Unveiling LTE Cloud Security

CanSecWest, 2012, Vancouver
Galina Pildush, PhD
[email protected]

Page 1: Unveiling LTE Cloud Security (title slide)

Page 2: WHAT IS THIS TALK ABOUT

Is:
• LTE introduction
• LTE perspectives and vulnerabilities

Is not:
• Everything else

2 Copyright © 2011 Juniper Networks, Inc. www.juniper.net

Page 3: WHAT IS LTE

LTE = Long-Term Evolution of Evolved Universal Terrestrial Radio Access Network
• Greater flexibility of spectrum usage
• Reduced latency
• Interworking with other systems, for example CDMA2000

LTE-Advanced
• Worldwide functionality and roaming
• Service compatibility
• Enhanced peak data rates (100 Mbps – 1 Gbps)

Page 4: THIS IS WHERE IT WAS A FEW YEARS AGO …

[Diagram: basic GPRS architecture blocks and interfaces. Radio access: GERAN (BTS, BSC) and UTRAN (NodeB, RNC). Core network (CN): SGSN, GGSN, MSC/VLR, GMSC, CS-MGW, HSS (HLR, AuC), PCRF. Interfaces: Gb, IuPS, IuCS, A, Gn, Gi, Gx, Gr, Gs, Gc, C, D, Nc, Mc, Nb. External networks: Internet, PSTN. Legend: interfaces supporting user traffic; interfaces supporting signalling.]

Note: This is a display of basic GPRS architecture blocks and interfaces. Not all network elements and interfaces shown.

Page 5: THIS IS WHERE IT IS TODAY … AND STILL EVOLVING …

[Diagram: basic GPRS and EPS architecture blocks and interfaces. Radio access: GERAN (BTS, BSC), UTRAN (NodeB, RNC), E-UTRAN (eNodeB). GPRS core: SGSN, GGSN, MSC/VLR, GMSC, CS-MGW, HSS (HLR, AuC), PCRF. EPS core: MME, S-GW, PDN-GW. Interfaces: Gb, IuPS, IuCS, A, Gn, Gi, Gx, Gxc, Gr, Gs, Gc, C, D, Nc, Mc, Nb, S1-MME, S1-U, S3, S4, S5, S6a, S8, S11, S12, SGi. External networks: Internet, PSTN.]

Note: This is a display of basic GPRS and EPS architecture blocks and interfaces. Not all network elements and interfaces shown.

Page 6: Protocol Reference Model – User Plane (GERAN, UTRAN, E-UTRAN)

[Diagram: Protocol Reference Model, GERAN User Plane (UE – Um – BSS – Gb – SGSN – S4 – Serving GW – S5/S8 – PDN GW – SGi). UE side: application and IP over SNDCP, LLC, RLC, MAC, GSM RF. Gb: BSSGP and Network Service over L1bis. From SGSN through Serving GW to PDN GW: GTP-U over UDP/IP over Layer 2/Layer 1, with a relay function at each intermediate node.]

[Diagram: Protocol Reference Model, UTRAN User Plane (UE – Uu – UTRAN – Iu – Serving GW – S5/S8 – PDN GW – SGi). UE side: application and IP over PDCP, RLC, MAC, Layer 1. From UTRAN through Serving GW to PDN GW: GTP-U over UDP/IP over Layer 2/Layer 1, with relay functions.]

[Diagram: Protocol Reference Model, E-UTRAN User Plane (UE – LTE-Uu – eNodeB – S1-U – Serving GW – S5/S8 – PDN GW – SGi). UE side: application and IP over PDCP, RLC, MAC, Layer 1. From eNodeB through Serving GW to PDN GW: GTP-U over UDP/IP over Layer 2/Layer 1, with relay functions.]

Page 7: Control Plane and User Plane

[Diagram: LTE control plane and user plane. Source: www.3gpp.org]

Page 8: LTE GENERIC ARCHITECTURE

[Diagram: LTE generic architecture spanning the HPLMN, the VPLMN, the IPX Cloud and a 3rd Party Application Function Domain. Elements: eNodeB (E-UTRAN), MME, S-GW, PDN-GW, L-GW, HSS (HLR, AuC), H-PCRF, V-PCRF, OCS, Internet. Interfaces with their protocol stacks: S1-AP over SCTP/IP/lower layers (eNodeB–MME); S10, S11 and S8 carrying GTPv2 and GTP-U over UDP/IP/lower layers; S6a, S9, Gx, Gy and Rx carrying DIAMETER over SCTP/IP/lower layers; SGi over IP/lower layers towards the Internet and the 3rd party domain.]

Page 9: ESTABLISHING THE CONNECTION – NO ROAMING

[Diagram: MME, HSS (HLR, AuC), S-GW, PDN-GW, H-PCRF, OCS and the Internet, with the numbered steps below drawn between the elements.]

1. Attach Request (initial attach, IMSI, PDP Connection Request)
2. Update Location, granting the service
3. Create Session Request
4. Create Session Request
5. Create Session Response
6. Create Session Response
7. Initial Context Setup Request (attach accept, activate default EPS Bearer Request)
8. Initial Context Setup Response
9. Attach Complete, Activate Default Bearer Accept

Note: Connection establishment shown in this diagram is simplified
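The nine steps above, as an added worked example that is not part of the deck: a small Python monitor that checks an observed attach message trace against the order and the sender/receiver pairs of the simplified non-roaming attach. The party names and the direction of each message are assumptions based on the 3GPP attach procedure (the slide only numbers the steps); the traces fed to it are constructed.

```python
# Added example (not from the deck): a monitor for the simplified non-roaming
# attach procedure. Message directions are assumptions based on the 3GPP
# attach procedure; the slide only numbers the steps. Traces are constructed.

# step, sender, receiver, message, steps that must already have completed
EXPECTED = [
    (1, "UE", "MME", "Attach Request", ()),
    (2, "MME", "HSS", "Update Location", (1,)),
    (3, "MME", "S-GW", "Create Session Request", (2,)),
    (4, "S-GW", "PDN-GW", "Create Session Request", (3,)),
    (5, "PDN-GW", "S-GW", "Create Session Response", (4,)),
    (6, "S-GW", "MME", "Create Session Response", (5,)),
    (7, "MME", "eNodeB", "Initial Context Setup Request", (2, 6)),
    (8, "eNodeB", "MME", "Initial Context Setup Response", (7,)),
    (9, "UE", "MME", "Attach Complete", (8,)),
]
SPEC_BY_STEP = {e[0]: e for e in EXPECTED}


class AttachMonitor:
    """Tracks one UE's attach and records every message that arrives out of
    order, between the wrong parties, or more than once."""

    def __init__(self):
        self.done = set()
        self.errors = []

    def observe(self, step, src, dst, msg):
        spec = SPEC_BY_STEP.get(step)
        if spec is None:
            self.errors.append(f"step {step}: not part of the attach procedure")
            return False
        _, exp_src, exp_dst, exp_msg, prereqs = spec
        if (src, dst, msg) != (exp_src, exp_dst, exp_msg):
            self.errors.append(
                f"step {step}: expected {exp_src}->{exp_dst} {exp_msg}, "
                f"saw {src}->{dst} {msg}")
            return False
        if step in self.done:
            self.errors.append(f"step {step}: duplicate {msg}")
            return False
        missing = [p for p in prereqs if p not in self.done]
        if missing:
            self.errors.append(
                f"step {step}: {msg} before step(s) {missing} completed")
            return False
        self.done.add(step)
        return True

    def attached(self):
        return self.done == set(SPEC_BY_STEP)


def check_trace(trace):
    """Run a trace of (step, src, dst, msg) tuples; return (attached, errors)."""
    mon = AttachMonitor()
    for step, src, dst, msg in trace:
        mon.observe(step, src, dst, msg)
    return mon.attached(), mon.errors


# Constructed traces.
NORMAL_TRACE = [(s, src, dst, msg) for s, src, dst, msg, _ in EXPECTED]

# Initial Context Setup Request right after Update Location, with no session
# created on S-GW/PDN-GW: the monitor flags steps 7 and 8.
SKIPPED_SESSION_TRACE = [
    NORMAL_TRACE[0], NORMAL_TRACE[1], NORMAL_TRACE[6], NORMAL_TRACE[7],
]

# A second Attach Request for the same UE while the first attach is pending.
DUPLICATE_TRACE = [NORMAL_TRACE[0], NORMAL_TRACE[0]]

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_TRACE),
                        ("skipped session", SKIPPED_SESSION_TRACE),
                        ("duplicate attach", DUPLICATE_TRACE)]:
        ok, errs = check_trace(trace)
        print(f"{name}: attached={ok} errors={errs}")
```

The prerequisite tuples encode the dependency the diagram draws: the MME should not accept the attach (step 7) until the HSS has granted service (step 2) and the bearer exists end to end (step 6). Real S1-AP/GTPv2/DIAMETER traces would need the messages decoded first; the monitor only reasons about order and parties.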

Page 10: LTE FROM OPERATOR’S PERSPECTIVE

Traditionally PSTN is a “Walled Garden”
• Protocols are not widely spread and/or known
• Complex protocols
• Closed architectures
• Controlled access

Today LTE access uses IP as a transport
• Convergence of voice and data
• Convergence of wireline and wireless
• Lower operations costs

Ahh… Life is good … or IS IT NOT?

Page 11: LTE FROM CONSUMER PERSPECTIVE

• Love sooo … many Apps - over 10.9 billion (expected to rise to 76.9 billion by 2014!) *
• The more the merrier
• Free is better than paid for
• Voice, video, data – all in one!
• Enjoy high speed
• Want my SP to maintain the service I subscribe to

Ahh… Life is good… or IS IT NOT?

*Source: IDC

Page 12: LTE FROM ENTERPRISE PERSPECTIVE

• Can connect with staff any time from anywhere
• Should be able to increase productivity
• Faster decision making
• Instant access to teleworkers
• Instant deal making
• Etc., etc., etc …

Ahh… Life is good … or IS IT NOT?

Page 13: LTE FROM HACKER’S PERSPECTIVE

• The more apps, the merrier – it’s a Wild-Wild West (WWW) out there – grab as much as you can
• No regulations, validations, or restrictions
• I can masquerade as anyone or anything
• Phish around, tricking you into entering sensitive information
• Financial theft
• Privacy theft
• Challenge is invigorating
• This is a wonderland – millions of walking servers with eyes and ears, without firewalls

Ahh… Life IS good!

Page 14: WHAT CAN WE CONCLUDE?

• LTE is IP end-to-end
• The protocols are open
• The infrastructures are getting more complex
  - This could introduce new vulnerabilities
  - Complexity does not mean more secure

What does it all mean to a security person?

Page 15: LET’S DEFINE A PROBLEM STATEMENT

The threats are possible on:
• Network Infrastructure Elements – RAN, Core
• Bandwidth consumption
• Servers

Page 16: WHAT ARE THE POSSIBLE THREATS?

On network elements
• Flood attacks
• Worm infections and Trojan attacks
• Spam and virus attacks
• Man-in-the-middle attacks

On UEs
• Phishing
• Botnet
• Viruses
• Worms
• Trojan attacks

Trusted but infected UEs could become sources of attacks

Page 17: WHAT ARE THE EFFECTS OF THE THREATS?

Paralyzed:
• Network elements and/or entire network infrastructures
• Fixed servers
• Mobile servers – UEs

• Misbehaved servers
• Mis-billing and/or overbilling
• Battery drainage on UEs
• Personal data compromised
• Financial theft
• Misconduct
• Unhappy customers
• Loss of privacy
• Loss of customers
• Bad industry reputation
• Loss of revenue and business

Page 18: Attacks on LTE – Places of Vulnerabilities

Page 19: VULNERABILITIES – WHERE?

UEs
• The out-of-control spread of unprotected servers – smart phones

Operators’ core
• Facing Internet
• Peering points
• RAN-Core connection

Operators’ RAN

EVERYWHERE

Page 20: LTE SCTP POINTS OF VULNERABILITY

[Diagram: the LTE generic architecture from page 8 (HPLMN, VPLMN, IPX Cloud, 3rd Party Application Function Domain; eNodeB, MME, S-GW, PDN-GW, L-GW, HSS (HLR, AuC), H-PCRF, V-PCRF, OCS, Internet) with the SCTP-transported interfaces highlighted: S1-AP over SCTP/IP/lower layers between eNodeB and MME, and DIAMETER over SCTP/IP/lower layers on S6a, S9, Gx, Gy and Rx, including the S6a and S9 links that cross the IPX Cloud between HPLMN and VPLMN.]

Page 21: LTE SCTP VULNERABILITY

SCTP association hijacking:
• Address camping or stealing
• If an attacker can take over an IP address, they can restart the association
• Man-in-the-middle

Bombing attacks:
• Get a server to amplify packets to an innocent victim
• Allows an attacker to use an arbitrary SCTP endpoint to send multiple packets to a victim in response to one packet
• Allows an attacker to use an SCTP server to send a larger packet to a victim than it sent to the SCTP server

Association redirection - http://tools.ietf.org/html/rfc5062

Page 22: LTE DIAMETER POINTS OF VULNERABILITY

[Diagram: the LTE generic architecture from page 8 (HPLMN, VPLMN, IPX Cloud, 3rd Party Application Function Domain; eNodeB, MME, S-GW, PDN-GW, L-GW, HSS (HLR, AuC), H-PCRF, V-PCRF, OCS, Internet) with the DIAMETER interfaces highlighted: S6a (MME–HSS), S9 (H-PCRF–V-PCRF across the IPX Cloud), Gx (PCRF–PDN-GW), Gy (PDN-GW–OCS) and Rx (PCRF–3rd Party Application Function), each carried over SCTP/IP/lower layers.]

Page 23: LTE DIAMETER VULNERABILITY

Diameter attacks
• Negotiation attack – could cause a Diameter server to choose a less secure authentication method (CHAP, PAP, for example)
• Connection hijacking – attacker attempts to inject packets
• Replay
• Snooping packets
• Packet modifications
• Impersonation – rogue NEs with forged IP addresses
• Man-in-the-middle attack – attackers gain control of a Diameter agent, modifying packets in transit

Page 24: LTE PEERING VULNERABILITY - GTP

[Diagram: the LTE generic architecture from page 8 (HPLMN, VPLMN, IPX Cloud, 3rd Party Application Function Domain; eNodeB, MME, S-GW, PDN-GW, L-GW, HSS (HLR, AuC), H-PCRF, V-PCRF, OCS, Internet) with the GTP interfaces highlighted: S10, S11 and the roaming S8 interface across the IPX Cloud, carrying GTPv2 and GTP-U over UDP/IP/lower layers.]

Page 25: LTE PEERING VULNERABILITY

Attacks from a peering side – GTPv2 and GTP-U
• GTP-in-GTP could be used as an attack – spoofing NEs, recursive GTP packet processing
• Rogue data from “trusted” partners

Remember – although GTP is “GPRS Tunnelling Protocol”, there is no built-in encryption
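The GTP-in-GTP and NE-spoofing concerns above, as an added example that is not part of the deck: a minimal GTPv1-U parser plus the two checks a firewall on a peering (S8) or RAN-core boundary would run on each tunnelled packet, whether the inner packet is itself GTP-U (nesting), and whether its source address belongs to the UE pool at all. The UE pool, TEIDs and packets are constructed for the example; IP/UDP checksums are left at zero.

```python
# Added example (not from the deck): inspect a GTP-U packet as a firewall at
# a peering (S8) or RAN-core boundary might, flagging GTP-in-GTP and inner
# packets whose source is not a UE address. Packets below are constructed.
import ipaddress
import struct

GTPU_PORT = 2152      # GTP-U well-known UDP port
GTP_MSG_GPDU = 0xFF   # G-PDU: the tunnelled user packet


def parse_gtpu(buf):
    """Parse a GTPv1-U header; return (header fields, tunnelled payload)."""
    if len(buf) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", buf[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    off = 8
    hdr = {"msg_type": msg_type, "teid": teid, "seq": None}
    if flags & 0x07:                       # E, S or PN flag: optional 4 bytes
        seq, _npdu, next_ext = struct.unpack("!HBB", buf[8:12])
        hdr["seq"] = seq
        off = 12
        while next_ext != 0:               # walk the extension header chain
            ext_len = buf[off] * 4
            next_ext = buf[off + ext_len - 1]
            off += ext_len
    return hdr, buf[off:8 + length]        # length counts everything after byte 8


def parse_ipv4(buf):
    """Minimal IPv4 header parse; returns None if not IPv4."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    return {"proto": buf[9],
            "src": ipaddress.IPv4Address(buf[12:16]),
            "dst": ipaddress.IPv4Address(buf[16:20]),
            "payload": buf[ihl:]}


def inspect_gtpu(buf, ue_pool):
    """Return a list of (finding, detail) tuples for one GTP-U packet."""
    findings = []
    hdr, payload = parse_gtpu(buf)
    if hdr["msg_type"] != GTP_MSG_GPDU:    # echo/error indication: no user data
        return findings
    ip = parse_ipv4(payload)
    if ip is None:
        return findings
    if ip["src"] not in ue_pool:           # a bearer should only carry UE-sourced traffic
        findings.append(("inner-src-not-ue", str(ip["src"])))
    if ip["proto"] == 17 and len(ip["payload"]) >= 8:
        sport, dport, _ulen, _csum = struct.unpack("!HHHH", ip["payload"][:8])
        if GTPU_PORT in (sport, dport):    # the tunnelled packet is itself GTP-U
            findings.append(("gtp-in-gtp", f"teid=0x{hdr['teid']:x}"))
    return findings


# --- constructed sample packets (checksums left at zero) -------------------
def build_ipv4_udp(src, dst, sport, dport, data):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp


def build_gtpu(teid, payload, seq=None):
    flags, opt = 0x30, b""                 # version 1, PT=1 (GTP)
    if seq is not None:
        flags |= 0x02                      # S flag: sequence number present
        opt = struct.pack("!HBB", seq, 0, 0)
    header = struct.pack("!BBHI", flags, GTP_MSG_GPDU, len(opt) + len(payload), teid)
    return header + opt + payload


UE_POOL = ipaddress.ip_network("10.10.0.0/16")   # assumed UE address pool
NORMAL = build_gtpu(0x1234, build_ipv4_udp("10.10.1.5", "198.51.100.7", 40000, 53, b"dns?"), seq=1)
INNER = build_gtpu(0xBEEF, build_ipv4_udp("10.10.9.9", "198.51.100.7", 40001, 53, b"x"))
NESTED = build_gtpu(0x1234, build_ipv4_udp("192.0.2.10", "192.0.2.20", GTPU_PORT, GTPU_PORT, INNER))

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("nested", NESTED)):
        print(name, inspect_gtpu(pkt, UE_POOL))
```

The second check is the cheaper of the two and catches the common case of the spoofing the slide mentions: user-plane traffic arriving from a roaming partner whose inner source address is a core-network element rather than a subscriber. Neither check substitutes for confidentiality; as the slide says, GTP itself offers none, so the transport has to be protected separately.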

Page 26: LTE SGI VULNERABILITY

[Diagram: the LTE generic architecture from page 8 (HPLMN, VPLMN, IPX Cloud, 3rd Party Application Function Domain; eNodeB, MME, S-GW, PDN-GW, L-GW, HSS (HLR, AuC), H-PCRF, V-PCRF, OCS) with the SGi interfaces highlighted: plain IP over lower layers from the PDN-GW and the L-GW towards the Internet.]

Page 27: LTE SGI VULNERABILITY

Attacks from the Internet – SGi
• DDoS attacks
• Botnets
• Exploit core network elements and turn them into attack vectors
• Viruses, worms, Trojans
• Overbilling
• Etc… etc… etc

Page 28: LTE UE VULNERABILITY

SMS Trojans –
• Polymorphic, mutating with every download
• Known as server-side polymorphism
• Existed in the world of desktops
• More can be found here - http://www.techworld.com.au/article/414311/symantec_warns_android_trojans_mutate_every_download

Attacks evolved from SMS type to application layer, covering ALL handheld devices – iPhones/iPads, Androids, RIM, Notebooks, etc, etc, etc…

• Spam messages
• Exploit of unregistered pre-paid SIM cards
• Exploit of signaling fraud

Page 29: HENCE, LTE PROTECTION MUST HAPPEN @

• UE
• Network Infrastructure
• RANs

Against known and unknown attacks

Page 30: WHERE SHOULD LTE PROTECTION HAPPEN – A CLOSER LOOK …

[Diagram: the LTE generic architecture from page 8 (HPLMN, VPLMN, IPX Cloud, 3rd Party Application Function Domain; eNodeB, MME, S-GW, PDN-GW, L-GW, HSS (HLR, AuC), H-PCRF, V-PCRF, OCS, Internet) with LTE-FW elements placed at multiple points: on the roaming interfaces (S6a, S8, S9) towards the IPX Cloud, on the SGi interfaces towards the Internet and the 3rd Party Application Function Domain, on the Rx and Gy interfaces, and in front of the S-GW/PDN-GW.]

Page 31: Current States of Concern

Page 32: CURRENT STATE OF CONCERN

• From operator’s perspective
• From user’s perspective
• From industry standard’s perspective

Page 33: CURRENT STATE OF CONCERN – OPERATOR (1 OF 2)

• While convergence sounds great, should I converge all my networks – wireline, wireless, voice, data, others (?)
• How do I protect my cloud?
• Where is my “walled garden”?
• IP transport + UEs (walking servers) + apps bring security concerns
• Protocol vulnerabilities at signaling/control planes
• Open protocols/applications
• Lack of apps standards
• What are the possible vulnerabilities?
• Is it good enough to just do NAT/CGNAT?
• Are the threats really there?

Page 34: CURRENT STATE OF CONCERN – OPERATOR (2 OF 2)

Exponential spread of UEs
• Is this a déjà vu of wireline 10-15 years ago?
• How do I detect an infected UE?
• What do I do with an infected UE?
• Should I do policy enforcement with an infected UE?

• Can I be held liable for delivering customer traffic securely?
• Cost vs. risk
• Complexity vs. ease of management

Transition to IPv6
• Could IP within IP pose more threat?

Page 35: CURRENT STATE OF CONCERN - USER

Protect
• My phone from viruses, Trojan attacks, worms, etc.
• Integrity of my data
• My privacy

Ensure
• Secure access
• Secure services
• Proper billing
• Optimal use of my phone, including its battery life
• Privacy

Page 36: CURRENT STATE OF CONCERN - STANDARDS

• Takes a long time
• From standards security perspective
  - Missing holistic view - it is rather piecemeal
  - Optional encryption of EVERYTHING

Is it enough?

Page 37: SOME PREVENTATIVE MEASURES

• Be careful with new Apps
• Anything free could bite you back – free WiFi, free app, free …
• Check for availability of security solutions for your UEs
• Be proactive in designing your protection
  - Include protection of the protectors – firewalls
  - Deploy FWs
  - Deploy IPSec VPNs
• Be careful with what is encrypted
  - Ensure you trust the termination elements of IPSec
  - Can you afford to trust them?

Page 38: SOME KEY STRATEGY ELEMENTS

Understand the “normal” traffic flows
• Define baseline

Throttle traffic close to source
• Throttle at perimeter, as close to source as feasible
• Pros – more accurate and controlled
• Cons – could be scaling difficulty
• Reduces the impact of unknown
• Evens the traffic flows

Apply FW protection
• Deploy elements of firewall features for DDoS, etc. attacks
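The first two strategy elements above, define a baseline and then throttle close to the source, as an added example that is not part of the deck: a per-source baseline learned from a training window, then a token bucket per source sized from that baseline. The flow records, the two UE addresses, the headroom factor and the “mean plus three standard deviations” rule are all constructed for the example; a real deployment would pick the window and the margin from its own traffic.

```python
# Added example (not from the deck): learn a per-source "normal" rate from a
# training window, then throttle with a token bucket sized from that baseline.
# Flow records are constructed; the sources stand in for UE addresses.
import statistics
from collections import defaultdict


def learn_baseline(flows, window=1.0, sigmas=3.0):
    """flows: iterable of (t_seconds, src, packets). Returns {src: ceiling},
    where ceiling = mean + sigmas * stddev of packets per window."""
    per_src = defaultdict(lambda: defaultdict(int))
    for t, src, n in flows:
        per_src[src][int(t // window)] += n
    baseline = {}
    for src, per_window in per_src.items():
        counts = list(per_window.values())
        baseline[src] = statistics.fmean(counts) + sigmas * statistics.pstdev(counts)
    return baseline


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, t, n):
        if self.last is None:
            self.last = t
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


def throttle(flows, baseline, default_rate=10.0, headroom=1.5):
    """One bucket per source, rate = baseline * headroom, burst = 2 * rate.
    Returns ({src: packets passed}, {src: packets dropped})."""
    buckets, passed, dropped = {}, defaultdict(int), defaultdict(int)
    for t, src, n in sorted(flows):
        rate = baseline.get(src, default_rate) * headroom
        bucket = buckets.setdefault(src, TokenBucket(rate, burst=2 * rate))
        if bucket.allow(t, n):
            passed[src] += n
        else:
            dropped[src] += n
    return dict(passed), dict(dropped)


def constructed_flows():
    """Training window: two UEs at a steady ~50 and ~40 packets/s for 10 s.
    Test window: the first UE stays steady, the second floods at 500 packets/s."""
    train, test = [], []
    for sec in range(10):
        train += [(sec + i * 0.2, "10.10.1.5", 10) for i in range(5)]
        train.append((sec, "10.10.2.7", 38 if sec % 2 == 0 else 42))
    for sec in range(100, 105):
        test += [(sec + i * 0.2, "10.10.1.5", 10) for i in range(5)]
        test += [(sec + i * 0.02, "10.10.2.7", 10) for i in range(50)]
    return train, test


def run_demo():
    """Learn the baseline on the training window and throttle the test window."""
    train, test = constructed_flows()
    baseline = learn_baseline(train)
    passed, dropped = throttle(test, baseline)
    return baseline, passed, dropped


if __name__ == "__main__":
    baseline, passed, dropped = run_demo()
    print("baseline (packets/s):", baseline)
    print("passed:", passed)
    print("dropped:", dropped)
```

The steady source is never throttled, and the flooding source is held to roughly its learned ceiling plus the bucket's burst allowance, which is the "evens the traffic flows" effect the slide describes. The scaling concern on the slide shows up here as one bucket of state per source; at a perimeter carrying many UEs that state has to live somewhere that can keep up.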

Page 39: WHO SHOULD BE RESPONSIBLE FOR YOUR MOBILE PROTECTION?

• You?
• Smart phone manufacturer?
• Service provider?
• Anybody else?

And

Is mobile protection just that – “mobile” – or is it “YOUR Identity”?

Page 40: A THREE-PILLAR VIEW – YOU + OPERATOR + MANUFACTURER

Page 41: THANK YOU!

QUESTIONS?

THOUGHTS?