting in 65.8% and 34.7% of optimal goodput for 1% and 2% loss. Given our observations of bit error rates at less than 0.5% for all codecs, these results demonstrate that our Link Layer retransmission parameters are set within an acceptable range.

5.4.4 Handshake Evaluation

To evaluate the complete handshake, we measure the complete time from handshake start to handshake completion from the verifier's perspective. We evaluate both variants of the handshake: with and without the prover sending a certificate. Handshakes requiring a certificate exchange will take much longer than handshakes without a certificate. This is a natural consequence of simply sending more data.

Table 5-4 shows the total handshake times for calls over each of the three codecs. These results are over 10 calls each. Note that these times are corrected to remove the effects of instrumentation delays and artificial delays caused by interprocess communication among the different components of our prototype that would be removed or consolidated in deployment.

Fromtheverierperspective,wendthatcached-certicateexchangesarequite fastaveraging4.844secondsacrossallcodecs.Whencerticatesarenotcached,our overallaveragetimeis8.977seconds.Di!erencesintimestakenforcerticateexchanges fordi!erentcodecsarecausedbytherelativeunderlyingbiterrorrateofeachcodec. G.711andSpeexhavemuchlowererrorratesthanAMR-NB,andthisresultsinalower overallhandshaketime.Infact,becausethosecodecssawnoerrorsduringthetests,their executiontimeswerevirtuallyidentical. Mostofthetimespentinthehandshakeisspentintransmittingmessagesover thevoicechannel.Infact,transmissiontimeaccountsfor99%ofourhandshaketime. Computationandmiscellaneousoverheadaveragetolessthan50millisecondsfor allmessages.ThisindicatesthatAuthLoopiscomputationallyminimalandcanbe implementedonavarietyofplatforms. 5.5Discussion Thissectionprovidesadiscussionofclientauthentication,publickeyinfrastructure, anddeploymentconsiderationsforAuthLoop. 5.5.1ClientCredentials Upuntilthispoint,wehavefocusedourdiscussionaroundstrongauthenticationof onepartyinthephonecall(i.e.,theProver).However,clientsalreadyengageinaweaker "application-layer"authenticationwhentalkingtomanycallcenters.Forinstance,when callinganancialinstitutionorISP,usersentertheiraccountnumberandadditional valuesincludingPINsandsocialsecuritynumbers.Withoutonenalstep,ourthreat modelwouldallowforanadversarytosuccessfullystealsuchcredentialsasfollows:An adversarywouldlauncha3-Waycalltoboththevictimclientandthetargetedinstitution. Afterpassivelyobservingthesuccessfulhandshake,theadversarycouldcapturethe client'scredentials(i.e.,DTMFtoneinputs)andhangupbothendsofthecall.The adversarycouldthencallthetargetedinstitutionbackspoongthevictim'sCallerIDand presentthecorrectcredentials. 122

One of the advantages of TLS is that it allows for the generation of multiple session keys, for use not only in continued authentication, but also in the protection of data confidentiality and integrity. AuthLoop is no different. While the data throughput enabled by our modem is low, it is sufficiently large to carry encrypted copies of client credentials. Accordingly, an adversary attempting to execute the above attack would be unable to do so successfully because this sensitive information could easily be passed through AuthLoop (and would therefore be useless in a second session). Moreover, because users are already accustomed to entering such information when interacting with these entities, the user experience could continue without any observable difference.

5.5.2 Telephony Public Key Infrastructure

One of the most significant problems facing SSL/TLS is its trust model. X.509 certificates are issued by a vast number of Certificate Authorities (CAs), whose root certificates can be used to verify the authenticity of a presented certificate. Unfortunately, the unregulated nature of who can issue certificates to whom (i.e., what authority does $X$ have to verify and bind names to entity $Y$?) and even who can act as a CA have been known since the inception of the current Public Key Infrastructure [138]. This weakness has led to a wide range of attacks, and enabled both the mistaken identity of domain owners and confusion as to which root-signed certificate can be trusted. Traditional certificates present another challenge in this environment: the existence of long verification chains in the presence of the bitrate-limited audio channel means that the blind adoption of the Internet's traditional PKI model will simply fail if applied to telephony systems. As we demonstrated in our experiment in Table 5-1, transmitting the entirety of long certificate chains would simply be detrimental to the performance of AuthLoop.

The structure of telephony networks leads to a natural, single-rooted PKI system. Competitive Local Exchange Carriers (CLECs) are assigned blocks of phone numbers by the North American Numbering Plan Association (NANPA), and ownership of these

[Figure 5-5. The Telephony Public Key Infrastructure (TPKI). Unlike in the Internet model, the TPKI has a single root (NANPA) which is responsible for all block allocation, and a limited second level of CLECs who administer specific numbers. Accordingly, only the certificate for the number claimed in the current call needs to be sent during the handshake. The figure contrasts the current Internet PKI chain (AddTrust Root / Entrust Root / Symantec Verisign Root -> bankofamerica.com -> xyz.bankofamerica.com) with the proposed TPKI chain (NANPA Root, stored at endpoint -> AT&T (NPA/NXX Administrator), stored at endpoint -> (800) 432-1000 Bank of America).]

blocks is easily confirmed through publicly posted resources such as NPA/NXX databases in North America. A similar observation was recently made in the secure Internet routing community, and resulted in the proposal of the Resource Public Key Infrastructure (RPKI) [217]. The advantage to this approach is that because all allocation of phone numbers is conducted under the ultimate authority of NANPA, all valid signatures on phone numbers must ultimately be rooted in a NANPA certificate. This Telephony Public Key Infrastructure (TPKI) reduces the length of certificate chains and allows us to easily store the root and all CLEC certificates in the US and associated territories (approximately 700 [218]) in just over 100 KiB of storage (1600 bits per certificate × 700). Alternatively, if certificates are only needed for toll-free numbers, a single certificate for the company that administers all such numbers (i.e., Somos, Inc.) would be sufficient.

Figure 5-5 shows the advantages of our approach. Communicating with a specific server (xyz.bankofamerica.com) may require the transmission of three or more certificates before identity can be verified. Additionally, the existence of different roots adds confusion

PAGE 125

to the legitimacy of any claimed identity. Our proposed TPKI relies on a single NANPA root, and takes advantage of the relatively small total number of CLECs to require only a single certificate for the calling number to be transmitted during the handshake. Further specifying details of the proposed TPKI (e.g., revocation) presents an opportunity for interesting future work.

5.5.3 Deployment Considerations

As our experiments demonstrate that AuthLoop is bandwidth-bound and not processor-bound, we believe that these techniques can be deployed successfully across a wide range of systems. For instance, AuthLoop can be embedded directly into new handset hardware. Moreover, it can be used immediately with legacy equipment through external adapters (e.g., a Raspberry Pi). Alternatively, AuthLoop could be loaded on mobile devices through a software update to the dialer, enabling large numbers of devices to benefit immediately.

Full deployments have the opportunity to make the audio signaling of AuthLoop almost invisible to the user. If AuthLoop is in-line with the call audio, the system can remove AuthLoop transmissions from the audio sent to the user. In other words, users will never hear the AuthLoop handshakes or keep-alive messages. While our current strategy is to minimize the volume of the signaling so as to not interrupt a conversation (as has been done in other signaling research [219]), we believe that the in-line approach will ultimately provide the greatest stability and least intrusive user experience.

Lastly, we note that because AuthLoop is targeted across all telephony platforms, a range of security indicators will be necessary for successfully communicating authenticated identity to the user. However, given the limitations of space and the breadth of devices and their interfaces, we leave this significant exploration to our future work.
CHAPTER 6
EFFICIENT IDENTITY AND CONTENT AUTHENTICATION FOR PHONE CALLS

(Text of this chapter is reprinted with permission from Bradley Reaves, Logan Blue, Hadi Abdullah, Luis Vargas, Patrick Traynor, and Tom Shrimpton. AuthentiCall: Efficient Identity and Content Authentication for Phone Calls. In Proceedings of the 26th USENIX Security Symposium, Vancouver, BC, August 2017. Acceptance rate: 16.3%.)

Telephones have remained of paramount importance to society since their invention 140 years ago, and they are especially important for sensitive business communications, for whistleblowers and journalists, and as a reliable fallback when other communication systems fail. However, as we have discussed, these networks were never designed to provide end-to-end authentication or integrity guarantees. Adversaries with minimal technical ability regularly take advantage of this fact by spoofing Caller ID, a vulnerability enabling over $7 billion in fraud in 2015 [44]. More capable adversaries can exploit weaknesses in core network protocols such as SS7 to reroute calls and modify content [220]. Unlike the web, where mechanisms such as TLS protect data integrity and allow experts to reason about the identity of a website, the modern telephony infrastructure simply provides no means for anyone to reason about either of these properties.

In this chapter, we discuss AuthentiCall, a system designed to provide end-to-end guarantees of authentication and call content integrity over modern phone systems (e.g., landline, cellular, or VoIP). While most phones have access to some form of data connection, that connection is often not robust or reliable enough to support secure VoIP phone calls. AuthentiCall uses this often low-bitrate data connection to mutually authenticate both parties of a phone call with strong cryptography before the call is answered. Even in the worst case, this authentication adds at most a negligible 1.4 seconds to call establishment. Once a call is established, AuthentiCall binds the call audio to the original authentication using specialized, low-bandwidth digests of the speech in the call. These digests protect the integrity of call content and can distinguish legitimate audio
modifications attributable to the network from 99% of maliciously tampered call audio, even while a typical user would expect to see a false positive only once every six years. Our system is the first to use these digests to ensure that received call audio originated from the legitimate source and has not been tampered with by an adversary. Most critically, AuthentiCall provides these guarantees for standard telephone calls without requiring changes to any core network.

This chapter makes the following contributions:

Designs channel binding and authentication protocols: We design and implement protocols that bind identities to phone numbers, mutually authenticate both parties of a phone call, and protect call content in transit.

Evaluates robust speech digests for security: We show that proposed constructions for digesting speech data in systems that degrade audio quality can be made effective in adversarial settings in real systems.

Evaluates call performance in real networks: Our prototype implementation shows that the techniques pioneered in AuthentiCall are practical and performant, adding only 1.4 seconds in the worst case to phone call establishment in typical settings.

We are not the first to address this problem [104], [106], [110], [111], [125], [221], [222]. However, other approaches have relied upon weak heuristics, fail to protect phone calls using the public telephone network, are not available to end users, neglect to protect call content, are trivially evaded, or add significant delay to call establishment. AuthentiCall is the only system that authenticates phone calls and content with strong cryptography in the global telephone network with negligible latency and overhead.

The remainder of this chapter is organized as follows: Section 6.1 describes our assumptions about adversaries and our security model in detail; Section 6.2 gives a formal specification of the AuthentiCall system; Section 6.3 discusses how analog speech digests can be used to achieve call content integrity; Section 6.4 provides details of the implementation of our system; Section 6.5 shows the results of our experiments; Section 6.6 offers additional discussion.
Figure 6-1. Broad overview of attacks possible on Caller ID and call content in the current telephony landscape. (Panels: Caller ID spoofing through the telephony core; content injection, e.g. "Hi, CC#?" inserted into a call with a bank.)

6.1 Security Model

In order to authenticate voice calls and content, AuthentiCall will face adversaries with a range of capabilities. The simplest adversary will attempt to commit phone fraud by spoofing Caller ID when calling a target. An equivalent form of this attack may occur by the adversary tricking their target into calling an arbitrary number under their control (e.g., via spam or phishing) and claiming to represent some other party (e.g., a financial institution). Additionally, this adversary may perform a call forwarding attack, which forces a target calling a legitimate number to be redirected to the adversary. Lastly, the adversary may place a voice call concurrent with other legitimate phone calls in order to create a race condition to see which call arrives at the destination first. In all of these cases, the goal of the adversary is to claim another identity for the purpose of extracting sensitive information (e.g., bank account numbers, usernames, and passwords).

A more sophisticated adversary may gain access to a network core via vulnerabilities in systems such as SS7 [220], or improperly protected lawful wiretapping infrastructure [22]. This adversary can act as a man-in-the-middle, and is therefore capable of redirecting calls to an arbitrary endpoint, acting as an arbitrary endpoint, hanging up one side of a call at any point in time, and removing or injecting audio on one or both sides. Such an adversary is much more likely to require nation-state level sophistication, but exists nonetheless. Examples of both classes of adversary are shown in Figure 6-1.
Given that the bitwise encoding of audio is unlikely to be the same at each endpoint, end-to-end encryption is not a viable means of protecting call content or integrity across the heterogeneous telephony landscape. Moreover, while we argue that the majority of phones have access to at least a low-bandwidth data connection, solutions that demand high-speed data access at all times (i.e., pure VoIP calls) do not offer solutions for the vast majority of calls (i.e., cellular calls). Finally, we claim no ability to make changes throughout the vast and disparate technologies that make up the core networks of modern telephony and instead focus strictly on addressing this problem in an end-to-end fashion.

We define four participants: the Caller (R), the Callee (E), the Server (S), and the Adversary (Adv). Callers and Callees will register with the AuthentiCall service as described in the next section and will generate credentials (the details of which are described in depth in Section 6.2) that include a public key. AuthentiCall will achieve the following security goals in the presence of the above-described adversaries:

1. (G1) Proof of number ownership: During the process of registration, R will actively demonstrate ownership of its claimed Caller ID to S before it receives a signed certificate.

2. (G2) Authentication of the caller: E will be able to cryptographically verify the identity of R prior to accepting an incoming call.

3. (G3) Authentication of the callee: R will be able to cryptographically verify the identity of E as soon as the call begins.

4. (G4) Integrity protection of call content: Both R and E will be able to verify that the analog voice content has not been meaningfully altered, and that new content has not been injected by a man in the middle. Additionally, both will be protected against concurrent call attacks.
5. (G5) Proof of liveness: Both R and E will be able to detect if the other party is no longer on the call, perhaps as the result of a man in the middle attempting to engage in the call after the initial authentication phase.

6.2 Protocol Design and Evaluation

In the previous section, we saw that AuthentiCall has five security goals to meet, and this section describes the three protocols that AuthentiCall uses to achieve these goals. These are the Enrollment, Handshake, and Call Integrity protocols.

These protocols make use of certificates issued to each client that indicate that a particular client controls a specific phone number. In Chapter 5 we proposed a full public key infrastructure for telephony [222] called a "TPKI" that would have as its root the North American Numbering Plan Administrator, with licensed carriers acting as certificate authorities. This PKI would issue an authoritative certificate that a phone number is owned by a particular entity, and AuthentiCall could enforce that calls take place between the entities specified in those certificates. While AuthentiCall can leverage the proposed TPKI, a fully-deployed TPKI is not necessary, as AuthentiCall can act as its own certificate authority (this is discussed further in the enrollment protocol).

All of these protocols make use of a client-server architecture, where an AuthentiCall server acts as either an endpoint or an intermediary between user clients. There are several reasons for this design choice. First, having a centralized relay simplifies the development of AuthentiCall. Second, it allows the server to prevent abuses of AuthentiCall, such as robodialing by a single party, by implementing rate limiting. The server can authenticate callers before allowing their messages to be transmitted, providing a mechanism for banning misbehaving users. Finally, all protocols (including handshake and enrollment) implement end-to-end cryptography. Assuming the integrity of the AuthentiCall certificate authority infrastructure and the integrity of the client, no other entity of the AuthentiCall network can read or fabricate protocol messages. We also assume that all communications between clients and servers use a secure TLS configuration with server authentication.
Our protocols have another goal: no human interaction except for choosing to accept a call. There are two primary reasons for this. First, it is well established that ordinary users (and even experts) have difficulty executing secure protocols correctly [223]. Second, in other protocols that rely on human interaction, the human element has been shown to be the most vulnerable [115].

The following subsections detail the three protocols in AuthentiCall. The first protocol, the enrollment protocol, ensures that a given AuthentiCall user actually controls the phone number they claim to own (G1). The enrollment protocol also issues a certificate to the user. The second protocol, the handshake protocol, mutually authenticates two calling parties at call time (G2 and G3). The final protocol, the call integrity protocol, ensures the security of the voice channel and the content it carries (G4 and G5).

6.2.1 Enrollment Protocol

The enrollment protocol ensures that a client controls a claimed number and establishes a certificate that binds the identity of the client to a phone number. For our purposes, "identity" may be a user's name, organization, or any other pertinent information. Binding the identity to a phone number is essential because phone numbers are used as the principal basis of identity and routing in phone networks, and they are also used as such with AuthentiCall. The enrollment protocol is similar to other certificate issuing protocols but with the addition of a confirmation of control of the phone number.

Figure 6-2 shows the details of the enrollment protocol. The enrollment protocol has two participants: a client C and an AuthentiCall enrollment server S. In message 1, C sends an enrollment request with S's identity, C's identity information, C's phone number, and C's public key. In message 2, the server sends a nonce N_Net, the identities of C and S and the phone numbers of C and S with a timestamp to ensure freshness and liveness, and to provide a "token" for this particular authentication session.
Figure 6-2. Our enrollment protocol confirms phone number ownership and issues a certificate. Messages between client C and server S (data channel unless noted): (1) C → S: ID(C) || PhNum(C) || ID(S) || K+_C; (2) S → C: N_Net || ID(C) || PhNum(C) || ID(S) || PhNum(S) || TS; (3) S → C over the audio channel: N_Audio; (4) C → S: N_Audio || N_Net || ID(C) || PhNum(C) || ID(S) || TS || Sign_{K_C}(preceding fields); (5) S → C: Cert(ID(C) || PhNum(C) || K+_C), signed with K_S.

In message 3, the server begins to confirm that C controls the phone number it claims. The number is confirmed when S places a call to C's claimed phone number. When the call is answered, S transmits a nonce over the voice channel. Having S call C is a critical detail because intercepting calls is far more difficult than spoofing a source number (we revisit the threat of call interception later in this subsection). Using a voice call is important because it will work for any phone, including VoIP devices that may not have SMS access.

In message 4, C sends both N_Net and N_Audio along with the IDs of server and client, a timestamp, and a signature covering all other fields. This final message confirms three things: possession of N_Net, the ability to receive a call (by providing N_Audio), and possession by C of the private key K_C by virtue of signing the message.

In message 5, S replies with a signed certificate issued to C. This completes the enrollment protocol.
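The five-message exchange above, as an added example written for this page (it is not AuthentiCall's own code): both sides of Figure 6-2 run in one Go program, so that the check that carries the weight, the nonce delivered over the voice channel, can be exercised against an enroller who claims a number they cannot answer. Everything not fixed by the text is an assumption of this example: Ed25519 for both the client key and the server's certificate signature, a length-prefixed field encoding, 16-byte nonces, a map standing in for the phone network, and a minimal certificate structure in place of a TPKI-style certificate.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// enc length-prefixes each field so every signed byte string has exactly one parse.
func enc(fields ...[]byte) []byte {
	var b bytes.Buffer
	for _, f := range fields {
		binary.Write(&b, binary.BigEndian, uint32(len(f)))
		b.Write(f)
	}
	return b.Bytes()
}

func nonce() []byte { n := make([]byte, 16); rand.Read(n); return n }

// Party is any AuthentiCall principal: identity, phone number and Ed25519 key pair. heard holds
// the nonce a device received over the voice channel, set only on the device that answered.
type Party struct {
	ID, PhNum string
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	heard     []byte
}

func NewParty(id, num string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Party{ID: id, PhNum: num, Pub: pub, priv: priv}
}

// Server is the enrollment server. Network stands in for the phone network: it maps a number to
// the device that actually answers it, whatever an enroller claims.
type Server struct {
	*Party
	Network map[string]*Party
}

// Cert is the certificate of message 5 (a stand-in for the X.509-style certificate in the text):
// Cert(ID(C) || PhNum(C) || K+_C) with the server's signature over those fields.
type Cert struct {
	ID, PhNum string
	Pub       ed25519.PublicKey
	Sig       []byte
}

func certBody(id, num string, pub ed25519.PublicKey) []byte { return enc([]byte(id), []byte(num), pub) }

func VerifyCert(serverPub ed25519.PublicKey, c *Cert) bool {
	return ed25519.Verify(serverPub, certBody(c.ID, c.PhNum, c.Pub), c.Sig)
}

// Enroll runs messages 1-5 of Figure 6-2 between client c and server s in one place, with the
// comments marking which side does what, and returns c's certificate or the reason it was refused.
func Enroll(c *Party, s *Server, now time.Time) (*Cert, error) {
	// (1) C -> S over TLS: ID(C) || PhNum(C) || ID(S) || K+_C (taken here from c's fields).
	// (2) S -> C: N_Net || ID(C) || PhNum(C) || ID(S) || PhNum(S) || TS, the token for this session.
	nNet, ts := nonce(), []byte(now.UTC().Format(time.RFC3339))
	// (3) S calls PhNum(C) and plays N_Audio over the voice channel. Only the device that answers
	// at that number learns it; an enroller who merely spoofed the number does not.
	nAudio := nonce()
	if answered := s.Network[c.PhNum]; answered != nil { answered.heard = nAudio }
	// (4) C -> S: N_Audio || N_Net || ID(C) || PhNum(C) || ID(S) || TS, signed with K_C. C can only
	// use whatever it heard (nil if the call never reached it).
	body := enc(c.heard, nNet, []byte(c.ID), []byte(c.PhNum), []byte(s.ID), ts)
	sig := ed25519.Sign(c.priv, body)
	// S checks that message 4 echoes exactly the N_Audio it played and the N_Net and TS it issued,
	// and that the signature verifies under K+_C from message 1, proving C holds K_C.
	want := enc(nAudio, nNet, []byte(c.ID), []byte(c.PhNum), []byte(s.ID), ts)
	if !bytes.Equal(body, want) { return nil, errors.New("message 4 fields wrong: enroller did not receive the audio nonce") }
	if !ed25519.Verify(c.Pub, body, sig) { return nil, errors.New("message 4 signature does not verify under the enrolled key") }
	// (5) S -> C: Cert(ID(C) || PhNum(C) || K+_C) signed by K_S.
	return &Cert{c.ID, c.PhNum, c.Pub, ed25519.Sign(s.priv, certBody(c.ID, c.PhNum, c.Pub))}, nil
}

func main() {
	s := &Server{NewParty("AuthentiCall", "+18005550100"), map[string]*Party{}} // constructed identities
	alice := NewParty("Alice", "+15551230001")
	s.Network[alice.PhNum] = alice // Alice's handset answers calls to her number
	cert, err := Enroll(alice, s, time.Now())
	fmt.Println("Alice enrolled:", err == nil && VerifyCert(s.Pub, cert))
	mallory := NewParty("Mallory", alice.PhNum) // claims Alice's number but cannot answer it
	_, err = Enroll(mallory, s, time.Now())
	fmt.Println("Mallory:", err)
}
```

The second run shows the property the text relies on: spoofing a source number costs nothing, but without intercepting the call to that number the enroller never learns N_Audio, so message 4 cannot be completed. The TOFU caveat discussed next is visible in the model too: whoever the Network map routes the call to, legitimate owner or interceptor, will pass the check.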
We note that this protocol is subject to the same limitations on certifying identity as every other Internet certificate authority. In particular, we will require an out-of-band process to verify identity for high-value certificates, and will require the ability to authenticate supporting documentation. AuthentiCall can also use other authoritative information sources like CNAM lookups to verify number ownership in some cases. (CNAM is the distributed database maintained by carriers that maps phone numbers to the names presented in traditional caller ID. While spoofing a number is trivial, CNAM lookups occur out-of-band from call signaling, and results could only be spoofed by a carrier, not a calling party.) While no system or process is perfect, these types of policies have been largely effective on the Internet.

We also note that this is a trust-on-first-use (TOFU) protocol. While the protocol is secure in the presence of passive adversaries on both the data and voice networks, if an adversary can actively intercept a call addressed to a victim phone number (and also supply any out-of-band identity confirmation), they may be able to obtain a certificate for a number they illicitly control. If a TPKI were deployed, this attack would not be possible. Even without a TPKI, the likelihood of a successful attack is limited, because the attack would eventually be detected by the legitimate owner when they attempt to register or authenticate using the legitimate number. To further protect against this attack, our protocol meets an additional goal: human interaction is not required for enrollment and for confirming control of the claimed phone number. This means that automatic periodic reverification of phone number control is possible. This is important to prevent long-term effects of a brief phone number compromise, but also for more mundane issues like when phone numbers change ownership.
Figure 6-3. Our handshake protocol mutually authenticates both parties. Messages: (1) R → S over TLS: call PhNum(E); (2) S → E: incoming call from R; (3) S → R: whether E is an AuthentiCall user; (4a) R → E via S: ID(R) || PhNum(R) || Cert(R) || TS_1 || N_R || DH_R || Sign_{K_R}(preceding fields); (4b) E → R via S: ID(E) || PhNum(E) || Cert(E) || TS_2 || N_E || DH_E || Sign_{K_E}(preceding fields); (5a) R → E: HMAC_{K_ER1}(msg4a || msg4b || "Caller"); (5b) E → R: HMAC_{K_ER2}(msg4a || msg4b || "Callee"). The voice call proceeds over the telephone network in parallel.

6.2.2 Handshake Protocol

The handshake protocol takes place when a caller intends to contact a callee. In this protocol, the caller places a voice call over the telephone network while simultaneously using a data connection to conduct the handshake protocol.

The handshake protocol consists of two phases. The first indicates to the AuthentiCall server and the called party that a call is imminent. The second phase authenticates both parties on the call and establishes shared secrets. These secrets are only known end-to-end and are computed in a manner that preserves perfect forward secrecy. Figure 6-3 shows the handshake protocol.

The first phase consists of messages 1-3. In message 1, a caller R indicates to an AuthentiCall server S that R would like to place a call to the callee E. In message 2, S informs the callee E that an authenticated voice call is incoming.

In message 3, S informs R whether E is an AuthentiCall user or not, but does not provide information about E's presence or availability. Message 3 has several aims. The first is to protect the privacy of E. A strawman mechanism to protect privacy is for AuthentiCall to provide no information about E until E agrees to accept the call. However, this presents a problem: if an adversary tampers with or blocks messages from E, it prevents E from participating in the handshake, and R would have to assume (in the
absence of outside knowledge) that E is not a participant in AuthentiCall. This would allow an adversary to evade AuthentiCall. To solve this problem, S simply indicates to R whether or not R should expect to complete an AuthentiCall handshake for this call if E is available and chooses to accept the call. This reveals only E's preference to authenticate a phone call, and nothing about her availability or whether she has even chosen to accept or reject a call. Protecting this information is important because if an unwanted caller knows that a user is available, they may call repeatedly or use that information in other undesirable ways (e.g., harassment or telemarketing). If message 3 indicates that E is an AuthentiCall user but E does not choose to accept the call, R must simply wait for the call request to time out. From R's perspective, this is no different from dialing and waiting for a busy signal or voicemail, and should add little to no latency to the call. If message 3 indicates that E is not an AuthentiCall user, the protocol ends at this step and R is forced to fall back to an insecure call.

The second handshake phase authenticates R and E and consists of messages 4A-B and 5A-B. These messages are indicated by letters A and B because the messages contain the same fields for caller and callee respectively. They can be computed independently and sent in parallel, reducing round trip latencies.

Message 4 contains all information necessary for a Diffie-Hellman key establishment authenticated with the signature key defined in the certificate of R or E. It also contains identity information for R or E, the calling or called phone number, a timestamp, and a nonce. Each side also provides a Diffie-Hellman share, and the entire message is signed with the private key corresponding to the public key in the certificate issued by AuthentiCall.

After message 4, both sides combine their Diffie-Hellman secret with the share they received to generate the derived secret. Each client then generates keys using the Diffie-Hellman result, the timestamps of both parties, and the nonces of both parties.

Messages 5A and 5B contain an HMAC of messages 4A and 4B along with a string to differentiate message 5A from message 5B. The purpose of this message is to provide
key confirmation: proof that both sides of the exchange have access to the keys generated after messages 4A and 4B. This message concludes the handshake protocol.

Figure 6-4. Our call integrity protocol protects all speech content. Messages between caller R and callee E (via the server over TLS, alongside the voice call): (0a) "CallConnected" || TS_1 || HMAC_{K_ER}(TS_1) and (0b) "CallConnected" || TS_2 || HMAC_{K_ER}(TS_2); (1a), (1b) and following, repeated for the duration of the call: Index || AudioDigest_1 || AuD_2 || ... || AuD_5 || HMAC_{K_ER}(preceding fields); (Na) "CallEnded" || TS_3 || HMAC_{K_ER}(TS_3) and (Nb) "CallEnded" || TS_4 || HMAC_{K_ER}(TS_4).

6.2.3 Call Integrity Protocol

The call integrity protocol binds the handshake conducted over the data network to the voice channel established over the telephone network. Part of this protocol confirms that the voice call has been established and confirms when the call ends. The remainder of the messages in this protocol exchange content authentication information for the duration of the call. This content integrity takes the form of short "digests" of call audio (we discuss these digests in detail in the following section). These digests are effectively heavily compressed representations of the call content; they allow for detection of tampered audio at a low bitrate. Additionally, the digests are exchanged by both parties and authenticated with HMACs.

Figure 6-4 shows the details of the call integrity protocol. The protocol begins after the voice call is established. Both caller R and callee E send a message indicating that the
voice call has connected. This message includes a timestamp and an HMAC of the timestamp. These messages are designed to prevent attacks where a call is redirected to another phone. One possible attack is an adversary maliciously configuring call forwarding on a target; the handshake would be conducted with the target, but the voice call would be delivered to the adversary. In such a case, the target would not send a "call established" message and the attack would fail.

Once the voice call begins, each side will send the other audio digests at a regular interval. This message is protected with an HMAC to prevent a network adversary from tampering with the audio digests.

When the voice call ends, each side sends a "call concluded" message containing a timestamp with an HMAC. This alerts the endpoint to expect no more digests. It also prevents a man-in-the-middle from continuing a call that the victim has started and authenticated.

6.2.4 Evaluation

Our protocols use standard constructions for certificate establishment, certificate-based authentication, authenticated key establishment, and message authentication. We used ProVerif [224] to further analyze the handshake and enrollment protocols. The analysis verified that our handshake protocol establishes and never leaks the secret key. The protocol also provides authentication and perfect forward secrecy for both the caller and callee. The enrollment protocol is verified to never leak the private keys of either party. This property allows us to assert that neither signatures nor certificates can be forged.

6.3 Speech Digest Design and Evaluation

The previous section describes how AuthentiCall enrolls and authenticates users prior to a call. During a call, AuthentiCall needs a way to summarize speech content in order to authenticate audio using a low-bandwidth data connection. We term these summaries "speech digests." A speech digest has two goals. First, it must accurately summarize the content of the call. However, it is not necessary for this summary to be lossless or
meaningful for human interpretation. We are also concerned more with semantics (i.e., words spoken) than we are with speaker voice characteristics (e.g., tone, identity) or extraneous features like noise. Second, the digest must be robust to non-semantic changes in audio.

Because of ambient or electronic noise, intermittent loss, and the use of differing encodings throughout the phone network, the audio transmitted by a phone will not be the same as the audio received. In particular, the audio received is practically guaranteed not to be similar on a bit level to the audio sent by the phone. This means that common data digest approaches like cryptographic hashes will fail.

While the original phone system used analog transmission of voice, it is now common in every telephone network (landline, VoIP, cellular, etc.) for speech to be digitized and compressed using an audio codec. At network boundaries, it is common for audio to be decoded and recoded into a different codec (known as transcoding). Codecs used in the phone network are highly lossy and drastically distort the call audio, and so have the potential to significantly impact audio digest performance. In digital audio systems, voice data is encoded into discrete frames of 10-30 milliseconds (depending on codec choice and other factors) of audio that are transmitted. Because some phone systems (especially cellular and VoIP) use lossy networks for transmission, frames are routinely lost. For example, loss rates of 4% are considered nominal for cellular voice [197]. Finally, for a digest scheme to be effective, the digests must be computed on the same audio, requiring time synchronization on both ends of the call to know where each digest should start and end. While we discuss how we achieve this synchronization in Section 6.3.2, we note that slight deviation in synchronization is likely, and we must use digests that account for all of the above realities.
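Returning to the protocols of Sections 6.2.2 and 6.2.3 before the digests themselves: the example below is added for this page (it is not AuthentiCall's code) and runs messages 4A/4B and 5A/5B of Figure 6-3 between a caller and a callee, then tags call-integrity messages of Figure 6-4 with the resulting K_ER. The following are assumptions of the example, not statements of the text: X25519 for the Diffie-Hellman shares, Ed25519 certificate keys, an HKDF-style HMAC-SHA256 key derivation (the text fixes only the inputs: the DH result, both timestamps and both nonces), a two-minute timestamp window, and that each side already holds the peer's certified public key rather than parsing a certificate out of message 4.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// enc length-prefixes each field so every signed or HMACed byte string has exactly one parse.
func enc(fields ...[]byte) []byte {
	var b bytes.Buffer
	for _, f := range fields {
		binary.Write(&b, binary.BigEndian, uint32(len(f)))
		b.Write(f)
	}
	return b.Bytes()
}

// Msg4 is message 4A (caller) or 4B (callee): identity, number, timestamp, nonce, ephemeral X25519
// share, and an Ed25519 signature under the sender's certificate key over all of those fields.
type Msg4 struct {
	ID, PhNum          string
	TS, Nonce, DH, Sig []byte
}
func (m *Msg4) body() []byte { return enc([]byte(m.ID), []byte(m.PhNum), m.TS, m.Nonce, m.DH) }

type Peer struct { // one party's certificate key pair plus its state for the current call
	ID, PhNum      string
	SignPub        ed25519.PublicKey
	signPriv       ed25519.PrivateKey
	caller         bool
	eph            *ecdh.PrivateKey // fresh per call: a later key compromise reveals no past call keys
	mine, m4a, m4b *Msg4            // own message 4; then both message 4s in caller, callee order
	K1, K2, KER    []byte           // K_ER1, K_ER2 (key confirmation) and K_ER (call integrity tags)
}

func NewPeer(id, num string, caller bool) *Peer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Peer{ID: id, PhNum: num, SignPub: pub, signPriv: priv, caller: caller}
}

// Message4 creates this party's half of the signed Diffie-Hellman exchange.
func (p *Peer) Message4(now time.Time) *Msg4 {
	var err error
	if p.eph, err = ecdh.X25519().GenerateKey(rand.Reader); err != nil { panic(err) }
	p.mine = &Msg4{ID: p.ID, PhNum: p.PhNum, TS: []byte(now.UTC().Format(time.RFC3339)), Nonce: make([]byte, 16), DH: p.eph.PublicKey().Bytes()}
	rand.Read(p.mine.Nonce)
	p.mine.Sig = ed25519.Sign(p.signPriv, p.mine.body())
	return p.mine
}

// Derive verifies the peer's message 4 against the peer's certified public key and the number this
// call is with, then derives the call keys. KDF (assumption; the text fixes only its inputs):
// HKDF-style HMAC-SHA256 with salt TS_R || TS_E || N_R || N_E over the Diffie-Hellman result.
func (p *Peer) Derive(theirs *Msg4, certPub ed25519.PublicKey, expectNum string, now time.Time) error {
	if theirs.PhNum != expectNum { return errors.New("number in message 4 is not the number of this call") }
	if !ed25519.Verify(certPub, theirs.body(), theirs.Sig) { return errors.New("message 4 not signed by the certificate holder") }
	if ts, err := time.Parse(time.RFC3339, string(theirs.TS)); err != nil || now.Sub(ts).Abs() > 2*time.Minute { return errors.New("message 4 timestamp not fresh") }
	pub, err := ecdh.X25519().NewPublicKey(theirs.DH)
	if err != nil { return err }
	shared, err := p.eph.ECDH(pub)
	if err != nil { return err }
	p.m4a, p.m4b = p.mine, theirs
	if !p.caller { p.m4a, p.m4b = theirs, p.mine }
	prk := hmac.New(sha256.New, enc(p.m4a.TS, p.m4b.TS, p.m4a.Nonce, p.m4b.Nonce))
	prk.Write(shared)
	expand := func(label string) []byte { h := hmac.New(sha256.New, prk.Sum(nil)); h.Write([]byte(label)); return h.Sum(nil) }
	p.K1, p.K2, p.KER = expand("K_ER1"), expand("K_ER2"), expand("K_ER")
	return nil
}

// Message5 computes 5A (role "Caller", key K_ER1) or 5B ("Callee", K_ER2): an HMAC over both message 4s
// and the role string. A party sends Message5(p.caller) and checks the peer's tag against Message5(!p.caller).
func (p *Peer) Message5(asCaller bool) []byte {
	key, role := p.K2, "Callee"
	if asCaller { key, role = p.K1, "Caller" }
	h := hmac.New(sha256.New, key)
	h.Write(enc(p.m4a.body(), p.m4a.Sig, p.m4b.body(), p.m4b.Sig, []byte(role)))
	return h.Sum(nil)
}

// Tag and Check authenticate Figure 6-4 messages ("CallConnected" || TS, indexed digest batches, "CallEnded" || TS).
func (p *Peer) Tag(payload []byte) []byte { h := hmac.New(sha256.New, p.KER); h.Write(payload); return h.Sum(nil) }
func (p *Peer) Check(payload, tag []byte) bool { return hmac.Equal(tag, p.Tag(payload)) }

func main() {
	R, E := NewPeer("Alice", "+15551230001", true), NewPeer("Bank", "+18004321000", false) // constructed
	m4a, m4b := R.Message4(time.Now()), E.Message4(time.Now())
	fmt.Println("derive:", R.Derive(m4b, E.SignPub, E.PhNum, time.Now()), E.Derive(m4a, R.SignPub, R.PhNum, time.Now()))
	fmt.Println("confirmed:", hmac.Equal(R.Message5(true), E.Message5(true)), hmac.Equal(E.Message5(false), R.Message5(false)))
}
```

The signature in message 4 is what stops the core-network man-in-the-middle of Section 6.1: an adversary who replaces DH_E with a share of their own cannot re-sign the message under E's certificate key, so Derive fails on the caller's side before any key is produced. The same derived K_ER is what makes a forwarded call detectable in Section 6.2.3: the endpoint the voice call actually reached never ran the handshake and cannot produce a valid "CallConnected" tag.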
Figure 6-5. This figure illustrates the digest construction described in Section 6.3.1. Audio digests summarize call content by taking one second of speech data, deriving audio features from the data, and compressing blocks of those features into a bit string. (Pipeline: one second of audio → audio features, computed once per second → matrix L → blocks B_1 (index l_1 to l_1 + w) and B_2 (index l_2 to l_2 + w) → DCT of each block → comparison of 8 coefficients → 8 digest bits; the compression function runs 64 times per second.)

To accomplish the goals just described, we leverage research from an area of signal processing that produces techniques known as "perceptual hashes" or "robust hashes" [4]. Unlike cryptographic hashes, which change drastically with small changes in input, robust digests give very similar outputs for similar inputs. Robust digests have been developed for a wide domain of inputs, including music, images, and speech, but their applicability has remained limited. To our knowledge, this work presents one of the first uses of robust speech digests for security.

The following subsections provide a description of the speech digests we use in AuthentiCall and a thorough analysis of the performance of these digests for telephone calls.
6.3.1 Construction

There are a number of constructions of speech digests, and they all use the following basic process. First, they compute derived features of speech. Second, they define a compression function to turn the real-valued features into a bit string. In this work, we use the construction of Jiao et al. [225], which they call RSH. We chose this technique over others because it provides good performance on speech at a low bitrate, among other properties. We note that the original work did not evaluate the critical case where an adversary can control the audio being hashed. Our evaluation shows that RSH maintains audio integrity in this crucial case. Finally, to our knowledge we are the first to use any robust speech digest for an authentication and integrity scheme.

Figure 6-5 illustrates how RSH computes a 512-bit digest for one second of audio. In the first step of calculating a digest, feature computation, RSH computes the Line Spectral Frequencies (LSFs) of the input audio. LSFs are commonly used in speech compression algorithms to represent the major frequency components of human voice (known as formants), which contain the majority of semantic information in speech. That is, LSFs represent phonemes, the individual sound units present in speech. While pitch is useful for speaker recognition, LSFs are not a perfect representation of all of the nuances of human voice. This is one reason why it is sometimes difficult for humans to confidently recognize voices over the phone. This means that the digest more accurately represents semantic content rather than the speaker's voice characteristics. This is important because a number of techniques are able to synthesize new speech that evades speaker recognition from existing voice samples [123], [226]. Finally, LSFs are numerically stable and robust to quantization, meaning that modest changes in input yield small changes in output.

[4] In this work, we call these "robust digests" or "digests" to avoid confusion with cryptographic hashes.
In RSH, the input audio is grouped into 30 ms frames with 25 ms of audio overlap between frames, and 10 line spectral frequencies are computed for each frame to create a matrix L.

The second phase of digest computation involves compressing the large amount of information about the audio into a digest. Because audio rarely changes on millisecond timescales, the representation L is highly redundant. To compress this redundant data, RSH uses the two-dimensional discrete cosine transform (DCT). The DCT is related to the Fourier transform, is computationally efficient, and is commonly used in compression algorithms (e.g., JPEG, MP3). RSH computes the DCT over different sections of the matrix L to produce the final digest. RSH only uses the first eight DCT coefficients (corresponding to the highest energy components and discarding high-frequency information).

The compression function uses the DCT in the computation of the bitwise representation of the audio sample. The following process generates 8 bits of a digest; it is repeated 64 times to generate a 512-bit digest.

1. Obtain a window size w and two window start indexes l_1 and l_2 from the output of a keyed pseudorandom function.

2. Select from L two blocks of rows. These blocks B_1 and B_2 contain all columns, for the rows l_1 : l_1 + w and l_2 : l_2 + w respectively.

3. Compress these individual blocks into eight coefficients each using the DCT.

4. Set eight digest bits according to whether the corresponding coefficients of the first block (B_1) are greater than the coefficients of the second block (B_2).

We note that sections of audio are selected probabilistically; Reaves et al. show that the probability that a section of audio is not used in a digest is negligible [227]. This simply means that digests cover practically all content in the call.

An important consideration is that the digest is keyed. These digests are clearly not intended to be used for the same purposes as a cryptographic hash, and the
use of a key in these functions is for a different purpose than keying in a cryptographic construction. By using a pseudorandom function, digests become dependent on the key in use at the time. This dependence adds entropy to digest construction so that repeated phrases generate unique digests. It also has the advantage that it makes it difficult to compute digests for audio without knowledge of the key, which in AuthentiCall is derived during the handshake for each call. In AuthentiCall, digests themselves are also authenticated using an HMAC to guarantee digest integrity in transit.

Digests are computed by the caller and are received and verified by the callee (and, since each side sends digests, vice versa). The verifying party computes the digest of the received audio, then computes the Hamming distance between the calculated and received digests. Because degradation of audio over a phone call is expected, digests will not match exactly. However, the Hamming distance between two audio digests, expressed as a bit error rate (BER), is related to the amount of change in the audio. By setting an appropriate threshold on BER, legitimate audio can be distinguished from incorrect audio.

6.3.2 Implementation and Evaluation

Now that we have seen how RSH digests are computed, we can evaluate properties of RSH digests. This includes the effects of legitimate transformations and the results of comparing digests of unrelated audio samples (as might be generated by an adversary). We also describe how we use digests to detect tampered audio.

We implement RSH using Matlab, and we deploy it in our AuthentiCall prototype by using the Matlab Coder toolbox to generate C code that is compiled as an Android native code library. We use the TIMIT audio corpus [189], which is a standard test dataset for speech processing systems. It consists of high-fidelity recordings of 630 male and female speakers reading 10 English sentences constructed for phonetic diversity. Because RSH computes hashes of one second of audio, we split the TIMIT audio data into discrete seconds of audio, each corresponding to a unique section of audio from a speaker and sentence. This resulted in 22,487 seconds of unique audio.
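The construction of Section 6.3.1 and the BER comparison just described, as an added example (written for this page; it is not the Matlab RSH implementation the thesis uses): a 512-bit keyed digest of one second of 8 kHz audio, the Hamming-distance BER, and constructed test audio to show the two cases a verifier must separate. Assumptions of the example: ten log band energies stand in for the ten LSFs per frame (the LPC-to-LSF step is omitted), the keyed PRF is HMAC-SHA256 over a round counter, "first eight DCT coefficients" is read as the u = 0 row of the 2-D DCT, w ranges over 32-96 frames, and the audio is a synthetic tone mixture rather than TIMIT speech. The matrix is stored here as features × frames, so the text's row blocks appear as column ranges.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
	"math/bits"
	"math/rand"
)

const (
	rate, frameLen, hop = 8000, 240, 40 // 8 kHz audio; 30 ms frames advanced 5 ms (25 ms overlap), as in RSH
	nBands, digestBits  = 10, 512       // ten features per frame; one 512-bit digest per second of audio
	threshold           = 0.384         // BER decision threshold from Section 6.3.2
)

// features builds the feature matrix L (nBands rows x nFrames columns) for one second of audio.
// Stand-in feature (assumption): log energy in ten 400 Hz bands from a 240-point DFT of each
// frame. RSH itself uses ten line spectral frequencies per frame.
func features(x []float64) [][]float64 {
	var sinT, cosT [frameLen]float64
	for i := range sinT { sinT[i], cosT[i] = math.Sincos(2 * math.Pi * float64(i) / frameLen) }
	nFrames := (len(x)-frameLen)/hop + 1
	L := make([][]float64, nBands)
	for b := range L { L[b] = make([]float64, nFrames) }
	for f := 0; f < nFrames; f++ {
		for k := 1; k <= 12*nBands; k++ { // DFT bins 1..120 span 33 Hz..4 kHz, 12 bins per band
			var re, im float64
			for n, v := range x[f*hop : f*hop+frameLen] {
				re, im = re+v*cosT[(k*n)%frameLen], im-v*sinT[(k*n)%frameLen]
			}
			L[(k-1)/12][f] += re*re + im*im
		}
		for b := range L { L[b][f] = math.Log(L[b][f] + 1e-9) }
	}
	return L
}

// dctRow returns the first eight 2-D DCT-II coefficients of the block L[:, start:start+w].
// Assumption: "first eight" is read as the u=0 row, i.e. rows summed and transformed along
// time (v = 0..7), which keeps the low-frequency, high-energy content the text describes.
func dctRow(L [][]float64, start, w int) (c [8]float64) {
	for t := 0; t < w; t++ {
		var col float64
		for b := range L { col += L[b][start+t] }
		for v := range c { c[v] += col * math.Cos(math.Pi*float64((2*t+1)*v)/float64(2*w)) }
	}
	return c
}

// Digest is the 512-bit keyed digest of one second of audio: 64 rounds, each taking (w, l1, l2)
// from the keyed PRF (HMAC-SHA256 of the round counter, an assumption), compressing blocks B1 and
// B2 to eight DCT coefficients each, and emitting one bit per coefficient comparison.
func Digest(key []byte, x []float64) []byte {
	L, out := features(x), make([]byte, digestBits/8)
	for i := range out {
		prf := hmac.New(sha256.New, key)
		binary.Write(prf, binary.BigEndian, uint32(i))
		r := prf.Sum(nil)
		w := 32 + int(binary.BigEndian.Uint16(r[0:2]))%65 // 32..96 frames, i.e. 160..480 ms of audio
		l1, l2 := int(binary.BigEndian.Uint16(r[2:4]))%(len(L[0])-w+1), int(binary.BigEndian.Uint16(r[4:6]))%(len(L[0])-w+1)
		c1, c2 := dctRow(L, l1, w), dctRow(L, l2, w)
		for k := 0; k < 8; k++ {
			if c1[k] > c2[k] { out[i] |= 1 << uint(7-k) } // bit set when B1's coefficient exceeds B2's
		}
	}
	return out
}

// BER is the Hamming distance between two digests as a fraction of their bits. The verifier
// accepts heard audio when BER(received digest, digest of heard audio) <= threshold.
func BER(a, b []byte) float64 {
	d := 0
	for i := range a { d += bits.OnesCount8(a[i] ^ b[i]) }
	return float64(d) / float64(8*len(a))
}

// synth produces one second of constructed test audio (not real speech): segments of random
// length (50-150 ms), each a mix of ten tones, one per analysis band, with random weights drawn
// from contentSeed, plus white noise at snrDB (use math.Inf(1) for a clean signal).
func synth(contentSeed, noiseSeed int64, snrDB float64) []float64 {
	rng, x, p := rand.New(rand.NewSource(contentSeed)), make([]float64, rate), 0.0
	for n := 0; n < rate; {
		var wt, ph [nBands]float64
		for b := range wt { wt[b], ph[b] = 0.2+0.8*rng.Float64(), 2*math.Pi*rng.Float64() }
		for end := n + 400 + rng.Intn(801); n < end && n < rate; n++ {
			for b := 0; b < nBands; b++ { // tone at the centre bin (12b+6) of band b
				x[n] += wt[b] * math.Sin(2*math.Pi*float64(12*b+6)/frameLen*float64(n)+ph[b])
			}
			p += x[n] * x[n]
		}
	}
	noise, sigma := rand.New(rand.NewSource(noiseSeed)), math.Sqrt(p/rate/math.Pow(10, snrDB/10))
	for i := range x { x[i] += sigma * noise.NormFloat64() }
	return x
}

func main() {
	key, a := []byte("per-call digest key from the handshake"), synth(1, 0, math.Inf(1)) // constructed
	fmt.Printf("30 dB noise:     BER=%.3f\n", BER(Digest(key, a), Digest(key, synth(1, 7, 30))))
	fmt.Printf("unrelated audio: BER=%.3f\n", BER(Digest(key, a), Digest(key, synth(2, 0, math.Inf(1)))))
}
```

Run as is, the program prints a BER well under the 0.384 threshold for the same audio with 30 dB of added white noise, and a BER near 0.5 for unrelated audio under the same key, the two populations the threshold separates. Transcoding and frame loss are not modelled here, so the codec results of Figure 6-6 are not reproduced; what the example does show is why the verifier compares digests by Hamming distance with a threshold rather than for equality.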
Robustness. Robustness is one of the most critical aspects of our speech digests, and it is important to show that these digests will not significantly change after audio undergoes any of the normal processes that occur during a phone call. These include the effects of various audio encodings, synchronization errors in audio, and noise. To test robustness, we generate modified audio from the TIMIT corpus and compare the BER of digests of standard TIMIT audio to digests of degraded audio. We first downsample the TIMIT audio to a sample rate of 8 kHz, which is standard for most telephone systems. We used the sox [190] audio utility for downsampling and for adding delay to audio to model synchronization error. We also used sox to convert the audio to two common phone codecs, AMR-NB (Adaptive Multi-Rate Narrow Band) and GSM-FR (Groupe Special Mobile Full-Rate). We used GNU Parallel [228] to quickly compute these audio files. To model frame loss behavior, we use a Matlab simulation that implements a Gilbert-Elliot loss model [229]. Gilbert-Elliot models bursty losses using a two-state Markov model parameterized by the probabilities of individual and continued losses. We use the standard practice of setting the probability of an individual loss (p) and the probability of continuing the burst (1 − r) to the desired loss rate of 5% for our experiments. We also use Matlab's awgn function to add Gaussian white noise at a 30 decibel signal-to-noise ratio.

Figure 6-6 shows box plots representing the distribution of BERs for each type of degradation tested. All degradations show a fairly tight BER distribution near the median with a long tail. We see that of the effects tested, 10 ms delay has the least effect; this is a result of the fact that the digest windows the audio with a high overlap. For most digests, addition of white noise also has little effect; this is because LSF analysis discards all frequency information except for the most important frequencies. We see higher error rates caused by the use of audio codecs like GSM-FR and AMR-NB; these codecs significantly alter the frequency content of the audio. We can also see that a 5% loss rate has negligible effect on the audio digests. Finally, we see that combining transcoding, loss, delay, and noise has an additive effect on the resulting digest error; in other words, the more
Figure6-6.Theseboxplotsshowthedistributionofdigestsbiterrorratesasaresultof variousaudiodegradations.Theseerrorratesarewellbelowtheratesseenby adversarialaudio,showninFigure 6-7 degradationthattakesplace,thehigherthebiterror.TheseexperimentsshowthatRSH isrobusttocommonaudiomodications. Adversarialaudio. Whilerobustnessisessential,theultimategoalofthesedigestsisto detectmaliciouslytamperedorinjectedaudio,whichweterm"adversarialaudio."Such ananalysishasnotbeenpreviouslyperformed.TovalidatetheabilityofRSHtodetect adversarialaudiowecomputetheBERofdigestsofeverypairofsecondsofTIMITaudio discussedintheprevioussection.Thisdatasetincludes252,821,341pairsofsingleseconds ofaudio.Forthistest,weusethesamekeyforeveryhash;thismodelsthesituation whereanadversarycancausethetargettoreceiveaudioofitschoicebutnotmodifythe associateddigest. WendthatthemeanBERbetweentwodistinctaudiopairsis0.478.Ahistogram andkerneldensityestimateofthesevaluesisalsoshowninFigure 6-7 .Thisplotshows thatthebiterrorisnormallydistributedwithameanandmedianof0.478and0.480 (respectively).Theexpectedbiterrorfortworandombitstringsis50%,andthe meanseenforRSHbiterrorisclosetotheoptimal,bestpossibledistancebetween twoadversarialdigests. 144


Figure 6-7. This graph shows the histogram and kernel density estimate of digests of adversarial audio on over 250 million pairs of 1-second speech samples. While the majority of legitimately modified audio has digest errors less than 35%, adversarial audio has digest BERs averaging 47.8%.

Because the TIMIT corpus contains speakers speaking several identical sentences, we can investigate the resilience of the digest to more specific adversarial scenarios in two important ways. First, we can look at whether using different speech from the same speaker can create a false positive. If so, this would be a serious problem because an adversary could use recorded words from the target speaker undetected. Second, we can determine if a different speaker uttering the same words causes false positives. This test indicates to what extent the digest is protecting content instead of speaker characteristics. We found that digests from the same speaker speaking different content are accepted at practically the same rate as audio that differs in speaker and content. At a BER detection threshold of 0.384 (derived and discussed in the following subsection), the detection rate for different content spoken by the same speaker is 0.901482, while the detection rate for different content spoken by a different speaker is 0.901215. However, identical phrases spoken by different speakers result in a much higher rate of collision and a detection rate of 0.680353. This lower detection rate is not a problem for AuthentiCall because it is still high enough to detect modified call audio with high probability. More importantly, it indicates that RSH is highly sensitive to changes in call content.

Figure 6-8. The digest performance ROC graph shows that digests can easily distinguish between legitimate and substituted audio, even in the presence of transcoding, loss, delay, and noise. These results are computed over digests of a single second. The graph is scaled to show the extreme upper corner.

Threshold selection and performance. Distinguishing legitimate and illegitimate audio requires choosing a BER threshold to detect tampered audio. Because the extreme values of these populations overlap, a tradeoff between detection and false positives must be made. The tradeoff is best depicted in a ROC curve in Figure 6-8. This figure shows the true positive/false positive tradeoff measured on the adversarial audio and two legitimate modifications: GSM encoding, and a combination of GSM, AMR-NB, 5% frame loss, 10 ms delay, and 30 dB of white noise. This combination represents an approximate "worst case" of legitimate audio. Figure 6-8 shows excellent performance in terms of distinguishing audio. For GSM-only audio, we see an area-under-curve of 0.998, and for the "worst case" audio, we see an area-under-curve of 0.992. However, because digests will be used at a high rate (one per second), even with a very small false positive rate, alerting users for every individual detection will likely result in warning fatigue. As a result, the most important metric for evaluating a threshold is minimizing the users' likelihood of a false positive. This problem suggests trading off sensitivity to short changes in call content for a lower false positive rate. To reduce overhead and network load, AuthentiCall sends digests in groups of five. To provide high detection rates while limiting false positives, AuthentiCall alerts the user if any 3 out of 5 digests are greater than the BER threshold. We model true and false performance of this scheme as a set of five Bernoulli trials: successful authentication for true positives and successful digest collision for false positives. Thus, we can compute 3-out-of-5 performance using the binomial distribution.

After this analysis, we selected an individual-digest BER threshold of 0.384. This corresponds to an individual adversary audio true positive detection rate of 0.90, while presenting a 0.0058 false positive rate against our "worst-case" audio and a 0.00089 false positive rate against clean GSM-FR encoded audio. Using our "three-out-of-five" alerting scheme, the probability of detecting 3 or more seconds of tampered audio is 0.992. The false positive rate is drastically reduced: the false positive rate is 1.96 × 10^-6, and for clean GSM-FR audio the false positive rate is 7.02 × 10^-9. This corresponds to a false alert on average every 425.1 hours of talk time for worst case audio, and for GSM-FR audio one false positive every 118,766 hours. For reference, the average British mobile phone user only places 176 minutes per month of outbound calls [230]; assuming inbound and outbound talk time are roughly equal, the average user only places 70.4 hours of calls per year. This means that the average AuthentiCall user would only see a false alert once every six years.

Limitations. No security solution is perfect, and our use of audio digests has some limitations. The chief limitation is that audio digests cannot detect altered audio less than one second in length. This limitation is simply a result of the constraints of doing low-bitrate authentication of mutable and analog data.
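The digest comparison and the 3-out-of-5 alerting rule described above, as an added example (Python; not AuthentiCall's own code). The binomial computation reproduces the per-group rates quoted in the text from the per-digest rates; the 16-byte digests and the group contents are constructed stand-ins for RSH output.

```python
"""AuthentiCall-style digest comparison and 3-out-of-5 alerting.

Added example, not the AuthentiCall implementation. It models the scheme in
the text: each one-second digest is compared by bit error rate (BER) against
a threshold, digests travel in groups of five, and the user is alerted only
if at least 3 of the 5 exceed the threshold. The per-group detection and
false positive probabilities follow from the binomial distribution.
"""
from math import comb

BER_THRESHOLD = 0.384  # individual-digest threshold chosen in the text
GROUP_SIZE = 5
ALERT_MIN = 3


def bit_error_rate(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length digests."""
    if len(a) != len(b):
        raise ValueError("digests must have equal length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def digest_mismatches(received: list, local: list,
                      threshold: float = BER_THRESHOLD) -> int:
    """Count digests in one group whose BER exceeds the threshold."""
    return sum(1 for r, l in zip(received, local)
               if bit_error_rate(r, l) > threshold)


def should_alert(received: list, local: list,
                 threshold: float = BER_THRESHOLD) -> bool:
    """The 3-out-of-5 rule: alert only if at least ALERT_MIN digests mismatch."""
    if len(received) != GROUP_SIZE or len(local) != GROUP_SIZE:
        raise ValueError("a digest group holds exactly %d digests" % GROUP_SIZE)
    return digest_mismatches(received, local, threshold) >= ALERT_MIN


def prob_at_least(k: int, n: int, p: float) -> float:
    """P[X >= k] for X ~ Binomial(n, p): the chance that k or more of n
    independent Bernoulli trials (digest mismatches) succeed."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i)
               for i in range(k, n + 1))


def group_rates(individual_tpr: float, individual_fpr: float) -> dict:
    """Per-group detection and false-alert probabilities for the 3-of-5 rule."""
    return {
        "detect_3_of_5": prob_at_least(ALERT_MIN, GROUP_SIZE, individual_tpr),
        "false_alert_3_of_5": prob_at_least(ALERT_MIN, GROUP_SIZE, individual_fpr),
    }


if __name__ == "__main__":
    # Per-digest rates reported in the text for the 0.384 threshold.
    print(group_rates(0.901482, 0.0058))    # worst-case legitimate audio
    print(group_rates(0.901482, 0.00089))   # clean GSM-FR audio

    # Constructed 16-byte digests (stand-ins for RSH output, same key both sides).
    local = [bytes([i] * 16) for i in range(5)]
    legit = list(local)
    legit[2] = bytes([0x02 ^ 0x01] * 16)   # one bit per byte flipped: BER 1/8
    tampered = [bytes([0xFF - i] * 16) for i in range(5)]  # every bit inverted
    print("legitimate group alerts:", should_alert(legit, local))
    print("tampered group alerts  :", should_alert(tampered, local))
```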


While the digests are not perfect, we argue that they are secure against most adversaries. We note that audio digests have two purposes: 1) to provide a guarantee that the voice call established was the one that was negotiated in the handshake and 2) that the voice content has not significantly changed during the call. These two goals deal with adversaries of different capabilities. In particular, intercepting and modifying call audio requires far more advanced access and capability than simply spoofing a caller ID during a handshake already occurring. Audio digests will detect the first scenario within five seconds of audio, and they will also quickly detect changes that affect any three seconds in five for the second scenario.

In limited circumstances, it may be possible for a man-in-the-middle adversary to make small modifications to the received audio. For the second attack to be successful in the presence of these digests, a number of conditions must hold: First, the adversary can change no more than two seconds out of every five seconds of audio. Second, the adversary must change the audio in a way that would sound natural to the victim. This would mean that the changed audio would have to conform to both the current sentence pattern as well as the speaker's voice. While voice modification algorithms exist, modifying an existing sentence in an ongoing conversation is likely beyond the abilities of current natural-language processing. Finally, in addition to the substantial difficulty of these limits, the adversary must also do all of this in soft-real-time.

Nevertheless, a user is still not defenseless against such an attack. While we believe such attempts would likely be noticeable and suspicious to the human ear, users could also receive prompts from AuthentiCall when individual digests fail. These prompts could recommend that the user ask the opposing speaker to elaborate their prior point or to confirm other details to force the adversary to respond with enough tampered audio that the attack could be detected.


6.4 System Implementation

The previous sections described the protocol design and characterized our speech digests. In this section, we describe our AuthentiCall client and server implementation, and in the following section evaluate its performance.

Server. Our server was implemented in Java, using Twilio's Call API to call clients during the registration phase to share the audio nonce that confirms control of a phone number. Google Cloud Messaging (GCM) is used to generate a push notification to inform clients of incoming calls.

Client. Our prototype AuthentiCall client consists of an Android app, though we anticipate that in the future AuthentiCall will be available for all telephony platforms, including smartphones, VoIP phones, PBXs, and even landlines (with additional hardware similar in concept to legacy Caller ID devices).

A TLS connection is used to establish a secure channel between client and server. We implement the AuthentiCall protocol in Java using the Spongy Castle library [231]. The audio digests were implemented in Matlab, compiled to C, and linked into the app as native code. In our implementation, digest protocol messages contain five seconds of audio digests.

We use RSA-4096 as our public key algorithm and SHA-3 for the underlying hash function for HMACs. To reduce handshake time, we use a standard set of NIST Diffie-Hellman parameters hardcoded into the client. These are the NIST 2048-bit MODP group with a 256-bit prime order subgroup from RFC 5114 [232]. We also use the HMAC-based key derivation algorithm used by TLS 1.2 described in RFC 5869 [233]. Upon registration, the server issues the client an X.509 certificate. This consists of a user's claimed identity, phone number, validity, public key and signature of the CA.

Audio nonces. As described in Section 6.2, the AuthentiCall enrollment protocol sends a nonce through the voice channel to ensure that a client can receive a voice call. We use a 128-bit random nonce. In our implementation, the nonce is encoded as touch-tones (DTMF, see footnote 5). DTMF tones were used because they are faithfully transmitted through every telephone system and were simple to send and detect. There are 16 possible touch-tone digits (see footnote 6), so each tone can represent an encoded hexadecimal digit. These tones are transmitted for 200 ms each with a 100 ms pause between tones. This provides a bit rate of 13.3 bits per second for a nonce transmission time of 9.6 seconds. This transmission time comprises the bulk of the time spent in the enrollment protocol.

Footnote 5: Dual-Tone Multi-Frequency tones are the sounds made by dialing digits on a touch-tone phone.

Footnote 6: Four DTMF tones are not available on consumer phones but provide additional functionality in some special phone systems.

6.5 Results

Our AuthentiCall implementation allows us to test its performance in enrollment, call handshakes, and detecting modified call audio in real phone calls.

6.5.1 Experiment Setup

Before describing individual experiments, we describe our experiment testbed. The AuthentiCall server was placed on an Amazon Web Services (AWS) server located in Northern Virginia. We used the same network provider, AT&T, and the same cellular devices, Samsung Galaxy Note II N7100s, across all experiments. The enrollment and handshake experiments were carried out 20 times over both WiFi and 3G, and digest exchange tests were done 10 times using WiFi. Digest exchange was done over WiFi as this experiment was used to validate content protection, not delivery speed. In all experiments, calls used a 3G voice channel.

6.5.2 Enrollment Protocol

Our first experiments measure the user enrollment time. We measure the time from the instant a user begins enrollment to when the user receives the last protocol message, including all protocol messages and the audio nonce. For clients, enrollment is a one-time process that is done before the first call can be placed, analogous to activating a credit card. Figure 6-9 shows the average time of enrollment (and standard error) using 3G and WiFi to exchange protocol messages. The main contributor to the enrollment time comes from the transmission of the audio nonce which is used to establish ownership. Though the enrollment times over 3G and WiFi are 25 and 22 seconds respectively, this protocol requires no user interaction.

Figure 6-9. Enrollment takes less than 30 seconds and is a one time process that may be done in the background.

6.5.3 Handshake Protocol

We next measure the time to complete an entire handshake, including data messages and voice call setup. We note that voice call setup time is substantial, and requires many seconds even without AuthentiCall. We believe the most important performance metric is additional latency experienced by the end user. As shown in Figure 6-10, AuthentiCall only adds 1.07 seconds for WiFi or 1.41 seconds on 3G data to the total call establishment time (error bars indicate standard error). We believe that this will be unnoticeable to the user for several reasons. First, call establishment time varies significantly. This is normal network behavior, not an artifact introduced by AuthentiCall. In our 3G experiments our additional handshake time is approximately equal to the standard error in voice call establishment. We also note that our test phones were in the same location connected to the same tower, so the voice call setup time is likely lower than a typical call. In fact, our measured times are very close to the published estimates of 6.5 seconds for call setup by the tower between both phones [234]. Finally, we note that this is substantially faster than Authloop [222], which takes nine seconds to perform authentication after call delivery.

Figure 6-10. AuthentiCall adds 1 to 1.41 seconds to the phone call establishment, making the overhead effectively unnoticeable to users.

6.5.4 Speech Digest Performance

Our final experiments evaluate our speech digest accuracy over real call audio. In these 10 calls, we play 10 sentences from 10 randomly selected speakers in the TIMIT corpus through the call, and our AuthentiCall implementation computed the sent and received digests. In total this represented 360 seconds of audio. For simplicity, a caller sends audio and digests, and a callee receives the audio and compares the received and locally computed digests. We also compared these 10 legitimate call digests with an "adversary call" containing different audio from the hashes sent by the legitimate caller. To compare our live call performance to simulated audio from Section 6.3, we first discuss our individual-hash accuracy.
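The DTMF encoding of the 128-bit enrollment nonce described under Audio nonces in Section 6.4, as an added example (Python; not AuthentiCall's own code). The text gives only the 16-symbol alphabet, the 200 ms tone and 100 ms pause, and the resulting 13.3 bit/s and 9.6 s; the particular hex-digit-to-key assignment is an assumption, while the row/column frequencies are the standard DTMF ones.

```python
"""Encoding the 128-bit enrollment nonce as DTMF touch-tones.

Added example, not AuthentiCall's own code. The text states only that each of
the 16 DTMF symbols carries one hexadecimal digit, that tones last 200 ms with
a 100 ms pause, and that a 128-bit nonce therefore takes 9.6 s at 13.3 bit/s.
The hex-digit-to-key assignment below is an assumption; the DTMF row/column
frequencies are the standard ones.
"""
import secrets

TONE_MS = 200
PAUSE_MS = 100
NONCE_BITS = 128

# Standard DTMF keypad frequencies: rows (low tone) x columns (high tone).
ROW_HZ = (697, 770, 852, 941)
COL_HZ = (1209, 1336, 1477, 1633)
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))

# Assumed mapping: hex digit -> DTMF key. 0-9 map to themselves, A-D to the
# fourth-column keys (the ones footnote 6 says consumer phones lack), and
# E and F to "*" and "#".
HEX_TO_KEY = {**{d: d for d in "0123456789"}, "A": "A", "B": "B",
              "C": "C", "D": "D", "E": "*", "F": "#"}
KEY_TO_HEX = {k: h for h, k in HEX_TO_KEY.items()}


def key_frequencies(key: str) -> tuple:
    """(low Hz, high Hz) pair for one DTMF key."""
    for r, row in enumerate(KEYPAD):
        if key in row:
            return ROW_HZ[r], COL_HZ[row.index(key)]
    raise ValueError("not a DTMF key: %r" % key)


def encode_nonce(nonce: bytes) -> str:
    """Return the DTMF key sequence for a nonce (one key per hex digit)."""
    return "".join(HEX_TO_KEY[h] for h in nonce.hex().upper())


def decode_nonce(keys: str) -> bytes:
    """Inverse of encode_nonce; rejects keys outside the 16-symbol alphabet."""
    return bytes.fromhex("".join(KEY_TO_HEX[k] for k in keys))


def tone_schedule(keys: str) -> list:
    """Timing plan the sender follows: (key, low_hz, high_hz, start_ms, dur_ms).
    Each slot is TONE_MS of tone followed by PAUSE_MS of silence."""
    sched = []
    for i, k in enumerate(keys):
        low, high = key_frequencies(k)
        sched.append((k, low, high, i * (TONE_MS + PAUSE_MS), TONE_MS))
    return sched


def transmission_seconds(keys: str) -> float:
    """Total air time, counting the pause after every tone as the text does."""
    return len(keys) * (TONE_MS + PAUSE_MS) / 1000.0


def bits_per_second() -> float:
    """Four bits per (tone + pause) slot."""
    return 4 / ((TONE_MS + PAUSE_MS) / 1000.0)


if __name__ == "__main__":
    nonce = secrets.token_bytes(NONCE_BITS // 8)   # 128-bit random nonce
    keys = encode_nonce(nonce)
    assert decode_nonce(keys) == nonce             # round trip
    print("keys      :", keys)
    print("symbols   :", len(keys))
    print("seconds   :", transmission_seconds(keys))
    print("bit/s     :", round(bits_per_second(), 1))
    print("first slot:", tone_schedule(keys)[0])
```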


Figure 6-11 shows the cumulative distribution of BER for digests of legitimate audio calls and audio sent by an adversary. The dotted line represents our previously established BER threshold of 0.348.

First, in testing with adversarial audio, we see that 93.4% of the individual fraudulent digests were detected as fraudulent. Our simulation results saw an individual digest detection rate of 90%, so this means that our real calls see an even greater performance. Using our 3-out-of-5 standard for detection, we detected 96.7%. This test shows that AuthentiCall can effectively detect tampering in real calls. Next, for legitimate calls, 95.5% of the digests were properly marked as authentic audio. Using our 3-out-of-5 standard, we saw no five-second frames that were marked as tampered.

While our individual hash performance false positive rate of 4.5% was low, we were surprised that the performance differed from our earlier evaluation on simulated degradations. Upon further investigation, we learned that our audio was being transmitted using the AMR-NB codec set to the lowest possible quality setting (4.75 kbps); this configuration is typically only used when reception is exceptionally poor, and we anticipate this case will be rare in deployment. Nevertheless, there are several mechanisms that can correct for this. One option would be to digest audio after compression for transmission (our prototype uses the raw audio from the microphone); such a scheme would reduce false positives partially caused by known-good transformation of audio. Another option is to simply accept these individual false positives. Doing so would result in a false alert on average every 58 minutes, which is still acceptable as most phone calls last only 1.8 minutes [235].

Figure 6-11. This figure shows that 93.4% of individual digests of adversarial audio are correctly detected while 95.5% of individual digests of legitimate audio are detected as authentic. Using a 3-out-of-5 detection scheme, 96.7% of adversarial audio is detected.

6.6 Discussion

We now discuss additional issues related to AuthentiCall.

Applications and use cases. AuthentiCall provides a mechanism to mitigate many open security problems in telephony. The most obvious problems are attacks that rely on Caller ID fraud, like the perennial "IRS scams" in the United States. Another problem is that for sensitive transactions many institutions, including banks and utilities, have to use extensive and error-prone challenge questions to authenticate their users, and these challenges still fail to stop targeted social engineering attacks. AuthentiCall offers a strong method to authenticate users before and during a call, increasing security while reducing the time and effort required by customers and call center workers.

Yet another valuable use case is emergency services. These services have faced prank "swatting" calls that endanger the lives of first responders [236] as well as denial of service attacks that have made it impossible for legitimate callers to receive help [237]. AuthentiCall provides a mechanism that would allow essential services to prioritize authenticated calls in such a scenario while answering other calls opportunistically. While such a proposal would need to be reviewed by public policy experts and stakeholders, we provide a mitigation to a problem that has no clear solution.

Server deployment. AuthentiCall relies on a centralized server infrastructure to facilitate authenticated calls while minimizing abuse. AuthentiCall, including server infrastructure, could be provided by a carrier or an independent organization. While a centralized model is simplest to test our hypothesis that auxiliary data channels can be used to authenticate traditional voice calls, we intend to study decentralized and privacy-preserving architectures in future work.

Cellular network load. Systems that make use of the cellular network must be careful not to increase signaling load on the network in a harmful way [238]-[240]. We believe that AuthentiCall will not cause network harm because in modern networks (3G and 4G), data signaling is no longer as expensive as a voice call, and simultaneous voice and data usage is now commonplace.

Certificate management. Any system that relies on certificates must address certificate revocation and expiration. AuthentiCall's centralized model allows the server to deny use of any revoked certificate, drastically simplifying revocation compared to CRLs or protocols like OCSP. Similar to Let's Encrypt [241], AuthentiCall certificates can have short lifetimes because certificate renewal using our enrollment protocol is fast and requires no human interaction. As mentioned in Section 6.2, AuthentiCall could also make use of the proposed Telephony PKI [222]. In this scenario, certificate lifetime would be determined by the TPKI, and revocation managed by a certificate revocation list (CRL) published by the TPKI.

Why IP data. We chose IP data over other channels because it provides reliable and fast data transmission for most existing devices including smartphones, VoIP phones, and even landlines if provided with suitable hardware. As an example, SMS as a transmission carrier would be impractical. Bandwidth is low, and delivery is slow (on average 6.4 seconds [242]) and not guaranteed [6]. In particular, the average time to send one SMS message is 6.4 seconds [242], meaning that AuthentiCall using SMS would require a minimum of 38.4 seconds, effectively increasing call setup time by a factor of 5.

Why not biometrics. Robust speech digests are a superior solution for content integrity than voice biometrics for several reasons. First, voice authentication is simply not secure in adversarial settings [226]. Second, voice biometrics would assume that the call would only consist of a single party (e.g., speakerphones would not be supported). By contrast, audio digests are speaker independent and can be computed locally with no additional knowledge about the other party.

User interface. We have developed a complete working prototype of AuthentiCall for Android, including a preliminary simple user interface as shown in Figure 6-12. As this is one of the first interfaces to indicate secure Caller-ID, our prototype interface is intended to simply and clearly alert the user to the safety of the call. We note that indicating security in a user interface requires great care [149], [243], and we intend to formally study interface design for AuthentiCall in future work.

Figure 6-12 (panels (a) and (b)). Before the call is answered, AuthentiCall indicates if the call is authenticated or unauthenticated.


CHAPTER 7
SUMMARY AND CONCLUSIONS

The global telephone network revolutionized communications and remains a critical infrastructure for society. Phones are used to confirm some of our most sensitive transactions. From coordination between energy providers in the power grid to corroboration of high-value transfers with a financial institution, we rely on telephony to serve as a trustworthy communications path. Despite its continued importance as well as its continued technological evolution, this network does not provide the security guarantees that we require of a trusted critical infrastructure. One of these missing yet critical guarantees is authenticating users that use the network.

We began this thesis in Chapter 3 by showing how text messaging has become an important part of the security infrastructure. However, the SMS ecosystem has evolved significantly since its inception, and now includes a wide range of devices and participants external to traditional cellular providers. Public SMS gateways directly embody this change, and allow us to not only observe at scale how a range of providers are implementing security solutions via text messages, but also provide us evidence of how assumptions about SMS are being circumvented in the wild. Our measurements identify a range of popular services whose one-time messaging mechanisms should be improved, and additional entities who may be creating new opportunities for compromise by sending highly sensitive data (e.g., credit card numbers) via these channels. On the abuse side, we see the ease with which these gateways are being used to circumvent authentication mechanisms, and show that previously proposed mitigations to PVA fraud such as block banning are unlikely to be successful in practice. These measurements indicate that all providers relying on SMS as an out of band channel for authentication with strong ties to a user's identity should reevaluate their current solutions for this evolving space.

From text messaging, we moved to examine the fact that carriers cannot authenticate inbound calls in their networks. Cellular networks in developing nations rely on tariffs collected at regulated interconnects in order to subsidize the cost of their deployment and operation. These charges can result in significant expense to foreign callers and create incentive for such callers to find less expensive, albeit unlawful, means of terminating their calls. Simboxes enable such interconnect bypass fraud by tunneling traffic from a VoIP connection into a provider network without proper authorization. In Chapter 4 we develop the Ammit tool, which allows us to detect simboxes based on measurable differences between true GSM and tunneled VoIP audio. Ammit uses fast signal processing techniques to identify whether individual calls are likely made by a simbox and then to develop profiles of SIM cards. This approach allows a provider to deactivate the associated SIMs rapidly and virtually eliminates the economic incentive to conduct such fraud. In so doing, we demonstrate that the subsidized rates that allow much of the developing world to be connected can be protected against the impact of this fraud.

We then moved to the problem of authenticating end points. In spite of this trust placed in phone networks, authentication between two end points across the technologically diverse phone network was previously not possible. In Chapter 5, we present AuthLoop to address this challenge. We began by designing a modem and supporting link layer protocol for the reliable delivery of data over a voice channel. With the limitations of this channel understood, we then presented a security model and protocol to provide explicit authentication of an assertion of Caller ID, and discussed ways in which client credentials could be subsequently protected. Finally, we demonstrated that AuthLoop reduced execution time by over an order of magnitude on average when compared to the direct application of TLS 1.2 to this problem. In so doing, we have demonstrated that end-to-end authentication is indeed possible across modern telephony networks.

After AuthLoop, we examined how the AuthentiCall system could use auxiliary data channels to authenticate phone calls. AuthentiCall not only cryptographically authenticates both parties on the call, but also provides strong guarantees of the integrity of conversations made over traditional phone networks. We achieve these ends through the use of formally verified protocols that bind low-bitrate data channels to heterogeneous audio channels. Unlike previous efforts, we demonstrate that AuthentiCall can be used to provide strong authentication before calls are answered, allowing users to ignore calls claiming a particular Caller ID that are unable or unwilling to provide proof of that assertion. Moreover, we detect 99% of tampered call audio with negligible false positives and only a worst-case 1.4 second call establishment overhead. In so doing, we argue that strong and efficient end-to-end authentication for phone networks is approaching a practical reality.

In this dissertation, we have demonstrated the ways in which telephones are used for authentication and provided new techniques to reduce or eliminate fraudulent use of phone networks. We begin by demonstrating how text messages are being used for authenticating users, despite the fact that fraud is simple to conduct and difficult to prevent. We next turned to interconnect bypass fraud, where one telephone network misrepresents the source of an original call; we show that this is detectable using features inherent to simboxed audio. We then address authenticating callers end to end, first with the AuthLoop system, which uses in-band data exchange to cryptographically authenticate end points with the voice channel. We then develop the AuthentiCall system to provide cryptographic mutual authentication and call integrity guarantees. In total, these efforts pave a way forward for an improved telephone network that provides the security guarantees that users expect and require.


REFERENCES

[1] eMarketer and AP, Number of mobile phone users worldwide from 2013 to 2019 (in billions), https://www.statista.com/statistics/274774/forecast-of-mobile-phone-users-worldwide/, 2015.

[2] ITU, Number of fixed telephone lines worldwide from 2000 to 2016, https://www.statista.com/statistics/273014/number-of-fixed-telephone-lines-worldwide-since-2000/, 2016.

[3] TIA, VoIP residential and business telephone lines in the United States from 2010 to 2018 (in millions), https://www.statista.com/statistics/615387/voip-telephone-lines-in-the-us/, 2015.

[4] Communications Fraud Control Association (CFCA), 2013 Global Fraud Loss Survey, http://www.cvidya.com/media/62059/global-fraud loss survey2013.pdf, 2013.

[5] P. Lapsley, Exploding the Phone. Grove Press, Feb. 2014, p. 448.

[6] P. Traynor, P. McDaniel, and T. La Porta, Security for Telecommunications Networks, ser. Advances in Information Security Series 978-0-387-72441-6. Springer, Aug. 2008.

[7] P. Traynor, "Characterizing the Security Implications of Third-Party EAS Over Cellular Text Messaging Services," IEEE Transactions on Mobile Computing (TMC), vol. 11, no. 6, pp. 983-994, 2012.

[8] SMS Forum, Short Message Peer to Peer Protocol Specification 5.0, 2003.

[9] Twilio, http://www.twilio.com, 2015.

[10] Nexmo, https://www.nexmo.com/, 2015.

[11] Plivo, https://www.plivo.com/, 2015.

[12] Burner app, http://www.burnerapp.com, 2015.


[13] Pinger, http://www.pinger.com, 2015.

[14] Google Voice, http://www.google.com/voice, 2015.

[15] Apple Continuity, https://support.apple.com/en-us/HT204681, 2015.

[16] Pushbullet, http://pushbullet.com, 2015.

[17] MightyText, http://mightytext.net, 2015.

[18] B. Krebs, Banks: Credit Card Breach at Home Depot, http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/, Sep. 2014.

[19] U.S. Office of Personnel Management, Cybersecurity Incidents, https://www.opm.gov/cybersecurity/cybersecurity-incidents/, 2015.

[20] B. Krebs, Online Cheating Site Ashley Madison Hacked, http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/, Jul. 2015.

[21] B. Krebs, Experian Breach Affects 15 Million Consumers, http://krebsonsecurity.com/2015/10/experian-breach-affects-15-million-consumers/, Oct. 2015.

[22] V. Prevelakis and D. Spinellis, "The Athens Affair," IEEE Spectrum, Jun. 2007.

[23] A. Tims, "'SIM swap' gives fraudsters access-all-areas via your mobile phone," The Guardian, Sep. 2015.

[24] K. Campbell-Dollaghan, How Hackers Reportedly Side-Stepped Google's Two-Factor Authentication, http://gizmodo.com/how-hackers-reportedly-side-stepped-gmails-two-factor-a-1653631338, Nov. 2014.

[25] H. Lichstein, "Telephone Hackers Active," The Tech, Nov. 1963. [Online]. Available: http://tech.mit.edu/V83/PDF/V83-N24.pdf


[26] T. Engel, Tracking Mobile Phones, Berlin, 2008. [Online]. Available: http://berlin.ccc.de/ tobias/25c3-locating-mobile-phones.pdf

[27] K. Nohl, SS7 Attack Update and Phone Phreaking, 2016. [Online]. Available: https://www.youtube.com/watch?v=BbPLscWQ1Bw

[28] A. Ramirez, Theft through cellular 'clone' calls, http://www.nytimes.com/1992/04/07/business/theft-through-cellular-clone-calls.html, Apr. 1992.

[29] C.-H. Lee, M.-S. Hwang, and W.-P. Yang, "Enhanced privacy and authentication for the global system for mobile communications," Wireless Networks, vol. 5, no. 4, pp. 231-243, 1999.

[30] Y. J. Choi and S. J. Kim, "An improvement on privacy and authentication in GSM," in Proceedings of Workshop on Information Security Applications (WISA), 2004.

[31] E. Barkan, E. Biham, and N. Keller, "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication," Journal of Cryptology, vol. 21, no. 3, pp. 392-429, 2008.

[32] M. Toorani and A. Beheshti, "Solutions to the GSM security weaknesses," in Proceedings of the Second International Conference on Next Generation Mobile Applications, Services, and Technologies (NGMAST), 2008, pp. 576-581.

[33] 3rd Generation Partnership Project, "A Guide to 3rd Generation Security," Tech. Rep. TS 33.900, 2000.

[34] 3rd Generation Partnership Project, "3G Security Principles and Objectives," Tech. Rep. TS 33.120, 2001.

[35] 3rd Generation Partnership Project, "IP Multimedia Subsystem (IMS)," no. TS 23.228, 2012.

[36] 3rd Generation Partnership Project, "Full rate speech; Transcoding," Tech. Rep. TS 46.010.

[37] U. Meyer and S. Wetzel, "A man-in-the-middle attack on UMTS," Proceedings of the 2004 ACM Workshop on Wireless Security, p. 90, 2004.


[38] G. Kambourakis, C. Kolias, S. Gritzalis, and J. H. Park, "DoS Attacks Exploiting Signaling in UMTS and IMS," Comput. Commun., vol. 34, no. 3, Mar. 2011.

[39] M. Arapinis, L. Mancini, E. Ritter, M. Ryan, N. Golde, K. Redon, and R. Borgaonkar, "New privacy issues in mobile telephony: Fix and verification," in Proceedings of the 2012 ACM Conference on Computer and Communications Security, New York, NY, USA, 2012, pp. 205-216.

[40] H. Kim, D. Kim, M. Kwon, H. Han, Y. Jang, D. Han, T. Kim, and Y. Kim, "Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations," pp. 328-339, 2015.

[41] C.-Y. Li, G.-H. Tu, C. Peng, Z. Yuan, Y. Li, S. Lu, and X. Wang, "Insecurity of Voice Solution VoLTE in LTE Mobile Networks," in Proceedings of the 22nd ACM Conference on Computer and Communications Security, ACM, 2015.

[42] G.-H. Tu, C.-Y. Li, C. Peng, Y. Li, and S. Lu, "New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks," in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA: ACM, 2016, pp. 1118-1130.

[43] A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and J.-P. Seifert, "Practical attacks against privacy and availability in 4G/LTE mobile communication systems," in Proceedings of the 2016 Network and Distributed Systems Security Symposium (NDSS), 2016.

[44] M. Huffman, Survey: 11% of adults lost money to a phone scam last year, https://www.consumeraffairs.com/news/survey-11-of-adults-lost-money-to-a-phone-scam-last-year-012616.html, 2016.

[45] K. Thomas, D. Huang, D. Wang, E. Bursztein, C. Grier, T. J. Holt, C. Kruegel, D. McCoy, S. Savage, and G. Vigna, "Framing Dependencies Introduced by Underground Commoditization," in Proceedings of the 14th Annual Workshop on the Economics of Information Security, 2015.

[46] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage, "Spamalytics: An empirical analysis of spam marketing conversion," in Proceedings of the 15th ACM Conference on Computer and Communications Security, ACM, 2008, pp. 3-14.


[47] C. Kanich, N. Weaver, D. McCoy, T. Halvorson, C. Kreibich, K. Levchenko, V. Paxson, G. M. Voelker, and S. Savage, "Show Me the Money: Characterizing Spam-advertised Revenue," in USENIX Security Symposium, 2011, pp. 15-15.

[48] K. Thomas, D. McCoy, C. Grier, A. Kolcz, and V. Paxson, "Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse," in USENIX Security, 2013, pp. 195-210.

[49] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna, "Your Botnet is My Botnet: Analysis of a Botnet Takeover," in Proceedings of the 16th ACM Conference on Computer and Communications Security, ser. CCS '09, New York, NY, USA: ACM, 2009, pp. 635-647.

[50] C. Y. Cho, J. Caballero, C. Grier, V. Paxson, and D. Song, "Insights from the inside: A view of botnet management from infiltration," in USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2010.

[51] C. Grier, L. Ballard, J. Caballero, N. Chachra, C. J. Dietrich, K. Levchenko, P. Mavrommatis, D. McCoy, A. Nappa, A. Pitsillidis, N. Provos, M. Z. Rafique, M. A. Rajab, C. Rossow, K. Thomas, V. Paxson, S. Savage, and G. M. Voelker, "Manufacturing Compromise: The Emergence of Exploit-as-a-service," in Proceedings of the 2012 ACM Conference on Computer and Communications Security, ser. CCS '12, New York, NY, USA: ACM, 2012, pp. 821-832.

[52] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, "A Survey of Mobile Malware in the Wild," in ACM Workshop on Security and Privacy in Mobile Devices, Chicago, Illinois, USA, Oct. 2011.

[53] Y. Zhou and X. Jiang, "Dissecting Android Malware: Characterization and Evolution," in 2012 IEEE Symposium on Security and Privacy (SP), May 2012, pp. 95-109.

[54] C. Lever, M. Antonakakis, B. Reaves, P. Traynor, and W. Lee, "The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers," in Proceedings of the 20th Network and Distributed System Security Symposium, San Diego, CA, Feb. 2013.


[55] I. Murynets and R. Piqueras Jover, "Crime Scene Investigation: SMS Spam Data Analysis," in Proceedings of the 2012 ACM Conference on Internet Measurement Conference, ser. IMC '12, New York, NY, USA: ACM, 2012, pp. 441-452.

[56] H. Tan, N. Goharian, and M. Sherr, "$100,000 Prize Jackpot. Call Now!: Identifying the Pertinent Features of SMS Spam," in Proceedings of the 35th International ACM SIGIR Conference on Research and Development in Information Retrieval, New York, NY, USA: ACM, 2012, pp. 1175-1176.

[57] N. Jiang, Y. Jin, A. Skudlark, and Z.-L. Zhang, "Greystar: Fast and Accurate Detection of SMS Spam Numbers in Large Cellular Networks using Grey Phone Space," in Proceedings of the 22nd USENIX Security Symposium, Washington DC, USA: USENIX Association, 2013.

[58] A. Narayan and P. Saxena, "The Curse of 140 Characters: Evaluating the Efficacy of SMS Spam Detection on Android," in Proceedings of the Third ACM Workshop on Security and Privacy in Smartphones & Mobile Devices, ser. SPSM '13, New York, NY, USA: ACM, 2013, pp. 33-42.

[59] J. Atwood, Make Your Email Hacker Proof, http://blog.codinghorror.com/make-your-email-hacker-proof/, Apr. 2012.

[60] B. Schneier, "Two-factor Authentication: Too Little, Too Late," Commun. ACM, vol. 48, no. 4, Apr. 2005.

[61] B. Reaves, N. Scaife, A. Bates, P. Traynor, and K. Butler, "Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World," in Proceedings of the USENIX Security Symposium (SECURITY), 2015.

[62] RSA SecurID Hardware Tokens, http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm, 2015.

[63] IdentityGuard Identity Authentication Platform, https://www.entrust.com/products/entrust-identityguard/, 2015.

[64] J. Leyden, Visa trials PIN payment card to fight online fraud, http://www.theregister.co.uk/2008/11/10/visa one time code card/, 2008.

PAGE 167

[65] SiPixImagining,Inc., World'sFirstISOCompliantPaymentDisplayCardusing SiPixandSmartDisplayer'sFlexibleDisplayPanel http://www.businesswire.com/ portal/site/google/index.jsp?ndmViewId=news view&newsId=20060510006193& newsLang=en ,2006. [66] A.-B.Stensgaard, Biometricbreakthrough-creditcardssecuredwithngerprint recognitionmadefeasible http://www.ameinfo.com/58236.html ,2006. [67] CardTechnology, UAEIDCardToSupportIrisBiometrics http://www. cardtechnology.com/article.html?id=20070423V0XCZ91L ,2007. [68] F.Aloul,S.Zahidi,andW.El-Hajj,"Twofactorauthenticationusingmobile phones,"in IEEE/ACSInternationalConferenceonComputerSystemsand Applications,2009.AICCSA2009 ,May2009,pp.641644. [69] D.DeFigueiredo,"TheCaseforMobileTwo-FactorAuthentication," IEEESecurity Privacy ,vol.9,no.5,pp.8185,Sep.2011. [70] MobileAuthentication ,https://www.duosecurity.com/product/methods/duo-mobile, 2015. [71] M.Adham,A.Azodi,Y.Desmedt,andI.Karaolis,"HowtoAttackTwo-Factor AuthenticationInternetBanking,"in FinancialCryptographyandDataSecurity ser.LectureNotesinComputerScience7859,SpringerBerlinHeidelberg,Apr. 2013,pp.322328. [72] R.K.Konoth,V.vanderVeen,andH.Bos,"HowAnywhereComputingJust KilledYourPhone-BasedTwo-FactorAuthentication,"in Proceedingsofthe20th InternationalConferenceonFinancialCryptographyandDataSecurity ,2016. [73] C.Castillo, SpitmovsZitmo:BankingTrojansTargetAndroid http://blogs.mcafee. com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android ,Sep.2011. [74] L.Koot,"SecurityofmobileTANonsmartphones,"Master'sThesis,Radboud UniversityNijmegen,Nijmegen,Feb.2012. 167

PAGE 168

[75] C.Mulliner,R.Borgaonkar,P.Stewin,andJ.-P.Seifert,"SMS-basedone-time passwords:Attacksanddefense,"in DetectionofIntrusionsandMalware,and VulnerabilityAssessment ,Springer,2013,pp.150159. [76] R.E.Koenig,P.Locher,andR.Haenni,"AttackingtheVericationCode MechanismintheNorwegianInternetVotingSystem,"in E-VotingandIdentity ,ser.LectureNotesinComputerScience,J.Heather,S.Schneider,andV. Teague,Eds.,SpringerBerlinHeidelberg,Jul.2013,pp.7692. [77] A.Dmitrienko,C.Liebchen,C.Rossow,andA.-R.Sadeghi,"Onthe(In)Securityof MobileTwo-FactorAuthentication,"in FinancialCryptographyandDataSecurity (FC14) ,Springer,Mar.2014. [78] J.-E.L.Eide,"SMSOne-TimePasswords:SecurityinTwo-FactorAuthenication," Master'sThesis,UniversityofBergen,May2015. [79] A.Biryukov,A.Shamir,andD.Wagner,"RealTimeCryptanalysisofA5/1 onaPC,"in Proceedingsofthe7thInternationalWorkshoponFastSoftware Encryption ,ser.FSE'00,London,UK,UK:Springer-Verlag,2001,pp.118. [80] O.Dunkelman,N.Keller,andA.Shamir,"APractical-timeRelated-keyAttack ontheKASUMICryptosystemUsedinGSMand3gTelephony,"in Proceedingsof the30thAnnualConferenceonAdvancesinCryptology ,ser.CRYPTO'10,Berlin, Heidelberg:Springer-Verlag,2010,pp.393410. [81] Z.Ahmadian,S.Salimi,andA.Salahi,"NewattacksonUMTSnetworkaccess,"in WirelessTelecommunicationsSymposium,2009.WTS2009 ,Apr.2009,pp.16. [82] N.Golde,K.Redon,andR.Borgaonkar,"WeaponizingFemtocells:TheE!ectof RogueDevicesonMobileTelecommunications.,"in NDSS ,2012. [83] A.Dabrowski,N.Pianta,T.Klepp,M.Mulazzani,andE.Weippl,"IMSI-catch meifyoucan,"in Proceedingsofthe30thAnnualComputerSecurityApplications Conference ,2014. [84] P.Traynor,W.Enck,P.McDaniel,andT.LaPorta,"ExploitingOpenFunctionality inSMS-CapableCellularNetworks," JournalofComputerSecurity(JCS) ,vol.16, no.6,pp.713742,2008. 168

PAGE 169

[85] P.Traynor,P.McDaniel,andT.LaPorta,"OnAttackCausalityinInternet ConnectedCellularNetworks,"in ProceedingsoftheUSENIXSecuritySymposium (SECURITY) ,2007. [86] K.Thomas,D.Iatskiv,E.Bursztein,T.Pietraszek,C.Grier,andD.McCoy, "DialingBackAbuseonPhoneVeriedAccounts,"in Proceedingsofthe2014ACM SIGSACConferenceonComputerandCommunicationsSecurity ,NewYork,NY, USA:ACM,2014,pp.465476. [87] P.BurgeandJ.Shawe-Taylor,"Anunsupervisedneuralnetworkapproachto prolingthebehaviorofmobilephoneusersforuseinfrauddetection," Journalof ParallelandDistributedComputing ,vol.61,no.7,pp.915925,Jul.2001. [88] K.C.Cox,S.G.Eick,G.J.Wills,andR.J.Brachman,"Visualdatamining: Recognizingtelephonecallingfraud,"en, DataMiningandKnowledgeDiscovery vol.1,no.2,pp.225231,Jun.1997. [89] C.S.HilasandP.A.Mastorocostas,"Anapplicationofsupervisedandunsupervised learningapproachestotelecommunicationsfrauddetection," Knowledge-BasedSystems ,vol.21,no.7,pp.721726,Oct.2008. [90] S.Qayyum,S.Mansoor,A.Khalid,K.Khushbakht,Z.Halim,andA.Baig, "Fraudulentcalldetectionformobilenetworks,"in 2010InternationalConference onInformationandEmergingTechnologies(ICIET) ,2010,pp.15. [91] A.H.Elmi,S.Ibrahim,andR.Sallehuddin,"DetectingSIMboxfraudusingneural network,"en,in ITConvergenceandSecurity2012 ,ser.LectureNotesinElectrical Engineering215,K.J.KimandK.-Y.Chung,Eds.,SpringerNetherlands,Jan. 2013,pp.575582. [92] I.Murynets,M.Zabarankin,R.Jover,andA.Panagia,"Analysisanddetectionof SIMboxfraudinmobilitynetworks,"in 2014ProceedingsIEEEINFOCOM ,Apr. 2014,pp.15191526. [93] Mobiusfraudmangement http://www.mobiusws.com/solutions/fraudmanagement/ ,2014. [94] ROCfraudmanagement http://www.subex.com/pdf/bypass-fraud.pdf ,2014. 169

PAGE 170

[95] AraxxeSIMboxdetection http://www.araxxe.com/SIM-box-detection.html ,2014. [96] MeuccisolutionsSIMboxdetection http://www.meucci-solutions.com/solutions/ fraud-and-revenue/sim-box-detection/ ,2014. [97] MoceanSIMboxdetector http://www.mocean.com.my/SIM box detector solution. php ,2014. [98] RoamwareSIMboxdetector http://www.roamware.com/predictive intelligence sim box detector.php ,2014. [99] Telenorsimboxdetection http://www.telenorglobal.com/wp-content/uploads/sites/ 4/2013/09/Global-SIM-Box-Detection1.pdf ,2014. [100] Agilisinternationalsimboxdetection http://www.agilisinternational.com/solutions/ customer-analytics/risk-and-fraud-management/ ,2014. [101] CxBsolutionsSIMboxdetection http://www.cxbsolutions.com/html/sim box detection.html ,2014. [102] FraudBusterSIMBuster http://www.fraudbuster.mobi/new-simbuster-andtra cchecker-deployment-in-africa/ ,2014. [103] XINTECSIMboxdetector http://www.xintec.com/fraud-management/sim-boxdetector/ ,2014. [104] R.Bresciani,"TheZRTPProtocolAnalysisontheDi"e-HellmanMode,"Trinity CollegeDublinComputerScienceDepartment,Tech.Rep.TCD-CS-2009-13,2009. [105] P.R.Zimmermann, TheZfoneProject http://zfoneproject.com/ ,2016. [106] R.Bresciani,S.Superiore,S.Anna,andI.Pisa,"TheZRTPProtocolSecurity Considerations,"LaboratoireSpecicationetVerication,ENSCachan,Tech.Rep. LSV-07-20,2007. [107] PGPfone-PrettyGoodPrivacyPhone http://www.pgpi.org/products/pgpfone/ 2015. 170

PAGE 171

[108] GSMKCryptoPhone http://www.cryptophone.de/en/ ,2015. [109] Signal https://itunes.apple.com/us/app/signal-private-messenger/id874139669? mt=8 ,2015. [110] RedPhone https://play.google.com/store/apps/details?id=com.littlebytesofpi. linphonesip [111] P.Zimmermann,A.Johnston,andJ.Callas,"ZRTP:MediaPathKeyAgreement forUnicastSecureRTP,"IETF,RFC6189,2011. [112] SilentCircle https://www.silentcircle.com/ ,2015. [113] I.DacostaandP.Traynor,"Proxychain:DevelopingaRobustandE"cient AuthenticationInfrastructureforCarrier-ScaleVoIPNetworks,"in Proceedingsof theUSENIXAnnualTechnicalConference(ATC) ,2010. [114] I.Dacosta,V.Balasubramaniyan,M.Ahamad,andP.Traynor,"Improving AuthenticationPerformanceofDistributedSIPProxies," IEEETransactionson ParallelandDistributedSystems(TPDS) ,vol.22,no.11,pp.18041812,2011. [115] M.ShirvanianandN.Saxena,"WiretappingviaMimicry:ShortVoiceImitation Man-in-the-MiddleAttacksonCryptoPhones,"in Proceedingsofthe2014ACM SIGSACConferenceonComputerandCommunicationsSecurity(CCS) ,2014, pp.868879. [116] M.Petraschek,T.Hoeher,O.Jung,H.Hlavacs,andW.Gansterer,"Securityand usabilityaspectsofMan-in-the-MiddleattacksonZRTP," JournalofUniversal ComputerScience ,no.5,pp.673692, [117] DirectoryofUnknownCallers http://www.800notes.com/ ,2015. [118] Finally!NomoreannoyingRobocallsandTelemarketers. http://www.nomorobo. com/ ,2016.[Online].Available: http://www.nomorobo.com/ 171

PAGE 172

[119] Z.Wu,A.Khodabakhsh,C.Demiroglu,J.Yamagishi,D.Saito,T.Toda,andS. King,"SAS:Aspeakervericationspoongdatabasecontainingdiverseattacks,"in ProceedingsoftheIEEEInternationalConferenceonAcoustics,SpeechandSignal Processing(ICASSP) ,2015,pp.44404444. [120] F.Alegre,G.Soldi,andN.Evans,"Evasionandobfuscationinautomaticspeaker verication,"in ProceedingsoftheIEEEInternationalConferenceonAcoustics, SpeechandSignalProcessing(ICASSP) ,2014,pp.749753. [121] Z.WuandH.Li,"Voiceconversionandspoongattackonspeakerverication systems,"in ProceedingsoftheAsia-PacicSignalandInformationProcessing AssociationAnnualSummitandConference(APSIPA) ,IEEE,2013. [122] F.AlegreandR.Vipperla,"Onthevulnerabilityofautomaticspeakerrecognition tospoongattackswitharticialsignals,"in Proceedingsofthe20thEuropean SignalProcessingConference(EUSIPCO) ,2012,pp.3640. [123] Y.Stylianou,"Voicetransformation:Asurvey,"in ProceedingsoftheIEEE ConferenceonAcoustics,SpeechandSignalProcessing(ICASSP) ,2009. [124] Q.Jin,A.R.Toth,A.W.Black,andT.Schultz,"Isvoicetransformationathreat tospeakeridentication?"In ProceedingsoftheInternationalConferenceon Acoustics,SpeechandSignalProcessing(ICASSP) ,2008,pp.48454848. [125] V.Balasubramaniyan,A.Poonawalla,M.Ahamad,M.Hunter,andP.Traynor, "PinDr0p:UsingSingle-EndedAudioFeaturestoDetermineCallProvenance,"in ProceedingsoftheACMConferenceonComputerandCommunicationsSecurity (CCS) ,2010. [126] B.Reaves,E.Shernan,A.Bates,H.Carter,andP.Traynor,"BoxedOut:Blocking CellularInterconnectBypassFraudattheNetworkEdge,"in Proceedingsofthe USENIXSecuritySymposium(SECURITY) ,2015. [127] S.Rosset,U.Murad,E.Neumann,Y.Idan,andG.Pinkas,"DiscoveryofFraud RulesforTelecommunications-ChallengesandSolutions,"in Proceedingsofthe FifthACMSIGKDDInternationalConferenceonKnowledgeDiscoveryandData Mining(KDD) ,NewYork,NY,USA,1999,pp.409413. 172

PAGE 173

[128] B.Mathieu,S.Niccolini,andD.Sisalem,"SDRS:AVoice-over-IPSpamDetection andReactionSystem," IEEESecurity&PrivacyMagazine ,vol.6,no.6,pp.5259, Nov.2008. [129] Mustafa,H.andWenyuanXuandSadeghi,A.R.andSchulz,S.,"YoucanSPIT, butyoucan'thide:Spammeridenticationintelephonynetworks,"in 2011 ProceedingsIEEEINFOCOM ,2011,pp.4145. [130] N.Jiang,Y.Jin,A.Skudlark,W.-L.Hsu,G.Jacobson,S.Prakasam,andZ.-L. Zhang,"Isolatingandanalyzingfraudactivitiesinalargecellularnetworkviavoice callgraphanalysis,"in Proceedingsofthe10thinternationalconferenceonMobile systems,applications,andservices(MobiSys) ,2012,p.253. [131] H.Sengar,"VoIPFraud:Identifyingawolfinsheep'sclothing,"in Proceedingsof the2014ACMSIGSACConferenceonComputerandCommunicationsSecurity (CCS) ,2014,pp.334345. [132] B.MoellerandA.Langley,"TLSFallbackSignalingCipherSuiteValue(SCSV) forPreventingProtocolDowngradeAttacks,"InternetEngineeringTaskForce, Internet-Draft,2014. [133] J.ClarkandP.C.VanOorschot,"SoK:SSLandHTTPS:Revisitingpast challengesandevaluatingcerticatetrustmodelenhancements,"in Proceedings oftheIEEESymposiumonSecurityandPrivacy(S&P) ,2013,pp.511525. [134] T.Zoller, TLS&SSLv3RenegotiationVulnerability http://www.g-sec.lu/ practicaltls.pdf ,2009. [135] Z.Durumeric,J.Kasten,D.Adrian,J.A.Halderman,M.Bailey,F.Li,N.Weaver, J.Amann,J.Beekman,M.Payer,andV.Paxson,"Thematterofheartbleed,"in Proceedingsofthe2014ConferenceonInternetMeasurementConference(IMC) Vancouver,BC,Canada:ACM,2014,pp.475488. [136] R.RivestandB.Lampson, SDSI:ASimpleDistributedSecurityInfrastructure http://research.microsoft.com/en-us/um/people/blampson/59-sdsi/webpage.html 1996. [137] C.Ellison,B.Frantz,B.Lampson,R.L.Rivest,B.Thomas,andT.Ylonen,"SPKI CerticateTheory,"IETF,RFC2693,1999. 173

PAGE 174

[138] C.EllisonandB.Schneier,"TenrisksofPKI:Whatyou'renotbeingtoldabout publickeyinfrastructure," ComputerSecurityJournal ,vol.16,no.1,pp.17,2000. [139] R.Holz,L.Braun,N.Kammenhuber,andG.Carle,"TheSSLlandscape:a thoroughanalysisofthex.509PKIusingactiveandpassivemeasurements,"in Proceedingsofthe2011ACMSIGCOMMconferenceonInternetMeasurement Conference(IMC) ,2011,pp.427444. [140] I.Dacosta,M.Ahamad,andP.Traynor,"TrustNoOneElse:DetectingMITM AttacksAgainstSSL/TLSWithoutThird-Parties,"in ProceedingsoftheEuropean SymposiumonResearchinComputerSecurity(ESORICS) ,2012. [141] L.S.Huang,A.Rice,E.Ellingsen,andC.Jackson,"AnalyzingforgedSSL certicatesinthewild,"in ProceedingsoftheIEEESymposiumonSecurity andPrivacy(SP) ,2014. [142] A.Bates,J.Pletcher,T.Nichols,B.Hollembaek,andK.R.Butler,"Forced perspectives:EvaluatinganSSLtrustenhancementatscale,"in Proceedingsofthe 2014InternetMeasurementConference(IMC) ,ACM,2014,pp.503510. [143] E.Rescorla, SSLandTLS:DesigningandBuildingSecureSystems .Addison-Wesley, 2001,p.499. [144] R.Dhamija,J.D.Tygar,andM.Hearst,"Whyphishingworks,"in Proceedingsof theSIGCHIconferenceonHumanFactorsinComputingSystems(CHI) ,ser.CHI '06,NewYork,NY,USA:ACM,2006. [145] S.E.Schechter,R.Dhamija,A.Ozment,andI.Fischer,"Theemperor'snew securityindicators,"in ProceedingsoftheIEEESymposiumonSecurityand Privacy(SP) ,2007. [146] S.Egelman,L.F.Cranor,andJ.Hong,"You'vebeenwarned:Anempiricalstudy ofthee! ectivenessofwebbrowserphishingwarnings,"in Proceedingsofthe SIGCHIConferenceonHumanFactorsinComputingSystems(CHI) ,2008. [147] J.Sobey,R.Biddle,P.vanOorschot,andA.S.Patrick,"Exploringuserreactions tonewbrowsercuesforextendedvalidationcerticates,"in Proceedingsofthe EuropeanSymposiumonResearchinComputerSecurity(ESORICS) ,2008. 174

PAGE 175

[148] D.Akhawe,B.Amann,M.Vallentin,andR.Sommer,"Here'smycert,sotrust me,maybe?UnderstandingTLSerrorsontheweb,"in Proceedingsofthe22nd InternationalConferenceonWorldWideWeb(WWW) ,2013,pp.5970. [149] D.AkhaweandA.P.Felt,"AliceinWarningland:Alarge-scaleeldstudyof browsersecuritywarninge!ectiveness,"in Proceedingsofthe22ndUSENIX ConferenceonSecurity ,ser.SEC'13,Washington,D.C.:USENIXAssociation,2013, pp.257272. [150] "ITUstandardP.800methodsforsubjectivedeterminationoftransmission quality,"Aug.1996. [151] "ITUstandardP.862:perceptualevaluationofspeechquality(PESQ),"Oct.2007. [152] A.Takahashi,A.Kurashima,andH.Yoshino,"Objectiveassessmentmethodology forestimatingconversationalqualityinVoIP," IEEETransactionsonAudio, Speech,andLanguageProcessing ,vol.14,no.6,pp.19841993,2006. [153] S.Broom,"VoIPqualityassessment:Takingaccountoftheedge-device," IEEE TransactionsonAudio,Speech,andLanguageProcessing ,vol.14,no.6,2006. [154] "ITUstandardP.563:single-endedmethodforobjectivespeechqualityassessment," Apr.2004. [155] T.FalkandW.-Y.Chan,"Single-endedspeechqualitymeasurementusingmachine learningmethods," IEEETransactionsonAudio,Speech,andLanguageProcessing vol.14,no.6,pp.19351947,2006. [156] C.Hoene,H.Karl,andA.Wolisz,"Aperceptualqualitymodelintendedfor adaptiveVoIPapplications:Researcharticles," Int.J.Commun.Syst. ,vol.19, no.3,pp.299316,Apr.2006. [157] L.Ding,Z.Lin,A.Radwan,M.S.El-Hennawey,andR.A.Goubran,"Non-intrusive single-endedspeechqualityassessmentinVoIP," SpeechCommunication ,vol.49, no.6,pp.477489,Jun.2007. [158] M.PapingandT.Fahnle,"Automaticdetectionofdisturbingrobotvoiceand ping-ponge!ectsinGSMtransmittedspeech,"in EUROSPEECH ,1997. 175

PAGE 176

[159] A.Hines,J.Skoglund,A.Kokaram,andN.Harte,"Monitoringthee!ectsof temporalclippingonVoIPspeechquality,"in 14thAnnualConferenceofthe InternationalSpeechCommunicationAssociation ,ISCA,2013. [160] TheOpenUniversity, 2014TextMessagingUsageStatistics http://www. openuniversity.edu/news/news/2014-text-messaging-usage-statistics ,Dec.2014. [161] S.J.Delany,M.Buckley,andD.Greene,"SMSspamltering:Methodsanddata," ExpertSystemswithApplications ,vol.39,no.10,pp.98999908,2012. [162] Scrapy http://scrapy.org ,2015. [163] TheInternationalOrganizationforStandardization, ISO8601-Timeanddate format http://www.iso.org/iso/home/standards/iso8601.htm ,2004. [164] OpenCNAM https://www.opencnam.com ,2015. [165] VirusTotal http://virustotal.com [166] E.McCallister,T.Grance,andK.Scarfone, NISTSP800-122:GuidetoProtecting theCondentialityofPersonallyIdentiableInformation(PII) http://csrc.nist. gov/publications/nistpubs/800-122/sp800-122.pdf ,2010. [167] H.P.Luhn,"Computerforverifyingnumbers,"USPatent2950048,1960. [168] Talk2 http://talk2ph.com ,2015. [169] SMSGlobal https://www.smsglobal.com ,2015. [170] LiqPay https://www.liqpay.com ,2015. [171] B.J.FreyandD.Dueck,"Clusteringbypassingmessagesbetweendatapoints," Science ,vol.315,no.5814,pp.972976,2007. 176

PAGE 177

[172] N.Crooks, Venezuela,theCountryWithFourExchangeRates http://www. bloomberg.com/news/articles/2015-02-19/venezuela-the-country-with-fourexchange-rates ,Feb.2015. [173] PayCenter https://www.paycenter.de ,2015. [174] BossRevolution https://www.bossrevolution.ca ,2015. [175] Frim http://fr.im ,2015. [176] eCall http://www.ecall.ch ,2015. [177] RedOxygen http://www.redoxygen.com ,2015. [178] VisaQIWIWallet https://qiwi.ru ,2015. [179] M.Honan, HowAppleandAmazonsecurityawsledtomyepichacking http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/,Aug. 2012. [180] A.Skudlark,"CharacterizingSMSSpaminaLargeCellularNetworkviaMining VictimSpamReports,"AT&TLabs,Tech.Rep.,Dec.2014. [181] P.Traynor,M.Lin,M.Ongoing,V.Rao,T.Jaeger,P.McDaniel,andT.LaPorta, "Oncellularbotnets:Measuringtheimpactofmaliciousdevicesonacellular networkcore,"in Proceedingsofthe16thACMconferenceonComputerand communicationssecurity ,2009. [182] "ITU-TrecommendationG.711,"Jun.1990. [183] M.Jalil,F.Butt,andA.Malik,"Short-timeenergy,magnitude,zerocrossing rateandautocorrelationmeasurementfordiscriminatingvoicedandunvoiced segmentsofspeechsignals,"in TechnologicalAdvancesinElectrical,Electronicsand ComputerEngineering(TAEECE),2013InternationalConferenceon ,May2013, pp.208212. 177

PAGE 178

[184] SchulzrinneandCasner,"RTPProleforAudioandVideoConferenceswith MinimalControl,"IETF,RFC3551,2003. [185] 3rdGenerationPartnershipProject,"Fullratespeech;Substitutionandmutingof lostframesforfullratespeechchannels,"Tech.Rep.TS46.011. [186] C.Perkins,O.Hodson,andV.Hardman,"Asurveyofpacketlossrecovery techniquesforstreamingaudio," IEEENetwork ,vol.12,no.5,pp.4048,1998. [187] R.LesCottrell,"PingingAfrica-adecadelongquestaimstopinpointtheInternet bottlenecksholdingAfricaback," Spectrum,IEEE ,vol.50,no.2,pp.5459,Feb. 2013. [188] OsmocomBBGSMbaseband http://bb.osmocom.org/trac/ ,2015. [189] J.S.Garofolo,L.F.Lamel,W.M.Fisher,J.G.Fiscus,D.S.Pallett,N.L. Dahlgren,andV.Zue, TIMITAcoustic-PhoneticContinuousSpeechCorpus Philadelphia:LinguisticDataConsortium,1993. [190] Sox http://sox.sourceforge.net/Main/HomePage ,2016. [191] W.JiangandH.Schulzrinne,"Comparisonandoptimizationofpacketlossrepair methodsonVoIPperceivedqualityunderburstyloss,"in Proceedingsofthe12th InternationalWorkshoponNetworkandOperatingSystemsSupportforDigital AudioandVideo ,ser.NOSSDAV'02,Miami,Florida,USA:ACM,2002,pp.7381. [192] G.HasslingerandO.Hohlfeld,"TheGilbert-Elliottmodelforpacketlossin realtimeservicesontheInternet,"in Measuring,ModellingandEvaluationof ComputerandCommunicationSystems(MMB),200814thGI/ITGConference Mar.2008,pp.115. [193] Y.Wang,C.Huang,J.Li,andK.Ross,"Queen:Estimatingpacketlossrate betweenarbitraryinternethosts,"in PassiveandActiveNetworkMeasurement ser.LectureNotesinComputerScience,S.Moon,R.Teixeira,andS.Uhlig,Eds., vol.5448,SpringerBerlinHeidelberg,2009,pp.5766. [194] ITUSoftwareToolLibraryManual .Geneva:ITU,2009. 178

PAGE 179

[195] J.A.S.Molina, GSMtra"cchannelsimulator http://www.mathworks.com/ matlabcentral/leexchange/11078-gsm-tra" c-channel-simulator ,2006. [196] 3rdGenerationPartnershipProject,"ChannelCoding,"Tech.Rep.TS45.003. [197] ,"Radiotransmissionandreception,"Tech.Rep.TS45.005. [198] U.Ratana,"TelcoslosemoneytoSIMfraud," PhnomPenhPost ,Feb.2014. [199] GoipForGreyRouteSIMBox http://www.alibaba.com/product-detail/16-portsgsm-gateway-goip-for 862885942.html [200] GoAntifraud.com .[Online].Available: https://goantifraud.com/ [201] A.M.White,A.R.Matthews,K.Z.Snow,andF.Monrose,"Phonotactic ReconstructionofEncryptedVoIPConversations:HooktonFon-iks,"in Proceedingsofthe2011IEEESymposiumonSecurityandPrivacy ,2011. [202] D.Samfat,R.Molva,andN.Asokan,"Untraceabilityinmobilenetworks,"in ProceedingsoftheFirstAnnualInternationalConferenceonMobileComputingand Networking(MobiCom) ,1995,pp.2636. [203] TelTech, SpoofCard http://www.spoofcard.com/ ,2015. [204] A.Tyrberg,"DataTransmissionoverSpeechCodedVoiceChannels,"Master's Thesis,LinkopingUniversity,2006. [205] M.A.Ozkan,B.Ors,andG.Saldamli,"SecurevoicecommunicationviaGSM network," 20117thInternationalConferenceonElectricalandElectronicsEngineering(ELECO) ,pp.II288II292,2011. [206] N.N.Katugampala,K.T.Al-Naimi,S.Villette,andA.M.Kondoz,"Real-time end-to-endsecurevoicecommunicationsoverGSMvoicechannel," SignalProcessingConference,200513thEuropean ,pp.14,2005. 179

PAGE 180

[207] A.Dhananjay,A.Sharma,M.Paik,J.Chen,T.K.Kuppusamy,J.Li,andL. Subramanian,"Hermes:Datatransmissionoverunknownvoicechannels,"in ProceedingsoftheSixteenthAnnualInternationalConferenceonMobileComputing andNetworking ,ser.MobiCom,NewYork,NY,USA:ACM,2010. [208] Sklar,Bernard, DigitalCommunications:FundamentalsandApplications ,English, Second.UpperSaddleRiver,N.J:PrenticeHall,Jan.2001. [209] P.KoopmanandT.Chakravarty,"Cyclicredundancycode(CRC)polynomial selectionforembeddednetworks,"in 2004InternationalConferenceonDependable SystemsandNetworks ,Jun.2004,pp.145154. [210] R.NeedhamandM.Schroeder,"Usingencryptionforauthenticationinlarge networksofcomputers," CommunicationsoftheACM ,vol.21,no.12,pp.993999, 1978. [211] B.Blanchet, ProVerif:Cryptographicprotocolverierintheformalmodel http: //www.proverif.ens.fr/ ,2016. [212] Pyelliptic https://pypi.python.org/pypi/pyelliptic ,2016. [213] CerticomResearch, SEC2:RecommendedEllipticCurveDomainParameters ,Jan. 2010. [214] M.Bellare, NewProofsforNMACandHMACSecuritywithoutCollisionResistance ,AdvancesinCryptology-CRYPTO'06,2006. [215] NationalInstituteofStandardsandTechnology, NISTSpecialPublication800-107 Revision1:RecommendationforApplicationsUsingApprovedHashAlgorithms 2008. [216] Ffmpeg https://www.!mpeg.org ,2016. [217] M.Lepinski,R.Barnes,andS.Kent,"AnInfrastructuretoSupportSecureInternet Routing,"IETF,RFC6480,2012. 180

PAGE 181

[218] LocalSearchAssociation, CLECInformation http://www.thelsa.org/main/ clecinformation.aspx ,2016. [219] M.Sherr,E.Cronin,S.Clark,andM.Blaze,"SignalingVulnerabilitiesin WiretappingSystems," IEEESecurity&PrivacyMagazine ,vol.3,no.6,pp.1325, 2005. [220] S.Alfonsi, HackingYourPhone http://www.cbsnews.com/news/60-minuteshacking-your-phone/ ,2016. [221] H.Mustafa,A.-R.Sadeghi,S.Schulz,andW.Xu,"YouCanCallButYouCan't Hide:DetectingCallerIDSpoongAttacks,"in ProceedingsoftheIEEE/IFIP InternationalConferenceonDependableSystemsandNetworks(DSN) ,2014. [222] B.Reaves,L.Blue,andP.Traynor,"AuthLoop:End-to-EndCryptographic AuthenticationforTelephonyoverVoiceChannels," 25thUSENIXSecurity Symposium(USENIXSecurity16) ,pp.963978,Aug.2016. [223] A.WhittenandJ.D.Tygar,"WhyJohnnyCan'tEncrypt:AUsabilityEvaluation ofPGP5.0.,"in 25thUSENIXSecuritySymposium(USENIXSecurity16) ,1999. [224] B.Blanchet,"AnE"cientCryptographicProtocolVerierBasedonPrologRules," in Proceedingsofthe14thIEEEWorkshoponComputerSecurityFoundations 2001. [225] Y.Jiao,L.Ji,andX.Niu,"RobustSpeechHashingforContentAuthentication," IEEESignalProcessingLetters ,vol.16,no.9,pp.818821,2009. [226] T.Kinnunen,Z.-Z.Wu,K.A.Lee,F.Sedlak,E.S.Chng,andH.Li,"Vulnerability ofspeakervericationsystemsagainstvoiceconversionspoongattacks:Thecase oftelephonespeech,"in 2012IEEEInternationalConferenceonAcoustics,Speech andSignalProcessing(ICASSP) ,IEEE,2012,pp.44014404. [227] BradleyReaves,LoganBlue,HadiAbdullah,LuisVargas,PatrickTraynor,and TomShrimpton,"AuthentiCall:E"cientIdentityandContentAuthenticationfor PhoneCalls,"in Proceedingsofthe26thUSENIXSecuritySymposium ,2017. 181

PAGE 182

[228] O.Tange etal. ,"Gnuparallel-thecommand-linepowertool," ;login:TheUSENIX Magazine:Volume36,Number1 ,2011. [229] O.Hohlfeld,R.Geib,andG.Ha§linger,"PacketLossinReal-timeServices: MarkovianModelsMeneratingQoEImpairments,"in QualityofService,2008. IWQoS2008.16thInternationalWorkshopon ,IEEE,2008,pp.239248. [230] Statista, Averagemonthlyoutboundminutes https://www.statista.com/statistics/ 273902/average-monthly-outbound-mobile-voice-minutes-per-person-in-the-uk/ 2013. [231] "BouncyCastleCryptoAPI," http://www.bouncycastle.org/ ,2007. [232] M.LepinskiandS.Kent,"AdditionalDi"e-HellmanGroupsforUsewithIETF Standards,"RFCEditor,RFC5114,Jan.2008. [233] H.KrawczykandP.Eronen,"HMAC-basedExtract-and-ExpandKeyDerivation Function(HKDF),"IETF,RFC5869,2010. [234] Qualcomm, Circuit-switchedfallback:Therstphaseofvoiceevolutionformobile LTEdevices. http://www.ericsson.com/res/docs/2012/the rst phase of voice evolution for mobile lte devices.pdf ,2012. [235] Averagecall https://www.statista.com/statistics/185828/average-local-mobilewireless-call-length-in-the-united-states-since-1987/ ,2012. [236] D.Tynan, Theterrorofswatting:Howthelawistrackingdownhigh-techprank callers https://www.theguardian.com/technology/2016/apr/15/swatting-law-teensanonymous-prank-call-police ,Apr.2016. [237] Teen'siphonehackgetshimarrestedforunleashingddoson911system https: //www.neowin.net/news/teens-iphone-hack-gets-him-arrested-for-unleashing-ddoson-911-system ,2016. [238] J.Serror,H.Zang,andJ.C.Bolot,"Impactofpagingchanneloverloadsorattacks onacellularnetwork,"in Proceedingsofthe5thACMWorkshoponWireless Security ,2006. 182

PAGE 183

[239] P.P.Lee,T.Bu,andT.Woo,"OnthedetectionofsignalingDoSattackson 3G/WiMaxwirelessnetworks," ComputerNetworks ,vol.53,no.15,pp.26012616, 2009. [240] W.Enck,P.Traynor,P.McDaniel,andT.LaPorta,"ExploitingOpenFunctionality inSMS-CapableCellularNetworks,"in Proceedingsofthe12thACMconferenceon Computerandcommunicationssecurity ,ACM,2005,pp.393404. [241] Letsencrypt https://letsencrypt.org/ ,2016. [242] R.Pries,T.HoBfeld,andP.Tran-Gia,"Onthesuitabilityoftheshortmessage serviceforemergencywarningsystems,"in 2006IEEE63rdVehicularTechnology Conference ,IEEE,vol.2,2006,pp.991995. [243] C.Amrutkar,P.Traynor,andP.vanOorschot,"AnEmpiricalEvaluationof SecurityIndicatorsinMobileWebBrowsers," IEEETransactionsonMobile Computing(TMC) ,vol.14,no.5,pp.889903,2015. 183

PAGE 184

BIOGRAPHICAL SKETCH

Bradley Reaves is a computing researcher and educator. His research is dedicated to measuring and improving the security and privacy of computer systems, with a particular emphasis on telephone networks and software for mobile platforms. This work has addressed detection and measurement of mobile malware in the wild, identified systemic risks in developing world mobile money systems, and developed new techniques to distinguish legitimate and fraudulent phone calls. His work has been recognized with two best paper awards, and he was named an NSF Graduate Research Fellow in 2010.

Bradley completed his Ph.D. in computer engineering in August 2017 at the University of Florida, where he served as the lead graduate student for the Florida Institute for Cyber Security Research in 2016. He also earned an M.S. in computer science from the Georgia Institute of Technology and a B.S. and M.S. in computer engineering from Mississippi State University. After graduation, he accepted a position as a tenure-track assistant professor in the Department of Computer Science at North Carolina State University.