SlideShare una empresa de Scribd logo

Philippe Langlois - Hacking HLR HSS and MME core network elements

P
P1Security

Hacking HLR HSS and MME Core Network Elements Slides of HITB2013 Amsterdam Nederlands from Philippe Langlois.

TecnologíaEmpresariales
1 de 119
Descargar para leer sin conexión
LTE  Pwnage:  Hacking  HLR/HSS  and   MME  Core  Network  Elements   P1  Security   1
LTE  ENVIRONMENT   2
LTE  Network  Overview   3
Corporate  &  Mobile  Data  risk  increased   •  LTE  from  aGackers  perspecHve   •  All  IP  –  always  on  –  always  vulnerable?   –  Spear-­‐Phishing   –  Botnets  &  Malware   –  Flooding   –  Trojan  &  Backdoors   •  IPv6  renders  NAT  protecHon  inefficient   •  Split  Handshake  TCP  aGacks  prevents  IPS  and   AnHvirus   •  Very  familiar  architecture  for  aGackers:  ATCA,  Linux   •  Intricate  and  new  protocols:  Diameter,  S1,  X2,  GTP   4
2G  3G  to  LTE:  Reality  and  Legacy   2G   3G   LTE   BTS   Node  B   eNode  B   BSC   merged  into  Node  B   merged  into  eNode  B   MSC  /  VLR   RNC   MME,  MSC  Proxy   HLR   HLR,  IMS  HSS,  HE   LTE  SAE  HSS,  SDR/SDM   STP   STP,  SG   Legacy  STP   GGSN   GGSN   PDN  GW   SGSN   SGSN   MME/SGW   IN   IN/PCRF   PCRF   RAN  Firewall   RAN  Firewall   SeGW   5
User  data  content:  LTE  User  Plane   6
LTE  Network  AGack  Surface   •  Full  IP  only?   –  No:  full  IP  double  exposure   •  Packets  (PS  Domain)     –  2x  aGack  surface   •  GTP  sHll  present   •  S1AP/X2AP  new   •  Circuits  (CS  Domain)   –  2x  aGack  surface   •  SIGTRAN  &  SS7  will  stay  for  many  years   •  IMS  &  Diameter   7
3G  and  LTE  together   RAN   EPC   8
CSFB  vs.  VOLTE  vulnerability  aGack   surface   •  CSFB   –  CS  Fall  Back  from  4G  to  3G   –  Past  is  present   –  SS7  and  SIGTRAN  stack  vulnerabiliHes  (DoS,  spoof,  …)   •  VOLTE   –  Whole  new  aGack  surface   –  New  APN,  new  network  to  hack,  new  servers,     –  Closer  to  the  Core  Network  ==  more  serious  vulns   –  IMS  (CSCF  =  SIP  server,  DNS,  …)     •  Standard?  No…   9
ISUP  injecHon  in  SIP  through  VOLTE   Yes,  SIP…  known…  but…   Internet  SIP  +  SS7  ISUP  ==  SIP-­‐I  and  SIP-­‐T  ==  ISUP  InjecHon  !     •  Remote Core Network DoS •  SS7 compromise •  External signaling injection •  Spoofing of ISUP messages •  Fake billing •  Ouch!
11
CSFB  AGack  surface  through  MSC  Proxy   and  SS7  +  SIGTRAN   •  All  SIGTRAN  aGack  surface  exposed   •  All  SS7  aGack  surface  exposed   •  Most  dangerous:   –  Logical  Denial  of  Service  aGacks   •  SSP-­‐based  SCCP  DoS  (P1  CVID#480)   •  TFP-­‐based  SS7  DoS  (P1  CVID#481)   –  Equipment  Crash/Denial  of  Service  aGacks   •  Ericsson  MSC  Crash  DoS  (P1  VID#330)   •  NSN  HLR  Crash  DoS  (P1  VID#148)   •  Ericsson  STP  Crash  DoS  (P1  VID#187)   12
P1vid#148 - https://saas.p1sec.com/vulns/148 NSN  NGHLR  remote  Denial  of  Service  caused  by   fragile  SS7  stack   Severity Critical Description NGHLR SS7 stack software is not robust and suffers from Remote Denial of Service. Enables any person sending malicious SCCP traffic to the HLR to crash it. This includes the whole Impact international SS7 network as HLRs need always to be globally reachable. •  Reliability  for  telco   –  Ability  to  cope  with  X  million  of  requests   –  Not  Ability  to  cope  with  malformed  traffic  
P1vid#145 - https://saas.p1sec.com/vulns/145 GSM  MAP  primiHve  MAP_FORWARD_ACCESS_SIGNALLING   enables  RAN  signaling  injecHon   Severity Medium Spoofed   This GSM MAP MSU "MAP_FORWARD_ACCESS_SIG Description NALLING" forwards any content to the Radio Access Network Normal   (RAN). The result is that some external entities may send or spoof MAP_FORWARD_ACCESS_SIGN Impact ALLING MSUs to target MSC GTs and have the vulnerable MSCs to inject this signaling into the radio network (typically RANAP). •  Spoof  and  inject  radio  signaling   •  As  if  it  was  coming  from  Radio  Network  
P1vid#213 - https://saas.p1sec.com/vulns/213 Fun  AnH-­‐forensics   •  Same  aGack  as  VID#187  “   •  Also  crash  Ericsson  traffic  monitoring  log  analysis   forensic  tools  (P1  VKD  VID#213)   •  Code  sharing  between  enforcement  and  forensic   tools   15
3G  and  LTE  together   RAN   EPC   16
Peer  to  Peer  Radio  Access  Network   •  X2AP   –  eNodeB’s   –  Peer  to  Peer   •  TranslaHon   –  Every  base  staHon  can  talk  to  every  other   –  Network  aGack  surface  increase   –  Total  spread  into  the  RAN  network   •  Operator-­‐wide  L2  network   –  L2  aGacks,  less  defense  in  depth,  scanning  only  blocked  by   size  of  network   –  Did  GTP  disappear?  No   17
User  data  btw  eNBs:  LTE  User  Plane   18
LTE  RAN  Overview   Evolved Packet Network (EPC) MME SGW Mul OSS-RC SeGW LTE RAN S1 CP S1 UP IP/Ethernet transport Mul S1 X2 Mul S1 X2 Mul S1 X2 Typically a common physical connection ! 19
Pwning  OSS:     L2  network  mistakes  always  happen   •  Can’t  catch  it  with  mulHple  overlapping  /8   networks:  automate!   •  From  any  eNodeB  to  the  NMS   •  From  any  eNodeB  to  any  eNodeB   –  You  can  bet  on  insecure  provisioning   •  American  example  &  Remote  misconfiguraHon   20
eNodeB  Hardware  AGacks   Ericsson RBS 6602 DUS (2G+3G+4G) & DUL (4G) Radio Uplink to DWDM / Optical net Local Ethernet ports (not TDM anymore) Hardware (in)security system 21
LTE:  Equipment  AGack  surface  increase   •  Diameter  (New)   –  Added  surface   –  New  code,  maturity  in  quesHon   –  Very  few  commercial  fuzzers  support  it   –  Even  less  really  trigger  bugs  in  Diameter  (depth  pbm)   •  S1/X2AP  (New)   –  GTP  +  MAP  within  two  completely  new  protocols   –  With  encapsulaHon  of  user  traffic  (Non  Access  Stratum   protocol)   •  What  could  possibly  go  wrong?   22
23
24
Diameter  audit/fuzzing  problem   25
Auditor  bias  #1:     Open  standards  doesn't  mean  vision   •  Diameter   –  Nearly  every  parameter  is  opHonal   •  Result   –  Nobody  knows  what  is  a  valid  combinaHon  …   •  To  test  /  fuzz  /  inject   •  Combinatorial  explosion   –  Sequence  /  Dialogue  /  Flow   –  AVP  combinaHon   –  AVP  values   –  Fuzzed  parameter   •  Even  manufacturer  don’t  know  how  to  successfully   instrument  the  Device  Under  Test   •  Fuzzer  Support  is  not  Fuzzer  successful  triggering   26
Auditor  bias  #2:  Fuzzing  is  as  deep  as   fuzzer  goes   •  And  fuzzer  never  go  deep  enough   –  Commercial  fuzzer   0 trigger/1000 iteration! –  Standard  own  fuzzer   13 triggers/1000 iterations! ! •  Need  target-­‐specific  development   –  Customized  own  fuzzer:     85 triggers/1000 iterations! 27
LTE:  New  risk  with  Diameter   •  Diameter  informaHon   network  disseminaHon   •  Diameter  awesomeness   –  distribuHon/centralizaHon   –  its  own  evil  side   •  Present  in  many  database   –  HSS,  SDM/SDR,  CUD     •  The  goal  was  to  centralize   •  The  result  is  one  more   database   28
LTE  Huawei  Specific   •  USN  =  SGSN  +  MME   •  UGW  =  SeGW  +  SGW  +  PDN  GW  /  PGW   29
Pwning  LTE  HSS:     C++  SQL  InjecHon  everywhere   30
LTE  HSS  Pwning  methodology   •  OSS  is  considered  Core   •  It  is  accessible  by  eNodeBs   –  SomeHme:  Network  filtering  mistakes   –  Osen:  Allowed  for  Provisionning   •  OSS  can  connect  to  HSS   –  HSS  exports  too  many  services   –  Mux/Tunnel  kind  of    thinking   •  one  port  ==  many  services   31
LTE  EPC  funcHonal  plane,  no  OAM   32
Add  OAM:  complexity  explosion   33
Auditor  bias  #3:     Manual  vision  is  always  incomplete   •  Need  some  automaHon   •  200  APNs  *  16  million  IPs  ==  need  to  have   dedicated  scanner   –  Each  valid  GTP  tunnel  is  a  new  16  millions  IPs  to  scan   –  Address  space  explosion   •  You  CANNOT  do  it  manually   –  You  CANNOT  do  it  without  specific  scanners   34
Pwning  MME:  Hardcoded  encrypHon  keys   P1 VKB CVID#485 DES… Hardcoded keys everywhere… 35
Demo   36
Legacy  PS  Interfaces  of  interest  to  LTE   •  Gi  :  Interface  from  GGSN  to  Internet   •  Gn  :  Interface  between  SGSN  and  other  SGSN  and   (internal)  GGSN   •  Gp  :  Interface  between  Internal  SGSN  and  external   GGSN  (GRX  used  here)   37
eDNS  vs  iDNS   •  Leaks  to  Internet   •  Passive  DNSmon   •  Leaks  to  GPRS   •  Leaks  to  3G  data   •  Leaks  to  LTE  EPC  
Legacy  GPRS  /  UMTS   •  GRX   •  TLD  /  Domain  .gprs   •  Quite  monolithic:   –  APN   –  RAI   •  rai<RAI>.  mnc08.  mcc204.gprs   •  Only  APNs  and  “some”  network  element   39
IMS  DNS   •  3gppnetwork.org   •  Supports  and  lists  all  Network  Element   –  LAC   –  RAC   •  Examples   –  rac<RAC>.lac<LAC>.mnc08.mcc204.gprs   40
LTE  EPC  DNS   •  Same  as  IMS  DNS  but  extended   •  Supports  and  lists  most  SAE  EPC  Network  Elements   –  MME   –  SGW   •  Examples   mmec<MMEC>.mmegi<MMEGI>.mme.epc.mnc99.mcc208.3gppnetwork.org!   41
Pwning  from  LTE  mobile   •  Infrastructure  Reverse  path  protecHon   •  LTE  Mobile  data  access   –  RFC1918  leaks  (SomeHme)   –  Datacom  IP  infrastructure  access  (Now  more  osen)   NAT CGNAT 42
Pwning  from  external:     Direct  MML  access  from  Internet   •  Pwning  from  external  without  any  reverse  path   trick.   •  Shodan  doesn’t  work  on  these   •  MML  aGack  surface  exposed   NAT CGNAT 43
Auditor  bias  #4:     Testbed  is  always  more  secure   •  Testbed  is  more  secure  than  producHon   –  Legacy  impact   –  Scalability  impact   •  Audit  is  osen  only  permiGed  in  testbed   –  Liability   –  PotenHal  for  Denial  of  Service   •  Result   –  AGackers  advantage   –  ProducHon  goes  untested   44
Auditor  bias  #4:     Testbed  is  always  more  secure   •  Testbed  is  more  secure  than  producHon   –  Legacy  impact   –  Scalability  impact   –  There’s  always  something  more  on  the  prod  network   •  Audit  is  osen  only  permiGed  in  testbed   –  Liability   –  PotenHal  for  Denial  of  Service   •  Result   –  AGackers  advantage   –  ProducHon  goes  untested   45
Technical  Capacity  &  Knowledge  issue   •  Who   –  Can  audit  all  new  LTE  protocols  and  legacy  protocols   –  Has  experHse  on  the  architectures  &  vendors  equipment   •  Guarantee   –  Scanning  quality   –  Coverage  on  all  protocols  &  arch  (CSFB,  IMS,  Hybrid,   SCharge)   •  Cover  all  perimeters  and  accesses   –  APNs   –  GRX  &  IPX  accesses   –  Split  DNS   –  User  plane  and  control  plane   46
Conclusion   •  LTE  is  supposed  to  be  built  with  security   –  Difference  between  standardizaHon  and  real  security   –  Network  Equipment  Vendors  are  sHll  lagging   •  Opening  up  of  the  technology   –  Good:  deeper  independent  security  research   •  Operators   –  SHll  disinformed  by  vendors   –  Security  through  obscurity  in  2013!  Unbelievable!   –  Some  are  gezng  proacHve   47
Contact:   Philippe.Langlois@p1sec.com   hGp://www.p1sec.com   THANKS!     SEE  YOU  AT:   HACKITO  ERGO  SUM  –  MAY  2-­‐4  2013   PARIS,  FRANCE   48
BACKUP  SLIDES   49
Interfaces   50
LTE  Network   51
Previous  LTE  services  &  missions   •  LTE  Complete  infrastructure  audit   •  Huawei  LTE  EPC  Core  Network  audit  &   vulnerability  research   •  LTE  CSFB  infrastructure  integraHon  with  legacy   audit   –  both  Diameter,  S1,  X2  and  SS7  integraHon  for  CS   FallBack   •  Ericsson  eNodeB  audit  and  product  security   review   •  Diameter  security  audit  on  LTE  &  IMS  Core   52
LTE  audit  milestones   1.  External  LTE  tesHng,  scan  &  audit  (blackbox)   –  LTE  new  elements   –  IntegraHon  with  legacy   2.  LTE  eRAN  onsite  audit   –  eNodeB,  enrollment,  configuraHon  &  PSR/PVR   –  OSS  &  OAM   3.  LTE  EPC  Core  Network  audit   –  MME   –  S-­‐GW  &  PDN  GW   –  HSS   –  PCRF   4.  MBSS  –  Minimum  Baseline  Security  Standard   –  LTE  eRAN:  eNodeB,  SeGW,  OSS  &  enrollment  servers   –  LTE  EPC:  MME,  S-­‐GW,  PCRF,  HSS,  PDN  GW,  MSC  Proxy   53
INTERFACES   54
Interfaces   55
ADDRESSING  IN  LTE   56
Core  Network:  IP  addresses  everywhere   •  Everything  uses  IP  addresses   –  User:  UE,     –  RAN:  eNodeB,  SeGW   –  EPC:  MME,  HSS,  SGW,  PGW   •  IPv4   •  IPv6  is  actually  really  being  supported   57
Telecom-­‐specific  addressing   •  End  user  addresses:     –  GUTI,     –  IMSI,     –  …   58
GUTI   •  Globally  Unique  Temporary  IdenHty  (GUTI)   –  Allocated  by  the  MME  to  the  UE   •  GUTI  =  GUMMEI  +  M-­‐TMSI   –  GUMMEI  =  Globally  Unique  MME  ID   •  GUMMEI  =  MNC  +  MCC  +  MMEI   –  MMEI  =  MMEGI  +  MMEC   »  MMEGI  =  MME  Group  ID   »  MMEC  =  MME  Code   –  M-­‐TMSI  ==  MME  TMSI   •  GPRS/UMTS  P-­‐TMSI  -­‐>  LTE  M-­‐TMSI   •  S-­‐TMSI  =  MMEC  +  M-­‐TMSI   59
GUTI  in  Pictures   60
RAI/P-­‐TMSI  mapping  to  GUTI   ! 61
GUTI  mapping  to  P-­‐TMSI   ! 62
TAC  and  RNC  ID   ! 63
ADRESS  MAPPING  IN  DNS   64
Legacy  GPRS  /  UMTS   •  GRX   •  TLD  /  Domain  .gprs   •  Quite  monolithic:   –  APN   –  RAI   •  rai<RAI>.  mnc08.  mcc204.gprs   65
IMS  DNS   •  3gppnetwork.org   •  Supports   –  LAC   –  RAC   •  Examples   –  rac<RAC>.lac<LAC>.mnc08.mcc204.gprs   66
LTE  EPC  DNS   •  Same  as  IMS  DNS  but  extended   •  Supports     –  MME   –  SGW   •  Examples   –  mmec<MMEC>.mmegi<MMEGI>.mme.epc.mnc99.mcc 208.3gppnetwork.org   67
TECHNOLOGY  BACKGROUNDER   68
LTE  Data  Terminology   •  GTP  =  GPRS  Tunneling  Protocol   •  EPS  =  Evolved  Packet  Service,  LTE  data  sessions   •  EPC  =  Evolved  Packet  Core,  the  LTE  core  network   •  APN  =  Access  Point  Name  (same  as  2G/3G)   •  Bearer  =  PDP  session,  GTP  Tunnel  for  a  given  used   •  SeGW  =  Security  Gateway,  segments  eNB  /  EPC   •  SGW  =  Serving  Gateway,  like  GGSN,  connects  to   Internet   69
PDP  Context  vs.  EPS  Bearer   •  UMTS  and  GPRS  data  session   –  Packet  Data  Protocol  (PDP)  Context   –  AGach  (Alert  SGSN)  -­‐>  PDP  Context  AcHvaHon  procedure   •  LTE  data  session   –  Evolved  Packet  System  (EPS)  Bearer   •  Default  EPS  Bearer   •  Dedicated  EPS  Bearer   •  Both  use  parameters:   –  Access  Point  Name  (APN),     –  IP  address  type,     –  QoS  parameters   70
LTE  GTP  =  eGTP   •  GTP-­‐U   •  From  eNodeB  to   PDN  GW   –  PGW   –  aka  Internet  exit   node   –  Used  to  be  the  GGSN   71
GTP-­‐U   •  udp/2152   72
LTE  Control  Plane:  eNodeB-­‐MME   73
S1AP   •  sctp/36412   74
LTE  Control  Plane:  eNodeB-­‐eNodeB   75
X2AP   •  sctp/36422     76
Protocol  and  port  matrix   Communicating nodes Protocol ports Protocol Source Destination Source Destination eNodeB S-GW GTP-U/UDP 2152 2152 S-GW eNodeB GTP-U/UDP 2152 2152 eNodeB eNodeB GTP-U/UDP 2152 2152 eNodeB MME S1AP/SCTP 36422 36412 MME eNodeB S1AP/SCTP 36412 36422 eNodeB eNodeB X2AP/SCTP 36422 36422 77
All  is  ASN1   •  All  protocols  described  in  ASN1   –  Different  kind  of  Encoding   •  BER  –  Basic,  standard  TLV   •  PER  –  Packed,   –  Aligned  (APER)   –  Unaligned  (UPER)   –  Described  in  ITU  and  3GPP  standards   –  Require  ASN1  “CLASS”  keywords   78
LTE  SIGNALING   79
Diameter  Everywhere   •  Diameter  replaces  SS7  MAP   •  DSR     –  Diameter  Signaling  Router   80
81
82
83
Security  implicaHon   •  SCTP  filtering  to  be  generalized   •  Benefit   –  SCTP  is  “config  first”  most  of  the  Hme   •  Threat   –  IP  cloud  is  much  more  exploitaHon  friendly   –  AGack  techniques  are  known  to  many  people   –  Compromise  consequences  are  more  far-­‐reaching  than   SS7   84
Diameter  Roaming   85
Security  rouHng  and  filtering  in  Diameter   •  DSR   –  Define  rouHng  &  filtering  rules     •  Discriminants  Indicators   –  DesHnaHon-­‐based:     •  Realm,  Host,  ApplicaHon-­‐ID     –  OriginaHon-­‐based:     •  Realm,  Host,  ApplicaHon-­‐ID     –  Command-­‐Code   –  IMSIAddress   86
Future  Diameter  RouHng  &  Filtering   87
Security  &  Vulnerability  of  EPC  Roaming     •  Filtering  even  more  important   –  DSR  filtering  is  not  mature   •  GRX  problems  amplified   –  Impact  of  the  GRX/IPX/IMS/SAE  EPC  DNS  infrastructure   in  InformaHon  Gathering   •  Unique  IdenHfier  leaks  much  easier   –  Privacy  consequences   88
TESTING   89
TesHng  Security  in  an  LTE  Environment   •  Two  kind  of  environment   –  Testbed   –  Live  (also  called  ProducHon,  Greenfield,  AcHve)   90
LTE  Testbed  Security  tesHng   •  Shielded  tesHng   –  eNodeB  antenna  output  connected  to  a  cable   –  Cable  arrives  in  test  room   –  A  “Shielded  box”  in  test  room  is  connected  to  cable   –  Phone  /  USB  dongle  is  put  inside  the  box  for  tests   –  USB  cable  goes  out  of  the  box  toward  the  test  PC     •  No  RF  is  polluHng  the  spectrum   –  Enables  pre-­‐aucHon  tesHng   91
RelaHonship  to  Vendors   •  Vendor  usually  prevent  audit     –  By  limiHng  informaHon     –  By  limiHng  access  to  Device  Under  Test   –  By  limiHng  access  to  testbed   –  By  threatening  of  potenHal  problems,  delays,   responsibility,  liability   •  Most  of  the  LTE  tesHng  can  happen  transparently   –  The  vendor  doesn’t  see  the  security  audit  team   –  Presented  as  normal  operator  qualificaHon   –  Not  presented  as  security  audit   •  Result  only  is  presented  when  audit  is  finished   92
AUDITS   93
GTP   •  Endpoint  discovery   •  Illegal  connecHon/associaHon  establishment   –  User  idenHty  impersonaHon   –  Fuzzing   •  Leak  of  user  traffic     –  to  Core  Network  (EPC)     –  to  LTE  RAN   94
X2AP  Audit   •  Endpoint  discovery   •  Illegal  connecHon/associaHon  establishment   –  Fuzzing   •  Reverse  engineering  of  proprietary  extensions   •  MITM   95
S1AP  Audit   •  Endpoint  discovery   •  Illegal  connecHon/associaHon  establishment   –  Fuzzing   •  Reverse  engineering  of  proprietary  extensions   •  MITM     –  NAS  injecHon   96
LTE  EPC  DNS  Audit   •  EPC  DNS  is  important   •  EPC  DNS  scanner   •  Close  to  GRX  /  IMS   97
ATTACKS   98
User  aGacks:  EPS  Bearer  Security  AGacks   •  APN  Bruteforcing   •  IP  SegmentaHon   –  accessing  operators’  RFC1918  internal  networks   •  GTP  endpoint  discovery     –  from  within  Bearer  Data  Session   •  Secondary  EPS  Bearer  ExhausHon/Flood  load  DoS   –  Max  11  to  be  tested   –  Repeat  setup/teardown  of  connecHons   •  PGW  DiffServ  tesHng   –  Scans  the  IP  header  DS  bits  (DifferenHated  Services)  to  see   difference  in  treatment  by  PGW   99
TOOLS   100
Basic  audit  tools   •  LTE  SIM  card   •  LTE  USB  Dongle   •  LTE  UE  (User  Equipment)  =  Phone   •  RJ45  for  Ethernet  connecHon  to  EPC/EUTRAN   •  Wireshark   •  Sakis3G  and  evoluHons  for  LTE  support   •  IPsec  audit  tool   101
Ideal  audit  tools   •  GTP  protocol  stack  &  fuzzer   •  SCTP  MITM  tool  &  fuzzer   •  Ethernet/ARP  MITM  tool  (eGercap)   •  S1AP  protocol  stack  &  fuzzer   •  NAS  protocol  stack  &  fuzzer   •  X2AP  protocol  stack  &  fuzzer   •  Diameter  protocol  stack  &  fuzzer   •  GRX,  IMS,  EPC  DNS  scanner   102
VirtualizaHon  targets   •  Huawei   –  In  progress   •  HSS   •  MSC  Proxy   –  PotenHal   •  USN,  Serving  GW,  PDN  GW,  MME   –  eHRS  integrated  node  (MME,  HSS,  SGW,  PGW,  …)   •  Easier  because  one  single  node   •  HP  opportunity?   103
LTE  Network  VirtualizaHon   104
Huawei  ATCA  vs.  PGP   •  OSTA  2.0   –  Linux  based   •  OpenSuse  10.x  or  11.x   •  Old,  unpatched  kernel   •  Proprietary  extensions  and  SMP   –  Some  FPGA  based  boards   –  Some  OEM  based  integraHon  (Switches  AR40,  Routers,  …)   •  PGP   –  Older  architecture   –  More  monolithic   –  Harder  to  replicate   105
Hard  problems   •  Use  same  kernel  (medium)   •  Use  licensing  (medium)   •  Load  signed  kernel  modules  (medium  hard)   •  Emulate  FPGA  and  OEM  integraHon  (hard)   •  Replicate  network  services  /  other  NEs  (hard)   106
HSS   •  ATCA  /  OSTA  2.0   •  Few  external  hardware   •  Moderately  easy   •  OperaHon  in  progress   •  Based  on  HSS_V900R003   107
Virtualizing  in  context  (CSFB)   RAN   EPC   108
MSC  Proxy   •  ATCA  /  OSTA  2.0   •  No  external  hardware   •  Moderately  easy   •  ConfiguraHon  with     –  exisHng  SS7  SIGTRAN  infrastructure   –  Diameter  testbed   109
USN   •  USN_V900R011C02SPC100   •  Harder   110
Ericsson   •  Difficult  to  deal  with  them   •  Very  protecHve   –  Access   –  Licensing   –  DocumentaHon   111
NSN   •  PotenHally  easier  than  Ericsson   •  Linux  based  (SGSN,  …)   –  MontaVista   •  Some  security  features   112
Cisco   •  Some  virtualizaHon  done   –  IOS  12.x   •  Some  virtualizaHon  needs  hardware   –  Cisco  7200   –  Cisco  ITP   –  Cisco  GGSN   •  Virtual  networking   •  Our  technology  for  adapted  virtualizaHon   113
Our  advantage  so  far   •  Virtualize  x86  with  specific/signed  kernels  and   modules   •  Virtualize  MIPS   •  EmulaHon  of  specific  hardware  support   –  Kernel  modules  development   •  Virtualize  ARM  Android  based  device     –  for  customer  simulaHon   114
Mobile  +  VAS  virtualizaHon   •  Specific  demand  from  customer   –  Virtualize  x86  based  server   –  Virtualize  10-­‐20  Android  clients   –  Simulate  fraudulent  transacHon  within  this  flow   –  Inject  faults  within  repeated  traffic   115
VIRTUALIZED  SIGNALING  FUZZING   116
Principle   •  Proxies   –  M3UA  Proxy   –  S1/X2  Proxy   –  Diameter  Proxy   •  Made  transparent   –  SCTP  Man  in  the  Middle   –  Packet  forwarding   117
LTE  increases  risks   •  Financial  thes   •  Privacy  thes   •  Hacking  of  corporate  users   •  M2M  impact  of  worms  and  aGacks   •  LTE  Mobile  broadband  usage  as  main  internet   connecHon   •  Protocols  are  untested  and  tradiHonal  fuzzer  coverage   is  weak  and  shallow   •  Network  equipment  is  new  and  not  as  reliable  as   tradiHonal  network  elements   118
Questions ? 119

Recomendados

Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...DefCamp
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 networkAlexandre De Oliveira
 
SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.3G4G
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetPositive Hack Days
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX networkAlexandre De Oliveira
 

Recomendados

Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...DefCamp
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 networkAlexandre De Oliveira
 
SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.3G4G
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetPositive Hack Days
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX networkAlexandre De Oliveira
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Alejandro Corletti Estrada
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityP1Security
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 VulnerabilitiesPositiveTechnologies
 
SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkPositiveTechnologies
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisP1Security
 
VoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVikas Shokeen
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresPositiveTechnologies
 
Packet core network basics
Packet core network basicsPacket core network basics
Packet core network basicsMustafa Golam
 
PGW GGSN Optional Services Configuration
PGW GGSN Optional Services ConfigurationPGW GGSN Optional Services Configuration
PGW GGSN Optional Services ConfigurationMustafa Golam
 
Positive approach to security of Core networks
Positive approach to security of Core networksPositive approach to security of Core networks
Positive approach to security of Core networksPositiveTechnologies
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdfAbubakar416712
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS networkKarel Berkovec
 
Sigtran Workshop
Sigtran WorkshopSigtran Workshop
Sigtran WorkshopLuca Matteo Ruberto
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
 
Introduction to SIM and USIM
Introduction to SIM and USIMIntroduction to SIM and USIM
Introduction to SIM and USIMNaveen Jakhar, I.T.S
 
Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)Hamidreza Bolhasani
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!PositiveTechnologies
 
Intermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular NetworksIntermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular Networks3G4G
 
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...P1Security
 
Introduction to Mobile Core Network
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Networkyusufd
 

Más contenido relacionado

La actualidad más candente

Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Alejandro Corletti Estrada
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityP1Security
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisP1Security
 
VoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVikas Shokeen
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresPositiveTechnologies
 
Packet core network basics
Packet core network basicsPacket core network basics
Packet core network basicsMustafa Golam
 
PGW GGSN Optional Services Configuration
PGW GGSN Optional Services ConfigurationPGW GGSN Optional Services Configuration
PGW GGSN Optional Services ConfigurationMustafa Golam
 
Positive approach to security of Core networks
Positive approach to security of Core networksPositive approach to security of Core networks
Positive approach to security of Core networksPositiveTechnologies
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdfAbubakar416712
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS networkKarel Berkovec
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
 
Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)Hamidreza Bolhasani
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!PositiveTechnologies
 
Intermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular NetworksIntermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular Networks3G4G
 

La actualidad más candente (20)

Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
 
SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest link
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
 
VoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS Stack
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasures
 
Packet core network basics
Packet core network basicsPacket core network basics
Packet core network basics
 
PGW GGSN Optional Services Configuration
PGW GGSN Optional Services ConfigurationPGW GGSN Optional Services Configuration
PGW GGSN Optional Services Configuration
 
Positive approach to security of Core networks
Positive approach to security of Core networksPositive approach to security of Core networks
Positive approach to security of Core networks
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS network
 
Sigtran Workshop
Sigtran WorkshopSigtran Workshop
Sigtran Workshop
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
 
Introduction to SIM and USIM
Introduction to SIM and USIMIntroduction to SIM and USIM
Introduction to SIM and USIM
 
Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!
 
Intermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular NetworksIntermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular Networks
 

Destacado

Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...P1Security
 
Introduction to Mobile Core Network
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Networkyusufd
 
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHackito Ergo Sum
 
Passwords today passcodes tomorrow: Webinar December 2nd, 2015
Passwords today passcodes tomorrow: Webinar December 2nd, 2015Passwords today passcodes tomorrow: Webinar December 2nd, 2015
Passwords today passcodes tomorrow: Webinar December 2nd, 2015Xura
 
Webinar: To be or not to be...NFV
Webinar: To be or not to be...NFVWebinar: To be or not to be...NFV
Webinar: To be or not to be...NFVXura
 
Diameter and Diameter Roaming
Diameter and Diameter RoamingDiameter and Diameter Roaming
Diameter and Diameter RoamingJohn Loughney
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksOmer Coskun
 
UDC in a Box
UDC in a BoxUDC in a Box
UDC in a BoxEricsson
 
NextGen HSS, Our TADHacked solution - Javier Martin, Summa Networks
NextGen HSS, Our TADHacked solution - Javier Martin, Summa NetworksNextGen HSS, Our TADHacked solution - Javier Martin, Summa Networks
NextGen HSS, Our TADHacked solution - Javier Martin, Summa NetworksAlan Quayle
 
Modul 7 gprs operation
Modul 7 gprs operationModul 7 gprs operation
Modul 7 gprs operationWijaya Kusuma
 
Gprs security threats and solutions
Gprs security threats and solutionsGprs security threats and solutions
Gprs security threats and solutionsJauwadSyed
 
Huawei hss9860 v900 r008c20 production description
Huawei hss9860 v900 r008c20 production descriptionHuawei hss9860 v900 r008c20 production description
Huawei hss9860 v900 r008c20 production descriptionRabih Kanaan,PMP
 
Ericsson MSC commands
Ericsson MSC commandsEricsson MSC commands
Ericsson MSC commandsAnthony Uisso
 
Rbs 6401 datasheet
Rbs 6401 datasheetRbs 6401 datasheet
Rbs 6401 datasheetSS Saravanan
 
Ericsson RBS 6402
Ericsson RBS 6402Ericsson RBS 6402
Ericsson RBS 6402Ericsson
 
Basic GSM Call Flows
Basic GSM Call FlowsBasic GSM Call Flows
Basic GSM Call Flowsemyl97
 

Destacado (18)

Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
 
Introduction to Mobile Core Network
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Network
 
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
 
Passwords today passcodes tomorrow: Webinar December 2nd, 2015
Passwords today passcodes tomorrow: Webinar December 2nd, 2015Passwords today passcodes tomorrow: Webinar December 2nd, 2015
Passwords today passcodes tomorrow: Webinar December 2nd, 2015
 
Webinar: To be or not to be...NFV
Webinar: To be or not to be...NFVWebinar: To be or not to be...NFV
Webinar: To be or not to be...NFV
 
Diameter and Diameter Roaming
Diameter and Diameter RoamingDiameter and Diameter Roaming
Diameter and Diameter Roaming
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
 
Chap05 gtp 03_kh
Chap05 gtp 03_khChap05 gtp 03_kh
Chap05 gtp 03_kh
 
UDC in a Box
UDC in a BoxUDC in a Box
UDC in a Box
 
NextGen HSS, Our TADHacked solution - Javier Martin, Summa Networks
NextGen HSS, Our TADHacked solution - Javier Martin, Summa NetworksNextGen HSS, Our TADHacked solution - Javier Martin, Summa Networks
NextGen HSS, Our TADHacked solution - Javier Martin, Summa Networks
 
Modul 7 gprs operation
Modul 7 gprs operationModul 7 gprs operation
Modul 7 gprs operation
 
Gprs security threats and solutions
Gprs security threats and solutionsGprs security threats and solutions
Gprs security threats and solutions
 
Huawei hss9860 v900 r008c20 production description
Huawei hss9860 v900 r008c20 production descriptionHuawei hss9860 v900 r008c20 production description
Huawei hss9860 v900 r008c20 production description
 
Ericsson MSC commands
Ericsson MSC commandsEricsson MSC commands
Ericsson MSC commands
 
Rbs 6401 datasheet
Rbs 6401 datasheetRbs 6401 datasheet
Rbs 6401 datasheet
 
Ericsson RBS 6402
Ericsson RBS 6402Ericsson RBS 6402
Ericsson RBS 6402
 
Gsm signaling
Gsm signalingGsm signaling
Gsm signaling
 
Basic GSM Call Flows
Basic GSM Call FlowsBasic GSM Call Flows
Basic GSM Call Flows
 

Similar a Philippe Langlois - Hacking HLR HSS and MME core network elements

Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...DefconRussia
 
IPv6 in 3G Core Networks
IPv6 in 3G Core NetworksIPv6 in 3G Core Networks
IPv6 in 3G Core NetworksJohn Loughney
 
David A. Burgess's Presentation at eComm 2009
David A. Burgess's Presentation at eComm 2009David A. Burgess's Presentation at eComm 2009
David A. Burgess's Presentation at eComm 2009eCommConf
 
Highavailability designs-for-juniper-netscreen-firewalls3740
Highavailability designs-for-juniper-netscreen-firewalls3740Highavailability designs-for-juniper-netscreen-firewalls3740
Highavailability designs-for-juniper-netscreen-firewalls3740Saurav Aich
 
SIGTRAN - An Introduction
SIGTRAN - An IntroductionSIGTRAN - An Introduction
SIGTRAN - An IntroductionTareque Hossain
 
IP RAN 100NGN 2013 [COPY]
IP RAN 100NGN 2013 [COPY]IP RAN 100NGN 2013 [COPY]
IP RAN 100NGN 2013 [COPY]Mahadiputra S
 
Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012Brent Salisbury
 
The Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityThe Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityBrent Salisbury
 
evolution towards NGN
evolution towards NGNevolution towards NGN
evolution towards NGNAJAL A J
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USAJose Liste
 
Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environmentChristian Martorella
 
Ready for the Evolution: LTE Session delivery requirements
Ready for the Evolution: LTE Session delivery requirementsReady for the Evolution: LTE Session delivery requirements
Ready for the Evolution: LTE Session delivery requirementsAcmePacket
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksJim Geovedi
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...EC-Council
 
The State of 3G/GPRS IPv6 Deployment
The State of 3G/GPRS IPv6 DeploymentThe State of 3G/GPRS IPv6 Deployment
The State of 3G/GPRS IPv6 DeploymentJohn Loughney
 
IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?Steve Simlo
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 

Similar a Philippe Langlois - Hacking HLR HSS and MME core network elements (20)

Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
 
IPv6 in 3G Core Networks
IPv6 in 3G Core NetworksIPv6 in 3G Core Networks
IPv6 in 3G Core Networks
 
LTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GPLTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GP
 
David A. Burgess's Presentation at eComm 2009
David A. Burgess's Presentation at eComm 2009David A. Burgess's Presentation at eComm 2009
David A. Burgess's Presentation at eComm 2009
 
Highavailability designs-for-juniper-netscreen-firewalls3740
Highavailability designs-for-juniper-netscreen-firewalls3740Highavailability designs-for-juniper-netscreen-firewalls3740
Highavailability designs-for-juniper-netscreen-firewalls3740
 
SIGTRAN - An Introduction
SIGTRAN - An IntroductionSIGTRAN - An Introduction
SIGTRAN - An Introduction
 
IP RAN 100NGN 2013 [COPY]
IP RAN 100NGN 2013 [COPY]IP RAN 100NGN 2013 [COPY]
IP RAN 100NGN 2013 [COPY]
 
Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012
 
The Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityThe Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on Security
 
SS7 over IP Brown Bag
SS7 over IP Brown BagSS7 over IP Brown Bag
SS7 over IP Brown Bag
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRAN
 
evolution towards NGN
evolution towards NGNevolution towards NGN
evolution towards NGN
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
 
Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environment
 
Ready for the Evolution: LTE Session delivery requirements
Ready for the Evolution: LTE Session delivery requirementsReady for the Evolution: LTE Session delivery requirements
Ready for the Evolution: LTE Session delivery requirements
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
 
The State of 3G/GPRS IPv6 Deployment
The State of 3G/GPRS IPv6 DeploymentThe State of 3G/GPRS IPv6 Deployment
The State of 3G/GPRS IPv6 Deployment
 
IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 

Último

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Último (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Philippe Langlois - Hacking HLR HSS and MME core network elements

  • 1. LTE  Pwnage:  Hacking  HLR/HSS  and   MME  Core  Network  Elements   P1  Security   1
  • 4. Corporate  &  Mobile  Data  risk  increased   •  LTE  from  aGackers  perspecHve   •  All  IP  –  always  on  –  always  vulnerable?   –  Spear-­‐Phishing   –  Botnets  &  Malware   –  Flooding   –  Trojan  &  Backdoors   •  IPv6  renders  NAT  protecHon  inefficient   •  Split  Handshake  TCP  aGacks  prevents  IPS  and   AnHvirus   •  Very  familiar  architecture  for  aGackers:  ATCA,  Linux   •  Intricate  and  new  protocols:  Diameter,  S1,  X2,  GTP   4
  • 5. 2G  3G  to  LTE:  Reality  and  Legacy   2G   3G   LTE   BTS   Node  B   eNode  B   BSC   merged  into  Node  B   merged  into  eNode  B   MSC  /  VLR   RNC   MME,  MSC  Proxy   HLR   HLR,  IMS  HSS,  HE   LTE  SAE  HSS,  SDR/SDM   STP   STP,  SG   Legacy  STP   GGSN   GGSN   PDN  GW   SGSN   SGSN   MME/SGW   IN   IN/PCRF   PCRF   RAN  Firewall   RAN  Firewall   SeGW   5
  • 6. User  data  content:  LTE  User  Plane   6
  • 7. LTE  Network  AGack  Surface   •  Full  IP  only?   –  No:  full  IP  double  exposure   •  Packets  (PS  Domain)     –  2x  aGack  surface   •  GTP  sHll  present   •  S1AP/X2AP  new   •  Circuits  (CS  Domain)   –  2x  aGack  surface   •  SIGTRAN  &  SS7  will  stay  for  many  years   •  IMS  &  Diameter   7
  • 8. 3G  and  LTE  together   RAN   EPC   8
  • 9. CSFB  vs.  VOLTE  vulnerability  aGack   surface   •  CSFB   –  CS  Fall  Back  from  4G  to  3G   –  Past  is  present   –  SS7  and  SIGTRAN  stack  vulnerabiliHes  (DoS,  spoof,  …)   •  VOLTE   –  Whole  new  aGack  surface   –  New  APN,  new  network  to  hack,  new  servers,     –  Closer  to  the  Core  Network  ==  more  serious  vulns   –  IMS  (CSCF  =  SIP  server,  DNS,  …)     •  Standard?  No…   9
  • 10. ISUP  injecHon  in  SIP  through  VOLTE   Yes,  SIP…  known…  but…   Internet  SIP  +  SS7  ISUP  ==  SIP-­‐I  and  SIP-­‐T  ==  ISUP  InjecHon  !     •  Remote Core Network DoS •  SS7 compromise •  External signaling injection •  Spoofing of ISUP messages •  Fake billing •  Ouch!
  • 11. 11
  • 12. CSFB  AGack  surface  through  MSC  Proxy   and  SS7  +  SIGTRAN   •  All  SIGTRAN  aGack  surface  exposed   •  All  SS7  aGack  surface  exposed   •  Most  dangerous:   –  Logical  Denial  of  Service  aGacks   •  SSP-­‐based  SCCP  DoS  (P1  CVID#480)   •  TFP-­‐based  SS7  DoS  (P1  CVID#481)   –  Equipment  Crash/Denial  of  Service  aGacks   •  Ericsson  MSC  Crash  DoS  (P1  VID#330)   •  NSN  HLR  Crash  DoS  (P1  VID#148)   •  Ericsson  STP  Crash  DoS  (P1  VID#187)   12
  • 13. P1vid#148 - https://saas.p1sec.com/vulns/148 NSN  NGHLR  remote  Denial  of  Service  caused  by   fragile  SS7  stack   Severity Critical Description NGHLR SS7 stack software is not robust and suffers from Remote Denial of Service. Enables any person sending malicious SCCP traffic to the HLR to crash it. This includes the whole Impact international SS7 network as HLRs need always to be globally reachable. •  Reliability  for  telco   –  Ability  to  cope  with  X  million  of  requests   –  Not  Ability  to  cope  with  malformed  traffic  
  • 14. P1vid#145 - https://saas.p1sec.com/vulns/145 GSM  MAP  primiHve  MAP_FORWARD_ACCESS_SIGNALLING   enables  RAN  signaling  injecHon   Severity Medium Spoofed   This GSM MAP MSU "MAP_FORWARD_ACCESS_SIG Description NALLING" forwards any content to the Radio Access Network Normal   (RAN). The result is that some external entities may send or spoof MAP_FORWARD_ACCESS_SIGN Impact ALLING MSUs to target MSC GTs and have the vulnerable MSCs to inject this signaling into the radio network (typically RANAP). •  Spoof  and  inject  radio  signaling   •  As  if  it  was  coming  from  Radio  Network  
  • 15. P1vid#213 - https://saas.p1sec.com/vulns/213 Fun  AnH-­‐forensics   •  Same  aGack  as  VID#187  “   •  Also  crash  Ericsson  traffic  monitoring  log  analysis   forensic  tools  (P1  VKD  VID#213)   •  Code  sharing  between  enforcement  and  forensic   tools   15
  • 16. 3G  and  LTE  together   RAN   EPC   16
  • 17. Peer  to  Peer  Radio  Access  Network   •  X2AP   –  eNodeB’s   –  Peer  to  Peer   •  TranslaHon   –  Every  base  staHon  can  talk  to  every  other   –  Network  aGack  surface  increase   –  Total  spread  into  the  RAN  network   •  Operator-­‐wide  L2  network   –  L2  aGacks,  less  defense  in  depth,  scanning  only  blocked  by   size  of  network   –  Did  GTP  disappear?  No   17
  • 18. User  data  btw  eNBs:  LTE  User  Plane   18
  • 19. LTE  RAN  Overview   Evolved Packet Network (EPC) MME SGW Mul OSS-RC SeGW LTE RAN S1 CP S1 UP IP/Ethernet transport Mul S1 X2 Mul S1 X2 Mul S1 X2 Typically a common physical connection ! 19
  • 20. Pwning  OSS:     L2  network  mistakes  always  happen   •  Can’t  catch  it  with  mulHple  overlapping  /8   networks:  automate!   •  From  any  eNodeB  to  the  NMS   •  From  any  eNodeB  to  any  eNodeB   –  You  can  bet  on  insecure  provisioning   •  American  example  &  Remote  misconfiguraHon   20
  • 21. eNodeB  Hardware  AGacks   Ericsson RBS 6602 DUS (2G+3G+4G) & DUL (4G) Radio Uplink to DWDM / Optical net Local Ethernet ports (not TDM anymore) Hardware (in)security system 21
  • 22. LTE:  Equipment  AGack  surface  increase   •  Diameter  (New)   –  Added  surface   –  New  code,  maturity  in  quesHon   –  Very  few  commercial  fuzzers  support  it   –  Even  less  really  trigger  bugs  in  Diameter  (depth  pbm)   •  S1/X2AP  (New)   –  GTP  +  MAP  within  two  completely  new  protocols   –  With  encapsulaHon  of  user  traffic  (Non  Access  Stratum   protocol)   •  What  could  possibly  go  wrong?   22
  • 23. 23
  • 24. 24
  • 26. Auditor  bias  #1:     Open  standards  doesn't  mean  vision   •  Diameter   –  Nearly  every  parameter  is  opHonal   •  Result   –  Nobody  knows  what  is  a  valid  combinaHon  …   •  To  test  /  fuzz  /  inject   •  Combinatorial  explosion   –  Sequence  /  Dialogue  /  Flow   –  AVP  combinaHon   –  AVP  values   –  Fuzzed  parameter   •  Even  manufacturer  don’t  know  how  to  successfully   instrument  the  Device  Under  Test   •  Fuzzer  Support  is  not  Fuzzer  successful  triggering   26
  • 27. Auditor  bias  #2:  Fuzzing  is  as  deep  as   fuzzer  goes   •  And  fuzzer  never  go  deep  enough   –  Commercial  fuzzer   0 trigger/1000 iteration! –  Standard  own  fuzzer   13 triggers/1000 iterations! ! •  Need  target-­‐specific  development   –  Customized  own  fuzzer:     85 triggers/1000 iterations! 27
  • 28. LTE:  New  risk  with  Diameter   •  Diameter  informaHon   network  disseminaHon   •  Diameter  awesomeness   –  distribuHon/centralizaHon   –  its  own  evil  side   •  Present  in  many  database   –  HSS,  SDM/SDR,  CUD     •  The  goal  was  to  centralize   •  The  result  is  one  more   database   28
  • 29. LTE  Huawei  Specific   •  USN  =  SGSN  +  MME   •  UGW  =  SeGW  +  SGW  +  PDN  GW  /  PGW   29
  • 30. Pwning  LTE  HSS:     C++  SQL  InjecHon  everywhere   30
  • 31. LTE  HSS  Pwning  methodology   •  OSS  is  considered  Core   •  It  is  accessible  by  eNodeBs   –  SomeHme:  Network  filtering  mistakes   –  Osen:  Allowed  for  Provisionning   •  OSS  can  connect  to  HSS   –  HSS  exports  too  many  services   –  Mux/Tunnel  kind  of    thinking   •  one  port  ==  many  services   31
  • 32. LTE  EPC  funcHonal  plane,  no  OAM   32
  • 33. Add  OAM:  complexity  explosion   33
  • 34. Auditor  bias  #3:     Manual  vision  is  always  incomplete   •  Need  some  automaHon   •  200  APNs  *  16  million  IPs  ==  need  to  have   dedicated  scanner   –  Each  valid  GTP  tunnel  is  a  new  16  millions  IPs  to  scan   –  Address  space  explosion   •  You  CANNOT  do  it  manually   –  You  CANNOT  do  it  without  specific  scanners   34
  • 35. Pwning  MME:  Hardcoded  encrypHon  keys   P1 VKB CVID#485 DES… Hardcoded keys everywhere… 35
  • 36. Demo   36
  • 37. Legacy  PS  Interfaces  of  interest  to  LTE   •  Gi  :  Interface  from  GGSN  to  Internet   •  Gn  :  Interface  between  SGSN  and  other  SGSN  and   (internal)  GGSN   •  Gp  :  Interface  between  Internal  SGSN  and  external   GGSN  (GRX  used  here)   37
  • 38. eDNS  vs  iDNS   •  Leaks  to  Internet   •  Passive  DNSmon   •  Leaks  to  GPRS   •  Leaks  to  3G  data   •  Leaks  to  LTE  EPC  
  • 39. Legacy  GPRS  /  UMTS   •  GRX   •  TLD  /  Domain  .gprs   •  Quite  monolithic:   –  APN   –  RAI   •  rai<RAI>.  mnc08.  mcc204.gprs   •  Only  APNs  and  “some”  network  element   39
  • 40. IMS  DNS   •  3gppnetwork.org   •  Supports  and  lists  all  Network  Element   –  LAC   –  RAC   •  Examples   –  rac<RAC>.lac<LAC>.mnc08.mcc204.gprs   40
  • 41. LTE  EPC  DNS   •  Same  as  IMS  DNS  but  extended   •  Supports  and  lists  most  SAE  EPC  Network  Elements   –  MME   –  SGW   •  Examples   mmec<MMEC>.mmegi<MMEGI>.mme.epc.mnc99.mcc208.3gppnetwork.org!   41
  • 42. Pwning  from  LTE  mobile   •  Infrastructure  Reverse  path  protecHon   •  LTE  Mobile  data  access   –  RFC1918  leaks  (SomeHme)   –  Datacom  IP  infrastructure  access  (Now  more  osen)   NAT CGNAT 42
  • 43. Pwning  from  external:     Direct  MML  access  from  Internet   •  Pwning  from  external  without  any  reverse  path   trick.   •  Shodan  doesn’t  work  on  these   •  MML  aGack  surface  exposed   NAT CGNAT 43
  • 44. Auditor  bias  #4:     Testbed  is  always  more  secure   •  Testbed  is  more  secure  than  producHon   –  Legacy  impact   –  Scalability  impact   •  Audit  is  osen  only  permiGed  in  testbed   –  Liability   –  PotenHal  for  Denial  of  Service   •  Result   –  AGackers  advantage   –  ProducHon  goes  untested   44
  • 45. Auditor  bias  #4:     Testbed  is  always  more  secure   •  Testbed  is  more  secure  than  producHon   –  Legacy  impact   –  Scalability  impact   –  There’s  always  something  more  on  the  prod  network   •  Audit  is  osen  only  permiGed  in  testbed   –  Liability   –  PotenHal  for  Denial  of  Service   •  Result   –  AGackers  advantage   –  ProducHon  goes  untested   45
  • 46. Technical  Capacity  &  Knowledge  issue   •  Who   –  Can  audit  all  new  LTE  protocols  and  legacy  protocols   –  Has  experHse  on  the  architectures  &  vendors  equipment   •  Guarantee   –  Scanning  quality   –  Coverage  on  all  protocols  &  arch  (CSFB,  IMS,  Hybrid,   SCharge)   •  Cover  all  perimeters  and  accesses   –  APNs   –  GRX  &  IPX  accesses   –  Split  DNS   –  User  plane  and  control  plane   46
  • 47. Conclusion   •  LTE  is  supposed  to  be  built  with  security   –  Difference  between  standardizaHon  and  real  security   –  Network  Equipment  Vendors  are  sHll  lagging   •  Opening  up  of  the  technology   –  Good:  deeper  independent  security  research   •  Operators   –  SHll  disinformed  by  vendors   –  Security  through  obscurity  in  2013!  Unbelievable!   –  Some  are  gezng  proacHve   47
  • 48. Contact:   Philippe.Langlois@p1sec.com   hGp://www.p1sec.com   THANKS!     SEE  YOU  AT:   HACKITO  ERGO  SUM  –  MAY  2-­‐4  2013   PARIS,  FRANCE   48
  • 52. Previous  LTE  services  &  missions   •  LTE  Complete  infrastructure  audit   •  Huawei  LTE  EPC  Core  Network  audit  &   vulnerability  research   •  LTE  CSFB  infrastructure  integraHon  with  legacy   audit   –  both  Diameter,  S1,  X2  and  SS7  integraHon  for  CS   FallBack   •  Ericsson  eNodeB  audit  and  product  security   review   •  Diameter  security  audit  on  LTE  &  IMS  Core   52
  • 53. LTE  audit  milestones   1.  External  LTE  tesHng,  scan  &  audit  (blackbox)   –  LTE  new  elements   –  IntegraHon  with  legacy   2.  LTE  eRAN  onsite  audit   –  eNodeB,  enrollment,  configuraHon  &  PSR/PVR   –  OSS  &  OAM   3.  LTE  EPC  Core  Network  audit   –  MME   –  S-­‐GW  &  PDN  GW   –  HSS   –  PCRF   4.  MBSS  –  Minimum  Baseline  Security  Standard   –  LTE  eRAN:  eNodeB,  SeGW,  OSS  &  enrollment  servers   –  LTE  EPC:  MME,  S-­‐GW,  PCRF,  HSS,  PDN  GW,  MSC  Proxy   53
  • 57. Core  Network:  IP  addresses  everywhere   •  Everything  uses  IP  addresses   –  User:  UE,     –  RAN:  eNodeB,  SeGW   –  EPC:  MME,  HSS,  SGW,  PGW   •  IPv4   •  IPv6  is  actually  really  being  supported   57
  • 58. Telecom-­‐specific  addressing   •  End  user  addresses:     –  GUTI,     –  IMSI,     –  …   58
  • 59. GUTI   •  Globally  Unique  Temporary  IdenHty  (GUTI)   –  Allocated  by  the  MME  to  the  UE   •  GUTI  =  GUMMEI  +  M-­‐TMSI   –  GUMMEI  =  Globally  Unique  MME  ID   •  GUMMEI  =  MNC  +  MCC  +  MMEI   –  MMEI  =  MMEGI  +  MMEC   »  MMEGI  =  MME  Group  ID   »  MMEC  =  MME  Code   –  M-­‐TMSI  ==  MME  TMSI   •  GPRS/UMTS  P-­‐TMSI  -­‐>  LTE  M-­‐TMSI   •  S-­‐TMSI  =  MMEC  +  M-­‐TMSI   59
  • 62. GUTI  mapping  to  P-­‐TMSI   ! 62
  • 63. TAC  and  RNC  ID   ! 63
  • 64. ADRESS  MAPPING  IN  DNS   64
  • 65. Legacy  GPRS  /  UMTS   •  GRX   •  TLD  /  Domain  .gprs   •  Quite  monolithic:   –  APN   –  RAI   •  rai<RAI>.  mnc08.  mcc204.gprs   65
  • 66. IMS  DNS   •  3gppnetwork.org   •  Supports   –  LAC   –  RAC   •  Examples   –  rac<RAC>.lac<LAC>.mnc08.mcc204.gprs   66
  • 67. LTE  EPC  DNS   •  Same  as  IMS  DNS  but  extended   •  Supports     –  MME   –  SGW   •  Examples   –  mmec<MMEC>.mmegi<MMEGI>.mme.epc.mnc99.mcc 208.3gppnetwork.org   67
  • 69. LTE  Data  Terminology   •  GTP  =  GPRS  Tunneling  Protocol   •  EPS  =  Evolved  Packet  Service,  LTE  data  sessions   •  EPC  =  Evolved  Packet  Core,  the  LTE  core  network   •  APN  =  Access  Point  Name  (same  as  2G/3G)   •  Bearer  =  PDP  session,  GTP  Tunnel  for  a  given  used   •  SeGW  =  Security  Gateway,  segments  eNB  /  EPC   •  SGW  =  Serving  Gateway,  like  GGSN,  connects  to   Internet   69
  • 70. PDP  Context  vs.  EPS  Bearer   •  UMTS  and  GPRS  data  session   –  Packet  Data  Protocol  (PDP)  Context   –  AGach  (Alert  SGSN)  -­‐>  PDP  Context  AcHvaHon  procedure   •  LTE  data  session   –  Evolved  Packet  System  (EPS)  Bearer   •  Default  EPS  Bearer   •  Dedicated  EPS  Bearer   •  Both  use  parameters:   –  Access  Point  Name  (APN),     –  IP  address  type,     –  QoS  parameters   70
  • 71. LTE  GTP  =  eGTP   •  GTP-­‐U   •  From  eNodeB  to   PDN  GW   –  PGW   –  aka  Internet  exit   node   –  Used  to  be  the  GGSN   71
  • 73. LTE  Control  Plane:  eNodeB-­‐MME   73
  • 75. LTE  Control  Plane:  eNodeB-­‐eNodeB   75
  • 77. Protocol  and  port  matrix   Communicating nodes Protocol ports Protocol Source Destination Source Destination eNodeB S-GW GTP-U/UDP 2152 2152 S-GW eNodeB GTP-U/UDP 2152 2152 eNodeB eNodeB GTP-U/UDP 2152 2152 eNodeB MME S1AP/SCTP 36422 36412 MME eNodeB S1AP/SCTP 36412 36422 eNodeB eNodeB X2AP/SCTP 36422 36422 77
  • 78. All  is  ASN1   •  All  protocols  described  in  ASN1   –  Different  kind  of  Encoding   •  BER  –  Basic,  standard  TLV   •  PER  –  Packed,   –  Aligned  (APER)   –  Unaligned  (UPER)   –  Described  in  ITU  and  3GPP  standards   –  Require  ASN1  “CLASS”  keywords   78
  • 80. Diameter  Everywhere   •  Diameter  replaces  SS7  MAP   •  DSR     –  Diameter  Signaling  Router   80
  • 81. 81
  • 82. 82
  • 83. 83
  • 84. Security  implicaHon   •  SCTP  filtering  to  be  generalized   •  Benefit   –  SCTP  is  “config  first”  most  of  the  Hme   •  Threat   –  IP  cloud  is  much  more  exploitaHon  friendly   –  AGack  techniques  are  known  to  many  people   –  Compromise  consequences  are  more  far-­‐reaching  than   SS7   84
  • 86. Security  rouHng  and  filtering  in  Diameter   •  DSR   –  Define  rouHng  &  filtering  rules     •  Discriminants  Indicators   –  DesHnaHon-­‐based:     •  Realm,  Host,  ApplicaHon-­‐ID     –  OriginaHon-­‐based:     •  Realm,  Host,  ApplicaHon-­‐ID     –  Command-­‐Code   –  IMSIAddress   86
  • 87. Future  Diameter  RouHng  &  Filtering   87
  • 88. Security  &  Vulnerability  of  EPC  Roaming     •  Filtering  even  more  important   –  DSR  filtering  is  not  mature   •  GRX  problems  amplified   –  Impact  of  the  GRX/IPX/IMS/SAE  EPC  DNS  infrastructure   in  InformaHon  Gathering   •  Unique  IdenHfier  leaks  much  easier   –  Privacy  consequences   88
  • 90. TesHng  Security  in  an  LTE  Environment   •  Two  kind  of  environment   –  Testbed   –  Live  (also  called  ProducHon,  Greenfield,  AcHve)   90
  • 91. LTE  Testbed  Security  tesHng   •  Shielded  tesHng   –  eNodeB  antenna  output  connected  to  a  cable   –  Cable  arrives  in  test  room   –  A  “Shielded  box”  in  test  room  is  connected  to  cable   –  Phone  /  USB  dongle  is  put  inside  the  box  for  tests   –  USB  cable  goes  out  of  the  box  toward  the  test  PC     •  No  RF  is  polluHng  the  spectrum   –  Enables  pre-­‐aucHon  tesHng   91
  • 92. RelaHonship  to  Vendors   •  Vendor  usually  prevent  audit     –  By  limiHng  informaHon     –  By  limiHng  access  to  Device  Under  Test   –  By  limiHng  access  to  testbed   –  By  threatening  of  potenHal  problems,  delays,   responsibility,  liability   •  Most  of  the  LTE  tesHng  can  happen  transparently   –  The  vendor  doesn’t  see  the  security  audit  team   –  Presented  as  normal  operator  qualificaHon   –  Not  presented  as  security  audit   •  Result  only  is  presented  when  audit  is  finished   92
  • 93. AUDITS   93
  • 94. GTP   •  Endpoint  discovery   •  Illegal  connecHon/associaHon  establishment   –  User  idenHty  impersonaHon   –  Fuzzing   •  Leak  of  user  traffic     –  to  Core  Network  (EPC)     –  to  LTE  RAN   94
  • 95. X2AP  Audit   •  Endpoint  discovery   •  Illegal  connecHon/associaHon  establishment   –  Fuzzing   •  Reverse  engineering  of  proprietary  extensions   •  MITM   95
  • 96. S1AP  Audit   •  Endpoint  discovery   •  Illegal  connecHon/associaHon  establishment   –  Fuzzing   •  Reverse  engineering  of  proprietary  extensions   •  MITM     –  NAS  injecHon   96
  • 97. LTE  EPC  DNS  Audit   •  EPC  DNS  is  important   •  EPC  DNS  scanner   •  Close  to  GRX  /  IMS   97
  • 99. User  aGacks:  EPS  Bearer  Security  AGacks   •  APN  Bruteforcing   •  IP  SegmentaHon   –  accessing  operators’  RFC1918  internal  networks   •  GTP  endpoint  discovery     –  from  within  Bearer  Data  Session   •  Secondary  EPS  Bearer  ExhausHon/Flood  load  DoS   –  Max  11  to  be  tested   –  Repeat  setup/teardown  of  connecHons   •  PGW  DiffServ  tesHng   –  Scans  the  IP  header  DS  bits  (DifferenHated  Services)  to  see   difference  in  treatment  by  PGW   99
  • 100. TOOLS   100
  • 101. Basic  audit  tools   •  LTE  SIM  card   •  LTE  USB  Dongle   •  LTE  UE  (User  Equipment)  =  Phone   •  RJ45  for  Ethernet  connecHon  to  EPC/EUTRAN   •  Wireshark   •  Sakis3G  and  evoluHons  for  LTE  support   •  IPsec  audit  tool   101
  • 102. Ideal  audit  tools   •  GTP  protocol  stack  &  fuzzer   •  SCTP  MITM  tool  &  fuzzer   •  Ethernet/ARP  MITM  tool  (eGercap)   •  S1AP  protocol  stack  &  fuzzer   •  NAS  protocol  stack  &  fuzzer   •  X2AP  protocol  stack  &  fuzzer   •  Diameter  protocol  stack  &  fuzzer   •  GRX,  IMS,  EPC  DNS  scanner   102
  • 103. VirtualizaHon  targets   •  Huawei   –  In  progress   •  HSS   •  MSC  Proxy   –  PotenHal   •  USN,  Serving  GW,  PDN  GW,  MME   –  eHRS  integrated  node  (MME,  HSS,  SGW,  PGW,  …)   •  Easier  because  one  single  node   •  HP  opportunity?   103
  • 105. Huawei  ATCA  vs.  PGP   •  OSTA  2.0   –  Linux  based   •  OpenSuse  10.x  or  11.x   •  Old,  unpatched  kernel   •  Proprietary  extensions  and  SMP   –  Some  FPGA  based  boards   –  Some  OEM  based  integraHon  (Switches  AR40,  Routers,  …)   •  PGP   –  Older  architecture   –  More  monolithic   –  Harder  to  replicate   105
  • 106. Hard  problems   •  Use  same  kernel  (medium)   •  Use  licensing  (medium)   •  Load  signed  kernel  modules  (medium  hard)   •  Emulate  FPGA  and  OEM  integraHon  (hard)   •  Replicate  network  services  /  other  NEs  (hard)   106
  • 107. HSS   •  ATCA  /  OSTA  2.0   •  Few  external  hardware   •  Moderately  easy   •  OperaHon  in  progress   •  Based  on  HSS_V900R003   107
  • 108. Virtualizing  in  context  (CSFB)   RAN   EPC   108
  • 109. MSC  Proxy   •  ATCA  /  OSTA  2.0   •  No  external  hardware   •  Moderately  easy   •  ConfiguraHon  with     –  exisHng  SS7  SIGTRAN  infrastructure   –  Diameter  testbed   109
  • 110. USN   •  USN_V900R011C02SPC100   •  Harder   110
  • 111. Ericsson   •  Difficult  to  deal  with  them   •  Very  protecHve   –  Access   –  Licensing   –  DocumentaHon   111
  • 112. NSN   •  PotenHally  easier  than  Ericsson   •  Linux  based  (SGSN,  …)   –  MontaVista   •  Some  security  features   112
  • 113. Cisco   •  Some  virtualizaHon  done   –  IOS  12.x   •  Some  virtualizaHon  needs  hardware   –  Cisco  7200   –  Cisco  ITP   –  Cisco  GGSN   •  Virtual  networking   •  Our  technology  for  adapted  virtualizaHon   113
  • 114. Our  advantage  so  far   •  Virtualize  x86  with  specific/signed  kernels  and   modules   •  Virtualize  MIPS   •  EmulaHon  of  specific  hardware  support   –  Kernel  modules  development   •  Virtualize  ARM  Android  based  device     –  for  customer  simulaHon   114
  • 115. Mobile  +  VAS  virtualizaHon   •  Specific  demand  from  customer   –  Virtualize  x86  based  server   –  Virtualize  10-­‐20  Android  clients   –  Simulate  fraudulent  transacHon  within  this  flow   –  Inject  faults  within  repeated  traffic   115
  • 117. Principle   •  Proxies   –  M3UA  Proxy   –  S1/X2  Proxy   –  Diameter  Proxy   •  Made  transparent   –  SCTP  Man  in  the  Middle   –  Packet  forwarding   117
  • 118. LTE  increases  risks   •  Financial  thes   •  Privacy  thes   •  Hacking  of  corporate  users   •  M2M  impact  of  worms  and  aGacks   •  LTE  Mobile  broadband  usage  as  main  internet   connecHon   •  Protocols  are  untested  and  tradiHonal  fuzzer  coverage   is  weak  and  shallow   •  Network  equipment  is  new  and  not  as  reliable  as   tradiHonal  network  elements   118
  • 119. Questions ? 119