
4G LTE Security - What hackers know?


DESCRIPTION

4G LTE Security talk presented at OHM 2013, Netherlands by Stephen Kho & Rob Kuiters of KPN CISO.


OHM 2013


1 August 2013

Stephen Kho/ Rob Kuiters


Agenda

•Who we are & why we are giving this talk?

•Introduction and transition to 4G

•4G network architectural overview

•Protocols you need to know

•LTE & EPC components and vulnerabilities

•Mitigation & best practices

•Conclusions

•Q&A


Who we are & why this talk?

•Stephen Kho & Rob Kuiters

•KPN CISO Team

•KPN-CERT & REDteam

•Penetration Testing & Incident Response

•Overview of transition to 4G technology

•Provide understanding of components, protocols and vulnerabilities


Introduction and transition to 4G


• 1G Nordic Mobile Telephone (1980)

• 2G Global System for Mobile Communication (1994)

• 3G Universal Mobile Telecommunications System (2004)

• 4G Evolved Packet System (2013)

• 5G ???? Somewhere 2023


[Diagram: User Equipment, Radio Network, Core Network]


2G

Basic Components
• Basestation Transceiver
• Basestation Controller
• Mobile Switching Centre / Visitor Location Register
• Home Location Register

Main Protocols
• BSSAP
• MAP / ISUP


2G

[Diagram, "Walled Garden": UE, BTS, BSC, MSC / VLR, GMSC, HLR; labels: voice, SS7]


2G and some

Basic Components
• Basestation Transceiver
• Basestation Controller
• Mobile Switching Centre / Visitor Location Register
• Serving GPRS Support Node / Visitor Location Register
• Gateway GPRS Support Node
• DNS
• Home Location Register

Main Protocols
• BSSAP / BSSGP
• GTP
• IP
• MAP / ISUP


2G and some

[Diagram, "Not So Walled Garden": UE, BTS, BSC, MSC / VLR, GMSC, HLR, SGSN, GGSN, DNS, GRX, WWW / PDN; labels: voice, SS7]


3G

Basic Components
• NodeB
• Radio Network Controller
• Mobile Switching Centre / Visitor Location Register
• Serving GPRS Support Node / Visitor Location Register
• Gateway GPRS Support Node
• DNS
• Home Location Register / Authentication Centre

Main Protocols
• RANAP
• GTP
• IP
• MAP / ISUP

UMTS


3G

[Diagram, "Not So Walled Garden": UE, NodeB, RNC, BTS, BSC, MSC / VLR, GMSC, HLR, SGSN, GGSN, DNS, GRX, WWW / PDN; labels: voice, SS7]


3G

Basic Components
• E NodeB
• Mobile Mobility Entity
• Serving Gateway
• Packet Data Network Gateway
• DNS
• Home Subscriber System

Main Protocols
• Diameter
• GTP
• IP


2G

[Diagram, "Semi public open place": UE, BTS, MME, S-GW, PDN GW, HSS, IPX / GRX, WWW / PDN]


EPC components and vulnerabilities

Testing approach

•Infrastructure penetration test

•Host based security assessment

•Web application testing

•Code review


Information Gathering

Vulnerability Analysis

Exploitation


Where and what did we test?

[Diagram, Evolved Packet Core (EPC): UE, eNodeB, SeGW, MME, HSS, DRA, PDN-GW, DNS, Internet]


Diameter Routing Agent (DRA)

• Helps reduce number of connections between devices
• Complex routing and provisioning
• Load balancing and congestion control
• Multi-vendor interoperability
• Security functions – protocol validation


DRA vulnerabilities found (example from a vendor)

• Infrastructure penetration test
  • MySQL installation running with root user privileges & without a password
  • Improper network segmentation for running services
  • Weak password policy on the OS
  • Multiple users with sudo rights without a password
  • Multiple software security patches are missing
  • Easy to guess SNMPv3 password
• Web application test
  • Multiple default accounts
  • Inadequate user privilege separation
  • Insecure SSL certificate


Packet Data Network Gateway (PDN-GW)

• Connects UE to PDN

• Performs policy enforcement

• Packet filtering for each user

• Charging support

• Lawful Interception


PDN-GW vulnerabilities found (example from a popular vendor)

• Host security assessment
  • No firmware hashing or cryptographic verification
  • Clear-text transmission of PDN-GW login credentials
  • PDN-GW username enumeration possible
  • No failed login account lockout
  • Self-signed and expired SSL certificate
  • Weak password policy – no complexity


PDN-GW vulnerabilities found (example from a popular vendor)

• Code review (manual & automated static code analysis)
  • Hardcoded symmetric password encryption keys used
  • Weak lawful interception key generation
  • Software verification bypass
  • Weak authentication mechanism – weak encryption and hashing algorithm (DES, MD5)


Home Subscriber Server (HSS)

• Central database for user-related and subscription-related information
• Mobility management, call and session establishment support
• User authentication and access authorization


HSS vulnerabilities found (example from another popular vendor)

• Infrastructure penetration test
  • World exported NFS shares
  • Sensitive data stored on HSS NFS shares
  • Default account credentials in use
  • Critical security updates missing
  • Unnecessary services running


Mitigation & best practices

Implement network segmentation & filtering

Utilise centralised identity and access management

Enforce vendor security patch update

Implement security patch management

Perform regular vulnerability scans

Carry out in-depth penetration tests

Implement host & network based IDS

Practice incident response
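
An added example (not from the talk and not any vendor's code): a small Python configuration check for two of the host findings listed earlier, world-exported NFS shares (HSS) and sudo rights without a password (DRA), of the kind a regular scan or host assessment would run. The file contents, host names and function names are constructed for illustration, and the parsing is simplified as noted in the comments.

```python
import re

# Constructed sample files; not taken from the talk or from any vendor system.
EXPORTS = """\
# /etc/exports
/export/hss/backup    *(rw,no_root_squash)
/export/hss/logs      10.20.0.0/24(ro,sync) (ro)
/export/provisioning  mgmt01.example.net(rw,sync)
"""

SUDOERS = """\
# /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
oper    ALL=(ALL) NOPASSWD: ALL
%admins ALL=(ALL) NOPASSWD: /usr/bin/systemctl
backup  ALL=(root) /usr/bin/rsync
"""

# Client fields that match every host: wildcard, catch-all networks, or an
# option list with no host in front of it, e.g. "(ro)".
WORLD_CLIENTS = {"", "*", "0.0.0.0/0", "::/0"}

def world_exports(text):
    """Return (path, client) pairs for NFS exports open to any host."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *clients = line.split()          # simplified: no quoted paths
        for client in clients:
            if client.split("(", 1)[0] in WORLD_CLIENTS:
                findings.append((path, client))
    return findings

def passwordless_sudo(text):
    """Return sudoers users/groups holding at least one NOPASSWD rule."""
    principals = []
    for line in text.splitlines():
        line = line.strip()                    # simplified: no line continuations
        if not line or line.startswith(("#", "Defaults")):
            continue
        if re.search(r"\bNOPASSWD\s*:", line):
            principals.append(line.split()[0])
    return principals

if __name__ == "__main__":
    for path, client in world_exports(EXPORTS):
        print(f"world-exported NFS share: {path} -> {client}")
    for who in passwordless_sudo(SUDOERS):
        print(f"sudo without password: {who}")
```

The second export line shows the easy-to-miss case: a space before `(ro)` turns the option list into a separate client entry that applies to every host.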


Conclusion

•The Walled Garden telcos used to have is no longer there

•Vendor OSes are Linux or Windows based

•Common IP network vulnerabilities are present in 4G networks

•Telco vendors need to raise their IP security awareness

•Adopt common IP network security best practices and mitigations

•The community needs to help mature the overall security level of these “newer” protocols, e.g. Diameter, by doing more research


Thank you for your attention
