The control and management of mobile networks is shifting from manual to automatic in order to boost performance and efficiency and reduce expenditures. Especially, base stations in today's 4G/LTE networks can automatically configure and operate themselves which is technically referred to as Self Organizing Networks (SON). Additionally, they can auto-tune themselves by learning from their surrounding base stations. This talk inspects the consequences of operating a rogue base station in an automated 4G/LTE network. We exploit the weaknesses we discovered in 4G/LTE mobile phones and SON protocols to inject malicious packets into the network. We demonstrate several attacks against the network and discuss mitigation from the mobile network operators perspective.
My presentation in the One day National Level Workshop on
Privacy and Data Security in Online Social Media organised by Department of Mechanical Engineering, Sri Ramakrishna Institute of Technology.
My presentation in the One day National Level Workshop on
Privacy and Data Security in Online Social Media organised by Department of Mechanical Engineering, Sri Ramakrishna Institute of Technology.
HITCON 2015 - Building Automation and Control: Hacking Subsidized Energy Savi...Philippe Lin
BACnet is an ANSI/ISO protocol for building automation and control systems for applications such as heating, ventilation, air-conditioning control, lighting control, etc. (Wikipedia) In this talk, we will demonstrate how to use Shodan to find BACnet devices exposed on the Internet, and to retrieve and analyze information from them. We will also discuss possible security impacts and take subsidized installation in Taiwanese schools as an example.
As of July 29, we found in TW 48 BACnet devices, 59 Ethernet/IP, 23 Moxa NPort. At least 14 of the devices are prone to unauthorized browse and/or changes.
Taking a closer look at level 0 and level 1 securityMatt Loong
Notwithstanding the importance of network monitoring in protecting industrial control systems, it is also important to understand the nuts and bolts of Level 0 and Level 1 devices to defend the system holistically. This presentation provides a brief introduction to process anomaly detection, which complements network anomaly detection.
HITCON 2015 - Building Automation and Control: Hacking Subsidized Energy Savi...Philippe Lin
BACnet is an ANSI/ISO protocol for building automation and control systems for applications such as heating, ventilation, air-conditioning control, lighting control, etc. (Wikipedia) In this talk, we will demonstrate how to use Shodan to find BACnet devices exposed on the Internet, and to retrieve and analyze information from them. We will also discuss possible security impacts and take subsidized installation in Taiwanese schools as an example.
As of July 29, we found in TW 48 BACnet devices, 59 Ethernet/IP, 23 Moxa NPort. At least 14 of the devices are prone to unauthorized browse and/or changes.
Taking a closer look at level 0 and level 1 securityMatt Loong
Notwithstanding the importance of network monitoring in protecting industrial control systems, it is also important to understand the nuts and bolts of Level 0 and Level 1 devices to defend the system holistically. This presentation provides a brief introduction to process anomaly detection, which complements network anomaly detection.
An study material for IOT standardization and protocols.
Protocol Standardization for IoT – Efforts – M2M and WSN Protocols – SCADA and RFIDProtocols –
Issues with IoT Standardization – Unified Data Standards – Protocols – IEEE802.15.4–BACNet Protocol–
Modbus – KNX – Zigbee– Network layer – APS layer – Security
Keynote presentation on the Internet of Things given by Paul Wilson, Director General at APNIC, at the inaugural Taiwan Internet Forum, held in Taipei, Taiwan from 8 December 2015
Link labs 2 g 3g cdma transition webinar slidesBrian Ray
Join us as Link Labs VP of Business Development and Cellular IoT Product Director, Glenn Schatz, discusses what to expect from the end-of-life of several cellular technologies, how companies can avoid being caught without a transition plan, and how business and product leaders can leverage this potential disruption as an opportunity to build a new Internet of Things (IoT) strategy.
Link labs 2G 3G CDMA transition webinar slidesBrian Ray
Join us as Link Labs VP of Business Development and Cellular IoT Product Director, Glenn Schatz, discusses what to expect from the end-of-life of several cellular technologies, how companies can avoid being caught without a transition plan, and how business and product leaders can leverage this potential disruption as an opportunity to build a new Internet of Things (IoT) strategy.
Link labs LTE-M NB-IOT Hype Webinar slidesBrian Ray
Join us as Link Labs VP of Business Development and Cellular IoT Product Director, Glenn Schatz, discusses common misconceptions about LTE Cat-M1 and Cat-NB1 (NB-IoT), as well as how business and product leaders can use these transformative technologies to deliver value to their customers, while avoiding some of the pitfalls companies face when embarking on this journey.
In this Webinar we will cover:
What are the key features and benefits of LTE Cat-M1 and NB-IoT?
What is the state of devices and network availability today?
How do the various low-power modes work (PSM, eDRX, and vendor-specific), and how can they be used in my application?
What are some of the risks and challenges of developing a product with one of these technologies?
How much do these devices cost? What do the data plans look like?
What is in store for the future with 2G and 3G sunsets (both CDMA and GSM) and the emergence of 5G?
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, list them, and map to other relevant projects such as STRIDE & MITRE. Security professionals can better understand what are the common attack vectors that are utilized in attacks, examples for previous events, and where they should focus their controls and security efforts.
Discuss Security Incidents & Business Use Case, Understanding Web 3 Pros
and Web 3 Cons. Prevention mechanism and how to make sure that it doesn’t happen to you?
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Knowledge engineering: from people to machines and back
LTE Network Automation Under Threat
1. LTE Network Automation
under Threat
Altaf Shaik
(Technische Universität Berlin & Kaitiaki Labs)
Ravishankar Borgaonkar
(SINTEF Digital & Kaitiaki Labs)
8 August 2018
KAITIAKI
Blackhat USA 2018, Las Vegas
2. We Do…
• Mobile network and devices security
• Telecommunication protocol and device analysis
• Attacks and defenses
• Secure network building
8 August 2018
KAITIAKI
3. Overview
• 4G/LTE & SON operations
• Vulnerabilities and exploitation
• Setup and DoS attacks
• Impact and status
• Mitigations
• Takeaways
8 August 2018
4. Mobile Network Architecture
8 August 2018
• UE: User Equipment
• eNodeB: Evolved NodeB
• X2: New interface connecting
eNodeBs
• P: Propreitary
6. Our Focus – Network Automation
• Favorite Target we know ->
• What about attacking base stations ->
• Is it possible?
• Remotely, without detection?
• Base stations can operate automatically (self operated)
• Self Organized Network (SON)
8 August 2018
7. Self Organized Network (SON)
• New X2 interface in LTE
• Plug & play network elements - Low CAPEX and OPEX
• Base stations - Automatic configure and control
• 3GPP standardized from LTE Rel. 8 (32.500)
• 5G SON : low-latency, end-to-end intelligent, complex networks
8 August 2018
X2
8. SON
• Software package installed on eNodeB or OAM
• Mix of standards and implementations
• Vendor implementations (UltraSON, Elastic-SON, NGSON, AirSON)
• 90% Operators support SON
• No reported attacks till now..!
8 August 2018
10. 8 August 2018
SON Operation in Practice
Self-Configuration
Self-Optimization
Self-Healing
Control System
11. SON Technical Features
• ANR – Automatic Neighbor Relation
• Discover & add new base stations into the network
• PCI Optimization
• Solve adjacent cell ID conflicts
• MRO – Mobility Robustness Optimization
• Control handover settings to adjust coverage
8 August 2018
12. SON Operation Modes
• Off
• Collect data, no parameter-change
• Manual apply
• Parameter-change with operator confirmation
• Automatic apply
• Automatic parameter change, autonomous operation
8 August 2018
13. SON Design Issue
information from phones & base stations
8 August 2018
SON logic and
intelligence
Trusted and Unverified
Design Flaw
17. LTE PCI Optimization
8 August 2018
• PCI: Physical Cell ID
• Adjacent cells: unique PCI, same frequency
• Network scanners, UE reports report PCI conflicts
• Same PCI: collision/confusion for UEs
• Handover failures, connection issues
122
PCI = 100
**eNodeB forced to change their config**
155
122
133
129
18. Automatic Neighbor Relation (ANR)
8 August 2018
• Discover new
eNodeBs
• Connect on X2
interface
X2
Source: 3GPP
19. Automatic Neighbor Relation (ANR)
8 August 2018
• Neighbor relation table
• No Remove
• NoHo : No Handover
• NoX2
**No attributes to authorize X2 setup** Source: 3GPP
20. LTE Handover
8 August 2018
• X2 connected handovers
• GSM vs LTE handover
• No neighbor cell list for UE – detect all
• Based on PCI and EARFCN only
**Reported Cells can be real or fake
– No verification**
X2
22. Handover Analysis
• Handover failure types
• Early HO, Late HO, HO to wrong cell
• Identify faults
• RLF reports (UE -> eNodeB)
• HO reports (eNodeB <-> eNodeB)
• Periodic KPI monitoring
• Solve faults, How?
• Adjust coverage settings
**HO blacklist (KPI < HO success threshold)**
8 August 2018
Handover success rate
Handover preparation success rate
Handover execution success rate
Handover problems – solutions
• Increase/decrease coverage
• Change cell index offset
23. Rogue Data Injection
• Measurement report
• Can contain false information (3GPP 36.331) - for handovers and ANR
• Radio Link Failure (RLF) report
• Can contain false information (3GPP 36.331) - for MRO
• Handover reports
• Reports between eNodeBs about handover failures - for MRO
• Information received from UE - content is not verified
• Attackers can inject rogue data
8 August 2018
24. Vulnerable Mobile Network Functions
• Cell detection and addition
• Cell ID interference detections
• LTE handover process
• Handover analysis
• Network coverage tuning
8 August 2018
26. Rogue eNodeB
• 200 $ setup
• Broadcast channels sufficient
• Spoof cell IDs of a legitimate eNodeB
• No interaction with UE
• Operating range depends on hardware
• 50 meters without amplifiers
• Open source software SRSLTE
• For testing - SON base stations, faraday cage
8 August 2018
27. 122
• Adjacent eNodeBs are connected via X2 (ANR)
• Rogue eNodeB - legitimate PCI and ECGI (133, 272, 112)
• UEs report PCI 133 to eNodeB
• ANR begins to add 133 to NRT
• Problem
• Zero control/authorize for X2 setup
• Effect
• X2 signaling flood when more cells are impersonated
• Handover failures
-> Exploiting X2 Signaling
8 August 2018
133
PCI = 100
133
X2
X2
NR PCI No
Remove
No
HO
No
X2
1 122 √
2 109 √
NR PCI No
Remove
No
HO
No
X2
1 122 √
2 109 √
3 133
28. 200
• Adjacent cells/eNodeBs use unique PCI to avoid collision
• Rogue eNodeB Broadcast legitimate PCIs (100, 200, 300)
• Problem
• Adjacent eNodeBs cannot use same PCI and starts optimization
• Effect
• Restart eNodeB/cell and choose a new PCI
• Restart time roughly 7-8 minutes
• Release the connected UEs to other base stations (2G/3G)
-> Remotely Kill & Restart LTE Base Station
8 August 2018
PCI = 100
100
200
300
300
29. 100
• UE in a voice call and sends periodic measurement reports
• Rogue eNodeB Broadcast legitimate neighboring PCI (100)
• Strong signal from PCI 100 causes handover
• PCI 100 already in neighbor list
• Problem
• Handover with false information
• Effect
• UE connects to rogue eNodeB – Handover hijacked
• RLF– report created against a real eNodeB
• Ongoing calls are dropped
-> Handover Hijacking (Dropping Calls)
8 August 2018
PCI = 200
100
Start X2
Handover
Handover
to PCI=100
Handover
failed
Re-establish
connectionrejectRLF report
Handover
30. Impact of Handover Hijacking
• Rogue eNodeB calumniates (defames) a real eNodeB
• RLF reports with false data
• Handover failures
• Coverage changes
• KPI drops – HO blacklisted or eNodeB/cell is shutdown
• 1 rogue eNodeB, 5 seconds – drop all cell (call + data) traffic..!
8 August 2018
31. Impact – Grand Scale
• Detection by operators – no known methods to detect
• Persistent attacks – time needed for SON to heal
• Full Paper : https://dl.acm.org/citation.cfm?id=3212497
8 August 2018
Subscriber Operator
Call and data drops eNodeB maintenance and repairs
Poor network coverage Poor network coverage
UE downgrades to 3G/2G Revenue loss
Customer complaints
33. Affected Products
• All LTE phones complying to 3GPP 36.331 >= Rel. 8
• 4 basebands vendors (based on tested UEs)
• All network products complying with 32.500 >= Rel.8
• 4 network vendors (based on available product documentation)
8 August 2018
34. Vulnerability Status
• Disclosed with two operators (SON experts) and GSMA
• Biggest European operators experts confirmed the issues
• Comments from GSMA and operators
• Switch to less automation – reduce risk
• PCI reallocation during maintenance period
• Unplug a defective eNodeB (not really defective)
• Difficulties to detect & add mitigations
• GSMA guidelines document (ongoing) – protection from rogue base stations
8 August 2018
35. Solutions
• Signed broadcast messages
• Prevent connection to rogue base stations (5G: NO, complicated design)
• Content verification
• Verify measurement reports from UE
• Compatibility issues, power issues, efficiency problems
• Adding actionable intelligence to SON
• Built-in baseband features to detect rogue base stations
• Ongoing work with a vendor
8 August 2018
36. Takeaways
• SON operate with unverified information from phones
• Current SON techniques cannot deal with Rogue base station attacks
• Lack of appropriate parameters for optimal automation decisions
• Automation lacks data verification and rely on few parameters
• A 200 $ rogue device can modify network configurations and turn it OFF..!
8 August 2018
37. 8 August 2018
Thank you
altaf329@sect.tu-berlin.de
rbbo@kth.se
director@kaitiaki.in