Practical Security Testing for LTE Networks BlackHat Abu Dhabi December 2012 Martyn Ruks & Nils

Similar documents
Security Testing 4G (LTE) Networks 44con 6th September 2012 Martyn Ruks & Nils

3GPP Long Term Evolution: Architecture, Protocols and Interfaces

Long-Term Evolution. Mobile Telecommunications Networks WMNet Lab

LTE X2 Handover Messaging

Architecture Overview NCHU CSE LTE - 1

Optimization Handoff in Mobility Management for the Integrated Macrocell - Femtocell LTE Network

Mobile Devices Security: Evolving Threat Profile of Mobile Networks

Telesystem Innovations. LTE in a Nutshell: Protocol Architecture WHITE PAPER

LTE transport network security Jason S. Boswell Head of Security Sales, NAM Nokia Siemens Networks

How to secure an LTE-network: Just applying the 3GPP security standards and that's it?

Study of Long Term Evolution Network, its Architecture along with its Interfaces

4G Mobile Networks At Risk

LTE Attach and Default Bearer Setup Messaging

Towards Software Defined Cellular Networks

Long Term Evolution - LTE. A short overview

Diameter in the Evolved Packet Core

The LTE Network Architecture

LTE - Can SDN paradigm be applied?

Network Access Security in Mobile 4G LTE. Huang Zheng Xiong Jiaxi An Sihua

IP-based Mobility Management for a Distributed Radio Access Network Architecture. helmut.becker@siemens.com

Telecommunication Services Engineering (TSE) Lab. Chapter III 4G Long Term Evolution (LTE) and Evolved Packet Core (EPC)

Protocol Signaling Procedures in LTE

Trends in Mobile Network Architectures 3GPP LTE Mobile WiMAX Next Generation Mobile Networks Dr.-Ing. Michael Schopp, Siemens Networks

NTT DOCOMO Technical Journal. Core Network Infrastructure and Congestion Control Technology for M2M Communications

LTE Overview October 6, 2011

Intel Network Builders Solution Brief. Intel and ASTRI* Help Mobile Network Operators Support Small Cell Networks

Applying Software Defined Networks and Virtualization Concepts for Next Generation Mobile Broadband Networks

Design and Implementation of a Distributed Mobility Management Entity (MME) on OpenStack

LTE Performance and Analysis using Atoll Simulation

LTE Security How Good Is It?

Mobility Management for All-IP Core Network

Nokia Siemens Networks Flexi Network Gateway. Brochure

LTE Security. EventHelix.com. Encryption and Integrity Protection in LTE. telecommunication design systems engineering real-time and embedded systems

Nokia Siemens Networks Flexi Network Server

Accelerating 4G Network Performance

Introduction to Evolved Packet Core

Delivery of Voice and Text Messages over LTE

LTE CDMA Interworking

Chapter 2 Network Architecture and Protocols

LTE Control Plane on Intel Architecture

Overview of the Evolved packet core network

SS7 & LTE Stack Attack

Mobile network evolution A tutorial presentation

Mobile IPv6 deployment opportunities in next generation 3GPP networks. I. Guardini E. Demaria M. La Monaca

Kamakshi Sridhar, PhD Distinguished Member of Technical Staff Director Wireless CTO organization

Wireless & Mobile. Working Group

Top 10 Considerations for a Successful 4G LTE Evolved Packet Core Deployment

Wanderlust: Enabling roaming in the LTE era. Don Troshynski Vice President, Solutions Architecture

Securing Next Generation Mobile Networks

Mobile Devices Security: Evolving Threat Profile of Mobile Networks

Technical white paper. Enabling mobile broadband growth Evolved Packet Core

Signaling is growing 50% faster than data traffic

5.0 Network Architecture. 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network

3GPP Femtocells: Architecture and Protocols. by Gavin Horn

Whitepaper. 10 Metrics to Monitor in the LTE Network. blog.sevone.com

Nationwide Interoperability Framework

SAE and Evolved Packet Core

Single Radio Voice Call Continuity. (SRVCC) with LTE. White Paper. Overview. By: Shwetha Vittal, Lead Engineer CONTENTS

Handover Management Optimization for LTE Terrestrial Network with Satellite Backhaul

SERVICE DISCOVERY AND MOBILITY MANAGEMENT

ehrpd Mike Keeley Market Segment Director

Demo 1. Network Path and Quality Validation in the Evolved Packet Core

10 METRICS TO MONITOR IN THE LTE NETWORK. [ WhitePaper ]

Voice over IP over LTE (VoLTE) Impacts on LTE access. EFORT

Performance validation for the mobile core

Contents. Preface. Acknowledgement. About the Author. Part I UMTS Networks

Femtocells: A Poisonous Needle in the Operator s Hay Stack

Supporting mobility in the RAN cloud

Security in the Evolved Packet System

Virtualization techniques for redesigning mobile backhaul networks: challenges and issues. Fabrice Guillemin Orange Labs, IMT/IMT/OLN/CNC/NCA

ETSI TS V8.0.0 ( ) Technical Specification

MASTER THESIS. Luca Valtulina

Get the best performance from your LTE Network with MOBIPASS

ATCN 2014: SDN - Mobility and SDN: Mobility Management and Mobile Networks

Securing IP Networks with Implementation of IPv6

Security in cellular-radio access networks

Security Analysis of LTE Access Network

UMTS/GPRS system overview from an IP addressing perspective. David Kessens Jonne Soininen

Oracle s Secure HetNet Backhaul Solution. A Solution Based on Oracle s Network Session Delivery and Control Infrastructure

Security Gate & Gi Firewall

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Securing the Interconnect Signaling Network Security

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Technology Business Unit. White Paper. SDN in Wireless Cellular Networks: Gearing Up to Meet the Growing Bandwidth Demand

Cisco ASR 5000 Mobility Management Entity Administration Guide

LTE service area. 3G service area. EPS : Evolved Packet System. Currently Planning & Coordination Office 1 C *

Deploying IPv6 in 3GPP Networks. Evolving Mobile Broadband from 2G to LTE and Beyond. NSN/Nokia Series

EVERYTHING YOU EVER WANTED TO KNOW ABOUT LTE

IPV6 IN MOBILE NETWORKS

Integrating Lawful Intercept into the Next Generation 4G LTE Network

Chapter 9. IP Secure

A Systemfor Scanning Traffic Detection in 3G WCDMA Network

A Layer-2 Approach for Mobility and Transport in the Mobile Backhaul

Virtual Evolved Packet Core

On LTE Security: Closing the Gap Between Standards and Implementation

IP Security. Ola Flygt Växjö University, Sweden

Computer Networking. Definitions. Introduction

Transcription:

Practical Security Testing for LTE Networks BlackHat Abu Dhabi December 2012 Martyn Ruks & Nils 06/11/2012 1

Today s Talk Intro to LTE Networks Technical Details Attacks and Testing Defences Conclusions 06/11/2012 2

Intro to LTE Networks 06/11/2012 3

Mobile Networks A Brief History Lesson 1G 1980s Analogue technology (AMPS, TACS) 2G 1990s Move to digital (GSM,GPRS,EDGE) 3G 2000s Improved data services (UMTS, HSPA) 4G 2010s High bandwidth data (LTE Advanced) 06/11/2012 4

Mobile Networks Historic Vulnerabilities Older networks have been the subject of practical and theoretical attacks Examples include: Ability to man in the middle No perfect forward secrecy No encryption on the back-end LTE Advanced addresses previous attacks 06/11/2012 5

Mobile Networks Why is LTE Important? We have lived with 3G for a long time 4G provides high speed mobile data services for customers High level of scalability on the backend for operators 06/11/2012 6

Technical Details 06/11/2012 7

Conceptual View 3G NodeB Core Network RNC User Base Station Back-End Internet 06/11/2012 8

Network Overview 3G NB HSS AuC UE NB RNC SGSN GGSN Internet Core Network 06/11/2012 9

Conceptual View 4G EPC enodeb User Base Station Back-End Internet 06/11/2012 10

Network Overview 4G enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 11

The Components enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 12

The Components User Equipment (UE) What the customer uses to connect Mainly dongles and hubs at present Smartphones and tablets will follow (already lots in US) 06/11/2012 13

The Components enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 14

The Components evolved Node B (enb) The bridge between wired and wireless networks Forwards signalling traffic to the MME Passes data traffic to the PDN/Serving Gateway 06/11/2012 15

The Components enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 16

The Components Evolved Packet Core (EPC) The back-end core network Manages access to data services Uses IP for all communications Divided into several components 06/11/2012 17

The Components enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 18

The Components Mobile Management Entity (MME) Termination point for UE Signalling Handles authentication events Key component in back-end communications 06/11/2012 19

The Components enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 20

The Components Home Subscriber Service (HSS) Contains a user s subscription data (profile) Typically includes the Authentication Centre (AuC) Where key material is stored 06/11/2012 21

The Components enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 22

The Components PDN and Serving Gateways (PGw and SGw) Handles data traffic from UE Can be consolidated into a single device Responsible for traffic routing within the back-end Implements important filtering controls 06/11/2012 23

The Components enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 24

The Components Policy Charging and Rules Function (PCRF) Does what it says on the tin Integrated into the network core Allows operator to perform bandwidth shaping 06/11/2012 25

The Components UE HeNB MME HSS SGw PGw PCRF Internet EPC 06/11/2012 26

The Components Home enb (HeNB) The FemtoCell of LTE An enodeb within your home Talks to the MME and PDN/Serving Gateway Expected to arrive much later in 4G rollout 06/11/2012 27

Network Overview Control and User Planes 06/11/2012 28

The Protocols enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 29

The Protocols Radio Protocols (RRC, PDCP, RLC) These all terminate at the enodeb RRC is only used on the control plane Wireless user and control data is encrypted (some exceptions) Signalling data can also be encrypted end-to-end RRC PDCP RLC 06/11/2012 30

The Protocols enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 31

The Protocols Internet Protocol (IP) Used by all back-end comms All user data uses it Supports both IPv4 and IPv6 Important to get routing and filtering correct Common UDP and TCP services in use IP 06/11/2012 32

The Protocols enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 33

The Protocols The Protocols - SCTP Another protocol on top of IP Robust session handling Bi-directional sessions Sequence numbers very important SCTP IP 06/11/2012 34

The Protocols enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 35

The Protocols The Protocols GTP-U Runs on top of UDP and IP One of two variants of GTP used in LTE This transports user IP data Pair of sessions are used identified by Tunnel-ID GTP-U UDP IP 06/11/2012 36

The Protocols enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 37

The Protocols The Protocols GTP-C Runs on top of UDP and IP The other variant of GTP used in LTE Used for back-end data Should not be used by the MME in pure 4G GTP-C UDP IP 06/11/2012 38

The Protocols enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 39

The Protocols S1AP Runs on top of SCTP and IP An ASN.1 protocol Transports UE signalling UE sessions distinguished by a pair of IDs S1AP SCTP IP 06/11/2012 40

The Protocols enb MME HSS UE enb SGw PGw PCRF Internet EPC 06/11/2012 41

The Protocols X2AP Very similar to S1AP Used between enodebs for signalling and handovers Runs over of SCTP and IP and is also an ASN.1 protocol X2AP SCTP IP 06/11/2012 42

Potential Attacks 06/11/2012 43

Targets for Testing What Attacks are Possible Wireless attacks and the baseband Attacking the EPC from UE Attacking other UE Plugging into the Back-end Physical attacks (HeNB) 06/11/2012 44

Targets for Testing Wireless Attacks and the Baseband A DIY kit for attacking wireless protocols is now closer (USRP based) Best chance is using commercial kit to get a head-start Not the easiest thing to attack 06/11/2012 45

Targets for Testing Attacking the EPC from UE Everything in the back-end is IP You pay someone to give you IP access to the environment Easiest place to start 06/11/2012 46

Targets for Testing Attacking other UE Other wirelessly connected devices are close May be less protection if seen as a local network The gateway may enforce segregation between UE 06/11/2012 47

Targets for Testing Wired network attacks enodebs will be in public locations They need visibility of components in the EPC Very easy to communicate with an IP network Everything is potentially in scope 06/11/2012 48

Targets for Testing Physical Attacks (enb) Plugging into management interfaces is most likely attack, except A Home enodeb is a different story Hopefully we have learned from the Vodafone Femto-Cell Attack 06/11/2012 49

What you can Test 06/11/2012 50

Tests to Run As a Wirelessly Connected User Visibility of the back-end from UE Visibility of other UEs Testing controls enforced by Gateway Spoofed source addresses GTP Encapsulation (Control and User) 06/11/2012 51

Tests to Run From the Back-End Ability to attack MME (signalling) Robustness of stacks (eg SCTP) Fuzzing Sequence number generation Testing management interfaces Web consoles SSH Proprietary protocols 06/11/2012 52

Tests to Run Challenges Spoofing UE authentication is difficult Messing with radio layers is hard ASN.1 protocols are a pain Injecting into SCTP is tough Easy to break back-end communications 06/11/2012 53

Tests to Run S1AP Protocol By default no authentication to the service Contains enodeb data and UE Signalling UE Signalling can make use of encryption and integrity checking If no UE encryption is used attacks against connected handsets become possible 06/11/2012 54

Tests to Run S1AP and Signalling S1AP NAS NAS UE enb MME 06/11/2012 55

Tests to Run S1AP and Signalling Spoofed UE Spoofed enb MME UE enb 06/11/2012 56

Tests to Run S1AP and Signalling S1 Setup S1 Setup Response enb Attach Request Authentication Request Authentication Response Security Mode MME 06/11/2012 57

Tests to Run GTP Protocol Gateway can handle multiple encapsulations It uses UDP so easy to have fun with The gateway needs to enforce a number of controls that stop attacks 06/11/2012 58

Tests to Run GTP and User Data GTP IP IP IP UE enb SGw Internet 06/11/2012 59

Tests to Run GTP and User Data IP UE GTP UDP IP enodeb GTP UDP IP 06/11/2012 60

Tests to Run GTP and User Data GTP IP GTP IP GTP IP GTP UE enb SGw Internet 06/11/2012 61

Tests to Run GTP and User Data Destination IP Address (IP) Source IP Address (IP) Invalid IP Protocols (IP) GTP Tunnel ID (GTP) Source IP Address (GTP) UE enb SGw PGw 06/11/2012 62

Tests to Run Old Skool Everything you already know can be applied to testing the back-end Its an IP network and has routers and switches There are management services running 06/11/2012 63

Defences 06/11/2012 64

Defences The Multi-Layered Approach Get the IP network design right Protect the IP traffic in transit Enforce controls in the Gateway Ensure UE and HeNBs are secure Monitoring and Response Testing 06/11/2012 65

Defences Unified/Consolidated Gateway The Gateway enforces some very important controls: Anti-spoofing Encapsulation protection Device to device Routing Billing and charging of users 06/11/2012 66

Defences IP Routing Architecture design and routing in the core is complex Getting it right is critical to security We have seen issues with this This must be tested before an environment is deployed 06/11/2012 67

Defences IPSec If correctly implemented will provide Confidentiality and Integrity protection Can also provide authentication between components Keeping the keys secure is not trivial and not tested 06/11/2012 68

Defences Architecture Consideration MME HSS enodeb EPC Switch Internet Gateway Internet Serving Gateway EPC PDN Gateway 06/11/2012 69

Conclusions 06/11/2012 70

Conclusion 1 There are 3 key protective controls that should be tested within LTE environments Policies and rules in the Unified/Consolidated Gateway The implementation of IPSec between all backend components A back-end IP network with well-designed routing and filtering 06/11/2012 71

Conclusion 2 Despite fears from the use of IP in 4G, LTE will improve security if implemented correctly The 3 key controls must be correctly implemented Testing must be completed for validation Continued scrutiny is required Legacy systems may be the weakest link 06/11/2012 72

Conclusion 3 Protecting key material used for IPSec is not trivial The security model for IPSec needs careful consideration Operational security processes are also important Home enodeb security is a challenge 06/11/2012 73

Conclusion 4 More air interface testing is needed Will need co-operation from vendors/operators Open testing tools will need significant development effort Still lower hanging fruit if support for legacy wireless standards remain 06/11/2012 74

Questions @mwrinfosecurity @mwrlabs 06/11/2012 75

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information