Toolkit for vulnerability assessment in 3G networks. Kameswari Kotapati The Pennsylvania State University University Park PA 16802

Toolkit for vulnerability assessment in 3G networks Kameswari Kotapati The Pennsylvania State University University Park PA 16802

Contents Motivation Solution Overview Methodology Overview 3G Attack Graph Attack Scenario SDL Toolkit Architecture Algorithms Attack Categories Sample results Issues and Future Work

Research Area 3G Network Vulnerability Assessment

Motivation

Previously telecom network (2G, 3G) signaling and control (SS7) is closed, future networks are not Trend Telecom networks are moving toward IP for control and services Open interfaces for service introduction Interworking between networks required Open interfaces CROSS-NETWORK SERVICES CROSS-INSFRASTRUCTURE CYBER ATTACKS INCREASED VULNERABILITY of 3G data and 3G servers Interworking Architecture Increased Vulnerability

Evolution of Wireless Networks Home Location Registers Mobile Switching Centers 2G Cellular Closed Network Attacks are possible, but rare Network are now opening up Closed Control Network (SS7) Home Subscriber Servers Internet Telephony Servers Usage of IP opens up possible attacks Services still somewhat limited 3G Cellular/All-IP IP Network Media Gateways 2G Cellular Next Generation IP Services Servers 3G Cellular/ All-IP Two new dangers: Very open environment Passage into SS7 network

Realistic Future Network Environment CDMA2000 3G-IP UMTS BS Circuit Access MSC/VLR ANSI-41 Core HLR IP Access BS Circuit UMTS Core Access MSC/VLR BS IP Access HLR SIP Server Services in all-ip domain IP Core SIP Server UMTS-IP BS BS IP Access SIP Server WI-FI/802.16 Interworking between networks

Cross Infrastructure Cyber Attacks Cross Infrastructure Cyber Attacks may be defined as attacks on the wireless telecommunication network from the IP domain. Cascading effect may be defined as propagation of the attack across network elements 3G Network 3G Entity Attack Entry Point Server IP Network Attack Server Attack

Motivation Open Interfaces Increased Usage Heavy Reliance 3G Networks = Attractive targets Need : 3G Network Vulnerability Assessment Techniques

Solution Overview Cellular Network Vulnerability Assessment Toolkit (CAT)

Why not pre-existing tools? They find physical configuration vulnerabilities But Every 3G deployment has different physical configuration. Does not identify cascading effects. Lacks end-to-end vulnerability assessment across network components.

Why not Manual vulnerability Assessment? Complexity of 3G Network Each service comprises of 100 s of servers. Each server comprises of millions of state machines. Hence not feasible Gateway MSC/ VLR GMSC HLR Effect Effect App Server 3G Network IP Network Effect Application Attack

Cellular Network Vulnerability Assessment Toolkit - CAT Goal: Generate attack graphs that capture attack propagation in 3G networks Output attack graph: progression across network traces seed propagation through the network and impact on services User Input: 3G data parameters seeds: data that is corrupted by an attacker goals: data that is derived incorrectly System input Freely available 3GPP Technical telecommunication specification written in Specification and Description Language (SDL) (http://www.3gpp.org)

Methodology

Specification and Description Language (SDL)

Graphical language Developed by the International Telecommunication Union (ITU). Designated as the formal description language for specifying the functional behavior of telecommunication systems by major standards bodies. Object-oriented. Specification of event-driven, real-time, concurrent distributed systems interacting with discrete signals. SDL specifications do not indicate an implementation structure.

SDL Idle 1.State Name 2.Input Signal Name 3.Transition Action 4.Output Signal Name Provide Roaming Number Convert CSBC to basic service IMSI known in VLR Allocate MSRN Store compatibility Information Store Alerting Pattern Create IMSI Record Allocate LMSI 5.State Name Provide Roaming Number ACK Fig a: SDL Graphical Representative Syntax 6. Waiting For Roaming # Fig b: SDL Fragment of Process Provide Roaming Number in VLR

Attack Scenario

Call delivery Service GMSC HLR VLR MSC 1.Initial Address Message (IAM) 2.Send Rout Info (SRI) 3. Provide Roam Num (PRN) Air Interface 5. Send Rout Info Ack (SRI_ACK) 4.Provide Roam Num Ack (PRN_ACK) 6.Initial Address Message (IAM) 7.SIFIC 8.Page MS 9. Page Home Network Visiting Network

Telecom Database

Architecture of CAT User Input GUI Attack Graph Output Seeds Goal Analysis Engine Explore Using CAT - Forward -Mid-Point Integrated Data Structure Maximum View Output Telecommunication Specifications SDL Database Final View Prune a. Overall Architecture of CAT b. Functional Architecture

3G Attack Graph Nodes Condition Action Goal Edges Network Transitions Adversary Transitions Tree Number Represents tree to which node belongs. Nodes at a level with same tree number represent AND nodes.

Algorithms

Algorithm Principles Condition nodes may be constructed if the seed occurs in the message or actions. When the seed occur in incoming messages and corresponding 3G servers = corruption spreads from the message to the block When a seed occur in a 3G server with other seeds/goal = corruption spreads from the seed to other seeds/goal When the corrupt seed occurs in a 3G server and outgoing message = corruption spreads from the block to other block

Sample result: Speech attack

Attack Classification 1-Level Indirect attacks: corruption of Seed1 leads to corruption of the goal hence reaching the goal. (Seed 1 Goal) N-level indirect attacks: Given any k seeds Seed 1, Seed 2,..., Seed k and Goal, corruption of Seed 1 leads to corruption of some seed Seed i and so on until the Goal is corrupt. (Seed 1 Seed i Seed j Seed n Goal) Collaborative attack: a single seed cannot reach the Goal but the corruption of multiple seeds allows for reaching of the Goal i.e. Seed1 & Seed2 Goal

Issues with SDL Data links in messages SDL may not explicitly show data relations in request/response pairs Data dependencies in actions Details (input data output data) of subroutines may not be specified Relation between input and output data items may not be specified.

Future work SDL will be augmented with expert input to capture missing details. The process of deriving attack scenarios from attack graphs may be automated using expert systems, AI algorithms and expert systems.