Toolkit for vulnerability assessment in 3G networks

Kameswari Kotapati, The Pennsylvania State University, University Park PA 16802

Source: winslab.cse.lehigh.edu/workshop2/presentation/kkotapati-workshop.pdf



Contents

• Motivation
• Solution Overview
• Methodology Overview
• 3G Attack Graph
• Attack Scenario
• SDL
• Toolkit Architecture
• Algorithms
• Attack Categories
• Sample results
• Issues and Future Work

Research Area: 3G Network Vulnerability Assessment

Motivation

• Previously, telecom network (2G, 3G) signaling and control (SS7) was closed; future networks are not.
• Trend
  • Telecom networks are moving toward IP for control and services
  • Open interfaces for service introduction
  • Interworking between networks required

Open interfaces ⇒ cross-network services ⇒ cross-infrastructure cyber attacks ⇒ increased vulnerability of 3G data and 3G servers

Interworking Architecture ⇒ Increased Vulnerability

Evolution of Wireless Networks

[Figure: evolution from 2G Cellular (Home Location Registers, Mobile Switching Centers, closed control network (SS7)) to 3G Cellular/All-IP (Home Subscriber Servers, Internet Telephony Servers, IP Network, Media Gateways, Next Generation Servers) to IP Services]

• 2G Cellular: closed network; attacks are possible, but rare
• 3G Cellular/All-IP: networks are now opening up; usage of IP opens up possible attacks; services still somewhat limited
• IP Services: two new dangers: a very open environment, and a passage into the SS7 network

Realistic Future Network Environment

[Figure: interworking of CDMA2000 (circuit access, ANSI-41 core), UMTS (circuit access, UMTS core), 3G-IP / UMTS-IP (IP access, IP core, SIP server) and WI-FI/802.16 networks, each with base stations (BS), MSC/VLR, HLR and SIP servers; services in the all-IP domain; interworking between networks]

Cross Infrastructure Cyber Attacks

• Cross infrastructure cyber attacks may be defined as attacks on the wireless telecommunication network from the IP domain.
• Cascading effect may be defined as propagation of the attack across network elements.

[Figure: an attack enters at an entry point in the IP network and propagates through servers to a 3G entity in the 3G network]

Motivation

• Open interfaces
• Increased usage
• Heavy reliance

3G Networks = Attractive targets

Need: 3G Network Vulnerability Assessment Techniques

Solution Overview: Cellular Network Vulnerability Assessment Toolkit (CAT)

Why not pre-existing tools?

• They find physical configuration vulnerabilities, but every 3G deployment has a different physical configuration.
• They do not identify cascading effects.
• They lack end-to-end vulnerability assessment across network components.

Why not manual vulnerability assessment?

• Complexity of the 3G network
  • Each service comprises 100's of servers.
  • Each server comprises millions of state machines.
• Hence not feasible

[Figure: an attack from an application in the IP network passes through a gateway into the 3G network, with effects cascading across the App Server, MSC/VLR, GMSC and HLR]

Cellular Network Vulnerability Assessment Toolkit (CAT)

• Goal: generate attack graphs that capture attack propagation in 3G networks
• Output
  • attack graph: progression across the network
  • traces: seed propagation through the network and impact on services
• User input: 3G data parameters
  • seeds: data that is corrupted by an attacker
  • goals: data that is derived incorrectly
• System input
  • Freely available 3GPP technical telecommunication specifications written in Specification and Description Language (SDL) (http://www.3gpp.org)

Methodology

Specification and Description Language (SDL)

• Graphical language
• Developed by the International Telecommunication Union (ITU).
• Designated by major standards bodies as the formal description language for specifying the functional behavior of telecommunication systems.
• Object-oriented.
• Specification of event-driven, real-time, concurrent distributed systems interacting with discrete signals.
• SDL specifications do not indicate an implementation structure.

[Fig a: SDL graphical representative syntax: 1. State Name, 2. Input Signal Name, 3. Transition Action, 4. Output Signal Name, 5. State Name]

[Fig b: SDL fragment of process Provide Roaming Number in the VLR: states Idle and 6. Waiting For Roaming #; input signal Provide Roaming Number; transition actions: convert CSBC to basic service, IMSI known in VLR, allocate MSRN, store compatibility information, store alerting pattern, create IMSI record, allocate LMSI; output signal Provide Roaming Number ACK]

SDL

Attack Scenario: Call Delivery Service

[Figure: message sequence among GMSC and HLR (home network), VLR and MSC (visiting network) and the air interface]

1. Initial Address Message (IAM)
2. Send Routing Info (SRI)
3. Provide Roaming Number (PRN)
4. Provide Roaming Number Ack (PRN_ACK)
5. Send Routing Info Ack (SRI_ACK)
6. Initial Address Message (IAM)
7. SIFIC
8. Page MS
9. Page

Architecture of CAT

[Fig a: overall architecture of CAT: telecommunication specifications (SDL) are loaded into the telecom database / SDL database and built into an integrated data structure; the analysis engine takes user input (seeds, goal) through the GUI and produces the attack graph output]

[Fig b: functional architecture: explore using CAT (forward, mid-point) → maximum view → prune → final view → output]

3G Attack Graph

• Nodes
  • Condition
  • Action
  • Goal
• Edges
  • Network transitions
  • Adversary transitions
• Tree number
  • Represents the tree to which a node belongs.
  • Nodes at a level with the same tree number represent AND nodes.

Algorithms

Algorithm Principles

• Condition nodes may be constructed if the seed occurs in the messages or actions.
• When the seed occurs in an incoming message and the corresponding 3G server: corruption spreads from the message to the block.
• When a seed occurs in a 3G server together with other seeds/goal: corruption spreads from the seed to the other seeds/goal.
• When the corrupt seed occurs in a 3G server and an outgoing message: corruption spreads from the block to the other block.

Sample result: Speech attack

Attack Classification

• 1-level indirect attacks: corruption of Seed1 leads to corruption of the Goal, hence reaching the Goal. (Seed1 → Goal)
• N-level indirect attacks: given any k seeds Seed1, Seed2, ..., Seedk and a Goal, corruption of Seed1 leads to corruption of some seed Seedi, and so on until the Goal is corrupt. (Seed1 → … → Seedi → Seedj → Seedn → … → Goal)
• Collaborative attack: a single seed cannot reach the Goal, but the corruption of multiple seeds allows the Goal to be reached, i.e. Seed1 & Seed2 → Goal
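The attack-graph nodes, the propagation principles and the attack categories above, as an added example that is not the toolkit's code: a forward exploration over a toy model of the deck's call-delivery scenario (GMSC, HLR, VLR and MSC exchanging SRI, PRN, PRN_ACK, SRI_ACK, IAM, SIFIC and Page MS). Which data item each message carries, what each action derives, the message directions and the AND dependency at the VLR are assumed expert input of the kind the deck says SDL lacks; adversary transitions are taken to be the seed injections and network transitions the propagation steps.

```python
from collections import deque

# Toy model of the deck's call-delivery scenario (added example, not CAT's code).
# Row: (block, incoming msg, items it carries, {derived: (mode, source items)}, outgoing msg, items it carries)
# Which item rides in which message and what each action derives is ASSUMED expert input,
# the augmentation the deck says SDL needs; "all" marks an AND node (every source needed).
MODEL = [
    ("GMSC", "IAM_in",  {"MSISDN"}, {},                                   "SRI",     {"MSISDN"}),
    ("HLR",  "SRI",     {"MSISDN"}, {"IMSI": ("any", {"MSISDN"})},        "PRN",     {"IMSI"}),
    ("VLR",  "PRN",     {"IMSI"},   {"MSRN": ("any", {"IMSI"})},          "PRN_ACK", {"MSRN"}),
    ("HLR",  "PRN_ACK", {"MSRN"},   {},                                   "SRI_ACK", {"MSRN"}),
    ("GMSC", "SRI_ACK", {"MSRN"},   {"ROUTE": ("any", {"MSRN"})},         "IAM",     {"ROUTE"}),
    ("MSC",  "IAM",     {"ROUTE"},  {},                                   "SIFIC",   {"ROUTE"}),
    ("VLR",  "SIFIC",   {"ROUTE"},  {"PAGE": ("all", {"ROUTE", "LMSI"})}, "Page MS", {"PAGE"}),
]

def propagate(seeds, model=MODEL):
    """Forward exploration: corrupt (block, item) pairs plus attack-graph edges (label, src, dst)."""
    corrupt, edges, work = set(seeds), [("adversary", None, s) for s in seeds], deque(seeds)
    def mark(src, dst, label):          # add a condition node once, remember how we got there
        if dst not in corrupt:
            corrupt.add(dst); edges.append((label, src, dst)); work.append(dst)
    while work:
        blk, item = work.popleft()
        for b, _, _, deps, out_msg, out_items in model:
            if b != blk: continue
            # Seed in a server together with data its action derives: corruption spreads to that data.
            for derived, (mode, srcs) in deps.items():
                have = {s for s in srcs if (b, s) in corrupt}
                if item in srcs and (have == srcs if mode == "all" else have):
                    mark((b, item), (b, derived), "action")
            # Corrupt item in a server and in its outgoing message: spreads to the receiving block.
            if item in out_items:
                for rb, rin, rin_items, *_ in model:
                    if rin == out_msg and item in rin_items:
                        mark((b, item), (rb, item), out_msg)
    return corrupt, edges

def classify(seeds, goal):
    """Deck's categories: 1-level, N-level (N data items changed on the path) or collaborative."""
    corrupt, edges = propagate(seeds)
    if goal not in corrupt: return "unreachable"
    if not any(goal in propagate([s])[0] for s in seeds): return "collaborative"
    parent = {dst: src for _, src, dst in edges}     # each node is discovered exactly once
    hops, node = 0, goal
    while parent.get(node) is not None:
        hops += node[1] != parent[node][1]            # count derivations, not message hops
        node = parent[node]
    return f"{hops}-level"
```

With a corrupt MSRN seeded in the VLR and the GMSC's routing decision as goal the path needs one derivation (1-level); seeding MSISDN at the GMSC reaches the same goal only through IMSI and MSRN (3-level); the VLR's paging decision is reached only when both ROUTE and LMSI are corrupt (collaborative).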

Issues with SDL

• Data links in messages
  • SDL may not explicitly show data relations in request/response pairs
• Data dependencies in actions
  • Details (input data → output data) of subroutines may not be specified
  • Relation between input and output data items may not be specified.

Future work

• SDL will be augmented with expert input to capture missing details.
• The process of deriving attack scenarios from attack graphs may be automated using expert systems and AI algorithms.