Guan-Hua Tu

Learn More
3G/4G cellular networks adopt usage-based charging. Mobile users are billed based on the traffic volume when accessing data service. In this work, we assess both this metered accounting architecture and application-specific charging policies by operators from the security perspective. We have identified loopholes in both, and discovered two effective(More)
Data-plan subscribers are charged based on the used traffic volume in 3G/4G cellular networks. This usage-based charging system has been operational and received general success. In this work, we conduct experiments to critically assess both this usage-based accounting architecture and application-specific charging policies by operators. Our evaluation(More)
In this paper, we study how mobility affects mobile data accounting, which records the usage volume for each roaming user. We find out that, current 2G/3G/4G systems have well-tested mobility support solutions and generally work well. However, under certain biased, less common yet possible scenarios, accounting gap between the operator's log and the user's(More)
Both voice and data are indispensable services in current cellular networks. In this work, we study the inter-play of voice and data in operational LTE networks. We assess how the popular CSFB-based voice service affects the IP-based data sessions in 4G LTE networks, and visa versa. Our findings reveal that the interference between them is mutual. On one(More)
Control-plane protocols are complex in cellular networks. They communicate with one another along three dimensions of cross layers, cross (circuit-switched and packet-switched) domains, and cross (3G and 4G) systems. In this work, we propose signaling diagnosis tools and uncover six instances of problematic interactions. Such control-plane issues span both(More)
Secure mobile data charging (MDC) is critical to cellular network operations. It must charge the right user for the right volume that (s)he authorizes to consume (i.e., requirements of authentication, authorization, and accounting (AAA)). In this work, we conduct security analysis of the MDC system in cellular networks. We find that all three can be(More)
VoLTE (Voice-over-LTE) is the designated voice solution to the LTE mobile network, and its worldwide deployment is underway. It reshapes call services from the traditional circuit-switched telecom telephony to the packet-switched Internet VoIP. In this work, we conduct the first study on VoLTE security before its full rollout. We discover several(More)
—To support voice calls vital to mobile users and carriers, 4G LTE cellular networks adopt two solutions: VoLTE (Voice Over LTE) and CSFB (Circuit-Switched FallBack). In this paper, we disclose that both schemes are harmful to mobile users from a security perspective. The adoption of the latest VoLTE allows an attacker to manipulate the radio resource(More)
The control-plane protocols in 3G/4G mobile networks communicate with each other, and provide a rich set of control functions, such as radio resource control, mobility support, connectivity management, to name a few. Despite their significance, the problem of verifying protocol correctness remains largely unaddressed. In this paper, we examine control-plane(More)