This note explores possible attacks on a LTE deployment. Attacks on the IMS core are not addressed here.

Transcription

1 LTE Threat Analysis 1. Introduction This note explores possible attacks on a LTE deployment. Attacks on the IMS core are not addressed here. Attack Goals: The goals of an attack can include: Malicious disruption of service (DoS). Theft of subscriber s information (address books, financial information, cookies, ). Fraudulent subscriber billing or overcharging. Impersonation of subscriber identity. Analysis of carrier configuration for competitive use. Theft of carrier services (Access to unauthorized services, Billing avoidance, ). Attack Targets: Attacks on DNS servers, servers, etc. are excluded. The main targets for attacks are: LTE Components o Core EPC components (MME, SGW, HSS, ) o enodebs (especially those in non-carrier owned premises, like shopping malls) o Femto enodebs (which are usually on subscriber premises) Subscribers handsets (UEs). o Theft of Data on UE. o Theft of Data in cloud. Attack Sources: Lastly, the sources of potential attacks can be: Other UEs Carrier, by insiders (disgruntled employees) Networks of Roaming partners (via GRX/IPX) SS7 / SIGTRAN gateway Public Internet enodebs, which have been compromised by physical access. Air (Radio) interface Femto enodebs LTE Threat Analysis, Rajaram Pejaver, June 6, 2012 Page 1/9

2 2. Summary of Potential attacks The likely attacks that are summarized below are detailed in the tables that follow. Compromised / rooted UE 1) Attacks on LTE components 2) Attacks on PGW 3) Attacks on other UEs Insider (disgruntled employee) attacks on Carrier 4) Login to EPC hosts (console or web), change LTE configurations 5) Sniff / capture UE's tunneled data 6) Location Privacy: tracking IMSIs & NAIs Networks of Roaming partners 7) Signaling attacks on EPC 8) GTP Echo scanning SS7 / SIGTRAN 9) Signaling attacks from roaming partners Public Internet based attacks 10) PGW is open to Internet 11) Open connections to UE (what ports are open on UE?) An enodeb compromised by unauthorized physical access 12) The same enodeb 13) The S1-U and S1-MME interfaces 14) The X2 interface Air (Radio) interface 15) Jamming, mass DoS 16) Strong signal to attract target UEs to compromised enodeb Femto enodebs 17) Subvert & replace software LTE Threat Analysis, Rajaram Pejaver, June 6, 2012 Page 2/9

3 1. IP based attacks on LTE Core from UE Compromised / rooted UE LTE components Network mapping is the first step to other attacks. Fuzzing and buffer overflows can disrupt service. A UE can be programmed to run a ping scan on the carrier s to discover hosts. The ranges can be guessed by examining the UE s assigned IP address. Both IPv4 and IPv6 scans can be run, using ICMP and UDP packets. If an IP address is found, then Port scanning can be run to identify the host s function (MME vs. PGW, ). The UE can either have a custom Android build or an application that generates these attacks. Subsequent attacks can include: Send fuzzed (malformed) messages to open ports. These messages could cause software crashes and service outages. Buffer overflow attempts. Variable length fields in GTP messages could be made unusually long. Excessive pings or ICMP error responses in tunneled traffic can indicate discovery attempts. There should be no route from a UE to LTE components. If necessary, a firewall can enforce this policy by blocking packets that have been detunneled by a PGW from being forwarded to the LTE hosts. Note that access to the IMS P- CSCF must be permitted. 2. Signaling attacks on the PGW Compromised / rooted UE LTE PGW Service disruption. IP packets from the UE are de-tunneled on a PGW and forwarded to the Internet. If a packet is addressed to the PGW itself, then it may be delivered to the specified port. The attacking UE can construct UDP based GTP-C packets and send it to the PGW on port These packets can be Tunnel Management messages that close tunnels and bearers belonging to other subscribers. The TEIDs can be chosen at random. Alternatively, the TEID can be based on the TEID value assigned to the attacker. Assuming that TEID values are assigned sequentially, the valid values at a Scan tunneled traffic for illegal and restricted destination addresses. There should be no route from a UE to the PGWs. LTE Threat Analysis, Rajaram Pejaver, June 6, 2012 Page 3/9

4 given time will all be closely bunched. The source IP address can be forged to be a valid SGW address. The destination address could be local host (::1 or ) or can be the PGW address that was somehow discovered. The TCP stack on the sending UE would have to be modified to send such packets. 3. Attacks on other UEs Compromised / rooted UE Other UEs Service disruption, spoofed messages. The UE can attempt to send IP packets directly to other UEs. UEs will typically be assigned private (NATted) IPv4 addresses but may have global IPv6 addresses. An attacking UE can guess the IP address of a different UE and open connections to it. For IPv4, the message may be addressed to a private address in the local NAT range, or to a global address. If VoIP service is enabled, then the two communicating UEs will be aware of each other s global addresses. Excessive failed TCP connections in the tunneled traffic. Excessive rejected UDP transmissions. Excessive failed ICMP messages. Attempts to send packets to a private address. The PGW should forward all de-tunneled messages from UEs to a firewall or a router that enforces routing policies. In case on VoIP calls where direct UE to UE communications are permitted between specific pairs, the router must be dynamically updated to allow the communication for the LTE Threat Analysis, Rajaram Pejaver, June 6, 2012 Page 4/9

5 duration of the call. In general, TCP connections or unsolicited UDP messages to UEs should be blocked. 4. Insider (disgruntled employee) attacks on EPC hosts Carrier s staff from Carrier EPC hosts Disruption of service; theft of service It is relatively easy for authorized staff to make unauthorized changes to configurations by logging in to the devices. The attacker could be an administrator, or a representative from the vendor that provides the hardware or software for the LTE component. Instead of causing an obvious outage by crashing the device, the attacker could affect performance by reducing buffer sizes, queue lengths, timer values, etc. Such attacks would be hard to detect and correct, even if audit tracks are maintained. Modifying data in the HSS could provide unauthorized services to subscribers. Audit information that tracks authentication of individual users should be maintained in a secure ed location. Access to sensitive devices via ssh, telnet or ftp should be monitored and recorded. The session can then be reconstructed to determine where the attack originated and what changes were made. 5. Insider (disgruntled employee) attacks on subscriber data Carrier s staff from Carrier Subscriber s tunneled carrier s Theft of user data Authorized operators and administrators could passively sniff and capture data packets between the EPC components. This would give them access to users private s, SMS, and web browsing sessions. Though it would be more difficult, Packet insertion and Man-in-the-middle attacks are also possible. These attacks involve modifying the carrier s components (routers, switches, taps) as opposed to attacking the EPC hosts. <help> LTE Threat Analysis, Rajaram Pejaver, June 6, 2012 Page 5/9

6 6. Insider (disgruntled employee) attacks on signaling data Carrier s staff from Carrier Signaling data on carrier s User location tracking, stalking. It is possible to track a UE s location and movements by monitoring the handoff operations. While a carrier would typically have equipment to report this information to authorized staff, an unauthorized person can also reconstruct this information by sniffing the s and correlating IMSI information. <help> 7. Signaling attacks from roaming partners Networks of other carriers who are roaming partners EPC hosts, HSS Disruption of service; theft of service; theft of competitive information GRX/IPX s allow different carriers to bypass the public Internet while providing service to roaming subscribers. It allows carriers to send GTP packets to other carriers. This opens the door to all sorts of signaling attacks, perhaps by employees of the remote carriers, similar to the signaling attacks by insiders. The remote carrier may not have adequate audit information to trace back the origins of malicious attacks. Monitor and record all requests originating from remote carriers. Application level firewalls to permit granular access. 8. Network mapping by roaming partners Networks of other carriers who are roaming partners EPC hosts, HSS Theft of competitive information GTP Echos can be sent via the GRX/IPX s. This allows a foreign carrier to map out the local and find unadvertised restricted EPC components. Check for excessive Echo requests originating from remote carriers. Firewalls. LTE Threat Analysis, Rajaram Pejaver, June 6, 2012 Page 6/9

7 9. EPC attacks via SS7/SIGTRAN SS7 cloud and the SIGTRAN gateway EPC components Disruption of service SS7/SIGTRAN provides a signaling avenue similar to GRX/IPX and can allow remote carriers to mount signaling attacks. Monitor and record all signaling traffic originating from SIGTRAN. Strict Policy checking. 10. PGW attacks from the Internet Public Internet PDN-GWY (PGW) Disruption of service The PGW is open to Internet via the SGi interface. It acts as the routing anchor for UEs. It is possible to flood this interface from the Internet, thereby disrupting service to UEs. TCP connection requests and UDP packets can be sent. Also, firewall misconfigurations may allow access to other services on the PGW. IDS checking on the SGi interface. Firewalls. 11. Attacks on UE from the Internet Public Internet UEs SPAM, theft of UE data, infect UEs with malware. xxxxxxxxx IDS checking on the SGi interface. Firewalls. LTE Threat Analysis, Rajaram Pejaver, June 6, 2012 Page 7/9

8 12. Physical attacks on enodebs An enodeb compromised by unauthorized physical access The same enodeb Proprietary Device configuration information can be used to deduce capacity limits, performance goals and other competitive information. Some enodebs may be installed at locations that are not controlled by the carrier. For example, an anodeb in a shopping mall may be in a room accessible by mall security staff, a cell site covering a high rise apartment complex bay be accessible by the local janitor, etc. Given physical access to the enodeb s console and front panel, an attacker may be able to reboot it in a service mode and bypass normal security. Removing the device s hard drive will allow access to configuration information. It may also be possible to patch the software to insert back doors for future attacks. <help> Configuration information must be encrypted on disk. Software should be signed and verified. 13. Attacks on the S1 interface An enodeb compromised by unauthorized physical access The S1-U and S1-MME interfaces If the S1 interfaces are not IPsec encrypted, then it would be easy for an attacker to tap in, perhaps using a hub. The tunneled user data is typically not encrypted at this point. Some of the many attacks are: Sniff signaling and user data packets Man in the middle attacks on signaling and user data sessions Spoofing of source addresses 14. Attacks on the X2 interface between enodebs An enodeb compromised by The X2 interface between Forcing hand offs to the compromised Once a enodeb site is compromised, it can send fake signaling messages to neighboring enodebs to grab UEs. These UEs can then be attacked as described above. LTE Threat Analysis, Rajaram Pejaver, June 6, 2012 Page 8/9

9 unauthorized physical access enodebs enodeb, disruption of service, LTE Threat Analysis, Rajaram Pejaver, June 6, 2012 Page 9/9