Practical Security Testing for LTE Networks
BlackHat Abu Dhabi
December 2012
Martyn Ruks & Nils
06/11/2012
Today’s Talk
• Intro to LTE Networks
• Technical Details
• Attacks and Testing
• Defences
• Conclusions
Intro to LTE Networks
A Brief History Lesson
• 1G – 1980s Analogue technology
(AMPS, TACS)
• 2G – 1990s Move to digital
(GSM,GPRS,EDGE)
• 3G – 2000s Improved data
services (UMTS, HSPA)
• 4G – 2010s High bandwidth data
(LTE Advanced)
Mobile Networks
Historic Vulnerabilities
• Older networks have been the subject of
practical and theoretical attacks
• Examples include:
• Ability to man in the middle
• No perfect forward secrecy
• No encryption on the back-end
• LTE (and LTE Advanced) is designed to address these earlier weaknesses
Why is LTE Important?
• We have lived with 3G for a long
time
• 4G provides high speed mobile data
services for customers
• High level of scalability on the back-end for operators
Technical Details
Conceptual View 3G (diagram): User -> Base Station (NodeB, RNC) -> Back-End (Core Network) -> Internet
Network Overview 3G
(diagram) UE -> NB (NodeB) -> RNC -> Core Network (SGSN -> GGSN, with HSS/AuC) -> Internet
Conceptual View 4G (diagram): User -> Base Station (eNodeB) -> Back-End (EPC) -> Internet
Network Overview 4G
(diagram) UE -> eNB -> EPC (MME, SGw -> PGw, PCRF, HSS) -> Internet
The Components
User Equipment (UE)
• What the customer uses to
connect
• Mainly dongles and hubs at
present
• Smartphones and tablets will
follow (already lots in US)
evolved Node B (eNB)
• The bridge between wired
and wireless networks
• Forwards signalling traffic to
the MME
• Passes data traffic to the
PDN/Serving Gateway
Evolved Packet Core (EPC)
• The back-end core network
• Manages access to data
services
• Uses IP for all
communications
• Divided into several
components
Mobility Management Entity (MME)
• Termination point for UE
Signalling
• Handles authentication
events
• Key component in back-end
communications
Home Subscriber Server (HSS)
• Contains a user’s subscription
data (profile)
• Typically includes the
Authentication Centre (AuC)
• Where key material is stored
PDN and Serving Gateways (PGw and SGw)
• Handles data traffic from UE
• Can be consolidated into a
single device
• Responsible for traffic routing
within the back-end
• Implements important filtering controls
Policy and Charging Rules Function (PCRF)
• Does what it says on the tin
• Integrated into the network
core
• Allows operator to perform
bandwidth shaping
Home eNB (HeNB)
• The “FemtoCell” of LTE
• An eNodeB within your home
• Talks to the MME and
PDN/Serving Gateway
• Expected to arrive much later in
4G rollout
Control and User Planes: Network Overview (diagram)
The Protocols
Radio Protocols (RRC, PDCP, RLC)
• These all terminate at the eNodeB
• RRC is only used on the control
plane
• Wireless user and control data
is encrypted (some exceptions)
• NAS signalling between the UE and the MME can also be encrypted and integrity protected end-to-end; the eNodeB only relays it
Internet Protocol (IP)
• Used by all back-end comms
• All user data uses it
• Supports both IPv4 and IPv6
• Important to get routing and
filtering correct
• Common UDP and TCP
services in use
The Protocols – SCTP
• Stream Control Transmission Protocol, another transport on top of IP
• Robust session handling (associations with heartbeats and multi-homing)
• Bi-directional associations
• Verification tags and sequence numbers (TSNs) are very important: a receiver only accepts a packet whose tag matches and whose TSN falls in its window
The Protocols – GTP-U
• Runs on top of UDP and IP (UDP port 2152)
• One of two variants of GTP used in LTE
• This transports user IP data between eNodeB and Serving Gateway
• A pair of tunnels is used, one per direction, each identified by a Tunnel Endpoint ID (TEID)
The Protocols – GTP-C
• Runs on top of UDP and IP (UDP port 2123)
• The other variant of GTP used in LTE
• Used for back-end control signalling, i.e. setting up and tearing down the tunnels that carry user data
• The MME only needs GTPv2-C towards the Serving Gateway; GTPv1-C should not appear at the MME in a pure 4G network without legacy 2G/3G interworking
S1AP
• Runs on top of SCTP and IP
• An ASN.1 (PER encoded) protocol
• Transports UE signalling (NAS) between eNodeB and MME
• UE sessions are distinguished by a pair of IDs: the eNB UE S1AP ID and the MME UE S1AP ID
X2AP
• Very similar to S1AP
• Used between eNodeBs for signalling and handovers
• Runs over SCTP and IP and is also an ASN.1 protocol
Potential Attacks
What Attacks are Possible
• Wireless attacks and the baseband
• Attacking the EPC from UE
• Attacking other UE
• Plugging into the Back-end
• Physical attacks (HeNB)
Targets for Testing
Wireless Attacks and the Baseband
• A DIY kit for attacking wireless
protocols is now closer (USRP
based)
• Best chance is using commercial
kit to get a head-start
• Not the easiest thing to attack
Attacking the EPC from UE
• Everything in the back-end is IP
• You pay someone to give you IP access to the environment
• Easiest place to start
Attacking other UE
• Other wirelessly connected
devices are close
• May be less protection if seen
as a local network
• The gateway may enforce
segregation between UE
Wired network attacks
• eNodeBs will be in public locations
• They need visibility of components in the
EPC
• Very easy to communicate with an IP
network
• Everything is potentially in scope
Physical Attacks (eNB)
• Plugging into management
interfaces is most likely attack,
except …
• A Home eNodeB is a different
story
• Hopefully we have learned from
the Vodafone Femto-Cell Attack
What you can Test
As a Wirelessly Connected User
• Visibility of the back-end from UE
• Visibility of other UEs
• Testing controls enforced by Gateway
• Spoofed source addresses
• GTP Encapsulation (Control and User)
Tests to Run
From the Back-End
• Ability to attack MME (signalling)
• Robustness of stacks (eg SCTP)
• Fuzzing
• Sequence number generation
• Testing management interfaces
• Web consoles
• SSH
• Proprietary protocols
Challenges
• Spoofing UE authentication is difficult
• Messing with radio layers is hard
• ASN.1 protocols are a pain
• Injecting into SCTP is tough
• Easy to break back-end communications
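The back-end tests above list SCTP stack robustness and sequence number generation, and the challenges note that injecting into SCTP is tough. The following added example (written for this page, not code from the talk or from MWR) shows why by parsing an SCTP packet of the kind that carries S1AP on S1-MME, verifying its CRC32c, and modelling the two values a receiver checks before it delivers a DATA chunk: the verification tag it expects and a TSN inside its receive window. Ports and the S1AP PPID are the registered values; the verification tag, TSNs, window size and the packet bytes are constructed for the example.

```python
"""Added example (not from the original slides): parse an SCTP packet such as
one carrying S1AP on S1-MME, verify its CRC32c, and model what a receiver
checks before accepting a DATA chunk. This is what an injector must get
right. Tags, TSNs, the window and the packet bytes are constructed here."""
import struct

S1AP_PORT = 36412   # SCTP port registered for S1AP
S1AP_PPID = 18      # payload protocol identifier for S1AP


def crc32c(data):
    """Bit-reflected CRC-32C (Castagnoli), the checksum SCTP mandates."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def checksum_field(packet):
    """Checksum as carried on the wire: CRC32c over the packet with the field
    zeroed, stored least-significant byte first."""
    return struct.pack("<I", crc32c(packet[:8] + b"\x00" * 4 + packet[12:]))


def data_chunk(tsn, stream_id, ssn, ppid, payload, flags=0x03):
    """DATA chunk (type 0); flags 0x03 marks an unfragmented user message."""
    chunk = struct.pack("!BBHIHHI", 0, flags, 16 + len(payload), tsn, stream_id, ssn, ppid) + payload
    return chunk + b"\x00" * (-len(chunk) % 4)        # chunks are padded to 4 bytes


def build_sctp(sport, dport, vtag, chunks):
    """Common header (ports, verification tag, checksum) followed by the chunks."""
    body = struct.pack("!HHII", sport, dport, vtag, 0) + b"".join(chunks)
    return body[:8] + checksum_field(body) + body[12:]


def parse_sctp(packet):
    if packet[8:12] != checksum_field(packet):
        raise ValueError("bad CRC32c")
    sport, dport, vtag, _ = struct.unpack("!HHII", packet[:12])
    chunks, off = [], 12
    while off + 4 <= len(packet):
        ctype, cflags, clen = struct.unpack("!BBH", packet[off:off + 4])
        if clen < 4:
            raise ValueError("bad chunk length")
        body = packet[off + 4:off + clen]
        chunk = {"type": ctype, "flags": cflags}
        if ctype == 0:
            tsn, sid, ssn, ppid = struct.unpack("!IHHI", body[:12])
            chunk.update(tsn=tsn, stream=sid, ssn=ssn, ppid=ppid, payload=body[12:])
        chunks.append(chunk)
        off += clen + (-clen % 4)
    return {"sport": sport, "dport": dport, "vtag": vtag, "chunks": chunks}


class Association:
    """Receiver-side view of one association, e.g. the MME's state for an eNB.
    Only the two values an injector must guess are modelled: the verification
    tag the receiver expects and its cumulative TSN."""
    WINDOW = 64   # constructed receive window, in TSNs

    def __init__(self, expected_vtag, cumulative_tsn):
        self.expected_vtag = expected_vtag
        self.cum_tsn = cumulative_tsn

    def accepts(self, packet):
        """Return (accepted, reason) for a packet claiming to belong to this association."""
        try:
            p = parse_sctp(packet)
        except ValueError as err:
            return False, str(err)
        if p["vtag"] != self.expected_vtag:
            return False, "verification tag mismatch"
        for chunk in p["chunks"]:
            if chunk["type"] == 0:
                ahead = (chunk["tsn"] - self.cum_tsn) & 0xFFFFFFFF    # serial arithmetic
                if ahead == 0 or ahead > self.WINDOW:
                    return False, "TSN %d outside receive window" % chunk["tsn"]
        return True, "ok"
```

A blind injector has to produce a packet that passes all three checks: a correct CRC32c (trivial once the bytes are known), the receiver's verification tag (32 bits chosen at association setup), and a TSN close to the receiver's cumulative TSN. An attacker who can observe the association gets all three for free, which is why the back-end link must be protected with IPsec rather than relying on SCTP itself; an attacker who cannot observe it is reduced to testing how predictably a given stack generates its initial tags and TSNs.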
S1AP Protocol
• By default no authentication to the service
• Contains eNodeB data and UE Signalling
• UE Signalling can make use of encryption
and integrity checking
• If no UE encryption is used attacks against
connected handsets become possible
S1AP and Signalling (diagram): the UE's NAS messages cross the radio to the eNB and are then carried to the MME inside S1AP, so NAS runs end-to-end between UE and MME while S1AP runs only between eNB and MME
S1AP and Signalling (diagram): two spoofing positions
• Spoofed UE (towards the eNB)
• Spoofed eNB (towards the MME)
S1AP and Signalling (message flow between eNB and MME)
• S1 Setup
• S1 Setup Response
• Attach Request
• Authentication Request
• Authentication Response
• Security Mode
GTP Protocol
• Gateway can handle multiple
encapsulations
• It uses UDP so easy to have fun with
• The gateway needs to enforce a number of
controls that stop attacks
GTP and User Data (diagrams)
• The UE's IP packet crosses the radio to the eNB, which wraps it in GTP-U over UDP over IP towards the SGw; the gateway strips the encapsulation and forwards the inner IP packet to the Internet, with the reverse on the way back
• Stack seen between eNB and SGw: outer IP / UDP / GTP-U / inner IP (the UE's packet)
• Fields the gateway must check: source IP address of the outer packet (the eNB), source IP address of the inner packet (the UE), invalid inner IP protocols, the GTP Tunnel ID, and the destination IP address
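The GTP slides above describe the encapsulation and list the fields the gateway has to check. The following added example (written for this page, not code from the talk or from MWR) builds a GTP-U packet as an eNB would send it to the SGw and applies those checks: outer source address against a known-eNB list, TEID against a tunnel table, inner source address against the UE bound to that tunnel, inner IP protocol, nested GTP-U inside the user payload (encapsulation protection), and inner destination against EPC ranges a subscriber must never reach. All addresses, TEIDs, the tunnel table and the packets are constructed for the example; a real gateway learns the tunnel table from bearer setup signalling.

```python
"""Added example (not from the original slides): build a GTP-U packet as an
eNB would send it to the SGw, then apply the gateway checks the deck lists.
Addresses, TEIDs, the tunnel table and the packets are constructed here."""
import ipaddress
import struct

GTPU_PORT = 2152      # GTP-U always runs on UDP/2152
GTPU_GPDU = 0xFF      # message type: G-PDU, i.e. a tunnelled user packet

# Constructed tunnel table: TEID -> (eNB that owns it, UE address bound to it).
TUNNELS = {0x00001234: ("192.0.2.10", "10.45.0.7")}
# Constructed allow-list of eNB addresses the SGw accepts GTP-U from.
KNOWN_ENBS = {"192.0.2.10", "192.0.2.11"}
# Constructed EPC ranges a subscriber packet must never be routed into.
EPC_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_INNER_PROTOS = {1, 6, 17}   # ICMP, TCP, UDP


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; the header checksum is left at zero
    because nothing in this example verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def gtpu_header(teid, payload_len):
    """GTPv1-U header with no optional fields: flags 0x30 = version 1, PT = 1."""
    return struct.pack("!BBHI", 0x30, GTPU_GPDU, payload_len, teid)


def build(outer_src, outer_dst, teid, inner_src, inner_dst, inner_proto, inner_payload):
    """outer IP / UDP / GTP-U / inner IP / inner payload, as seen on S1-U."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(inner_payload)) + inner_payload
    gtp = gtpu_header(teid, len(inner)) + inner
    udp = udp_header(GTPU_PORT, GTPU_PORT, len(gtp)) + gtp
    return ipv4_header(outer_src, outer_dst, 17, len(udp)) + udp


def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], buf[ihl:]


def gateway_check(pkt):
    """Return the policy violations for one packet arriving at the SGw (empty = forward)."""
    outer_src, _, proto, rest = parse_ipv4(pkt)
    if proto != 17 or struct.unpack("!H", rest[2:4])[0] != GTPU_PORT:
        return ["not GTP-U over UDP"]
    flags, msg_type, length, teid = struct.unpack("!BBHI", rest[8:16])
    if flags >> 5 != 1 or msg_type != GTPU_GPDU:
        return ["not a GTPv1-U G-PDU"]
    in_src, in_dst, in_proto, in_rest = parse_ipv4(rest[16:16 + length])

    findings = []
    if outer_src not in KNOWN_ENBS:                       # outer source address
        findings.append("outer source %s is not a known eNB" % outer_src)
    tunnel = TUNNELS.get(teid)                             # GTP tunnel ID
    if tunnel is None:
        findings.append("unknown TEID 0x%08x" % teid)
    else:
        enb, ue = tunnel
        if outer_src != enb:
            findings.append("TEID 0x%08x belongs to eNB %s, not %s" % (teid, enb, outer_src))
        if in_src != ue:                                   # inner source address
            findings.append("inner source %s spoofed (tunnel is for %s)" % (in_src, ue))
    if in_proto not in ALLOWED_INNER_PROTOS:               # invalid inner protocol
        findings.append("inner protocol %d not allowed" % in_proto)
    # Encapsulation protection: a UE must not be able to tunnel GTP through its own bearer.
    if in_proto == 17 and len(in_rest) >= 8 and struct.unpack("!H", in_rest[2:4])[0] == GTPU_PORT:
        findings.append("nested GTP-U from UE towards %s" % in_dst)
    if any(ipaddress.IPv4Address(in_dst) in net for net in EPC_NETS):   # destination address
        findings.append("inner destination %s is inside the EPC" % in_dst)
    return findings


if __name__ == "__main__":
    ok = build("192.0.2.10", "198.51.100.1", 0x1234, "10.45.0.7", "203.0.113.5", 6, b"\x00" * 20)
    spoof = build("192.0.2.10", "198.51.100.1", 0x1234, "10.45.0.99", "203.0.113.5", 6, b"\x00" * 20)
    print(gateway_check(ok), gateway_check(spoof))
```

The tests "as a wirelessly connected user" map directly onto these checks: send packets with a spoofed inner source, send a GTP-U packet from the UE to port 2152 of another host, and address EPC ranges from the UE. If any of them reaches its destination the corresponding control in the gateway is missing or misconfigured.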
Old Skool
• Everything you already know can be
applied to testing the back-end
• It's an IP network and has routers and switches
• There are management services running
Defences
The Multi-Layered Approach
• Get the IP network design right
• Protect the IP traffic in transit
• Enforce controls in the Gateway
• Ensure UE and HeNBs are secure
• Monitoring and Response
• Testing
Unified/Consolidated Gateway
• The “Gateway” enforces some very
important controls:
• Anti-spoofing
• Encapsulation protection
• Device to device Routing
• Billing and charging of users
IP Routing
• Architecture design and routing in the core
is complex
• Getting it right is critical to security
• We have seen issues with this
• This must be tested before an environment
is deployed
IPSec
• If correctly implemented will provide
Confidentiality and Integrity protection
• Can also provide authentication between
components
• Keeping the keys secure is not trivial and is seldom tested
Architecture Consideration (diagram): eNodeB -> EPC Switch -> MME, HSS, Serving Gateway and PDN Gateway inside the EPC; PDN Gateway -> Internet Gateway -> Internet
Conclusions
Conclusion 1
• There are 3 key protective controls that should be tested within LTE environments
• Policies and rules in the Unified/Consolidated Gateway
• The implementation of IPSec between all back-end components
• A back-end IP network with well-designed routing and filtering
Conclusion 2
• Despite fears from the use of IP in 4G, LTE will improve security if implemented correctly
• The 3 key controls must be correctly implemented
• Testing must be completed for validation
• Continued scrutiny is required
• Legacy systems may be the weakest link
Conclusion 3
• Protecting key material used for IPSec is not trivial
• The security model for IPSec needs careful consideration
• Operational security processes are also important
• Home eNodeB security is a challenge
Conclusion 3
• More air interface testing is needed
• Will need co-operation from
vendors/operators
• “Open” testing tools will need significant
development effort
• Still lower hanging fruit if support for legacy
wireless standards remain
06/11/2012 74
Conclusion 4
06/11/2012 75
Questions
@mwrinfosecurity
@mwrlabs
