SPARROW: A Novel Covert Communication Scheme

Formal Metadata

Title: SPARROW: A Novel Covert Communication Scheme
Number of Parts: 84
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
When researching methods for covert communications in the wireless space, we noticed most hackers are barely looking below the IP layer, and even the wireless guys are focused on creating their own radio (PHY layer) solutions rather than looking at what's already available to them. We discovered a sweet spot that takes advantage of MAC layer protocols in LTE and 5G, enabling long range communication using other people's networks (GSMA CVD-2021-0045). We can use SPARROW devices almost everywhere in a variety of scenarios, such as data exfiltration and command and control. Despite limited data rates, the new scheme can defeat known covert communication schemes with dedicated PHY in the following ways:

- Maximum Anonymity: SPARROW devices do not authenticate with the host network while operating. This eliminates their exposure to network security and lawful intercept systems as well as spectrum scanners. Utilizing limited resources, they cause very minimal impact on the host network services.
- More Miles per Watt: SPARROW devices can be several miles apart, exploiting the broadcast power of base stations or non-terrestrial technologies. The range can be further extended by deploying several of them in a geographically sparse mesh network.
- Low Power & Low Complexity: SPARROW devices can utilize existing protocol implementation libraries installed on commodity SDRs. They can operate on batteries or harvest energy from the environment for long durations, just like real sparrows!

REFERENCES: There are no direct references to prior study that I (Reza) have (aside from general knowledge of the 5G standard and RF); however, the following talks and items led me towards this discovery:

- DEF CON Safe Mode - James Pavur - Whispers Among the Stars - https://www.youtube.com/watch?v=ku0Q_Wey4K0
- DNS Data Exfiltration techniques
- My boss buying me a 5G base station emulator and saying "find something wrong with this!"
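The mechanism the abstract refers to is spelled out in the transcript below: Msg3 of the random access procedure carries a 48-bit contention resolution identity (CRI) that holds a 40-bit UE-chosen random value, and the base station broadcasts that CRI back unchanged in Msg4, so anyone within range of the tower can read it. The following Python is an added example, not code from the talk, from Keysight's demo or from the GSMA disclosure. It models that exchange offline, reproduces the talk's 40-bits-per-attempt throughput estimate, and adds one defender-side check over observed Msg4 values: CRIs that are mostly printable text are not what a random 40-bit ID looks like. The header-byte layout of the 48-bit field, the signature byte value 0xA5, the detector thresholds and the cell population are all assumptions; nothing here touches a radio.

```python
"""
Offline model of the LTE/5G RACH contention-resolution exchange described in the
SPARROW talk (Msg3: 48-bit CRI holding a 40-bit random ID; Msg4: CRI echoed back),
plus a passive-observer heuristic over Msg4 values.  Added example, not code from
the talk or from Keysight; the 8 non-random bits are modelled as one header byte,
which is a simplification of the real field layout.
"""
import random
from collections import defaultdict

CRI_BYTES = 6          # 48-bit contention resolution identity (from the talk)
RANDOM_ID_BYTES = 5    # 40-bit UE-chosen random value (from the talk)
LEGIT_HEADER = 0x00    # assumed fixed header byte of a compliant UE (constructed)
SIGNATURE_BYTE = 0xA5  # the talk's "signature byte"; this value is an assumption
PRINTABLE = set(range(0x20, 0x7F))


def legit_cri(rng: random.Random) -> bytes:
    """A compliant UE: header byte followed by 40 random bits."""
    random_id = rng.getrandbits(8 * RANDOM_ID_BYTES).to_bytes(RANDOM_ID_BYTES, "big")
    return bytes([LEGIT_HEADER]) + random_id


def encode_chunks(message: bytes, signature: int = SIGNATURE_BYTE) -> list:
    """Split a message into 40-bit chunks, each tagged with the signature byte,
    as the talk describes for a SPARROW UE.  The final chunk is zero-padded."""
    chunks = []
    for i in range(0, len(message), RANDOM_ID_BYTES):
        piece = message[i:i + RANDOM_ID_BYTES].ljust(RANDOM_ID_BYTES, b"\x00")
        chunks.append(bytes([signature]) + piece)
    return chunks


def decode_chunks(msg4_cris: list, signature: int = SIGNATURE_BYTE) -> bytes:
    """Passive receiver: keep only the Msg4 CRIs carrying the agreed signature byte."""
    payload = b"".join(c[1:] for c in msg4_cris if c[0] == signature)
    return payload.rstrip(b"\x00")   # drop padding (a message ending in NUL would lose it)


def fnodeb_msg4(msg3_cris: list, rng: random.Random) -> bytes:
    """Contention resolution as the talk describes it: the base station picks one of
    the colliding Msg3s and broadcasts its CRI, unchanged, in Msg4."""
    return rng.choice(msg3_cris)


def throughput_bps(bits_per_attempt: int = 40, exchange_ms: float = 30.0,
                   backoff_ms: float = 10.0) -> float:
    """The talk's estimate: 40 bits per RACH attempt, ~30 ms for Msg1-4 plus a
    self-chosen 10 ms back-off, giving roughly 1 kbit/s."""
    return bits_per_attempt / ((exchange_ms + backoff_ms) / 1000.0)


def is_textlike(payload: bytes, threshold: float = 0.8) -> bool:
    """A random 40-bit ID is mostly non-printable bytes; a plaintext chunk is not."""
    core = payload.rstrip(b"\x00")          # ignore zero padding of a short final chunk
    if not core:
        return False
    printable = sum(1 for b in core if b in PRINTABLE)
    return printable / len(core) >= threshold


def flag_suspect_groups(observed_msg4: list, min_count: int = 3,
                        min_fraction: float = 0.8) -> dict:
    """Group observed Msg4 CRIs by leading byte and flag groups in which most
    payloads look like text.  Returns {leading_byte: number_of_textlike_cris}."""
    groups = defaultdict(list)
    for cri in observed_msg4:
        groups[cri[0]].append(cri[1:])
    flagged = {}
    for lead, payloads in groups.items():
        if len(payloads) < min_count:
            continue
        textlike = sum(1 for p in payloads if is_textlike(p))
        if textlike / len(payloads) >= min_fraction:
            flagged[lead] = textlike
    return flagged


def simulate_cell(seed: int = 7, message: bytes = b"welcome to the DEFCONF"):
    """Constructed scenario: compliant UEs and one SPARROW UE share a cell; every
    Msg3 is echoed by the fNodeB in Msg4 and a passive observer records them all."""
    rng = random.Random(seed)
    observed = []
    for chunk in encode_chunks(message):
        for _ in range(6):                       # ordinary RACH attempts in between
            observed.append(fnodeb_msg4([legit_cri(rng)], rng))
        observed.append(fnodeb_msg4([chunk], rng))
    recovered = decode_chunks(observed)
    return observed, recovered, flag_suspect_groups(observed)


if __name__ == "__main__":
    observed, recovered, flagged = simulate_cell()
    print(f"{len(observed)} Msg4 CRIs observed, link estimate {throughput_bps():.0f} bit/s")
    print("receiver recovered:", recovered)
    print("suspect leading bytes:", {hex(k): v for k, v in flagged.items()})
```

The check only works where someone is actually recording Msg4 values at the cell, which the talk points out nobody does at the network edge today, and it is a heuristic: a sender who scrambles or encrypts each 40-bit chunk produces payloads that are statistically indistinguishable from random IDs, which is why the speakers place the real fix at the standard level rather than in operator-side filtering.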
Transcript: English (auto-generated)
Hello, this is Reza Soosahabi, and with my colleague Chuck McCauley we would like to present our novel covert communication scheme that exploits broadcast signals in LTE, 5G and other technologies. I would like first to give a little introduction about ourselves.
I'm the application research team lead at Keysight ATI Research Center. I do open research on 5G RAN security and develop algorithms to both make or break awesome things. I come from a math and signal processing background, so I try to apply them to new problems as
much as I can, and typically I happen to be at the right time and in the right place. So I had been breaking things and triggering rare events for fun when I became a dad, and now I love spending time with my toddler son. So I would like to turn to my colleague Chuck.
Hi, I'm Chuck McCauley. I'm a principal security researcher at the ATI Research Center at Keysight. My hobbies include skiing and breaking my Land Rover and fixing it pretty frequently. At Keysight, I'm involved in new product initiatives and bring a 20-year cybersecurity background to everything Keysight works on and touches.
I really would like to expand on the ambitions and the thoughts behind this research. To encourage future research, I believe this is as important as the research I'm presenting here. As my father always put it, talking about fishing is more important than talking about
fish itself. So I had some past academic research experience in wireless security. I published my work on IoT security in IEEE in the past. So most of my work was deep in theories and math. So I decided to join industry to explore more practical problems out there, and I was offering R&D consulting services to mobile operators and was a 5G systems engineer a while
before joining Keysight in 2018. Without being officially in infosec, I always had the tendency to break things around me for fun and curiosity. So my new job at ATI enabled me to explore new ideas, lesser known in the wireless community,
most notably protocol tunneling techniques that are used for data exfiltration. I was converging my past and present experiences when one day in fall 2019 our cool boss invited me to take the lead in a 5G security research project and got me a lab with a super expensive baseband emulator in there.
So with that level of trust that he vested in me, I decided to go after zero-day vulnerability discovery rather than simulating existing ones. So I discovered this vulnerability in the 5G and LTE standards the following winter, and we successfully disclosed it with GSMA.
Things went slow due to the pandemic and my parental leave. But after watching this interesting talk at last year's DEF CON on eavesdropping on satellite signals, I got really excited and pumped to put this work together and present it at DEF CON this year.
I took a holistic approach of organizing the existing work in the biggest possible picture, or call it a box, and then discovered a hole in it. So I realized that covert communication is the biggest umbrella that I can put all techniques for data exfiltration, command and control and other means of unauthorized communication together in.
So it's usually regarded as a potential threat and taken seriously in the context of defense in depth. When I survey the literature related to covert communication or topics related to it, it comes either from hackers or from wireless engineers.
So people with a hacker mentality like Chuck have targeted the software protocol stack most of the time, like message tunneling in L3-7 protocols such as ICMP, DNS, etc. A lot of cool techniques there. They have barely looked below the IP layer.
In fact, as we know, the security industry has actively been monitoring the research in this area. So they track and block malicious IP traffic using boxes like IPSs, IDSs and lawful intercept. On the other hand, wireless engineers such as myself are really fascinated with the beauty of radio systems, internals and the physical layer.
So there is a huge literature on coding and modulation techniques to build optimal radios for covert communication. These techniques usually involve low power communication and avoiding spectrum monitoring systems. So devices such as LoRaWAN, ham radios and other low power technologies
can be retrofitted and used for covert communication, but their operational range dramatically degrades when both the sender and the receiver are at low altitude, where the signal is in fact blocked by buildings and foliage. Looking at the protocol stack, I came up with a new
viewpoint that combines both mentalities. So I came up with this question: how about exploiting MAC layer protocol weaknesses in existing wireless infrastructure? This was the big question that inspired this work. It leads us to a new scheme that can be more effective than existing
ones in many aspects. At this point, I was almost certain that I could find some simple example quickly in the LTE and 5G standards because I was very familiar with them. So, very related to the theme of DEF CON 29, I developed a framework to exploit
the unstoppable signals from cellular base stations that are everywhere. So height is what makes the RF signals unstoppable, and operators spend big money to mount antennas on tall comm towers, or recently some companies are trying to fly them on low-orbiting satellites.
And this is all about getting more and more coverage to as many users as possible. So let's look at this scenario that we're going to be using moving forward. So Trudy has intruded a secure air-gapped building with a program or device. So she would like to send a message to her friend Ricky with a passive sniffing
device sitting somewhere a few miles away, like these anime geeks that we have down below this frame in the picture. There is no radio signal path between them due to buildings and foliage. However, both can send and receive signals from a nearby cellular tower.
So what if Trudy sends a special low power uplink signal that triggers high power broadcast signals from the tower, which are then received and decoded by Ricky? Simple, right? So this will create a virtual covert communication channel between Trudy and Ricky.
And this is basically the description of the technique that we are going to present here. Putting it simply and memorably for you, we are creating, in fact, reflections that are observable everywhere around the cellular tower. That's the key idea. So think of a Batman movie. They did not know where Batman was, right?
So they were reflecting this light beam off the sky to make it visible everywhere so that we can see. So I would like to go and start talking about the example that I discovered in the LTE and 5G standards.
So let's take a look at the protocol stack. What is the MAC layer, and what does exploiting the MAC layer mean? So in a protocol stack, some initialization or handshake steps always happen within each layer before it starts responding to data from the upper layers.
This is how protocol stacks crank up, always from the bottom to the top. So this work is related to layer two in the OSI model, often called the MAC layer. And from an operating system perspective, this layer is whatever layer enables devices to send IP packets. So they don't care what happens in it.
They just look at it as an interface or gateway to send IP packets. In order to understand what we are talking about today, it helps to understand the analogous version of what happens when you connect an Ethernet cable to a switch. Right when you plug in your cable, before you get a green light on your switch indicating your link speed and duplex sync, a protocol negotiation has already taken place.
The signals have synced up and found a signal in both directions. So there are some messages, such as auto-negotiation, that happen very early, that people normally do not care about or observe in their packet captures.
So let's now talk about the LTE and 5G Big Mac layers. Something more delicious, right? So this hairy man is searching for signal in the middle of nowhere. So when he finally gets a signal, before he's allowed to send a selfie to Instagram about his situation,
he tries to attach to a cell tower, right, and see if it allows him to access it, which mostly involves SIM card voodoo stuff. The apps running on his phone only care about sending IP packets to the Internet, right? So the apps do not care whether it is Wi-Fi or LTE, or what happens inside these protocols either.
So they see all this voodoo stuff happening below the IP layer as a Big Mac layer. That's why they call it a Big Mac. They do not care what's in it; they just enjoy using it, or what it delivers. The commercial wireless infrastructure has many components, such as cell towers
and a bunch of core network servers whose job is managing millions of users across a wide area. This Big Mac layer that we're talking about in cellular standards has several sublayer protocols in it, like a Big Mac, right? They define the interaction of the user device with various components of the operator's network, but not the Internet.
So this Big Mac is called the control plane as well, or sometimes the people who build this network call it layers 2 and 3. In the context of LTE and 5G in particular, related to our talk today, the standards are made by a global organization called 3GPP, for your information.
It uses a protocol known as RRC, or Radio Resource Control, which is an access protocol that is the top layer of this Big Mac, or you can call it the bun layer, that works more like RADIUS messages and looks more like SNMP. But this is not what this talk is about today.
This talk today is about the link establishment for the RRC protocol, the very initial MAC layer handshake that happens very early on, before establishing an RRC connection. This is what this talk is about. Think of it like a handshake between a phone and a cell tower before all other handshakes.
And it has some interesting features that we're going to explore. And in fact, it does not travel to the operator's core network, making it suitable for covert communication. Some simple terminology notes here. So essentially, in the context of LTE and 5G,
we call all the devices that interact with the cell towers UE, or user equipment, whether it has a SIM card or not; it doesn't matter. And there is another, more important terminology note that I'm going to talk about here, which is the story of the NodeB. So in LTE, they call these cell towers or base stations eNodeB.
In 5G, they started calling them gNodeB. And actually, when I was talking about 5G with Chuck, Chuck said, what happened to the fNodeB? And I said, interesting, nobody uses fNodeB. So I decided to use fNodeB here throughout the following presentation to refer to both LTE and 5G.
So the random access procedure is a common functionality in wireless MAC layers. So there is a small set of signals called RACH that are reserved for UEs connecting to an fNodeB for the first time. See, fNodeB. All the fNodeBs respond to these signals regardless of device type or identity, even if it doesn't have a SIM card.
The diagram here shows the normal RRC connection procedure. There are four plaintext messages exchanged between the UE and the fNodeB before the UE creates an authenticated session with the core network. These messages serve a similar purpose to the Ethernet auto-negotiation handshake, which is setting up synchronization.
First, the UE randomly sends a scrambled signal from the RACH set, and then the fNodeB responds with more parameters that help the UE fine-tune its framing synchronization. But these are not the important ones. The important ones are messages three and four. They enable the fNodeB to resolve resource contention
between UEs that are simultaneously attempting RACH. Per the standard, the UE should send a 48-bit string that contains a 40-bit random ID in it, then wait for the fNodeB to broadcast message four.
This string is called the CRI, or contention resolution identity. If the fNodeB replies with the same string in message four, it means that the UE can proceed with the RRC connection. Otherwise, it knows that someone else is supposed to go ahead and this one has to wait and retry later.
I think probably by now you've guessed what's wrong with this broadcast ping-pong between message three and message four. Coming to Trudy and Ricky's covert communication scenario, Trudy and Ricky can have a prior agreement on the target fNodeB and Trudy's RACH signal selection. Then Ricky is passively scanning and decoding messages two and four
from the fNodeB using his low-power radio. Instead of including a random 40-bit identity in the CRI, Trudy can encode a short message in it and send it up in message three. This message can include a signature byte indicating it is made by her, not by other users in the cell.
Then Ricky can pick up and decode the same message from the fNodeB's message four broadcast that happens immediately after. Simple, right? This is kind of an illustration of a unidirectional channel, but essentially Ricky can repeat the same procedure to establish a reverse link to Trudy to send information like acknowledgements.
Looking at the history of this procedure, we believe that this vulnerability may exist in other wireless MAC layers as well. This particular example has been in LTE and 5G for over a decade, but no worries, I will share the remediation before this talk ends. Expanding a little bit
on what they can gain by using SPARROW: a SPARROW UE can break long messages into chunks of 40-bit messages and send them in multiple RACH attempts. Successive RACH attempts do not have much impact on other users in the cell, and there is also a back-off timer
that's built into the standard document, as you can see in the snapshot right below, where the UEs have to pick a random value as a back-off timer, but it's all been left to the UE's discretion, and the eNodeBs or fNodeBs do not have any way to enforce it. Picking a back-off time like 10 milliseconds,
the message one to four exchange usually takes on average around 30 milliseconds. So in total, this can give Trudy a one kilobit-per-second throughput link to reach Ricky with messages. Very limited, but it's still comparable to other low-power technologies like LoRa.
Outdoor LTE and 5G base stations operating at lower frequency bands, particularly below two gigahertz, are more suitable for the SPARROW technique, mainly because their signal can reach up to five miles, and also they can reach indoors very well. 5G New Radio
introduced some new frequency bands above six gigahertz that involve lots of fancy stuff like beamforming. They're making it difficult for Ricky and his followers down below to decode the broadcast signals. There is also a new satellite-based 5G standard called 5G-NTN, which is in development.
That might actually give the SPARROW UEs 10 times more mileage. Hopefully, we can get our remediation built in as a secure RACH option for that standard. Also, the benefits of using SPARROW are really great. So you can get really super stealthy with it.
No network footprint, because messages are local to the fNodeB, and nobody is going to log the MAC layer messages at the edge of their network. Also, the SPARROW UE activity is indistinguishable from the other UEs, so there is no radio spectrum footprint
for external passive monitoring systems to geolocate the transmitter. These are the reasons I call them sparrows. So no need for expensive equipment, right? So 100-buck, low-power SDRs can do the job. They can also live off rechargeable batteries or solar power. No need for high-gain antennas
since they get the rebroadcast power from the fNodeBs, right? I will also show some more range expansion techniques further in the presentation. So they can get higher range per RF wattage in a cluttered environment, and that's a very key point compared to other complex commercial radios like walkie-talkies or LoRa.
Who cares about the sparrows? I mean, really, sparrows are everywhere. They're among us, right? Nobody cares about them. I know historically, sometimes they cared about them for crops, but nobody cares about them. And this is the same with SPARROW with regard to cellular operators, because they do not see any immediate impact
on their network, so they do not care about it. And as a matter of fact, any temporary solution to block sparrows can lead to some performance degradation for real users, and we will talk about that. But the remediations that we have developed have to be implemented at the standard level. So, so far, sparrows are unstoppable.
So here, I'm going to turn the presentation over to my colleague Chuck to talk about our demo, show the demo, and also talk more about the use cases for SPARROW. Chuck? Thank you, Reza.
So one of the benefits of working at an organization like Keysight is we get to play with a lot of cool tools. Even though we were in the middle of a pandemic, we were able to work with a lot of our peers in different parts of the world and were able to convince the GSMA that we'd actually found a design flaw
in the RACH contention messaging structure. So what you see here is our demo lab that got set up for us by our peers in Italy. At the bottom, you see something that we call a UXM. Now, this device allows us to emulate an eNodeB, a gNodeB,
and hopefully, in the future, even an fNodeB. And what you can do with this device is emulate a cell phone tower, effectively. And at the top, you see what we call UE-SIM, which simulates whatever is going to connect to a mobile network and allows you to play with the messaging structure
and validate an fNodeB or gNodeB or eNodeB, right? But what you can do is, if you take both of these two test validation systems, you can put them together and build, effectively, a cell network in isolation and test out some theories. In the lower right-hand corner,
you can see sort of a screenshot here of our test script that enables our UXM to pretend to be an eNodeB doing the RACH contention messages. And in our next slide... Well, not really a slide. In the next video that's coming up right here, we're going to introduce our friend Befakouda.
Befakouda works out of Italy, and he has put together a quick video demonstrating SPARROW working for us that we then presented to the GSMA. My name is Befakouda. I'm an application engineer at Keysight Technologies. In this video,
I am going to demonstrate the proof of concept for the SPARROW project. With this ElmoDyke graphical user interface, we configure UE A on ELSU-L, with an IP address of 10.40.88.70, as a TX. Therefore, we set the mode as TX
and the random access preamble ID to 8, and the plain text message to be sniffed by the receiver UE is set to "welcome to the DEFCONF". Similarly, we have set UE B on ELSU-B,
with an IP address of 10.40.88.157, as an RX. Therefore, we set the mode to RX and the random access preamble ID to 8. On the cell tower side, the PRT script activated the 5G NR standalone cell,
where the synchronization signal block is broadcast via the UXM platform with a periodicity of 20 milliseconds. If the master information block is decoded with success on both UEs, the cells will get in sync,
and in service if the system information block type 1 is decoded. Since both UEs are in service, in sync and idle, we can connect the GUI to the layer 3 test manager
and verify if the SIB is decoded; then the cell should get in service. We can run the scenario from the RX side first now,
and then from the TX side. It seems that the message is transmitted with success from the TX side, and let's verify if the receiver UE side decoded the message successfully. So, from the scenario logger,
here we have decoded the message "welcome to the DEF CON conference".
From the TX side, it can be verified that message 2 is decoded with a valid RAR. Also, on the RX side, we can check that message 2 is decoded with the valid RAR of the TX UE.
If this is the case, we can also verify that message 3 is decoded with success, first from the TX side. So, here we can confirm that the UE contention resolution ID
is decoded with success on the TX side. And let's see also on the RX side. So, the RX side message 3 is also decoded with success. So, since we have implemented CRC decoding,
if the message is decoded, we can see the message on the RX side. So, as you can see, the message is decoded successfully: "welcome to the DEF CON conference". So, there you saw Befe showing us
how you can bounce a message between two UEs across a cell phone tower, which is pretty wild. So, let's talk about what you could do with this sort of technique. A lot of the applications are pretty obvious from the get-go,
but one that we thought was pretty neat to highlight would be the ability to exfiltrate data out of a secure site. There are cell phone towers that are doing these RACH procedures all the time. So, it'd be very hard for you to notice an additional RACH procedure occurring with a cell site from a specific UE at a specific location.
When you start thinking about the application layer and digging into data in there, you can either have a service provider or a government entity intercept that communication layer and prevent it in multiple different paths. But at this low layer, the MAC layer, this is happening before any of those things occur.
You could also use this to easily trigger events remotely, like opening a door, and more drastically, triggering a bomb. And you can be well within, say, 5 to 10 miles away from the site of the event that you're triggering, right? So, that's a long distance to cover
and figure out the source of the message. And lastly, this could also be part of a supply chain attack, where you actually bake in some kind of remote control process into the device and then access it at a later date, right? Which is also a big risk these days with our vast, multi-country supply chains.
But there are also good applications for this. If a tower loses its uplink to the rest of the data network, it can still provide some use, whereas before it might have been just a thing that sits there
and waits until the connectivity is re-established. So, this could be used for broadcast messages in case of disaster or emergency. It could also be used to connect emergency personnel to each other and tell them where help is needed or what needs to be done, which we think is a really neat application of this in general.
And then lastly, we think that there are a lot of opportunities for mischief here. Instead of using LoRaWAN or other IoT-based low bit rate protocols, you could use someone else's cell phone tower
to provide the overlay network for your IoT devices and then simply have one device that picks up all the signals and transmits them on an internet uplink somewhere. You could also use this to help improve a pager network. This device here doesn't use it; this uses LoRaWAN right now,
but it's made by Natural Freq, and he uses it to pass messages between different devices at Shmoo and DEF CON. You could easily hijack a cell phone tower and then, instead of having a mile or two of distance or a giant ugly antenna, you could just be passing messages with something a lot smaller and a lot neater.
And now I'm going to bounce it back over to Reza, who's going to talk about increasing the signal boost and some remediation. So in the case of LTE and 5G, the sparrows can exploit multiple eNodeBs. Except in very rural areas,
it is common for a sparrow to have access to multiple LTE or 5G carrier signals in any area, within a range of a few miles, when the UEs are not that far from each other. So this can help them to essentially establish
parallel communication channels and enhance their throughput above the 1 kbps that we estimated. Another cooler way to use multiple cells is really to expand the range beyond a single cell's coverage radius,
like beyond five miles. To do that, in fact, a sparrow will need to use sparrow relays. Sparrow relays are dropped where they can listen, transmit and interact with multiple cell towers, and their job is to be Ricky in one cell and to act like Trudy in the other cell,
as you can see here. So sparrow relays can be small, solar-powered devices that are dropped in random places. To be more specific, LTE cells are deployed in a hexagonal pattern to cover an area. So the picture that I'm going to show in the next slide
is going to show how the relay nodes can be placed. As you can see here, you have multiple ways to place them. You can place many of them where the sector coverage areas overlap and create a mesh network, so every node can talk to every other node
and relay messages, or you can create a specific chain to expand the range between two endpoints. But what is the remediation here? I mean, with all that we said here, what is the remediation? So let's start before I get to the remediation. I think there is value in learning,
in this case, what the general weakness model is that has enabled the sparrow in LTE and 5G, and potentially it can exist in other protocols. So I spent some time and have formulated this, and possibly I'm going to be publishing all this work
following DEF CON. But to give you a general idea, a wireless MAC layer protocol, I found, is vulnerable to the sparrow technique if any of its procedures allow forming two sets, a set of uplink messages that I call M and a set of downlink broadcast messages that I call B, that satisfy the following conditions.
So the first one is passive reception. Every signal in B should be receivable and decodable everywhere. So it should be an omnidirectional broadcast that any passive device can decode anonymously. Another key feature is, basically,
what we call bijectivity, which is a one-to-one relation between them. So essentially, if you have a set of 10 messages in each of them, each message in B can only be triggered by a specific message in the set M. In other words, when a receiver receives B,
it can almost surely assume that its intended transmitter has transmitted a specific message. That way they can have fewer errors on their communication channel. Another one, which is a key thing, though kind of optional, but a good and important thing to have,
and we have it right now in the sparrow example that I showed you, is anonymous uplink. So essentially the transmitting device doesn't have to attach to the network or authenticate to the network to be able to send those messages. We already constructed a message set, which is actually the CRI, and the 40-bit strings
that they can pick are going to form a superset of the messages that they can transmit. Another key feature down here, number four, is stateless uplink. It is important that the transmitter, or Trudy, can successively send any messages from the set M
without protocol violation, as we talked about, sending successive messages and not caring much about the back-off in between them. So if all four of these conditions together apply to any specific wireless MAC protocol, that means that a technique similar to the sparrow can be formed around it for covert communication.
Any remediation should also preserve the purpose of the CRI. So why do we have this here, why do we have that selective message three, message four ping-pong? As you can see, it's for contention resolution. So there are more details about that. Let's assume that two UEs are picking the same RACH signal to attempt to reach the eNodeB.
So essentially at this point, the eNodeB doesn't know there are two messages coming; because of the properties of the RACH signal, only one of them is going to make it to the eNodeB. So the eNodeB is going to send additional, basically fine-tuning, parameters for one of them.
But the point is, with message two, both of them are going to receive message two. So at this point, both of them think that they are succeeding. So at that point the eNodeB actually has to have a way to signal only one UE to proceed and the rest of them to back off. And that's the point at which it requests every UE
to send a 48-bit CRI message. And then it's just going to rebroadcast the one that it has received. That is going to surely indicate to one UE that it can succeed, and the rest of the UEs are going to basically
back off and retry. So before I get into the solution that works, I know maybe some of you are already thinking about some solution ideas. So let's talk about them and why they do not work. So what about pre-setting the CRI in the phone? Why do the phones have to randomly select them?
What if we hard code all the phones to make it like a MAC address? So they have to use the same thing. There are actually some privacy concerns with that. There are already attacks on privacy in LTE and 5G, and we have lots of techniques for catching people's phone numbers and IMSIs. So tying any fixed identity
that can be broadcast everywhere to the device can lead to privacy issues for the users. So this is not like Wi-Fi, which is a local network; it is a global network. Another one is a shared secret. No, there is no shared secret between the UE and the eNodeB at this point, because all the cell towers are required
to do this interaction with devices even if they don't have any identity or SIM card. So what about crypto hashing and salting, right? That's a good thing, crypto, the fun stuff. That in fact doesn't work because, first of all,
if you think about message three and the message four broadcast: if the eNodeB tries to basically hash what it puts in message four, so that the designated UE can just check the hash, or recompute the hash and compare and proceed, and the rest of them are going to back off,
you have to basically, even if it starts using a salting technique, the most sophisticated way to put it, even if it is using salting, it has to ship the salt string together with the hash. But does it really prevent Ricky and Trudy
from exchanging messages? Not, not that much. It just adds a little bit of computational complexity to the mix. But in fact, Ricky can still recompute, because it's going to have the hashing algorithm, it's going to have the salt, and it's going to be able to compute these values
for any set of known codebook messages that they decide to use, and they can just stick to that codebook. So it can slightly slow them down, but it's not going to solve the bigger problem. Also, the eNodeB cannot distinguish between Trudy and the other users. So any attempt at blocking some of the signals, if they repeat successively,
is going to have a performance impact. So the actual users have to pay the cost, and as I mentioned before, the operators are reluctant to take such necessary steps. So what is the real solution? This is the solution I put together to be proposed to the standards. So the remediation has to come at the standard level,
which actually might have applications in other fields. I call it an extensible loss-induced security hashing algorithm. What it does is just add one layer of entropy over the salting and hashing that we were talking about. So the first few steps are very similar.
So we do some salting. Once the eNodeB receives message three, it's going to apply salting and apply the crypto hash. Right there, I came up with a new salting algorithm called random multiplicative salting. It's a new algorithm that helps
reduce the collision probability when you're using crypto hash functions with short strings like the CRI. And then after that, it starts applying random erasure to the output of the hash function. So it decides not to transmit all the bits
that come from the hash digest, but randomly selects a bunch of them and sends them out in message four, so that the intended UE essentially has all the information to repeat the same process and compare the output; if it matches, it can proceed, and if it doesn't match, it has to back off.
So that means that in addition to the salt, we also have to ship a bit string that indicates which bits we have selected and which bits we have not selected from the output of the crypto hash, all together to the UE. So that's what I call the bit mask.
As you can see, in this case, there are two advantages to this that make it impossible for Trudy and Ricky to communicate. First of all, they were reconstructing rainbow tables and recomputing the hash for the codebook, but the point is that with the layer of erasure that we put in between,
they cannot create a codebook that both can be recomputed by a hashing algorithm and at the same time has error-correcting features and capabilities in it. So enabling those erasures and errors in their communication is going to totally reduce their chance
to correct those errors, so that their whole communication scheme is going to fall apart. Another key point to mention here is about the cost, right? I mean, there is never a free lunch out there. So that's the whole point in engineering: whenever we're trying to improve things, we have to pay a cost, but is the cost we are paying the right cost?
In this case, as you can see, we significantly increase the number of bits we are replying with in message four, instead of replying with 48 bits. So for example with an MD5 hash, instead of playing back 48 bits, we might be playing back about 200 bits, but that's not a problem with LTE and 5G and the amount of bandwidth and resources that are available for this.
This is not going to be a big cost to pay, really, for preventing this. As a matter of fact, what we are proposing here is going to be more of an optional secure RACH. So it doesn't have to be implemented everywhere across the network, but maybe the operators want to implement it
near some critical facilities and areas where they are requested to do so. So I would like to get to the wrap-up points here. I'm going to turn quickly to Chuck to share his concluding bits about the story. He's been observing me all along
working through this. So I would also like to have him share his feedback with you. Chuck. Thank you, Reza. When Reza came to me and said, "I think I figured something out in the MAC layer and we can smuggle messages in and out of a cell phone network," I was like, no, there's no way. MAC layers are boring. The best you can do with anything like that is
get from port one to port two on a switch. But just because it's layer two doesn't mean that it's localized. And I think that's something that I really took away from all of this. We also really don't think that LTE and 5G are the only systems that are vulnerable
to these types of attacks. If you just start digging around some of the MAC layer protocols that are used by satellites, there seem to be about 10 to 20 of them. And that would give you a lot farther reach than anything that's terrestrial based. There's a whole host of other radio broadcast signals out there as well,
from 802.11 to Bluetooth to LoRaWAN to other things that can probably be abused in similar fashions. Also, just to note, LTE and 5G are now for everyone. With a budget of about the same as a gaming computer, you can buy enough equipment now to build your own LTE network,
and even the FCC has granted spectrum for you to go and play around with it in your own sort of private space, which is pretty wild. So yeah, we'd also like to say thank you to many people on our team, including Befe and Luca. And Reza would like to say thank you to a few others too. Yes, thanks, Chuck.
I'm going to thank Chuck for all the work and support that he offered me during the CFP process and putting this talk together. Also, the ATI management staff, Chris, Steve MacGregory, the cool boss I mentioned early on, who inspired me
to go through this whole discovery. And also, I would like to thank our Keysight IP program coordinator, Pete Marisko, who did a great job of sticking to a very fast timeline so that I can share the remediation bits here with you. And in general, I really thank DEF CON. It's been a really great experience for me.
And I really love to continue being engaged in the community. Thank you.
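The following is an added example, not code from the talk or from Keysight, modelling the proposed secure-RACH message four: the eNodeB salts and hashes the received 48-bit CRI, randomly erases most digest bits, and ships the salt, the bit mask and the surviving bits; only the UE holding the original CRI can recompute and match. A plain salt prefix stands in for the talk's random multiplicative salting, and SHA-256, an 8-byte salt and a 64-bit reveal budget are assumptions made here.

```python
import hashlib
import secrets
from dataclasses import dataclass

CRI_BITS = 48        # Msg3 contention resolution identity length (from the talk)
DIGEST_BITS = 256    # SHA-256 digest length; hash choice is an assumption here
SALT_BYTES = 8       # constructed parameter, not from the talk
KEEP_BITS = 64       # digest bits revealed in Msg4; constructed parameter


@dataclass(frozen=True)
class Msg4:
    salt: bytes      # shipped in the clear so the UE can recompute the hash
    mask: int        # DIGEST_BITS-wide bit mask: 1 = this digest bit is transmitted
    revealed: int    # the selected digest bits, packed in ascending bit-index order


def salted_digest(cri: int, salt: bytes) -> int:
    # Salt-prefix hashing; stand-in for the talk's "random multiplicative salting".
    data = salt + cri.to_bytes(CRI_BITS // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def erase(digest: int, mask: int) -> int:
    # Random erasure: keep only the digest bits selected by the mask.
    out = 0
    for i in range(DIGEST_BITS):
        if (mask >> i) & 1:
            out = (out << 1) | ((digest >> i) & 1)
    return out


def random_mask(keep_bits: int) -> int:
    # eNodeB side: choose which digest bits survive, fresh for every Msg4.
    mask = 0
    for pos in secrets.SystemRandom().sample(range(DIGEST_BITS), keep_bits):
        mask |= 1 << pos
    return mask


def build_msg4(received_cri: int, salt: bytes, mask: int) -> Msg4:
    # eNodeB side: hash the winning CRI, erase, and broadcast salt + mask + bits.
    return Msg4(salt, mask, erase(salted_digest(received_cri, salt), mask))


def ue_accepts(own_cri: int, msg4: Msg4) -> bool:
    # UE side: repeat the process with its own CRI; proceed only on a match.
    return erase(salted_digest(own_cri, msg4.salt), msg4.mask) == msg4.revealed


def msg4_bits(keep_bits: int) -> int:
    # Over-the-air cost of the proposed Msg4 versus the plain 48-bit CRI echo.
    return SALT_BYTES * 8 + DIGEST_BITS + keep_bits


if __name__ == "__main__":
    winner, loser = 0x123456789ABC, 0x123456789ABD   # constructed CRIs
    msg4 = build_msg4(winner, secrets.token_bytes(SALT_BYTES), random_mask(KEEP_BITS))
    print("winner proceeds:", ue_accepts(winner, msg4))
    print("loser backs off:", not ue_accepts(loser, msg4))
    print("Msg4 bits:", msg4_bits(KEEP_BITS), "vs 48")
```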