Attacking 3G and 4G mobile telecommunications networks
Enno Rey, Rene Graf & Daniel Mende
No demos today due to shipping materials and the like. TSA don’t like big electronic devices being shipped after all.
Still, that doesn’t mean there was no practical research.
Fundamentals
Standards
In mobile telco world everything is standardized by 3GPP
- 3GPP: collaboration between groups of telco standards orgs
- 3GPP: standard structured as/bundled in releases
- 1992: Phase 1
- 2000: Release 99 (incl first spec of 3G UMTS)
- 2008: Release 8
2 Elements. 1 facing the internet and the other facing the mobile network
4G Network
4G networks change the names and functions of some devices.
Transport Layer: UDP or SCTP (mostly)
There could be some TCP elements, but none that have been seen in this research.
Generic Packed Tunneling: GTP
All types of signaling:
Authentication: DIAMETER
Others:
SCTP Overview
Stream Control Transmission Protocol
General purpose layer 4 protocol
Specified by the IETF
Uses elements from TCP and UDP to cover all required functionality of both.
SCTP – 4 way handshake
INIT – INIT ACK – COOKIE ECHO – COOKIE ACK
Several different RFCs covering SCTP (starting with RFC2960).
Current tools don’t work very well due to SCTP rewrites in RFC5206 and RFC4960
- NMAP SCTP doesn’t work “in a satisfactory manner”
- SCTPscan no long work
Attacks from within the mobile telco networks
- Attacks from the backhaul networks
- Attacks from the Core network
- Attacks from Management networks
Backhaul networks
Mobile backhaul
Carries data from the RAN to the management network and back
4G specific requirement laid out by 3GPP
Includes
Can be implemented with different technologies
Originally ATM (in the early years of GSM), PDH/SDH, IP/MPLS, “Hybrid Approach” offloading to DSL, Carrier Ethernet
4G Assumes gigabit connections between elements to give sufficient bandwidth (mainly ethernet based)
How to get into backhaul
Physical intrusion to some cage located “in the somewhere”
Get Access to the network segment
- Microwave
- DSL
- Carrier Ethernet
4G Aggregates “dumb” BTS and BSC/RNC functions on the one device –> eNB is not dumb anymore!
Once your in, what to do!
Attacking components
- 3G: SGSNm RNC, NodeB
- 4G: MME, eNB, SAE.GW
- Routers/Switches
Eavesdropping
- Pretty much everything is unencrypted
- 3GPP insists on using IPsec Gateways
- Which operators implement this?
- Some countries argue against this standard
ARP spoofing still works smoothly
- Apparently not on the security radar!
4G ALL-IP approach comes in handy
Let’s get practical
These notes are from in lab testing (i.e no firewalls, IPsec, etc…)
Real world attacks may be different due to this!
“Standard attack approach” did not yield anything interesting
SCTP Scanning via nmap or SCTPscan showed nothing
Using custom SCTP scanning tool showed some open ports
- some of those “obscure signaling protocols”
Fuzzing the protocols
After starting the fuzzing, things got really slow.
When checking the server was sending SCTP ABORT leading us to believe something had crashed!
The main function of the device was no longer available
It recovered after a few minutes
Changed scripts and continued to fuzz
Final result…. system went down!
Business impact?
The first field of the protocol was causing the device crash!
Targeted code was running in the kernel
All that glitters is not gold however!
This isn’t old code! It’s newly developed for 4G! Make your own conclusions…
<NDA>
Continued testing is planned to really find the impact of this and other issues.
</NDA>
Attacks from the internet
Public space might mean the terminal (not covered) or the internet
Some interfaces must be made available to entities outside the network
- e.g. S8 on PDN-GW for roaming
- 3G: SGSNs must be able to connect to GGSNs of other countries
- Standards say: Use NDS (IPsec of equiv. security) for these cases
- So GTP should never be visible from the internet
Reality check!
GTP
Used to carry IP-based data traffic between network elements. There is also some other elements
Variants: GTP-C, GTP-U, and GTP’
TEID
Tunnel Endpoint IDentifier
Not very random
Not protected
Reality is that scanning for GTP in the wild does find results.
GTP Echo mechanism (port 2123) can be used to discover real GTP speakers in the internet waiting for communications
GTP-scan.py will be released soon to show this!
Many of the systems listening on GTP ports are also listening on other ports (21, 22, 23, 80) !
Various countries, many in Europe.
Whois information points to major mobile operators in these countries.
So why would they do this?
Sometimes having a working network is more important than following the standards to the letter!
Conclusions
From what the research shows, it looks like many attacks are coming against these networks.
Walled telco gardens are disappearing
All IP in the future
Terminals are getting more and more powerful
Misconception that people don’t understand these complex IP landscapes
Links:
Cатсн²² (in)sесuяitу / ChrisJohnRiley 