TODAY:

Attacking 3G and 4G mobile telecommunications networks

Daniel Mende, Rene Graf, Enno Rey

{dmende, rgraf, erey}@ernw.de

Who we are
Old-school network geeks, working as security researchers for Germany based ERNW GmbH
Independent Deep technical knowledge Structured (assessment) approach Business reasonable recommendations We understand corporate

Blog: www.insinuator.net Conference: www.troopers.de

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

Introductory notes
In contrast to our last years talks we dont have demos to show today.
This doesnt mean that we did not perform practical stuff ;-)

Given the sensitivity of the material some severe NDAs kick in

In the last days before ShmooCon Ive spent quite some hours in confcalls on what can be published and what not.

Being responsible researchers we wont give details of innocent parties in the Internet either. Still the main message of this presentation is, as in most of our talks, to provide some view on theory & reality ;-)
ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

Agenda
Fundamentals Attacks from within mobile telco network Attacks from Internet

Conclusions

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

Fundamentals
Standards, Architecture, Protocols

{dmende, erey}@ernw.de

Standards
In mobile telco world everything standardized by 3GPP 3GPP: collaboration between groups of telco standard orgs
Which type of documents do you think these guys produce? ;-)

3GPP standards structured as/bundled in releases

1992: Phase 1 (GSM) 2000: Release 99 incl. first specification of 3G UMTS 2008: Release 8 incl. first specification of LTE stuff

At times, 3GPP standards are a bit

bulky ;-)

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

2G/3G
UTRAN Node B RNC Node B OAM HLR BTS BSC BTS GERAN
P C U

Core Network PSTN / ISDN MSC/VLR GMSC

AuC SMSC

other Wireless Networks

SGSN

GGSN X.25 / Internet / corporate networks

RAN: Radio Access Network UTRAN: UMTS RAN GERAN: GSM Enhanced RAN PCU: Paket Control Unit

RNC: Radio Network Controller BTS: Base Transceiver Station BSC: Base Station Controller HLR: Home Location Register

MSC: Mobile Switching Center VLR: Visitor Location Register GMSC: Gateway MSC GSN: GPRS Support Node

Source: 3GPP AuC: Authentication Center OAM: Operation Administration & Maintenance SMSC: Short Message Service Center S/GGSN: Serving/Gateway GSN

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

4G
Terminals Radio Access Network / eUTRAN Core Network IP Service Networks

eNB

MME

SAE-GW

Internet

AAA

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

Main Protocols (4G)

Transport Layer: (mostly) UDP or SCTP Generic Packet Tunneling: GTP All types of signaling:
S1AP, X2AP, GTP-C

Authentication
DIAMETER

Others
L2TP, DSMIPv6 etc. Lots of areas for future research ;-)

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

SCTP - Overview
SCTP
Stream Control Transmission Protocol Specified by IETF, maintained IETF Transport Area (TSVWG) WG

Specs:
RFC 3286 (Introduction) RFC 2960 (2000) RFC 3309 RFC 4960 (2007) RFC 5062

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

10

SCTP Comparison
Protocol State required at each endpoint Reliable data transfer Congest control and avoidance Message boundary conservation Path MTU discovery and message fragmentation Message bundling Multi-homed hosts support Multi-stream support Unordered data delivery Security cookie against SYN flood attack Built-in heartbeat (reachibility check) SCTP Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes TCP Yes Yes Yes No Yes Yes No No No No No UDP No No No Yes No No No No No No No

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

11

SCTP 4 way handshake

SCTP vs. TCP

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

12

SCTP Timeline
RFC 2960 (2000): initial spec RFC 4960 (2007): major rewrite RFC 5062 (2007) Security Attacks Found Against the Stream Control Transmission Protocol (SCTP) and Current Countermeasures So, over time SCTP has changed a bit

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

13

Attacks in SCTP Space Current tools

Practical Problems

do not work very well

Probably due to stack rewrites based on RFC 5206 and 4960

nmap SCTP does not work in a satisfactory manner

-sZ does give results -sY (half-open handshake) didnt show anything useful
But we _knew_ the ports were there

Philippe Langlois SCTPscan didnt work either. Daniel wrote quick+dirty simple SCTP port scanner.
ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

14

SCTP hacked scanner ;)

s = socket.socket(socket.AF_INET, socket.SOCK_SEQPACKET) for i in ip: for j in xrange(sys.argv[2], sys.argv[3]): time.sleep(0.01) try: s.connect((j, i)) except Exception, e: print "Port %d closed on %s: %s" % (i, j, e) else: print "Port %d open on %s" % (i, j) s.close()

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

15

Ive got a packet. What is it?

Unpack, unpack!

Attacks from within telco network

All rights: www.nicht-lustig.de {dmende, erey}@ernw.de

Attacks from within telco network

Attacks from backhaul networks
Might be geographically dispersed Can be protected internally with firewalls, (IPsec) security gateways etc. ... or not...

Attacks from core networks Attacks from management networks

Well not cover those here as this is standard stuff Still it should be noted that the operators we know (EU/US space) have quite good operational security practice with regard to these devices.

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

17

Backhaul networks Definition

In communication services
Used to transport information from one network node to another

In mobile communication
Mobile Backhaul Carries data from the RAN to the management network and back.

Three primary functions

Transport Aggregation and grooming Switching/routing

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

18

Mobile Backhaul

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

19

Backhaul networks in 4G
4G specific requirements laid out by 3GPP Includes
eNodeB MME SGW
MME

eNB

SAE-GW

Internet

AAA

Represents
The transport network between eNodeB and MME The transport network between eNodeB and SGW

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

20

Backhaul networks Technologies

Mostly ATM in the early years (GSM) PDH/SDH over Microwave, T1/E1 IP/MPLS Hybrid Approach with data offloading to DSL Carrier Ethernet

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

21

How to get into backhaul

Physical intrusion to some cage located in the somewhere

Get access to network segment

Microwave DSL Carrier Ethernet

4G aggregates dumb BTS and BSC/RNC functions on one device eNB not dumb anymore.

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

22

Once youre in (a backhaul network)

Attack components
3G: SGSN, RNC, NodeB 4G: MME, eNB, SAE-GW Routers/Switches

Eavesdropping
Will get you some key material
but what would you need this for? Pretty much everything is unencrypt. here anyway.

Thats why 3GPP insists on using IPsec gateways. Subsequent question: do (which) operators implement this? In standard bodies $SOME_BIG_COUNTRY (hint: in Asia) strongly opposed this recommendation.

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

23

Once youre in backhaul

ARP spoofing works smoothly
In particular with all those latency-friendly/tolerating protocols ;-) Apparently not on the (security) radar.

4Gs All-IP approach comes in handy

2015 version of Cain might support some of these protocols ;-)

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

24

Lets get practical

We were able to perform some testing in the LTE lab of $SOME_BIG_TELCO_IN_SOME_PART_OF_THE_WORLD.

In that lab there were no firewalls or (IPsec) security gateways.

Our results might be misleading... or not ;-)

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

25

Some results
Standard attack approach did not yield anything
At least nothing interesting UDP Echo service was open on some devices and might be exploitable for mutual amplification attack between those (with spoofed source IP)
Still, this is a bit, well lame ;-)

SCTP scanning via nmap or SCTPscan showed nothing

See above as for general problems of current SCTP tool space.

Using our own SCTP scan tool gave some open ports
Some of those obscure signaling protocols.
ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

26

Scanning
nmap scan report for 10.40.68.2 [] PROTOCOL STATE 1 open 2 open|filtered 4 open|filtered 6 open 17 open 41 open|filtered 45 open|filtered 132 open|filtered Port Port Port Port 36410 36411 36412 36413

SERVICE icmp igmp ip tcp udp ipv6 idrp sctp

closed on 10.40.68.2: [Errno 111] Connection refused closed on 10.40.68.2: [Errno 111] Connection refused open on 10.40.68.2 closed on 10.40.68.2: [Errno 111] Connection refused
ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

27

Fuzzing $SOME_SIGNALING_PROT
Started fuzzer All of a sudden fuzzing script got slower
System sent SCTP ABORT messages instead of valid responses Obviously sth has happened ;-)
Probably daemon had crashed

At the same main function of device no more available

No further sessions could be established between entities

Recovered after some minutes So we continued fuzzing and changed script

At the end of the day system went down Ping still worked & mgmt interface. But main function not working.
ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

28

Postmortem
First (!) field of packet payload responsible for major crash.

Targeted code was running in kernel.

All that glitters is not gold...

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

29

More attacks
Theoretical at this point
But we will continue testing, either with own equipment or in that lab.

It seems some authentication info is sometimes cached. We assume some signaling protocols can be DoSed on the function level once we get the circumstances right. There are some new self organizing mechanisms one might be able to interfere with. Yes, vagueness abounds on this slide...
ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

30

Attacks from the public space

Where public space might mean
UE (Terminal), not covered in this talk Internet

Some interfaces must be available to entities outside the own network

E.g. S8 on PDN-GW for roaming 3G: SGSNs must be able to connect to GGSNs of other operators Standards say: Use NDS (IPsec or equivalent security) for these cases So GTP (see below) should never be visible from Internet ;-)

Lets wait for some reality check

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

31

GTP
GPRS Tunneling Protocol
Specified by 3GPP

IP-based protocol initially used to carry GPRS within GSM and UMTS networks.
Plays major role in 4G networks as well.

Three variants
GTP-C used for control plane (signaling) GTP-U used for user data GTP used for charging data
ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

32

GTP
GTP-C
Control section of the GTP standard In 3G used for signaling between SGSN and GGSN Activates and deactivates GTP sessions

GTP-U
Used for data transport between the RAN and the core network Can tunnel packets in several formats: IPv4, IPv6, PPP etc.

GTP
Used in 3G for transmitting charging data from the CDF (Charging Data Function) to the CGF (Charging Gateway Function).
ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

33

GTP in 4G

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

34

TEID
Tunnel Endpoint Identifier Do I need to explain that it serves to identify endpoints of tunnels? ;-)
For each (user) data session.

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

35

TEID
Apparently some discussion about it being random
For obvious (?) security reasons. Although we were not able to find spec prescribing this.

What we observed
0x00005c35 0x00005c4d 0x00005c65 0x00005c7d 0x00005c95 [ ] Does this look random to you ?

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

36

Attacking GTPv2c on S11 in 4G

Attacker with access to S11 could attack the GTP signaling between MME and SAE-GW
Would require (probably unlikely) network access to core. ... would require S11 to be accessible from the Internet. Or...

In any case GTP here transported via UDP

No pain with spoofing or sth.

Potentially DoS of user sessions doable. In case of switched TEIDs mixing sessions possible?
Remember TEID is the only separating element of user sessions.

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

37

GTP in the wild

greif@loki ~/scans $ wc -l * 353 list_version_1.txt 620 list_version_2.txt

The script (gtp-scan) will be released after ShmooCon. Pls check www.insinuator.net for updates...

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

38

To give you an idea of the script

gtp-scan.py -v2 -tc -w2 192.168.85.0/24 starting scan of 192.168.85.0/24 cooling down for 2 sec... 192.168.85.30 up, from udp/2123 sent 320300040000000000000000 version = 1 type = 3 len = 4 data = 000000 done

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

39

Some statistics
Version 1 Version 2 AfriNIC APNIC ARIN LACNIC RIPE UP 31 131 29 14 97 302 26 90 51 18 435 620 Complete 57 221 80 32 532 922 % 6.182213 23.96963 8.67679 3.470716 57.70065

Portscan

21 22 23 80

0 0 1 0

43 39 31 49

43 39 32 49

4.663774 4.229935 3.470716 5.314534

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

40

whois
organisation: org-name: org-type: country: address: address: address:

GH

Accra

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

41

whois
organisation: org-name: org-type: country: address: address: xy_org (Cote d'Ivoire) CI

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

42

whois
status: owner: ownerid: responsible: address: address: Asuncin (Paraguay) country: PY

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

43

whois
Organisation: org-name: org-type: Country: Address: Address: address:

Cairo

This box had FTP and SSH open. Hold up your signs and guess the password ;-) For the correct answer Ill spend a beer, or two. For some reason its currently unavailable...
ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

44

Conclusions
We expect to see a number of attacks in 3G and 4G mobile telco networks in the next years, for some reasons
Walled (telco) gardens are vanishing. At the same time terminals get more and more powerful. In the future its all IP in those networks. Theres a complex (IP based) protocol landscape. And potentially ppl_outside_telcos are able to understand these prots. As there are apparently people understanding Siemens PCS 7...

Theory

reality

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

45

Credits
To Daniel for his thorough protocol understanding and coding skills. ShmooCon 2011 misses you! [I know hes watching the livestream ;-)] To Simon for his helping hands. To our students Hendrik and Kai for digging restlessly through standards, preparing slides, etc. THANK YOU!

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

46

Shameless Announcements
TROOPERS11
March 28th April 1st 2011 Heidelberg You wont be alone. Several US speakers and attendees are on site ;) Enjoy German beer. What?!

Updated version of this talk + code in the next months.

Follow us: @WEareTROOPERS Visit: www.troopers.de

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

47

Questions?

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

48

Thanks for your attention!

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

49

March 28th April 1st 2011

Monday/Tuesday: Workshops, Wednesday/Thursday: Conference, Friday: Roundtables

More than 20 talks & 5 workshops

Agenda: www.troopers.de/troopers11/agenda/

Experts from all around the globe

Speakers: www.troopers.de/troopers11/speakers/

Top-class audience

The whole ERNW Team is on-site and is looking forward to meet you in Heidelberg.

ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de

50

March 28th April 1st 2011 Heidelberg, Germany

Learn more at www.troopers.de, follow us on Twitter @WEareTROOPERS ERNW GmbH | Breslauer Str. 28 | D-69124 Heidelberg | www.ernw.de 51 and meet with experts from around the world at TROOPERS11 in Heidelberg, Germany.