Embed Size (px)
Citation preview
Securing LTE Signaling Networks
Ilya AbramovDirector of Network Security
SFMS PM AND RND TEAMS
||
Security of mobile network communication is questioned…
XURA SIGNALING FRAUD MANAGEMENT2
German researchers discover a flaw that could let anyone
listen to your cell calls.
Phone network hack means anyone can listen in on any mobile call
Cellular Privacy SS7 Security Shattered
at 31C3
September 2015: “Hackers exploit SS7 vulnerability to spy on Australian senator: report”
December 2014 : Annual Chaos Communication Congress event held in Hamburg …
April 2016: “Sharyn Alfonsi reports on how mobile phone networks are vulnerable.”
||3
XuraVulnerability
Audit 100%have vulnerabilities
?
The press is right*All validations have been performed on customer request
|
How to create a solution (GSMA)
XURA SIGNALING FRAUD MANAGEMENT4
Monitor signaling
Focus on signaling from non-roaming partners
Use SMS home routing To disrupt location tracking and IMSI
discovery
Review the attacks
Categorize signaling primitives
Identify protection mechanisms per category
|
NB: Signaling categorization ≠ degree of security
XURA SIGNALING FRAUD MANAGEMENT5
Should not be sent between networks unless specifically authorizede.g. MAP sendRoutingInfo, MAP anyTimeInterrogation
Should only be received from subscriber’s home networke.g. MAP insertSubscriberData, MAP cancelLocation
Should only be received from subscriber’s visited network e.g. MAP UpdateLocation, MAP purgeMS
Cat.I
Cat.II
Cat.III
Required to protect the MNO’ subscriber base against unauthorized messages that should never come from any other MNO.
Relatively simple – but not sufficient on its own
Implies complexity as it proves to be rather challenging to identify the faked signaling messages - this category therefore impacts all subscribers
||
The vulnerability will not simply go away
XURA SIGNALING FRAUD MANAGEMENT6
SS7 will remain an important interconnect protocol for many years
Diameter (and SIP) will become increasingly used
Weakness in SS7 has been carried forward to Diameter
Additional vulnerabilities in Diameter are known 20
15
201
6
201
7
201
8
201
9
202
0
SIP
Diameter
SS7
Illustration of potential interconnect signaling evolution
|
Diameter security enforcement (GSMA - draft)
XURA SIGNALING FRAUD MANAGEMENT7
Consistency between command code and application ID/Interface enforcement
Detailed AVP screening. Messages should not target internal subscribers from international interconnect. Combination of Command, interface and detailed AVP: IMSI, MSISDN
Correspond to location update procedures
Cat.I
Cat.II
Cat.III
Typically focusing on in-bound roamers and preventing roaming primitives for own subscribers
Detects not only explicit attacks but also misconfigured/badly implemented network elements
Implies complexity as it proves to be rather challenging to identify the faked signaling messages - this category therefore impacts all subscribers
Low level anti-spoof. Realm check, Double AVP attack, malformed messagesCat.0 Extends current DEA functionality
||
New requirements for Diameter Edge Agent
XURA SIGNALING FRAUD MANAGEMENT8
From basic router
•Full Diameter packet decoding and analysis
•Security enforcement policies•Real-time Threat monitoring•Signaling Flow validation•Intrusion detection
•DoS attack detection and protection
Security Policy Control
DEA
•Basic router•Basic access control
DiSC : Xura’s secure DEA
||
Diameter security policies
XURA SIGNALING FRAUD MANAGEMENT9
Connectivity
•DNS validation checks for the new connected peers
•Connectivity white list for the originating host
•Overload prevention (mitigation)
•Topology hiding
•DTLS support
•IP sec support
Signaling level
•Detailed AVP policies (per signal, per AVP)
•AVP consistency check
•Dictionary enforcement
•Detection of AVP check override / duplication
•Validation of the originating peer based on the command code and the associated AVPs
•Stateful validations
•Velocity check
||
Multi-dimensional attack (SS7)
XURA SIGNALING FRAUD MANAGEMENT10
Step 1: Get the IMSI Use IMSI
IMSI Catcher
Buy it online
Ask the network for itSendRoutingInfo_for_SM
EraseSS
ActivateSS
DeactivateSS
InterrogateSS
RestoreData
ProcessUnstructuredSS_Request
SS_Invocation_Notification
Register_CC_Entry
Erase_CC_Entry
Send_Identification
SendRoutingInfo_for_LCS
CancelLocation
ProvideRoamingNumber
DeleteSubscriberData
Send_Parameters
UnstructuredSS_Notify
PurgeMS
ProvideSubscriberInfo
ProvideSubscriberLocation
IST_Command
RegisterSS
SMS interception
Location tracking
Voice Call interception
Balance Transfer€£$
Denial of Service
Non SS7 method
||
Future multi-dimensional attack
XURA SIGNALING FRAUD MANAGEMENT11
Attacker
2G/3G/4G SS7/SIGTRAN Diameter
||
Secure network design
XURA SIGNALING FRAUD MANAGEMENT12
Signaling Firewall
• International /national interconnect protection
• Policies• Detection patters• Real-time detection and prevention
Secure DEA
• LTE interconnect protection• Connectivity policies• AVP policies
Correlation module
Monitoring and Analytics
Consolidated signalling control• Monitoring all signalling flows• Real-time correlation and detection• Prevention of multi-dimensional attacks
|
Key factors for effective signaling security
SECURING THE VULNERABILITIES EXPOSED IN SS713
Dedicated Task-specific
Firewall at network
edge
StatefulCorrelation
Analytics & Monitoring
SS7 + Diameter
One Solution
XURA Network Signaling Security
