ptsecurity.ru
Exploiting vulnerabilities of 4G Diameter interoperator network
Sergey Mashukov
Signaling
According to Wikipedia:
“In telecommunication, signaling has the following meanings:
• the use of signals for controlling communications
• the information exchange concerning the establishment and control of a telecommunication circuit and the management of the network, in contrast to manual setup of circuits by users or administrators
• the sending of a signal from the transmitting end of a telecommunication circuit to inform a user at the receiving end that a message is to be sent.”
Photo. Telephone operators, 1952 / Seattle Municipal Archives / CC BY 2.0
Blue Box
Photo. Blue Box at the Powerhouse Museum / Maksym Kozlenko / CC BY-SA 4.0
SS7 Vulnerabilities
More than 50 different SS7 attacks:
• IMSI disclosure
• Location Discovery
• Subscriber DoS
• SMS interception and spoofing
• Calls interception
• Reading chats of Telegram,
SS7 banking fraud case
• Send malware to get bank account details and mobile number
• Intercept SMS with OTP for the rogue transaction
Diameter
• Session-layer AAA protocol
• Cleartext
• Support for SCTP or TCP
• IPsec or TLS/DTLS for encryption
• Extensibility (Diameter Base and Applications on top of it)
Protocol-specific weaknesses
• Only peer-to-peer encryption
• Spoofing-friendly
• IP is convenient for a malefactor
Diameter vs SS7
Diameter Roaming: IPX Network
• IPX = IP eXchange
• Successor of the GPRS roaming network
• Private network between MNOs
• Guaranteed QoS
• Any network is only two hops away
Can an attacker get in?
• Legal: with a license
• Semi-legal: without a license
• Find a guy
• Hack a border device
Audit service
• We bought access
• If we could, an attacker can as well
What is applicable to IPX and why?
• S6a/S6d for mobility management while roaming (3GPP TS 29.272)
• Other interfaces are closed or not routed (may change in the future)
Scheme. End-to-end Diameter architecture / GSMA IR.88: LTE Roaming Guidelines / Copyright © 2013 GSM Association
LTE nodes
• HSS – Home Subscriber Server
• MME – Mobility Management Entity
Scheme. EPC nodes and interfaces / Joe Deu-Ngoc / CC BY-SA 4.0
Authentication vector theft via S6a AIR
An attacker sends an AIR message to the HSS with the IMSI of the attacked subscriber.
Messages:
AIR — Authentication-Information-Request (S6a)
AIA — Authentication-Information-Answer (S6a)
Authentication vector theft via S6a AIR
• Authentication vectors may be used to set up a fake base station
• HSS identity is leaked
• Only the subscriber’s IMSI is needed
• Hard to detect
• No way to counteract from the subscriber’s side
DoS on subscriber via S6a ULR
An attacker periodically sends ULR messages to the HSS with the IMSI of the attacked subscriber.
Messages:
ULR — Update-Location-Request (S6a)
ULA — Update-Location-Answer (S6a)
CLR — Cancel-Location-Request (S6a)
CLA — Cancel-Location-Answer (S6a)
DoS on subscriber via S6a ULR
• Not possible to make or receive any calls
• Not possible to send or receive SMS
• Internet is not available
• Only the subscriber’s IMSI and the HSS FQDN are needed
• Continues as long as the attacker keeps sending ULR messages
• No network symbol on the UE
• No way to counteract from the subscriber’s side
Subscriber profile disclosure via S6a ULR
An attacker sends a ULR message to the HSS with:
• IMSI of the attacked subscriber
• Spoofed identity of the current MME
Messages:
ULR — Update-Location-Request (S6a)
ULA — Update-Location-Answer (S6a)
DoS on subscriber via S6a CLR
Messages:
CLR — Cancel-Location-Request (S6a)
CLA — Cancel-Location-Answer (S6a)
An attacker sends a CLR message to the MME with the IMSI of the attacked subscriber.
DoS on subscriber via S6a CLR
• Successful in 100% of roaming cases
• 4G services and internet are not available, but other services still work
• Only the subscriber’s IMSI and the MME FQDN are needed
• Possibility of mass DoS
• Fixed after the UE reconnects to the network
DoS on subscriber via S6a IDR
An attacker sends an IDR message to the MME with the IMSI of the attacked subscriber.
Messages:
IDR — Insert-Subscriber-Data-Request (S6a)
IDA — Insert-Subscriber-Data-Answer (S6a)
DoS on subscriber via S6a IDR
Four different ways to change a profile:
• Enforce barring of services
• Restrict use of radio technologies
• Replace APN
• Set upload and download speed to zero
Location tracking via S6a IDR
An attacker sends an IDR message to the MME with:
• IMSI of the attacked subscriber
• EPS Location Information Request bit set in the IDR-Flags AVP
DoS on subscriber via S6a DSR
Messages:
DSR — Delete-Subscriber-Data-Request (S6a)
DSA — Delete-Subscriber-Data-Answer (S6a)
An attacker sends a DSR message to the MME with:
• IMSI of the attacked subscriber
• Correct Context-Identifier
DoS on subscriber via S6a DSR
• 4G services and internet are not available
• The subscriber’s IMSI, APN profile and MME FQDN are needed
• Sometimes additional changes in the subscriber’s profile via S6a IDR are needed
• Possibility of mass DoS
• Fixed after the UE reconnects to the network
Conclusions
• All general classes of attacks are theoretically possible
• Attacks work differently for different operators
• It is possible to force a device out of 4G in order to use 3G attacks
• In practice 4G signaling seems to be more secure than 2G/3G signaling, at least for the time being
What should be changed
• Lack of security awareness.
• IDS + firewall should be used as a short-term solution.
• The long-term solution is to use end-to-end authentication, integrity protection, and encryption.
• Mandatory use of this solution in 5G.
Thank you!
ptsecurity.com
DoS on subscriber via S6a IDR
Using Access-Restriction-Data AVP
To conduct this attack, an S6a IDR message is sent to the Mobility Management Entity (MME) that is currently serving the user, containing:
• MME Host-Id in Destination-Host AVP
• IMSI of the target
• Subscription-Data AVP containing Access-Restriction-Data AVP with value 127 (bits 0 to 6 of the table below all set, i.e. every radio access type is barred)
Table 7.3.31/1: Access-Restriction-Data
Bit Description
0 UTRAN Not Allowed
1 GERAN Not Allowed
2 GAN Not Allowed
3 I-HSPA-Evolution Not Allowed
4 WB-E-UTRAN Not Allowed
5 HO-To-Non-3GPP-Access Not Allowed
6 NB-IoT Not Allowed
DoS on subscriber via S6a IDR
Changing APN Configuration for the subscriber
To conduct this attack, an S6a IDR message is sent to the MME that is currently serving the user, containing:
• MME Host-Id in Destination-Host AVP
• IMSI of the target
• APN-Configuration-Profile AVP containing:
1. Correct Context-Identifier AVP value
2. APN-Configuration AVP with wrong APN name inside of Service-Selection AVP
3. All-APN-Configurations-Included-Indicator AVP set to 1 (MODIFIED/ADDED_APN_CONFIGURATIONS_INCLUDED)
DoS on subscriber via S6a IDR
Max-Requested-Bandwidth-UL and Max-Requested-Bandwidth-DL AVPs
• Limit the maximum upload and download bandwidth respectively.
• If both are set to 0, download speeds drop to 0 bytes per second on some MMEs (receiving data from the Internet is not possible)
DoS on subscriber via S6a IDR
Using Operator-Determined-Barring AVP
To conduct this attack, an S6a IDR message is sent to the MME that is currently serving the user, containing:
• MME Host-Id in Destination-Host AVP
• IMSI of the target
• Subscription-Data AVP containing:
1. Operator-Determined-Barring AVP with bit 0 set to 1
2. Subscriber-Status AVP set to 1 (OPERATOR_DETERMINED_BARRING)
Table 7.3.30/1: Operator-Determined-Barring
Bit Description
0 All Packet Oriented Services Barred
1 Roamer Access HPLMN-AP Barred
2 Roamer Access to VPLMN-AP Barred
3 Barring of all outgoing calls
4 Barring of all outgoing international calls
5 Barring of all outgoing international calls except those directed to the home PLMN country
6 Barring of all outgoing inter-zonal calls
7 Barring of all outgoing inter-zonal calls except those directed to the home PLMN country
8 Barring of all outgoing international calls except those directed to the home PLMN country and Barring of all outgoing inter-zonal calls
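As an added example (not part of the presentation), this is the kind of edge check an IDS or Diameter firewall on the IPX side would run against the S6a attacks on these slides: CLR/IDR/DSR that do not originate from the home HSS, ULR/AIR from a realm that is not a roaming partner, and IDR profile changes that bar WB-E-UTRAN (Access-Restriction-Data, decoded with Table 7.3.31/1 above), set Operator-Determined-Barring bit 0, or zero both Max-Requested-Bandwidth AVPs. The command codes are those of 3GPP TS 29.272; the hostnames, realms, record layout and sample messages are constructed and assume the Diameter messages have already been decoded into dictionaries.

```python
# Constructed inventory: the home network's HSS FQDNs and the realms of roaming partners
HOME_HSS = {"hss01.epc.mnc001.mcc001.3gppnetwork.org"}
ROAMING_PARTNERS = {"epc.mnc002.mcc002.3gppnetwork.org"}

# S6a command codes (3GPP TS 29.272): CLR/IDR/DSR are sent by the HSS, ULR/AIR by an MME
HSS_ORIGINATED = {317: "CLR", 319: "IDR", 320: "DSR"}
MME_ORIGINATED = {316: "ULR", 318: "AIR"}

# Table 7.3.31/1 from the slides: meaning of each Access-Restriction-Data bit
ACCESS_RESTRICTION_BITS = {
    0: "UTRAN Not Allowed", 1: "GERAN Not Allowed", 2: "GAN Not Allowed",
    3: "I-HSPA-Evolution Not Allowed", 4: "WB-E-UTRAN Not Allowed",
    5: "HO-To-Non-3GPP-Access Not Allowed", 6: "NB-IoT Not Allowed",
}
OPERATOR_DETERMINED_BARRING = 1  # Subscriber-Status value named on the slides

def decode_access_restriction(value):
    """Names of the restrictions whose bit is set in the AVP value (127 sets all seven)."""
    return [name for bit, name in ACCESS_RESTRICTION_BITS.items() if value >> bit & 1]

def inspect_s6a(msg):
    """Return findings for one decoded S6a request seen at the IPX edge (empty if benign)."""
    findings, cmd = [], msg["command_code"]
    if cmd in HSS_ORIGINATED and msg["origin_host"] not in HOME_HSS:
        findings.append(f"{HSS_ORIGINATED[cmd]} from non-home origin {msg['origin_host']}")
    if cmd in MME_ORIGINATED and msg["origin_realm"] not in ROAMING_PARTNERS:
        findings.append(f"{MME_ORIGINATED[cmd]} from non-partner realm {msg['origin_realm']}")
    if cmd != 319:
        return findings
    barred = decode_access_restriction(msg.get("access_restriction_data", 0))
    if "WB-E-UTRAN Not Allowed" in barred:  # the subscriber would be pushed off 4G
        findings.append("IDR bars " + ", ".join(barred))
    if msg.get("subscriber_status") == OPERATOR_DETERMINED_BARRING and msg.get("operator_determined_barring", 0) & 1:
        findings.append("IDR sets ODB bit 0: All Packet Oriented Services Barred")
    if msg.get("max_requested_bandwidth_ul") == 0 and msg.get("max_requested_bandwidth_dl") == 0:
        findings.append("IDR sets Max-Requested-Bandwidth-UL/DL to 0")
    return findings

# Constructed samples: a benign IDR from the home HSS, a hostile IDR and a hostile ULR via IPX
SAMPLE_MESSAGES = [
    {"command_code": 319, "origin_host": "hss01.epc.mnc001.mcc001.3gppnetwork.org",
     "origin_realm": "epc.mnc001.mcc001.3gppnetwork.org", "access_restriction_data": 0b10},
    {"command_code": 319, "origin_host": "dra.example-ipx.net", "origin_realm": "example-ipx.net",
     "access_restriction_data": 127, "subscriber_status": 1, "operator_determined_barring": 1},
    {"command_code": 316, "origin_host": "mme.example-ipx.net", "origin_realm": "example-ipx.net"},
]

def scan(messages):
    """Map each message's Origin-Host to its findings."""
    return {m["origin_host"]: inspect_s6a(m) for m in messages}
```

Because the slides note that Diameter is spoofing-friendly, Origin-Host and Origin-Realm alone are not trustworthy: a real edge firewall must also compare them with the SCTP/TCP association and peer the message actually arrived on.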