
Security Testing 4G (LTE) Networks - 44CON 2012

44CON
September 06, 2012


Martyn Ruks & Nils present Security Testing 4G (LTE) Networks at 44CON 2012 in London, September 2012.


Transcript

  1. Today’s Talk (slide 2, 11/09/2012)
     • Intro to 4G (LTE) Networks
     • Technical Details
     • Attacks and Testing
     • Defences
     • Conclusions
  2. A Brief History Lesson (Mobile Networks, slide 4)
     • 1G – 1980s: analogue technology (AMPS, TACS)
     • 2G – 1990s: move to digital (GSM, GPRS, EDGE)
     • 3G – 2000s: improved data services (UMTS, HSPA)
     • 4G – 2010s: high-bandwidth data (LTE Advanced)
  3. Historic Vulnerabilities (Mobile Networks, slide 5)
     • Older networks have been the subject of practical and theoretical attacks
     • Examples include:
       • Ability to man-in-the-middle
       • No perfect forward secrecy
       • No encryption on the back-end
     • LTE Advanced addresses previous attacks
  4. Current Status of 4G (Mobile Networks, slide 6)
     • Lots of 4G networks running or planned (e.g. Scandinavia, US)
     • UK trials have run in Cornwall, London etc.
     • Spectrum auction is important
     • EE service launches soon!
  5. Why is 4G Important? (Mobile Networks, slide 7)
     • Digital Britain strategy
     • Fixed-line broadband is expensive in remote locations
     • Provides high-speed mobile data services
     • High level of scalability on the back-end
  6. Network Overview (slide 10)
     [Diagram: 3G reference architecture, showing UE, NodeB (NB) pairs, RNC, SGSN, GGSN, HSS/AuC in the Core Network, and the Internet.]
  7. User Equipment (UE) (The Components, slide 13)
     • What the customer uses to connect
     • Mainly dongles and hubs at present
     • Smartphones and tablets will follow (already lots in the US)
  8. evolved Node B (eNB) (The Components, slide 14)
     • The bridge between wired and wireless networks
     • Forwards signalling traffic to the MME
     • Passes data traffic to the PDN/Serving Gateway
  9. Evolved Packet Core (EPC) (The Components, slide 15)
     • The back-end core network
     • Manages access to data services
     • Uses IP for all communications
     • Divided into several components
  10. Mobile Management Entity (MME) (The Components, slide 16)
     • Termination point for UE signalling
     • Handles authentication events
     • Key component in back-end communications
  11. Home Subscriber Service (HSS) (The Components, slide 17)
     • Contains a user’s subscription data (profile)
     • Typically includes the Authentication Centre (AuC)
     • Where key material is stored
  12. PDN and Serving Gateways (PGw and SGw) (The Components, slide 18)
     • Handle data traffic from the UE
     • Can be consolidated into a single device
     • Responsible for traffic routing within the back-end
     • Implement important filtering controls
  13. Policy Charging and Rules Function (PCRF) (The Components, slide 19)
     • Does what it says on the tin
     • Integrated into the network core
     • Allows the operator to perform bandwidth shaping
  14. Home eNB (HeNB) (The Components, slide 20)
     • The “FemtoCell” of LTE
     • An eNodeB within your home
     • Talks to the MME and PDN/Serving Gateway
     • Expected to arrive much later in the 4G rollout
  15. Radio Protocols (RRC, PDCP, RLC) (The Protocols, slide 22)
     [Stack diagram: RRC, PDCP, RLC]
     • These all terminate at the eNodeB
     • RRC is only used on the control plane
     • Wireless user and control data is encrypted (some exceptions)
     • Signalling data can also be encrypted end-to-end
  16. Internet Protocol (IP) (The Protocols, slide 23)
     [Stack diagram: IP]
     • Used by all back-end comms
     • All user data uses it
     • Supports both IPv4 and IPv6
     • Important to get routing and filtering correct
     • Common UDP and TCP services in use
  17. The Protocols – SCTP (The Protocols, slide 24)
     [Stack diagram: SCTP over IP]
     • Another protocol on top of IP
     • Robust session handling
     • Bi-directional sessions
     • Sequence numbers are very important
  18. The Protocols – GTP-U (The Protocols, slide 25)
     [Stack diagram: GTP-U over UDP over IP]
     • Runs on top of UDP and IP
     • One of two variants of GTP used in LTE
     • This transports user IP data
     • A pair of sessions is used, identified by Tunnel-ID
  19. The Protocols – GTP-C (The Protocols, slide 26)
     [Stack diagram: GTP-C over UDP over IP]
     • Runs on top of UDP and IP
     • The other variant of GTP used in LTE
     • Used for back-end data
     • Should not be used by the MME in pure 4G
  20. S1AP (The Protocols, slide 27)
     [Stack diagram: S1AP over SCTP over IP]
     • Runs on top of SCTP and IP
     • An ASN.1 protocol
     • Transports UE signalling
     • UE sessions are distinguished by a pair of IDs
  21. X2AP (The Protocols, slide 28)
     [Stack diagram: X2AP over SCTP over IP]
     • Very similar to S1AP
     • Used between eNodeBs for signalling and handovers
     • Runs over SCTP and IP and is also an ASN.1 protocol
  22. What Attacks are Possible (Targets for Testing, slide 30)
     • Wireless attacks and the baseband
     • Attacking the EPC from UE
     • Attacking other UE
     • Plugging into the back-end
     • Physical attacks (HeNB)
  23. Wireless Attacks and the Baseband (Targets for Testing, slide 31)
     • A DIY kit for attacking wireless protocols is now closer (USRP based)
     • Best chance is using commercial kit to get a head-start
     • Not the easiest thing to attack
  24. Attacking the EPC from UE (Targets for Testing, slide 32)
     • Everything in the back-end is IP
     • You pay someone to give you IP access to the environment
     • Easiest place to start
  25. Attacking other UE (Targets for Testing, slide 33)
     • Other wirelessly connected devices are close
     • May be less protection if seen as a local network
     • The gateway may enforce segregation between UE
  26. Wired Network Attacks (Targets for Testing, slide 34)
     • eNodeBs will be in public locations
     • They need visibility of components in the EPC
     • Very easy to communicate with an IP network
     • Everything is potentially in scope
  27. Physical Attacks (eNB) (Targets for Testing, slide 35)
     • Plugging into management interfaces is the most likely attack, except …
     • A Home eNodeB is a different story
     • Hopefully we have learned from the Vodafone Femto-Cell attack
  28. As a Wirelessly Connected User (Tests to Run, slide 37)
     • Visibility of the back-end from UE
     • Visibility of other UEs
     • Testing controls enforced by the Gateway
       • Spoofed source addresses
       • GTP encapsulation (Control and User)
  29. From the Back-End (Tests to Run, slide 38)
     • Ability to attack the MME (signalling)
     • Robustness of stacks (e.g. SCTP)
       • Fuzzing
       • Sequence number generation
     • Testing management interfaces
       • Web consoles
       • SSH
       • Proprietary protocols
  30. Challenges (Tests to Run, slide 39)
     • Spoofing UE authentication is difficult
     • Messing with radio layers is hard
     • ASN.1 protocols are a pain
     • Injecting into SCTP is tough
     • Easy to break back-end communications
  31. S1AP Protocol (Tests to Run, slide 40)
     • By default no authentication to the service
     • Contains eNodeB data and UE signalling
     • UE signalling can make use of encryption and integrity checking
     • If no UE encryption is used, attacks against connected handsets become possible
  32. S1AP and Signalling (Tests to Run, slide 42)
     [Diagram: UE – eNB – MME, marking where a spoofed UE and a spoofed eNB would sit.]
  33. S1AP and Signalling (Tests to Run, slide 43)
     [Message sequence between eNB and MME: S1 Setup → S1 Setup Response, then Attach Request, Authentication Request, Authentication Response, Security Mode.]
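The attach sequence on the slide is the point at which the MME decides whether a handset's signalling gets ciphering and integrity protection at all. The tracker below, added here as an example and not tooling from the talk, follows that sequence per UE and flags sessions that deviate from it or that end up with the null algorithms selected. The event records are constructed, and their field names (msg, enb_ue_s1ap_id, mme_ue_s1ap_id, cipher, integ) are an assumption about how a signalling probe might export them; the algorithm names EEA0/EIA0 are the 3GPP TS 33.401 identifiers for "no encryption" and "no integrity".

```python
"""Follow the S1AP/NAS attach exchange per UE and flag sessions that end up
without ciphering or integrity protection.  Added example, not from the talk:
the event records are constructed and their field names are an assumption."""
from dataclasses import dataclass, field
from typing import List, Optional

# 3GPP TS 33.401 algorithm identifiers: EEA0 / EIA0 are the null algorithms,
# i.e. "no encryption" and "no integrity" on NAS signalling.
NULL_CIPHER = "EEA0"
NULL_INTEGRITY = "EIA0"

# Order of the attach exchange as drawn on the slide, after S1 Setup.
EXPECTED = ["AttachRequest", "AuthenticationRequest", "AuthenticationResponse",
            "SecurityModeCommand", "SecurityModeComplete"]


@dataclass
class UeSession:
    enb_ue_id: int
    mme_ue_id: Optional[int] = None
    steps: List[str] = field(default_factory=list)
    cipher: Optional[str] = None
    integrity: Optional[str] = None


def audit(events):
    """Return (sessions, findings); each finding is (eNB-UE-S1AP-ID, reason)."""
    sessions = {}
    findings = []
    for ev in events:
        key = ev["enb_ue_s1ap_id"]
        s = sessions.setdefault(key, UeSession(key))
        # A UE session is identified by the (eNB, MME) S1AP ID pair; the MME
        # side changing mid-session is worth a look.
        if "mme_ue_s1ap_id" in ev:
            if s.mme_ue_id is not None and s.mme_ue_id != ev["mme_ue_s1ap_id"]:
                findings.append((key, "MME-UE-S1AP-ID changed mid-session"))
            s.mme_ue_id = ev["mme_ue_s1ap_id"]
        msg = ev["msg"]
        expected = EXPECTED[len(s.steps)] if len(s.steps) < len(EXPECTED) else None
        if msg != expected:
            findings.append((key, "unexpected %s, expected %s" % (msg, expected)))
        s.steps.append(msg)
        # Security Mode Command is where the MME picks the algorithms; a null
        # choice means the handset's signalling travels unprotected.
        if msg == "SecurityModeCommand":
            s.cipher = ev.get("cipher")
            s.integrity = ev.get("integ")
            if s.cipher == NULL_CIPHER:
                findings.append((key, "null ciphering %s selected" % NULL_CIPHER))
            if s.integrity == NULL_INTEGRITY:
                findings.append((key, "null integrity %s selected" % NULL_INTEGRITY))
    return sessions, findings


# Constructed sample: UE 1 attaches normally, UE 2 is given EEA0, and UE 3
# goes straight to Security Mode without any authentication exchange.
EVENTS = [
    {"msg": "AttachRequest", "enb_ue_s1ap_id": 1},
    {"msg": "AuthenticationRequest", "enb_ue_s1ap_id": 1, "mme_ue_s1ap_id": 100},
    {"msg": "AuthenticationResponse", "enb_ue_s1ap_id": 1, "mme_ue_s1ap_id": 100},
    {"msg": "SecurityModeCommand", "enb_ue_s1ap_id": 1, "mme_ue_s1ap_id": 100,
     "cipher": "EEA2", "integ": "EIA2"},
    {"msg": "SecurityModeComplete", "enb_ue_s1ap_id": 1, "mme_ue_s1ap_id": 100},
    {"msg": "AttachRequest", "enb_ue_s1ap_id": 2},
    {"msg": "AuthenticationRequest", "enb_ue_s1ap_id": 2, "mme_ue_s1ap_id": 101},
    {"msg": "AuthenticationResponse", "enb_ue_s1ap_id": 2, "mme_ue_s1ap_id": 101},
    {"msg": "SecurityModeCommand", "enb_ue_s1ap_id": 2, "mme_ue_s1ap_id": 101,
     "cipher": "EEA0", "integ": "EIA2"},
    {"msg": "SecurityModeComplete", "enb_ue_s1ap_id": 2, "mme_ue_s1ap_id": 101},
    {"msg": "AttachRequest", "enb_ue_s1ap_id": 3},
    {"msg": "SecurityModeCommand", "enb_ue_s1ap_id": 3, "mme_ue_s1ap_id": 102,
     "cipher": "EEA2", "integ": "EIA2"},
]

if __name__ == "__main__":
    for ue, reason in audit(EVENTS)[1]:
        print("eNB-UE-S1AP-ID %d: %s" % (ue, reason))
```

Run on the constructed events it reports UE 2 for null ciphering and UE 3 for skipping authentication; UE 1 completes cleanly. In practice the events would come from a probe on the S1-MME link or from MME logs, and the EEA0 check is the one that matters most for the "no UE encryption" case on the previous slide.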
  34. GTP Protocol (Tests to Run, slide 44)
     • The Gateway can handle multiple encapsulations
     • It uses UDP, so it is easy to have fun with
     • The Gateway needs to enforce a number of controls that stop attacks
  35. GTP and User Data (Tests to Run, slide 46)
     [Encapsulation diagram between UE and eNodeB: the UE side is labelled IP / UDP / GTP / IP, the eNodeB side IP / UDP / GTP.]
  36. GTP and User Data (Tests to Run, slide 47)
     [Path diagram UE – eNB – SGw – Internet, showing IP carried inside GTP tunnels on each hop and plain IP towards the Internet.]
  37. GTP and User Data (Tests to Run, slide 48)
     [Diagram UE – eNB – SGw – PGw, annotating the checks the gateways must apply: Source IP Address (IP), Invalid IP Protocols (IP), GTP Tunnel ID (GTP), Source IP Address (GTP), Destination IP Address (IP).]
  38. Old Skool (Tests to Run, slide 49)
     • Everything you already know can be applied to testing the back-end
     • It’s an IP network and has routers and switches
     • There are management services running
  39. The Multi-Layered Approach (Defences, slide 51)
     • Get the IP network design right
     • Protect the IP traffic in transit
     • Enforce controls in the Gateway
     • Ensure UE and HeNBs are secure
     • Monitoring and response
     • Testing
  40. Unified/Consolidated Gateway (Defences, slide 52)
     • The “Gateway” enforces some very important controls:
       • Anti-spoofing
       • Encapsulation protection
       • Device-to-device routing
       • Billing and charging of users
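The checks annotated on the GTP and User Data diagrams (source address of the outer and inner IP headers, tunnel ID, permitted IP protocols, destination address) and the anti-spoofing and encapsulation-protection controls listed for the Gateway come together in one decision per GTP-U packet. The following is an added example of that decision on the gateway's S1-U side, written for this page and not taken from the talk or any vendor: the SGw address, eNB addresses, UE addresses, TEID values and the tunnel table are all constructed, as are the sample packets. The only real constants are the GTP-U port (UDP/2152) and the GTPv1 G-PDU header layout.

```python
"""Gateway-side checks on GTP-U packets: tunnel binding, inner-source
anti-spoofing, permitted inner protocols, no nested GTP, no UE traffic aimed
at the core.  Added example; addresses, TEIDs and packets are constructed."""
import ipaddress
import struct

GTPU_PORT = 2152       # GTP-U runs on UDP/2152
GTPU_G_PDU = 0xFF      # message type for an encapsulated user PDU
GTPU_V1_FLAGS = 0x30   # version 1, protocol type GTP, no optional fields

SGW_ADDR = "10.0.1.1"                               # constructed SGw S1-U address
CORE_NETS = [ipaddress.IPv4Network("10.0.0.0/8")]   # constructed EPC ranges
ALLOWED_INNER_PROTOCOLS = {1, 6, 17}                # ICMP, TCP, UDP on the user plane
# What the SGw knows about each bearer: TEID -> (eNB outer address, UE address).
TUNNELS = {
    0x1001: ("10.0.0.10", "100.64.0.5"),
    0x1002: ("10.0.0.10", "100.64.0.6"),
}


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_gtpu(teid, inner):
    return struct.pack("!BBHI", GTPU_V1_FLAGS, GTPU_G_PDU, len(inner), teid) + inner


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def parse_udp(seg):
    sport, dport, length, _ = struct.unpack("!HHHH", seg[:8])
    return sport, dport, seg[8:length]


def check_gtpu(pkt):
    """Return (verdict, reason) for one packet arriving on the SGw's S1-U side."""
    osrc, odst, oproto, opayload = parse_ipv4(pkt)
    if oproto != 17 or odst != SGW_ADDR:
        return "drop", "outer packet is not UDP to the gateway"
    _, dport, udp_payload = parse_udp(opayload)
    if dport != GTPU_PORT:
        return "drop", "not a GTP-U port"
    flags, mtype, length, teid = struct.unpack("!BBHI", udp_payload[:8])
    if flags >> 5 != 1 or mtype != GTPU_G_PDU:
        return "drop", "unsupported GTP header"
    if teid not in TUNNELS:                       # GTP Tunnel ID check
        return "drop", "unknown TEID 0x%x" % teid
    enb, ue = TUNNELS[teid]
    if osrc != enb:                               # Source IP Address (GTP)
        return "drop", "TEID 0x%x not bound to eNB %s" % (teid, osrc)
    isrc, idst, iproto, ipayload = parse_ipv4(udp_payload[8:8 + length])
    if isrc != ue:                                # Source IP Address (IP): anti-spoofing
        return "drop", "inner source %s spoofed for TEID 0x%x" % (isrc, teid)
    if iproto not in ALLOWED_INNER_PROTOCOLS:     # Invalid IP Protocols (IP)
        return "drop", "inner protocol %d not permitted" % iproto
    if iproto == 17 and parse_udp(ipayload)[1] == GTPU_PORT:   # encapsulation protection
        return "drop", "nested GTP encapsulation from UE"
    if any(ipaddress.IPv4Address(idst) in n for n in CORE_NETS):  # Destination IP Address (IP)
        return "drop", "UE traffic addressed to the core network"
    return "forward", "TEID 0x%x ok" % teid


def sample_packets():
    """Constructed S1-U packets: one clean, four that should be dropped."""
    ext = "198.51.100.7"                         # documentation range, stands in for an Internet host
    user_tcp = build_ipv4("100.64.0.5", ext, 6, b"\x00" * 20)

    def wrap(teid, inner, enb="10.0.0.10"):
        return build_ipv4(enb, SGW_ADDR, 17, build_udp(GTPU_PORT, GTPU_PORT, build_gtpu(teid, inner)))

    nested = build_ipv4("100.64.0.5", SGW_ADDR, 17,
                        build_udp(40000, GTPU_PORT, build_gtpu(0x1002, b"")))
    return {
        "good": wrap(0x1001, user_tcp),
        "spoofed": wrap(0x1001, build_ipv4("100.64.0.6", ext, 6, b"\x00" * 20)),
        "nested": wrap(0x1001, nested),
        "unknown": wrap(0x9999, user_tcp),
        "wrong_enb": wrap(0x1001, user_tcp, enb="10.0.0.99"),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, check_gtpu(pkt))
```

The order of the checks matters: tunnel binding first, so that a packet is always judged against the UE the tunnel actually belongs to, then the inner header. The nested-GTP test is the "encapsulation protection" control: a UE that wraps its own GTP header inside user data must never have it decapsulated a second time by the gateway.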
  41. IP Routing (Defences, slide 53)
     • Architecture design and routing in the core is complex
     • Getting it right is critical to security
     • We have seen issues with this
     • This must be tested before an environment is deployed
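An eNodeB sitting in a public location only needs to reach the MME (S1AP over SCTP) and the Serving Gateway (GTP-U over UDP), plus its neighbour eNodeBs for X2AP; anything else visible from the eNB subnet is a routing or filtering defect of the kind the slide says must be found before deployment. The audit below is an added example for this page, not from the talk: it classifies constructed flow records against that minimal reachability policy. The subnets, core addresses and flows are invented; the port numbers are the IANA assignments for S1AP (SCTP/36412), X2AP (SCTP/36422), GTP-U (UDP/2152) and Diameter (TCP/3868).

```python
"""Audit flows from an eNodeB site against the few core services an eNB
actually needs.  Added example, not from the talk; addresses, subnets and
flow records are constructed.  Ports are the IANA assignments."""
import ipaddress

ENB_NET = ipaddress.IPv4Network("10.0.0.0/24")   # constructed eNodeB site range
CORE_ROLES = {                                   # constructed EPC addressing
    "10.0.2.1": "mme",
    "10.0.1.1": "sgw",
    "10.0.3.1": "hss",
    "10.0.4.1": "mgmt",
}
# (role, protocol, destination port) an eNB legitimately talks to.
NEEDED = {
    ("mme", "sctp", 36412),   # S1-MME: S1AP signalling
    ("sgw", "udp", 2152),     # S1-U: GTP-U user data
}
X2 = ("sctp", 36422)          # X2AP between eNodeBs


def classify(flow):
    """'ok' for an expected flow, 'ignore' if not eNB-originated, else a flag."""
    src = ipaddress.IPv4Address(flow["src"])
    dst = ipaddress.IPv4Address(flow["dst"])
    if src not in ENB_NET:
        return "ignore"
    proto, port = flow["proto"], flow["dport"]
    if dst in ENB_NET:
        return "ok" if (proto, port) == X2 else "flag: eNB-to-eNB traffic that is not X2AP"
    role = CORE_ROLES.get(str(dst), "unknown")
    if (role, proto, port) in NEEDED:
        return "ok"
    return "flag: eNB reaching %s on %s/%d" % (role, proto, port)


def audit(flows):
    """Return the (flow, verdict) pairs that violate the minimal policy."""
    return [(f, v) for f in flows for v in [classify(f)] if v.startswith("flag")]


# Constructed flow records (e.g. from NetFlow or a firewall log) as dicts.
FLOWS = [
    {"src": "10.0.0.10", "dst": "10.0.2.1", "proto": "sctp", "dport": 36412},  # S1-MME, ok
    {"src": "10.0.0.10", "dst": "10.0.1.1", "proto": "udp", "dport": 2152},    # S1-U, ok
    {"src": "10.0.0.10", "dst": "10.0.0.11", "proto": "sctp", "dport": 36422}, # X2, ok
    {"src": "10.0.0.10", "dst": "10.0.3.1", "proto": "tcp", "dport": 3868},    # eNB to HSS Diameter
    {"src": "10.0.0.10", "dst": "10.0.2.1", "proto": "tcp", "dport": 22},      # SSH to the MME
    {"src": "10.0.0.10", "dst": "10.0.0.11", "proto": "tcp", "dport": 80},     # web to another eNB
    {"src": "10.0.2.1", "dst": "10.0.3.1", "proto": "tcp", "dport": 3868},     # MME to HSS, not eNB-originated
]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(flow["src"], "->", flow["dst"], flow["proto"], flow["dport"], verdict)
```

Three of the constructed flows are flagged: the eNB reaching the HSS, SSH on the MME, and non-X2 traffic between eNodeBs. Running the same policy against the deployed routing and ACLs, from an eNB site, is the test the slide calls for.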
  42. IPSec (Defences, slide 54)
     • If correctly implemented, will provide Confidentiality and Integrity protection
     • Can also provide authentication between components
     • Keeping the keys secure is not trivial and not tested
  43. Architecture Consideration (Defences, slide 55)
     [Diagram: EPC containing eNodeB, MME, HSS, Serving Gateway, PDN Gateway, EPC Switch and Internet Gateway, with the Internet outside.]
  44. Conclusion 1 (slide 57)
     • There are 3 key protective controls that should be tested within LTE environments:
       • Policies and rules in the Unified/Consolidated Gateway
       • The implementation of IPSec between all back-end components
       • A back-end IP network with well-designed routing and filtering
  45. Conclusion 2 (slide 58)
     • Despite fears from the use of IP in 4G, LTE will improve security if implemented correctly
     • The 3 key controls must be correctly implemented
     • Testing must be completed for validation
     • Continued scrutiny is required
     • Legacy systems may be the weakest link
  46. Conclusion 3 (slide 59)
     • Protecting key material used for IPSec is not trivial
     • The security model for IPSec needs careful consideration
     • Operational security processes are also important
     • Home eNodeB security is a challenge
  47. Conclusion 4 (slide 60)
     • More air interface testing is needed
     • Will need co-operation from vendors/operators
     • “Open” testing tools will need significant development effort
     • Still lower-hanging fruit if support for legacy wireless standards remains