This document outlines a framework for conducting a security penetration test of the Diameter protocol. It describes the basic equipment needed, including virtual machines running Open Source Diameter software and penetration testing tools. It also discusses setting up simulated 4G network elements like the PCRF, HSS and MME to test Diameter in a more complete network environment. The goal is to identify vulnerabilities in Diameter by developing a taxonomy similar to one created for the SS7 protocol. This will provide much needed security analysis of the widely used Diameter protocol.
Worldwide attacks on SS7/SIGTRAN network - P1Security
Presentation given by Alexandre De Oliveira and Pierre-Olivier Vauboin at Hackito Ergo Sum 2014
Mobile telecommunication networks are complex and provide a wide range of services, making them a tempting target for fraudsters and for intelligence agencies. Moreover, the architecture, equipment and protocols used on these networks were never designed with security in mind, availability being the first concern. Today, even though some telecom operators are investing money into securing their networks, events confirm that for most of them maturity in terms of security is yet to come, as recently shown by the massive traffic interception on compromised SCCP and GRX providers like Belgacom’s BICS. Here we present the most typical and legitimate telecom call flows, from making a mobile phone call to sending an SMS. Then we describe the protocol layers involved and how to abuse them, i.e. which fields can be manipulated in order to attack both the operator infrastructure and its subscribers. Finally, we show a real-life example of a scan performed from an international SS7 interconnection and practical attacks on subscribers such as spam, spoofed SMS and user location tracking.
The talk was given at Troopers 2016 (https://www.troopers.de/events/troopers16/654_the_known_unknowns_of_ss7_and_beyond/).
Abstract:
2014 turned out to be "the year of SS7 vulnerabilities" as telco researchers showcased several successful attacks using the Signaling System No 7 (SS7) interconnection network, such as subscriber profile modification, eavesdropping, tracking of users, SMS spoofing and call/SMS redirect. These attacks are serious because SS7 and its IP version SIGTRAN, despite their age, remain key signaling protocols in mobile networks and will long be required for interoperability and backward compatibility in international roaming. Understandably, the telecommunications industry is taking countermeasures against the vulnerabilities that were exposed through the aforementioned attacks.
Are all risks now mitigated?
Definitely not!
The complexity of network layers and the diversity of underlying protocols in SS7 make it more difficult to find all loopholes in the systems. There exist a lot of 'known functionalities' which are indeed 'unknown vulnerabilities'. In this talk, we first begin with one such vulnerability in detail, where we discuss how to exploit the relationship between IMEI and IMSI to unblock stolen mobile devices. Here, we also discuss the existing attacks on modification of the subscriber profile using SS7, to recap the contents of the subscriber profile. Secondly, we will outline extending the previously known SS7-based attacks to Diameter/LTE. Furthermore, we will also present an intuitive attack vector to emphasize the fact that telecommunication systems are being misused for surveillance.
The Diameter protocol has been introduced to replace SS7/SIGTRAN in many aspects of LTE and VoLTE networks, and, like 2G/3G networks, Diameter also has its dedicated global roaming network named IPX (IP eXchange) that allows international roaming for LTE users.
Back in the day, Diameter was already used by the PCRF in 2G/3G networks for charging purposes, but its usage has been extended to completely replace the signalling role of SS7/SIGTRAN in LTE networks. SS7/SIGTRAN security flaws are now public after several publications, but what about Diameter security? By replacing old and insecure protocols, does Diameter come with built-in security?
During the presentation, we will study how the IPX infrastructure operates and how security is taken into account nowadays regarding the newest 4G telecom technologies. Taking a different point of view allowed us to find major Diameter vulnerabilities via the IPX, which affect almost all the network elements (HSS, MME, GMLC, PCRF, PDN GW), including the DNS serving telecom TLDs. Understanding the mistakes that led a former generation of telecom networks to come out with insecure protocols may help us push for security by design in the future.
Nevertheless, as a telecom provider we will provide recommendations to secure LTE infrastructures and share technical countermeasures we have implemented against different Diameter attacks and fraud scenarios to protect our network and customers. Along with recommendations, we will present some ways to self-audit and self-monitor your network, as we consider that telecom providers need to take back control of their networks!
Troopers website link: https://www.troopers.de/events/troopers16/653_assaulting_ipx_diameter_roaming_network/
Philippe Langlois - LTE Pwnage - P1Security
Today, we’re entering the realm of LTE super high speed always-on connectivity, and with that comes the victory of TCP/IP over the old ITU/3GPP protocols. And with this come many side effects: software gets standardized, everything runs on top of ATCA (Advanced Telecom Computing Architecture) hardware running mostly Linux (give or take 6 or 8 proprietary FPGA-based sister cards, TFTP-booted with decade-old VxWorks that routinely show hardcoded DES credentials and funny “behaviour”). Easily 20 GB of fat C++ binaries, some for x86, PPC, MIPS, some with file sizes of up to 200 MB for one single EXE! It’s called a vulnerability research and reverse engineering paradise… or hell.
All the protocols now run on top of IP, which ends up having 12 layers thanks to encapsulation, and still carries the weight of legacy in bug quantity and diversity. We’ll see how the porting of SS7 MAP on top of IP (SIGTRAN, Diameter) has given rise to funny Denial of Service (DoS) attacks against telecom core elements (DSR, STP), with trashy-crashy anti-forensics consequences for DPI and tracking (Hey @grugq!!).
We’ll look into specific vulnerabilities, and talk about the very particular way that Network Equipment Vendors deal with security in the telecom domain.
We will demo a virtualized Huawei HSS from our testbed and show some of the vulnerabilities and attacks directly on the equipment itself. We will finally talk about telco equipment and product security reviews and the fallacy of (some) certification and (many) standardization attempts. We will then see how to conduct a practical and fast telecom product security life cycle with automation and open source tools.
Telecom security from SS7 to all IP (all-open-v3-zeronights) - P1Security
Telecom security is way more than SIP-breaking some peripheral PBXs and raking in a few thousand dollars of free calls. From the formerly closed garden of SS7 to new all-IP telecom protocols such as Diameter and the LTE protocols, the telecom domain now faces both the challenges of availability (one minute of downtime literally costs millions) and signaling vulnerabilities cutting down entire countries, causing massive fraud, and the all-new networking protocols. These new telecom protocols are rolled out in an IP-centric fashion, with its myriad of standard IP security pitfalls and vulnerabilities, as well as very specific telecom vulnerabilities. The HLR is not only using TCP/IP for OAM and business workflow, but, now being named an HSS, it also uses IP-only protocols such as Diameter for its Core Network signaling operations. That means that telecoms are now facing new security risks both in terms of exposure and threats, with their Core Network being exposed to unsophisticated IP-centered attackers and the continuous waves of telecom-centered defrauders. In this presentation, we'll demo the new technologies of 3G and LTE networks and how to attack and defend them. We'll also show what kind of exposure telecom companies, Mobile Network Operators and SS7 providers present to external attackers.
44Con 2014: GreedyBTS - Hacking Adventures in GSM - iphonepentest
This presentation examines insecurities in the 2.5G GSM protocol and demonstrates GreedyBTS, a platform for fingerprinting and exploiting cellular devices, including interception of SMS and voice data.
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic - 44CON
There are over 2.9 BILLION subscribers on GSM networks today. How many of these subscribers are susceptible to trivial attacks that can leave phone calls, text messages and web surfing habits accessible to an attacker? This talk intends to discuss the reasons why GSM networks are still vulnerable today and demonstrate attack tools that might make you re-think how you handle sensitive data via your phone. The presenter will discuss his own experience of analysing GSM environments and provide a demonstration of GreedyBTS, which can be used to compromise a target's phone calls, messaging and web surfing habits. Mobile phones will be harmed during this presentation.
Blue and Red teams are missing the low-hanging vulnerabilities that exist in many enterprise networks today. This session will show in detail how the red team can quickly identify and exploit numerous network protocol vulnerabilities that the previous security test team probably missed. Methods for securing routing and switching protocols will be covered, along with detailed PCAP examples and recommendations for adding visualization and instrumentation to the network to detect network exploits.
Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net... - Ahmad K. Kabbara
Video also available: https://youtu.be/JlOK6LeZ9oM
The 4th Generation of mobile communications has been designed to fulfill strict security requirements. However, many publications have found critical vulnerabilities, especially in the authentication and key agreement protocol, which is the essential part of the security of the network.
This project intends to give an in-depth insight into this issue. It focuses on the enhancement of the Authentication and Key Agreement protocol in 4G mobile networks. The research to be done aims to present an in-depth study of the areas of vulnerability for the 4G standard. The aim is then to research and analyze the solutions presented in order to overcome the attacks made on the 4G Network, and then to simulate similar attacks on the proposed solutions for the 4G Network, specifically on the AKA Protocol, using the AVISPA simulator.
There is an urgent need to be in synchronization with the evolution of wireless communication and the much-anticipated 4G standard, which promises wonders. This Proposal explores the trends in the evolution of wireless communication and its advantages in security over the earlier systems. It outlines the requirements that are to be met by the 4G standard and also attempts to analyze the technical challenges that demand solutions during the course of the development and implementation of the next generation of wireless communication.
The development of the 4G wireless standard began in 2005 and is expected to be fully completed approximately by mid-2015. Researchers all around the world and industry communities are racing against time to find solutions for open issues in 4G networks. Hopefully, as a second objective, all this research and these findings will help me contribute a new extension for the AKA Protocol.
VoIP (Voice over Internet Protocol) is used for peer-to-peer or multi-point communications. SRTP (Secure Real-Time Protocol) is used for peer-to-peer communications, which is no longer suitable when you want to do multi-point VoIP. SRTP uses DH (Diffie-Hellman) for key exchange but does not perform certification. This means that SRTP does not guarantee a non-repudiation service and presents security vulnerabilities during key exchanges. In this work, we propose ECMSRTP (Elliptic curve Multi-point Secure Real Time Protocol), which is a new VoIP security protocol for multi-point communications. It uses a certification mechanism, ensures non-repudiation and performs encryption using ElGamal based on elliptic curves. Performance analysis shows that this new protocol has a better latency time than SRTP. It has a complexity of O(n²) for key exchange against O(n ) for SRTP, O(n²) for encryption against O(2n) for SRTP and O() for signature against O(n²) for SRTP.
IPX stands for IP eXchange – but what does it really mean? This is a plain English guide that explains what IPX is and what it will mean for the future of communications.
IPX provides a platform for connecting IP services between mobile and fixed networks and service providers. It provides greater security, reliability, scalability and control. But it comes with a lot of acronyms: QoS, CoS, E2E and SLA. We break these down to show what they mean and how they combine to create the IPX model.
The IPX model defines how IPX networks connect IPX services. These include 4G / LTE roaming, international HD voice, RCS, secure cloud services and every type of IP-based service available now or in the future. We look at what is important when choosing an IPX network to be sure it meets the requirements of both the GSMA and i3Forum.
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version) - Fatih Ozavci
Enterprise companies are increasingly using Microsoft Lync 2010/2013 (a.k.a. Skype for Business 2015) services as call centre, internal communication, cloud communication and video conference platforms. These services are based on VoIP and instant messaging protocols, and support multiple client types such as Microsoft Office 365, Microsoft Lync, Skype for Business, IP phones and teleconference devices. Official clients are also available for mobile devices (e.g. Windows Phone, Android and iOS), desktops (Mac, Linux and Windows) and web applications developed with the .NET framework. Although the Microsoft Lync platform has been developed along with the new technologies, it still suffers from old VoIP, teleconference and platform issues.
Modern VoIP attacks can be used to attack Microsoft Lync environments to obtain unauthorised access to the infrastructure. Open MS Lync frontend and edge servers, insecure federation security design, lack of encryption, insufficient defence for VoIP attacks and insecure compatibility options may allow attackers to hijack enterprise communications. The enterprise users and employees are also the next generation targets for these attackers. They can attack client soft phones and handsets using the broken communication, invalid protocol options and malicious messaging content to compromise sensitive business assets. These attacks may lead to privacy violations, legal issues, call/toll fraud and intelligence collection.
Attack vectors and practical threats against the Microsoft Lync ecosystem will be presented with newly published vulnerabilities and Microsoft Lync testing modules of the Viproy VoIP kit developed by the speaker. This will be accompanied by live demonstrations against a test environment.
• A brief introduction to Microsoft Lync ecosystem
• Security requirements, design vulnerabilities and priorities
• Modern threats against commercial Microsoft Lync services
• Demonstration of new attack vectors against target test platform
The Art of VoIP Hacking - Defcon 23 Workshop - Fatih Ozavci
VoIP attacks have evolved, and they are targeting Unified Communications (UC), commercial services, hosted environments and call centres using major vendor and protocol vulnerabilities. This workshop is designed to demonstrate these cutting-edge VoIP attacks and improve the VoIP skills of incident response teams, penetration testers and network engineers. Signalling protocols are the centre of UC environments, but are also susceptible to IP spoofing, trust issues, call spoofing, authentication bypass and invalid signalling flows. They can be hacked with legacy techniques, but a set of new attacks will be demonstrated in this workshop. This workshop includes basic attack types for UC infrastructure, advanced attacks on SIP and Skinny protocol weaknesses, network infrastructure attacks, value added services analysis, CDR/Log/Billing analysis and the use of Viproy to analyse signalling services using novel techniques. The well-known attacks on the network infrastructure will also be combined with the current VoIP vulnerabilities to test the target workshop network. Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by Fatih). It has a dozen modules to test trust hacking issues, collect information from SIP and Skinny services, gain unauthorised access, redirect and spoof calls, brute-force VoIP accounts, exploit Cisco CUCDM and debug services as a MITM. Furthermore, Viproy provides these attack modules in the Metasploit Framework environment with full integration. The workshop contains live demonstrations of practical VoIP attacks and usage of the Viproy modules.
In this hands-on workshop, attendees will learn about basic attack types for UC infrastructure, advanced attacks to the SIP protocol weaknesses, Cisco Skinny protocol hacking, hacking Cisco CUCDM and CUCM servers, network infrastructure attacks, value added services analysis, Cdr/Log/Billing analysis and Viproy VoIP pen-test kit to analyse VoIP services using novel techniques. New CDP, CUCDM and Cisco Skinny modules and techniques of Viproy will be demonstrated in the workshop as well.
Advanced Security Management in Metro Ethernet Networks - IJNSA Journal
With the rapid increase in bandwidth and the introduction of advanced IP services including voice, high-speed internet access, and video/IPTV, consumers are more vulnerable to malicious users than ever. In recent years, providing safe and sound networks and services has been the top priority for service providers and network carriers alike. Users are hesitant to subscribe to new services unless service providers guarantee secure connections. More importantly, government agencies of many countries have introduced legislation requiring service providers to keep track and records of the owners of IP and MAC addresses at all times. In this paper, we first present an overview of Metro Ethernet (or Ethernet-To-The-Home/Business (ETTx)) and compare it with various IP broadband access technologies including DSL, wireless and cable. We then outline major security concerns for Metro Ethernet networks, including network and subscriber/end user security. Next we introduce state-of-the-art algorithms to prevent attackers from stealing any IP or MAC addresses. Our proposal is to use network management in conjunction with hardware features for security management to provide a secure and spoofing-free ETTx network. The key idea behind our proposal is to utilize network management to enforce strict (port, MAC, IP) binding in the access network to provide subscriber security. The paper then proposes an adaptive policy-based security controller to quickly identify suspected malicious users, temporarily isolate them without disconnecting them from the network or invalidating their contracts, and then carry out the required analysis. The proposed controller identifies malicious users without compromising between accurate but lengthy traffic analysis and premature decisions. It also provides the ability to take granular corrective actions that are adaptive to any defined network condition.
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS (pijans)
While smart factories are becoming widely recognized as a fundamental concept of Industry 4.0, their implementation has posed several challenges insofar as they generate and process vast amounts of security critical and privacy sensitive data, in addition to the fact that they deploy heterogeneous and constrained IoT devices communicating with each other and being accessed ubiquitously through lossy networks. In this scenario, the routing of data is a specific area of concern, especially given the inherent constraints and limiting properties of such devices, such as processing resources, memory capacity and battery life. To suit these constraints and to provide the required connectivity, the IETF has developed several standards, among them the RPL routing protocol for Low power and Lossy Networks (LLNs). However, even though RPL provides support for integrity and confidentiality of messages, its security may be compromised by several threats and attacks. We propose in this work TRM-RPL, a Trust based Routing Metric for the RPL protocol in IIoT based environments. TRM-RPL uses a trust management mechanism to detect malicious behaviors and resist routing attacks while providing QoS guarantees. In addition, our model addresses both node and link trust and follows a multidimensional approach to enable an accurate trust assessment for IoT entities. TRM-RPL is implemented, successfully tested and compared with the standard RPL protocol, and its effectiveness and resilience to attacks have been shown to be better.
Security course: exclusive 5G SA pitfalls and new changes to legislation (Positive Technologies)
5G will mark the transition to an entirely new era in connectivity. It will link together critical infrastructure elements, making security an absolute imperative. This comes as no surprise — regulators have been enhancing their control over telecom security for some time already, as seen in the UK and Europe. We believe that this growth in regulatory powers is part of a global tendency — one that is forcing change on all MNOs with regard to network security.
Our webinar covers:
- Types of threats in the 5G standalone core that you should be aware of (based on our exclusive research)
- Building appropriate guidelines to maintain reliability and resilience
- Reinforcing security strategy as a new global tendency in telecommunications, including an overview of recent changes to legislation in the UK and Europe
Comparative Analysis of Quality of Service for Various Service Classes in WiM... (Editor IJCATR)
Broadband access is an important requirement to satisfy user demands and support a new set of real time services and applications. WiMAX, as a Broadband Wireless Access solution for Wireless Metropolitan Area Networks, covers large distances with high throughput and is a promising technology for Next Generation Networks. Nevertheless, for the successful deployment of WiMAX based solutions, Quality of Service (QoS) is a mandatory feature that must be supported. QoS is an important consideration for supporting the variety of applications that utilize the network resources. These applications include voice over IP and multimedia services such as video streaming and video conferencing. In this paper the performance of MPEG-4 high quality video traffic over a WiMAX network using various service classes has been investigated. To analyze the QoS parameters, the WiMAX module developed for the popular network simulator NS-3 is used. Various parameters that determine the QoS of real life usage scenarios and traffic flows of applications are analyzed. The objective is to compare different types of service classes with respect to the QoS parameters throughput, packet loss, average delay and average jitter.
The IEEE 802.16 standard, commonly known as WiMAX, is the latest technology that has promised to offer broadband wireless access over long distances. Since 2001, WiMAX has evolved from 802.16 to the 802.16d standard for fixed wireless access and to the new IEEE 802.16e standard with mobility support. With the growing popularity of WiMAX the security risks have increased manifold. In this paper we give an overview of the security architecture of WiMAX. We propose some possible security improvements and solutions to eliminate the vulnerabilities. Finally, we look at improvements reported in multi hop WiMAX networks.
Secure Data Aggregation Of Wireless Sensor Networks
Diameter Penetration Test Lab
Security Penetration Test Framework for the Diameter Protocol
Frederick R. Carlson
National Defense University
Washington, D.C., USA
fcarlson@ieee.org
Abstract— This paper outlines the infrastructure required for a penetration testing suite centered around the cellular call control protocol called Diameter. A brief description of Diameter is given along with the basic equipment and design requirements to conduct the testing.
Keywords— Diameter, Wireless Security, Penetration Testing, SIP, SS7
I. INTRODUCTION
The purpose of this paper is to suggest a framework for a detailed security analysis of the Diameter Protocol and the platforms that carry this protocol. There is very little information on the protocol aside from a series of Requests for Comment, Standards Body Documentation and Industry White Papers. It is critical that the framework examine the Diameter Protocol not only in isolation, but in a system as well. This is to show the interaction between Diameter and the various cellular radio systems, handsets, Provisioning gateways (P-Gateway), Serving Gateway (S-Gateway), Policy, Charging and Routing Function (PCRF) Gateways and the base stations (eNodeB). This paper sets up the base system to conduct detailed analysis of the Diameter Protocol from a Security Perspective.
II. DIAMETER
The Diameter model is a base protocol and a set of applications. The base protocol provides common functionality to the supported applications. The base protocol defines the basic Diameter message format. Data is carried within a Diameter message as a collection of Attribute Value Pairs (AVPs). An AVP is like a RADIUS attribute. An AVP consists of multiple fields: an AVP Code, a Length, some Flags, and Data. Some AVPs are used by the Diameter base protocol; other AVPs are intended for the Diameter application while yet others may be used by the higher-level end-system application that employs Diameter. 1
A number of working groups have specified their requirements for Authorization, Authentication and Accounting (AAA) protocols, and these requirements drove the design of the Diameter protocol. The Roaming Operations (ROAMOPS) Working Group of the Internet Engineering Task Force (IETF) published a set of requirements for roaming networks. The NAS Requirements (NASREQ) Working Group of the IETF documented the next generation NAS AAA requirements. The Mobile IP Working Group of the IETF documented AAA requirements that would help Mobile IP scale for Inter-Domain mobility. The Telecommunication Industry Association (TIA) TR-45.6 Adjunct Wireless Packet Data Technology working group documented the CDMA2000 Wireless Data Requirements for Authorization, Authentication and Accounting (AAA). Based on the work of TR-45.6, 3GPP2 has specified a two phased architecture for supporting Wireless IP networking based on IETF protocols, the second phase requiring AAA functionality not supportable in RADIUS. The design of Diameter met the requirements indicated by these various groups. 2
III. THE RELEVANCE OF THE DIAMETER PROTOCOL
Diameter is important as it subsumes the Signaling System Seven (SS7) system that was responsible for signaling and control in Public Switched Telephone Networks (PSTN) and was the intelligent signaling layer in Time Division Multiplexing (TDM) networks. SS7, a very important and long living protocol, is being replaced in modern cellular networks by two protocols: Session Initiation Protocol (SIP) and Diameter. SIP is the call control protocol used to establish voice, messaging and multimedia communication sessions. Diameter is used to exchange subscriber profiles, authentication, billing, Quality of Service (QoS) and mobility between the network elements in these systems. The subscriber profile information handles issues such as network join, location updates and subscriber data, voice, video or multimedia sessions. This information is routed between visited and home networks to authenticate and enable services for roaming subscribers. Diameter signaling is used between the elements in a service provider's 4G network and between providers and roaming hubs. There is a large body of Diameter interfaces that have been defined by various industry and standards groups. Diameter is an extremely flexible standard, which is both its strength, as it allows very quick development, and its weakness, as it tends to be somewhat unfinished, cannot scale without help and has little, if any, academic work on the security posture of the protocol ecosystem itself. 3
1 Interlink Networks. (2002). Introduction to Diameter. Retrieved from: http://www.interlinknetworks.com/whitepapers/Introduction_to_Diameter.pdf
2 Interlink Networks. (2002). Introduction to Diameter. Retrieved from: http://www.interlinknetworks.com/whitepapers/Introduction_to_Diameter.pdf
3 Acme Packet. (2012). Scaling Diameter in LTE and IMS, Retrieved from: http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_ScalingDiameter_020112.pdf
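Section II describes a Diameter message as a header followed by a list of AVPs, each carrying an AVP Code, Flags, a Length and Data. The following is an added example, not code from the paper: a minimal encoder and a length-checked parser for that layout, using the field sizes and well-known AVP codes from RFC 6733 (which the paper does not cite by number), fed with a constructed Capabilities-Exchange-Request whose host, realm and address are made-up lab values. The parser refuses any AVP or message whose declared length does not match the bytes present, which is the first check a lab tool should make before trusting traffic captured between peers.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Base-protocol field values from RFC 6733; the paper itself cites none of them.
DIAMETER_VERSION = 1
CMD_FLAG_REQUEST = 0x80     # 'R' bit of the Command Flags octet
AVP_FLAG_VENDOR = 0x80      # 'V' bit: a 4-byte Vendor-ID follows the AVP header
AVP_FLAG_MANDATORY = 0x40   # 'M' bit: the receiver must understand this AVP
CMD_CAPABILITIES_EXCHANGE = 257
AVP_HOST_IP_ADDRESS, AVP_ORIGIN_HOST, AVP_VENDOR_ID, AVP_PRODUCT_NAME, AVP_ORIGIN_REALM = 257, 264, 266, 269, 296

class MalformedDiameter(ValueError):
    """A length field disagrees with the bytes actually present."""

@dataclass
class AVP:
    code: int
    flags: int
    data: bytes
    vendor_id: Optional[int] = None

    def encode(self) -> bytes:
        flags = self.flags | (AVP_FLAG_VENDOR if self.vendor_id is not None else 0)
        hdr_len = 12 if self.vendor_id is not None else 8
        length = hdr_len + len(self.data)            # AVP Length excludes padding
        out = struct.pack("!I", self.code) + bytes([flags]) + length.to_bytes(3, "big")
        if self.vendor_id is not None:
            out += struct.pack("!I", self.vendor_id)
        return out + self.data + b"\x00" * (-len(self.data) % 4)  # pad to 32 bits

@dataclass
class DiameterMessage:
    command_code: int
    flags: int
    application_id: int
    hop_by_hop: int
    end_to_end: int
    avps: List[AVP] = field(default_factory=list)

    def encode(self) -> bytes:
        body = b"".join(a.encode() for a in self.avps)
        hdr = bytes([DIAMETER_VERSION]) + (20 + len(body)).to_bytes(3, "big")
        hdr += bytes([self.flags]) + self.command_code.to_bytes(3, "big")
        return hdr + struct.pack("!III", self.application_id, self.hop_by_hop, self.end_to_end) + body

def parse_avps(buf: bytes) -> List[AVP]:
    """Walk the AVP list, refusing any AVP whose declared length overruns the buffer."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise MalformedDiameter("truncated AVP header at offset %d" % off)
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < hdr_len or off + length > len(buf):
            raise MalformedDiameter("AVP %d declares %d bytes beyond the buffer" % (code, length))
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & AVP_FLAG_VENDOR else None
        avps.append(AVP(code, flags & ~AVP_FLAG_VENDOR, buf[off + hdr_len:off + length], vendor))
        off += length + (-length % 4)               # padding is not counted in AVP Length
    return avps

def parse_message(buf: bytes) -> DiameterMessage:
    """Decode the 20-byte header, check Message Length against the buffer, then the AVPs."""
    if len(buf) < 20 or buf[0] != DIAMETER_VERSION:
        raise MalformedDiameter("short message or unsupported version")
    length = int.from_bytes(buf[1:4], "big")
    if length != len(buf):
        raise MalformedDiameter("header says %d bytes, got %d" % (length, len(buf)))
    command_code = int.from_bytes(buf[5:8], "big")
    app_id, hbh, e2e = struct.unpack_from("!III", buf, 8)
    return DiameterMessage(command_code, buf[4], app_id, hbh, e2e, parse_avps(buf[20:]))

def build_sample_cer() -> bytes:
    """Constructed sample CER as a lab peer would send on connect; host, realm and address are made up."""
    avps = [
        AVP(AVP_ORIGIN_HOST, AVP_FLAG_MANDATORY, b"target.lab.example"),
        AVP(AVP_ORIGIN_REALM, AVP_FLAG_MANDATORY, b"lab.example"),
        AVP(AVP_HOST_IP_ADDRESS, AVP_FLAG_MANDATORY, b"\x00\x01" + bytes([192, 0, 2, 10])),  # family 1 = IPv4
        AVP(AVP_VENDOR_ID, AVP_FLAG_MANDATORY, struct.pack("!I", 0)),
        AVP(AVP_PRODUCT_NAME, 0, b"lab-diameter"),
    ]
    return DiameterMessage(CMD_CAPABILITIES_EXCHANGE, CMD_FLAG_REQUEST, 0, 0x1234, 0x5678, avps).encode()
```

Feeding the parser a capture from the Phase I lab gives the same AVP walk that Wireshark's Diameter dissector performs, but with the length checks visible so that a malformed peer message is rejected rather than misread.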
IV. DIAMETER AND MOBILITY
Diameter signaling puts significant demands on the mobile network. The main challenges that service providers face with scaling, security and managing Diameter in Long Term Evolution (LTE) and IP Multimedia Subsystem (IMS) networks include:
• Traffic volume: The volume of messages and Diameter transactions for each voice or data session can be huge. By 2015, the firm Exact Ventures projects a figure of 235,000 transactions per second (TPS) for every one million subscribers. For a moderately sized LTE deployment of five million subscribers, a mobile service provider will require Diameter transaction processing in the range of 220,000 to over one million TPS. 4
• Overload and network failure: The servers involved in processing various AAA, QoS or charging functions are not equipped to deal with spikes in volume; this can impact service quality or network availability due to element overload and failure. This is a key security concern.
• Network attack: Diameter signaling infrastructure that is exposed to external networks in roaming scenarios can be attacked in two major ways. The first is with a denial of service attack. With Diameter pooling the information exchange used for signaling, an attack on the Diameter Border Controllers can degrade or possibly take down the entire 4G network. A more insidious attack would be the interception of Attribute Value Pair and location information. Information can easily be sniffed on untrusted, public IP transport networks between service providers. 5 In fact, Wireshark has a detailed Diameter template within their sniffer product to do just that. The security theme here is not only that subtle attacks can be made on the 4G system (similar to the ones made on its predecessor SS7), but that the distributed nature of the 4G network makes it uniquely vulnerable to "script kiddie" like Denial of Service attacks.
V. IP MULTIMEDIA SUBSYSTEM (IMS)
Unfortunately, the cellular network to which Diameter is applied is moderately complex. This section of the paper gives a very basic discussion of platforms and what they do in the IMS ecosystem. Figure 1 shows the basic functions of the IMS system. This diagram shows that a user equipment device (a mobile phone in this example) is calling another device (a landline telephone). The User Equipment (UE) sends its connection request (an invite) to the proxy call session control function (P-CSCF). The P-CSCF needs to find the call server so it sends a request to the interrogating call session control server (I-CSCF). The I-CSCF contacts the home subscriber server (HSS) which contains the service profile of the user and the location of the serving call session control function (S-CSCF). The S-CSCF will then manage the communication session with the UE through the P-CSCF. The IMS system can then connect a call through a media gateway (signaling processes not shown) so the connection can reach the landline telephone. 6
• The relevance of this discussion is that the 4G network is not a closed system like the PSTN was. It is growing up with even more open standards than the Transmission Control Protocol/Internet Protocol (TCP/IP) based networks that formed the Internet. This is one of the reasons that cellular infrastructure can be brought to market extremely quickly; it is also a reason that security holes may be formed at the seams of the actual infrastructure the cellular carriers are deploying. Currently, mobile security is focused on handhelds and user interaction, and that is probably a good development as the user devices themselves are very insecure, but there is the possibility of easily exploited vulnerabilities within the actual base station and IMS/LTE infrastructure.
Figure 1. IP Multimedia Subsystem 7
VI. DIAMETER AS A LAYER
Diameter sits above the transport layer when placed in the OSI (Open Systems Interconnection) layered architecture. It uses the transport services provided by either TCP or SCTP layers, which in turn use IP as their layer below, as illustrated in Figure 2. This is significant because the vast majority of tools and talent are focused on Layer 7 issues such as stack overflows and other software design issues, or network based issues such as Layer 4 port management and network flows. Being above Layer 4 and below Layer 7, Diameter is in a very difficult position on the OSI stack for IT managers to deal with as a matter of culture. This is because the vast majority of people in the IT industry are trained to look at issues at Layers 3 and below (Networkers), Layers 3, 4 and 7 (Programmers and most Security Personnel) and Layers 1 and 2 (Telecom and Fiber).
4 Acme Packet. (2012). Scaling Diameter in LTE and IMS, Retrieved from: http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_ScalingDiameter_020112.pdf
5 Acme Packet. (2012). Scaling Diameter in LTE and IMS, Retrieved from: http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_ScalingDiameter_020112.pdf
6 VoIP Dictionary. IP Multimedia Subsystem - IMS. Retrieved from: http://www.voipdictionary.com/VoIP_Dictionary_IMS_Definition.html
7 VoIP Dictionary. IP Multimedia Subsystem - IMS. Retrieved from: http://www.voipdictionary.com/VoIP_Dictionary_IMS_Definition.html
The pool of people that understand session and presentation layer issues is somewhat small; the pool of people that understand the security interactions is smaller still. A very interesting issue is appearing in the mobile network. The nervous system of this infrastructure seems to be moving to a portion of the IT ecosystem that IT managers are least prepared to cope with.
Figure 2. Diameter as a Layer 8
VII. LONG TERM EVOLUTION (LTE)
LTE is an evolution of the IMS system that simplifies the platforms required to provide 4G services. The first major component is the eNodeB, a base station radio. The second major component is the mobility management entity (MME), which is the brains of the system. The third is the System Architecture Evolution – Gateway (SAE-GW), which is a very fast user plane router. The Policy and Control Routing Function and the Host Subscriber Service are critical to track billing and QoS considerations. Figure 3 (LTE Architecture) illustrates this arrangement.
Figure 3. LTE Architecture 9
The protocol used here is Diameter, which allows these subsystems to communicate. This creates an interesting security situation, as Layer 4 (transport) through Layer 6 (presentation) now have significant policy and control implications that were previously reserved for Layer 3 and Layer 4. As mobile networks like LTE move into vogue, we shall see that securing this protocol and the platforms that aggregate it and transport it around the cellular system will be a significant effort.
VIII. EQUIPMENT REQUIRED 10,11
The effort breaks down into two phases. Phase I creates a Server running Virtualization Software with a target Open Source Diameter Server installed on it. A system that meets the target box specifications appears in Table 1 (Phase I Bill of Materials for Target Box).
8 N. Kottapalli (2010), Radisys White Paper: Diameter and LTE Evolved Packet System. http://go.radisys.com/rs/radisys/images/paper-lte-diameter-eps.pdf
9 Event Helix (2010). Long Term Evolution (LTE) Overview, Retrieved from: http://www.eventhelix.com/lte/tutorial/lte_overview.pdf
10 Rapid7 (2011) "How to Create a Penetration Lab", Retrieved from: http://www.metasploit.com
11 The information at the Metasploit Website was invaluable to the creation of this equipment list. See the article "How to Create a Penetration Lab" at http://www.metasploit.com
TABLE I. PHASE I BILL OF MATERIALS FOR TARGET BOX
Target System
Subsystem                Specification
Processor                Intel Core 2 Quad @ 2.66 GHz
Memory                   8 GB Crucial DDR3 RAM
Hard Drive               500 GB HD
Network Cards            2 Gigabit Ethernet NICs
Operating System         Ubuntu 10.04 LTS 64 bit
Virtualization Software  VMware Workstation
Target Software          Open Diameter Software
A system that meets the attack system specifications is listed in Table 2 (Phase I Bill of Materials for Attack Box).
TABLE II. PHASE I BILL OF MATERIALS FOR ATTACK BOX
Attacking System
Subsystem                Specification
Processor                Multiple Core
Memory                   8 GB DDR3 RAM
Hard Drive               500 GB HD
Operating System         Ubuntu 9.10 64 bit
Network Cards            1 Gigabit Ethernet NIC
Virtualization Software  VMware Workstation (or Virtual Box)
Attack Software          Metasploit Framework (and/or Core Impact), Wireshark, Backtrack 5, pre-built virtual machines or installer ISOs
IX. EQUIPMENT SET UP OF TARGET DIAMETER SYSTEM – PHASE I
Figure 4 (Phase I Diameter Lab) shows the Phase I lab environment. This is the bare bones setup and will be used mostly to get the Diameter System up and accessible through the VM in the attack box and to make sure that the correct tools to do initial Penetration Test runs are set up.
Figure 4. Phase I Diameter Lab
X. EQUIPMENT SET UP OF TARGET DIAMETER SYSTEM – PHASE II
Once the environment is set up, it is then necessary to add virtualized and/or simulated elements of the LTE 4G system of systems. The critical ones are the Policy and Charging Rules Function (PCRF), the Host Subscriber Service (HSS) and the Mobility Management Entity (MME). Figure 5 shows the topology of the second phase of the lab setup.
Figure 5. Phase II Diameter Lab
XI. VULNERABILITY IDENTIFICATION
A list of potential system vulnerabilities must be created from this effort. In an extremely useful paper, Securing SS7 Telecommunications Networks, Lorenz et al. present an excellent taxonomy for security vulnerabilities in the call control subsystem of the Public Switched Telephone Network (PSTN). That taxonomy appears in Figure 6 (SS7 Taxonomy). 12 This paper proposes the creation of an analogous taxonomy from the SS7 work in the examination of Diameter vulnerabilities as a first deliverable of this system.
Figure 6. Signalling System Seven SS7 Security Taxonomy
XII. CONCLUSION
Diameter is subsuming SS7 for call control. It is very likely to subsume RADIUS and TACACS+ for general purpose Authorization, Accounting, and Authentication (AAA) services as well. A list of potential system vulnerabilities will be created from this effort using an approach similar to the SS7 Security Taxonomy shown in Securing SS7 Telecommunications Networks. Currently the security research on Diameter is extremely thin, mirroring the situation in the 1980s and 1990s with SS7. With mobile computing becoming so ubiquitous, and the richness and importance of the data at a much higher level than what was comparatively passed over the SS7 based Public Switched Telephone Network, it makes sense to start building a capability now that can look into this issue of Diameter Security.
12 G. Lorenz, T. Moore, G. Manes, J. Hale, S. Shenoi, Securing SS7 Telecommunications Networks, Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, 5 - 6 June 2001
REFERENCES
[1] G. Lorenz, T. Moore, G. Manes, J. Hale, S. Shenoi, Securing SS7 Telecommunications Networks, Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, 5 - 6 June 2001.
[2] Acme Packet. (2012). Scaling Diameter in LTE and IMS. Retrieved from: http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_ScalingDiameter_020112.pdf
[3] Interlink Networks. (2002). Introduction to Diameter. Retrieved from: http://www.interlinknetworks.com/whitepapers/Introduction_to_Diameter.pdf
[4] N. Kottapalli (2010), Radisys White Paper: Diameter and LTE Evolved Packet System. http://go.radisys.com/rs/radisys/images/paper-lte-diameter-eps.pd
[5] R. Nicole, Event Helix (2010). Long Term Evolution (LTE) Overview. Retrieved from: http://www.eventhelix.com/lte/tutorial/lte_overview.pdf
[6] IRMC: 6201.2 SEC Course Notes, National Defense University, Information Resources Management College, Washington, DC, November 2005.
[7] Rapid7 (2011) "How to Create a Penetration Lab". Retrieved from: www.metasploit.com
[8] VoIP Dictionary. IP Multimedia Subsystem – IMS. Retrieved from: http://www.voipdictionary.com/VoIP_Dictionary_IMS_Definition.html