philippe langlois - hacking hlr hss and mme core network elements
DESCRIPTION
Hacking HLR HSS and MME Core Network Elements Slides of HITB2013 Amsterdam Nederlands from Philippe Langlois.TRANSCRIPT
![Page 1: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/1.jpg)
LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements
P1 Security
1
![Page 2: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/2.jpg)
LTE ENVIRONMENT
2
![Page 3: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/3.jpg)
LTE Network Overview
3
![Page 4: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/4.jpg)
Corporate & Mobile Data risk increased • LTE from aGackers perspecHve • All IP – always on – always vulnerable?
– Spear-‐Phishing – Botnets & Malware – Flooding – Trojan & Backdoors
• IPv6 renders NAT protecHon inefficient • Split Handshake TCP aGacks prevents IPS and AnHvirus
• Very familiar architecture for aGackers: ATCA, Linux • Intricate and new protocols: Diameter, S1, X2, GTP
4
![Page 5: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/5.jpg)
2G 3G to LTE: Reality and Legacy 2G 3G LTE BTS Node B eNode B BSC merged into Node B merged into eNode B
MSC / VLR RNC MME, MSC Proxy HLR HLR, IMS HSS, HE LTE SAE HSS, SDR/SDM STP STP, SG Legacy STP
GGSN GGSN PDN GW
SGSN SGSN MME/SGW IN IN/PCRF PCRF RAN Firewall RAN Firewall SeGW
5
![Page 6: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/6.jpg)
User data content: LTE User Plane
6
![Page 7: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/7.jpg)
LTE Network AGack Surface • Full IP only?
– No: full IP double exposure • Packets (PS Domain)
– 2x aGack surface • GTP sHll present • S1AP/X2AP new
• Circuits (CS Domain) – 2x aGack surface
• SIGTRAN & SS7 will stay for many years • IMS & Diameter
7
![Page 8: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/8.jpg)
3G and LTE together
8
RAN EPC
![Page 9: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/9.jpg)
CSFB vs. VOLTE vulnerability aGack surface
• CSFB – CS Fall Back from 4G to 3G – Past is present – SS7 and SIGTRAN stack vulnerabiliHes (DoS, spoof, …)
• VOLTE – Whole new aGack surface – New APN, new network to hack, new servers, – Closer to the Core Network == more serious vulns – IMS (CSCF = SIP server, DNS, …)
• Standard? No… 9
![Page 10: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/10.jpg)
ISUP injecHon in SIP through VOLTE Yes, SIP… known… but…
Internet SIP + SS7 ISUP == SIP-‐I and SIP-‐T == ISUP InjecHon !
• Remote Core Network DoS
• SS7 compromise
• External signaling injection
• Spoofing of ISUP messages
• Fake billing • Ouch!
![Page 11: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/11.jpg)
11
![Page 12: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/12.jpg)
CSFB AGack surface through MSC Proxy and SS7 + SIGTRAN
• All SIGTRAN aGack surface exposed • All SS7 aGack surface exposed • Most dangerous:
– Logical Denial of Service aGacks • SSP-‐based SCCP DoS (P1 CVID#480) • TFP-‐based SS7 DoS (P1 CVID#481)
– Equipment Crash/Denial of Service aGacks • Ericsson MSC Crash DoS (P1 VID#330) • NSN HLR Crash DoS (P1 VID#148) • Ericsson STP Crash DoS (P1 VID#187)
12
![Page 13: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/13.jpg)
Severity Critical
Description
NGHLR SS7 stack software is not robust and suffers from Remote Denial of Service.
Impact
Enables any person sending malicious SCCP traffic to the HLR to crash it. This includes the whole international SS7 network as HLRs need always to be globally reachable.
P1vid#148 - https://saas.p1sec.com/vulns/148
• Reliability for telco – Ability to cope with X million of requests – Not Ability to cope with malformed traffic
NSN NGHLR remote Denial of Service caused by fragile SS7 stack
![Page 14: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/14.jpg)
GSM MAP primiHve MAP_FORWARD_ACCESS_SIGNALLING enables RAN signaling injecHon
Severity Medium
Description
This GSM MAP MSU "MAP_FORWARD_ACCESS_SIGNALLING" forwards any content to the Radio Access Network (RAN).
Impact
The result is that some external entities may send or spoof MAP_FORWARD_ACCESS_SIGNALLING MSUs to target MSC GTs and have the vulnerable MSCs to inject this signaling into the radio network (typically RANAP).
P1vid#145 - https://saas.p1sec.com/vulns/145
Normal
Spoofed
• Spoof and inject radio signaling • As if it was coming from Radio Network
![Page 15: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/15.jpg)
Fun AnH-‐forensics
• Same aGack as VID#187 “ • Also crash Ericsson traffic monitoring log analysis forensic tools (P1 VKD VID#213)
• Code sharing between enforcement and forensic tools
15
P1vid#213 - https://saas.p1sec.com/vulns/213
![Page 16: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/16.jpg)
3G and LTE together
16
RAN EPC
![Page 17: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/17.jpg)
Peer to Peer Radio Access Network • X2AP
– eNodeB’s – Peer to Peer
• TranslaHon – Every base staHon can talk to every other – Network aGack surface increase – Total spread into the RAN network
• Operator-‐wide L2 network – L2 aGacks, less defense in depth, scanning only blocked by size of network
– Did GTP disappear? No 17
![Page 18: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/18.jpg)
18
User data btw eNBs: LTE User Plane
![Page 19: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/19.jpg)
LTE RAN Overview
19
Typically a commonphysical connection
X2
Mul
Mul S1
IP/Ethernet transport
MMEOSS-RC
LTE RAN
X2Mul
S1 UP
X2Mul S1S1
Evolved Packet Network (EPC)
SGW
S1 CP
SeGW
Typically a commonphysical connection
X2
Mul
Mul S1
IP/Ethernet transport
MMEOSS-RC
LTE RAN
X2Mul
S1 UP
X2Mul S1S1
Evolved Packet Network (EPC)
SGW
S1 CP
SeGW
!
![Page 20: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/20.jpg)
Pwning OSS: L2 network mistakes always happen
• Can’t catch it with mulHple overlapping /8 networks: automate!
• From any eNodeB to the NMS • From any eNodeB to any eNodeB
– You can bet on insecure provisioning • American example & Remote misconfiguraHon
20
![Page 21: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/21.jpg)
eNodeB Hardware AGacks
21
DUS (2G+3G+4G) & DUL (4G)
Radio
Local Ethernet ports (not TDM anymore)
Uplink to DWDM / Optical net
Ericsson RBS 6602
Hardware (in)security system
![Page 22: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/22.jpg)
LTE: Equipment AGack surface increase • Diameter (New)
– Added surface – New code, maturity in quesHon – Very few commercial fuzzers support it – Even less really trigger bugs in Diameter (depth pbm)
• S1/X2AP (New) – GTP + MAP within two completely new protocols – With encapsulaHon of user traffic (Non Access Stratum protocol)
• What could possibly go wrong? 22
![Page 23: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/23.jpg)
23
![Page 24: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/24.jpg)
24
![Page 25: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/25.jpg)
Diameter audit/fuzzing problem
25
![Page 26: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/26.jpg)
Auditor bias #1: Open standards doesn't mean vision
• Diameter – Nearly every parameter is opHonal
• Result – Nobody knows what is a valid combinaHon …
• To test / fuzz / inject • Combinatorial explosion
– Sequence / Dialogue / Flow – AVP combinaHon – AVP values – Fuzzed parameter
• Even manufacturer don’t know how to successfully instrument the Device Under Test
• Fuzzer Support is not Fuzzer successful triggering 26
![Page 27: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/27.jpg)
Auditor bias #2: Fuzzing is as deep as fuzzer goes
• And fuzzer never go deep enough – Commercial fuzzer
0 trigger/1000 iteration!
– Standard own fuzzer 13 triggers/1000 iterations!!
• Need target-‐specific development – Customized own fuzzer:
85 triggers/1000 iterations!
27
![Page 28: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/28.jpg)
LTE: New risk with Diameter • Diameter informaHon network disseminaHon
• Diameter awesomeness – distribuHon/centralizaHon – its own evil side
• Present in many database – HSS, SDM/SDR, CUD
• The goal was to centralize • The result is one more database
28
![Page 29: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/29.jpg)
LTE Huawei Specific
29
• USN = SGSN + MME • UGW = SeGW + SGW + PDN GW / PGW
![Page 30: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/30.jpg)
Pwning LTE HSS: C++ SQL InjecHon everywhere
30
![Page 31: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/31.jpg)
LTE HSS Pwning methodology • OSS is considered Core • It is accessible by eNodeBs
– SomeHme: Network filtering mistakes – Osen: Allowed for Provisionning
• OSS can connect to HSS – HSS exports too many services – Mux/Tunnel kind of thinking
• one port == many services
31
![Page 32: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/32.jpg)
LTE EPC funcHonal plane, no OAM
32
![Page 33: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/33.jpg)
Add OAM: complexity explosion
33
![Page 34: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/34.jpg)
Auditor bias #3: Manual vision is always incomplete • Need some automaHon • 200 APNs * 16 million IPs == need to have dedicated scanner – Each valid GTP tunnel is a new 16 millions IPs to scan – Address space explosion
• You CANNOT do it manually – You CANNOT do it without specific scanners
34
![Page 35: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/35.jpg)
Pwning MME: Hardcoded encrypHon keys
35 P1 VKB CVID#485 DES… Hardcoded keys everywhere…
![Page 36: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/36.jpg)
Demo
36
![Page 37: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/37.jpg)
Legacy PS Interfaces of interest to LTE
• Gi : Interface from GGSN to Internet • Gn : Interface between SGSN and other SGSN and (internal) GGSN
• Gp : Interface between Internal SGSN and external GGSN (GRX used here)
37
![Page 38: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/38.jpg)
eDNS vs iDNS • Leaks to Internet • Passive DNSmon • Leaks to GPRS • Leaks to 3G data • Leaks to LTE EPC
![Page 39: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/39.jpg)
Legacy GPRS / UMTS
• GRX • TLD / Domain .gprs • Quite monolithic:
– APN – RAI
• rai<RAI>. mnc08. mcc204.gprs
• Only APNs and “some” network element
39
![Page 40: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/40.jpg)
IMS DNS
• 3gppnetwork.org • Supports and lists all Network Element
– LAC – RAC
• Examples – rac<RAC>.lac<LAC>.mnc08.mcc204.gprs
40
![Page 41: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/41.jpg)
LTE EPC DNS
• Same as IMS DNS but extended • Supports and lists most SAE EPC Network Elements
– MME – SGW
• Examples mmec<MMEC>.mmegi<MMEGI>.mme.epc.mnc99.mcc208.3gppnetwork.org!
41
![Page 42: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/42.jpg)
Pwning from LTE mobile • Infrastructure Reverse path protecHon • LTE Mobile data access
– RFC1918 leaks (SomeHme) – Datacom IP infrastructure access (Now more osen)
42
NAT CGNAT
![Page 43: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/43.jpg)
Pwning from external: Direct MML access from Internet
• Pwning from external without any reverse path trick.
• Shodan doesn’t work on these • MML aGack surface exposed
43
NAT CGNAT
![Page 44: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/44.jpg)
Auditor bias #4: Testbed is always more secure • Testbed is more secure than producHon
– Legacy impact – Scalability impact
• Audit is osen only permiGed in testbed – Liability – PotenHal for Denial of Service
• Result – AGackers advantage – ProducHon goes untested
44
![Page 45: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/45.jpg)
Auditor bias #4: Testbed is always more secure • Testbed is more secure than producHon
– Legacy impact – Scalability impact – There’s always something more on the prod network
• Audit is osen only permiGed in testbed – Liability – PotenHal for Denial of Service
• Result – AGackers advantage – ProducHon goes untested
45
![Page 46: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/46.jpg)
Technical Capacity & Knowledge issue • Who
– Can audit all new LTE protocols and legacy protocols – Has experHse on the architectures & vendors equipment
• Guarantee – Scanning quality – Coverage on all protocols & arch (CSFB, IMS, Hybrid, SCharge)
• Cover all perimeters and accesses – APNs – GRX & IPX accesses – Split DNS – User plane and control plane
46
![Page 47: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/47.jpg)
Conclusion
• LTE is supposed to be built with security – Difference between standardizaHon and real security – Network Equipment Vendors are sHll lagging
• Opening up of the technology – Good: deeper independent security research
• Operators – SHll disinformed by vendors – Security through obscurity in 2013! Unbelievable! – Some are gezng proacHve
47
![Page 48: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/48.jpg)
THANKS! SEE YOU AT: HACKITO ERGO SUM – MAY 2-‐4 2013 PARIS, FRANCE
Contact: [email protected] hGp://www.p1sec.com
48
![Page 49: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/49.jpg)
BACKUP SLIDES
49
![Page 50: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/50.jpg)
Interfaces
50
![Page 51: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/51.jpg)
LTE Network
51
![Page 52: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/52.jpg)
Previous LTE services & missions • LTE Complete infrastructure audit • Huawei LTE EPC Core Network audit & vulnerability research
• LTE CSFB infrastructure integraHon with legacy audit – both Diameter, S1, X2 and SS7 integraHon for CS FallBack
• Ericsson eNodeB audit and product security review
• Diameter security audit on LTE & IMS Core 52
![Page 53: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/53.jpg)
LTE audit milestones 1. External LTE tesHng, scan & audit (blackbox)
– LTE new elements – IntegraHon with legacy
2. LTE eRAN onsite audit – eNodeB, enrollment, configuraHon & PSR/PVR – OSS & OAM
3. LTE EPC Core Network audit – MME – S-‐GW & PDN GW – HSS – PCRF
4. MBSS – Minimum Baseline Security Standard – LTE eRAN: eNodeB, SeGW, OSS & enrollment servers – LTE EPC: MME, S-‐GW, PCRF, HSS, PDN GW, MSC Proxy
53
![Page 54: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/54.jpg)
INTERFACES
54
![Page 55: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/55.jpg)
Interfaces
55
![Page 56: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/56.jpg)
ADDRESSING IN LTE
56
![Page 57: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/57.jpg)
Core Network: IP addresses everywhere
• Everything uses IP addresses – User: UE, – RAN: eNodeB, SeGW – EPC: MME, HSS, SGW, PGW
• IPv4 • IPv6 is actually really being supported
57
![Page 58: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/58.jpg)
Telecom-‐specific addressing
• End user addresses: – GUTI, – IMSI, – …
58
![Page 59: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/59.jpg)
GUTI • Globally Unique Temporary IdenHty (GUTI)
– Allocated by the MME to the UE • GUTI = GUMMEI + M-‐TMSI
– GUMMEI = Globally Unique MME ID • GUMMEI = MNC + MCC + MMEI
– MMEI = MMEGI + MMEC » MMEGI = MME Group ID » MMEC = MME Code
– M-‐TMSI == MME TMSI • GPRS/UMTS P-‐TMSI -‐> LTE M-‐TMSI • S-‐TMSI = MMEC + M-‐TMSI
59
![Page 60: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/60.jpg)
GUTI in Pictures
60
![Page 61: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/61.jpg)
RAI/P-‐TMSI mapping to GUTI
61
!
![Page 62: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/62.jpg)
GUTI mapping to P-‐TMSI
62
!
![Page 63: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/63.jpg)
TAC and RNC ID
63
!
![Page 64: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/64.jpg)
ADRESS MAPPING IN DNS
64
![Page 65: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/65.jpg)
Legacy GPRS / UMTS
• GRX • TLD / Domain .gprs • Quite monolithic:
– APN – RAI
• rai<RAI>. mnc08. mcc204.gprs
65
![Page 66: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/66.jpg)
IMS DNS
• 3gppnetwork.org • Supports
– LAC – RAC
• Examples – rac<RAC>.lac<LAC>.mnc08.mcc204.gprs
66
![Page 67: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/67.jpg)
LTE EPC DNS
• Same as IMS DNS but extended • Supports
– MME – SGW
• Examples – mmec<MMEC>.mmegi<MMEGI>.mme.epc.mnc99.mcc208.3gppnetwork.org
67
![Page 68: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/68.jpg)
TECHNOLOGY BACKGROUNDER
68
![Page 69: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/69.jpg)
LTE Data Terminology
• GTP = GPRS Tunneling Protocol • EPS = Evolved Packet Service, LTE data sessions • EPC = Evolved Packet Core, the LTE core network • APN = Access Point Name (same as 2G/3G) • Bearer = PDP session, GTP Tunnel for a given used • SeGW = Security Gateway, segments eNB / EPC • SGW = Serving Gateway, like GGSN, connects to Internet
69
![Page 70: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/70.jpg)
PDP Context vs. EPS Bearer • UMTS and GPRS data session
– Packet Data Protocol (PDP) Context – AGach (Alert SGSN) -‐> PDP Context AcHvaHon procedure
• LTE data session – Evolved Packet System (EPS) Bearer
• Default EPS Bearer • Dedicated EPS Bearer
• Both use parameters: – Access Point Name (APN), – IP address type, – QoS parameters
70
![Page 71: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/71.jpg)
LTE GTP = eGTP
• GTP-‐U • From eNodeB to PDN GW – PGW – aka Internet exit node
– Used to be the GGSN
71
![Page 72: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/72.jpg)
GTP-‐U
• udp/2152
72
![Page 73: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/73.jpg)
LTE Control Plane: eNodeB-‐MME
73
![Page 74: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/74.jpg)
S1AP
• sctp/36412
74
![Page 75: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/75.jpg)
LTE Control Plane: eNodeB-‐eNodeB
75
![Page 76: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/76.jpg)
X2AP
• sctp/36422
76
![Page 77: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/77.jpg)
Protocol and port matrix
77
Communicating nodes Protocol
Protocol ports
Source Destination Source Destination
eNodeB S-GW GTP-U/UDP 2152 2152
S-GW eNodeB GTP-U/UDP 2152 2152
eNodeB eNodeB GTP-U/UDP 2152 2152
eNodeB MME S1AP/SCTP 36422 36412
MME eNodeB S1AP/SCTP 36412 36422
eNodeB eNodeB X2AP/SCTP 36422 36422
![Page 78: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/78.jpg)
All is ASN1
• All protocols described in ASN1 – Different kind of Encoding
• BER – Basic, standard TLV • PER – Packed,
– Aligned (APER) – Unaligned (UPER)
– Described in ITU and 3GPP standards – Require ASN1 “CLASS” keywords
78
![Page 79: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/79.jpg)
LTE SIGNALING
79
![Page 80: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/80.jpg)
Diameter Everywhere
• Diameter replaces SS7 MAP • DSR
– Diameter Signaling Router
80
![Page 81: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/81.jpg)
81
![Page 82: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/82.jpg)
82
![Page 83: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/83.jpg)
83
![Page 84: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/84.jpg)
Security implicaHon
• SCTP filtering to be generalized • Benefit
– SCTP is “config first” most of the Hme
• Threat – IP cloud is much more exploitaHon friendly – AGack techniques are known to many people – Compromise consequences are more far-‐reaching than SS7
84
![Page 85: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/85.jpg)
Diameter Roaming
85
![Page 86: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/86.jpg)
Security rouHng and filtering in Diameter
• DSR – Define rouHng & filtering rules
• Discriminants Indicators – DesHnaHon-‐based:
• Realm, Host, ApplicaHon-‐ID
– OriginaHon-‐based: • Realm, Host, ApplicaHon-‐ID
– Command-‐Code – IMSIAddress
86
![Page 87: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/87.jpg)
Future Diameter RouHng & Filtering
87
![Page 88: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/88.jpg)
Security & Vulnerability of EPC Roaming
• Filtering even more important – DSR filtering is not mature
• GRX problems amplified – Impact of the GRX/IPX/IMS/SAE EPC DNS infrastructure in InformaHon Gathering
• Unique IdenHfier leaks much easier – Privacy consequences
88
![Page 89: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/89.jpg)
TESTING
89
![Page 90: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/90.jpg)
TesHng Security in an LTE Environment
• Two kind of environment – Testbed – Live (also called ProducHon, Greenfield, AcHve)
90
![Page 91: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/91.jpg)
LTE Testbed Security tesHng
• Shielded tesHng – eNodeB antenna output connected to a cable – Cable arrives in test room – A “Shielded box” in test room is connected to cable – Phone / USB dongle is put inside the box for tests – USB cable goes out of the box toward the test PC
• No RF is polluHng the spectrum – Enables pre-‐aucHon tesHng
91
![Page 92: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/92.jpg)
RelaHonship to Vendors • Vendor usually prevent audit
– By limiHng informaHon – By limiHng access to Device Under Test – By limiHng access to testbed – By threatening of potenHal problems, delays, responsibility, liability
• Most of the LTE tesHng can happen transparently – The vendor doesn’t see the security audit team – Presented as normal operator qualificaHon – Not presented as security audit
• Result only is presented when audit is finished
92
![Page 93: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/93.jpg)
AUDITS
93
![Page 94: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/94.jpg)
GTP • Endpoint discovery • Illegal connecHon/associaHon establishment
– User idenHty impersonaHon – Fuzzing
• Leak of user traffic – to Core Network (EPC) – to LTE RAN
94
![Page 95: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/95.jpg)
X2AP Audit
• Endpoint discovery • Illegal connecHon/associaHon establishment
– Fuzzing • Reverse engineering of proprietary extensions • MITM
95
![Page 96: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/96.jpg)
S1AP Audit
• Endpoint discovery • Illegal connecHon/associaHon establishment
– Fuzzing • Reverse engineering of proprietary extensions • MITM
– NAS injecHon
96
![Page 97: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/97.jpg)
LTE EPC DNS Audit
• EPC DNS is important • EPC DNS scanner • Close to GRX / IMS
97
![Page 98: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/98.jpg)
ATTACKS
98
![Page 99: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/99.jpg)
User aGacks: EPS Bearer Security AGacks
• APN Bruteforcing • IP SegmentaHon
– accessing operators’ RFC1918 internal networks • GTP endpoint discovery
– from within Bearer Data Session • Secondary EPS Bearer ExhausHon/Flood load DoS
– Max 11 to be tested – Repeat setup/teardown of connecHons
• PGW DiffServ tesHng – Scans the IP header DS bits (DifferenHated Services) to see difference in treatment by PGW
99
![Page 100: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/100.jpg)
TOOLS
100
![Page 101: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/101.jpg)
Basic audit tools
• LTE SIM card • LTE USB Dongle • LTE UE (User Equipment) = Phone • RJ45 for Ethernet connecHon to EPC/EUTRAN • Wireshark • Sakis3G and evoluHons for LTE support • IPsec audit tool
101
![Page 102: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/102.jpg)
Ideal audit tools
• GTP protocol stack & fuzzer • SCTP MITM tool & fuzzer • Ethernet/ARP MITM tool (eGercap) • S1AP protocol stack & fuzzer • NAS protocol stack & fuzzer • X2AP protocol stack & fuzzer • Diameter protocol stack & fuzzer • GRX, IMS, EPC DNS scanner
102
![Page 103: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/103.jpg)
VirtualizaHon targets
• Huawei – In progress
• HSS • MSC Proxy
– PotenHal • USN, Serving GW, PDN GW, MME
– eHRS integrated node (MME, HSS, SGW, PGW, …) • Easier because one single node
• HP opportunity? 103
![Page 104: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/104.jpg)
LTE Network VirtualizaHon
104
![Page 105: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/105.jpg)
Huawei ATCA vs. PGP
• OSTA 2.0 – Linux based
• OpenSuse 10.x or 11.x • Old, unpatched kernel • Proprietary extensions and SMP
– Some FPGA based boards – Some OEM based integraHon (Switches AR40, Routers, …)
• PGP – Older architecture – More monolithic – Harder to replicate
105
![Page 106: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/106.jpg)
Hard problems
• Use same kernel (medium) • Use licensing (medium) • Load signed kernel modules (medium hard) • Emulate FPGA and OEM integraHon (hard) • Replicate network services / other NEs (hard)
106
![Page 107: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/107.jpg)
HSS
• ATCA / OSTA 2.0 • Few external hardware • Moderately easy • OperaHon in progress • Based on HSS_V900R003
107
![Page 108: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/108.jpg)
Virtualizing in context (CSFB)
108
RAN EPC
![Page 109: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/109.jpg)
MSC Proxy
• ATCA / OSTA 2.0 • No external hardware • Moderately easy • ConfiguraHon with
– exisHng SS7 SIGTRAN infrastructure – Diameter testbed
109
![Page 110: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/110.jpg)
USN
• USN_V900R011C02SPC100 • Harder
110
![Page 111: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/111.jpg)
Ericsson
• Difficult to deal with them • Very protecHve
– Access – Licensing – DocumentaHon
111
![Page 112: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/112.jpg)
NSN
• PotenHally easier than Ericsson • Linux based (SGSN, …)
– MontaVista
• Some security features
112
![Page 113: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/113.jpg)
Cisco
• Some virtualizaHon done – IOS 12.x
• Some virtualizaHon needs hardware – Cisco 7200 – Cisco ITP – Cisco GGSN
• Virtual networking • Our technology for adapted virtualizaHon
113
![Page 114: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/114.jpg)
Our advantage so far
• Virtualize x86 with specific/signed kernels and modules
• Virtualize MIPS • EmulaHon of specific hardware support
– Kernel modules development
• Virtualize ARM Android based device – for customer simulaHon
114
![Page 115: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/115.jpg)
Mobile + VAS virtualizaHon
• Specific demand from customer – Virtualize x86 based server – Virtualize 10-‐20 Android clients – Simulate fraudulent transacHon within this flow – Inject faults within repeated traffic
115
![Page 116: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/116.jpg)
VIRTUALIZED SIGNALING FUZZING
116
![Page 117: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/117.jpg)
Principle
• Proxies – M3UA Proxy – S1/X2 Proxy – Diameter Proxy
• Made transparent – SCTP Man in the Middle – Packet forwarding
117
![Page 118: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/118.jpg)
LTE increases risks • Financial thes • Privacy thes • Hacking of corporate users • M2M impact of worms and aGacks • LTE Mobile broadband usage as main internet connecHon
• Protocols are untested and tradiHonal fuzzer coverage is weak and shallow
• Network equipment is new and not as reliable as tradiHonal network elements
118
![Page 119: Philippe Langlois - Hacking HLR HSS and MME core network elements](https://reader031.vdocuments.site/reader031/viewer/2022012309/556386d0d8b42adf7a8b4b76/html5/thumbnails/119.jpg)
Questions ?
119