The Mobile Network and Its Collective Insecurity › presentations14 › Chuck... · In Scope and...


Page 1: The Mobile Network and Its Collective Insecurity

Sector.ca

Page 2: Chuck McAuley, Senior Systems Engineer

Page 3: A little bit about me

•  I work at a Network Test Company
•  We get to poke things all day
   –  Firewalls
   –  Routers
   –  Wifi
   –  Mobile Networks
•  I typically work with Service Providers and Network Equipment Manufacturers
•  I focus on testing Deep Packet Inspection Devices for Layers 4-7
   –  IPS, Firewalls, App ID engines, Malware detection, User Monitoring Systems, etc.
   –  Performance and Security testing
•  About two years ago, we got the opportunity to start testing mobile packet core equipment
   –  Found that most of that equipment was fragile
   –  Byzantine
   –  And not very worried about security

Page 4: Goals and Objectives

•  Demystify the mobile network and the Evolved Packet Core (EPC) elements
•  Demonstrate the correlation between EPC elements and typical IP network elements
•  Discuss the EPC elements’ possible vulnerabilities, attack vectors, and associated test cases

Page 5: In Scope and Out of Scope of this Talk

In Scope:
•  LTE/EPC
•  3GPP functional domain: network domain security
•  The security and stability of mobile network elements

Out of Scope (though sometimes mentioned):
•  2G/3G
•  Mobile network security devices
•  3GPP functional domains: network access security, user domain security, application domain security, visibility and configurability of security
•  The call flow registration/attach/authentication process and its potential weaknesses
•  Confidentiality/integrity/authentication of user and control data
•  VoIP/VoLTE/IMS and DNS threats
•  Ironically, the security features in the mobile network elements
•  Backhaul security
•  Radio (Wireless)

Page 6: Mobile Network vs. a Typical Enterprise Network

Page 7: A typical user’s view of how the Internet works

Page 8: How most people think the mobile network works

Page 9: The Typical Enterprise Network

Page 10: The Complex Mobile Network

Page 11: The Mobile Network

(Diagram labels: “The Internet”, “Your Phone”)

Page 12: The Evolved Packet Core

•  The EPC is the wired portion of an LTE network
•  The wireless portion is referred to as the E-UTRAN
•  The combined EPC+E-UTRAN is called the EPS
•  The EPC is being standardized as the core network for access mechanisms, including: LTE, 2G, 3G, non-3GPP, WiFi, and even wireline networks
•  This is HUGE—the EPC will be the carrier’s converged network

Page 13: First: A Network Element Decoder Ring

Page 14: Decoder Ring: Long Term Evolution (LTE) to Enterprise

LTE                             Enterprise
User Equipment
eNode B                         Wireless Access Point
MME + HSS                       Authentication
Serving Gateway                 Edge Router
Packet Data Network Gateway     Core Router

Page 15: Decoder Ring: Long Term Evolution (LTE) to Enterprise

(Diagram labels: LTE / Enterprise; “Phone Land”, “Magic Zone”, “Internet”)

Page 16: Security Elements

Page 17: The Lack of Security Elements

•  Typically, there are no active security elements in the Evolved Packet Core
•  The pervasive mentality around this technology is that the EPC is still “protected” or “hidden”
•  We often hear:
   “Yes, but no one would ever do that.”
   “Why would you do that?”
   or best…
   “It’s a protected network (managed by others) that users cannot reach.”

“The economics of consumer subscriber networks do not incent providers to implement security until a problem occurs.” (Arbor Network 2012 Security Report)

Page 18: A Semblance of Some Security, Seriously

•  There are few, if any, security controls
•  Most carriers (72%) perform NAT, known as Carrier Grade NAT
•  Carriers employ a firewall between their PGW and other carriers’ SGWs when their customers’ UEs are roaming from another carrier’s network
   •  Partner Border (EPC-to-EPC / S8)
•  Intelligent DDoS Mitigation Systems (IDMS)
   •  Internet Border (EPC-to-Internet / SGi)

Page 19: Additional Security Elements

•  Security Gateways (SEG) between RAN & EPC—these are just IPsec gateways
   •  Mobile Access Border (RAN-to-EPC / S1)
   •  Internet Border (EPC-to-Internet / SGi)
   •  Partner Border (EPC-to-EPC / S8)
•  Integrated security features in the SGW/PGW
   •  This can be classified as authentication: certain carriers also deploy independent PCEFs that feed the PGW
•  Basic Firewalls being deployed between carriers to support roaming

Page 20: Network Visibility

Network visibility and out-of-band analysis is still a challenge, yet is increasing in popularity
•  Traffic must be tapped or “spanned” to a separate network
•  Correlation between control and user data must be maintained
•  Not all data can be analyzed
   •  There are a lot of users
   •  There are very few tools (packet capture, IDS, malware analysis, etc.)

“60 percent of Mobile Providers do not have visibility into the traffic on their mobile/evolved packet cores” (Arbor Network 2012 Security Report)

Page 21: Lawful Intercept

•  Done using SPAN ports on the network elements (eNB, SGW, PGW) or Taps
•  VERY good chance that it then uses the Network Visibility Packet Brokers for filtering and aggregation
•  Government observation
•  All carriers are subjected
•  Control plane data is prioritized over user plane data
•  “Observed” interfaces:
   •  Mobile Access Border (RAN-to-EPC / S1)
   •  Internet Border (EPC-to-Internet / SGi)
   •  Partner Border (EPC-to-EPC / S5/S8)
   •  Authentication Border (MME-to-SGW / S11)

Page 22: Contributing Factors to EPC Network Element Vulnerabilities

Page 23: LTE is Immature

•  2G/3G have been around for 14+ years
•  4G (LTE, specifically) specifications have been “frozen” for 5 years, while the initial spec was proposed 9 years ago
•  There will continue to be growing pains

Page 24: 4G Networks are more accessible and accessed

Key differences between 3G and 4G:
•  LTE’s Evolved Packet Core (EPC) is an “all IP” system
•  The individual elements are more intelligent
   •  More features = more attack surfaces = more vulnerabilities
•  LTE can handle higher capacities
   •  Resulting in more users and more data
   •  Easier to control and monetize additional services
   •  More services = more attack surfaces = more vulnerabilities
•  LTE is cheaper
   •  More HW vendors competing

Page 25: Little Competition

•  4 companies make the bulk of LTE equipment
•  Small competitive landscape makes less robust equipment
•  There are a few startups, but their market share is dwarfed by these four

Page 26: Large number of Interfaces

•  There are different (network) interfaces between every EPC network element
•  They are standards-based (3GPP)
•  There are a lot of them
•  Each represents a different protocol exchange (GTP, SCTP, DIAMETER, etc.)

Page 27: Too often testing is done in isolation

•  Feature / Functional Testing
•  Scale and Performance Testing
•  Security Testing
•  Little to no concern for product robustness

Page 28: Put it all together

•  Constantly Changing Standards
•  High level of complexity
•  Low amount of competition
•  Isolated and limited security testing
•  Limited visibility into production network
•  Fast growing environment

Page 29: EPC Network Element Assessments

Page 30: Network Component Mappings

LTE                             Enterprise
User Equipment
eNodeB                          Wireless Access Point
MME + HSS                       Authentication
Serving Gateway                 Edge Router
Packet Data Network Gateway     Core Router

Page 31: UE: Potential Vulnerabilities and Attack Vectors

•  “Jail Broken” = vulnerable software
•  Installation of malware-infected applications
•  Remote installation of SIM card apps
•  Old, un-patched software
•  Traditional malware infection scenarios:
   •  Email attachment
   •  Compromised website
   •  Drive-by downloads

(Diagram label: User Equipment)

The single biggest threat is the users themselves.

Page 32: UE: Attackers’ Motives

•  People invade phones for the same reason as PCs: $$$
•  Methods of extraction
   –  Botnets (could and probably do participate in any and all of the following)
   –  Data Exfiltration – banking, CC, email, credentials, contacts, etc.
   –  Toll Fraud
   –  SMS Fraud
   –  “In-Application” Purchases
   –  Extortion
   –  Misc:
      •  SPAM contacts, DDoS
      •  call premium #s, follow tainted URLs

Page 33: UE: Potential Attacks

•  Potential Attacks:
   –  Roaming Fraud - Attaching to an already-compromised eNB
   –  Using the UE as an attack proxy:
      •  Pivoting to corporate WiFi networks
   –  DDoSing LTE EPC elements:
      •  eNodeB Control Message Flood
      •  Registration Flood
      •  Bearer Tunnel Exhaustion

Page 34: eNodeB

Potential Vulnerabilities and Attack Vectors:
•  Unaware of any attacks on towers today over air
•  Similar to WiFi abuses, but with a more proprietary point of entry
•  Could feasibly send attacks across wire on IP
   •  However no protocols are “responders”
   •  Attack management and other services
•  eNBs might be deployed in buildings and other accessible areas, so physical access is possible
•  Tapping GTP-U data possible
   •  more on this later

(Diagram caption: eNodeB vs. Wireless Access Point)

Page 35: eNode-B

Known Attacks:
•  There does exist the potential of a poisoned or spoofed tower
   •  This isn’t so much an attack on an eNodeB, as much as it is an attack on the UEs
•  Non-carrier towers have been put in place for impromptu pager networks, cartels, or even to hijack 2G phones at events (Burning Man, DefCon)

Page 36: MME

Page 37: MME: S1-MME Interface

S1-MME:
•  Role: Responder and Initiator
•  Stack: S1AP over SCTP over IP
•  Used for control-plane communication between the eNodeB and the MME (AAA)
•  Listens on SCTP port 36412 – set port scanners to stun

Generic Potential Vectors / Methods of Attack:
•  No safety mechanisms in place for DDoS mitigation
   •  Can flood the MME with “UE Attach” messages
•  No cryptographic authentication on S1AP
   •  Any host can connect to an MME as long as ACLs allow it

(Diagram caption: MME + HSS vs. Authentication)

Page 38: MME: S1-MME Interface

Potential Vectors / Methods of Attack:
•  S1AP is an open attack surface
   •  Fuzz it—there are millions of fields available for fuzzing with random data
   •  Send S1AP control plane registration messages out of order to “confuse” the state machine
   •  Send S1AP control plane registration messages that do not include mandatory fields
   •  Send multiple requests/responses for the same UE ID (IMEID) at the same time
   •  Send requests/responses for a different IMEID after one was already established
•  SCTP stack is not as well tested as TCP
   •  Fuzz it
   •  Create crazy scenarios with the stream ID
   •  Send Fragments / Jumbo packets
   •  4/27/2013: MME reset bug related to fragmentation processing

(Diagram label: S1-MME)
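The two slides above describe the S1-MME exposure from the attacker's side (attach and SCTP association floods, malformed SCTP). The following is an added example, not code from the talk, showing the defender's counterpart: it parses the SCTP common header and chunk list of packets aimed at port 36412, flags chunk lengths that run past the packet and INITs that break RFC 4960's bundling and verification-tag rules, and counts INIT chunks per source to spot an association flood. The sample packets and the flood threshold are constructed assumptions; in practice the input would come from a tap or packet broker.

```python
"""SCTP chunk parser and INIT-flood detector for S1-MME traffic.
Added example, not from the talk; samples and threshold are constructed."""
import struct
from collections import defaultdict

S1_MME_PORT = 36412            # SCTP port the MME listens on (from the talk)
SCTP_COMMON_HDR = 12           # src port, dst port, verification tag, checksum
CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT_ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT_ACK", 6: "ABORT", 7: "SHUTDOWN", 10: "COOKIE_ECHO",
               11: "COOKIE_ACK"}


def parse_sctp(pkt: bytes):
    """Return (header, chunks, problems): header is (src_port, dst_port, vtag),
    chunks a list of (type, flags, value), problems the RFC 4960 violations found."""
    problems = []
    if len(pkt) < SCTP_COMMON_HDR:
        return None, [], ["packet shorter than the 12-octet common header"]
    sport, dport, vtag, _cksum = struct.unpack("!HHII", pkt[:SCTP_COMMON_HDR])
    chunks, off = [], SCTP_COMMON_HDR
    while off < len(pkt):
        if off + 4 > len(pkt):
            problems.append("truncated chunk header")
            break
        ctype, cflags, clen = struct.unpack("!BBH", pkt[off:off + 4])
        name = CHUNK_NAMES.get(ctype, f"type {ctype}")
        if clen < 4:
            problems.append(f"{name} chunk length {clen} below the 4-octet minimum")
            break
        if off + clen > len(pkt):
            problems.append(f"{name} chunk declares {clen} octets, only {len(pkt) - off} remain")
            break
        chunks.append((ctype, cflags, pkt[off + 4:off + clen]))
        off += (clen + 3) & ~3          # chunks are padded to a 4-octet boundary
    # RFC 4960 s3.3.2: INIT must be the only chunk and must carry verification tag 0
    if any(c[0] == 1 for c in chunks):
        if len(chunks) != 1:
            problems.append("INIT bundled with other chunks")
        if vtag != 0:
            problems.append(f"INIT with non-zero verification tag {vtag:#x}")
    return (sport, dport, vtag), chunks, problems


def detect_init_flood(packets, threshold=20):
    """packets: iterable of (src_ip, sctp_payload). Count INIT chunks per source
    aimed at S1-MME; return {src_ip: count} for sources above the threshold
    (an assumed tuning value, not a figure from the talk)."""
    inits = defaultdict(int)
    for src_ip, payload in packets:
        hdr, chunks, _ = parse_sctp(payload)
        if hdr is None or hdr[1] != S1_MME_PORT:
            continue
        inits[src_ip] += sum(1 for c in chunks if c[0] == 1)
    return {ip: n for ip, n in inits.items() if n > threshold}


# --- constructed sample traffic (not captures from a real network) ------------
def _init_packet(sport: int, init_tag: int = 0x1234ABCD) -> bytes:
    """INIT with initiate tag, a_rwnd, 10 out/in streams, initial TSN 1; checksum left zero."""
    value = struct.pack("!IIHHI", init_tag, 65535, 10, 10, 1)
    chunk = struct.pack("!BBH", 1, 0, 4 + len(value)) + value
    return struct.pack("!HHII", sport, S1_MME_PORT, 0, 0) + chunk


GOOD_INIT = _init_packet(36412)
# INIT whose chunk length points far past the end of the packet (fuzzer-style input)
BAD_LENGTH_INIT = (GOOD_INIT[:SCTP_COMMON_HDR] + struct.pack("!BBH", 1, 0, 0x0200)
                   + GOOD_INIT[SCTP_COMMON_HDR + 4:])
# one legitimate eNB opening one association, one source opening fifty
SAMPLE_TRAFFIC = [("10.10.1.5", GOOD_INIT)] + [("192.0.2.77", _init_packet(40000 + i)) for i in range(50)]


def sample_flood_report() -> dict:
    return detect_init_flood(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    print(parse_sctp(BAD_LENGTH_INIT)[2])
    print(sample_flood_report())
```

The length check matters as much as the counting: an SCTP implementation that trusts a chunk length field is exactly the kind of stack the fuzzing slide is about, so a monitor that sits in front of the MME should drop or alert on these before counting anything.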

Page 39: SCTP – A digression – RFC 4960

•  SCTP was developed to support SIGTRAN/SS7
   –  long distance, IP based transition, phone call system.
   –  Ties into PSTN (aka “the phone network”).
   –  Developed by phone companies
•  SCTP is a TCP “replacement”
   –  Stream based
   –  Has “advanced features” to “protect” against attacks that affect TCP
   –  According to Wikipedia, has a “simpler, basic structure”
•  However, run a quick fuzzer for a few seconds, and get one of these:

Page 40: And google is no help

•  Google is no help either

Page 41: Even more SCTP digression

Robin Seggelman might’ve based heartbeat code for SSL off of SCTP protocol/code: http://tinyurl.com/o5xdrot <--- goes to reddit

Page 42: SCTP Points of interest

Page 43: S1AP Points of interest

Page 44: Mapping S1AP messages to Phone Information

Page 45: How do I find an MME?

•  SCTP is built into most modern Linux kernels
•  lksctp-tools
   –  lets you set up basic SCTP clients and servers easily
•  sctpscan
   –  good scanner for listening SCTP devices
•  Nmap has support now
•  socat support
   –  can be listener or sender
   –  socat SCTP-CLIENT:1.1.1.1:36412 -
•  Port scanning SCTP won’t work behind most firewalls running SNAT, because they are SCTP.
•  Craft an S1AP Setup Request message, send across socat or similar.
•  Break into the baseband radio of phone
   –  See Droid RAZR baseband hack from DEF CON 22 – Hack all the things

Page 46: HSS

Page 47: HSS

•  HSS is a DIAMETER server
•  Uses SCTP port 3868
•  Normally found as a load balanced cluster
•  Load balancer for DIAMETER is called a DRA
   –  Diameter Routing Agent
•  MME authenticates phone IMEID against HSS
•  HSS is typically an “appliance-ized” Linux or BSD box
•  Attack vectors:
   –  Knock out HSS cluster, no one can sign onto the network
   –  Break into HSS, add your own device onto network, FREE DATA!!!
   –  Very fragile devices

Page 48: SGW

Page 49: SGW: S11 Interface

S11: GTPv2-C
•  Role: Responder
•  Used for bringing up GTP “Contexts”, otherwise known as tunnels
•  TLV-based protocol that runs over UDP
•  UDP port 2123

Potential Attacks:
•  Send random fuzzed traffic at GTP-C port—with or without the GTP headers
   •  This has been successful and caused repeated reboots of SGWs

(Diagram caption: Serving Gateway vs. Edge Router)
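The slide says a gateway reboots when fed random bytes on the GTP-C port, so the first defensive step is to check messages before they reach it. As an added example, not code from the talk, the following validates GTPv2-C messages on S11: header version, the length field against the octets present, the bounds of every IE, and the mandatory IEs that 3GPP TS 29.274 requires for an Echo Request (Recovery) and a Create Session Request (this example checks only RAT Type, Sender F-TEID, APN and Bearer Context, a subset of the spec's list). The sample messages, including a fuzzed Echo Request whose IE length points past the end of the datagram, are constructed here.

```python
"""GTPv2-C (S11) message validator: header version, length field, IE bounds and
mandatory IEs. Added example, not code from the talk; sample messages are
constructed and the mandatory-IE sets are the subset of TS 29.274 checked here."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GTPV2C_PORT = 2123                # UDP port named in the talk
HDR_LEN = 4                       # flags, message type, 2-octet length
MSG_NAMES = {1: "Echo Request", 2: "Echo Response", 3: "Version Not Supported",
             32: "Create Session Request", 33: "Create Session Response"}
IE_RECOVERY, IE_APN, IE_RAT_TYPE, IE_FTEID, IE_BEARER_CONTEXT = 3, 71, 82, 87, 93
MANDATORY_IES = {1: {IE_RECOVERY},
                 32: {IE_RAT_TYPE, IE_FTEID, IE_APN, IE_BEARER_CONTEXT}}


@dataclass
class Gtpv2Message:
    msg_type: int = 0
    teid: Optional[int] = None
    seq: int = 0
    ies: List[Tuple[int, bytes]] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_gtpv2c(pkt: bytes) -> Gtpv2Message:
    """Parse one datagram; every inconsistency found is recorded in .problems."""
    m = Gtpv2Message()
    if len(pkt) < HDR_LEN:
        m.problems.append("shorter than the 4-octet header")
        return m
    flags, m.msg_type, length = struct.unpack("!BBH", pkt[:HDR_LEN])
    if flags >> 5 != 2:
        m.problems.append(f"version {flags >> 5} is not GTPv2")
    if length != len(pkt) - HDR_LEN:
        m.problems.append(f"length field {length} vs {len(pkt) - HDR_LEN} octets present")
    body, off = pkt[HDR_LEN:], 0
    if flags & 0x08:                  # T flag: a 4-octet TEID precedes the sequence number
        if len(body) < 4:
            m.problems.append("truncated TEID")
            return m
        m.teid, off = struct.unpack("!I", body[:4])[0], 4
    if len(body) < off + 4:
        m.problems.append("truncated sequence number")
        return m
    m.seq = int.from_bytes(body[off:off + 3], "big")
    off += 4                          # 3-octet sequence number plus one spare octet
    while off < len(body):            # IE = type(1) length(2) instance(1) value
        if off + 4 > len(body):
            m.problems.append("truncated IE header")
            break
        ie_type, ie_len, _inst = struct.unpack("!BHB", body[off:off + 4])
        if off + 4 + ie_len > len(body):
            m.problems.append(f"IE {ie_type} declares {ie_len} octets, only {len(body) - off - 4} remain")
            break
        m.ies.append((ie_type, body[off + 4:off + 4 + ie_len]))
        off += 4 + ie_len
    missing = MANDATORY_IES.get(m.msg_type, set()) - {t for t, _ in m.ies}
    if missing:
        m.problems.append(f"{MSG_NAMES.get(m.msg_type, m.msg_type)} missing mandatory IEs {sorted(missing)}")
    return m


# --- constructed samples (not captures from any real network) ----------------
def _ie(ie_type: int, value: bytes) -> bytes:
    return struct.pack("!BHB", ie_type, len(value), 0) + value


def _msg(msg_type: int, seq: int, ies: bytes, teid: Optional[int] = None) -> bytes:
    body = (struct.pack("!I", teid) if teid is not None else b"") + seq.to_bytes(3, "big") + b"\x00" + ies
    return struct.pack("!BBH", 0x40 | (0x08 if teid is not None else 0), msg_type, len(body)) + body


ECHO_REQUEST = _msg(1, 1, _ie(IE_RECOVERY, b"\x00"))
# Recovery IE claiming 64 octets inside a 13-octet message: fuzzer-style input
FUZZED_ECHO = ECHO_REQUEST[:9] + struct.pack("!H", 64) + ECHO_REQUEST[11:]
APN_IE = _ie(IE_APN, b"\x08internet")
CSR_IES = (_ie(IE_RAT_TYPE, b"\x06")                                                     # 6 = EUTRAN
           + _ie(IE_FTEID, b"\x8a" + (0x1234).to_bytes(4, "big") + bytes([10, 0, 0, 1]))  # V4 flag, S11 MME GTP-C
           + APN_IE
           + _ie(IE_BEARER_CONTEXT, _ie(73, b"\x05")))                                  # 73 = EPS Bearer ID
CREATE_SESSION_REQUEST = _msg(32, 2, CSR_IES, teid=0)
CSR_WITHOUT_APN = _msg(32, 3, CSR_IES.replace(APN_IE, b""), teid=0)

if __name__ == "__main__":
    for name, pkt in [("echo", ECHO_REQUEST), ("fuzzed", FUZZED_ECHO),
                      ("csr", CREATE_SESSION_REQUEST), ("csr_no_apn", CSR_WITHOUT_APN)]:
        print(name, parse_gtpv2c(pkt).problems)
```

The parser never trusts a declared length over the octets actually present, which is the property the talk's fuzzing results suggest the gateways themselves lacked; a missing-mandatory-IE verdict is what a conformant peer should answer with a rejection rather than a crash.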

Page 50: SGW: S1-U Interface

S1-U: GTPv1-U
•  Role: Responder
•  Tunnels IP packets inside of IP
•  Similar function to VPN
•  IPsec is possible
•  TLV fields followed by encapsulated IP packet
•  Contains all of the users’ data traffic
   •  This is your super sekrit cat pictures and emails

Potential Attacks:
•  This is the easiest point of entry for an attacker as this is an IP address that the UE knows and uses
•  Toll fraud, using wrong data channel for data
•  Tunnel data traffic over DNS
•  Sending malformed IP PDUs over GTP-U has caused many crashes on SGWs as it “unwraps” the packet
•  DDoS or “performance test” with a standard application protocol mix

(Protocol stack diagram: HTTP / TCP / IP / GTP-U / UDP port 2125 / IP / Layer 2 / Layer 1)
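What “unwrapping” involves, as an added example that is not code from the talk: decapsulate a GTPv1-U G-PDU, walk any extension headers with bounds checks, and inspect the inner IPv4 header for fragments and length mismatches, the two inputs the Confirmed Kills slide later ties to GTP-U manager crashes. One caveat for anyone building a filter from these slides: 3GPP TS 29.281 assigns GTP-U to UDP port 2152, not 2125, so a capture filter on 2125 would see no user-plane traffic. The sample PDUs are constructed, with IP and UDP checksums left at zero since this check does not validate them.

```python
"""GTPv1-U decapsulation with inner-IPv4 sanity checks (fragments, length
mismatch). Added example, not from the talk; sample PDUs are constructed."""
import struct

GTPU_HDR_LEN = 8                  # flags, message type, length, TEID
GTPU_GPDU = 255                   # message type that carries a user IP packet
GTPU_MSG_NAMES = {1: "Echo Request", 2: "Echo Response", 26: "Error Indication", 255: "G-PDU"}


def check_inner_ipv4(ip: bytes) -> list:
    """Return problems with the encapsulated IPv4 packet (empty list if it looks sane)."""
    if len(ip) < 20:
        return [f"inner packet is {len(ip)} octets, shorter than an IPv4 header"]
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", ip[:8])
    if ver_ihl >> 4 != 4:
        return [f"inner packet version {ver_ihl >> 4} is not IPv4"]
    problems = []
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(ip):
        problems.append(f"IHL {ihl} octets is invalid for a {len(ip)}-octet packet")
    if total_len != len(ip):
        problems.append(f"IPv4 total length {total_len} vs {len(ip)} octets carried")
    more_fragments, frag_offset = bool(flags_frag & 0x2000), flags_frag & 0x1FFF
    if more_fragments or frag_offset:
        problems.append(f"IPv4 fragment (MF={int(more_fragments)}, offset={frag_offset})")
    return problems


def decap_gtpu(pkt: bytes):
    """Return (msg_type, teid, inner_ip_or_None, problems) for one GTPv1-U datagram."""
    problems = []
    if len(pkt) < GTPU_HDR_LEN:
        return None, None, None, ["shorter than the 8-octet GTPv1-U header"]
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:GTPU_HDR_LEN])
    if flags >> 5 != 1 or not flags & 0x10:
        problems.append(f"flags {flags:#04x}: not GTP version 1 / protocol type GTP")
    if length != len(pkt) - GTPU_HDR_LEN:
        problems.append(f"GTP length field {length} vs {len(pkt) - GTPU_HDR_LEN} octets present")
    off = GTPU_HDR_LEN
    if flags & 0x07:                      # E, S or PN set: 4 optional octets follow the header
        if len(pkt) < off + 4:
            return msg_type, teid, None, problems + ["truncated optional header fields"]
        next_ext = pkt[off + 3]
        off += 4
        while next_ext != 0:              # extension header: length in 4-octet units, content, next type
            if off >= len(pkt) or pkt[off] == 0 or off + pkt[off] * 4 > len(pkt):
                return msg_type, teid, None, problems + ["malformed extension header chain"]
            ext_len = pkt[off] * 4
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    if msg_type != GTPU_GPDU:
        return msg_type, teid, None, problems   # echo/error messages carry no user packet
    inner = pkt[off:]
    return msg_type, teid, inner, problems + check_inner_ipv4(inner)


# --- constructed samples (not captures from a real network) -------------------
def _ipv4_udp(payload: bytes, total_len=None, flags_frag=0) -> bytes:
    """IPv4/UDP datagram from a private UE address to a resolver; checksums left zero."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    total_len = 20 + len(udp) if total_len is None else total_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, 17, 0,
                         bytes([10, 45, 0, 7]), bytes([192, 0, 2, 53]))
    return ip_hdr + udp


def _gpdu(inner: bytes, teid: int = 0x000A1B2C) -> bytes:
    return struct.pack("!BBHI", 0x30, GTPU_GPDU, len(inner), teid) + inner   # 0x30: version 1, PT=1


CLEAN_GPDU = _gpdu(_ipv4_udp(b"hello"))
FRAGMENT_GPDU = _gpdu(_ipv4_udp(b"hello", flags_frag=0x2000))      # MF set: a first fragment
LYING_LENGTH_GPDU = _gpdu(_ipv4_udp(b"hello", total_len=1500))      # header claims 1500 octets
GTPU_ECHO_REQUEST = struct.pack("!BBHI", 0x30, 1, 0, 0)


def sample_verdicts() -> dict:
    """Map each constructed sample name to the problems found in it."""
    samples = {"clean": CLEAN_GPDU, "fragment": FRAGMENT_GPDU,
               "lying_length": LYING_LENGTH_GPDU, "echo": GTPU_ECHO_REQUEST}
    return {name: decap_gtpu(pkt)[3] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, problems in sample_verdicts().items():
        print(name, problems or "ok")
```

A gateway that reassembled or forwarded the inner packet without this kind of check is exactly what the crash list describes; flagging fragments and length disagreements at the tap also gives a concrete signal to alert on.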

Page 51: Case Study: Toll Fraud “Exploitation”

•  LTE allows the use of “bearer” channels
•  Designed to allow data limits for different applications
•  The UE decides which bearer channel to send for each type of traffic
•  Should be trivial to send different traffic over different bearer channels

OR

•  DNS-tunnel is allowed through most carriers’ networks
•  Set VPN to port 53
•  Free data
•  ICMP-tunneling can also work
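The detection-side counterpart to the DNS-tunnel case, added here and not part of the talk: score each subscriber's resolver queries by mean query-name length, Shannon entropy of the leftmost label, the share of TXT/NULL queries, and the number of distinct subdomains under one parent domain, then report subscribers that trip any threshold. The resolver log lines and the thresholds are constructed assumptions; a carrier would tune them against its own baseline.

```python
"""Flag subscribers whose DNS queries look like a tunnel. Added example, not
from the talk; the log lines are constructed and the thresholds are assumed."""
import math
from collections import Counter, defaultdict

# Constructed resolver log: timestamp, client IP, query name, query type, size in octets
SAMPLE_LOG = """\
2014-10-21T10:00:01 10.45.0.7 www.example.com A 45
2014-10-21T10:00:02 10.45.0.7 mail.example.com A 46
2014-10-21T10:00:04 10.45.0.7 cdn.images.example.com A 52
2014-10-21T10:00:09 10.45.0.7 api.example.com A 45
2014-10-21T10:00:01 10.45.0.9 7a9f3c1e5b2d8e4f6a0c1b3d5e7f9a2b.t.tun-example.net NULL 120
2014-10-21T10:00:01 10.45.0.9 c4e81b0d2f6a9e3c7b5d1f0a8e2c4b6d.t.tun-example.net NULL 118
2014-10-21T10:00:02 10.45.0.9 1f3e5d7c9b0a2e4f6d8c0b1a3f5e7d9c.t.tun-example.net TXT 121
2014-10-21T10:00:02 10.45.0.9 b6d8f0a2c4e6091b3d5f7a9c1e3b5d7f.t.tun-example.net NULL 119
2014-10-21T10:00:03 10.45.0.9 e2c4a6081f3d5b7e9c0a2f4d6b8e1c3a.t.tun-example.net NULL 120
"""

# Assumed tuning values, not figures from the talk
THRESHOLDS = {"mean_qname_len": 40, "mean_label_entropy": 3.5,
              "rare_qtype_fraction": 0.5, "distinct_subdomains": 5}
RARE_QTYPES = {"TXT", "NULL"}       # record types tunnels favour for bulk payload


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex-encoded payload sits near 4.0, words far lower."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse_log(text: str):
    for line in text.splitlines():
        ts, client, qname, qtype, size = line.split()
        yield ts, client, qname.lower().rstrip("."), qtype, int(size)


def score_clients(records) -> dict:
    """Return {client_ip: [reasons]} for clients whose queries exceed any threshold."""
    per_client = defaultdict(list)
    for _ts, client, qname, qtype, _size in records:
        per_client[client].append((qname, qtype))
    report = {}
    for client, queries in per_client.items():
        n = len(queries)
        mean_len = sum(len(q) for q, _ in queries) / n
        mean_entropy = sum(shannon_entropy(q.split(".")[0]) for q, _ in queries) / n
        rare_fraction = sum(1 for _, t in queries if t in RARE_QTYPES) / n
        subdomains = defaultdict(set)          # parent (last two labels) -> distinct prefixes
        for q, _ in queries:
            labels = q.split(".")
            if len(labels) > 2:
                subdomains[".".join(labels[-2:])].add(".".join(labels[:-2]))
        distinct = max((len(s) for s in subdomains.values()), default=0)
        reasons = []
        if mean_len > THRESHOLDS["mean_qname_len"]:
            reasons.append("long_query_names")
        if mean_entropy > THRESHOLDS["mean_label_entropy"]:
            reasons.append("high_entropy_labels")
        if rare_fraction > THRESHOLDS["rare_qtype_fraction"]:
            reasons.append("rare_query_types")
        if distinct >= THRESHOLDS["distinct_subdomains"]:
            reasons.append("many_subdomains")
        if reasons:
            report[client] = reasons
    return report


def sample_report() -> dict:
    return score_clients(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for client, reasons in sample_report().items():
        print(client, ", ".join(reasons))
```

None of the four features is decisive on its own (CDNs produce many subdomains, DKIM lookups produce TXT queries), which is why the report keeps the reasons rather than a single score; volume per client over time, which the bearer-accounting side already has, is the natural fifth signal.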

Page 52: PGW

Page 53: PGW : S5/8 Interface

S5/8 Interface:
•  PGW acts as “core router” for all traffic exiting the mobile network to the PDN
•  Multiple SGWs are typically connected to one PGW
•  In smaller environments the SGW and PGW are integrated into one unit
•  PGW uses GTPv2-C and GTP-U, in a similar fashion to SGW
   •  Packet headers are the same, but data changes

Potential Attacks:
•  Utilize the same techniques to break SGW as used on PGW
•  Once again, malformed IP packets are not typically handled well
•  GTP-C flooding to set up contexts and tunnels that don’t exist (DDoS)

(Diagram caption: Packet Data Network Gateway vs. Core Router)

Page 54: PGW : SGi Interface

SGi Interface:
•  PGW acts as “core router” for all traffic exiting the mobile network to the PDN
•  No tunnels—only IP

Potential Attacks:
•  The same battery of attacks that you would use on any intelligent router
   •  Management services (SNMP, SSH, Telnet, etc.)
•  Packet flooding DDoS will knock out service for millions of phones

Page 55: How do I find a SGW or PGW?

•  Port scan for UDP ports 2123 (GTP-C) and 2125 (GTP-U)
   –  If you are lucky, will respond with ICMP port unreachable/reachable messages
   –  Test for unreachable message with non-GTP related port
•  GTP-C control plane
   –  UDP port 2123
   –  two types of probes you can send
   –  GTP Echo Request
      •  Response is GTP Echo Response
   –  Create Session Request Packet
      •  Will respond with ACK or NACK
•  GTP-U Data Plane
   –  UDP port 2125
   –  GTP Echo Request works

Page 56: Confirmed Kills

SGW:
   S1-U Interface:
   1. fragmented IP traffic -> GTP-U manager crashes and traffic wasn’t let through
   2. 64B TCP packets at a high rate -> GTP-U manager crashes and traffic wasn’t let through
   3. Fuzz GTP-U (<20Mbps) + application traffic -> GTP-U manager crashes and traffic wasn’t let through
   S11 Interface:
   1. Sending a badly formed “Idle Control” Command + application traffic -> GTP-U manager crash
   2. Fuzz only the TCP/IP, not even the GTP-C, + application traffic -> NPU-manager crash
   3. Fuzz the GTP-C traffic -> GTP-U crash

MME:
   S1-MME interface:
   1. DDoS with attach request floods, SCTP connection floods, and other general mayhem on S1AP

HSS:
   S6a Interface:
   1. Performance testing, no security -> Crash

DRA (diameter-specific load-balancer between the MME and HSS):
   S6a Interface:
   1. Performance testing, no security: 1x SCTP connection, simulating 1x MME, 4000 messages/s (authentications, then location updates) -> Crash

Page 57: Summary

•  LTE networks are not as complicated as they seem
•  LTE networks are still immature
•  Security was an after-thought
•  Stack your performance, security, feature, and negative testing for best results

Page 58: Thank You