Security Testing 4G (LTE) Networks
44con, 6th September 2012
Martyn Ruks & Nils
1 11/09/2012
Today’s Talk
• Intro to 4G (LTE) Networks
• Technical Details
• Attacks and Testing
• Defences
• Conclusions
Intro to 4G (LTE) Networks
A Brief History Lesson
• 1G – 1980s Analogue technology (AMPS, TACS)
• 2G – 1990s Move to digital (GSM, GPRS, EDGE)
• 3G – 2000s Improved data services (UMTS, HSPA)
• 4G – 2010s High bandwidth data (LTE Advanced)
Mobile Networks
Historic Vulnerabilities
• Older networks have been the subject of practical and theoretical attacks
• Examples include:
• Ability to man in the middle
• No perfect forward secrecy
• No encryption on the back-end
• LTE Advanced addresses previous attacks
Current Status of 4G
• Lots of 4G networks running or planned (eg Scandinavia, US)
• UK Trials have run in Cornwall, London etc
• Spectrum auction is important
• EE service launches soon!
Why is 4G Important?
• Digital Britain strategy
• Fixed line broadband expensive in remote locations
• Provides high speed mobile data services
• High level of scalability on the back-end
Technical Details
Conceptual View 3G
[Diagram: User → Base Station (NodeB, RNC) → Back-End (Core Network) → Internet]
Network Overview 3G
[Diagram: UE → NB(s) → RNC → SGSN → GGSN → Internet; the Core Network also holds the HSS and AuC]
Conceptual View 4G
[Diagram: User → Base Station (eNodeB) → Back-End (EPC) → Internet]
Network Overview 4G
[Diagram: UE → eNB(s) → EPC; within the EPC the MME (backed by the HSS) terminates signalling, while the SGw → PGw path (with the PCRF) carries user data to the Internet]
User Equipment (UE)
• What the customer uses to connect
• Mainly dongles and hubs at present
• Smartphones and tablets will follow (already lots in US)
The Components
evolved Node B (eNB)
• The bridge between wired and wireless networks
• Forwards signalling traffic to the MME
• Passes data traffic to the PDN/Serving Gateway
Evolved Packet Core (EPC)
• The back-end core network
• Manages access to data services
• Uses IP for all communications
• Divided into several components
Mobility Management Entity (MME)
• Termination point for UE Signalling
• Handles authentication events
• Key component in back-end communications
Home Subscriber Server (HSS)
• Contains a user’s subscription data (profile)
• Typically includes the Authentication Centre (AuC)
• Where key material is stored
PDN and Serving Gateways (PGw and SGw)
• Handle data traffic from UE
• Can be consolidated into a single device
• Responsible for traffic routing within the back-end
• Implement important filtering controls
Policy and Charging Rules Function (PCRF)
• Does what it says on the tin
• Integrated into the network core
• Allows operator to perform bandwidth shaping
Home eNB (HeNB)
• The “FemtoCell” of LTE
• An eNodeB within your home
• Talks to the MME and PDN/Serving Gateway
• Expected to arrive much later in 4G rollout
Control and User Planes
Network Overview
Radio Protocols (RRC, PDCP, RLC)
• These all terminate at the eNodeB
• RRC is only used on the control plane
• Wireless user and control data is encrypted (some exceptions)
• Signalling data can also be encrypted end-to-end
[Stack diagram: RRC / PDCP / RLC]
The Protocols
Internet Protocol (IP)
• Used by all back-end comms
• All user data uses it
• Supports both IPv4 and IPv6
• Important to get routing and filtering correct
• Common UDP and TCP services in use
[Stack diagram: IP]
The Protocols - SCTP
• Another protocol on top of IP
• Robust session handling
• Bi-directional sessions
• Sequence numbers very important
[Stack diagram: SCTP over IP]
The Protocols – GTP-U
• Runs on top of UDP and IP
• One of two variants of GTP used in LTE
• This transports user IP data
• A pair of sessions is used, each identified by a Tunnel-ID
[Stack diagram: GTP-U over UDP over IP]
The Protocols – GTP-C
• Runs on top of UDP and IP
• The other variant of GTP used in LTE
• Used for back-end data
• Should not be used by the MME in pure 4G
[Stack diagram: GTP-C over UDP over IP]
S1AP
• Runs on top of SCTP and IP
• An ASN.1 protocol
• Transports UE signalling
• UE sessions distinguished by a pair of IDs
[Stack diagram: S1AP over SCTP over IP]
X2AP
• Very similar to S1AP
• Used between eNodeBs for signalling and handovers
• Runs over SCTP and IP and is also an ASN.1 protocol
[Stack diagram: X2AP over SCTP over IP]
Potential Attacks
What Attacks are Possible
• Wireless attacks and the baseband
• Attacking the EPC from UE
• Attacking other UE
• Plugging into the Back-end
• Physical attacks (HeNB)
Targets for Testing
Wireless Attacks and the Baseband
• A DIY kit for attacking wireless protocols is now closer (USRP based)
• Best chance is using commercial kit to get a head-start
• Not the easiest thing to attack
Attacking the EPC from UE
• Everything in the back-end is IP
• You pay someone to give you IP access to the environment
• Easiest place to start
Attacking other UE
• Other wirelessly connected devices are close
• May be less protection if seen as a local network
• The gateway may enforce segregation between UE
Wired network attacks
• eNodeBs will be in public locations
• They need visibility of components in the EPC
• Very easy to communicate with an IP network
• Everything is potentially in scope
Physical Attacks (eNB)
• Plugging into management interfaces is most likely attack, except …
• A Home eNodeB is a different story
• Hopefully we have learned from the Vodafone Femto-Cell Attack
What you can Test
As a Wirelessly Connected User
• Visibility of the back-end from UE
• Visibility of other UEs
• Testing controls enforced by Gateway
• Spoofed source addresses
• GTP Encapsulation (Control and User)
Tests to Run
From the Back-End
• Ability to attack MME (signalling)
• Robustness of stacks (eg SCTP)
  • Fuzzing
  • Sequence number generation
• Testing management interfaces
  • Web consoles
  • SSH
  • Proprietary protocols
Challenges
• Spoofing UE authentication is difficult
• Messing with radio layers is hard
• ASN.1 protocols are a pain
• Injecting into SCTP is tough
• Easy to break back-end communications
S1AP Protocol
• By default no authentication to the service
• Contains eNodeB data and UE Signalling
• UE Signalling can make use of encryption and integrity checking
• If no UE encryption is used attacks against connected handsets become possible
S1AP and Signalling
[Diagram: UE ↔ eNB carries NAS over the radio link; eNB ↔ MME carries S1AP; NAS signalling runs end-to-end between UE and MME]
S1AP and Signalling
[Diagram: UE ↔ eNB ↔ MME, with a spoofed UE and a spoofed eNB shown as the two test positions]
S1AP and Signalling
[Message sequence, eNB ↔ MME: S1 Setup → S1 Setup Response → Attach Request → Authentication Request → Authentication Response → Security Mode]
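The Security Mode step at the end of that sequence is where the MME tells the UE which NAS ciphering and integrity algorithms will be used, and the slides note that attacks on connected handsets become possible when no UE encryption is used. The monitoring check below is an added example, not code from the talk or from MWR/F-Secure: it decodes a NAS Security Mode Command (byte layout per 3GPP TS 24.301, security-protected wrapper followed by the plain EMM message) and raises findings when the null algorithms EEA0 or EIA0 are selected or the message is not integrity protected. The `build_security_mode_command` helper and the replayed capability bytes it emits are constructed for the example.

```python
"""Added example: flag NAS Security Mode Commands that select null algorithms.
Layout follows 3GPP TS 24.301 (EMM); sample messages are constructed here."""

EMM_PD = 0x07                    # protocol discriminator: EPS mobility management
SEC_HDR_PLAIN = 0x0              # plain NAS message
SEC_HDR_INTEGRITY_NEW_CTX = 0x3  # integrity protected with new EPS security context
SECURITY_MODE_COMMAND = 0x5D     # EMM message type

EEA_NAMES = {0: "EEA0 (null)", 1: "128-EEA1", 2: "128-EEA2", 3: "128-EEA3"}
EIA_NAMES = {0: "EIA0 (null)", 1: "128-EIA1", 2: "128-EIA2", 3: "128-EIA3"}


def build_security_mode_command(eea, eia, ksi=0, mac=b"\x00" * 4, seq=0):
    """Constructed Security Mode Command inside a security-protected NAS message.
    Selected-algorithms octet: ciphering in bits 7-5, integrity in bits 3-1."""
    algos = ((eea & 0x7) << 4) | (eia & 0x7)
    plain = bytes([(SEC_HDR_PLAIN << 4) | EMM_PD, SECURITY_MODE_COMMAND, algos, ksi & 0x0F])
    # Replayed UE security capabilities (LV: length, EEA bitmap, EIA bitmap) - constructed values
    plain += bytes([0x02, 0xF0, 0x70])
    outer = bytes([(SEC_HDR_INTEGRITY_NEW_CTX << 4) | EMM_PD]) + mac + bytes([seq & 0xFF])
    return outer + plain


def parse_nas(msg):
    """Strip the security-protected wrapper (if present) and decode an EMM
    Security Mode Command. 'kind' is 'other' for messages this example ignores."""
    if not msg:
        raise ValueError("empty NAS message")
    sec_hdr, pd = msg[0] >> 4, msg[0] & 0x0F
    if pd != EMM_PD:
        return {"kind": "other"}
    integrity_protected = False
    if sec_hdr != SEC_HDR_PLAIN:
        if len(msg) < 7:
            raise ValueError("truncated security-protected NAS message")
        # wrapper = header octet, 4-octet MAC, 1-octet sequence number, then the plain message
        msg = msg[6:]
        integrity_protected = True
        if msg[0] >> 4 != SEC_HDR_PLAIN or msg[0] & 0x0F != EMM_PD:
            raise ValueError("bad inner NAS header")
    if len(msg) < 4 or msg[1] != SECURITY_MODE_COMMAND:
        return {"kind": "other"}
    algos = msg[2]
    eea, eia = (algos >> 4) & 0x7, algos & 0x7
    return {
        "kind": "security_mode_command",
        "eea": eea, "eea_name": EEA_NAMES.get(eea, f"reserved({eea})"),
        "eia": eia, "eia_name": EIA_NAMES.get(eia, f"reserved({eia})"),
        "ksi": msg[3] & 0x0F,
        "integrity_protected": integrity_protected,
    }


def check_security_mode(msg):
    """Return the findings a monitoring system would raise for this NAS message."""
    info = parse_nas(msg)
    findings = []
    if info["kind"] != "security_mode_command":
        return findings
    if info["eea"] == 0:
        findings.append("null ciphering (EEA0) selected: NAS signalling sent in the clear")
    if info["eia"] == 0:
        findings.append("null integrity (EIA0) selected: NAS signalling unauthenticated")
    if not info["integrity_protected"]:
        findings.append("security mode command not integrity protected")
    return findings


if __name__ == "__main__":
    for eea, eia in ((2, 2), (0, 2), (0, 0)):
        print(EEA_NAMES[eea], EIA_NAMES[eia], check_security_mode(build_security_mode_command(eea, eia)))
```

Fed with NAS messages decoded from an S1AP capture (the NAS PDU sits inside the S1AP DownlinkNASTransport / InitialContextSetup messages on the S1-MME link), the check gives a per-UE record of the algorithms actually negotiated rather than the ones the operator believes are configured.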
GTP Protocol
• Gateway can handle multiple encapsulations
• It uses UDP so easy to have fun with
• The gateway needs to enforce a number of controls that stop attacks
GTP and User Data
[Diagram: UE —IP— eNB —GTP over IP— SGw —IP— Internet]
GTP and User Data
[Encapsulation diagram: the UE's IP packet is carried inside GTP over UDP over IP between the eNodeB and the gateway]
GTP and User Data
[Diagram: the UE's IP packet is wrapped in GTP at the eNB, unwrapped at the SGw, and forwarded as plain IP to the Internet]
GTP and User Data
[Diagram: fields the gateway (SGw/PGw) must check on uplink traffic from the eNB: Source IP Address (IP), Invalid IP Protocols (IP), GTP Tunnel ID (GTP), Source IP Address (GTP), Destination IP Address (IP)]
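The GTP-U slide earlier described a tunnel per session identified by a Tunnel-ID, and the diagram above lists the fields the gateway has to check before forwarding a decapsulated packet; the Defences section later names the same controls (anti-spoofing, encapsulation protection, device-to-device routing). The code below is an added example, not from the talk or from MWR/F-Secure, of a gateway-side policy check that implements those fields end to end: it parses the GTPv1-U header (mandatory 8 octets plus the optional S/PN block; extension headers are rejected for brevity), parses the inner IPv4 header, and then validates the packet against a session table. The `SESSIONS` table, the `EPC_RANGES`/`UE_POOL` address ranges and every IP address are constructed values; in a real EPC the table is populated by the control plane.

```python
"""Added example: uplink GTP-U decapsulation and gateway policy check.
Addresses, sessions and packets are constructed for the example."""
import struct
import ipaddress
from dataclasses import dataclass

GTPU_PORT = 2152                     # GTP-U UDP port
GTP_TPDU = 0xFF                      # message type G-PDU: carries a user IP packet
ALLOWED_INNER_PROTOS = {1, 6, 17}    # ICMP, TCP, UDP ("Invalid IP Protocols (IP)")

# Constructed network layout (assumptions, not from the slides)
EPC_RANGES = [ipaddress.ip_network("10.0.0.0/8")]    # back-end: MME, HSS, gateways
UE_POOL = ipaddress.ip_network("100.64.0.0/10")      # addresses assigned to UEs


@dataclass
class Session:
    teid: int      # uplink Tunnel-ID
    ue_ip: str     # inner source address this tunnel may carry
    enb_ip: str    # outer source address (the eNodeB) the tunnel was set up with


SESSIONS = {  # constructed; in reality populated by GTP-C / S1AP bearer setup
    0x0001ABCD: Session(0x0001ABCD, "100.64.1.10", "192.0.2.10"),
    0x0002ABCD: Session(0x0002ABCD, "100.64.1.11", "192.0.2.10"),
}


def build_gtpu(teid, tpdu):
    """GTPv1-U header, no optional fields: flags 0x30 = version 1, PT = 1."""
    return struct.pack("!BBHI", 0x30, GTP_TPDU, len(tpdu), teid) + tpdu


def build_ipv4(src, dst, proto, payload=b""):
    """Minimal IPv4 header (IHL = 5; checksum left at zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload


def parse_gtpu(data):
    """Return (teid, tpdu). Handles the mandatory header and the 4-octet optional
    block signalled by the S/PN bits; extension headers (E bit) are rejected."""
    if len(data) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not a GTPv1-U packet")
    if msg_type != GTP_TPDU:
        raise ValueError("not a G-PDU")
    body = data[8:8 + length]            # length counts everything after octet 8
    if len(body) != length:
        raise ValueError("truncated GTP-U payload")
    if flags & 0x04:
        raise ValueError("extension headers unsupported in this example")
    if flags & 0x03:                     # S or PN set: optional block present
        body = body[4:]
    return teid, body


def parse_ipv4(pkt):
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], str(ipaddress.ip_address(pkt[12:16])), str(ipaddress.ip_address(pkt[16:20])), pkt[ihl:]


def gateway_check(outer_src, udp_dport, gtp):
    """Decide whether an uplink GTP-U packet may be forwarded: (allowed, reason)."""
    if udp_dport != GTPU_PORT:
        return False, "not GTP-U port"
    try:
        teid, tpdu = parse_gtpu(gtp)
        proto, src, dst, inner_payload = parse_ipv4(tpdu)
    except ValueError as e:
        return False, f"malformed: {e}"
    sess = SESSIONS.get(teid)
    if sess is None:
        return False, "unknown TEID"                          # GTP Tunnel ID (GTP)
    if outer_src != sess.enb_ip:
        return False, "GTP from wrong eNodeB"                 # Source IP Address (GTP)
    if src != sess.ue_ip:
        return False, "inner source spoofed"                  # Source IP Address (IP)
    if proto not in ALLOWED_INNER_PROTOS:
        return False, f"inner protocol {proto} not allowed"   # Invalid IP Protocols (IP)
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in net for net in EPC_RANGES):
        return False, "destination is the EPC back-end"       # Destination IP Address (IP)
    if dst_ip in UE_POOL:
        return False, "UE-to-UE traffic blocked"              # device-to-device routing
    if proto == 17 and len(inner_payload) >= 4 and struct.unpack("!H", inner_payload[2:4])[0] == GTPU_PORT:
        return False, "nested GTP-U encapsulation"            # encapsulation protection
    return True, "forward"


if __name__ == "__main__":
    ok = build_gtpu(0x0001ABCD, build_ipv4("100.64.1.10", "203.0.113.5", 6))
    print(gateway_check("192.0.2.10", GTPU_PORT, ok))
```

The check order matters for a real gateway: tunnel and eNodeB identity come first so that a packet arriving over an unknown or mis-sourced tunnel is dropped before any inner field is trusted. The UE-to-UE rule reflects the slide's point that the gateway may or may not enforce segregation between UEs; an operator that allows device-to-device traffic would replace that drop with its own policy.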
Old Skool
• Everything you already know can be applied to testing the back-end
• It's an IP network and has routers and switches
• There are management services running
Defences
The Multi-Layered Approach
• Get the IP network design right
• Protect the IP traffic in transit
• Enforce controls in the Gateway
• Ensure UE and HeNBs are secure
• Monitoring and Response
• Testing
Unified/Consolidated Gateway
• The “Gateway” enforces some very important controls:
• Anti-spoofing
• Encapsulation protection
• Device to device Routing
• Billing and charging of users
IP Routing
• Architecture design and routing in the core is complex
• Getting it right is critical to security
• We have seen issues with this
• This must be tested before an environment is deployed
IPSec
• If correctly implemented will provide Confidentiality and Integrity protection
• Can also provide authentication between components
• Keeping the keys secure is not trivial and not tested
Architecture Consideration
[Diagram: eNodeB → EPC Switch → MME, HSS, Serving Gateway, PDN Gateway; PDN Gateway → Internet Gateway → Internet]
Conclusions
Conclusion 1
• There are 3 key protective controls that should be tested within LTE environments
  • Policies and rules in the Unified/Consolidated Gateway
  • The implementation of IPSec between all back-end components
  • A back-end IP network with well-designed routing and filtering
Conclusion 2
• Despite fears from the use of IP in 4G, LTE will improve security if implemented correctly
• The 3 key controls must be correctly implemented
• Testing must be completed for validation
• Continued scrutiny is required
• Legacy systems may be the weakest link
Conclusion 3
• Protecting key material used for IPSec is not trivial
• The security model for IPSec needs careful consideration
• Operational security processes are also important
• Home eNodeB security is a challenge
Conclusion 4
• More air interface testing is needed
• Will need co-operation from vendors/operators
• “Open” testing tools will need significant development effort
• Still lower hanging fruit if support for legacy wireless standards remains
Questions
@mwrinfosecurity @mwrlabs