Security Testing 4G (LTE) Networks             44con             6th September 2012             Martyn Ruks & Nils11/09/20...
Today’s Talk         •   Intro to 4G (LTE) Networks         •   Technical Details         •   Attacks and Testing         ...
Intro to 4G (LTE) Networks11/09/2012                                3
Mobile Networks         A Brief History Lesson         • 1G – 1980s Analogue technology           (AMPS, TACS)         • 2...
Mobile Networks         Historic Vulnerabilities         • Older networks have been the subject of           practical and...
Mobile Networks         Current Status of 4G         • Lots of 4G networks running or           planned (eg Scandinavia, U...
Mobile Networks         Why is 4G Important?         • Digital Britain strategy         • Fixed line broadband expensive i...
Technical Details11/09/2012                       8
Conceptual View 3G                                      Core                       NodeB         Network                  ...
Network Overview 3G                          HSS      AuC             NB  UE             NB   RNC   SGSN       GGSN   Inte...
Conceptual View 4G                                       EPC                      eNodeB             User   Base Station  ...
Network Overview 4G             eNB   MME           HSS       UE             eNB   SGw    PGw    PCRF   Internet          ...
The Components         User Equipment (UE)         • What the customer uses to           connect         • Mainly dongles ...
The Components         evolved Node B (eNB)         • The bridge between wired           and wireless networks         • F...
The Components         Evolved Packet Core (EPC)         • The back-end core network         • Manages access to data     ...
The Components         Mobile Management Entity (MME)         • Termination point for UE           Signalling         • Ha...
The Components         Home Subscriber Service (HSS)         • Contains a user’s subscription           data (profile)    ...
The Components         PDN and Serving Gateways (PGw and SGw)         • Handles data traffic from UE         • Can be cons...
The Components         Policy Charging and Rules           Function (PCRF)         • Does what it says on the tin         ...
The Components         Home eNB (HeNB)         • The “FemtoCell” of LTE         • An eNodeB within your home         • Tal...
Network Overview         Control and User Planes11/09/2012                                            21
The Protocols         Radio Protocols (RRC, PDCP, RLC)         • These all terminate at the eNodeB         • RRC is only u...
The Protocols         Internet Protocol (IP)         • Used by all back-end comms         • All user data uses it         ...
The Protocols         The Protocols - SCTP         • Another protocol on top of IP         • Robust session handling      ...
The Protocols         The Protocols – GTP-U         • Runs on top of UDP and IP         • One of two variants of GTP      ...
The Protocols         The Protocols – GTP-C         • Runs on top of UDP and IP         • The other variant of GTP used   ...
The Protocols         S1AP         • Runs on top of SCTP and IP         • An ASN.1 protocol         • Transports UE signal...
The Protocols         X2AP         • Very similar to S1AP         • Used between eNodeBs for           signalling and hand...
Potential Attacks11/09/2012                       29
Targets for Testing         What Attacks are Possible         • Wireless attacks and the baseband         • Attacking the ...
Targets for Testing         Wireless Attacks and the Baseband         • A DIY kit for attacking wireless           protoco...
Targets for Testing         Attacking the EPC from UE         • Everything in the back-end is IP         • You pay someone...
Targets for Testing         Attacking other UE         • Other wirelessly connected           devices are close         • ...
Targets for Testing         Wired network attacks         • eNodeBs will be in public locations         • They need visibi...
Targets for Testing         Physical Attacks (eNB)         • Plugging into management           interfaces is most likely ...
What you can Test11/09/2012                       36
Tests to Run         As a Wirelessly Connected User         • Visibility of the back-end from UE         • Visibility of o...
Tests to Run         From the Back-End         • Ability to attack MME (signalling)         • Robustness of stacks (eg SCT...
Tests to Run         Challenges         • Spoofing UE authentication is difficult         • Messing with radio layers is h...
Tests to Run         S1AP Protocol         • By default no authentication to the service         • Contains eNodeB data an...
Tests to Run         S1AP and Signalling                        S1AP     NAS             NAS             UE               ...
Tests to Run         S1AP and Signalling             Spoofed      Spoofed               UE           eNB                  ...
Tests to Run         S1AP and Signalling                              S1 Setup                           S1 Setup Response...
Tests to Run         GTP Protocol         • Gateway can handle multiple           encapsulations         • It uses UDP so ...
Tests to Run         GTP and User Data                   GTP     IP             IP                  IP             UE     ...
Tests to Run         GTP and User Data                             IP                 UE          GTP                     ...
Tests to Run         GTP and User Data                        GTP    IP   GTP             IP   GTP                     IP ...
Tests to Run         GTP and User Data                Destination IP                                           Address (IP...
Tests to Run         Old Skool         • Everything you already know can be           applied to testing the back-end     ...
Defences11/09/2012              50
Defences         The Multi-Layered Approach         • Get the IP network design right         • Protect the IP traffic in ...
Defences         Unified/Consolidated Gateway         • The “Gateway” enforces some very           important controls:    ...
Defences         IP Routing         • Architecture design and routing in the core           is complex         • Getting i...
Defences         IPSec         • If correctly implemented will provide           Confidentiality and Integrity protection ...
Defences         Architecture Consideration                    MME                          HSS                           ...
Conclusions11/09/2012                 56
Conclusion 1         • There are 3 key protective controls that           should be tested within LTE environments        ...
Conclusion 2         • Despite fears from the use of IP in 4G, LTE           will improve security if implemented         ...
Conclusion 3         • Protecting key material used for IPSec is           not trivial             • The security model fo...
Conclusion 4         • More air interface testing is needed             • Will need co-operation from               vendor...
Questions                         @mwrinfosecurity                         @mwrlabs11/09/2012                             ...
Upcoming SlideShare
Loading in...5
×

Security Testing 4G (LTE) Networks - 44CON 2012

1,079

Published on

Martyn Ruks & Nils present Security Testing 4G (LTE) Networks at 44CON 2012 in London, September 2012.

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,079
On Slideshare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
94
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Security Testing 4G (LTE) Networks - 44CON 2012

  1. 1. Security Testing 4G (LTE) Networks 44con 6th September 2012 Martyn Ruks & Nils11/09/2012 1
  2. 2. Today’s Talk • Intro to 4G (LTE) Networks • Technical Details • Attacks and Testing • Defences • Conclusions11/09/2012 2
  3. 3. Intro to 4G (LTE) Networks11/09/2012 3
  4. 4. Mobile Networks A Brief History Lesson • 1G – 1980s Analogue technology (AMPS, TACS) • 2G – 1990s Move to digital (GSM,GPRS,EDGE) • 3G – 2000s Improved data services (UMTS, HSPA) • 4G – 2010s High bandwidth data (LTE Advanced)11/09/2012 4
  5. 5. Mobile Networks Historic Vulnerabilities • Older networks have been the subject of practical and theoretical attacks • Examples include: • Ability to man in the middle • No perfect forward secrecy • No encryption on the back-end • LTE Advanced addresses previous attacks11/09/2012 5
  6. 6. Mobile Networks Current Status of 4G • Lots of 4G networks running or planned (eg Scandinavia, US) • UK Trials have run in Cornwall, London etc • Spectrum auction is important • EE services launches soon!11/09/2012 6
  7. 7. Mobile Networks Why is 4G Important? • Digital Britain strategy • Fixed line broadband expensive in remote locations • Provides high speed mobile data services • High level of scalability on the back- end11/09/2012 7
  8. 8. Technical Details11/09/2012 8
  9. 9. Conceptual View 3G Core NodeB Network RNC User Base Station Back-End Internet11/09/2012 9
  10. 10. Network Overview 3G HSS AuC NB UE NB RNC SGSN GGSN Internet Core Network11/09/2012 10
  11. 11. Conceptual View 4G EPC eNodeB User Base Station Back-End Internet11/09/2012 11
  12. 12. Network Overview 4G eNB MME HSS UE eNB SGw PGw PCRF Internet EPC11/09/2012 12
  13. 13. The Components User Equipment (UE) • What the customer uses to connect • Mainly dongles and hubs at present • Smartphones and tablets will follow (already lots in US)11/09/2012 13
  14. 14. The Components evolved Node B (eNB) • The bridge between wired and wireless networks • Forwards signalling traffic to the MME • Passes data traffic to the PDN/Serving Gateway11/09/2012 14
  15. 15. The Components Evolved Packet Core (EPC) • The back-end core network • Manages access to data services • Uses IP for all communications • Divided into several components11/09/2012 15
  16. 16. The Components Mobile Management Entity (MME) • Termination point for UE Signalling • Handles authentication events • Key component in back-end communications11/09/2012 16
  17. 17. The Components Home Subscriber Service (HSS) • Contains a user’s subscription data (profile) • Typically includes the Authentication Centre (AuC) • Where key material is stored11/09/2012 17
  18. 18. The Components PDN and Serving Gateways (PGw and SGw) • Handles data traffic from UE • Can be consolidated into a single device • Responsible for traffic routing within the back-end • Implements important filtering controls11/09/2012 18
  19. 19. The Components Policy Charging and Rules Function (PCRF) • Does what it says on the tin • Integrated into the network core • Allows operator to perform bandwidth shaping11/09/2012 19
  20. 20. The Components Home eNB (HeNB) • The “FemtoCell” of LTE • An eNodeB within your home • Talks to the MME and PDN/Serving Gateway • Expected to arrive much later in 4G rollout11/09/2012 20
  21. 21. Network Overview Control and User Planes11/09/2012 21
  22. 22. The Protocols Radio Protocols (RRC, PDCP, RLC) • These all terminate at the eNodeB • RRC is only used on the control plane RRC • Wireless user and control data PDCP RLC is encrypted (some exceptions) • Signalling data can also be encrypted end-to-end11/09/2012 22
  23. 23. The Protocols Internet Protocol (IP) • Used by all back-end comms • All user data uses it • Supports both IPv4 and IPv6 IP • Important to get routing and filtering correct • Common UDP and TCP services in use11/09/2012 23
  24. 24. The Protocols The Protocols - SCTP • Another protocol on top of IP • Robust session handling • Bi-directional sessions SCTP • Sequence numbers very IP important11/09/2012 24
  25. 25. The Protocols The Protocols – GTP-U • Runs on top of UDP and IP • One of two variants of GTP used in LTE GTP-U • This transports user IP data UDP • Pair of sessions are used IP identified by Tunnel-ID11/09/2012 25
  26. 26. The Protocols The Protocols – GTP-C • Runs on top of UDP and IP • The other variant of GTP used in LTE GTP-C • Used for back-end data UDP • Should not be used by the IP MME in pure 4G11/09/2012 26
  27. 27. The Protocols S1AP • Runs on top of SCTP and IP • An ASN.1 protocol • Transports UE signalling S1AP • UE sessions distinguished by SCTP IP a pair of IDs11/09/2012 27
  28. 28. The Protocols X2AP • Very similar to S1AP • Used between eNodeBs for signalling and handovers X2AP • Runs over of SCTP and IP and SCTP is also an ASN.1 protocol IP11/09/2012 28
  29. 29. Potential Attacks11/09/2012 29
  30. 30. Targets for Testing What Attacks are Possible • Wireless attacks and the baseband • Attacking the EPC from UE • Attacking other UE • Plugging into the Back-end • Physical attacks (HeNB)11/09/2012 30
  31. 31. Targets for Testing Wireless Attacks and the Baseband • A DIY kit for attacking wireless protocols is now closer (USRP based) • Best chance is using commercial kit to get a head-start • Not the easiest thing to attack11/09/2012 31
  32. 32. Targets for Testing Attacking the EPC from UE • Everything in the back-end is IP • You pay someone to give you IP access to the environment  • Easiest place to start11/09/2012 32
  33. 33. Targets for Testing Attacking other UE • Other wirelessly connected devices are close • May be less protection if seen as a local network • The gateway may enforce segregation between UE11/09/2012 33
  34. 34. Targets for Testing Wired network attacks • eNodeBs will be in public locations • They need visibility of components in the EPC • Very easy to communicate with an IP network • Everything is potentially in scope11/09/2012 34
  35. 35. Targets for Testing Physical Attacks (eNB) • Plugging into management interfaces is most likely attack, except … • A Home eNodeB is a different story • Hopefully we have learned from the Vodafone Femto-Cell Attack11/09/2012 35
  36. 36. What you can Test11/09/2012 36
  37. 37. Tests to Run As a Wirelessly Connected User • Visibility of the back-end from UE • Visibility of other UEs • Testing controls enforced by Gateway • Spoofed source addresses • GTP Encapsulation (Control and User)11/09/2012 37
  38. 38. Tests to Run From the Back-End • Ability to attack MME (signalling) • Robustness of stacks (eg SCTP) • Fuzzing • Sequence number generation • Testing management interfaces • Web consoles • SSH • Proprietary protocols11/09/2012 38
  39. 39. Tests to Run Challenges • Spoofing UE authentication is difficult • Messing with radio layers is hard • ASN.1 protocols are a pain • Injecting into SCTP is tough • Easy to break back-end communications11/09/2012 39
  40. 40. Tests to Run S1AP Protocol • By default no authentication to the service • Contains eNodeB data and UE Signalling • UE Signalling can make use of encryption and integrity checking • If no UE encryption is used attacks against connected handsets become possible11/09/2012 40
  41. 41. Tests to Run S1AP and Signalling S1AP NAS NAS UE eNB MME11/09/2012 41
  42. 42. Tests to Run S1AP and Signalling Spoofed Spoofed UE eNB MME UE eNB11/09/2012 42
  43. 43. Tests to Run S1AP and Signalling S1 Setup S1 Setup Response Attach Request eNB MME Authentication Request Authentication Response Security Mode11/09/2012 43
  44. 44. Tests to Run GTP Protocol • Gateway can handle multiple encapsulations • It uses UDP so easy to have fun with • The gateway needs to enforce a number of controls that stop attacks11/09/2012 44
  45. 45. Tests to Run GTP and User Data GTP IP IP IP UE eNB SGw Internet11/09/2012 45
  46. 46. Tests to Run GTP and User Data IP UE GTP UDP IP GTP eNodeB UDP IP11/09/2012 46
  47. 47. Tests to Run GTP and User Data GTP IP GTP IP GTP IP GTP UE eNB SGw Internet11/09/2012 47
  48. 48. Tests to Run GTP and User Data Destination IP Address (IP) GTP Tunnel Source IP Invalid IP ID (GTP) Address (IP) Protocols (IP) Source IP Address (GTP) UE eNB SGw PGw11/09/2012 48
  49. 49. Tests to Run Old Skool • Everything you already know can be applied to testing the back-end • Its an IP network and has routers and switches • There are management services running11/09/2012 49
  50. 50. Defences11/09/2012 50
  51. 51. Defences The Multi-Layered Approach • Get the IP network design right • Protect the IP traffic in transit • Enforce controls in the Gateway • Ensure UE and HeNBs are secure • Monitoring and Response • Testing11/09/2012 51
  52. 52. Defences Unified/Consolidated Gateway • The “Gateway” enforces some very important controls: • Anti-spoofing • Encapsulation protection • Device to device Routing • Billing and charging of users11/09/2012 52
  53. 53. Defences IP Routing • Architecture design and routing in the core is complex • Getting it right is critical to security • We have seen issues with this • This must be tested before an environment is deployed11/09/2012 53
  54. 54. Defences IPSec • If correctly implemented will provide Confidentiality and Integrity protection • Can also provide authentication between components • Keeping the keys secure is not trivial and not tested11/09/2012 54
  55. 55. Defences Architecture Consideration MME HSS EPC Switch Internet eNodeB Gateway Internet Serving Gateway PDN Gateway EPC11/09/2012 55
  56. 56. Conclusions11/09/2012 56
  57. 57. Conclusion 1 • There are 3 key protective controls that should be tested within LTE environments • Policies and rules in the Unified/Consolidated Gateway • The implementation of IPSec between all back- end components • A back-end IP network with well-designed routing and filtering11/09/2012 57
  58. 58. Conclusion 2 • Despite fears from the use of IP in 4G, LTE will improve security if implemented correctly • The 3 key controls must be correctly implemented • Testing must be completed for validation • Continued scrutiny is required • Legacy systems may be the weakest link11/09/2012 58
  59. 59. Conclusion 3 • Protecting key material used for IPSec is not trivial • The security model for IPSec needs careful consideration • Operational security processes are also important • Home eNodeB security is a challenge11/09/2012 59
  60. 60. Conclusion 4 • More air interface testing is needed • Will need co-operation from vendors/operators • “Open” testing tools will need significant development effort • Still lower hanging fruit if support for legacy wireless standards remain11/09/2012 60
  61. 61. Questions @mwrinfosecurity @mwrlabs11/09/2012 61
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×