Practical Security Testing for LTE Networks
BlackHat Abu Dhabi, December 2012
Martyn Ruks & Nils
1 06/11/2012
Today’s Talk
• Intro to LTE Networks
• Technical Details
• Attacks and Testing
• Defences
• Conclusions
Intro to LTE Networks
A Brief History Lesson
• 1G – 1980s Analogue technology (AMPS, TACS)
• 2G – 1990s Move to digital (GSM,GPRS,EDGE)
• 3G – 2000s Improved data services (UMTS, HSPA)
• 4G – 2010s High bandwidth data (LTE Advanced)
Mobile Networks
Historic Vulnerabilities
• Older networks have been the subject of practical and theoretical attacks
• Examples include:
• Ability to man in the middle
• No perfect forward secrecy
• No encryption on the back-end
• LTE Advanced addresses previous attacks
Mobile Networks
Why is LTE Important?
• We have lived with 3G for a long time
• 4G provides high speed mobile data services for customers
• High level of scalability on the back-end for operators
Technical Details
[Diagram: Conceptual View 3G: User (UE), Base Station (NodeB and RNC), Back-End (Core Network), Internet]
Network Overview 3G
[Diagram: UE, NodeBs (NB), RNC, SGSN, GGSN and the Internet; the Core Network includes the HSS and AuC]
[Diagram: Conceptual View 4G: User (UE), Base Station (eNodeB), Back-End (EPC), Internet]
Network Overview 4G
[Diagram: UE, eNBs, and the EPC containing the MME, SGw, PGw, PCRF and HSS, connected to the Internet]
The Components
User Equipment (UE)
• What the customer uses to connect
• Mainly dongles and hubs at present
• Smartphones and tablets will follow (already lots in US)
The Components
Evolved Node B (eNB)
• The bridge between wired and wireless networks
• Forwards signalling traffic to the MME
• Passes data traffic to the PDN/Serving Gateway
The Components
Evolved Packet Core (EPC)
• The back-end core network
• Manages access to data services
• Uses IP for all communications
• Divided into several components
The Components
Mobility Management Entity (MME)
• Termination point for UE signalling
• Handles authentication events
• Key component in back-end communications
The Components
Home Subscriber Server (HSS)
• Contains a user’s subscription data (profile)
• Typically includes the Authentication Centre (AuC)
• Where key material is stored
The Components
PDN and Serving Gateways (PGw and SGw)
• Handle data traffic from the UE
• Can be consolidated into a single device
• Responsible for traffic routing within the back-end
• Implement important filtering controls
The Components
Policy Charging and Rules Function (PCRF)
• Does what it says on the tin
• Integrated into the network core
• Allows operator to perform bandwidth shaping
The Components
Home eNB (HeNB)
• The “FemtoCell” of LTE
• An eNodeB within your home
• Talks to the MME and PDN/Serving Gateway
• Expected to arrive much later in 4G rollout
[Diagram: Network Overview showing the Control and User Planes]
The Protocols
Radio Protocols (RRC, PDCP, RLC)
• These all terminate at the eNodeB
• RRC is only used on the control plane
• Wireless user and control data is encrypted (some exceptions)
• Signalling data can also be encrypted end-to-end
[Diagram: radio protocol stack: RRC, PDCP, RLC]
The Protocols
Internet Protocol (IP)
• Used by all back-end comms
• All user data uses it
• Supports both IPv4 and IPv6
• Important to get routing and filtering correct
• Common UDP and TCP services in use
[Diagram: protocol stack: IP]
The Protocols
The Protocols – SCTP
• Another protocol on top of IP
• Robust session handling
• Bi-directional sessions
• Sequence numbers are very important
[Diagram: protocol stack: SCTP over IP]
The Protocols
The Protocols – GTP-U
• Runs on top of UDP and IP
• One of two variants of GTP used in LTE
• This transports user IP data
• A pair of tunnels (one per direction) is used, each identified by a Tunnel-ID
[Diagram: protocol stack: GTP-U over UDP over IP]
The Protocols
The Protocols – GTP-C
• Runs on top of UDP and IP
• The other variant of GTP used in LTE
• Used for back-end data
• Should not be used by the MME in pure 4G
[Diagram: protocol stack: GTP-C over UDP over IP]
The Protocols
S1AP
• Runs on top of SCTP and IP
• An ASN.1 protocol
• Transports UE signalling
• UE sessions distinguished by a pair of IDs
[Diagram: protocol stack: S1AP over SCTP over IP]
The Protocols
X2AP
• Very similar to S1AP
• Used between eNodeBs for signalling and handovers
• Runs over SCTP and IP and is also an ASN.1 protocol
[Diagram: protocol stack: X2AP over SCTP over IP]
Potential Attacks
What Attacks are Possible
• Wireless attacks and the baseband
• Attacking the EPC from UE
• Attacking other UE
• Plugging into the Back-end
• Physical attacks (HeNB)
Targets for Testing
Wireless Attacks and the Baseband
• A DIY kit for attacking wireless protocols is now closer (USRP based)
• Best chance is using commercial kit to get a head-start
• Not the easiest thing to attack
Targets for Testing
Attacking the EPC from UE
• Everything in the back-end is IP
• You pay someone to give you IP access to the environment
• Easiest place to start
Targets for Testing
Attacking other UE
• Other wirelessly connected devices are close
• There may be less protection if they are seen as a local network
• The gateway may enforce segregation between UEs
Targets for Testing
Wired network attacks
• eNodeBs will be in public locations
• They need visibility of components in the EPC
• Very easy to communicate with an IP network
• Everything is potentially in scope
Targets for Testing
Physical Attacks (eNB)
• Plugging into management interfaces is the most likely attack, except …
• A Home eNodeB is a different story
• Hopefully we have learned from the Vodafone Femto-Cell Attack
What you can Test
As a Wirelessly Connected User
• Visibility of the back-end from UE
• Visibility of other UEs
• Testing controls enforced by Gateway
• Spoofed source addresses
• GTP Encapsulation (Control and User)
Tests to Run
From the Back-End
• Ability to attack MME (signalling)
• Robustness of stacks (e.g. SCTP)
• Fuzzing
• Sequence number generation
• Testing management interfaces
• Web consoles
• SSH
• Proprietary protocols
Tests to Run
Challenges
• Spoofing UE authentication is difficult
• Messing with radio layers is hard
• ASN.1 protocols are a pain
• Injecting into SCTP is tough
• Easy to break back-end communications
Tests to Run
S1AP Protocol
• By default there is no authentication to the service
• Contains eNodeB data and UE signalling
• UE signalling can make use of encryption and integrity checking
• If no UE encryption is used, attacks against connected handsets become possible
Tests to Run
S1AP and Signalling
[Diagram: NAS signalling runs between the UE and the MME; between the eNB and the MME it is carried inside S1AP]
Tests to Run
S1AP and Signalling
[Diagram: test positions: a spoofed UE facing the eNB, and a spoofed eNB facing the MME]
Tests to Run
S1AP and Signalling
[Diagram: message sequence between eNB and MME]
• S1 Setup
• S1 Setup Response
• Attach Request
• Authentication Request
• Authentication Response
• Security Mode
GTP Protocol
• The gateway can handle multiple encapsulations
• It uses UDP, so it is easy to have fun with
• The gateway needs to enforce a number of controls that stop attacks
Tests to Run
GTP and User Data
[Diagram: the UE's IP packets travel inside GTP between the eNB and the SGw, and as plain IP from the SGw to the Internet]
Tests to Run
GTP and User Data
[Diagram: encapsulation at the eNodeB: the UE's IP packet is wrapped in GTP, UDP and an outer IP header]
Tests to Run
GTP and User Data
[Diagram: GTP encapsulation test: the UE sends an IP packet that itself carries GTP, so the SGw receives GTP inside GTP and an inner GTP packet remains once the outer header is removed]
Tests to Run
GTP and User Data: checks the gateway (SGw/PGw) should apply to traffic arriving from the eNB
• Source IP Address (IP)
• Invalid IP Protocols (IP)
• GTP Tunnel ID (GTP)
• Source IP Address (GTP)
• Destination IP Address (IP)
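The gateway controls just listed, as an added example that is not part of the original talk or of any vendor's gateway code: a Python check that parses a GTP-U G-PDU (3GPP TS 29.281 header layout) and flags the Tunnel-ID, inner source address, IP protocol and GTP-in-GTP conditions. The expected TEID, the UE's assigned address and the allowed-protocol set are assumed policy inputs, and build_pdu only constructs sample packets for the check.

```python
import struct
import ipaddress

GTPU_PORT = 2152                   # GTP-U is carried over UDP port 2152
GTPU_G_PDU = 0xFF                  # G-PDU: message type that carries user IP data
ALLOWED_INNER_PROTOS = {1, 6, 17}  # ICMP, TCP, UDP from a UE; anything else is suspect (assumed policy)

def parse_gtpu(pdu):
    """Parse a GTPv1-U header; returns (message type, TEID, encapsulated payload)."""
    if len(pdu) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pdu[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not a GTPv1-U PDU")
    hdr_len = 12 if flags & 0x07 else 8   # E/S/PN bits add 4 optional bytes
    if flags & 0x04:
        raise ValueError("extension headers not handled in this example")
    return msg_type, teid, pdu[hdr_len:8 + length]

def check_uplink_pdu(pdu, expected_teid, ue_ip):
    """Gateway-style policy check on one uplink G-PDU from an eNodeB.
    Returns the list of violated controls; an empty list means the packet passes."""
    findings = []
    msg_type, teid, inner = parse_gtpu(pdu)
    if msg_type != GTPU_G_PDU:
        return ["non-gpdu-on-user-plane"]
    if teid != expected_teid:               # control: GTP Tunnel ID
        findings.append("teid-mismatch")
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return findings + ["inner-not-ipv4"]
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    if ipaddress.IPv4Address(inner[12:16]) != ipaddress.IPv4Address(ue_ip):
        findings.append("spoofed-source")   # control: inner source IP must be the UE's own
    if proto not in ALLOWED_INNER_PROTOS:
        findings.append("invalid-ip-protocol")
    if proto == 17 and len(inner) >= ihl + 4:
        dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
        if dport == GTPU_PORT:              # control: no GTP-in-GTP encapsulation
            findings.append("gtp-in-gtp")
    return findings

def build_pdu(teid, src_ip, dst_ip, proto, l4=b""):
    """Constructed test data: a G-PDU wrapping a minimal IPv4 packet (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed) + l4
    return struct.pack("!BBHI", 0x30, GTPU_G_PDU, len(ip), teid) + ip
```

A real gateway would additionally check the outer (transport) source address against the eNodeB it expects on that tunnel, which is the "Source IP Address (GTP)" control above.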
Old Skool
• Everything you already know can be applied to testing the back-end
• It's an IP network and has routers and switches
• There are management services running
Defences
The Multi-Layered Approach
• Get the IP network design right
• Protect the IP traffic in transit
• Enforce controls in the Gateway
• Ensure UE and HeNBs are secure
• Monitoring and Response
• Testing
Defences
Unified/Consolidated Gateway
• The “Gateway” enforces some very important controls:
• Anti-spoofing
• Encapsulation protection
• Device to device Routing
• Billing and charging of users
Defences
IP Routing
• Architecture design and routing in the core is complex
• Getting it right is critical to security
• We have seen issues with this
• This must be tested before an environment is deployed
Defences
IPSec
• If correctly implemented, it will provide Confidentiality and Integrity protection
• Can also provide authentication between components
• Keeping the keys secure is not trivial and is not tested
Defences
Architecture Consideration
[Diagram: the eNodeB reaches the EPC through an EPC Switch; the EPC contains the MME, HSS, Serving Gateway and PDN Gateway, and an Internet Gateway sits between the EPC and the Internet]
Conclusions
• There are 3 key protective controls that should be tested within LTE environments
• Policies and rules in the Unified/Consolidated Gateway
• The implementation of IPSec between all back-end components
• A back-end IP network with well-designed routing and filtering
Conclusion 1
• Despite fears over the use of IP in 4G, LTE will improve security if implemented correctly
• The 3 key controls must be correctly implemented
• Testing must be completed for validation
• Continued scrutiny is required
• Legacy systems may be the weakest link
Conclusion 2
• Protecting key material used for IPSec is not trivial
• The security model for IPSec needs careful consideration
• Operational security processes are also important
• Home eNodeB security is a challenge
Conclusion 3
• More air interface testing is needed
• Will need co-operation from vendors/operators
• “Open” testing tools will need significant development effort
• There is still lower-hanging fruit if support for legacy wireless standards remains
Conclusion 4
Questions
@mwrinfosecurity @mwrlabs