1. WO2020112292 - METHODS AND SYSTEMS FOR DETECTING AND RESPONDING TO PAGING CHANNEL ATTACKS

Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters

CLAIMS

What is claimed is:

1. A method of countering a shared paging channel hijack attack, comprising:

monitoring, by a processor of a wireless device, a shared paging channel during a paging occasion in a discontinuous reception (DRX) cycle to detect a first international mobile subscriber identity (IMSI) based paging message in the paging occasion;

continuing monitoring, by the processor, for IMSI-based paging in subsequent radio subframes in a paging frame after receiving the first IMSI-based paging message;

continuing monitoring, by the processor, for IMSI-based paging in one or more radio subframes in one or more subsequent radio frames within the DRX cycle;

continuing monitoring, by the processor, for IMSI-based paging in one or more subsequent DRX cycles;

determining, based on the monitoring, whether one or more subframes that are not the paging occasion receive an IMSI-based paging message; and

adjusting a rogue probability for a base station in response to determining that one or more subframes that are not the paging occasion receives the IMSI-based paging message.

2. The method of claim 1, further comprising determining, based on the monitoring, whether there are repeated IMSI-based paging messages, wherein adjusting the rogue probability for the base station in response to determining that another subframe that is not the paging occasion receives the IMSI-based paging message comprises adjusting the rogue probability for the base station in response to determining that another subframe that is not the paging occasion receives the IMSI-based paging message or that there are repeated IMSI-based paging messages.

3. The method of claim 2, further comprising performing an operation to protect against the shared paging channel hijack attack in response to determining that another subframe that is not the paging occasion receives the IMSI-based paging message or that there are repeated IMSI-based paging messages.

4. The method of claim 3, further comprising determining whether the wireless device during monitoring increments an attach request counter each time it detects the IMSI-based paging message in a subframe that is not the paging occasion,

wherein performing the operation to protect against the shared paging channel hijack attack in response to determining that one or more subframes that are not the paging occasion receives the IMSI-based paging message comprises performing the operation to protect against the shared paging channel hijack attack in response to detecting that one or more subframes that are not the paging occasion receives the IMSI-based paging message and in response to determining that the wireless device does increment an attach request counter each time it detects the subframe that is not the paging occasion that received the IMSI-based paging message.

5. The method of claim 3, wherein performing the operation to protect against the shared paging channel hijack attack in response to detecting that one or more subframes that are not the paging occasion receives the IMSI-based paging message comprises performing one of:

ignoring future paging messages from a base station that transmitted the first set of one or more IMSI-based paging messages;

detaching from the base station that transmitted the first set of one or more IMSI-based paging messages; or

generating and sending a notification message to a security server.

6. The method of claim 1, wherein adjusting the rogue probability for the base station comprises adjusting a probability value that indicates a likelihood that a base station that transmitted the first set of one or more IMSI-based paging messages is not a legitimate base station authorized by a service provider network associated with the wireless device, the method further comprising:

determining whether the rogue probability exceeds a threshold; and

performing an operation to protect against a rogue base station in response to determining that the rogue probability exceeds the threshold.

7. The method of claim 1, further comprising:

performing monitoring, by the processor, of subsequent radio subframes for additional indications of a rogue base station in response to determining that another subframe receives the IMSI-based paging message or that there are repeated IMSI-based paging messages; and

adjusting the rogue probability in response to detecting the additional indications of the rogue base station.

8. The method of claim 1, further comprising:

performing monitoring of subsequent radio subframes for additional indications of a rogue base station by comparing radio resource control (RRC) connection setup parameters from a previous RRC connection setup to determine whether signaling radio bearers (SRB) channels setup are different for two base stations with the same cell ID parameter, same SIB1 information and same SIB2 information; and

adjusting a threat score for a base station that transmitted the first set of one or more IMSI-based paging messages from among a plurality of base stations that broadcasted themselves with the same Cell ID, and substantially similar SIB1s, and substantially similar SIB2s.

9. The method of claim 1, further comprising:

detecting a current IMSI leak attack;

recording an event in memory that indicates that the wireless device was subject to the current IMSI leak attack;

recording information identifying the base station that triggered the current IMSI leak attack;

recording a location and time associated with the current IMSI leak attack;

comparing the information recorded for previous IMSI leak attacks with the current IMSI leak attack; and

adjusting the rogue probability based on the recorded information.

10. The method of claim 1, further comprising:

storing a record of signal strength values of one or more previous base stations that the wireless device camped and successfully connected to with security context set up;

determining a first signal strength value for a base station that transmitted the first set of one or more IMSI-based paging messages;

identifying one or more previous base stations in the one or more previous base stations that the wireless device camped and successfully connected to with security context set up that have similar characteristics to the base station that transmitted the first set of one or more IMSI-based paging messages;

determining whether a difference between the first signal strength value and a recorded signal strength value associated with at least one of the identified previous base stations having matching characteristics exceeds a threshold value; and

increasing the rogue probability in response to determining that the difference between the first signal strength value and the recorded signal strength value associated with the at least one of the identified previous base stations having matching characteristics exceeds the threshold value.

11. The method of claim 1, further comprising:

determining whether ‘channel config’ and ‘power config’ parameters/timers are different in two channels; and

increasing the rogue probability in response to determining that the channel config and power config parameters/timers are different.

12. The method of claim 1, further comprising:

disabling monitoring of and preventing connection attempts to a base station that transmitted the first IMSI-based paging message for a period of time in response to determining one or more subframes that are not the paging occasion receives the IMSI-based paging message or in response to determining that the rogue probability for the base station exceeds a threat threshold due to receiving repeated IMSI paging from the base station;

continuing to monitor other base stations for IMSI-based paging messages;

incrementing a monitoring disabled value that indicates a number of times that monitoring has been disabled for the base station;

exponentially incrementing the period of time for which the monitoring remains disabled for the base station by the wireless device in response to determining that the monitoring disabled value of the base station exceeds a threshold value; and

preventing any connection to the base station while the monitoring for IMSI-based paging is disabled due to the monitoring disabled value exceeding the threshold value for the base station.

13. The method of claim 1, further comprising:

determining whether a current network operator is commonly using IMSI-based paging by keeping track of a usage of IMSI-based paging on paging occasions for various base stations by the same operator that the wireless device was connected to earlier;

determining whether there are IMSI-based paging messages outside of the paging occasion in the monitored subsequent DRX cycles;

suspending monitoring in response to determining that there are no IMSI-based paging messages that are outside of the paging occasion in the monitored subsequent DRX cycles for a base station operated by an operator determined to be commonly using IMSI paging; and

reducing the rate in which the probability of threat is increased on each detection of IMSI paging in the paging occasion whenever monitoring is enabled until finally monitoring is suspended.

14. A wireless device, comprising:

a wireless transceiver; and

a processor coupled to the wireless transceiver and configured with processor-executable instructions to perform operations comprising:

monitoring a shared paging channel during a paging occasion in a discontinuous reception (DRX) cycle to detect a first international mobile subscriber identity (IMSI) based paging message in the paging occasion;

continuing monitoring for IMSI-based paging in subsequent radio subframes in a paging frame after receiving the first IMSI-based paging message;

continuing monitoring for IMSI-based paging in one or more radio subframes in one or more subsequent radio frames within the DRX cycle;

continuing monitoring for IMSI-based paging in one or more subsequent DRX cycles;

determining, based on the monitoring, whether one or more subframes that are not the paging occasion receive an IMSI-based paging message; and

adjusting a rogue probability for a base station in response to determining that one or more subframes that are not the paging occasion receives the IMSI-based paging message.

15. The wireless device of claim 14, wherein:

the processor is configured with processor-executable instructions to perform operations further comprising determining, based on the monitoring, whether there are repeated IMSI-based paging messages; and

the processor is configured with processor-executable instructions to perform operations such that adjusting the rogue probability for the base station in response to determining that one or more subframes that are not the paging occasion receives the IMSI-based paging message comprises adjusting the rogue probability for the base station in response to determining that one or more subframes that are not the paging occasion receives the IMSI-based paging message or that there are repeated IMSI-based paging messages in any subframes that can also include the subframe that is the paging occasion.

16. The wireless device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations further comprising

performing an operation to protect against a shared paging channel hijack attack in response to determining that one or more subframes that are not the paging occasion receives the IMSI-based paging message or that there are repeated IMSI-based paging messages in any subframes that can include the paging occasion.

17. The wireless device of claim 16, wherein:

the processor is configured with processor-executable instructions to perform operations further comprising determining whether the wireless device during monitoring increments an attach request counter each time it detects the IMSI-based paging message in a subframe that is not the paging occasion; and

wherein the processor is configured with processor-executable instructions to perform operations such that performing the operation to protect against the shared paging channel hijack attack in response to determining that one or more subframes that are not the paging occasion receives the IMSI-based paging message comprises

performing the operation to protect against the shared paging channel hijack attack in response to detecting that one or more subframes that are not the paging occasion receives the IMSI-based paging message and in response to determining that the wireless device does increment an attach request counter each time it detects the subframe that is not the paging occasion that received the IMSI-based paging message.

18. The wireless device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that performing the operation to protect against the shared paging channel hijack attack in response to detecting that one or more subframes that are not the paging occasion receives the IMSI-based paging message comprises performing one of:

ignoring future paging messages from a base station that transmitted the one or more IMSI-based paging messages;

detaching from the base station that transmitted the one or more IMSI-based paging messages; or

generating and sending a notification message to a security server.

19. The wireless device of claim 14, wherein:

the processor is configured with processor-executable instructions to perform operations such that adjusting the rogue probability for the base station comprises adjusting a probability value that indicates a likelihood that a base station that transmitted the one or more IMSI-based paging messages is not a legitimate base station authorized by a service provider network associated with the wireless device; and

wherein the processor is configured with processor-executable instructions to perform operations further comprising:

determining whether the rogue probability exceeds a threshold; and

performing an operation to protect against a rogue base station in response to determining that the rogue probability exceeds the threshold.

20. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

performing monitoring, by the processor, of subsequent radio subframes for additional indications of a rogue base station in response to determining that another subframe receives the IMSI-based paging message or that there are repeated IMSI-based paging messages; and

adjusting the rogue probability in response to detecting the additional indications of the rogue base station.

21. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

performing monitoring of subsequent radio subframes for additional indications of a rogue base station by comparing radio resource control (RRC) connection setup parameters from a previous RRC connection setup to determine whether signaling radio bearers (SRB) channels setup are different for two base stations with the same cell ID parameter, same SIB1 information and same SIB2 information; and

adjusting a threat score for a base station that transmitted the first IMSI-based paging message from among a plurality of base stations that broadcasted themselves with the same Cell ID, and substantially similar SIB1s, and substantially similar SIB2s.

22. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

detecting a current IMSI leak attack;

recording an event in memory that indicates that the wireless device was subject to the current IMSI leak attack;

recording information identifying the base station that triggered the current IMSI leak attack;

recording a location and time associated with the current IMSI leak attack;

comparing the information recorded for previous IMSI leak attacks with the current IMSI leak attack; and

adjusting the rogue probability based on the recorded information.

23. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

storing a record of signal strength values of one or more previous base stations that the wireless device camped and successfully connected to with security context set up;

determining a first signal strength value for a base station that transmitted the one or more IMSI-based paging messages;

identifying one or more previous base stations in the one or more previous base stations that the wireless device camped and successfully connected to with security context set up that have similar characteristics to the base station that transmitted the one or more IMSI-based paging messages;

determining whether a difference between the first signal strength value and a recorded signal strength value associated with at least one of the identified previous base stations having matching characteristics exceeds a threshold value; and

increasing the rogue probability in response to determining that the difference between the first signal strength value and the recorded signal strength value associated with the at least one of the identified previous base stations having matching characteristics exceeds the threshold value.

24. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

determining whether ‘channel config’ and ‘power config’ parameters/timers are different in two channels; and

increasing the rogue probability in response to determining that the channel config and power config parameters/timers are different.

25. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

disabling monitoring of and preventing connection attempts to a base station that transmitted the one or more IMSI-based paging messages for a period of time in response to determining one or more subframes that are not the paging occasion receives the IMSI-based paging messages or in response to determining that the rogue probability for the base station exceeds a threat threshold due to receiving repeated IMSI paging from the base station in any subframes that can also include the subframe that is the paging occasion;

continuing to monitor other base stations for IMSI-based paging messages;

incrementing a monitoring disabled value that indicates a number of times that monitoring has been disabled for the base station;

exponentially incrementing the period of time for which the monitoring remains disabled for the base station by the wireless device in response to determining that the monitoring disabled value of the base station exceeds a threshold value; and

preventing any connection to the base station while the monitoring for IMSI-based paging is disabled due to the monitoring disabled value exceeding the threshold value for the base station.

26. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

determining whether the current network operator is commonly using IMSI-based paging by keeping track of usage of IMSI-based paging on paging occasions for various base stations by the same operator that the wireless device was connected to earlier;

determining whether there are IMSI-based paging messages outside of the paging occasion in the monitored subsequent DRX cycles;

suspending monitoring in response to determining that there are no IMSI-based paging messages that are outside of the paging occasion in the monitored subsequent DRX cycles for a base station operated by an operator determined to be commonly using IMSI paging; and

reducing the rate in which the probability of threat is increased on each detection of IMSI paging in the paging occasion whenever monitoring is enabled until finally monitoring is suspended.

27. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a wireless device to perform operations for countering a shared paging channel hijack attack, the operations comprising:

monitoring a shared paging channel during a paging occasion in a discontinuous reception (DRX) cycle to detect a first international mobile subscriber identity (IMSI) based paging message in the paging occasion;

continuing monitoring for IMSI-based paging in subsequent radio subframes in a paging frame after receiving the first IMSI-based paging message;

continuing monitoring for IMSI-based paging in one or more radio subframes in one or more subsequent radio frames within the DRX cycle;

continuing monitoring for IMSI-based paging in one or more subsequent DRX cycles;

determining, based on the monitoring, whether one or more subframes that are not the paging occasion receive an IMSI-based paging message; and

adjusting a rogue probability for a base station in response to determining that another subframe that is not the paging occasion receives the IMSI-based paging message.

28. The non-transitory computer readable storage medium of claim 27, wherein:

the stored processor-executable software instructions are configured to cause the processor of the wireless device to perform operations further comprising determining, based on the monitoring, whether there are repeated IMSI-based paging messages; and

wherein the stored processor-executable software instructions are configured to cause the processor of the wireless device to perform operations such that adjusting the rogue probability for the base station in response to determining that one or more subframes that are not the paging occasion receives the IMSI-based paging messages comprises adjusting the rogue probability for the base station in response to determining that one or more subframes that are not the paging occasion receives the IMSI-based paging messages or that there are repeated IMSI-based paging messages in any subframes that can also include the subframe that is the paging occasion.

29. The non-transitory computer readable storage medium of claim 28, wherein the stored processor-executable software instructions are configured to cause the processor of the wireless device to perform operations further comprising:

determining whether the wireless device during monitoring increments an attach request counter each time it detects the IMSI-based paging message in a subframe that is not the paging occasion; and

performing an operation to protect against the shared paging channel hijack attack in response to detecting that one or more subframes that are not the paging occasion receives the IMSI-based paging messages and in response to determining that the wireless device does increment an attach request counter each time it detects the subframe that is not the paging occasion that received the IMSI-based paging message.

30. A wireless device, comprising:

means for monitoring a shared paging channel during a paging occasion in a discontinuous reception (DRX) cycle to detect a first international mobile subscriber identity (IMSI) based paging message in the paging occasion;

means for monitoring for IMSI-based paging in subsequent radio subframes in a paging frame after receiving the first IMSI-based paging message;

means for monitoring for IMSI-based paging in one or more radio subframes in one or more subsequent radio frames within the DRX cycle;

means for monitoring for IMSI-based paging in one or more subsequent DRX cycles;

means for determining, based on the monitoring, whether one or more subframes that are not the paging occasion receive an IMSI-based paging message; and

means for adjusting a rogue probability for a base station in response to determining that one or more subframes that are not the paging occasion receives the IMSI-based paging message.
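
The detection and response logic recited in claims 1, 2, 6 and 12, sketched as an added example that is not part of the patent text or any vendor implementation. The paging frame and paging occasion are derived with the LTE FDD formula from 3GPP TS 36.304 (not stated on this page); the score steps, threshold, block period and all event data are assumptions constructed for illustration, and the rogue probability is held as an integer percentage.

```python
from dataclasses import dataclass

# FDD paging-occasion subframes from 3GPP TS 36.304, keyed by Ns, indexed by i_s.
PO_SUBFRAME = {1: [9], 2: [4, 9], 4: [0, 4, 5, 9]}

# Assumed tuning values (percentage points and seconds); the claims give no numbers.
OFF_PO_STEP = 35     # IMSI page in a subframe that is not the paging occasion
REPEAT_STEP = 15     # repeated IMSI page inside the paging occasion
THRESHOLD = 60       # rogue score above which the cell is blocked
BASE_BLOCK_S = 60    # initial block period
BACKOFF_AFTER = 2    # "monitoring disabled value" threshold before doubling starts


def paging_occasion(imsi, T, nB):
    """Return (pf_offset, subframe); paging frames satisfy SFN % T == pf_offset.

    T is the DRX cycle in radio frames, nB the paging occasions per cycle.
    """
    ue_id = imsi % 1024
    N, Ns = min(T, nB), max(1, nB // T)
    return (T // N) * (ue_id % N), PO_SUBFRAME[Ns][(ue_id // N) % Ns]


def block_period(disabled_count):
    """Block duration in seconds; doubles once the count exceeds BACKOFF_AFTER."""
    return BASE_BLOCK_S * 2 ** max(0, disabled_count - BACKOFF_AFTER)


@dataclass
class CellState:
    rogue_pct: int = 0
    imsi_pages_in_po: int = 0
    disabled_count: int = 0
    blocked_until: float = 0.0


class PagingMonitor:
    def __init__(self, imsi, T, nB):
        self.imsi, self.T = imsi, T
        self.pf_offset, self.po_subframe = paging_occasion(imsi, T, nB)
        self.cells = {}   # per-cell state, so other cells stay monitored

    def observe(self, now, cell_id, sfn, subframe, paged_imsi):
        """Score one decoded paging record and return the resulting action."""
        st = self.cells.setdefault(cell_id, CellState())
        if now < st.blocked_until:
            return "blocked"            # no monitoring, no connection attempts
        if paged_imsi != self.imsi:
            return "ignore"
        in_po = sfn % self.T == self.pf_offset and subframe == self.po_subframe
        if not in_po:
            st.rogue_pct = min(100, st.rogue_pct + OFF_PO_STEP)
        else:
            st.imsi_pages_in_po += 1
            if st.imsi_pages_in_po > 1:  # repeated IMSI paging
                st.rogue_pct = min(100, st.rogue_pct + REPEAT_STEP)
        if st.rogue_pct <= THRESHOLD:
            return "monitor"
        st.disabled_count += 1
        st.blocked_until = now + block_period(st.disabled_count)
        return "block"


def replay(monitor, events):
    return [monitor.observe(*e) for e in events]


# Constructed sample: test-PLMN IMSI 001010123456789 (leading zeros dropped).
# Records are (time_s, cell_id, sfn, subframe, paged_imsi).
IMSI, OTHER = 1010123456789, 1010987654321
EVENTS = [
    (0.0, 101, 21, 9, IMSI),    # in the paging occasion, first page
    (1.0, 101, 149, 9, OTHER),  # page for another subscriber
    (2.0, 202, 21, 9, IMSI),    # cell 202, in the paging occasion
    (2.1, 202, 22, 0, IMSI),    # outside the paging occasion
    (2.2, 202, 22, 1, IMSI),    # outside again, crosses the threshold
    (2.3, 202, 22, 2, IMSI),    # arrives while cell 202 is blocked
    (3.0, 101, 277, 9, IMSI),   # repeated page in the paging occasion on cell 101
]

if __name__ == "__main__":
    print(replay(PagingMonitor(IMSI, T=128, nB=128), EVENTS))
```
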