Professional Documents
Culture Documents
ing radio infrastructure. Section II presents a comprehensive achieve desired levels of protection against SPARROW attacks
framework to identify and exploit vulnerable procedures in while concurrently preserving user performance. Finally the
MAC protocols of Wireless Carrier Networks (WCN), such concluding remarks are presented in Section IX along with
as cellular and satellite communication. It shows how WCN acknowledgment notes.
user devices can be co-opted and transformed into SPARROW
devices that exploit the broadcast power of a WCN radio II. G ENERAL E XPLOITATION M ODEL
access node for the purposes of covert communication. Figure This section provides an overview of Wireless Carrier
1 illustrates the implicit communication channel between Networks (WCNs) architectures and their associated resources.
SPARROW devices and a victim cellular station, which acts Also provided is a novel methodology that can be used to
as an unwitting message relay. identify weaknesses in the MAC layer protocols utilized in
Section III details a new responsibly disclosed security these networks, which can be exploited by malicious actors to
vulnerability example, which involves LTE/5G random-access leverage a WCN’s broadcast resources for SPARROW covert
procedures. This vulnerability enables SPARROW mobile de- communication.
vices to exchanged short messages within a cell without con-
necting to the cellular network. The SPARROW devices can be
made identical to other user devices as far as size and transmit A. Overview of WCNs
power concerned. Detailed in Section IV, the SPARROW WCN is the general term adopted in this work to refer-
covert communication scheme can be shown to outperform ence technologies such as cellular (3G/LTE/5G), WiMAX and
existing covert techniques in terms of: maximum anonymity, Satellite Internet. WCNs are deployed by service providers
operation range and hardware footprint. These techniques can (operators) to offer secure wireless data connectivity to a
bypass all current security and lawful-interception systems, large number of users in wide geographical areas, often via
as well as all current spectrum monitoring and intelligence a subscription model. WCNs differ from end-user wireless
systems. This enables SPARROW attack techniques to be technologies, such as wireless local area networks (WLANs),
used in a wide variety of covert communication scenarios. in several key aspects including: resources, architecture and
Nevertheless, it will be appreciated that these techniques can user control.
also be used in good faith with the consent of incumbent A WCN can often be broken into two components: the
network operators in scenarios such as connection-less M2M Radio Access Network (RAN) and the Core Network (CN).
communication and disaster recovery efforts. The RAN consists of a network of radio access nodes (cellu-
Random-access procedures, which facilitate wireless link lar stations in cellular terminology), which provide wireless
establishment, are common in many wireless MAC protocols connectivity between user devices and the CN. The CN
and, in fact, the vulnerable one in 5G/LTE has been imple- hosts servers, which manage RAN operation and connect user
mented in the standards for over a decade. This fact was one of devices to other networks, such as the Internet. The standard
the primary motivations for developing a rigorous remediation governing a WCN typically involves several protocol layers,
scheme capable of hardening random-access procedures with collectively called control-plane, which define the interaction
respect to SPARROW threats in current and future wireless of user devices with the RAN and CN components. The
standards. Section V explores possible remediation strategies control-plane procedures are abstracted away from user ap-
and makes the case to move forward with a novel entropy- plications, which are only concerned with data connectivity to
leveraging strategy which involves the use of content obfus- the Internet (data-plane). Related to the scope of this work,
cation in unprotected broadcast messages. Section VI provides the Medium Access Control (MAC) protocol layer defines the
the mathematical foundation to analyze this entropy-leveraging interaction of a single radio access node with the user devices
strategy and understand the inherent trade-off between pro- in its coverage area.
tection and performance. This section culminates with the To enhance signal radiation, the radio access nodes can
analysis of two simple examples of the entropy leveraging have antennas mounted on tall structures or be installed on
scheme and their respective limitations in combating more satellites. It enables them to clearly communicate with user
sophisticated SPARROW attack schemes. Section VII pro- devices miles away over radio frequency (RF) signals that
poses an enhanced entropy leveraging scheme called ELISHA are otherwise blocked by terrestrial clutter, such as foliage
(entropy-leveraged irreversible security hashing algorithm), and buildings. High transmit power, licensed spectrum and
which is used to efficiently disrupt most advanced SPARROW higher altitudes are luxuries available to WCNs compared to
attacks with minimal impact on the network performance for other technologies, such as WLAN, that offer limited coverage
other users. This minimally disruptive performance is achieved indoors or under terrestrial clutter. Nowadays, it is hard to find
through a novel combination of cryptographic hash functions a neighborhood without WCN service coverage. Nevertheless,
and random bit operations. A rigorous analysis of this ad- these WCN operators must comply with numerous government
vanced technique and the associated efficacy and overheads is regulations concerning their resources, infrastructure, and the
provided to support the consideration and potential adoption users’ activity.
of the disclosed SPARROW mitigation approach(es) by the In most WCNs, the user devices have to authenticate with
relevant wireless standard setting organizations. The numerical a CN entity (e.g. AAA servers) before accessing any of the
results presented in Section VIII illustrate how to optimize the network services. In addition to user-credential registries, there
design parameters in an ELISHA-based mitigation scheme to are CN servers constantly collecting user activity metadata,
3
such as service usage, location, etc.. The metadata are then 3) Anonymous Uplink: Sending messages in M does not
consumed internally by the WCN operator or shared with reveal transmitter’s identity to the WCN.
government authorities in compliance with Lawful Intercept 4) Stateless Uplink: The protocol does not mandate any
(LI) regulations [7]. It should be noted that the MAC layer correlation between consecutive uplink messages in M,
protocols implemented by WCNs prohibit the user devices
P r(Xt = mi |Xt−∆t = mj ) = P r(Xt = mi ) , ∆t > τ
from engaging in untraceable peer-to-peer wireless commu-
nications, which this work aims to prove is currently still The condition for passive reception guarantees anonymity
possible. for Ricky implying that the cellular station broadcasts mes-
sages with the most basic modulation and coding scheme
B. Exploitation Scenario at the PHY layer. The second condition requires sufficiently
strong bijective correlation between the messages in Trudy’s
For the ease of illustration, a generic unidirectional covert code-book and their resulted downlink broadcast messages. It
communication scheme formulated for the following hypothet- would be ideal to have a deterministic bijectivity discovered
ical scenario exploiting cellular technology. It can be extended in the protocol standard documentation. Although, the same
to other WCN technologies without loss of generality: cellular station is serving other users who may confuse Ricky
Scenario 1. Trudy intrudes a cyber air-gaped facility under by accidentally triggering broadcast messages in B. Since
heavy surveillance and wishes to send a set of covert messages the presence of Ricky is unknown to the cellular station, he
to her counterpart Ricky with a passive receiver outside. To cannot rely on the reliability mechanisms built in most wireless
maintain their cover, both agents cannot connect to any IP standards. It is recommended the codewords in M having
networks. They also cannot use any ad-hoc radios due to integrity-check features to minimize degradation of bijectivity
spectrum surveillance and insufficient signal range. However, due to conditions caused by other users’ activities and PHY
both are equipped with low-power radio devices that can layer noise.
interact with a nearby cellular station. Trudy programs its Fig. 1 depicts how the vulnerability outlined in Proposition
device to exploit the vulnerability in its MAC layer protocol 1 leads to the execution of Scenario 1. Trudy and Ricky
to implicitly relay messages to Ricky without authenticating decide their optimal code-book and the target cellular station.
with the carrier’s network. Then Trudy transmits a codeword mi at a time that triggers
distinct broadcast signal bi from the cellular station received by
MAC layer protocol procedures can be expressed as a flow Ricky. This notifies Ricky about the transmission of mi from
of messages exchanged between each user device and a WCN Trudy according to the bijectivity condition. Thus, a virtual
radio access node. In this case, Trudy and Ricky are assumed low power covert communication channel (dotted red line) is
to have constructed a code-book for their communication established from Trudy to Ricky. This channel takes advantage
scheme. This code-book consists of a set of possible messages of the relatively high broadcast transmit power of the cellular
(codewords) that Trudy can transmit to Ricky. Let M = station. It also allows Trudy to bypass network security de-
{m1 , m2 , · · · , m2M } denote the code-book including a set of vices, LI mechanisms in the operator network, and spectrum
2M distinct MAC layer messages, where each mi encodes M - monitoring systems. The anonymous uplink condition could
bits of information. The messages in M can trigger the set be relaxed in some other scenarios. If required, it limits the
of distinct response messages B = {b1 , b2 , · · · , b2M } from the search space for M to the early control messages that devices
cellular station. Let the random variable Xt ∈ M stand for exchange with cellular station before authentication and data
the message Trudy sends at time slot t. The cellular station connection. Assuming Ricky is able to correctly decode the
response to Xt can be modeled with another random variable messages in near real-time, the stateless uplink condition
Yt+τ ∈ B, where τ is the time lapse from the moment Trudy allows Trudy to send a message in every τ seconds. Therefore,
intends to send Xt until the cellular station broadcasts the they can achieve data rates in order of M τ bits per seconds.
response message.
Proposition 1. The MAC layer protocol of a WCN is deemed III. SPARROW S CHEME IN LTE & 5G
vulnerable to covert communication in Scenario 1 if any of This section shows a simple example of a SPARROW attack
its procedures allows forming M and B of the uplink and the scheme, which exploits the random-access (RA) procedure in
downlink messages satisfying all of the following conditions: the LTE and 5G protocol standards (defined in section 5.1.5
1) Passive Reception: The downlink broadcast messages in of 3GPP specification documents TS36.321 [8]). It leads to a
B can be decoded by any passive scanning device within realization of Scenario 1 using the resources of any currently
the radio access node signal range without a connection deployed LTE or 5G cellular stations (world wide). Adopting
establishment or prior knowledge of PHY channel state the 3GPP standard terminology moving forward, e/gNB refers
information. to an LTE or 5G target cellular station, specifically the serving
2) Bijectivity: For 1 < i ≤ 2M , Receiving downlink message sector of the cellular station covering both Ricky and Trudy.
bi at time t + τ is almost surely result of sending mi in Any user device interacting with an e/gNB is called a UE (User
uplink at time t, i.e. Equipment). This procedure has been present in the 3GPP
standard since the early releases of LTE (Release 8) and may
P r(Xt = mi |Yt+τ = bi ) = P r(Yt+τ = bi |Xt = mi ) possibly be used in other non LTE/5G wireless technologies,
= 1 − o(1) as well.
4
A. Normal RA Procedure UE has to back off and retry RA procedure. Per section 5.1.4
in [8], a UE can freely re-attempt RA after a randomly selected
backoff time. However, there is no practical way for the e/gNB
to enforce the backoff value. Consequently a UE can always
select a minimum value between consecutive RA attempts. The
purpose of contention resolution is further detailed in Section
V-A.
B. Exploiting RA Procedure
It is worth mentioning that the operational range of SPAR- LTE/5G bands operate in FDD mode (frequency division
ROW UEs has the potential to dramatically increase with duplexing) where there is only 10 PRACH resources [11].
the emergence of new satellite-based technologies such as Consequently, there is always a real possibility that multiple
5G-NTN [13] should the same vulnerable contention reso- UEs end up with the same RA-RNTI and that the random
lution procedure remain in the standard. Bypassing most of preambles cause a resource contention event. In most cases, the
known measures against covert-communication, the SPAR- cellular station can only decode a single preamble transmission
ROW scheme can remain a potential threat until the standards and is oblivious of any underlying contention event. To avoid
patch the MAC protocol procedures subject to Proposition 1. any subsequent uplink interference between the UEs, the
Prominent threat scenarios include: cellular station needs a mechanism to immediately signal
• Data Exfiltration: as outlined in Scenario 1, , SPAR- the UE with successful M sg1Msg1 to proceed and all other
ROW attack schemes can be an effective alternative to unsuccessful UEs to back off and retry RA. In this early stage
known data exfiltration techniques by leveraging vulner- of RA, there are no unique identities assigned to the UEs
abilities in existing network access protocols. Made in a and the contending UEs follow the same protocol procedure
small form factor, SPARROW devices can easily be used in isolation. Going back to M sg3 and M sg4 in Figure 2,
to smuggle data out of restricted facilities. the only plausible resolution is having each UE to test the
• Command & Control: SPARROW devices can anony- success of M sg1 by sending a purely random N -bits within
mously communicate with remote malicious IoT devices CRI in M sg3. Then the cellular station most likely receives
to trigger unwelcome events using apparently benign M sg3 from the UE with successful M sg1 and acknowledges
WCN radio signals. it with rebroadcasting its CRI in M sg4. Since the cellular
• Clandestine Operations: agents can anonymously com- station does not have any knowledge of distance or channel
municate with SPARROW devices in hostile areas with- conditions of all contending UEs, it transmit M sg4 similar to
out broadcasting noticeable signals or directly accessing other cell broadcast messages which are receivable everywhere
the incumbent networks. in its coverage area. The value N also has to be large
Having the consent of the incumbent network operators, enough (N = 40 in current 3GPP standards) to minimize the
SPARROW scheme can also be used in good faith scenarios probability of identity collision, otherwise the contention may
such as: drag beyond RA procedure. Contention is ultimately resolved
when each UE compares CRI in M sg4 against what they
• Connection-less M2M Communication: Some M2M
transmitted in M sg3.
(machine-to-machine) application require extremely low
latency and power consumption. The SPARROW scheme
can compliment the existing solutions such as [14] that
B. Strategy Paths
enables the devices to communicate via encoding infor-
mation in LTE M sg1 and M sg2. Before presenting the proposed strategy of this work, it
• Disaster Recovery: SPARROW devices can be used is worth enumerating the following strategies that can have
to take advantage of partially functional access radio significant performance overhead, risks, or offer limited pro-
nodes to exchange critical messages in disaster situations tection against SPARROW in contention resolution procedure:
without requiring authentication or back-haul connection • Preset UE Identities: To prevent broadcasting arbitrary
to a core network. UE-assigned identities, one shall propose having a unique
pre-defined CRI per UE similar to MAC address in
V. SPARROW R EMEDIATION S TRATEGIES WLAN. This value can also be derived from secure
The contention resolution procedure facilitated by M sg3 keys stored in SIM device and verifiable by the network.
and M sg4, which was exploited in Section III, plays an es- This way the cellular station only broadcasts CRI in
sential part of cellular RA procedure and may have analogues M sg4 if its source is verified. This strategy risks UE
in other WCN protocol standards. Therefore, the presented privacy by exposing a new attack surface for unauthorized
remediation strategies focus on thwarting their exploitation user tracking similar to IMSI-catching techniques [15]. It
while preserving their role in contention resolution procedure. also does not prevent or protect against SPARROW UEs
This is a more challenging problem than offering a generic re- that employ a precomputed communication code-book of
mediation to the generic scheme in Section II. After explaining valid CRI values.
the constraints of contention resolution mechanism, it will be • Detect & Block: The victim cellular station may notice
clear that the remediation strategies will be limited. exploitation by monitoring the random-access activity
patterns in the cell. However, the cell station does not
have a reliable way of differentiating uplink messages
A. Contention Resolution Mechanism from SPARROW UEs. The SPARROW UEs can adopt
There are a limited number of RACH-preambles (e.g. 64 various evasion techniques, such as slowing their activity,
for LTE) available at each cell for random selection by routinely changing their CRI code-book and using differ-
UEs attempting to access the network. Depending on duplex- ent random access initial resources. Thus, this strategy
ing configuration mode, there is a limited set of PRACH can risk the cellular station service availability without
resources associated with RA-RNTIs. Most low-frequency offering quantifiable levels of protection.
7
The remainder of this work focuses on the entropy-leveraging of B in the standard where a cellular station announces
remediation strategy. Compared to other strategies, it can prac- its choice in the periodic broadcast signals or M sg2.
tically prevent exploitation with minimal performance impact This will ensure the UEs adjust their decision functions
and no collateral security risks. In the context of Proposition 1, accordingly to process M sg4.
it aims at mitigating the deterministic bijectivity condition be- 3) Downlink Processing: Any choice for B should be
tween M sg3 and M sg4. The contention resolution procedure accompanied with a well-defined UE decision function
in a vulnerable MAC protocol should be modified as follows: D = D(Y, Xi ) ∈ {0, 1}, where 0 and 1 are respectively
• Entropy-Leveraging: This strategy allows the UEs to interpreted as RA success or failure commands for the
randomly select the CRI content in M sg3. However, it i-th UE. Given Y , an ideal choice of D should almost
requires the cellular station to obfuscate the content re- surely evaluate to 1 for no more than one of the con-
ceived in M sg3 with a random pattern before broadcast- tending UEs. The decision function should also have the
ing it in M sg4. The M sg4 broadcast has two components following property to eliminate the possibility of a live-
the obfuscated message and some helper information, i.e. lock where all UEs arrive at failed RA decision.
a hint. Each UE should process the received M sg4 and
P r(D(Y, Xi ) = 1|X = Xi ) = 1 (1)
their M sg3 by a decision function defined in the standard
to determine the next RA step. The hint plays an essential Knowing the choice for B and code-book M, Ricky
role in the decision function. It is designed to ensure the attempts to recover X ′ from M sg4 by devising an
intended UE proceeds while the contending others back estimation function. Let X ′′ = E(Y ) be the random vari-
off. On the other hand, the obfuscated content of M sg4 able representing Ricky’s estimated codeword. According
should prevent the SPARROW UEs to form stable code- Proposition 1, Ricky should design E(Y ) to minimize its
books M and B. estimation error probability, P r(X ′′ 6= X ′ ). It also has to
keep the code-book small enough to distinguish between
VI. A NALYSIS OF E NTROPY-L EVERAGING S TRATEGY broadcast triggered by Trudy and other UEs. There is
This section is dedicated to analyzing potential remediation always a chance to have another UE in the cell randomly
schemes following the entropy-leveraging strategy. It first select Xi ∈ M.
seeks to quantify its impact on the contention resolution As described in Section V-A, the performance of contention
performance and explores the theoretical trade-off between the resolution process requires low identity collision probability
remediation objectives: disrupting SPARROW scheme while to ensure only one of the contending UEs succeeds in RA. In
preserving contention resolution performance. Section VII practice, having more than two UEs simultaneously attempting
then details the elements needed to build a practically optimal RA using the same preamble is a rare event that may occur
scheme. while a cellular station recovers from a maintenance outage.
Thus, moving forward, the contention scenarios is considered
A. Formulation to only involve two UEs as the most probable scenario, i.e.
i ∈ 1, 2. The identity collision probability, PC for this scenario
Expanding the notation in Section II and Scenario 1, the fol-
defined as follows:
lowing steps detail contention resolution process in a entropy-
leveraging scheme: PC , P r(D(Y, X2 ) = 1|X = X1 ) (2)
1) Uplink Message: The random N -bits identities selected
Here we assume both UEs can decode M sg4 error free.
by contending UEs form a set of independent identically
Considering the uniform i.i.d property of Xi , the expression
distributed (i.i.d) random variables with a uniform dis-
in (2) can be further expanded to
tribution on support set UN = {0, 1, 2, · · · , 2N − 1}.
X X P r(D(Y, i) = 1|X2 = i, X = j) 1
Lets Xi ∼ U(2−N ) be the discrete random variable PC = + N (3)
denoting M sg3 transmitted by the i-th contending UE in 22N 2
i,j∈UN
the cell. Analyzing a single exchange, the time has been i6=j
omitted for brevity. On the other hand, random variable It implies that 2−N is the minimum achievable value for
X ′ denotes Trudy’s M sg3 transmission from codebook
PC when B(X) is an injective function. For instance, the
M ⊂ UN .
current state of the standard described in SectionIII retrofits in
2) Obfuscated Broadcast: The cellular station receives
this model with B(X) = X and the identity check decision
only one of the M sg3 transmissions that is denoted by
function D(Xi , Y ) = δ(X − Xi ).
X ∈ {X1 , X2 , X ′ }. The cellular station cannot detect the
source of X. It then derives M sg4 modeled by random
variable Y = [B(X), h], where B is the broadcast ob- B. Trade-Off Bounds
fuscation function defined in the standard along with the Introducing any obfuscation function should mitigate the
hint value h. In order to facilitate contention resolution, achievable error-free data rate for SPARROW UEs while main-
the cellular station includes h in the M sg4 broadcast, taining low PC . The data rate of SPARROW UE depends on
where h is a parameter that is intended to help UEs make their strategy in selection of code-book M and the estimation
correct RA decisions. Depending on the desired level of function E(Y ) to overcome channel entropy introduced by
protection, there could be multiple pre-defined choices B(X). Theoretically, it is desired to minimize SPARROW
8
UE’s maximum achievable data rate called channel capac- C. Solution Examples
ity in the context of information theory. SPARROW UEs Examples of entropy-leveraging scheme should involve re-
may achieve the channel capacity by employing sophisticated ducing H(X|Y ) in (4). The following simple schemes are
forward error-correcting (FEC) code-books in the long run. inspired by known binary noisy channel models in communi-
The channel capacity may not be achievable in practice, but cations theory [17]:
certainly highlights the inherent trade-off between protection
• K-errors: Similarly to a Binary Symmetric Channel
and performance. Given X = X ′ , the channel capacity for
(BSC), the cellular station induces bit errors at K random
SPARROW UEs is the maximum mutual information quantity
positions of the UE identity X in M sg3. Each time it
as defined below:
generates a random N -bits error mask eK ∈ UN with
I(X; Y ) = H(X) − H(X|Y ) (4) Hamming weight (number of set bits) K that is used to
derive the M sg4 broadcast message:
where H(.) denotes Shannon entropy. So, the remediation
schemes should aim at designing B(X) so that H(X|Y ) is M sg4 : Y = [B(X) = X ⊕ eK , h = K] (5)
maximized. On the other hand, applying Fano’s inequality where ⊕ denotes bit-wise XOR operator. The value of
to the expression in (3), it can be shown that H(X|Y ) K should be previously signaled to UEs or included as a
directly contributes to a lower bound on PC [16]. Hence, the hint to facilitate the decision function of the normal UEs:
entropy-leveraging strategy is bound to a trade-off between
the contention resolution performance (low H(X|Y )) and U Ei : D(Y, Xi ) = δ(K − dH (B(X), Xi )) (6)
blocking the SPARROW UEs (high H(X|Y )). implying that each UE computes the Hamming distance
The same trade-off can also be derived from a more intuitive M sg4 with its M sg3 denoted by dH (., .) and compares
viewpoint. The SPARROW UEs send M sg3 similarly to the the results against K.
other UEs in the cell. There is also a noticeable correla- • K-erasures: Inspired by Binary Erasure Channel (BEC),
tion between the ways they process M sg4 in the entropy- the cellular station omits bits at K random positions of
leveraging strategy. Ricky optimizes the estimation function the UE identity X in M sg3. Each time it generates a
E(Y ) to processes M sg4 to recover Trudy’s message among random N -bits erasure mask eK ∈ UN with Hamming
all the candidates in the code-book M. Now consider the rarest weight (number of set bits) K that is used to derive the
contention resolution situation where 2M normal UEs are in M sg4 broadcast message:
contention and each happen to pick a distinct M sg3 identities
from M. To resolve the contention, D(Y, Xi ) should evaluate M sg4 : Y = [B(X) = X ⊘ eK , h = eK ] (7)
to 1 only for the intended UE and 0 for the rest of them. Thus,
where ⊘ denotes bit-wise bit erasure operator producing
the collective outcome of D(Y, Xi ) serve the same purpose
N −K remaining from X. It is worth to note that the size
as E(Y ) in this hypothetical scenario leading to a very tight
of M sg4 is 2N + K that depends on K as depicted in
trade-off to design the broadcast obfuscation function B(X)
diagram in Figure 6. The contending UEs will need eK
to disrupt the functionality for E(Y ) while preserving the
as a hint to extract corresponding bits from their M sg3
resolution condition for D(Y, Xi ).
in their decision function:
In reality, we consider the contention scenario between
as few as two UEs that will relax the trade-off. Also, this U Ei : D(Y, Xi ) = δ(Xi ⊘ ek − B(X)) (8)
trade-off does not account for the fact that M should be
The value of K in both schemes does not have to be random
small enough to reduce the chance of the M sg4 intended
for each message and it can be selected to balance the trade-off
for other UEs being misinterpreted by Ricky as legitimate
between remediation and contention resolution performance.
messages from Trudy. The channel capacity derivation in (4)
Using (3), it is straightforward to derive the identity colli-
does not account for the minimum viable information needed
sion probability for each scheme as:
per attempt for synchronized reception. Ricky will need to
N
reliably identify messages sent from M in every attempt. In K 2K
this context, the presented trade-off implies that the entropy- K-errors: PC = N , K-erasures: PC = N (9)
2 2
leveraging schemes impact the performance of contention These are plotted for different values of K in Figure 7. For
resolution rather than dismissing their feasibility. both schemes it can be shown that the SPARROW channel
Remark. It is worth noting that using Cryptographic Hash capacity is inversely related to PC conforming to the design
Functions (CHF) to obfuscate M sg4 will not serve as a proper trade-off in Section VI-B.
remediation since H(X|Y ) = 0. Even with random salting,
I(X; Y ) = −log2 (PC ) (10)
M sg4 has to include the salt as the hint for the normal UEs to
repeat the same computation with their M sg3 in the downlink SPARROW UEs can use FEC codes which is a well-studies
processing step. For any given M, Ricky can compute the hash topic in these scenarios. For example, to circumvent the K-
value for all of its elements (preimage table) that forms B of erasures schemes, Trudy can retransmit the messages multiple
all possible M sg4 bijectively correlated to M. Using CHF times to increase the chance Ricky recovering all of its
will only imposes some modest computational complexity to randomly erased bits. To survive a K-errors scheme, Trudy
Ricky. can construct a code-books with minimum hamming distances
9
10 -02
10 -4
This work proposed a novel framework to identify and ex-
10 -5 ploit vulnerable MAC layer procedures in commercial wireless
technologies for covert communication. In this framework, the
10 -6 SPARROW schemes use the broadcast power of incumbent
M=8 wireless networks to covertly relay messages across a long dis-
10 -7 M=12
M=16 tance without connecting to them. This enables the SPARROW
10 -8 schemes to bypass all security and lawful-intercept systems
10 -12 10 -11 10 -10 10 -09 10 -08 10 -07 10 -06 10 -05 10 -04 10 -03 10 -02 10 -01 10 00
and gain ample advantage over existing covert techniques in
PC
terms of maximum anonymity, longer range and less hardware.
Fig. 10: Trade-off between SRARROW disruption rate (PD ) This paper detailed CVD-2021-0045 disclosed through GSMA
and identity collision probability (PC ). coordinated vulnerability disclosure program [1]. This vulner-
ability has been in the common random-access procedure in
10 00 the LTE and 5G standards for a long time. Hence, this work
10 -01 investigated remediation strategies tailored for this procedure
10 -02 including ELISHA which is a rigorous remediation that can
10 -03 suit other protocols as well. It can effectively disrupt the most
10 -04
sophisticated SPARROW schemes with a manageable system
10 -05
performance overheads.
Researchers are encouraged to investigate the SPARROW
PC
10 -06
vulnerability conditions, outlined in Proposition 1, in other
10 -07
wireless MAC protocols or other aspects of LTE/5G. Also
10 -08 ELISHA, P D=0.5
the framework can be expanded beyond just the broadcast
10 -09 ELISHA, P D=0.1
ELISHA, P D=0.01 signals to include other measurable implicit changes in the
-10
10
Just Reducing N, cell operation state that can be controlled by one SPARROW
10 -11 P D=0 device and detected by another one. Finally, it is recommended
10 -12 to incorporate this framework in security evaluation of the
2 4 6 8 10 12 14 16
M emerging non-terrestrial wireless standards such as 5G-NTN
that can be potentially exploited for very long range covert
Fig. 11: Trade-off between SRARROW UE data rate (M )
communication.
and identity collision probability (PC ).
ACKNOWLEDGMENTS
plotted versus PC for fixed PD values. Three disruption I would like to thank these individuals at Keysight Tech-
rate levels are considered for SPARROW UEs: PD = 0.01 nologies who assisted with disclosure and presentation of
(manageable), PD = 0.1 (almost intolerable), PD = 0.5 this work: Chuck McAuley for presentation at [9], Befekadu
(impossible to operate). One can see that reducing M at each Mengesha and Lucal Mapelli for PoC implementation in [9]
of the disruption rate levels requires an increase in PC . This [1], Pete Marsico for technical editing, and finally Steve
simply corroborates the design trade-off from the data rate McGregory and Chris Moore for supporting this research.
point of view. Looking at PD = 0.5 graph, ELISHA makes it
impossible for SPARROW UEs to even send a single byte R EFERENCES
(M = 8) at PC ≈ 10−5 . Given the inherent trade-off in
[1] GSM Association. (2021) GSMA mobile security
any entropy-leveraging scheme, one may argue for a simpler research acknowledgements. [Online]. Available:
solution: just reducing N , the number of identity bits in M sg3. https://www.gsma.com/security/gsma-mobile-security-research-acknowledgements/
The SPARROW UEs have to use smaller codewords of size [2] M. Li, W. Huang, Y. Wang, W. Fan, and J. Li, “The study of APT
attack stage model,” in 2016 IEEE/ACIS 15th International Conference
M = N bits and the only cost would be direct PC increase. on Computer and Information Science (ICIS). IEEE, 2016, pp. 1–5.
The purple dotted line in Figure 11 shows the performance of [3] A. Singh, O. Nordström, C. Lu, and A. L. Dos Santos, “Malicious ICMP
such a system. However the results confirm the advantage of tunneling: Defense against the vulnerability,” in Australasian Conference
on Information Security and Privacy. Springer, 2003, pp. 226–236.
ELISHA over such a scheme in terms of much more protection [4] Y. Wang, A. Zhou, S. Liao, R. Zheng, R. Hu, and L. Zhang, “A
(lower M ) for the same sacrificed performance (increased PC ). comprehensive survey on DNS tunnel detection,” Computer Networks,
The presented results seems to indicate that ELISHA is p. 108322, 2021.
[5] N. Hou and Y. Zheng, “Cloaklora: A covert channel over LoRa PHY,” in
an efficient solution to protect contention resolution proce- 2020 IEEE 28th International Conference on Network Protocols (ICNP).
dures in LTE/5G and other technologies against SPARROW IEEE, 2020, pp. 1–11.
12