Practical security testing for lte networks

Practical Security Testing for LTE Networks BlackHat Abu Dhabi December 2012 Martyn Ruks & Nils

1 06/11/2012

Today’s Talk

• Intro to LTE Networks

• Technical Details

• Attacks and Testing

• Defences

• Conclusions

06/11/2012 2

06/11/2012 3

Intro to LTE Networks

A Brief History Lesson

• 1G – 1980s Analogue technology (AMPS, TACS)

• 2G – 1990s Move to digital (GSM,GPRS,EDGE)

• 3G – 2000s Improved data services (UMTS, HSPA)

• 4G – 2010s High bandwidth data (LTE Advanced)

06/11/2012 4

Mobile Networks

Historic Vulnerabilities

• Older networks have been the subject of practical and theoretical attacks

• Examples include:

• Ability to man in the middle

• No perfect forward secrecy

• No encryption on the back-end

• LTE Advanced addresses previous attacks

06/11/2012 5

Mobile Networks

Why is LTE Important?

• We have lived with 3G for a long time

• 4G provides high speed mobile data services for customers

• High level of scalability on the back-end for operators

06/11/2012 6

Mobile Networks

06/11/2012 7

Technical Details

06/11/2012 8

NodeB Core

Network

Internet Base Station User Back-End

Conceptual View 3G

RNC

06/11/2012 9

Network Overview 3G

UE

NB

NB SGSN GGSN Internet

HSS AuC

Core Network

RNC

06/11/2012 10

eNodeB

EPC

Internet Base Station User Back-End

Conceptual View 4G

06/11/2012 11

Network Overview 4G

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

06/11/2012 12

The Components

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

User Equipment (UE)

• What the customer uses to connect

• Mainly dongles and hubs at present

• Smartphones and tablets will follow (already lots in US)

06/11/2012 13

The Components

06/11/2012 14

The Components

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

evolved Node B (eNB)

• The bridge between wired and wireless networks

• Forwards signalling traffic to the MME

• Passes data traffic to the PDN/Serving Gateway

06/11/2012 15

The Components

06/11/2012 16

The Components

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

Evolved Packet Core (EPC)

• The back-end core network

• Manages access to data services

• Uses IP for all communications

• Divided into several components

06/11/2012 17

The Components

06/11/2012 18

The Components

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

Mobile Management Entity (MME)

• Termination point for UE Signalling

• Handles authentication

events

• Key component in back-end communications

06/11/2012 19

The Components

06/11/2012 20

The Components

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

Home Subscriber Service (HSS)

• Contains a user’s subscription data (profile)

• Typically includes the Authentication Centre (AuC)

• Where key material is stored

06/11/2012 21

The Components

06/11/2012 22

The Components

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

PDN and Serving Gateways (PGw and SGw)

• Handles data traffic from UE

• Can be consolidated into a

single device

• Responsible for traffic routing

within the back-end

• Implements important filtering controls

06/11/2012 23

The Components

06/11/2012 24

The Components

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

Policy Charging and Rules Function (PCRF)

• Does what it says on the tin

• Integrated into the network core

• Allows operator to perform bandwidth shaping

06/11/2012 25

The Components

06/11/2012 26

The Components

UE HeNB MME

SGw PGw PCRF Internet

HSS

EPC

Home eNB (HeNB)

• The “FemtoCell” of LTE

• An eNodeB within your home

• Talks to the MME and PDN/Serving Gateway

• Expected to arrive much later in 4G rollout

06/11/2012 27

The Components

06/11/2012 28

Control and User Planes

Network Overview

06/11/2012 29

The Protocols

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

Radio Protocols (RRC, PDCP, RLC)

• These all terminate at the eNodeB

• RRC is only used on the control plane

• Wireless user and control data

is encrypted (some exceptions)

• Signalling data can also be encrypted end-to-end

06/11/2012 30

RRC

PDCP

RLC

The Protocols

06/11/2012 31

The Protocols

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

Internet Protocol (IP)

• Used by all back-end comms

• All user data uses it

• Supports both IPv4 and IPv6

• Important to get routing and filtering correct

• Common UDP and TCP services in use

06/11/2012 32

The Protocols

IP

06/11/2012 33

The Protocols

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

The Protocols - SCTP

• Another protocol on top of IP

• Robust session handling

• Bi-directional sessions

• Sequence numbers very important

06/11/2012 34

The Protocols

IP

SCTP

06/11/2012 35

The Protocols

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

The Protocols – GTP-U

• Runs on top of UDP and IP

• One of two variants of GTP used in LTE

• This transports user IP data

• Pair of sessions are used identified by Tunnel-ID

06/11/2012 36

The Protocols

IP

GTP-U

UDP

06/11/2012 37

The Protocols

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

The Protocols – GTP-C

• Runs on top of UDP and IP

• The other variant of GTP used in LTE

• Used for back-end data

• Should not be used by the MME in pure 4G

06/11/2012 38

The Protocols

IP

GTP-C

UDP

06/11/2012 39

The Protocols

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

S1AP

• Runs on top of SCTP and IP

• An ASN.1 protocol

• Transports UE signalling

• UE sessions distinguished by a pair of IDs

06/11/2012 40

The Protocols

IP

S1AP

SCTP

06/11/2012 41

The Protocols

UE

eNB

eNB

MME

SGw PGw PCRF Internet

HSS

EPC

X2AP

• Very similar to S1AP

• Used between eNodeBs for signalling and handovers

• Runs over of SCTP and IP and is also an ASN.1 protocol

06/11/2012 42

The Protocols

IP

X2AP

SCTP

06/11/2012 43

Potential Attacks

What Attacks are Possible

• Wireless attacks and the baseband

• Attacking the EPC from UE

• Attacking other UE

• Plugging into the Back-end

• Physical attacks (HeNB)

06/11/2012 44

Targets for Testing

Wireless Attacks and the Baseband

• A DIY kit for attacking wireless protocols is now closer (USRP based)

• Best chance is using commercial

kit to get a head-start

• Not the easiest thing to attack

06/11/2012 45

Targets for Testing

Attacking the EPC from UE

• Everything in the back-end is IP

• You pay someone to give you IP access to the environment

• Easiest place to start

06/11/2012 46

Targets for Testing

Attacking other UE

• Other wirelessly connected devices are close

• May be less protection if seen as a local network

• The gateway may enforce segregation between UE

06/11/2012 47

Targets for Testing

Wired network attacks

• eNodeBs will be in public locations

• They need visibility of components in the EPC

• Very easy to communicate with an IP network

• Everything is potentially in scope

06/11/2012 48

Targets for Testing

Physical Attacks (eNB)

• Plugging into management interfaces is most likely attack, except …

• A Home eNodeB is a different story

• Hopefully we have learned from the Vodafone Femto-Cell Attack

06/11/2012 49

Targets for Testing

06/11/2012 50

What you can Test

As a Wirelessly Connected User

• Visibility of the back-end from UE

• Visibility of other UEs

• Testing controls enforced by Gateway

• Spoofed source addresses

• GTP Encapsulation (Control and User)

06/11/2012 51

Tests to Run

From the Back-End

• Ability to attack MME (signalling)

• Robustness of stacks (eg SCTP) • Fuzzing

• Sequence number generation

• Testing management interfaces • Web consoles

• SSH

• Proprietary protocols

06/11/2012 52

Tests to Run

Challenges

• Spoofing UE authentication is difficult

• Messing with radio layers is hard

• ASN.1 protocols are a pain

• Injecting into SCTP is tough

• Easy to break back-end communications

06/11/2012 53

Tests to Run

S1AP Protocol

• By default no authentication to the service

• Contains eNodeB data and UE Signalling

• UE Signalling can make use of encryption and integrity checking

• If no UE encryption is used attacks against connected handsets become possible

06/11/2012 54

Tests to Run

06/11/2012 55

Tests to Run

eNB UE MME

S1AP NAS

NAS

S1AP and Signalling

06/11/2012 56

Tests to Run

eNB UE

MME

S1AP and Signalling

Spoofed UE

Spoofed eNB

06/11/2012 57

Tests to Run

eNB MME

S1AP and Signalling

S1 Setup

S1 Setup Response

Attach Request

Authentication Request

Authentication Response

Security Mode

GTP Protocol

• Gateway can handle multiple encapsulations

• It uses UDP so easy to have fun with

• The gateway needs to enforce a number of controls that stop attacks

06/11/2012 58

Tests to Run

GTP and User Data

06/11/2012 59

Tests to Run

eNB UE SGw

GTP IP

IP

Internet

IP

GTP and User Data

06/11/2012 60

Tests to Run

UE

IP

UDP

GTP

IP

IP

UDP

GTP

eNodeB

GTP and User Data

06/11/2012 61

Tests to Run

eNB UE SGw Internet

IP GTP

GTP IP GTP

IP GTP

GTP and User Data

06/11/2012 62

Tests to Run

eNB UE SGw

Source IP Address (IP)

Invalid IP Protocols (IP)

GTP Tunnel ID (GTP)

Source IP Address (GTP)

Destination IP Address (IP)

PGw

Old Skool

• Everything you already know can be applied to testing the back-end

• Its an IP network and has routers and switches

• There are management services running

06/11/2012 63

Tests to Run

06/11/2012 64

Defences

The Multi-Layered Approach

• Get the IP network design right

• Protect the IP traffic in transit

• Enforce controls in the Gateway

• Ensure UE and HeNBs are secure

• Monitoring and Response

• Testing

06/11/2012 65

Defences

Unified/Consolidated Gateway

• The “Gateway” enforces some very important controls:

• Anti-spoofing

• Encapsulation protection

• Device to device Routing

• Billing and charging of users

06/11/2012 66

Defences

IP Routing

• Architecture design and routing in the core is complex

• Getting it right is critical to security

• We have seen issues with this

• This must be tested before an environment is deployed

06/11/2012 67

Defences

IPSec

• If correctly implemented will provide Confidentiality and Integrity protection

• Can also provide authentication between components

• Keeping the keys secure is not trivial and not tested

06/11/2012 68

Defences

Architecture Consideration

06/11/2012 69

EPC

Internet

eNodeB

MME HSS

Serving Gateway PDN Gateway

Internet

Gateway

EPC Switch

Defences

06/11/2012 70

Conclusions

• There are 3 key protective controls that should be tested within LTE environments

• Policies and rules in the Unified/Consolidated Gateway

• The implementation of IPSec between all back-end components

• A back-end IP network with well-designed routing and filtering

06/11/2012 71

Conclusion 1

• Despite fears from the use of IP in 4G, LTE will improve security if implemented correctly

• The 3 key controls must be correctly implemented

• Testing must be completed for validation

• Continued scrutiny is required

• Legacy systems may be the weakest link

06/11/2012 72

Conclusion 2

• Protecting key material used for IPSec is not trivial

• The security model for IPSec needs careful consideration

• Operational security processes are also important

• Home eNodeB security is a challenge

06/11/2012 73

Conclusion 3

• More air interface testing is needed

• Will need co-operation from vendors/operators

• “Open” testing tools will need significant development effort

• Still lower hanging fruit if support for legacy wireless standards remain

06/11/2012 74

Conclusion 4

06/11/2012 75

Questions

@mwrinfosecurity @mwrlabs