
Page 1: Exploiting vulnerabilities of 4G Diameter interoperator network

ptsecurity.ru

Exploiting vulnerabilities of 4G Diameter interoperator network

Sergey Mashukov

Page 2

Signaling

According to Wikipedia:

“In telecommunication, signaling has the following meanings:

• the use of signals for controlling communications
• the information exchange concerning the establishment and control of a telecommunication circuit and the management of the network, in contrast to manual setup of circuits by users or administrators
• the sending of a signal from the transmitting end of a telecommunication circuit to inform a user at the receiving end that a message is to be sent.”

Photo. Telephone operators, 1952 / Seattle Municipal Archives / CC BY 2.0

Page 4

SS7 Vulnerabilities

More than 50 different SS7 attacks:

• IMSI disclosure
• Location discovery
• Subscriber DoS
• SMS interception and spoofing
• Call interception
• Reading chats of Telegram, WhatsApp

Page 5

SS7 banking fraud case

• Send malware to get bank account details and mobile number
• Intercept SMS with OTP for the rogue transaction

Page 6

Diameter

• Session-layer AAA protocol
• Cleartext
• Support for SCTP or TCP
• IPsec or TLS/DTLS for encryption
• Extensibility (Diameter Base and Applications on top of it)

Page 7

Protocol-specific weaknesses

• Only peer-to-peer encryption
• Spoofing friendly
• IP is convenient for a malefactor

Page 8

Diameter vs SS7

Page 9

Diameter Roaming: IPX Network

• IPX = IP eXchange
• Successor of the GPRS roaming network
• Private network between MNOs
• Guaranteed QoS
• Any network is only two hops away

Page 10

Can an attacker get in?

• Legal: with a license
• Semi-legal: without
• Find a guy
• Hack a border device

Page 11

Audit service

• We bought access
• If we could, an attacker can as well

Page 12

What is applicable to IPX and why?

• S6a/S6d for mobility management while roaming (3GPP TS 29.272)
• Other interfaces closed or not routed (may change in the future)

Scheme. End-to-end Diameter architecture / GSMA IR.88: LTE Roaming Guidelines / Copyright © 2013 GSM Association

Page 14

Authentication vector theft via S6a AIR

An attacker sends an AIR message to HSS with IMSI of the attacked subscriber.

Messages:

AIR — Authentication-Information-Request (S6a)
AIA — Authentication-Information-Answer (S6a)

Page 15

Authentication vector theft via S6a AIR

• Authentication Vectors may be used to set up a fake Base Station
• HSS identity is leaked
• Only subscriber’s IMSI is needed
• Hard to detect
• No way to counteract from subscriber’s side

Page 16

DoS on subscriber via S6a ULR

An attacker periodically sends ULR messages to HSS with IMSI of the attacked subscriber.

Messages:

ULR — Update-Location-Request (S6a)
ULA — Update-Location-Answer (S6a)
CLR — Cancel-Location-Request (S6a)
CLA — Cancel-Location-Answer (S6a)

Page 17

DoS on subscriber via S6a ULR

• Not possible to make or receive any calls
• Not possible to send or receive SMS
• Internet is not available
• Only subscriber’s IMSI and HSS FQDN are needed
• Continues for as long as the attacker keeps sending ULR messages
• No network symbol on UE
• No way to counteract from subscriber’s side

Page 18

Subscriber profile disclosure via S6a ULR

An attacker sends a ULR message to HSS with:

• IMSI of the attacked subscriber
• Spoofed identity of the current MME

Messages:

ULR — Update-Location-Request (S6a)
ULA — Update-Location-Answer (S6a)

Page 19

DoS on subscriber via S6a CLR

Messages:

CLR — Cancel-Location-Request (S6a)
CLA — Cancel-Location-Answer (S6a)

An attacker sends a CLR message to MME with IMSI of the attacked subscriber.

Page 20

DoS on subscriber via S6a CLR

• Successful in 100% of roaming cases
• 4G services and internet are not available, but other services still work
• Only subscriber’s IMSI and MME FQDN are needed
• Possibility of mass DoS
• Fixed after reconnection to the network from UE

Page 21

DoS on subscriber via S6a IDR

An attacker sends an IDR message to MME with IMSI of the attacked subscriber.

Messages:

IDR — Insert-Subscriber-Data-Request (S6a)
IDA — Insert-Subscriber-Data-Answer (S6a)

Page 22

DoS on subscriber via S6a IDR

Four different ways to change a profile:

• Enforce barring of services

• Restrict use of radio technologies

• Replace APN

• Set upload and download speed to zero

Page 23

Location tracking via S6a IDR

An attacker sends an IDR message to MME with:

• IMSI of the attacked subscriber
• EPS Location Information Request bit set in the IDR-Flags AVP

Page 24

DoS on subscriber via S6a DSR

Messages:

DSR — Delete-Subscriber-Data-Request (S6a)
DSA — Delete-Subscriber-Data-Answer (S6a)

An attacker sends a DSR message to MME with:

• IMSI of the attacked subscriber
• Correct Context-Identifier

Page 25

DoS on subscriber via S6a DSR

• 4G services and internet are not available
• Subscriber’s IMSI, APN profile and MME FQDN are needed
• Sometimes additional changes in subscriber’s profile via S6a IDR are needed
• Possibility of mass DoS
• Fixed after reconnection to the network from UE

Page 26

Conclusions

• All general classes of attacks are theoretically possible
• Attacks work differently for different operators
• It is possible to force a device out of 4G in order to use 3G attacks
• In practice 4G signaling seems to be more secure than 2G/3G, at least for the time being

Page 27

What should be changed

• Lack of security awareness.
• IDS + firewall should be used as a short-term solution.
• Long-term solution is to use end-to-end authentication, integrity protection, and encryption.
• Mandatory use of this solution in 5G.

Page 28

Thank you!

ptsecurity.com

Page 29

DoS on subscriber via S6a IDR

Using Access-Restriction-Data AVP

To conduct this attack, an S6a IDR message is sent to the Mobility Management Entity (MME) that is currently serving the user, containing:

• MME Host-Id in Destination-Host AVP
• IMSI of the target
• Subscription-Data AVP containing Access-Restriction-Data AVP with value 127 (all seven bits of the table below set)

Table 7.3.31/1: Access-Restriction-Data

Bit  Description
0    UTRAN Not Allowed
1    GERAN Not Allowed
2    GAN Not Allowed
3    I-HSPA-Evolution Not Allowed
4    WB-E-UTRAN Not Allowed
5    HO-To-Non-3GPP-Access Not Allowed
6    NB-IoT Not Allowed

Page 30

DoS on subscriber via S6a IDR

Changing APN Configuration for the subscriber

To conduct this attack, an S6a IDR message is sent to the MME that is currently serving the user, containing:

• MME Host-Id in Destination-Host AVP
• IMSI of the target
• APN-Configuration-Profile AVP containing:
  1. Correct Context-Identifier AVP value
  2. APN-Configuration AVP with wrong APN name inside of Service-Selection AVP
  3. All-APN-Configurations-Included-Indicator AVP set to 1 (MODIFIED/ADDED_APN_CONFIGURATIONS_INCLUDED)

Page 31

DoS on subscriber via S6a IDR

Max-Requested-Bandwidth-UL and Max-Requested-Bandwidth-DL AVPs

• Limit the maximum upload and download bandwidth respectively.
• If both are set to 0, download speeds drop to 0 bytes per second for some MMEs (receiving data from the Internet is not possible)

Page 32

DoS on subscriber via S6a IDR

Using Operator-Determined-Barring AVP

To conduct this attack, an S6a IDR message is sent to the MME that is currently serving the user, containing:

• MME Host-Id in Destination-Host AVP
• IMSI of the target
• Subscription-Data AVP containing:
  1. Operator-Determined-Barring AVP with first bit set to 1
  2. Subscriber-Status AVP set to 1 (OPERATOR_DETERMINED_BARRING)

Table 7.3.30/1: Operator-Determined-Barring

Bit  Description
0    All Packet Oriented Services Barred
1    Roamer Access HPLMN-AP Barred
2    Roamer Access to VPLMN-AP Barred
3    Barring of all outgoing calls
4    Barring of all outgoing international calls
5    Barring of all outgoing international calls except those directed to the home PLMN country
6    Barring of all outgoing inter-zonal calls
7    Barring of all outgoing inter-zonal calls except those directed to the home PLMN country
8    Barring of all outgoing international calls except those directed to the home PLMN country and Barring of all outgoing inter-zonal calls
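The Subscription-Data profiles described on pages 29 and 32 (Access-Restriction-Data 127, Operator-Determined-Barring bit 0 together with Subscriber-Status 1) are what the IDS/firewall recommended on page 27 would need to recognise in inbound S6a IDR traffic. The following Python is an added example, not part of the talk or of any Positive Technologies tool: it encodes and parses RFC 6733 AVPs, decodes the bitmasks with the bit names from the slides' tables, and screens for those profiles; the AVP codes (1400, 1424, 1425, 1426) are taken from 3GPP TS 29.272 rather than from the slides, and both sample messages are constructed.

```python
import struct

VENDOR_3GPP = 10415
# S6a AVP codes per 3GPP TS 29.272 (assumed here; the slides name the AVPs, not the codes)
SUBSCRIPTION_DATA, SUBSCRIBER_STATUS, ODB, ARD = 1400, 1424, 1425, 1426
# Bit names from the slides' Table 7.3.31/1 (each "... Not Allowed"); bit 0 is the least significant
ARD_BITS = ["UTRAN", "GERAN", "GAN", "I-HSPA-Evolution", "WB-E-UTRAN",
            "HO-To-Non-3GPP-Access", "NB-IoT"]

def avp(code, data, vendor=VENDOR_3GPP):
    """Encode one RFC 6733 AVP: code, flags V|M, 3-byte length, Vendor-Id, data padded to 4."""
    length = 12 + len(data)
    return (struct.pack("!IB", code, 0xC0) + length.to_bytes(3, "big")
            + struct.pack("!I", vendor) + data + b"\x00" * ((-len(data)) % 4))

def u32(code, value):
    return avp(code, struct.pack("!I", value))

def parse_avps(buf):
    """Split a buffer into (code, vendor, data) triples, honouring the V flag and 4-byte padding."""
    out, off = [], 0
    while off + 8 <= len(buf):
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else None
        out.append((code, vendor, buf[off + hdr:off + length]))
        off += length + ((-length) % 4)
    return out

def restricted_rats(ard_value):
    return [name for i, name in enumerate(ARD_BITS) if ard_value >> i & 1]

def screen_idr_body(body):
    """Findings a screening rule would raise for the Subscription-Data AVPs in an IDR payload."""
    findings = []
    for code, vendor, grouped in parse_avps(body):
        if (code, vendor) == (SUBSCRIPTION_DATA, VENDOR_3GPP):
            fields = {c: int.from_bytes(d, "big") for c, v, d in parse_avps(grouped)
                      if v == VENDOR_3GPP and len(d) == 4}
            ard = fields.get(ARD)
            if ard is not None and len(restricted_rats(ard)) == len(ARD_BITS):
                findings.append("Access-Restriction-Data=%d disallows every listed RAT" % ard)
            if fields.get(ODB, 0) & 1 and fields.get(SUBSCRIBER_STATUS) == 1:
                findings.append("Operator-Determined-Barring bit 0 set with Subscriber-Status=1")
    return findings

# Constructed samples (AVPs only, no Diameter header): the pages 29/32 profile, and a benign one
HOSTILE = avp(SUBSCRIPTION_DATA, u32(ARD, 127) + u32(ODB, 1) + u32(SUBSCRIBER_STATUS, 1))
BENIGN = avp(SUBSCRIPTION_DATA, u32(ARD, 1 << 6) + u32(SUBSCRIBER_STATUS, 0))
```

A real deployment would apply this after the Diameter header and Destination-Host checks, and only to requests arriving from the IPX side; the benign sample restricts NB-IoT alone and raises nothing.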