The Mobile Network and Its Collective Insecurity
Sector.ca
Chuck McAuley Senior Systems Engineer
A little bit about me
• I work at a Network Test Company
• We get to poke things all day
  – Firewalls
  – Routers
  – Wifi
  – Mobile Networks
• I typically work with Service Providers and Network Equipment Manufacturers
• I focus on testing Deep Packet Inspection Devices for Layers 4-7
  – IPS, Firewalls, App ID engines, Malware detection, User Monitoring Systems, etc.
  – Performance and Security testing
• About two years ago, we got the opportunity to start testing mobile packet core equipment
  – Found that most of that equipment was fragile
  – Byzantine
  – And not very worried about security
Goals and Objectives
• Demystify the mobile network and the Evolved Packet Core (EPC) elements
• Demonstrate the correlation between EPC elements and typical IP network elements
• Discuss the EPC elements’ possible vulnerabilities, attack vectors, and associated test cases
In Scope and Out of Scope of this Talk
In Scope:
• LTE/EPC
• 3GPP functional domain: network domain security
• The security and stability of mobile network elements

Out of Scope (though sometimes mentioned):
• 2G/3G
• Mobile network security devices
• 3GPP functional domains: network access security, user domain security, application domain security, visibility and configurability of security
• The call flow registration/attach/authentication process and its potential weaknesses
• Confidentiality/integrity/authentication of user and control data
• VoIP/VoLTE/IMS and DNS threats
• Ironically, the security features in the mobile network elements
• Backhaul security
• Radio (Wireless)
Mobile Network vs. a Typical Enterprise Network
A typical user’s view of how the Internet works
How most people think the mobile network works
The Typical Enterprise Network
The Complex Mobile Network
The Mobile Network
(diagram: “Your Phone” on one side, “The Internet” on the other; not reproduced)
The Evolved Packet Core
• The EPC is the wired portion of an LTE network
• The wireless portion is referred to as the E-UTRAN
• The combined EPC + E-UTRAN is called the EPS
• The EPC is being standardized as the core network for multiple access mechanisms, including LTE, 2G, 3G, non-3GPP, WiFi, and even wireline networks
• This is HUGE: the EPC will be the carrier’s converged network
First: A Network Element Decoder Ring
Decoder Ring: Long Term Evolution (LTE) to Enterprise

LTE                          | Enterprise
-----------------------------|----------------------
User Equipment               |
eNodeB                       | Wireless Access Point
MME + HSS                    | Authentication
Serving Gateway              | Edge Router
Packet Data Network Gateway  | Core Router

(second decoder-ring diagram, zones labelled “Phone Land”, “Magic Zone” and “Internet”; not reproduced)
Security Elements
The Lack of Security Elements
• Typically, there are no active security elements in the Evolved Packet Core
• The pervasive mentality around this technology is that the EPC is still “protected” or “hidden”
• We often hear:
  “Yes, but no one would ever do that.”
  “Why would you do that?”
  or best…
  “It’s a protected network (managed by others) that users cannot reach.”

“The economics of consumer subscriber networks do not incent providers to implement security until a problem occurs.” Arbor Networks 2012 Security Report
A Semblance of Some Security, Seriously
• There are few, if any, security controls
• Most carriers (72%) perform NAT, known as Carrier Grade NAT (CGN)
• Carriers employ a firewall between their PGW and other carriers’ SGWs when their customers’ UEs are roaming on another carrier’s network
  • Partner Border (EPC-to-EPC / S8)
• Intelligent DDoS Mitigation Systems (IDMS)
  • Internet Border (EPC-to-Internet / SGi)
Additional Security Elements
• Security Gateways (SEG) between RAN & EPC: these are just IPsec gateways
  • Mobile Access Border (RAN-to-EPC / S1)
  • Internet Border (EPC-to-Internet / SGi)
  • Partner Border (EPC-to-EPC / S8)
• Integrated security features in the SGW/PGW
  • Certain carriers also deploy independent PCEFs (Policy and Charging Enforcement Functions) that feed the PGW
• Basic firewalls being deployed between carriers to support roaming
Network Visibility
Network visibility and out-of-band analysis is still a challenge, yet is increasing in popularity
• Traffic must be tapped or “spanned” to a separate network
• Correlation between control and user data must be maintained
• Not all data can be analyzed
  • There are a lot of users
  • There are very few tools (packet capture, IDS, malware analysis, etc.)

“60 percent of Mobile Providers do not have visibility into the traffic on their mobile/evolved packet cores” Arbor Networks 2012 Security Report
Lawful Intercept
• Done using SPAN ports on the network elements (eNB, SGW, PGW) or taps
• VERY good chance that it then uses the Network Visibility Packet Brokers for filtering and aggregation
• Government observation
• All carriers are subject to it
• Control plane data is prioritized over user plane data
• “Observed” interfaces:
  • Mobile Access Border (RAN-to-EPC / S1)
  • Internet Border (EPC-to-Internet / SGi)
  • Partner Border (EPC-to-EPC / S5/S8)
  • Authentication Border (MME-to-SGW / S11)
Contributing Factors to EPC Network Element Vulnerabilities
LTE is Immature
• 2G/3G have been around for 14+ years
• 4G (LTE, specifically) specifications have been “frozen” for 5 years, while the initial spec was proposed 9 years ago
• There will continue to be growing pains
4G Networks are more accessible and accessed
Key differences between 3G and 4G:
• LTE’s Evolved Packet Core (EPC) is an “all IP” system
• The individual elements are more intelligent
  • More features = more attack surfaces = more vulnerabilities
• LTE can handle higher capacities
  • Resulting in more users and more data
• Easier to control and monetize additional services
  • More services = more attack surfaces = more vulnerabilities
• LTE is cheaper
  • More HW vendors competing
Little Competition
• 4 companies make the bulk of LTE equipment
• A small competitive landscape makes for less robust equipment
• There are a few startups, but their market share is dwarfed by these four
Large number of Interfaces
• There are different (network) interfaces between every pair of EPC network elements
• They are standards-based (3GPP)
• There are a lot of them
• Each represents a different protocol exchange (GTP, SCTP, Diameter, etc.)
Too often testing is done in isolation
• Feature / Functional Testing
• Scale and Performance Testing
• Security Testing
• Little to no concern for product robustness
Put it all together
• Constantly changing standards
• High level of complexity
• Low amount of competition
• Isolated and limited security testing
• Limited visibility into the production network
• Fast-growing environment
EPC Network Element Assessments
UE: Potential Vulnerabilities and Attack Vectors
• “Jail broken” = vulnerable software
• Installation of malware-infected applications
• Remote installation of SIM card apps
• Old, un-patched software
• Traditional malware infection scenarios:
  • Email attachment
  • Compromised website
  • Drive-by downloads
User Equipment
The single biggest threat is the users themselves
UE: Attackers’ Motives
• People invade phones for the same reason as PCs: $$$
• Methods of extraction
  – Botnets (could and probably do participate in any and all of the following)
  – Data exfiltration: banking, CC, email, credentials, contacts, etc.
  – Toll fraud
  – SMS fraud
  – “In-application” purchases
  – Extortion
  – Misc:
    • SPAM contacts, DDoS
    • Call premium #s, follow tainted URLs
UE: Potential Attacks
• Potential attacks:
  – Roaming fraud: attaching to an already-compromised eNB
  – Using the UE as an attack proxy:
    • Pivoting to corporate WiFi networks
    • DDoSing LTE EPC elements:
      – eNodeB control message flood
      – Registration flood
      – Bearer tunnel exhaustion
eNodeB
Potential Vulnerabilities and Attack Vectors:
• Unaware of any over-the-air attacks on towers today
• Similar to WiFi abuses, but with a more proprietary point of entry
• Could feasibly send attacks across the wire over IP
  • However, none of its protocols are “responders” (the eNB initiates toward the core)
  • Attack management and other services
• eNBs might be deployed in buildings and other accessible areas, so physical access is possible
  • Tapping GTP-U data is possible
eNodeB vs. Wireless Access Point
eNode-B
Known Attacks:
• There does exist the potential of a poisoned or spoofed tower
  • This isn’t so much an attack on an eNodeB as it is an attack on the UEs
• Non-carrier towers have been put in place for impromptu pager networks, cartels, or even to hijack 2G phones at events (Burning Man, DEF CON)
MME
MME: S1-MME Interface
S1-MME:
• Role: Responder and Initiator
• Stack: S1AP over SCTP over IP
• Used for control-plane communication between the eNodeB and the MME (AAA)
• Listens on SCTP port 36412: set port scanners to stun

Generic Potential Vectors / Methods of Attack:
• No safety mechanisms in place for DDoS mitigation
  • Can flood the MME with “UE Attach” messages
• No cryptographic authentication on S1AP
  • Any host can connect to an MME as long as ACLs allow it
MME + HSS vs. Authentication
MME: S1-MME Interface
Potential Vectors / Methods of Attack:
• S1AP is an open attack surface
  • Fuzz it: there are millions of fields available for fuzzing with random data
  • Send S1AP control plane registration messages out of order to “confuse” the state machine
  • Send S1AP control plane registration messages that do not include mandatory fields
  • Send multiple requests/responses for the same UE identity (IMEI) at the same time
  • Send requests/responses for a different IMEI after one was already established
• The SCTP stack is not as well tested as TCP
  • Fuzz it
  • Create crazy scenarios with the stream ID
  • Send fragments / jumbo packets
  • 4/27/2013: MME reset bug related to fragmentation processing
SCTP – A digression – rfc 4960
• SCTP was developed to support SIGTRAN/SS7: carrying the phone-call signalling system over IP between distant sites
  – Ties into the PSTN (aka “the phone network”)
  – Developed by phone companies
• SCTP is a TCP “replacement”
  – Stream based
  – Has “advanced features” to “protect” against attacks that affect TCP (e.g. a four-way handshake with a cookie against SYN-flood style attacks)
  – According to Wikipedia, has a “simpler, basic structure”
• However, run a quick fuzzer for a few seconds, and get one of these:
  (screenshot of the resulting crash; not reproduced)
• And Google is no help either
Even more SCTP digression
Robin Seggelmann might’ve based the heartbeat code for SSL off of the SCTP protocol/code: http://tinyurl.com/o5xdrot (goes to reddit)
SCTP Points of interest
S1AP Points of interest
Mapping S1AP messages to Phone Information
How do i find an MME?
• SCTP is built into most modern Linux kernels
• lksctp-tools
  – lets you set up basic SCTP clients and servers easily
• sctpscan
  – good scanner for listening SCTP devices
• Nmap has support now
• socat support
  – can be listener or sender
  – socat SCTP-CLIENT:1.1.1.1:36412 -
• Port scanning SCTP won’t work behind most firewalls running SNAT, because they only translate TCP/UDP, not SCTP
• Craft an S1 Setup Request (S1AP) message and send it across socat or similar
• Break into the baseband radio of a phone
  – See the Droid RAZR baseband hack from DEF CON 22
  – Hack all the things
HSS
HSS
• HSS is a Diameter server
• Uses SCTP (or TCP) port 3868
• Normally found as a load-balanced cluster
• The load balancer for Diameter is called a DRA
  – Diameter Routing Agent
• The MME authenticates the subscriber (IMSI) against the HSS
• The HSS is typically an “appliance-ized” Linux or BSD box
• Attack vectors:
  – Knock out the HSS cluster: no one can sign onto the network
  – Break into the HSS, add your own device onto the network: FREE DATA!!!
  – Very fragile devices
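As an added example (not from the original deck or any vendor’s code), the following Python builds the Capabilities-Exchange-Request that any Diameter peer sends first after the SCTP/TCP connection to a DRA or HSS comes up, and parses replies while checking every length field before trusting it. Host names, realm and IP address are made up; AVP and command codes are from RFC 6733, 10415 is the 3GPP vendor id, and 16777251 is the S6a application id from 3GPP TS 29.272.

```python
import struct

# Diameter base protocol (RFC 6733) codes used below. S6a, the MME<->HSS
# application, is Diameter application id 16777251 (3GPP TS 29.272).
CMD_CER = 257                 # Capabilities-Exchange-Request/Answer
AVP_HOST_IP_ADDRESS = 257
AVP_ORIGIN_HOST = 264
AVP_VENDOR_ID = 266
AVP_PRODUCT_NAME = 269
AVP_ORIGIN_REALM = 296
FLAG_REQUEST = 0x80           # message flags: R bit
AVP_FLAG_VENDOR = 0x80        # AVP flags: V bit (Vendor-Id field present)
AVP_FLAG_MANDATORY = 0x40     # AVP flags: M bit
VENDOR_3GPP = 10415


def avp(code, data, flags=AVP_FLAG_MANDATORY, vendor_id=None):
    """Encode one AVP: code(4) flags(1) length(3) [vendor(4)] data, padded to 4 bytes.
    The length field covers the header and unpadded data only."""
    hdr_len = 8
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        hdr_len = 12
    header = struct.pack("!IB", code, flags) + struct.pack("!I", hdr_len + len(data))[1:]
    if vendor_id is not None:
        header += struct.pack("!I", vendor_id)
    return header + data + b"\x00" * (-len(data) % 4)


def diameter_message(cmd_code, app_id, hop_by_hop, end_to_end, avps, flags=FLAG_REQUEST):
    """20-byte header: version(1) length(3) flags(1) command(3) app-id(4) hbh(4) e2e(4)."""
    body = b"".join(avps)
    header = (b"\x01" + struct.pack("!I", 20 + len(body))[1:]
              + bytes([flags]) + struct.pack("!I", cmd_code)[1:]
              + struct.pack("!III", app_id, hop_by_hop, end_to_end))
    return header + body


def build_cer(origin_host, origin_realm, ipv4, vendor_id=0, product="probe",
              hop_by_hop=1, end_to_end=1):
    """CER: the first message on a new Diameter transport, so a natural liveness probe."""
    return diameter_message(CMD_CER, 0, hop_by_hop, end_to_end, [
        avp(AVP_ORIGIN_HOST, origin_host.encode()),
        avp(AVP_ORIGIN_REALM, origin_realm.encode()),
        # Address type: 2-byte address family (1 = IPv4) followed by the address bytes
        avp(AVP_HOST_IP_ADDRESS, struct.pack("!H", 1) + bytes(int(o) for o in ipv4.split("."))),
        avp(AVP_VENDOR_ID, struct.pack("!I", vendor_id)),
        avp(AVP_PRODUCT_NAME, product.encode(), flags=0),   # Product-Name carries no M bit
    ])


def parse_diameter(data):
    """Parse header and AVPs; raises ValueError on any length inconsistency rather than
    indexing past the buffer. Returns a dict; avps is a list of (code, vendor, value)."""
    if len(data) < 20:
        raise ValueError("short Diameter header")
    version = data[0]
    msg_len = int.from_bytes(data[1:4], "big")
    flags = data[4]
    cmd = int.from_bytes(data[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", data[8:20])
    if version != 1 or msg_len != len(data):
        raise ValueError("bad version or message length")
    avps, off = [], 20
    while off < msg_len:
        if msg_len - off < 8:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", data[off:off + 5])
        alen = int.from_bytes(data[off + 5:off + 8], "big")
        hdr = 12 if aflags & AVP_FLAG_VENDOR else 8
        if alen < hdr or off + alen > msg_len:
            raise ValueError("AVP length out of range")
        vendor = struct.unpack("!I", data[off + 8:off + 12])[0] if aflags & AVP_FLAG_VENDOR else None
        avps.append((code, vendor, data[off + hdr:off + alen]))
        off += alen + (-alen % 4)                   # step over padding to the next AVP
    return {"request": bool(flags & FLAG_REQUEST), "cmd": cmd, "app_id": app_id,
            "hop_by_hop": hbh, "end_to_end": e2e, "avps": avps}


def is_malformed(data):
    """True if parse_diameter rejects the bytes (what a robust HSS/DRA must do quietly)."""
    try:
        parse_diameter(data)
        return False
    except ValueError:
        return True
```

To use it as a probe, open an SCTP (or TCP) socket to port 3868, send `build_cer(...)`, and feed the reply to `parse_diameter`; a CEA carries command code 257 with the R bit clear and a Result-Code AVP (268). The parser’s refusal to index past `msg_len` is the property the “performance testing, no security -> crash” results later in the deck show to be missing in the field.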
SGW
SGW: S11 Interface
S11: GTPv2-C
• Role: Responder
• Used for bringing up GTP “contexts”, otherwise known as tunnels
• TLV-based protocol that runs over UDP
• UDP port 2123

Potential Attacks:
• Send random fuzzed traffic at the GTP-C port, with or without the GTP headers
  • This has been successful and caused repeated reboots of SGWs
Serving Gateway vs. Edge Router
S1-U: GTPv1-U
• Role: Responder
• Tunnels IP packets inside of IP
• Similar function to a VPN
• IPsec is possible
• Fixed GTP header (with optional extension headers) followed by the encapsulated IP packet
• Contains all of the users’ data traffic
  • This is your super sekrit cat pictures and emails

Potential Attacks:
• This is the easiest point of entry for an attacker, as this is an IP address that the UE knows and uses
• Toll fraud: using the wrong data channel for data
  • Tunnel data traffic over DNS
• Sending malformed IP PDUs over GTP-U has caused many crashes on SGWs as they “unwrap” the packet
• DDoS or “performance test” with a standard application protocol mix
SGW: S1-U Interface
Protocol stack on S1-U, top to bottom: HTTP / TCP / IP (the user’s packet) / GTP-U / UDP port 2152 / IP (transport) / Layer 2 / Layer 1 (GTP-U is registered on UDP 2152; UDP 2123 is GTP-C)
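To make the “unwrap” step concrete, here is an added Python example (not code from the deck or from any SGW vendor) that encapsulates a user IP packet in a GTPv1-U header and decapsulates it strictly: the GTP length, the optional sequence/extension fields and the inner IPv4 header lengths are all checked against the bytes actually present before anything is indexed. The TEID and IP addresses are made up test values.

```python
import struct

GTPU_PORT = 2152            # GTP-U (3GPP TS 29.281); GTP-C is UDP 2123
MSG_G_PDU = 255             # message type for a T-PDU carrying a user IP packet


def gtpu_encapsulate(teid, inner_ip, seq=None):
    """Wrap a user IP packet in a minimal GTPv1-U header.
    Flags 0x30 = version 1, PT=1 (GTP, not GTP'); 0x32 additionally sets the S flag,
    which brings in the 4 optional bytes (sequence, N-PDU number, next extension type)."""
    if seq is None:
        return struct.pack("!BBHI", 0x30, MSG_G_PDU, len(inner_ip), teid) + inner_ip
    opt = struct.pack("!HBB", seq & 0xFFFF, 0, 0)
    return struct.pack("!BBHI", 0x32, MSG_G_PDU, len(inner_ip) + 4, teid) + opt + inner_ip


def gtpu_decapsulate(data):
    """Strict decapsulation: returns (teid, inner_ip) or raises ValueError.
    Every length is validated before use, which is what a GTP-U manager that crashes
    on fragmented or malformed PDUs is not doing."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1 / not PT=GTP")
    if msg_type != MSG_G_PDU:
        raise ValueError("not a G-PDU (message type %d)" % msg_type)
    if length != len(data) - 8:
        raise ValueError("GTP length %d disagrees with datagram (%d)" % (length, len(data) - 8))
    off = 8
    if flags & 0x07:                            # any of E, S, PN set: optional 4 bytes present
        if len(data) < 12:
            raise ValueError("optional header fields missing")
        off = 12
        next_ext = data[11]
        while flags & 0x04 and next_ext != 0:   # E flag: walk extension headers (4-byte units)
            if off >= len(data):
                raise ValueError("extension header overruns datagram")
            ext_len = data[off] * 4
            if ext_len == 0 or off + ext_len > len(data):
                raise ValueError("bad extension header length")
            next_ext = data[off + ext_len - 1]
            off += ext_len
    inner = data[off:]
    validate_inner_ipv4(inner)
    return teid, inner


def validate_inner_ipv4(pkt):
    """Sanity-check the inner IPv4 header against the bytes actually present."""
    if len(pkt) < 20:
        raise ValueError("inner packet shorter than a minimal IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("inner IPv4 lengths (ihl=%d, total=%d) inconsistent with %d bytes"
                         % (ihl, total_len, len(pkt)))


def make_ipv4(src, dst, proto, payload):
    """Constructed test packet: well-formed IPv4 header (checksum left zero)."""
    def addr(s):
        return bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0)
    return hdr + addr(src) + addr(dst) + payload


def is_rejected(data):
    """True if gtpu_decapsulate refuses the datagram instead of forwarding it."""
    try:
        gtpu_decapsulate(data)
        return False
    except ValueError:
        return True
```

Feeding the decapsulator an inner packet whose IPv4 total length claims more bytes than the datagram holds, or a datagram cut short in transit, yields a clean rejection instead of a read past the buffer; that is the check to look for (or fuzz for) in an SGW under test.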
Case Study: Toll Fraud “Exploitation”
• LTE allows the use of multiple “bearer” channels
• Designed to allow different data limits for different applications
• The UE decides which bearer channel to send each type of traffic on
• Should be trivial to send different traffic over a different bearer channel

OR

• DNS tunnelling is allowed through most carriers’ networks
  • Set the VPN to port 53
  • Free data
• ICMP tunnelling can also work
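The detection side of the DNS-tunnel case above, as an added example that is not part of the original deck: a classifier for UDP/53 datagrams seen at the SGi border that separates payloads that are not DNS at all (a VPN forced onto port 53), DNS queries whose labels below the registered zone are long and high-entropy (the tunnel carrying data in the name), and ordinary lookups. The thresholds and the sample query names are assumptions to tune per network, not measured values.

```python
import math
import struct
from collections import Counter


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_query(payload):
    """Return the QNAME of the first question, or None if the payload is not a plausible
    DNS query. Non-DNS traffic pushed through port 53 fails one of these header checks."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    # QR must be 0 (a query), opcode must be QUERY, exactly one question, no answers
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount != 1 or ancount or nscount:
        return None
    labels, off = [], 12
    while True:
        if off >= len(payload):
            return None
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 or off + n > len(payload):   # compression pointers are invalid in a query name
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(payload):                    # QTYPE and QCLASS must follow the name
        return None
    return ".".join(labels)


def classify_port53(payload, zone_depth=2, max_qname=100, max_prefix=40, min_entropy=3.5):
    """Label one UDP/53 datagram as 'not-dns', 'tunnel-suspect' or 'dns'.
    Assumed heuristics: tunnelled data rides in the labels below the registered zone
    (the last zone_depth labels), so a long, high-entropy prefix is the tell."""
    qname = parse_dns_query(payload)
    if qname is None:
        return "not-dns"
    labels = qname.split(".")
    prefix = "".join(labels[:-zone_depth])
    if len(qname) > max_qname or (len(prefix) > max_prefix and shannon_entropy(prefix) > min_entropy):
        return "tunnel-suspect"
    return "dns"


def build_query(qname, txid=0x1234, qtype=1):
    """Constructed sample: a standard recursive query with one question (QCLASS IN)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)
```

Run over a capture, this sorts port-53 traffic into the three buckets; the `not-dns` bucket is where a VPN on port 53 lands, and the `tunnel-suspect` bucket is where iodine-style name encoding lands. A two-label zone depth is a simplification: a public-suffix list gives the correct registered-zone split for names like `example.co.uk`.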
PGW
PGW : S5/8 Interface
S5/8 Interface:
• PGW acts as the “core router” for all traffic exiting the mobile network to the PDN
• Multiple SGWs are typically connected to one PGW
• In smaller environments the SGW and PGW are integrated into one unit
• PGW uses GTPv2-C and GTP-U in a similar fashion to the SGW
  • Packet headers are the same, but the data changes

Potential Attacks:
• The same techniques used to break the SGW work on the PGW
• Once again, malformed IP packets are not typically handled well
• GTP-C flooding to set up contexts and tunnels that don’t exist (DDoS)
Packet Data Network Gateway vs. Core Router
PGW : SGi Interface
SGi Interface:
• PGW acts as the “core router” for all traffic exiting the mobile network to the PDN
• No tunnels, only IP

Potential Attacks:
• The same battery of attacks that you would use on any intelligent router
  • Management services (SNMP, SSH, Telnet, etc.)
• Packet flooding DDoS will knock out service for millions of phones
How do I find a SGW or PGW?
• Port scan for UDP ports 2123 (GTP-C) and 2152 (GTP-U)
  – If you are lucky, a closed port answers with an ICMP port unreachable; compare against a random non-GTP port so that silence on 2123/2152 can be read as “listening” rather than “filtered”
• GTP-C control plane, UDP port 2123: two types of probes you can send
  – GTP Echo Request
    • Response is a GTP Echo Response
  – Create Session Request packet
    • Response is a Create Session Response whose Cause IE accepts or rejects the request
• GTP-U data plane, UDP port 2152
  – GTP Echo Request works
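The Echo probes from the steps above, written out as an added example (not code from the deck): a GTPv1 Echo Request works against both GTP-U (UDP 2152) and GTPv1-C (UDP 2123), a GTPv2-C Echo Request against S11/S5/S8 on 2123, and the parser pulls the Recovery (restart counter) IE out of either flavour of Echo Response. Header layouts follow 3GPP TS 29.060/29.281 (v1) and TS 29.274 (v2); the `probe` helper only sends one datagram and is meant for equipment you are authorised to test.

```python
import socket
import struct

GTPC_PORT = 2123   # GTPv1-C and GTPv2-C share this port
GTPU_PORT = 2152   # GTPv1-U


def gtpv1_echo_request(seq):
    """GTPv1 Echo Request: flags 0x32 = version 1, PT=GTP, S flag; type 1;
    length counts everything after the 8-byte mandatory header; TEID is 0."""
    return struct.pack("!BBHIHBB", 0x32, 1, 4, 0, seq & 0xFFFF, 0, 0)


def gtpv2_echo_request(seq):
    """GTPv2-C Echo Request: flags 0x40 = version 2, no piggyback, no TEID; type 1;
    length counts the 3-byte sequence number plus one spare byte."""
    return struct.pack("!BBH", 0x40, 1, 4) + (seq & 0xFFFFFF).to_bytes(3, "big") + b"\x00"


def parse_echo_response(data):
    """Decode a GTPv1 or GTPv2 Echo Response into {version, seq, recovery};
    raises ValueError for anything that is not a well-formed Echo Response."""
    if len(data) < 8:
        raise ValueError("too short for any GTP header")
    version = data[0] >> 5
    if version == 1:
        flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
        if msg_type != 2 or length != len(data) - 8 or teid != 0:
            raise ValueError("not a GTPv1 Echo Response")
        off = 12 if flags & 0x07 else 8            # optional sequence/N-PDU/ext bytes present?
        seq = struct.unpack("!H", data[8:10])[0] if flags & 0x02 else None
        ies = data[off:]
        if len(ies) < 2 or ies[0] != 14:           # Recovery is a TV IE: type 14, one-byte value
            raise ValueError("missing Recovery IE")
        return {"version": 1, "seq": seq, "recovery": ies[1]}
    if version == 2:
        flags, msg_type, length = struct.unpack("!BBH", data[:4])
        if msg_type != 2 or length != len(data) - 4 or flags & 0x08:   # T flag must be clear
            raise ValueError("not a GTPv2 Echo Response")
        seq = int.from_bytes(data[4:7], "big")
        off = 8
        while off + 4 <= len(data):                # GTPv2 IE: type(1) length(2) spare/instance(1) value
            ie_type = data[off]
            ie_len = struct.unpack("!H", data[off + 1:off + 3])[0]
            if off + 4 + ie_len > len(data):
                raise ValueError("IE overruns message")
            if ie_type == 3 and ie_len == 1:       # Recovery IE
                return {"version": 2, "seq": seq, "recovery": data[off + 4]}
            off += 4 + ie_len
        raise ValueError("missing Recovery IE")
    raise ValueError("unsupported GTP version %d" % version)


def is_echo_response(data):
    """True if the bytes decode as a GTP Echo Response of either version."""
    try:
        parse_echo_response(data)
        return True
    except ValueError:
        return False


def probe(host, port, version=1, timeout=2.0):
    """Send one Echo Request and return the parsed reply, or None on timeout.
    version=1 for UDP 2152 (GTP-U) or GTPv1-C; version=2 for GTPv2-C on UDP 2123."""
    req = gtpv1_echo_request(1) if version == 1 else gtpv2_echo_request(1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_echo_response(data)
```

The restart counter in the Recovery IE is worth logging across a test campaign: a GTP-U manager that crashes and restarts, as in the results that follow, increments it, so the counter gives you an independent confirmation of each “kill” without access to the device’s logs.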
Confirmed Kills
SGW: S1-U Interface:
1. Fragmented IP traffic -> GTP-U manager crashes and traffic wasn’t let through
2. 64B TCP packets at a high rate -> GTP-U manager crashes and traffic wasn’t let through
3. Fuzz GTP-U (<20 Mbps) + application traffic -> GTP-U manager crashes and traffic wasn’t let through

SGW: S11 Interface:
1. Sending a badly formed “Idle Control” command + application traffic -> GTP-U manager crash
2. Fuzz only the outer IP/transport headers, not even the GTP-C, + application traffic -> NPU-manager crash
3. Fuzz the GTP-C traffic -> GTP-U crash

MME: S1-MME Interface:
1. DDoS with attach request floods, SCTP connection floods, and other general mayhem on S1AP

HSS: S6a Interface:
1. Performance testing, no security -> Crash

DRA (Diameter-specific load balancer between the MME and HSS): S6a Interface:
1. Performance testing, no security: 1x SCTP connection, simulating 1x MME, 4000 messages/s (authentications, then location updates) -> Crash
Summary
• LTE networks are not as complicated as they seem
• LTE networks are still immature
• Security was an after-thought
• Stack your performance, security, feature, and negative testing for best results
Thank You