Dr. Guan-Hua Tu, Dr. Li Xiao, and their PhD students won MobiCom 2022 Best Paper Award Runner-Up
The researchers from Computer Science & Engineering have recently discovered several insecure designs of cellular emergency service standards, including (1) unverifiable emergency IP-CAN (IP Connectivity Access Network) session requests, (2) improper cross-layer security binding, (3) non-atomic cellular emergency service initialization, and (4) improper access control on emergency IP-CAN sessions. By exploiting them, adversaries can launch not only free mobile service attacks against cellular carriers, but also data DoS/overcharge and denial of cellular emergency service (DoCES) attacks against mobile users. All vulnerabilities and attacks have been validated experimentally as practical security issues in the networks of three major U.S. carriers. Finally, we propose and prototype standard-compliant remedies to mitigate the vulnerabilities. The lessons we learned can secure both cellular network carriers and mobile users.
The findings of Dr. Guan-Hua Tu, Dr. Li Xiao, and their Ph.D. students Yiwen Hu, Min-Yue Chen, Sihan Wang, Jingwen Shi, and Tian Xie, together with the collaboration team from Purdue University, are published in the paper titled “Uncovering insecure designs of cellular emergency services (911)” in the 28th International Conference on Mobile Computing and Networking (MobiCom 2022). This paper was selected as the Best Community Paper Award Runner-up. In addition, this work has received an AT&T security award.
(Date Posted: 2023-01-03)