4G LTE Security talk presented at OHM 2013, Netherlands by Stephen Kho & Rob Kuiters of KPN CISO.
4G Security - What hackers know?
OHM 2013
1 August 2013
Stephen Kho/ Rob Kuiters
Agenda
•Who we are & why we are giving this talk?
•Introduction and transition to 4G
•4G network architectural overview
•Protocols you need to know
•LTE & EPC components and vulnerabilities
•Mitigation & best practices
•Conclusions
•Q&A
Who we are & why this talk?
•Stephen Kho & Rob Kuiters
•KPN CISO Team
•KPN-CERT & REDteam
•Penetration Testing & Incident Response
•Overview of transition to 4G technology
•Provide understanding of components, protocols and vulnerabilities
Introduction and transition to 4G
• 1G Nordic Mobile Telephone (1980)
• 2G Global System for Mobile Communication (1994)
• 3G Universal Mobile Telecommunications System (2004)
• 4G Evolved Packet System (2013)
• 5G ???? Somewhere 2023
[Diagram: User Equipment, Radio Network, Core Network]
2G
Basic Components
• Basestation Transceiver
• Basestation Controller
• Mobile Switching Centre / Visitor Location Register
• Home Location Register
Main Protocols
• BSSAP
• MAP / ISUP
2G
[Diagram "Walled Garden": UE, BTS, BSC, MSC / VLR, GMSC, HLR; voice, SS7]
2G and some
Basic Components
• Basestation Transceiver
• Basestation Controller
• Mobile Switching Centre / Visitor Location Register
• Serving GPRS Support Node / Visitor Location Register
• Gateway GPRS Support Node
• DNS
• Home Location Register
Main Protocols
• BSSAP / BSSGP
• GTP
• IP
• MAP / ISUP
2G and some
[Diagram "Not So Walled Garden": UE, BTS, BSC, MSC / VLR, GMSC, HLR, SGSN, GGSN, GRX, DNS, WWW / PDN; voice, SS7]
3G (UMTS)
Basic Components
• NodeB
• Radio Network Controller
• Mobile Switching Centre / Visitor Location Register
• Serving GPRS Support Node / Visitor Location Register
• Gateway GPRS Support Node
• DNS
• Home Location Register / Authentication Centre
Main Protocols
• RANAP
• GTP
• IP
• MAP / ISUP
3G
[Diagram "Not So Walled Garden": UE, BTS, BSC, NodeB, RNC, MSC / VLR, GMSC, HLR, SGSN, GGSN, GRX, DNS, WWW / PDN; voice, SS7]
3G
Basic Components
• eNodeB
• Mobile Mobility Entity
• Serving Gateway
• Packet Data Network Gateway
• DNS
• Home Subscriber System
Main Protocols
• Diameter
• GTP
• IP
2G
[Diagram "Semi public open place": UE, BTS, MME, S-GW, PDN GW, HSS, IPX / GRX, WWW / PDN]
EPC components and vulnerabilities
Testing approach
• Infrastructure penetration test
• Host based security assessment
• Web application testing
• Code review
[Diagram: Information Gathering, Vulnerability Analysis, Exploitation]
Where and what did we test?
[Diagram, Evolved Packet Core (EPC): UE, eNodeB, SeGW, MME, HSS, DRA, PDN-GW, DNS, Internet]
Diameter Routing Agent (DRA)
• Helps reduce number of connections between devices
• Complex routing and provisioning
• Load balancing and congestion control
• Multi-vendor interoperability
• Security functions – protocol validation
DRA vulnerabilities found (example from a vendor)
• Infrastructure penetration test
  • MySQL installation running with root user privileges & without a password
  • Improper network segmentation for running services
  • Weak password policy on the OS
  • Multiple users with sudo rights without a password
  • Multiple software security patches are missing
  • Easy to guess SNMPv3 password
• Web application test
  • Multiple default accounts
  • Inadequate user privilege separation
  • Insecure SSL certificate
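
A host-side check for the "sudo rights without a password" finding above, as an added example that is not from the talk or from any vendor: it parses sudoers text and lists every user or group that can run commands under a NOPASSWD tag. The account names and commands in the sample are constructed; `#include` files and per-host `:` separated specs are not followed.

```python
import re

# Constructed sample sudoers content (not taken from the assessed DRA).
SAMPLE_SUDOERS = """\
# constructed example
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
oper1       ALL=(ALL) NOPASSWD: ALL
%dra-admin  ALL=(root) NOPASSWD: /usr/bin/systemctl restart dra, \\
            /usr/bin/tail
backup      ALL=(root) PASSWD: /usr/bin/rsync
"""

# One or more leading tags such as "NOPASSWD:" or "NOPASSWD: SETENV:".
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)+)")

def find_nopasswd(text):
    """Return (who, commands_without_password, grants_ALL) per user spec."""
    text = re.sub(r"\\\n\s*", " ", text)          # join continuation lines
    findings = []
    for line in text.splitlines():
        line = line.strip()
        # Comments, include directives and lines without '=' are not user specs.
        if not line or line.startswith("#") or "=" not in line:
            continue
        if re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        who_hosts, cmnd_spec = line.split("=", 1)
        who = who_hosts.split()[0]
        cmnd_spec = re.sub(r"\([^)]*\)", "", cmnd_spec)   # drop (runas) specs
        nopasswd, free = False, []
        for item in cmnd_spec.split(","):
            item = item.strip()
            m = TAG_RE.match(item)
            if m:
                # A tag stays in force for later commands until overridden.
                if "NOPASSWD:" in m.group(1):
                    nopasswd = True
                elif "PASSWD:" in m.group(1):
                    nopasswd = False
                item = item[m.end():].strip()
            if nopasswd and item:
                free.append(item)
        if free:
            findings.append((who, free, "ALL" in free))
    return findings

if __name__ == "__main__":
    for who, cmds, full in find_nopasswd(SAMPLE_SUDOERS):
        print("CRITICAL" if full else "REVIEW", who, cmds)
```
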
Packet Data Network Gateway (PDN-GW)
• Connects UE to PDN
• Performs policy enforcement
• Packet filtering for each user
• Charging support
• Lawful Interception
PDN-GW vulnerabilities found (example from a popular vendor)
• Host security assessment
  • No firmware hashing or cryptographic verification
  • Clear-text transmission of PDN-GW login credentials
  • PDN-GW username enumeration possible
  • No failed login account lockout
  • Self-signed and expired SSL certificate
  • Weak password policy – no complexity
• Code review (manual & automated static code analysis)
  • Hardcoded symmetric password encryption keys used
  • Weak lawful interception key generation
  • Software verification bypass
  • Weak authentication mechanism – weak encryption and hashing algorithm (DES, MD5)
Home Subscriber Server (HSS)
• Central database for user-related and subscription-related information
• Mobility management, call and session establishment support
• User authentication and access authorization
HSS vulnerabilities found (example from another popular vendor)
• Infrastructure penetration test
  • World exported NFS shares
  • Sensitive data stored on HSS NFS shares
  • Default account credentials in use
  • Critical security updates missing
  • Unnecessary services running
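
A configuration check for the "world exported NFS shares" finding above, as an added example that is not from the talk or from any vendor: it reads Linux `/etc/exports` syntax and reports every share reachable by any host, including the easy-to-miss cases of a bare `(options)` group and a path with no client list. Paths and hosts in the sample are constructed.

```python
import re

# Constructed sample /etc/exports content (not taken from the assessed HSS).
SAMPLE_EXPORTS = """\
# constructed example
/export/hss/subscribers   *(rw,no_root_squash)
/export/hss/config        10.20.0.0/24(ro,sync) (rw)
/export/hss/logs          mgmt01.example.net(rw,sync,root_squash)
/export/hss/backup
"""

# Client fields that match every host; "" is a bare "(opts)" or a missing client.
WORLD_CLIENTS = {"", "*", "0.0.0.0/0", "::/0"}
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")

def audit_exports(text):
    """Return (path, client, writable, no_root_squash) for each world export."""
    text = re.sub(r"\\\n", " ", text)             # join continuation lines
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        fields = line.split()
        path = fields[0]
        # Default-option fields ("-sync,rw") are skipped here, not evaluated.
        clients = [f for f in fields[1:] if not f.startswith("-")]
        if not clients:
            clients = [""]                        # no client list: any host
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            host = m.group(1)
            opts = set((m.group(2) or "").split(","))
            if host in WORLD_CLIENTS:
                findings.append((path, host or "<any>",
                                 "rw" in opts, "no_root_squash" in opts))
    return findings

if __name__ == "__main__":
    for path, client, rw, noroot in audit_exports(SAMPLE_EXPORTS):
        print(path, client, "rw" if rw else "ro",
              "no_root_squash" if noroot else "")
```
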
Mitigation & best practices
• Implement network segmentation & filtering
• Utilise centralised identity and access management
• Enforce vendor security patch update
• Implement security patch management
• Perform regular vulnerability scans
• Carry out in-depth penetration tests
• Implement host & network based IDS
• Practice incident response
Conclusion
• The Walled Garden telcos used to have no longer exists
• Vendor OSes are Linux or Windows based
• Common IP network vulnerabilities are present in 4G networks
• Telco vendors need to raise their IP security awareness
• Adopt common IP network security best practices and mitigations
• The community needs to help mature the overall security level of these “newer” protocols, e.g. Diameter, by doing more research
Thank you for your attention