Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Telco

Shmoocon 2011: Attacking 3G and 4G mobile telecommunications networks

Attacking 3G and 4G mobile telecommunications networks

Enno Rey, Rene Graf & Daniel Mende

 

No demos today due to shipping materials and the like. TSA don’t like big electronic devices being shipped after all.

Still, that doesn’t mean there was no practical research.

Fundamentals

Standards

In mobile telco world everything is standardized by 3GPP

  • 3GPP: collaboration between groups of telco standards orgs
  • 3GPP: standard structured as/bundled in releases
    • 1992: Phase 1
    • 2000: Release 99 (incl first spec of 3G UMTS)
    • 2008: Release 8

2 Elements. 1 facing the internet and the other facing the mobile network

4G Network

4G networks change the names and functions of some devices.

Transport Layer: UDP or SCTP (mostly)

There could be some TCP elements, but none that have been seen in this research.

Generic Packed Tunneling: GTP

All types of signaling:

  • S1AP
  • X2AP
  • GTP-C

Authentication: DIAMETER

Others:

  • L2TP
  • DSMIPv6

SCTP Overview

Stream Control Transmission Protocol

General purpose layer 4 protocol

Specified by the IETF

Uses elements from TCP and UDP to cover all required functionality of both.

SCTP – 4 way handshake

INIT – INIT ACK – COOKIE ECHO – COOKIE ACK

Several different RFCs covering SCTP (starting with RFC2960).

Current tools don’t work very well due to SCTP rewrites in RFC5206 and RFC4960

  • NMAP SCTP doesn’t work “in a satisfactory manner”
  • SCTPscan no long work

Attacks from within the mobile telco networks

  • Attacks from the backhaul networks
  • Attacks from the Core network
  • Attacks from Management networks

Backhaul networks

Mobile backhaul

Carries data from the RAN to the management network and back

4G specific requirement laid out by 3GPP

Includes

  • eNodeB
  • MME
  • SGW

Can be implemented with different technologies

Originally ATM (in the early years of GSM), PDH/SDH, IP/MPLS, “Hybrid Approach” offloading to DSL, Carrier Ethernet

4G Assumes gigabit connections between elements to give sufficient bandwidth (mainly ethernet based)

How to get into backhaul

Physical intrusion to some cage located “in the somewhere”

Get Access to the network segment

  • Microwave
  • DSL
  • Carrier Ethernet

4G Aggregates “dumb” BTS and BSC/RNC functions on the one device –> eNB is not dumb anymore!

Once your in, what to do!

Attacking components

  • 3G: SGSNm RNC, NodeB
  • 4G: MME, eNB, SAE.GW
  • Routers/Switches

Eavesdropping

  • Pretty much everything is unencrypted
  • 3GPP insists on using IPsec Gateways
    • Which operators implement this?
  • Some countries argue against this standard

ARP spoofing still works smoothly

  • Apparently not on the security radar!

4G ALL-IP approach comes in handy

Let’s get practical

These notes are from in lab testing (i.e no firewalls, IPsec, etc…)

Real world attacks may be different due to this!

“Standard attack approach” did not yield anything interesting

SCTP Scanning via nmap or SCTPscan showed nothing

Using custom SCTP scanning tool showed some open ports

  • some of those “obscure signaling protocols”

Fuzzing the protocols

After starting the fuzzing, things got really slow.

When checking the server was sending SCTP ABORT leading us to believe something had crashed!

The main function of the device was no longer available

It recovered after a few minutes

Changed scripts and continued to fuzz

Final result…. system went down!

Business impact?

 

The first field of the protocol was causing the device crash!

Targeted code was running in the kernel

All that glitters is not gold however!

This isn’t old code! It’s newly developed for 4G! Make your own conclusions…

<NDA>

Continued testing is planned to really find the impact of this and other issues.

</NDA>

Attacks from the internet

Public space might mean the terminal (not covered) or the internet

Some interfaces must be made available to entities outside the network

  • e.g. S8 on PDN-GW for roaming
  • 3G: SGSNs must be able to connect to GGSNs of other countries
  • Standards say: Use NDS (IPsec of equiv. security) for these cases
  • So GTP should never be visible from the internet

Reality check!

GTP

Used to carry IP-based data traffic between network elements. There is also some other elements

Variants: GTP-C, GTP-U, and GTP’

TEID

Tunnel Endpoint IDentifier

Not very random

Not protected

Reality is that scanning for GTP in the wild does find results.

GTP Echo mechanism (port 2123) can be used to discover real GTP speakers in the internet waiting for communications

GTP-scan.py will be released soon to show this!

Many of the systems listening on GTP ports are also listening on other ports (21, 22, 23, 80) !

Various countries, many in Europe.

Whois information points to major mobile operators in these countries.

So why would they do this?

Sometimes having a working network is more important than following the standards to the letter!

Conclusions

From what the research shows, it looks like many attacks are coming against these networks.

Walled telco gardens are disappearing

All IP in the future

Terminals are getting more and more powerful

Misconception that people don’t understand these complex IP landscapes

Links:

Advertisements

26C3: SCCP Hacking – Attacking SS7 & SIGTRAN applications

One step further and mapping the phone system

SS7 is no longer the walled garden where people cannot inject traffic. SS7 was designed for reliability, with multiple systems  designed to take the load of failed servers. Access to the SS7 network was originally restricted to peering partners. It is now the target for fraudsters (SMS fraud), and government agencies.

Why do we have SS7 ?

Blame Steve Jobs / Steve Wozniak and the creation of the bluebox. With inband signalling, hackers took advantage of the telephone system. Seizing a trunk without tracing was a big problem. SS7 was designed to move the signalling away from the voice network. However this is all history.

One part of the SS7 system is the LIG (Legal Interception Gateway ?) –> usually not owned by the telco. Installed by 3rd parties to give access to the system for law enforcement.

OpenBTS and OpnBSC are making research into this area possible.

Using External APIs to HLR, it has been demonstrated how it’s possible to locate IMSI within the SS7 network.

The underlying technology is moving towards IP based solutions –> This is good for us, we know IP already

Important SS7 protocols :

  • MTP (Message Transfer Protocol) Layers 1-3
  • ISUP (Integrated Servics Digital Network)
  • SCCP (Signaling Control Connection Part)
  • TCAP (Transaction Capabilities Application Part)
  • MAP (Mobile Application Part)
  • INAP (Intelligent Network Application Part)

Entry points in an SS7 network :

  • Peer relationship between operators
  • STP connectivity
  • SIGTRAN protocols
  • VAS systems e.g. SMSC, IN
  • Signaling Gateways, MGW
  • SS7 Service providers (GRX, IPX)
  • GTT translation
  • ISDN terminals
  • GSM phones
  • LIG (Legal Interception Gateway)
  • 3G Femtocell
  • SIP encapsulation

These entries points offer a range of access posibilities, and limitations. Without access directly into the core SS7 network, attacks will be limited depending on the provider.

SIGTRAN protocol: M3UA Protocol Adaptation Layer

SIGTRAN gives us the opportunity to work with something more familiar.

Like TCP/IP, but with slight differences, including spoofing and DoS protections –> RFC4960

By adapting typical scanning methods used in TCP/IP environments, you can scan for services. The tools SCTPscan tool is now included in many Linux distributions, including Backtrack. When sending SCTP init packets, no answer usually means a peering port has been found. Usually an ABORT reply is sent. By scanning addresses, close to the official SMSC, you can often find test systems that may not be correctly connected to systems such as billing systems !

Protections are less about filtering, and more that a valid route isn’t know. Once you have a route, you can connect to other systems.

In order to get a valid list of SPC codes, you can scan, or buy the full list from the ITU for under €30

When dealing with SPC formats, there are a variety of differing formats.

  • ss7calc –> open-source tool available from p1sec.com

Attack examples :

  • IAM attack: Capacity DoS –> Similar to SIP flooding
  • REL attack: Targeted Call release –> Terminate a users conversation
  • SRI attack: Tracking of users
  • HLR attack: Fake location update –> redirect calls to another country, until phone reboot
  • ….

FemtoCell

  • Node B in users home. Establishes an IPsec tunnel, SIGTRAN
  • Hardware based on Linux
  • ARM hardware
  • Very insecure
  • > Unaudited software
  • > Global settings for IPsec tunnel
  • > Injection of RANAP and SS7 traffic into the core network

Tools and things to help

  • SCTPscan – Bridging support, instream scanning
  • ss7calc
  • 7Bone – Open Research SS7 Backbone
  • P1sec SIGTRANalyzer (SS7 and SIGTRAN vuln scanning, Commercial pruduct)

SS7 is not closed anymore !

For more information, check the following links :