LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under...
Transcript of LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under...
![Page 1: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/1.jpg)
LTE Network Automationunder Threat
Altaf Shaik(Technische Universität Berlin & Kaitiaki Labs)
Ravishankar Borgaonkar
(SINTEF Digital & Kaitiaki Labs)
8 August 2018
KAITIAKI
Blackhat USA 2018, Las Vegas
![Page 2: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/2.jpg)
We Do…
• Mobile network and devices security
• Telecommunication protocol and device analysis
• Attacks and defenses
• Secure network building
8 August 2018
KAITIAKI
![Page 3: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/3.jpg)
Overview
• 4G/LTE & SON operations
• Vulnerabilities and exploitation
• Setup and DoS attacks
• Impact and status
• Mitigations
• Takeaways
8 August 2018
![Page 4: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/4.jpg)
Mobile Network Architecture
8 August 2018
• UE: User Equipment
• eNodeB: Evolved NodeB
• X2: New interface connectingeNodeBs
• P: Propreitary
![Page 5: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/5.jpg)
Recap - Telco Attacks
• IMSI Catchers
8 August 2018
• Man-in-the-middle
• Interception (Passive)
• SS7• Locate, Track, Manipulate
• DoS (Radio channels & HLR)
![Page 6: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/6.jpg)
Our Focus – Network Automation
• Favorite Target we know ->
• What about attacking base stations ->• Is it possible?
• Remotely, without detection?
• Base stations can operate automatically (self operated)• Self Organized Network (SON)
8 August 2018
![Page 7: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/7.jpg)
Self Organized Network (SON)
• New X2 interface in LTE
• Plug & play network elements - Low CAPEX and OPEX
• Base stations - Automatic configure and control
• 3GPP standardized from LTE Rel. 8 (32.500)
• 5G SON : low-latency, end-to-end intelligent, complex networks
8 August 2018
X2
![Page 8: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/8.jpg)
SON
• Software package installed on eNodeB or OAM
• Mix of standards and implementations
• Vendor implementations (UltraSON, Elastic-SON, NGSON, AirSON)
• 90% Operators support SON
• No reported attacks till now..!
8 August 2018
![Page 9: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/9.jpg)
8 August 2018
Background
![Page 10: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/10.jpg)
8 August 2018
SON Operation in Practice
Self-ConfigurationSelf-OptimizationSelf-Healing
Control System
![Page 11: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/11.jpg)
SON Technical Features
• ANR – Automatic Neighbor Relation
• Discover & add new base stations into the network
• PCI Optimization
• Solve adjacent cell ID conflicts
• MRO – Mobility Robustness Optimization
• Control handover settings to adjust coverage
8 August 2018
![Page 12: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/12.jpg)
SON Operation Modes
• Off
• Collect data, no parameter-change
• Manual apply• Parameter-change with operator confirmation
• Automatic apply• Automatic parameter change, autonomous operation
8 August 2018
![Page 13: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/13.jpg)
SON Design Issue
information from phones & base stations
8 August 2018
SON logic andintelligence
Trusted and Unverified
Design Flaw
![Page 14: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/14.jpg)
Key Question
Rogue eNodeBReal eNodeB
8 August 2018
UE
LTE networkLTE network
![Page 15: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/15.jpg)
Automation in LTE – Vulnerable Points
• Cell configurations• PCI (Physical Cell ID)
• Neighbor relations• Discover eNodeBs, share configs - neighbor cells, load info
• Handover analysis• Performance statistics, success/drop rates
• Coverage enhancements• Radio Link Failure (RLF) report
8 August 2018
![Page 16: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/16.jpg)
8 August 2018
Design Vulnerabilities
![Page 17: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/17.jpg)
LTE PCI Optimization
8 August 2018
• PCI: Physical Cell ID
• Adjacent cells: unique PCI, same frequency
• Network scanners, UE reports report PCI conflicts
• Same PCI: collision/confusion for UEs
• Handover failures, connection issues
122
PCI = 100
**eNodeB forced to change their config**
155
122
133
129
![Page 18: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/18.jpg)
Automatic Neighbor Relation (ANR)
8 August 2018
• Discover new eNodeBs
• Connect on X2 interface
X2
Source: 3GPP
![Page 19: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/19.jpg)
Automatic Neighbor Relation (ANR)
8 August 2018
• Neighbor relation table
• No Remove
• NoHo : No Handover
• NoX2
**No attributes to authorize X2 setup** Source: 3GPP
![Page 20: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/20.jpg)
LTE Handover
8 August 2018
• X2 connected handovers
• GSM vs LTE handover
• No neighbor cell list for UE – detect all
• Based on PCI and EARFCN only
**Reported Cells can be real or fake – No verification**
X2
![Page 21: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/21.jpg)
LTE Handover
8 August 2018
![Page 22: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/22.jpg)
Handover Analysis
• Handover failure types• Early HO, Late HO, HO to wrong cell
• Identify faults• RLF reports (UE -> eNodeB)
• HO reports (eNodeB <-> eNodeB)
• Periodic KPI monitoring
• Solve faults, How?• Adjust coverage settings
**HO blacklist (KPI < HO success threshold)**
8 August 2018
Handover success rate
Handover preparation success rate
Handover execution success rate
Handover problems – solutions
• Increase/decrease coverage
• Change cell index offset
![Page 23: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/23.jpg)
Rogue Data Injection
• Measurement report• Can contain false information (3GPP 36.331) - for handovers and ANR
• Radio Link Failure (RLF) report • Can contain false information (3GPP 36.331) - for MRO
• Handover reports• Reports between eNodeBs about handover failures - for MRO
• Information received from UE - content is not verified
• Attackers can inject rogue data
8 August 2018
![Page 24: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/24.jpg)
Vulnerable Mobile Network Functions
• Cell detection and addition
• Cell ID interference detections
• LTE handover process
• Handover analysis
• Network coverage tuning
8 August 2018
![Page 25: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/25.jpg)
8 August 2018
Exploitation
![Page 26: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/26.jpg)
Rogue eNodeB
• 200 $ setup
• Broadcast channels sufficient
• Spoof cell IDs of a legitimate eNodeB
• No interaction with UE
• Operating range depends on hardware
• 50 meters without amplifiers
• Open source software SRSLTE
• For testing - SON base stations, faraday cage
8 August 2018
![Page 27: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/27.jpg)
122
• Adjacent eNodeBs are connected via X2 (ANR)
• Rogue eNodeB - legitimate PCI and ECGI (133, 272, 112)
• UEs report PCI 133 to eNodeB
• ANR begins to add 133 to NRT
• Problem• Zero control/authorize for X2 setup
• Effect• X2 signaling flood when more cells are impersonated• Handover failures
-> Exploiting X2 Signaling
8 August 2018
133
PCI = 100
133X2
X2
NR PCI No Remove
No HO
No X2
1 122 √
2 109 √
NR PCI No Remove
No HO
No X2
1 122 √
2 109 √
3 133
![Page 28: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/28.jpg)
200
• Adjacent cells/eNodeBs use unique PCI to avoid collision
• Rogue eNodeB Broadcast legitimate PCIs (100, 200, 300)
• Problem• Adjacent eNodeBs cannot use same PCI and starts optimization
• Effect• Restart eNodeB/cell and choose a new PCI• Restart time roughly 7-8 minutes• Release the connected UEs to other base stations (2G/3G)
-> Remotely Kill & Restart LTE Base Station
8 August 2018
PCI = 100
100200300
300
![Page 29: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/29.jpg)
100
• UE in a voice call and sends periodic measurement reports
• Rogue eNodeB Broadcast legitimate neighboring PCI (100)
• Strong signal from PCI 100 causes handover
• PCI 100 already in neighbor list
• Problem• Handover with false information
• Effect• UE connects to rogue eNodeB – Handover hijacked• RLF– report created against a real eNodeB • Ongoing calls are dropped
-> Handover Hijacking (Dropping Calls)
8 August 2018
PCI = 200
100
Start X2 Handover
Handover to PCI=100
Handover failed
Re-establish connectionrejectRLF report
Handover
![Page 30: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/30.jpg)
Impact of Handover Hijacking
• Rogue eNodeB calumniates (defames) a real eNodeB
• RLF reports with false data
• Handover failures
• Coverage changes
• KPI drops – HO blacklisted or eNodeB/cell is shutdown
• 1 rogue eNodeB, 5 seconds – drop all cell (call + data) traffic..!
8 August 2018
![Page 31: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/31.jpg)
Impact – Grand Scale
• Detection by operators – no known methods to detect
• Persistent attacks – time needed for SON to heal
• Full Paper : https://dl.acm.org/citation.cfm?id=3212497
8 August 2018
Subscriber Operator
Call and data drops eNodeB maintenance and repairs
Poor network coverage Poor network coverage
UE downgrades to 3G/2G Revenue loss
Customer complaints
![Page 32: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/32.jpg)
8 August 2018
Security Status
![Page 33: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/33.jpg)
Affected Products
• All LTE phones complying to 3GPP 36.331 >= Rel. 8• 4 basebands vendors (based on tested UEs)
• All network products complying with 32.500 >= Rel.8 • 4 network vendors (based on available product documentation)
8 August 2018
![Page 34: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/34.jpg)
Vulnerability Status
• Disclosed with two operators (SON experts) and GSMA• Biggest European operators experts confirmed the issues
• Comments from GSMA and operators• Switch to less automation – reduce risk
• PCI reallocation during maintenance period
• Unplug a defective eNodeB (not really defective)
• Difficulties to detect & add mitigations
• GSMA guidelines document (ongoing) – protection from rogue base stations
8 August 2018
![Page 35: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/35.jpg)
Solutions
• Signed broadcast messages• Prevent connection to rogue base stations (5G: NO, complicated design)
• Content verification• Verify measurement reports from UE • Compatibility issues, power issues, efficiency problems
• Adding actionable intelligence to SON
• Built-in baseband features to detect rogue base stations• Ongoing work with a vendor
8 August 2018
![Page 36: LTE Network Automation KAITIAKI under Threat - i.blackhat.com · LTE Network Automation under Threat Altaf Shaik (Technische Universität Berlin & Kaitiaki Labs) Ravishankar Borgaonkar](https://reader030.fdocuments.net/reader030/viewer/2022040704/5dd13895d6be591ccb64cd04/html5/thumbnails/36.jpg)
Takeaways
• SON operate with unverified information from phones
• Current SON techniques cannot deal with Rogue base station attacks
• Lack of appropriate parameters for optimal automation decisions
• Automation lacks data verification and rely on few parameters
• A 200 $ rogue device can modify network configurations and turn it OFF..!
8 August 2018