4G LTE Security - What hackers know?
4G Security - What hackers know?
OHM 2013
1 August 2013
Stephen Kho / Rob Kuiters
Agenda
• Who we are & why we are giving this talk?
• Introduction and transition to 4G
• 4G network architectural overview
• Protocols you need to know
• LTE & EPC components and vulnerabilities
• Mitigation & best practices
• Conclusions
• Q&A
Who we are & why this talk?
• Stephen Kho & Rob Kuiters
• KPN CISO Team
• KPN-CERT & REDteam
• Penetration Testing & Incident Response
• Overview of transition to 4G technology
• Provide understanding of components, protocols and vulnerabilities
Introduction and transition to 4G
• 1G Nordic Mobile Telephone (1980)
• 2G Global System for Mobile Communication (1994)
• 3G Universal Mobile Telecommunications System (2004)
• 4G Evolved Packet System (2013)
• 5G ???? Somewhere 2023
[Diagram: User Equipment, Radio Network, Core Network]
2G
Basic Components
• Basestation Transceiver
• Basestation Controller
• Mobile Switching Centre / Visitor Location Register
• Home Location Register
Main Protocols
• BSSAP
• MAP / ISUP
[Diagram: 2G network, labelled "Walled Garden": UE, BTS, BSC, MSC / VLR, GMSC, HLR; voice, SS7]
2G and some
Basic Components
• Basestation Transceiver
• Basestation Controller
• Mobile Switching Centre / Visitor Location Register
• Serving GPRS Support Node / Visitor Location Register
• Gateway GPRS Support Node
• DNS
• Home Location Register
Main Protocols
• BSSAP / BSSGP
• GTP
• IP
• MAP / ISUP
[Diagram: 2G and some, labelled "Not So Walled Garden": UE, BTS, BSC, MSC / VLR, GMSC, HLR, SGSN, GGSN, DNS, GRX, WWW / PDN; voice, SS7]
3G (UMTS)
Basic Components
• NodeB
• Radio Network Controller
• Mobile Switching Centre / Visitor Location Register
• Serving GPRS Support Node / Visitor Location Register
• Gateway GPRS Support Node
• DNS
• Home Location Register / Authentication Centre
Main Protocols
• RANAP
• GTP
• IP
• MAP / ISUP
[Diagram: 3G, labelled "Not So Walled Garden": UE, BTS, BSC, NodeB, RNC, MSC / VLR, GMSC, HLR, SGSN, GGSN, DNS, GRX, WWW / PDN; voice, SS7]
3G
Basic Components
• E NodeB
• Mobile Mobility Entity
• Serving Gateway
• Packet Data Network Gateway
• DNS
• Home Subscriber System
Main Protocols
• Diameter
• GTP
• IP
[Diagram: 2G, labelled "Semi public open place": UE, BTS, MME, S-GW, PDN GW, HSS, IPX / GRX, WWW / PDN]
EPC components and vulnerabilities
Testing approach
• Infrastructure penetration test
• Host based security assessment
• Web application testing
• Code review
Information Gathering
Vulnerability Analysis
Exploitation
![Page 19: 4G LTE Security - What hackers know?](https://reader034.fdocuments.net/reader034/viewer/2022052316/55763b66d8b42a015c8b536c/html5/thumbnails/19.jpg)
4G Security - What hackers know?
EPC components and vulnerabilities
18
Where and what did we test?
Evolved Packet Core (EPC)
PDN-GW SeGW
MME HSS
eNodeB
DRA
UE
Internet
DNS
![Page 20: 4G LTE Security - What hackers know?](https://reader034.fdocuments.net/reader034/viewer/2022052316/55763b66d8b42a015c8b536c/html5/thumbnails/20.jpg)
4G Security - What hackers know?
EPC components and vulnerabilities
Diameter Routing Agent (DRA) •Helps reduce number of connections
between devices
•Complex routing and provisioning
•Load balancing and congestion
control
•Multi-vendor interoperability
•Security functions – protocol
validation
19
![Page 21: 4G LTE Security - What hackers know?](https://reader034.fdocuments.net/reader034/viewer/2022052316/55763b66d8b42a015c8b536c/html5/thumbnails/21.jpg)
4G Security - What hackers know?
EPC components and vulnerabilities
20
DRA vulnerabilities found (example from a vendor) •Infrastructure penetration test
•MySQL installation running with root user privileges & without a password
• Improper network segmentation for running services
•Weak password policy on the OS
•Multiple users with sudo rights without a password.
•Multiple software security patches are missing
•Easy to guess SNMPv3 password
•Web application test
•Multiple default accounts
• Inadequate user privilege separation
• Insecure SSL certificate
![Page 22: 4G LTE Security - What hackers know?](https://reader034.fdocuments.net/reader034/viewer/2022052316/55763b66d8b42a015c8b536c/html5/thumbnails/22.jpg)
4G Security - What hackers know?
EPC components and vulnerabilities
21
Packet Data Network Gateway (PDN-GW)
• Connects UE to PDN
• Performs policy enforcement
• Packet filtering for each user
• Charging support
• Lawful Interception
PDN-GW vulnerabilities found (example from a popular vendor)
• Host security assessment
  • No firmware hashing or cryptographic verification
  • Clear-text transmission of PDN-GW login credentials
  • PDN-GW username enumeration possible
  • No failed login account lockout
  • Self-signed and expired SSL certificate
  • Weak password policy – no complexity
PDN-GW vulnerabilities found (example from a popular vendor)
• Code review (manual & automated static code analysis)
  • Hardcoded symmetric password encryption keys used
  • Weak lawful interception key generation
  • Software verification bypass
  • Weak authentication mechanism – weak encryption and hashing algorithm (DES, MD5)
Home Subscriber Server (HSS)
• Central database for user-related and subscription-related information
• Mobility management, call and session establishment support
• User authentication and access authorization
HSS vulnerabilities found (example from another popular vendor)
• Infrastructure penetration test
  • World exported NFS shares
  • Sensitive data stored on HSS NFS shares
  • Default account credentials in use
  • Critical security updates missing
  • Unnecessary services running
Mitigation & best practices
Implement network segmentation & filtering
Utilise centralised identity and access management
Enforce vendor security patch update
Implement security patch management
Perform regular vulnerability scans
Carry out in-depth penetration tests
Implement host & network based IDS
Practice incident response
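A host-level check for two of the findings reported above (world exported NFS shares on the HSS, sudo rights without a password on the DRA), of the kind a regular scan could include. This is an added example, not part of the original slides: the function names, the sample file contents and the set of client specs treated as "any host" are assumptions made for illustration.

```python
import re

# Constructed sample files, not taken from any tested system.
SAMPLE_EXPORTS = """\
# /etc/exports
/data/subscribers  *(rw,no_root_squash)
/opt/backup        10.20.0.5(ro,sync) 0.0.0.0/0(rw)
/srv/logs          mgmt01.example.net(ro)
/pub               (ro,all_squash)
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
oper    ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Client specs treated here as "any host"; an empty host before "(" also counts.
WORLD_CLIENTS = {"", "*", "0.0.0.0/0", "::/0"}
NOPASSWD_RE = re.compile(r"^(\S+)\s+.*\bNOPASSWD\s*:")

def world_exported_shares(exports_text):
    """Return [(path, client_spec)] for exports that any host can mount."""
    findings = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            host = spec.split("(", 1)[0]       # text before the option list
            if host in WORLD_CLIENTS:
                findings.append((path, spec))
    return findings

def passwordless_sudo(sudoers_text):
    """Return [(user_or_group, rule)] for sudoers rules tagged NOPASSWD."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        match = NOPASSWD_RE.match(line)
        if match:
            findings.append((match.group(1), line))
    return findings

if __name__ == "__main__":
    for item in world_exported_shares(SAMPLE_EXPORTS) + passwordless_sudo(SAMPLE_SUDOERS):
        print(item)
```

The parsers cover the common single-line forms only; quoted export paths, line continuations and sudoers include directives are not handled.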
Conclusion
• The Walled Garden telcos used to have no longer exists
• Vendor OSes are Linux or Windows based
• Common IP network vulnerabilities are present in 4G networks
• Telco vendors need to raise their IP security awareness
• Adopt common IP network security best practices and mitigations
• The community needs to help mature the overall security level of these “newer” protocols, e.g. Diameter, by doing more research
Thank you for your attention