
Security Testing 4G (LTE) Networks, 44con, 6th September 2012, Martyn Ruks & Nils (PowerPoint PPT Presentation)



  1. Security Testing 4G (LTE) Networks 44con 6th September 2012 Martyn Ruks & Nils 1 11/09/2012

  2. Today’s Talk
  • Intro to 4G (LTE) Networks
  • Technical Details
  • Attacks and Testing
  • Defences
  • Conclusions

  3. Intro to 4G (LTE) Networks

  4. Mobile Networks: A Brief History Lesson
  • 1G – 1980s: Analogue technology (AMPS, TACS)
  • 2G – 1990s: Move to digital (GSM, GPRS, EDGE)
  • 3G – 2000s: Improved data services (UMTS, HSPA)
  • 4G – 2010s: High bandwidth data (LTE Advanced)

  5. Mobile Networks: Historic Vulnerabilities
  • Older networks have been the subject of practical and theoretical attacks
  • Examples include:
    • Ability to man in the middle
    • No perfect forward secrecy
    • No encryption on the back-end
  • LTE Advanced addresses previous attacks

  6. Mobile Networks: Current Status of 4G
  • Lots of 4G networks running or planned (eg Scandinavia, US)
  • UK trials have run in Cornwall, London etc
  • Spectrum auction is important
  • EE service launches soon!

  7. Mobile Networks: Why is 4G Important?
  • Digital Britain strategy
  • Fixed line broadband expensive in remote locations
  • Provides high speed mobile data services
  • High level of scalability on the back-end

  8. Technical Details

  9. Conceptual View: 3G  [diagram: User → Base Station (NodeB, RNC) → Core Network (Back-End) → Internet]

  10. Network Overview: 3G  [diagram: UE → NB → RNC → SGSN → GGSN → Internet; the Core Network also contains the HSS/AuC]

  11. Conceptual View: 4G  [diagram: User → Base Station (eNodeB) → EPC (Back-End) → Internet]

  12. Network Overview: 4G  [diagram: UE → eNB → SGw → PGw → Internet; the EPC also contains the MME, HSS and PCRF]

  13. The Components: User Equipment (UE)
  • What the customer uses to connect
  • Mainly dongles and hubs at present
  • Smartphones and tablets will follow (already lots in US)

  14. The Components: evolved Node B (eNB)
  • The bridge between wired and wireless networks
  • Forwards signalling traffic to the MME
  • Passes data traffic to the PDN/Serving Gateway

  15. The Components: Evolved Packet Core (EPC)
  • The back-end core network
  • Manages access to data services
  • Uses IP for all communications
  • Divided into several components

  16. The Components: Mobile Management Entity (MME)
  • Termination point for UE signalling
  • Handles authentication events
  • Key component in back-end communications

  17. The Components: Home Subscriber Service (HSS)
  • Contains a user’s subscription data (profile)
  • Typically includes the Authentication Centre (AuC)
  • Where key material is stored

  18. The Components: PDN and Serving Gateways (PGw and SGw)
  • Handles data traffic from UE
  • Can be consolidated into a single device
  • Responsible for traffic routing within the back-end
  • Implements important filtering controls

  19. The Components: Policy Charging and Rules Function (PCRF)
  • Does what it says on the tin
  • Integrated into the network core
  • Allows operator to perform bandwidth shaping

  20. The Components: Home eNB (HeNB)
  • The “FemtoCell” of LTE
  • An eNodeB within your home
  • Talks to the MME and PDN/Serving Gateway
  • Expected to arrive much later in 4G rollout

  21. Network Overview: Control and User Planes  [diagram]

  22. The Protocols: Radio Protocols (RRC, PDCP, RLC)  [stack diagram: RRC, PDCP, RLC]
  • These all terminate at the eNodeB
  • RRC is only used on the control plane
  • Wireless user and control data is encrypted (some exceptions)
  • Signalling data can also be encrypted end-to-end

  23. The Protocols: Internet Protocol (IP)  [stack diagram: IP]
  • Used by all back-end comms
  • All user data uses it
  • Supports both IPv4 and IPv6
  • Important to get routing and filtering correct
  • Common UDP and TCP services in use

  24. The Protocols: SCTP  [stack diagram: SCTP over IP]
  • Another protocol on top of IP
  • Robust session handling
  • Bi-directional sessions
  • Sequence numbers very important

  25. The Protocols: GTP-U  [stack diagram: GTP-U over UDP over IP]
  • Runs on top of UDP and IP
  • One of two variants of GTP used in LTE
  • This transports user IP data
  • Pair of sessions are used, identified by Tunnel-ID

  26. The Protocols: GTP-C  [stack diagram: GTP-C over UDP over IP]
  • Runs on top of UDP and IP
  • The other variant of GTP used in LTE
  • Used for back-end data
  • Should not be used by the MME in pure 4G

  27. The Protocols: S1AP  [stack diagram: S1AP over SCTP over IP]
  • Runs on top of SCTP and IP
  • An ASN.1 protocol
  • Transports UE signalling
  • UE sessions distinguished by a pair of IDs

  28. The Protocols: X2AP  [stack diagram: X2AP over SCTP over IP]
  • Very similar to S1AP
  • Used between eNodeBs for signalling and handovers
  • Runs over SCTP and IP and is also an ASN.1 protocol

  29. Potential Attacks

  30. Targets for Testing: What Attacks are Possible
  • Wireless attacks and the baseband
  • Attacking the EPC from UE
  • Attacking other UE
  • Plugging into the back-end
  • Physical attacks (HeNB)

  31. Targets for Testing: Wireless Attacks and the Baseband
  • A DIY kit for attacking wireless protocols is now closer (USRP based)
  • Best chance is using commercial kit to get a head-start
  • Not the easiest thing to attack

  32. Targets for Testing: Attacking the EPC from UE
  • Everything in the back-end is IP
  • You pay someone to give you IP access to the environment
  • Easiest place to start

  33. Targets for Testing: Attacking other UE
  • Other wirelessly connected devices are close
  • May be less protection if seen as a local network
  • The gateway may enforce segregation between UE

  34. Targets for Testing: Wired Network Attacks
  • eNodeBs will be in public locations
  • They need visibility of components in the EPC
  • Very easy to communicate with an IP network
  • Everything is potentially in scope

  35. Targets for Testing: Physical Attacks (eNB)
  • Plugging into management interfaces is the most likely attack, except …
  • A Home eNodeB is a different story
  • Hopefully we have learned from the Vodafone Femto-Cell Attack

  36. What you can Test

  37. Tests to Run: As a Wirelessly Connected User
  • Visibility of the back-end from UE
  • Visibility of other UEs
  • Testing controls enforced by Gateway
    • Spoofed source addresses
    • GTP Encapsulation (Control and User)

  38. Tests to Run: From the Back-End
  • Ability to attack MME (signalling)
  • Robustness of stacks (eg SCTP)
    • Fuzzing
    • Sequence number generation
  • Testing management interfaces
    • Web consoles
    • SSH
    • Proprietary protocols
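Slide 38 lists sequence number generation in the SCTP stack as a robustness test against back-end components, and slide 24 calls SCTP sequence numbers "very important". The following is an added example, not code from the talk, of how an operator might check a capture from their own MME: it parses the SCTP common header and INIT chunk, then flags initiate tags or initial TSNs that step like a counter or repeat, and counts INITs that break the RFC 4960 rule of a zero verification tag. The sample packets are constructed (a counter-like stack beside a random-looking one), the S1-MME port 36412 is the standard value, the predictability heuristic is this example's own, and CRC32c checksums are not verified.

```python
# Added example: parse SCTP INIT chunks from captured packets and flag
# predictable initiate tags / initial TSNs. Sample packets are constructed;
# CRC32c checksums are not verified (hypothetical capture, not a real MME).
import struct

INIT_CHUNK = 1  # SCTP chunk type for INIT (RFC 4960)


def parse_sctp_init(pkt: bytes):
    """Return the INIT chunk fields of one SCTP packet, or None if it carries no INIT chunk."""
    if len(pkt) < 12:
        raise ValueError("truncated SCTP common header")
    sport, dport, vtag, _crc32c = struct.unpack("!HHII", pkt[:12])
    off = 12
    while off + 4 <= len(pkt):
        ctype, _flags, clen = struct.unpack("!BBH", pkt[off:off + 4])
        if clen < 4 or off + clen > len(pkt):
            raise ValueError("bad chunk length")
        if ctype == INIT_CHUNK:
            if clen < 20:
                raise ValueError("INIT chunk too short")
            init_tag, a_rwnd, outs, ins, tsn = struct.unpack("!IIHHI", pkt[off + 4:off + 20])
            return {"sport": sport, "dport": dport, "vtag": vtag, "init_tag": init_tag,
                    "a_rwnd": a_rwnd, "out_streams": outs, "in_streams": ins, "tsn": tsn}
        off += (clen + 3) & ~3  # chunks are padded to a 4-octet boundary
    return None


def looks_predictable(values):
    """Heuristic: counter-like (constant stride) or repeating 32-bit values are predictable."""
    if len(values) < 3:
        return False
    strides = {(b - a) & 0xFFFFFFFF for a, b in zip(values, values[1:])}
    return len(strides) == 1 or len(set(values)) < len(values)


def assess_inits(pkts):
    """Summarise the INIT chunks in a capture: predictability of tags/TSNs and RFC violations."""
    inits = [i for i in (parse_sctp_init(p) for p in pkts) if i is not None]
    return {
        "init_count": len(inits),
        "init_tag_predictable": looks_predictable([i["init_tag"] for i in inits]),
        "tsn_predictable": looks_predictable([i["tsn"] for i in inits]),
        # RFC 4960: an INIT carries Verification Tag 0 and a non-zero Initiate Tag
        "bad_vtag": sum(1 for i in inits if i["vtag"] != 0),
        "zero_init_tag": sum(1 for i in inits if i["init_tag"] == 0),
    }


def build_init(sport, dport, init_tag, tsn):
    """Construct a minimal SCTP packet carrying only an INIT chunk (checksum left zero)."""
    common = struct.pack("!HHII", sport, dport, 0, 0)
    chunk = struct.pack("!BBHIIHHI", INIT_CHUNK, 0, 20, init_tag, 0x10000, 2, 2, tsn)
    return common + chunk


# Constructed captures on the S1-MME port: one stack hands out counter-like
# tags/TSNs, the other does not.
COUNTER_STACK = [build_init(36412, 36412, 0x1000 + n, 0x2000 + 0x10 * n) for n in range(6)]
RANDOM_STACK = [build_init(36412, 36412, t, s) for t, s in
                [(0x9A3F2C11, 0x5D0E77B2), (0x0B7E19F4, 0xC41A0D93), (0xE2C4A078, 0x1F6B3E05),
                 (0x4D91F6A3, 0x8A2C54E1), (0x7F03BC5E, 0x3E9D1A47), (0xC8A61D20, 0x6B05F9C8)]]

if __name__ == "__main__":
    print("counter-like stack:", assess_inits(COUNTER_STACK))
    print("random-looking stack:", assess_inits(RANDOM_STACK))
```

Run against a real capture, the packets list would come from the SCTP payloads of each frame; a constant stride across several associations is the signal that the stack's tags or TSNs can be anticipated, which is what makes blind injection into SCTP (slide 39) easier than it should be.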

  39. Tests to Run: Challenges
  • Spoofing UE authentication is difficult
  • Messing with radio layers is hard
  • ASN.1 protocols are a pain
  • Injecting into SCTP is tough
  • Easy to break back-end communications

  40. Tests to Run: S1AP Protocol
  • By default no authentication to the service
  • Contains eNodeB data and UE signalling
  • UE signalling can make use of encryption and integrity checking
  • If no UE encryption is used, attacks against connected handsets become possible

  41. Tests to Run: S1AP and Signalling  [diagram: UE → eNB → MME; S1AP runs between eNB and MME, NAS signalling between UE and MME]

  42. Tests to Run: S1AP and Signalling  [diagram: a spoofed UE and a spoofed eNB alongside the legitimate UE → eNB → MME path]

  43. Tests to Run: S1AP and Signalling  [sequence diagram, eNB ↔ MME: S1 Setup, S1 Setup Response, Attach Request, Authentication Request, Authentication Response, Security Mode]

  44. Tests to Run: GTP Protocol
  • Gateway can handle multiple encapsulations
  • It uses UDP so easy to have fun with
  • The gateway needs to enforce a number of controls that stop attacks

  45. Tests to Run: GTP and User Data  [diagram: UE → eNB → SGw → Internet; user IP carried inside GTP between eNB and SGw]

  46. Tests to Run: GTP and User Data  [diagram: protocol stacks (IP, GTP, UDP, IP) shown at the UE and at the eNodeB]

  47. Tests to Run: GTP and User Data  [diagram: UE → eNB → SGw → Internet with repeated GTP/IP layers, i.e. multiple encapsulations]

  48. Tests to Run: GTP and User Data  [diagram: UE → eNB → SGw → PGw with the gateway checks annotated: Destination IP Address (IP), Source IP Address (IP), Invalid IP Address (IP), Protocols (IP), GTP Tunnel ID (GTP), Source IP Address (GTP)]

  49. Tests to Run: Old Skool
  • Everything you already know can be applied to testing the back-end
  • It’s an IP network and has routers and switches
  • There are management services running

  50. Defences

  51. Defences: The Multi-Layered Approach
  • Get the IP network design right
  • Protect the IP traffic in transit
  • Enforce controls in the Gateway
  • Ensure UE and HeNBs are secure
  • Monitoring and Response
  • Testing

  52. Defences: Unified/Consolidated Gateway
  • The “Gateway” enforces some very important controls:
    • Anti-spoofing
    • Encapsulation protection
    • Device to device routing
    • Billing and charging of users
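Slide 48 annotates the checks the Serving/PDN Gateway applies to tunnelled user data (tunnel ID, source and destination address, invalid inner IP, permitted protocols) and slide 52 names the controls behind them (anti-spoofing, encapsulation protection, device-to-device routing). As an added example, not the speakers' code or any vendor's implementation, the block below is a toy uplink validator: it parses the GTPv1-U header including optional fields and extension headers, binds the TEID to the address assigned to that UE, and applies each control in turn to constructed packets. The TEIDs, UE pool, back-end range and sample traffic are hypothetical; the GTP-U/GTP-C ports 2152 and 2123 are the standard values.

```python
# Added example (not from the talk or any vendor): the uplink checks a Serving/PDN
# Gateway applies to GTP-U traffic, following slides 48 and 52. All TEIDs and
# addresses are constructed; IP/UDP checksums are not validated.
import ipaddress
import struct

GPDU = 0xFF                  # GTP-U message type carrying a user IP packet
GTP_PORTS = {2152, 2123}     # GTP-U and GTP-C UDP ports (standard values)
ALLOWED_PROTOS = {1, 6, 17}  # ICMP, TCP, UDP permitted inside the tunnel
TUNNELS = {0xA001: ipaddress.IPv4Address("10.20.0.11"),   # hypothetical TEID -> UE IP bindings
           0xA002: ipaddress.IPv4Address("10.20.0.12")}
UE_POOL = ipaddress.IPv4Network("10.20.0.0/16")  # hypothetical UE address pool
BACKEND = ipaddress.IPv4Network("192.0.2.0/24")  # hypothetical EPC back-end range


def parse_gtpu(pkt: bytes):
    """Return (teid, inner_payload) from a GTPv1-U G-PDU; raise ValueError if malformed."""
    if len(pkt) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1 / not protocol type GTP")
    if msg_type != GPDU:
        raise ValueError(f"unexpected message type {msg_type:#x}")
    if len(pkt) != 8 + length:
        raise ValueError("length field does not match packet")
    hdr = 8
    if flags & 0x07:  # S, PN or E flag set: 4 optional octets follow the mandatory header
        if len(pkt) < 12:
            raise ValueError("truncated optional fields")
        hdr, next_ext = 12, (pkt[11] if flags & 0x04 else 0)
        while next_ext:  # extension header = length octet (4-octet units) ... next-type octet
            if hdr >= len(pkt) or pkt[hdr] == 0 or hdr + pkt[hdr] * 4 > len(pkt):
                raise ValueError("bad extension header")
            hdr += pkt[hdr] * 4
            next_ext = pkt[hdr - 1]
    return teid, pkt[hdr:]


def parse_ipv4(payload: bytes):
    """Minimal IPv4 header parse; returns proto, src, dst and the transport bytes."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("inner packet is not a complete IPv4 header")
    ihl = (payload[0] & 0x0F) * 4
    total = struct.unpack("!H", payload[2:4])[0]
    if ihl < 20 or total < ihl or total > len(payload):
        raise ValueError("bad IHL / total length")
    return {"proto": payload[9], "src": ipaddress.IPv4Address(payload[12:16]),
            "dst": ipaddress.IPv4Address(payload[16:20]), "l4": payload[ihl:total]}


def check_uplink(pkt: bytes, tunnels=TUNNELS):
    """Apply the gateway controls to one uplink packet; returns (accepted, reason)."""
    try:
        teid, inner = parse_gtpu(pkt)
    except ValueError as e:
        return False, f"malformed GTP-U: {e}"
    ue_ip = tunnels.get(teid)                         # GTP Tunnel ID check
    if ue_ip is None:
        return False, f"unknown TEID {teid:#x}"
    try:
        ip = parse_ipv4(inner)                        # invalid inner IP header check
    except ValueError as e:
        return False, f"invalid inner IP: {e}"
    if ip["src"] != ue_ip:                            # anti-spoofing: inner source must be this UE
        return False, f"spoofed inner source {ip['src']} on tunnel of {ue_ip}"
    if ip["proto"] not in ALLOWED_PROTOS:             # protocol filtering
        return False, f"inner protocol {ip['proto']} not permitted"
    if ip["dst"] in UE_POOL or ip["dst"] in BACKEND:  # no UE-to-UE or UE-to-back-end routing
        return False, f"inner destination {ip['dst']} is not routable from UE"
    if ip["proto"] == 17 and len(ip["l4"]) >= 4:      # encapsulation protection: no GTP-in-GTP
        if struct.unpack("!H", ip["l4"][2:4])[0] in GTP_PORTS:
            return False, "nested GTP encapsulation inside user data"
    return True, "accepted"


def build_ipv4(src, dst, proto, l4=b""):
    """Construct a minimal IPv4 packet (header checksum left zero, not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + l4


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_gtpu(teid, inner):
    return struct.pack("!BBHI", 0x30, GPDU, len(inner), teid) + inner  # v1, PT=1, no options


# Constructed uplink packets, one per control.
UE, DNS = "10.20.0.11", "198.51.100.53"
SAMPLES = {
    "legit_dns":    build_gtpu(0xA001, build_ipv4(UE, DNS, 17, build_udp(40000, 53, b"q"))),
    "spoofed_src":  build_gtpu(0xA001, build_ipv4("10.20.0.12", DNS, 17, build_udp(40000, 53))),
    "ue_to_ue":     build_gtpu(0xA001, build_ipv4(UE, "10.20.0.12", 6, b"\x00" * 20)),
    "to_backend":   build_gtpu(0xA001, build_ipv4(UE, "192.0.2.10", 6, b"\x00" * 20)),
    "nested_gtp":   build_gtpu(0xA001, build_ipv4(UE, "198.51.100.1", 17,
                                                  build_udp(2152, 2152, build_gtpu(0xA002, b"")))),
    "gre_inside":   build_gtpu(0xA001, build_ipv4(UE, DNS, 47)),
    "unknown_teid": build_gtpu(0xBEEF, build_ipv4(UE, DNS, 17, build_udp(40000, 53))),
    "not_ipv4":     build_gtpu(0xA001, b"\x60" + b"\x00" * 39),
}


def audit(samples=SAMPLES):
    """Run every constructed packet through the gateway and return {name: accepted}."""
    return {name: check_uplink(pkt)[0] for name, pkt in samples.items()}
```

Packets are rejected at the first failing control, so the reason string tells a tester which layer of the gateway policy fired; the ordering matters, since the TEID lookup has to succeed before the inner source can be compared to anything. The same structure applies on the downlink with the trust reversed: the inner destination must be the address bound to the tunnel the packet is about to be placed in.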
