Securing the Interconnect: Signaling Network Security
Travis Russell, Director, Cyber Security, Service Provider Networks, Oracle Communications
August 2015
Current security landscape
- Much attention has been given to claims made at 31C3 and to articles published in the Washington Post.
- Two articles were run: one in August 2014 and a related article in December 2014.
- These articles were run in advance of 31C3 in Hamburg and have created another firestorm of activity in the industry.
The news has spread
"Hackers demo network-level call interception" (January 05, 2015): "White-hat hackers at the 31st Chaos Computer Congress have demonstrated fundamental flaws in the underlying infrastructure of 2G and 3G mobile phone networks. The flaws allow attackers to covertly track the location of a phone number as well as intercept calls and SMS - all at the network level."
And continues to be sensationalized
"Mobile privacy open to global cyber snooping from 'SS7 protocol'"
What are the claims?
The four areas focused on by researchers:
- Location tracking using ATI or SRI
- Call hijacking using LocationUpdate
- Denial of service using InsertSubscriberData
- Account fraud
The underlying problem is that other networks are allowed to manipulate signaling and to use these protocol messages at all.
The Issue is the Business of Interconnect
- Telecom networks are not designed with interconnect security in mind
- Telecom networks are only connected with other trusted networks
- Signaling networks are secured through business arrangements rather than firewalls
- Recent events have demonstrated the vulnerabilities in this concept
- Service providers are exploiting their interconnects to offer other services
- There are rogue service providers abusing their interconnect privileges
- Circle, and several other companies, have built entire hub services for SS7 access
- It is through these channels that the network is opened to abuse
What about Diameter?
- Researchers have claimed that because Diameter replaces SS7, the same vulnerabilities exist in LTE
- Partially true
- Diameter and SS7 are nothing alike, even though they both support many of the same functions
- Diameter was developed with security in mind, but that security needs to be implemented
- Ignoring the recommendations of 3GPP and the IETF will make certain that network security is compromised again
- The issue of interconnect needs to be resolved to eliminate these problems
What did we learn?
- There is no such thing as a trusted network; all networks should be treated as untrusted
- Interconnects are wide open with little to no restrictions
- More on this later: define granular permissions rather than exposing everything in the network
- Not all suspect traffic is an attack
- Several operators started classifying suspect traffic as an attack, but in reality it was not nefarious
- Misconfigured nodes will also generate this traffic
- Some legitimate applications can also be generating this traffic
What Did We Learn?
- Monitoring of the network is critical
- Most operators do not monitor their networks
- After monitoring their networks, several in the GSMA found anomalies
- More attention needs to be paid to the routing of traffic in the control plane
- The majority of events detected during the monitoring stages have shown other service providers misbehaving rather than nefarious attacks
- Granting access to your network without limitations leads to exploitation
- Granting access to your network to unknown companies is dangerous and reckless
What Did We Learn?
- Accessing the SS7 network is not as easy as claimed
- It requires a connection, and engineering work to obtain the connection
- One hacker cited costs of around $14k/month for an interconnect, providing access to more than 600 roaming partners
- Some operations exist offering SS7 connectivity to anyone, using their expansive network hub
"Since SS7 replaces Diameter, the same vulnerabilities exist"
Chaos Computer Congress 31, December 2015, Hamburg, Germany
3G security; Network Domain Security (NDS); IP network layer security
"The security services that have been identified as being needed are confidentiality, integrity, authentication and anti-replay protection. These will be ensured by standard procedures, based on cryptographic techniques." (3GPP TS 33.210)
Securing the Interconnect
[Diagram: two LTE cores (MME, SGW, PGW, HSS, PCRF, OCS, OFCS, DSC/SIP) interconnected through a DEA on each side]
- IPsec is required at the interconnect per GSMA IR.88, providing authentication at each connection
- Topology hiding is required at the DEA per GSMA IR.88, protecting the topology and the network addressing
- Access control lists at the IP layer add another layer of protection by controlling static IP addresses
- The Diameter Edge Agent (DEA) provides interconnect security
Interconnecting Diameter Networks
3GPP 29272-d10, Section 7.1.2, Securing Diameter Messages:
- The HSS, or the first Diameter agent in the home network with a direct connection to the visited network, must verify that the origin realm is correct
- This means that the origin realm is authorized to access the network
- The specification does not provide the means for verification, but states that verification of the IP address is one possible method
- Static IP addressing and the use of an ACL is the best method of ensuring that the connecting network is authorized to connect
- Further measures should be taken to ensure access is granted only for transactions that should be allowed
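The two preceding slides describe what an edge agent should check on an inbound request: that the Origin-Realm belongs to a known roaming partner, that the request arrives from the static addresses agreed for that partner (the ACL), and that the command is one the partner is permitted to send. The following is an added example written for this page, not Oracle's or any product's code: it parses the RFC 6733 message header and AVP list defensively and applies those three checks. The partner table, realm names, addresses and the choice of which S6a commands a visited network may send inbound (ULR, AIR, PUR, but never IDR or CLR, which originate at the home HSS) are constructed assumptions for illustration.

```python
"""Minimal Diameter edge screening: parse the request, then verify the Origin-Realm
against a static source-address ACL and a per-partner list of permitted commands.
Constructed example; realms, addresses and the partner table are made up."""
from __future__ import annotations
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

S6A_APP_ID = 16777251                                    # 3GPP S6a/S6d application id
ULR, CLR, AIR, IDR, PUR = 316, 317, 318, 319, 321        # Update-Location, Cancel-Location,
                                                         # Auth-Info, Insert-Subscriber-Data, Purge-UE
ORIGIN_HOST, ORIGIN_REALM, DESTINATION_REALM = 264, 296, 283   # AVP codes (RFC 6733)


@dataclass
class DiameterMessage:
    command_code: int
    application_id: int
    is_request: bool
    avps: dict          # AVP code -> raw data of its first occurrence


def parse_diameter(data: bytes) -> DiameterMessage:
    """Parse the 20-byte header and walk the AVP list, rejecting any length
    inconsistency instead of trusting what the peer sent."""
    if len(data) < 20 or data[0] != 1:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(data[1:4], "big")
    if length != len(data) or length % 4:
        raise ValueError("header length does not match the payload")
    flags = data[4]
    command = int.from_bytes(data[5:8], "big")
    app_id = int.from_bytes(data[8:12], "big")
    avps, pos = {}, 20
    while pos < length:
        if length - pos < 8:
            raise ValueError("truncated AVP header")
        code = int.from_bytes(data[pos:pos + 4], "big")
        avp_flags = data[pos + 4]
        avp_len = int.from_bytes(data[pos + 5:pos + 8], "big")
        hdr = 12 if avp_flags & 0x80 else 8             # V bit adds a Vendor-Id field
        if avp_len < hdr or pos + avp_len > length:
            raise ValueError("AVP length out of bounds")
        avps.setdefault(code, data[pos + hdr:pos + avp_len])
        pos += (avp_len + 3) & ~3                        # AVPs are padded to 32 bits
    return DiameterMessage(command, app_id, bool(flags & 0x80), avps)


@dataclass
class Partner:
    networks: list[str]                      # static addresses the partner signals from (ACL)
    allowed_requests: set[tuple[int, int]]   # (application id, command code) it may send inbound


# Constructed partner table. A visited network legitimately sends ULR, AIR and PUR toward
# the home HSS; IDR and CLR originate at the HSS, so an inbound IDR is never expected.
PARTNERS = {
    "epc.mnc001.mcc001.3gppnetwork.org": Partner(
        networks=["192.0.2.0/24"],
        allowed_requests={(S6A_APP_ID, ULR), (S6A_APP_ID, AIR), (S6A_APP_ID, PUR)},
    ),
}


def dea_screen(raw: bytes, src_ip: str) -> tuple[bool, str]:
    """Return (permitted, reason) for one inbound message at the edge agent."""
    try:
        msg = parse_diameter(raw)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if not msg.is_request:
        return True, "answer; correlated against outstanding requests elsewhere"
    realm = msg.avps.get(ORIGIN_REALM, b"").decode("ascii", "replace")
    partner = PARTNERS.get(realm)
    if partner is None:
        return False, f"unknown Origin-Realm {realm!r}"
    if not any(ip_address(src_ip) in ip_network(net) for net in partner.networks):
        return False, f"Origin-Realm {realm} claimed from unexpected source {src_ip}"
    if (msg.application_id, msg.command_code) not in partner.allowed_requests:
        return False, f"command {msg.command_code} not permitted for {realm}"
    return True, f"{realm} may send command {msg.command_code}"


# --- helpers that build constructed sample requests (test data only) ---
def avp(code: int, value: bytes) -> bytes:
    body = struct.pack("!IB", code, 0x40) + (8 + len(value)).to_bytes(3, "big") + value
    return body + b"\x00" * (-len(body) % 4)


def sample_request(command: int, realm: str = "epc.mnc001.mcc001.3gppnetwork.org") -> bytes:
    payload = (avp(ORIGIN_HOST, b"mme1." + realm.encode()) + avp(ORIGIN_REALM, realm.encode())
               + avp(DESTINATION_REALM, b"epc.mnc002.mcc002.3gppnetwork.org"))
    header = (b"\x01" + (20 + len(payload)).to_bytes(3, "big") + b"\x80"
              + command.to_bytes(3, "big") + struct.pack("!III", S6A_APP_ID, 0x1001, 0x2001))
    return header + payload


if __name__ == "__main__":
    for label, raw, ip in [("legit ULR", sample_request(ULR), "192.0.2.10"),
                           ("spoofed realm", sample_request(ULR), "198.51.100.5"),
                           ("inbound IDR", sample_request(IDR), "192.0.2.10"),
                           ("unknown realm", sample_request(ULR, "hub.example.net"), "192.0.2.10"),
                           ("truncated", sample_request(ULR)[:30], "192.0.2.10")]:
        print(f"{label:14s} -> {dea_screen(raw, ip)}")
```

The order of the checks matters: a request whose Origin-Realm does not belong to a partner at all is dropped before any command logic runs, and a realm claimed from an address outside that partner's ACL is treated the same way, which is exactly the IP-address verification the 3GPP text leaves open. The per-partner command list is the "further measures" bullet: a hub that is contractually allowed to relay location updates gets nothing else.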
A DSR in the core will prevent DoS
- DoS is prevented by implementing a Diameter Signaling Router (DSR) in the network core
- This has already been demonstrated in several tier 1 networks
- The DSR acts as the STP for the 4G EPC: load balancing, managing congestion, and managing traffic through the core
- This is the best place to implement security procedures in the core
- The DSR is what routes to the network assets, so it only makes sense to control access to these nodes through a DSR
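The congestion-management role the slide gives the DSR is what keeps a single flooding or misconfigured peer from exhausting the HSS behind it. As an added example (written for this page, not taken from Oracle's DSR or any product), the following applies a per-Origin-Host token bucket and answers shed requests with the RFC 6733 Result-Code DIAMETER_TOO_BUSY (3004) instead of forwarding them. The peer names, rates and the one-second traffic trace are constructed for illustration.

```python
"""Per-peer request shedding of the kind a Diameter Signaling Router applies so that one
flooding peer cannot exhaust the HSS behind it. Constructed example; peers and rates are
made up."""
from __future__ import annotations
from dataclasses import dataclass

DIAMETER_TOO_BUSY = 3004   # RFC 6733 Result-Code returned when a request is shed


@dataclass
class TokenBucket:
    rate: float            # sustained requests per second granted to the peer
    burst: float           # maximum number of tokens the bucket holds
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst   # start full so a quiet peer may burst once

    def take(self, now: float) -> bool:
        """Refill in proportion to elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PeerRateLimiter:
    """One bucket per Origin-Host; hosts without a specific allowance get the default."""

    def __init__(self, default_rate: float, default_burst: float,
                 per_peer: dict[str, tuple[float, float]] | None = None) -> None:
        self.default = (default_rate, default_burst)
        self.per_peer = per_peer or {}
        self.buckets: dict[str, TokenBucket] = {}

    def admit(self, origin_host: str, now: float) -> int | None:
        """Return None to forward the request, or the Result-Code to answer it with."""
        bucket = self.buckets.get(origin_host)
        if bucket is None:
            rate, burst = self.per_peer.get(origin_host, self.default)
            bucket = self.buckets[origin_host] = TokenBucket(rate, burst, last=now)
        return None if bucket.take(now) else DIAMETER_TOO_BUSY


def simulate() -> dict[str, dict[str, int]]:
    """Constructed one-second trace: mme1 floods at 500 req/s while mme2 sends 10 req/s.
    Every peer is allowed 100 req/s sustained with a burst of 50."""
    limiter = PeerRateLimiter(default_rate=100.0, default_burst=50.0)
    trace = [(i / 500.0, "mme1.visited.example") for i in range(500)]
    trace += [(i / 10.0, "mme2.partner.example") for i in range(10)]
    trace.sort()
    stats = {host: {"forwarded": 0, "shed": 0} for _, host in trace}
    for now, host in trace:
        if limiter.admit(host, now) is None:
            stats[host]["forwarded"] += 1
        else:
            stats[host]["shed"] += 1
    return stats


if __name__ == "__main__":
    for host, counts in simulate().items():
        print(f"{host:24s} forwarded={counts['forwarded']:4d} shed={counts['shed']:4d}")
```

In the trace the flooding peer gets its 50-request burst plus roughly 100 requests per second and has the remaining ~350 answered with 3004, while the well-behaved peer is never touched. Keying the bucket on Origin-Host rather than on source address is deliberate: behind a hub, several partners share one transport, and the goal is to isolate the misbehaving one rather than the whole hub.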
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.