Contents VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014

Transcription

1 VULNERABILITIES OF MOBILE INTERNET (GPRS) Dmitry Kurbatov Sergey Puzankov Pavel Novikov 2014

2 Contents 1. Introduction 2. Summary 3. Mobile network scheme 4. GTP protocol 5. Searching for mobile operator s facilities on the Internet 6. Threats 6.1. IMSI brute force 6.2. The disclosure of subscriber s data via IMSI 6.3. Disconnection of authorized subscribers from the Internet 6.4. Blocking the connection to the Internet 6.5. Internet at the expense of others 6.6. Data interception 6.7. DNS tunneling 6.8. Substitution of DNS for GGSN 7. Conclusion and recommendations

3 1. Introduction Modern mobile networks facilitate the most convenient access to the Internet without the need for static infrastructures. People can access , messengers, social networks and online stores whenever and wherever they need it. A range of businesses use mobile Internet for remote administration, financial operations, e-commerce, M2M and some other purposes. Government organizations provide more and more services via the web, and it results in a significant increase in the volume of the world s mobile data traffic. This traffic is expected to increase significantly in both 3G/3.5G and 4G through 2018, see table below. Many users have approached the use of broadband Internet access with caution, due to publicity around security breaches. In response to this, a great number of security solutions were introduced to protect this services sector, such as antivirus software, firewalls, etc. By contrast, the level of consciousness about security while using the mobile Internet is relatively low. Most users assume that mobile network access is much safer because a big mobile-telecoms provider will protect subscribers and has the benefit of the developments in security from the broadband Internet arena. Unfortunately, as practice shows, mobile Internet is a great opportunity for the attacker, and can be less secure than more traditional options. This report will provide an analysis of these threats, as well as recommendations to ensure the safety of mobile Internet services. Exabytes per Month % % % 60% 30% 51% 2/2.5G 3/3.5G 4G Source: Cisco VNI Mobile 2014 Fig. 1. The expected growth in mobile data traffic [1] 2. Summary Positive Technologies has determined that there are serious security issues in the networks that support mobile Internet devices. A large number of devices belonging to 2G/3G networks of mobile network operators are available via open GTP ports as well as some other open communication protocols (FTP, Telnet, HTTP). An attacker can connect to the node of a mobile network operator by exploiting vulnerabilities (for example, default passwords) in these interfaces. Having acquired access to the network of any operator, an attacker can automatically gain access to the GRX network, which in turn allows him/her to perform various attacks on subscribers of any operator: 1. Searching for valid IMSI 2. Obtaining subscriber s data via IMSI (including his/her location) 3. Disconnection of subscribers from the Internet or blocking their access to the Internet 4. Connecting to the Internet with credentials of the legitimate user and at the expense of others 5. Listening to the traffic of the victim 6. Engage in a fishing attack Security measures required to protect against such attacks include proper configuration of equipment, utilizing a firewall and regular security monitoring. More details on the recommended set of protective measures is provided in the final part of this review. 3

4 3. Mobile network scheme Fig. 2. Provider s mobile network Mobile provider s network consists of the Circuit Switched Core Network (CS core), the Packet Switched Core Network (PS core), the base station network and its 2G controllers (BSC and BTS in the scheme), and the base station network and its 3G controllers (Node B and RNC). The scheme shows that 3G network is based on 2G radio access network; the rest of the operator s network does not undergo any significant changes in the evolution to the third generation. As clearly outlined in Figure 2.2, the operators networks have not undergone any significant changes in terms of security from 2G to 3G to 4G. Below is the packet data transfer subsystem (PS core). The scheme in Figure 3 illustrates the architecture of the system used to transmit data in a 2G network. There are some differences in the chain MS (mobile station) SGSN within the 3G network (UMTS network). The scheme shows that an attacker can access the provider s network using: Subscriber s Mobile Station The Internet The GRX network, i.e. via another mobile provider Thus if an attacker enters the network of any mobile provider in the world, he/she will be able to affect other providers. Service GPRS Support Node (SGSN) and Gateway GPRS Support Node (GGSN) are the basic elements for data transmission. The former one is used to provide subscribers with data transmission services and it also interacts with other network elements; the latter is a gateway between the internal operator s network and the Internet. In addition to the Internet connection, there is a connection to the GRX network Global Roaming exchange, which is based on complicated relationships between individual operators (interconnection of networks) used to provide Internet access to subscribers in roaming. 4

5 Fig. 3. A scheme for the packet data transmission within mobile networks (including information on protocols) 4. GTP protocol GTP protocol is used to send the traffic within PS core and GRX. This is a tunneling protocol, which runs over UDP and utilizes port 2123 (for management purposes, GTP-C), port 2152 (for transmitting user data, GTP-U), and 3386 (for billing, GTP ). Message Type field in the GTP header is primarily used for management purposes in GTP-C. Usually, in GTP-U Message Type = 0xFF (T-PDU). Tunnel Endpoint Identifier (TEID) is a tunnel identifier that is not associated with an IP address, i.e., packages can be sent with the same TEID but from different IP addresses (in case if the subscriber moves and switches to another SGSN). PDP Context Activation procedure is executed when the subscriber is connecting to the Internet. In simplified form, the procedure is as follows: 1. The phone sends an Activate PDP Context request, which (amongst other information) contains the login, password, and APN. 2. After receiving the APN, SGSN tries to resolve it on the internal DNS server; the server resolves the received APN and provides the corresponding GGSN address. 3. The SGSN sends the Create PDP Context request to this address. 4. The GGSN authenticates the submitted login and password, for example, on the RADIUS server. 5. The GGSN obtains an IP address for the mobile phone and transmits all data required for PDP context activation back to the SGSN. 6. The SGSN accomplishes the activation procedure by sending back to the phone all the data required for establishing a connection. In fact, the PDP Context Activation procedure is the creation of a tunnel between a cell phone and a gateway (GGSN) on the operator s mobile network. 5

6 Octets Version PT (*) E S Message Type Length (1 st Octet) Length (2 nd Octet) Tunnel Endpoint Identifier (1 st Octet) Tunnel Endpoint Identifier (2 nd Octet) Tunnel Endpoint Identifier (3 rd Octet) Tunnel Endpoint Identifier (4 th Octet) Sequence Number (1 st 1) 4) Octet) Sequence Number (2 nd 1) 4) Octet) 2) 4) N-PDU Number 3) 4) Next Extension Header Type 1 PN NOTE 0: (*) This bit is a spare bit. It shall be sent as '0'. The receiver shall not evaluate this bit. NOTE 1: 1) This field shall only be evaluated when indicated by the S flag set to 1. NOTE 2: 2) This field shall only be evaluated when indicated by the PN flag set to 1. NOTE 3: 3) This field shall only be evaluated when indicated by the E flag set to 1. NOTE 4: 4) This field shall be present if and only if any one or more of the S, PN and E flags are set. Fig. 4. GTP header structure PDP Context Activation SGSN DNS GGSN RADIUS DHCP 1. Activate PDP Context Request 2a. DNS Request mncxxx.mscxxx.internet 2b. DNS Response GGSN IP 4a. Radius Authenticate Request 4b. Radius Authenticate Response 3. Create PDP Context Request 5a. DHCP Address Request 7. Activate PDP Context Accept GTP U 6. Create PDP Context Response GTP C + GTP U 5a. DHCP Address Assignment Fig. 5. The procedure for establishing a connection 6

7 5. Searching for mobile operator s facilities on the Internet We already know that GGSN must be deployed as an edge device. Using Shodan.io search engine for Internet-connected devices, we can find the required devices by their banners. Fig. 6. Search results in Shodan Search result displays about 40 devices using this abbreviation in their banners. The screenshot provides a list of some devices that use this abbreviation, including devices with open Telnet and turned off password authentication. An attacker can perform an intrusion into the network of the operator in the Central African Republic by connecting to this device and implementing the required settings. Having access to the network of any operator, the attacker will automatically get access to the GRX network and other operators of mobile services. One single mistake made by one single operator in the world creates this opportunity for attack to many other mobile networks. There are more ways of using the compromised boundary host, for example, DNS spoofing attack (more information about attacks is considered below). GGSN and SGSN can also be found in other ways. GTP protocol described above can be used only within PS core and GRX networks and should not be accessible from the Internet. In practice, however, things are often quite different: There are more than 207,000 devices with open GTP ports all over the global Internet. Fig. 7. Countries with the largest number of hosts with open GTP ports (more than 1000) 7

8 Fig. 8. The distribution of hosts with open GTP ports around the world What can be said about these 207,000 devices? 7,255 devices are not associated with GTP and send HTTP responses (see fig. 9) The remainder of the 200,000 addresses respond with correct GTP messages. A more in-depth analysis shows that an individual device may not be a component of a mobile network: these are universal devices utilized for other purposes when administrators of certain systems did not turn off this feature for them. Alcatel-Lucent 7750 and ZTE ZXUN xgw can often be found among such devices, and the latter has open FTP and Telnet ports. 548 devices responded to the request for establishing a connection: four of them allow a user or attacker to create a tunnel while other respond with various errors. Fig. 9. The response to GTP request received from equipment by Internet Rimon LTD Fig. 10. Responses to attempts to establish a PDP connection 8

9 Let us look into the responses: 1. System failure and Mandatory IE incorrect responses imply that the fields of the GTP packet required for this node were not filled. 2. No resources available response means that node s DHCP pool or PDP pool has run out. 3. Missing or unknown APN and Service not supported responses imply that the current APN is not included into the list of authorized APNs (you can find proper APNs on the provider s website in the Internet, WAP, or MMS settings). 4. Accept response implies that the device provides an IP address and other connection attributes, i.e. a tunnel is created. HTTP 4% FTP 81% SSH 25% Telnet 82% BGP 4% VPN (UDP:500) 44% Fig. 11. Number of hosts with various services Dictionary passwords % 79% Management interfaces available to any Internet user % 82% Use of open data transfer protocols % 82% Vulnerabilities of system and application software caused by lack of updates SQL Injection % 55% 64% 63% Unrestricted File Upload % 55% Storing important data unencrypted Path traversal % 47% 45% 42% Dictionary SNMP Community String value (public) % 36% DBMS access interfaces available to any Internet user % 36% Fig. 12. Top 10 vulnerabilities typical of a network perimeter Therefore, an attacker coming from the Internet can detect the proper GGSN, set up the GTP connection and then encapsulate GTP control packets into the created tunnel. If parameters were selected properly, GGSN will take them as packets from legitimate devices within the operator s network. Another benefit for attackers is that GTP is not the only protocol used on detected hosts. Telnet, FTP, SSH, Web, etc. are also used for management purposes. The figure below shows how many open ports were detected for each protocol. According to statistics provided by Positive Technologies, penetration tests revealed that data transferring via open protocols (FTP, Telnet, HTTP) and availability of management interfaces from the Internet are the most frequent vulnerabilities to appear in the network perimeter of large companies information systems. Moreover, the distribution of these vulnerabilities has doubled in compared to 2011/2012, effectively creating a larger number and range of attacks for mobile Internet suppliers and users to consider. 9

10 6. Threats The following parameters are typical for the described attacks: the complexity of implementing (having regard to conditions) is medium, the reproducibility (i.e. the reuse of the attack by other attackers) is high IMSI brute force Goal: To find a valid IMSI. Attack vector: An attacker conducts attacks from the GRX network or the operator s network. Description: IMSI is the SIM card Number (International Mobile Subscriber ID). It consists of 15 digits, the first three identify the Mobile Country Code (MCC), the next two digits are the Mobile Network Code (MNC). You can choose the required operator on the website enter the MCC and MNC and then brute force the remaining 10 digits by sending a Send Routing Information for GPRS Request message via GRX. This message can be sent to any GSN device, which converts the request into an SS7 format (CS core network component) and sends it to HLR where it is processed by SS7 network. If the subscriber with this IMSI uses the Internet, we can get the SGSN IP address serving the mentioned subscriber. Otherwise, response will be as follows: Mobile station Not Reachable for GPRS. Result. Obtaining a list of valid IMSI for further attacks. Fig. 13. The scheme of the attack 10

11 6.2. The disclosure of subscriber s data via IMSI Goal: To obtain a phone number, location data, information about the model of a subscriber s mobile device via IMSI. Attack vector: An attacker conducts attacks from the GRX network or the operator s network. Description: An attacker can use this vulnerability after the success of the previous attack or if he/she gets a subscriber s IMSI via a viral application for the subscriber s smartphone. The attacker needs to know the SGSN IP address, garnered from the previous attack. After that, the attacker sends an Update PDP Context Request to the SGSN IP address requesting the subscriber s location; the GSN Control Plane is spoofed with the attacker s IP address. The response contains MSISDN (Mobile Subscriber Integrated Services Digital Number), IMEI (International Mobile Equipment Identity, it helps to identify the model of a subscriber s phone) and the current subscriber s mobile radio base tower (MCC, MNC, LAC, CI). Consequently, the attacker can find the subscriber s location accurate to several hundred meters using the following website: or Result: The required information about the subscriber is obtained. Fig. 14. The scheme of the attack 11

12 6.3. Disconnection of authorized subscribers from the Internet Goal: To disconnect the connected subscribers. Attack vector: An attacker conducts attacks from the GRX network or the operator s network. Description: The attack is based on sending the PDP context delete request packets to the target GGSN with all the TEID listed. The PDP Сontext information is deleted, which causes disconnection of authorized subscribers. At the same time, GGSN unilaterally closes tunnels and sends the responses on this event to the attacker. A valid SGSN used by the subscriber to set up the connection doesn t have information about closing connections, so tunnels continue to occupy the hardware resources. The subscriber s Internet stops working, but the connection is displayed as active. Result: All subscribers connected to this GGSN will be disconnected. The amount of subscribers served by one GGSN is 100,000 10,000,000. Fig. 15. The scheme of the attack 12

13 6.4. Blocking the connection to the Internet Goal: To block the establishment of new connections to the Internet. Attack vector: An attacker conducts attacks from the GRX network or the operator s network. Description: The attack is based on sending the Create PDP context request packets with IMSI list, thus the exhaustion of the available pool of PDP tunnels occurs. For example, the maximum number of PDP Context Cisco 7200 with 256 MB of memory is 80,000, with 512 MB 135,000: it is not difficult to brute force all possible combinations. Moreover, more and more IP addresses from DHCP pool are issued and they may be exhausted. It does not matter what will be exhausted first the DHCP pool or the PDP pool, after all, GGSN will response with No resource available to all valid connection requests. Moreover, GGSN cannot close tunnels, because when you try to close one, GGSN sends an attacker Delete PDP context request with the number of the tunnel to be closed. If there is no response (actually, there isn t any response because an attacker does not want this to happen), GGSN sends such requests over and over again. The resources remain occupied. In case of successful implementation of this attack, authorized subscribers will not be able to connect to the Internet and those who were connected will be disconnected as GGSN sends these tunnels to the attacker s address. This attack is an analogue of the DHCP starvation attack at the GTP level. Result: The subscribers of the attacked GGSN will not be able to connect to the Internet. The amount of subscribers served by one GGSN is 100,000 10,000,000. Fig. 16. The scheme of the attack 13

14 6.5. Internet at the expense of others Goal: The exhaustion of the subscriber s account and use of the connection for illegal purposes. Attack vector: An attacker conducts attacks from the GRX network or the operator s network. Description: The attack is based on sending the Create PDP context request packets with the IMSI of a subscriber known in advance. Thus, the subscriber s credentials are used to establish connection. Unsuspecting subscriber will get a huge bill. It is possible to establish connection via the IMSI of a non-existent subscriber, as subscriber authorization is performed at the stage of connecting to SGSN and GGSN receives already verified connections. Since the SGSN is compromised, no verification is carried out. Result: An attacker can connect to the Internet with the credentials of a legitimate user. Fig. 17. The scheme of the attack 14

15 6.6. Data interception Goal: To listen to the traffic of the victim and conduct a fishing attack. Attack vector: An attacker conducts attacks from the GRX network or the operator s network. Description: An attacker can intercept data sent between the subscriber s device and the Internet by sending an Update PDP Context Request message with spoofed GSN addresses to SGSN and GGSN. This attack is an analogue of the ARP Spoofing attack at the GTP level. Result: Listening to traffic or spoofing traffic from the victim and disclosure of sensitive data. Fig. 18. The scheme of the attack 15

16 6.7. DNS tunneling Goal: To get non-paid access to the Internet from the subscriber s mobile station. Attack vector: The attacker is the subscriber of a mobile phone network and acts through a mobile phone. Description: This is a well-known attack vector, rooted in the days of dial-up, but the implementation of low-price and fast dedicated Internet access made it less viable. However, this attack can be used in mobile networks, for example, in roaming when prices for mobile Internet are unreasonably high and the data transfer speed is not that important (for example, for checking ). The point of this attack is that some operators do not rate DNS traffic, usually in order to redirect the subscriber to the operator s webpage for charging the balance. An attacker can use this vulnerability by sending special crafted requests to the DNS server; to get access one needs a specialized host on the Internet. Result: Getting non-paid access to the Internet at the expense of mobile operator. Fig. 19. The scheme of the attack 16

17 6.8. Substitution of DNS for GGSN Goal: To listen to the traffic of the victim, to conduct a fishing attack. Attack vector: An attacker acts through the Internet. Description: If an attacker gets access to GGSN (which is quite possible as we could see), the DNS address can be spoofed with the attacker s address and all the subscriber s traffic will be redirected through the attacker s host. Thus, listening to all the mobile traffic of the subscriber is possible. Result: An ability to listen to traffic or spoof traffic from all subscribers and then gather confidential data to engage it in fishing attacks. Fig. 20. The scheme of the attack 17

18 7. Conclusion and recommendations Modern mobile networks feature serious vulnerabilities, which allow attackers to perform various attacks against both certain mobile Internet users and the entire infrastructure (for example, for the purpose of industrial espionage or elimination of competitors on the market) using inexpensive equipment. In addition, the deterioration of international relationships and security has historically triggered cell phone tapping followed by the scandalous publication of negotiations between politicians or military officials. Some of the attacks cannot be performed if the mobile equipment is configured properly, but the results our research suggest that misconfiguration is a common problem in the telecommunications sphere by those attempting to save money on security. Vendors often leave some services enabled while these services should be disabled on this equipment, which gives additional opportunities to attackers. Many people rely on new communication standards that include new safety technologies. However, despite the development of such standards (3G, 4G) we cannot completely abandon the use of old generation networks (2G). The reason is the specifics of the implementation of mobile networks and the fact that the 2G base stations have better coverage as well as the fact that 3G networks use their infrastructure. Also, as of later 2014, the majority of operators in the world do not provide opportunities for voice transmission over 4G networks: during a call mobile phone switches forcedly to 3G network or even to 2G and after a call it switches back, if it is possible. The possibility of such invisible switches is widely used for mobile surveillance. The key difference between 4G and other networks voice transmission over IP, may be a vulnerability itself: therefore, not only data but also phone calls may be affected. Therefore, we should expect even more surprises from 4G networks. As for the currently used networks (2G and 3G), Positive Technologies experts recommend to implement the following security measures on the side of communication providers (fig. 21): 1. Use firewalls at the GRX network edge for blocking services that are not associated with providing an Internet access to subscribers in roaming (only required services are permitted: GTP, DNS, etc.). 2. Use firewalls at the Internet edge for blocking services that should not be accessible from the Internet. 3. Use 3GPP TS recommendations to configure the security settings within the PS Core network. The network must be secured, in particular, by using IPsec to send the GTP-C traffic within PS core. Fig. 21. The recommended set of security measures 18

19 4. Carry out a regular security monitoring of the perimeter (Advanced Border Control service). This set of measures will monitor the Customer s network protection against external threats. The monitoring implies regular scanning of all operator s networks and hosts available from the Internet. Scanning reveals available network services, their versions, and types of operational systems. Information obtained during the scanning is checked against the vulnerabilities and exploits database. Thus, the operator is able to control the perimeter from the point of the attacker, predict possible attacks and prevent them. 5. Develop security compliances of equipment and perform regular compliance management tasks (see example in fig.22). Fig. 22. MaxPatrol Compliance Management Sources 1. Cisco Global Mobile Data Traffic Forecast Update, Cisco VNI Mobile, visual-networking-index-vni/white_paper_c pdf 2. Vulnerability Statistics for Corporate Information Systems (), Positive Technologies, _rus.pdf 3. Vulnerabilities of mobile networks based on SS7 protocols. Positive Technologies, Cell phones and total NSA surveillance: How does it work? Positive Technologies, G inherently less secure than 3G The Telegraph, G-inherently-less-secure-than-3G.html 6. Mobile Internet security from inside and outside Positive Technologies, 7. GRX and a Spy Agency GPP TS

20 List of abbreviations APN - Access Point Name; a symbolic name of an access point through which the user can get access to the requested type of the service (WAP, Internet, MMS) BSC - Base Station Controller BTS - Base Transceiver Station; a piece of equipment (repeaters, transceivers) that facilitates wireless communication between user equipment and a network. CI - Cell ID CS - Circuit Switched; data transmission with channel switching DHCP - Dynamic Host Configuration Protocol DNS - Domain Name System FTP - File Transfer Protocol GGSN - Gateway GPRS Support Node; the node affiliated to PS Core Network, it enables the routing of data between GPRS Core network and external IP networks GPRS - General Packet Radio Service GRX - Global Roaming exchange; network that provides packet data services to the roaming GTP - GPRS Tunneling Protocol; a protocol describing and performing the transmission of data between GSN nodes within the packet network HLR - Home Location Register; a database storing all information about the subscriber HTTP - HyperText Transfer Protocol IMEI - International Mobile Equipment Identity IMSI - International Mobile Subscriber Identity LAC - Local Area Code MCC - Mobile Country Code; a code of country, in which the Base Station is located MMS - Multimedia Message System; a system for multimedia messaging (images, audio and video files) within the mobile network MNC - Mobile Network Code MS - Mobile Station MSISDN - Mobile Subscriber Integrated Services Digital Number PS - Packet Switched; data transmission with packet switching SGSN - Service GPRS Support Node; the main component of the GPRS system for implementation of all packet data processing functions SS7 - Signaling System 7; a common channel signaling system used in the international and local telephone networks around the world SSH - Secure Shell TEID - Tunnel Endpoint IDentifier UDP - User Datagram Protocol UMTS - Universal Mobile Telecommunications System; a mobile technology developed by the European Telecommunications Standards Institute (ETSI) in order to implement a 3G service in Europe. WAP - Wireless Application Protocol 20