[PPT] - Security Testing 4G (LTE) Networks 44con 6th September 2012 Martyn PowerPoint Presentation

SLIDE 1

Security Testing 4G (LTE) Networks

44con 6th September 2012 Martyn Ruks & Nils

1

11/09/2012

SLIDE 2

Today’s Talk

Intro to 4G (LTE) Networks
Technical Details
Attacks and Testing
Defences
Conclusions

11/09/2012

2

SLIDE 3

11/09/2012

3

Intro to 4G (LTE) Networks

SLIDE 4

A Brief History Lesson

1G – 1980s Analogue technology

(AMPS, TACS)

2G – 1990s Move to digital

(GSM,GPRS,EDGE)

3G – 2000s Improved data

services (UMTS, HSPA)

4G – 2010s High bandwidth data

(LTE Advanced)

11/09/2012

4

Mobile Networks

SLIDE 5

Historic Vulnerabilities

Older networks have been the subject of

practical and theoretical attacks

Examples include:
Ability to man in the middle
No perfect forward secrecy
No encryption on the back-end
LTE Advanced addresses previous attacks

11/09/2012

5

Mobile Networks

SLIDE 6

Current Status of 4G

Lots of 4G networks running or

planned (eg Scandinavia, US)

UK Trials have run in Cornwall,

London etc

Spectrum auction is important
EE services launches soon!

11/09/2012

6

Mobile Networks

SLIDE 7

Why is 4G Important?

Digital Britain strategy
Fixed line broadband expensive in

remote locations

Provides high speed mobile data

services

High level of scalability on the back-

end

11/09/2012

7

Mobile Networks

SLIDE 8

11/09/2012

8

Technical Details

SLIDE 9

11/09/2012

9

NodeB Core Network

Internet Base Station

User

Back-End

Conceptual View 3G

RNC

SLIDE 10

11/09/2012

10

Network Overview 3G

UE NB NB SGSN GGSN Internet HSS AuC

Core Network

RNC

SLIDE 11

11/09/2012

11

eNodeB EPC

Internet Base Station

User

Back-End

Conceptual View 4G

SLIDE 12

11/09/2012

12

Network Overview 4G

UE eNB eNB MME SGw PGw PCRF Internet HSS

EPC

SLIDE 13

User Equipment (UE)

What the customer uses to

connect

Mainly dongles and hubs at

present

Smartphones and tablets will

follow (already lots in US)

11/09/2012

13

The Components

SLIDE 14

evolved Node B (eNB)

The bridge between wired

and wireless networks

Forwards signalling traffic to

the MME

Passes data traffic to the

PDN/Serving Gateway

11/09/2012

14

The Components

SLIDE 15

Evolved Packet Core (EPC)

The back-end core network
Manages access to data

services

Uses IP for all

communications

Divided into several

components

11/09/2012

15

The Components

SLIDE 16

Mobile Management Entity (MME)

Termination point for UE

Signalling

Handles authentication

events

Key component in back-end

communications

11/09/2012

16

The Components

SLIDE 17

Home Subscriber Service (HSS)

Contains a user’s subscription

data (profile)

Typically includes the

Authentication Centre (AuC)

Where key material is stored

11/09/2012

17

The Components

SLIDE 18

PDN and Serving Gateways (PGw and SGw)

Handles data traffic from UE
Can be consolidated into a

single device

Responsible for traffic routing

within the back-end

Implements important filtering controls

11/09/2012

18

The Components

SLIDE 19

Policy Charging and Rules Function (PCRF)

Does what it says on the tin
Integrated into the network

core

Allows operator to perform

bandwidth shaping

11/09/2012

19

The Components

SLIDE 20

Home eNB (HeNB)

The “FemtoCell” of LTE
An eNodeB within your home
Talks to the MME and

PDN/Serving Gateway

Expected to arrive much later in

4G rollout

11/09/2012

20

The Components

SLIDE 21

11/09/2012

21

Control and User Planes Network Overview

SLIDE 22

Radio Protocols (RRC, PDCP, RLC)

These all terminate at the eNodeB
RRC is only used on the control

plane

Wireless user and control data

is encrypted (some exceptions)

Signalling data can also be

encrypted end-to-end

11/09/2012

22

RRC PDCP RLC

The Protocols

SLIDE 23

Internet Protocol (IP)

Used by all back-end comms
All user data uses it
Supports both IPv4 and IPv6
Important to get routing and

filtering correct

Common UDP and TCP

services in use

11/09/2012

23

The Protocols

IP

SLIDE 24

The Protocols - SCTP

Another protocol on top of IP
Robust session handling
Bi-directional sessions
Sequence numbers very

important

11/09/2012

24

The Protocols

IP SCTP

SLIDE 25

The Protocols – GTP-U

Runs on top of UDP and IP
One of two variants of GTP

used in LTE

This transports user IP data
Pair of sessions are used

identified by Tunnel-ID

11/09/2012

25

The Protocols

IP GTP-U UDP

SLIDE 26

The Protocols – GTP-C

Runs on top of UDP and IP
The other variant of GTP used

in LTE

Used for back-end data
Should not be used by the

MME in pure 4G

11/09/2012

26

The Protocols

IP GTP-C UDP

SLIDE 27

S1AP

Runs on top of SCTP and IP
An ASN.1 protocol
Transports UE signalling
UE sessions distinguished by

a pair of IDs

11/09/2012

27

The Protocols

IP S1AP SCTP

SLIDE 28

X2AP

Very similar to S1AP
Used between eNodeBs for

signalling and handovers

Runs over of SCTP and IP and

is also an ASN.1 protocol

11/09/2012

28

The Protocols

IP X2AP SCTP

SLIDE 29

11/09/2012

29

Potential Attacks

SLIDE 30

What Attacks are Possible

Wireless attacks and the baseband
Attacking the EPC from UE
Attacking other UE
Plugging into the Back-end
Physical attacks (HeNB)

11/09/2012

30

Targets for Testing

SLIDE 31

Wireless Attacks and the Baseband

A DIY kit for attacking wireless

protocols is now closer (USRP based)

Best chance is using commercial

kit to get a head-start

Not the easiest thing to attack

11/09/2012

31

Targets for Testing

SLIDE 32

Attacking the EPC from UE

Everything in the back-end is IP
You pay someone to give you IP access

to the environment 

Easiest place to start

11/09/2012

32

Targets for Testing

SLIDE 33

Attacking other UE

Other wirelessly connected

devices are close

May be less protection if seen

as a local network

The gateway may enforce

segregation between UE

11/09/2012

33

Targets for Testing

SLIDE 34

Wired network attacks

eNodeBs will be in public locations
They need visibility of components in the

EPC

Very easy to communicate with an IP

network

Everything is potentially in scope

11/09/2012

34

Targets for Testing

SLIDE 35

Physical Attacks (eNB)

Plugging into management

interfaces is most likely attack, except …

A Home eNodeB is a different

story

Hopefully we have learned from

the Vodafone Femto-Cell Attack

11/09/2012

35

Targets for Testing

SLIDE 36

11/09/2012

36

What you can Test

SLIDE 37

As a Wirelessly Connected User

Visibility of the back-end from UE
Visibility of other UEs
Testing controls enforced by Gateway
Spoofed source addresses
GTP Encapsulation (Control and User)

11/09/2012

37

Tests to Run

SLIDE 38

From the Back-End

Ability to attack MME (signalling)
Robustness of stacks (eg SCTP)
Fuzzing
Sequence number generation
Testing management interfaces
Web consoles
SSH
Proprietary protocols

11/09/2012

38

Tests to Run

SLIDE 39

Challenges

Spoofing UE authentication is difficult
Messing with radio layers is hard
ASN.1 protocols are a pain
Injecting into SCTP is tough
Easy to break back-end communications

11/09/2012

39

Tests to Run

SLIDE 40

S1AP Protocol

By default no authentication to the service
Contains eNodeB data and UE Signalling
UE Signalling can make use of encryption

and integrity checking

If no UE encryption is used attacks against

connected handsets become possible

11/09/2012

40

Tests to Run

SLIDE 41

11/09/2012

41

Tests to Run

eNB UE MME S1AP NAS NAS

S1AP and Signalling

SLIDE 42

11/09/2012

42

Tests to Run

eNB UE MME

S1AP and Signalling

Spoofed UE Spoofed eNB

SLIDE 43

11/09/2012

43

Tests to Run

eNB MME

S1AP and Signalling

S1 Setup S1 Setup Response Attach Request Authentication Request Authentication Response Security Mode

SLIDE 44

GTP Protocol

Gateway can handle multiple

encapsulations

It uses UDP so easy to have fun with
The gateway needs to enforce a number of

controls that stop attacks

11/09/2012

44

Tests to Run

SLIDE 45

GTP and User Data

11/09/2012

45

Tests to Run

eNB UE SGw GTP IP IP Internet IP

SLIDE 46

GTP and User Data

11/09/2012

46

Tests to Run

UE IP UDP GTP IP IP UDP GTP eNodeB

SLIDE 47

GTP and User Data

11/09/2012

47

Tests to Run

eNB UE SGw Internet

IP

GTP

IP

GTP

IP

GTP

SLIDE 48

GTP and User Data

11/09/2012

48

Tests to Run

eNB UE SGw Source IP Address (IP) Invalid IP Protocols (IP) GTP Tunnel ID (GTP) Source IP Address (GTP) Destination IP Address (IP) PGw

SLIDE 49

Old Skool

Everything you already know can be

applied to testing the back-end

Its an IP network and has routers and

switches

There are management services running

11/09/2012

49

Tests to Run

SLIDE 50

11/09/2012

50

Defences

SLIDE 51

The Multi-Layered Approach

Get the IP network design right
Protect the IP traffic in transit
Enforce controls in the Gateway
Ensure UE and HeNBs are secure
Monitoring and Response
Testing

11/09/2012

51

Defences

SLIDE 52

Unified/Consolidated Gateway

The “Gateway” enforces some very

important controls:

Anti-spoofing
Encapsulation protection
Device to device Routing
Billing and charging of users

11/09/2012

52

Defences

SLIDE 53

IP Routing

Architecture design and routing in the core

is complex

Getting it right is critical to security
We have seen issues with this
This must be tested before an environment

is deployed

11/09/2012

53

Defences

SLIDE 54

IPSec

If correctly implemented will provide

Confidentiality and Integrity protection

Can also provide authentication between

components

Keeping the keys secure is not trivial and

not tested

11/09/2012

54

Defences

SLIDE 55

Architecture Consideration

11/09/2012

55

EPC Internet eNodeB

MME HSS Serving Gateway PDN Gateway

Internet Gateway EPC Switch

Defences

SLIDE 56

11/09/2012

56

Conclusions

SLIDE 57

There are 3 key protective controls that

should be tested within LTE environments

Policies and rules in the Unified/Consolidated

Gateway

The implementation of IPSec between all back-

end components

A back-end IP network with well-designed

routing and filtering

11/09/2012

57

Conclusion 1

SLIDE 58

Despite fears from the use of IP in 4G, LTE

will improve security if implemented correctly

The 3 key controls must be correctly

implemented

Testing must be completed for validation
Continued scrutiny is required
Legacy systems may be the weakest link

11/09/2012

58

Conclusion 2

SLIDE 59

Protecting key material used for IPSec is

not trivial

The security model for IPSec needs careful

consideration

Operational security processes are also

important

Home eNodeB security is a challenge

11/09/2012

59

Conclusion 3

SLIDE 60

More air interface testing is needed
Will need co-operation from

vendors/operators

“Open” testing tools will need significant

development effort

Still lower hanging fruit if support for legacy

wireless standards remain

11/09/2012

60

Conclusion 4

SLIDE 61

11/09/2012

61

Questions

@mwrinfosecurity @mwrlabs