Session1 Telecom Security a Primer v6 SonyRevise


7/31/2019 Session1 Telecom Security a Primer v6 SonyRevise

Telecom Security: A Primer

29th May 2012

Sony Anthony
Director
Management Consulting, IT Advisory


    Our Experiences

    The Very Very Basics

    Switching and Transmission Technologies

    Telecom Technologies

    Evolution of Telecom

    The Layers (Terminal, Access and Core)

    Telecom Architecture Threats

    Understanding the Stack and Protocols

    Protocol Analyzers and Tools

    Case Study - FemtoCells


    Our Experiences Thus


2011 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.

    History of Telecommunication

    Telegraph

    Telephone

    Mobility

History of our Experience

RIP, OSPF, BGP
SAN, NAS, DAS
Win, Linux, *NIX
Routers, Switches, Firewalls
Applications, Databases, Middleware
SNMP, TCP/IP, Telnet, FTP, HTTP
Virtualization, Replication, Mirroring, Data De-Duplication
IPv4 / IPv6

Future of our Experience

Switching and Transmission Technologies: ATM, SDH, STM, PDH, T1, E1
Data Speeds and Telecom Technologies: EVDO, EDGE, GPRS, GSM, TDM, WCDMA, PSTN
Protocols: MTP, SCCP, ISUP, TCAP, INAP, ISDN, MAP, CAP, BSSAP
Intelligent Network: SSF, SCP, SDP, IVR
VoIP: SIGTRAN, MEGACO, H.248, MGCP, RTP
Protocol Analyzers: Tektronix K15-2, Ethereal, Wireshark, Eye Spot
The Stack: SS7, CCS7
Microwave Equipment Vendors: NEC, ARYA, GTL, Envision, Aster, BNN
Components: NSC, MSS, MGW, HLR, POI, BSC, AUC, SCP, MPBN, EIR, GMSC, VLR

Vendor equipment seen:
Ericsson: MSC AXE 10/810, MSS AXE 810, MGW CPP (R5/R6), MPBN Redback routers, MPBN Black Diamond switches, Blades APZ 2130/40/50/60
Alcatel / Lucent: NGN Architecture
Nokia / Siemens: MSC DX 200, 3G MGW IPA 2800


    The Basics

The Generations

Generation | Technology | Description and Working
2G | GSM | Global System for Mobile Communication (Circuit Switched)
2.5G | GPRS | General Packet Radio Service (Packet Switched for IP services); uses SGSN-GGSN (Serving / Gateway GPRS Support Node)
3G | UMTS | Universal Mobile Telecommunication System (CS + PS); uses transport options like ATM / TDM / IP; new RAN: NodeB / RNC
4G | LTE/SAE | Long Term Evolution / System Architecture Evolution; PS only; new core: Mobility Management Entity and SAE Gateway; new RAN: evolved NodeB / RNC

The Fundamentals on Channel Access Methods

FDM: Frequency Division Multiplexing
TDM: Time Division Multiplexing

FDMA:
1. Division of the frequency into multiple (30) channels.
2. Each channel can carry a voice conversation or, with digital service, carry digital data.

TDMA:
1. Chops up the channel into sequential time slices.
2. Users of the channel take turns transmitting and receiving in a round-robin fashion (only one user on the channel at a time).
3. GSM uses TDMA signaling.

CDMA:
1. Everyone transmits at the same time.
2. CDMA is a "spread spectrum" technology, allowing many users to occupy the same time and frequency allocations in a given band/space.
3. Assigns unique codes to each communication to differentiate it from others in the same spectrum.

The Fundamentals on Planes

Data / User / Bearer Plane (network traffic): Data IN / Data OUT
Control / Signaling Plane (control signals): signaling control
Management Plane: operations and management data

Switching and Transmission Technologies: Wired End

Switching and Transmission Technologies: ATM

Description: Asynchronous Transfer Mode (ATM) is a layer 2 technology which transfers data in cells of fixed size.

Functionality:
Packets of fixed size of 53 bytes
Assures no single type of data hogs the bandwidth
Uses the concept of Virtual Circuits

Security Challenges:
1. Eavesdropping (tapping of fiber optic cable; equipment costs about $2000)
2. Spoofing
3. Denial of Service
4. Stealing of VCs
5. Traffic analysis

Switching and Transmission Technologies: SONET/SDH

Description: Synchronous Optical Network / Synchronous Digital Hierarchy delivers high speed services over optical networks.

Functionality:
Guaranteed bandwidth
Line rates of 155 Mbps to more than 10 Gbps
Common circuits: OC-3 (155 Mbps) and OC-12 (622 Mbps) (OC-48 = 2048 Mbps or 2 Gbps circuit)
Automatic recovery capabilities and self-healing mechanisms

Security Challenges:
1. Eavesdropping
2. Denial of Service

Switching and Transmission Technologies: STM

Description: Synchronous Transport Module is a fiber optic network transmission standard.

Functionality:
STM-1 has a bit rate of 1.544 Mbps and higher levels go up 4 at a time. Currently supported levels are STM-4, STM-16, STM-64 and STM-256.

Security Challenges:
1. Eavesdropping
2. Denial of Service

Switching and Transmission Technologies: T1/E1

Description: Type of circuit used for data transmission.

Functionality:
T1/E1 circuits are based on Time Division Multiplexing
T1 is primarily used in North America; E1 is primarily used in Europe
A T1 circuit provides 1.544 Mbps of data, consisting of 24 timeslots of 64 kbps each and an 8 kbps channel for control information
An E1 circuit provides 2.048 Mbps of bandwidth, consisting of 30 channels

Security Challenges:
1. Port mirroring
2. Data sniffing of unencrypted data channels
3. Denial of Service

Telecom Technologies: Wireless End

Telecom Technologies: EVDO

Description: Evolution-Data Optimized is a telecommunication standard for wireless transmission of data through radio signals.

Functionality:
Primarily used for broadband internet access
Uses multiplexing techniques including CDMA and TDM
An EV-DO channel has a bandwidth of 1.25 MHz
The back-end network is entirely packet-based

Security Challenges:
1. The EV-DO base transceiver is prone to hacking and misuse
2. WAP server and WML compromises
3. GSM technology security issues prevalent (Confirm if this is a GSM technology)

Telecom Technologies: GPRS

Description: General Packet Radio Service is a packet-oriented mobile data service for GSM users.

Functionality:
GPRS is a best-effort service
2G cellular technology combined with GPRS is sometimes described as 2.5G
The GPRS core network allows 2G, 3G and WCDMA mobile networks to transmit IP packets to external networks such as the internet

Security Challenges: points of attack comprise the following:
Mobile device and SIM card
Interface between mobile device and SGSN
GPRS backbone network
Packet network that connects different operators
Public internet

Telecom Technologies: EDGE

Description: Enhanced Data Rates for GSM Evolution is a digital mobile phone technology that allows improved data transmission rates.

Functionality:
Considered a pre-3G radio technology
Peak rates of 1 Mbps and typical rates of 400 kbit/s can be expected
EDGE requires no hardware or software changes to be made in GSM core networks. ??

Security Challenges:
1. GSM technology security issues prevalent

The Basics: GSM and The Geographic Structure

Originally defined as a pan-European open standard for a digital cellular telephone network to support voice, data, text messaging and cross-border roaming, the Global System for Mobile Communications (GSM) is now one of the world's main 2G digital wireless standards.

GSM is present in more than 160 countries and, according to the GSM Association, accounts for approximately 70 percent of the total digital cellular wireless market.

GSM is a time division multiplex (TDM) system, implemented on the 800, 900, 1800 and 1900 MHz frequencies.

In the GSM architecture each cell is governed by a Base Station or BTS.

The Basics: GSM and The Geographic Structure

Cell and Base Transceiver Station (BTS)
In the GSM architecture, every geographical area covered by the operator's network is divided into smaller parts. Each of these parts has a mobile signal tower, responsible for providing connectivity between your mobile handset and the network. This small area is called a Cell, and the mobile signaling tower assigned to each Cell is called a BTS.

Location Area
A group of cells together represents a location area within the GSM network.

MSC (Mobile Switching Center) Service Area
A group of many Location Areas (LAs) is called an MSC area.

Public Land Mobile Network (PLMN)
A group of MSC areas serviced by the same operator is referred to as a PLMN area; it represents the entire set of cells served by one network operator. In case of multiple operators in a country, there will be more than one PLMN.

Figure: Cell 1 with its BTS, Location Area 1 and Location Area 2, and the MSC with HLR, VLR, AUC and EIR.

The Evolution of Telecom Networks

Components of 2G Networks and Typical Challenges

Requirement: Voice

1. False BTS active attacks (reveal the IMSI and current TMSI)
2. Cipher keys and authentication data in clear (between and within networks)
3. Attacks on COMP128
4. Encryption not extended till the core (clear text transmission of user and signaling data across microwave links, e.g. in GSM BTS -> BSC)
5. User authentication with a previously known cipher
6. IMEI is an unsecured identity
7. Fraud and LI not considered in the design of the 2G network
8. No flexibility to upgrade and improve security

Figure: layered view (Terminal, Access, Core, IP Services) of a GSM network; 3GPP layer elements shown: BTS/BSC (GERAN), SGSN, EIR, AUC; IP services: DHCP, DNS, Charging; external: Internet.

Reference: TR 33.120

Components of 3G Networks and Typical Challenges

Requirement: Voice + Data

1. Attacks persist primarily because of backward compatibility to 2G or GSM networks
2. Smart-phones with capability to intercept and analyze traffic
3. Multiple IP based services enabled to facilitate user, data and management channels
4. Denial of Service

1. User de-registration request spoofing
2. Location update request spoofing
3. Camping on a false BS/MS
4. Passive and active identity catching
5. Impersonation of the network
6. Impersonation of the user

Figure: layered view (Terminal, Access, Core, IP Services) of GSM and UMTS networks; 3GPP layer elements shown: BTS/BSC (GERAN), NB/RNC (UTRAN), SGSN, MME, HSS, EIR, AUC, IN-VAS, Evolved Packet System; IP services: DHCP, DNS, Charging, Application SPs; external: Internet, Corporate Networks.

Components of 4G Networks and Typical Challenges

Requirement: Data, continuous

1. Femto cell device compromise
2. UE tracking
3. IMSI catching
4. Forced handovers to a compromised eNB
5. Capture of system information and compromise of credentials
6. Physical attacks
7. Configuration attacks
8. Protocol attacks

Figure: layered view (Terminal, Access, Core, IP Services) of GSM, UMTS and Evolved Packet System networks; 3GPP layer elements shown: BTS/BSC (GERAN), NB/RNC (UTRAN), H(e)NB, eNB and Sec-GW (E-UTRAN), SGSN, MME, HSS, EIR, AUC, IN-VAS; IP services: DHCP, DNS, Charging, Application SPs; external: Internet, Corporate Networks.

Reference: TR 33.820

Components of Non-3GPP Layers

Risks:
1. Authentication bypass
2. Gateway bypass
3. Routing AP connections to the 3GPP network

Figure: layered view (Terminal, Access, Core, IP Services) with the 3GPP layer (GSM, UMTS, Evolved Packet System: BTS/BSC, NB/RNC, H(e)NB, eNB, Sec-GW, SGSN, MME, HSS, EIR, AUC, AAA, ePDG, IN-VAS) beside the non-3GPP trusted and untrusted layers (CDMA2000, WiMAX-WLAN); IP services: DHCP, DNS, Charging, Application SPs; external: Internet, Corporate Networks.


    Break

The Terminal Layer

The Terminal Layer: User Equipment (UE)

Mobile Station or User Equipment (UE)
A Mobile Station comprises 2 components: a mobile phone and a SIM (Subscriber Identification Module) card. While a mobile phone is a device that enables communication between two people through the telecom network, a SIM card is a smart card that stores unique subscriber information in order to identify the subscriber and permit communication.

SIM Card (described in subsequent paragraphs): a SIM card contains information like the authentication key, security algorithms, etc., which are used to authenticate the subscriber. Such information is stored on the card prior to sale.

Receiver and Transmitter: used to perform functions such as receiving and transmitting voice and data communication.

On-board memory chips: used to store the internal mobile software and other user data like the contact list, messages, pictures etc.

The Terminal Layer: User Equipment (UE)

MSISDN (Mobile Subscriber Integrated Services Digital Network)
Generally known as the mobile phone number. It is a unique number for each mobile subscriber. It is composed of the following components:
CC (Country Code) + NDC (National Destination Code) + SN (Subscriber Number)
For example: +91 80 98455 65222

International Mobile Subscriber Identity (IMSI)
A unique 15 digit number associated with all GSM network mobile phone users. The IMSI is stored in the SIM and is used by the network to identify the subscriber. It is composed of the following components:
IMSI = MCC (Mobile Country Code) + MNC (Mobile Network Code) + MSIN (Mobile Subscriber Identity Number)
For example: 89914 50004 01062 (9419 9)

IMEI (International Mobile Equipment Identity)
A unique 14 to 17 digit code or serial number used to identify an individual mobile phone to a GSM network. For example: 3561 880 4850 4945
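The slide gives the layout of the IMSI (MCC + MNC + MSIN) and the IMEI but not how a network element checks them. The following is an added example, not code from the deck: it splits an IMSI into its fields and verifies the check digit of a 15-digit IMEI with the Luhn algorithm, which is what an EIR or a log-normalisation step would do before trusting the value. The MNC-length rule (3 digits for MCC 310 to 316, 2 digits elsewhere) is a simplification and an assumption here; a real HLR/EIR uses the full ITU-T E.212 table. The sample IMSI is constructed.

```python
"""Decompose and sanity-check GSM identifiers (IMSI, IMEI).

Added example, not part of the original slides. mnc_length() is a
deliberate simplification (assumption): 3-digit MNCs for the North
American MCC range 310-316, 2 digits everywhere else.
"""
from dataclasses import dataclass


def mnc_length(mcc: str) -> int:
    # Assumption: 3-digit MNC for MCC 310..316, otherwise 2 digits.
    return 3 if 310 <= int(mcc) <= 316 else 2


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code
    mnc: str   # Mobile Network Code
    msin: str  # Mobile Subscriber Identity Number


def parse_imsi(imsi: str) -> Imsi:
    """Split a 15-digit IMSI into MCC + MNC + MSIN (spaces are ignored)."""
    digits = imsi.replace(" ", "")
    if not digits.isdigit() or len(digits) != 15:
        raise ValueError("IMSI must be exactly 15 digits")
    mcc = digits[:3]
    n = mnc_length(mcc)
    return Imsi(mcc, digits[3:3 + n], digits[3 + n:])


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for the 14-digit TAC+serial part of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def imei_is_valid(imei: str) -> bool:
    """A 15-digit IMEI is well-formed when its last digit is the Luhn check digit."""
    digits = imei.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) != 15:
        return False
    return luhn_check_digit(digits[:14]) == int(digits[14])


def split_imei(imei: str) -> dict:
    """Return TAC (8 digits), serial (6 digits), check digit and validity."""
    digits = imei.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) != 15:
        raise ValueError("IMEI must be exactly 15 digits")
    return {
        "tac": digits[:8],
        "serial": digits[8:14],
        "check": digits[14],
        "valid": imei_is_valid(digits),
    }


if __name__ == "__main__":
    # Constructed sample IMSI: MCC 404 (India), MNC 45, 10-digit MSIN.
    print(parse_imsi("404450123456789"))
    # The IMEI printed on the slide does not carry a correct Luhn check digit.
    print(split_imei("3561 880 4850 4945"))
```

Running the block shows that the slide's sample IMEI fails the Luhn check (its correct check digit would be 1), which is the kind of discrepancy an EIR import or a fraud-review script should flag rather than silently accept.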

The Terminal Layer: User Equipment (UE) States of Operation

State 1: Detached
1. The Mobile Station (MS) is not within the network coverage area.
2. This also refers to the state when the mobile phone is switched off.

NOTE: the mobile station is not connected to the network, hence no process is established here.

State 2: Idle
1. When you switch on the mobile station, it moves to the Idle state from the Detached state.
2. In this state the mobile station is within the network coverage area but is not being used (e.g. making or receiving a call, data communication etc.).

When your mobile station is switched on, it attaches itself to the nearest BTS tower in the location area. This process of attaching the phone to the nearest BTS tower is called Registration.

Further, when you move from one location area to another, your mobile station sends a message on a continuous basis to the nearest BTS tower. The network updates the changing information about the subscriber, and this process is called Location Updating.

Figure: Detached -> (Registration) -> Idle -> (Location Updating).

State 3: Active
1. When your mobile station is used to make or receive a call, or to send or receive data, it moves to the Active state from the Idle state.

In the active state, whenever you use the mobile station to either receive or make a call, the MSC finds out the Location Area (LA) in which you are present and connects you to other network elements within the Location Area. This process is called Paging.

Figure: Detached -> (Registration) -> Idle -> (Location Updating) -> (Paging) -> Active.
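The three states and the Registration, Location Updating and Paging processes above form a small state machine as seen from the network side. As an added example (not from the deck), the following models a VLR-style record per subscriber that accepts only the transitions the slides describe and records rejected events, so that, for instance, a location update or a paging attempt for a station that is Detached is refused rather than acted on. Class and method names, and the sample IMSI, are constructed for this illustration.

```python
"""Network-side model of the UE states of operation (Detached, Idle, Active).

Added example, not from the slides. VlrRecord, its method names and the
sample IMSI are constructed; the accepted transitions follow the slide text.
"""
from enum import Enum


class UeState(Enum):
    DETACHED = "Detached"
    IDLE = "Idle"
    ACTIVE = "Active"


class VlrRecord:
    """One mobile station as tracked by the network, keyed by IMSI."""

    def __init__(self, imsi: str):
        self.imsi = imsi
        self.state = UeState.DETACHED
        self.location_area = None   # LA the MS last registered or updated from
        self.events = []            # audit trail: (result, event, from, to)

    def _accept(self, name: str, new_state: UeState) -> None:
        self.events.append(("ok", name, self.state.value, new_state.value))
        self.state = new_state

    def _reject(self, name: str) -> bool:
        self.events.append(("rejected", name, self.state.value, None))
        return False

    def register(self, la: str) -> bool:
        """Registration: power-on attach to the nearest BTS; Detached -> Idle."""
        if self.state is not UeState.DETACHED:
            return self._reject("registration")
        self.location_area = la
        self._accept("registration", UeState.IDLE)
        return True

    def location_update(self, la: str) -> bool:
        """Location Updating: the MS moved to another LA; only valid while Idle."""
        if self.state is not UeState.IDLE:
            return self._reject("location_update")
        self.location_area = la
        self._accept("location_update", UeState.IDLE)
        return True

    def page(self):
        """Paging: the MSC looks up the LA to deliver a call; Idle -> Active.
        Returns the LA to page, or None when the MS has no process established."""
        if self.state is not UeState.IDLE:
            self._reject("paging")
            return None
        self._accept("paging", UeState.ACTIVE)
        return self.location_area

    def call_end(self) -> bool:
        """Call or data session finished: Active -> Idle."""
        if self.state is not UeState.ACTIVE:
            return self._reject("call_end")
        self._accept("call_end", UeState.IDLE)
        return True

    def detach(self) -> bool:
        """Power-off or loss of coverage: Idle/Active -> Detached."""
        if self.state is UeState.DETACHED:
            return self._reject("detach")
        self.location_area = None
        self._accept("detach", UeState.DETACHED)
        return True


def demo() -> VlrRecord:
    """Walk one constructed subscriber through the lifecycle from the slides."""
    ms = VlrRecord("404450123456789")   # constructed IMSI
    ms.page()                          # rejected: Detached, nothing to page
    ms.register("LA1")                 # Registration
    ms.location_update("LA2")          # Location Updating
    ms.page()                          # Paging -> Active, returns "LA2"
    ms.call_end()
    ms.detach()
    return ms


if __name__ == "__main__":
    for event in demo().events:
        print(event)
```

The audit trail is the useful part for a defender: a burst of rejected events for one IMSI (paging or location updates against a Detached record, repeated registrations while already Idle) is a cheap signal that the signalling the network receives does not match the state it believes the station is in.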

The Access Layer

Telecom Components (2G/GSM/CDMA)

BTS: Base Transceiver Station

The Base Transceiver Station (BTS) is the transmit and receive link for a mobile communication system. It is the device that actually communicates with the cell phone. The BTS connects to a BSC and communicates over the Abis interface.

Functionality:
1. Radio reception and transmission
2. Signal processing
3. Signal link management
4. Synchronization
5. Encodes, encrypts, multiplexes, modulates and feeds the RF signal to the antenna

Security Challenges:
1. Physical tampering of MW equipment
2. Fake BTS
3. IMSI Catcher
4. Over-the-air cloning

Figure: GPS war driving; Nano BTS in a Nano.

BSC: Base Station Controller

The BSC is used to control a group of BTSs. It provides the connection between the BTS and the other network elements that are needed to complete the call.

Functionality:
1. Handovers of calls from one BTS to another
2. The BSC passes your call on to the Mobile Switching Center (MSC)
3. Manages radio resources for the BTS
4. Assigns frequency and timeslots to the MS

Security Challenges:
1. OpenBSC software
2. Cipher keys and authentication data in clear (between and within networks)
3. Attacks on COMP128
4. Encryption not extended till the core (clear text transmission of user and signaling data across microwave links, e.g. in GSM BTS -> BSC)

Telecom Components (3G/UMTS)

Node B

A UMTS (3G) mobile connects to the Node B to transmit or receive a voice call or to carry out a data-mode connection.

Functionality:
1. Modulation and spreading
2. RF processing
3. Inner-loop power control
4. Rate matching
5. Macro diversity combining/splitting inside the Node B

Security Challenges:
1. Unknown

    Telecom Components (3G/UMTS)

  • 7/31/2019 Session1 Telecom Security a Primer v6 SonyRevise

    43/96

    2011 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliatedwith KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.

    Functionality

    1. Closed loop power control2. Handover control3. Admission control4. Code allocation5. Packet scheduling6. Macro diversity combining/splitting over number of

    Node Bs

    Security Challenges:1. Unknown

    Comparable to Base Station Controller in GSM. It isresponsible for L2 processing of user data and RadioResource Management.

    RNC

    Node BRNC Radio Network Controller

Telecom Components (4G/LTE)

eNode B

The eNode B is the base station in the LTE/SAE network.

Functionality:
1. Radio resource management
2. IP header compression and encryption of the user data stream
3. Selection of an MME at UE attachment
4. Routing of user plane data towards the SAE gateway
5. Measurement and measurement reporting configuration for mobility and scheduling

Security Challenges:
1. Placing a large number of eNodeBs in a large L2 domain results in Distributed Denial of Service (DDoS) attacks.
2. IP addresses of neighboring cell sites can be extracted through Automatic Neighbor Relation (ANR) messages for use in dynamic ACLs that only allow communication between defined neighboring cell sites.
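Point 2 above describes a mitigation rather than an attack: the neighbour relations an eNodeB already learns through ANR can drive a default-deny ACL for the inter-eNB link. As an added example (not from the deck or any vendor), the block below takes a constructed ANR export, makes the relations symmetric so that replies are permitted, and produces a per-site allowlist plus a check function and vendor-neutral rule lines. The export format, site identifiers and addresses are all constructed for the illustration; a real deployment would read the neighbour relation table from the eNB's own management export.

```python
"""Build per-eNodeB allowlists from ANR neighbour relations.

Added example, not from the slides. ANR_EXPORT is a constructed stand-in for
an eNB neighbour relation table: eNB id -> (X2 address, neighbour eNB ids).
"""
import ipaddress
from collections import defaultdict

ANR_EXPORT = {
    "enb-101": ("10.20.1.1", ["enb-102", "enb-103"]),
    "enb-102": ("10.20.1.2", ["enb-101"]),
    "enb-103": ("10.20.1.3", ["enb-101", "enb-104"]),
    "enb-104": ("10.20.1.4", ["enb-103"]),
    "enb-200": ("10.20.2.1", []),          # isolated site, no relations
}


def build_allowlist(anr: dict) -> dict:
    """Return {site address: frozenset of neighbour addresses}.

    Relations are made symmetric so a one-sided neighbour entry still permits
    the reply direction; sites with no relations get an empty set (deny all).
    """
    addr = {enb: ipaddress.ip_address(a) for enb, (a, _) in anr.items()}
    peers = defaultdict(set)
    for enb, (_, neighbours) in anr.items():
        for n in neighbours:
            if n not in addr:
                raise KeyError(f"neighbour {n} of {enb} has no address in export")
            peers[addr[enb]].add(addr[n])
            peers[addr[n]].add(addr[enb])
    return {a: frozenset(peers[a]) for a in addr.values()}


def allowed(allowlist: dict, src: str, dst: str) -> bool:
    """Default-deny check: inter-eNB traffic only between defined neighbours."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return d in allowlist.get(s, frozenset())


def render_acl(allowlist: dict) -> list:
    """Ordered, vendor-neutral rule lines: permit each neighbour, then deny the rest."""
    lines = []
    for src in sorted(allowlist):
        for dst in sorted(allowlist[src]):
            lines.append(f"permit {src} -> {dst}")
        lines.append(f"deny   {src} -> any")
    return lines


if __name__ == "__main__":
    acl = build_allowlist(ANR_EXPORT)
    for line in render_acl(acl):
        print(line)
    print(allowed(acl, "10.20.1.1", "10.20.1.4"))   # not neighbours -> False
```

Regenerating the ACL whenever the neighbour table changes keeps the rule set in step with the radio topology; an address that is not in the export at all (the last check in the test) is denied by construction, which is the property the slide is after.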

The Core Layer

CDMA Network Architecture

Core Components: CDMA

HA - Locates the place where the Mobile Node opens its account.
MSC - Authenticates the subscriber to establish the call.
GMSC - Switch which interrogates the subscriber's HLR to obtain routing information (transit calls).
HLR - Centralized database that stores and manages all subscriber related information required to set up calls.
VLR - Database containing subscriber information of all subscribers currently located in the area served by the MSC.
AuC - Authenticates each SIM card that attempts to connect to the network.
EIR - Optional database containing mobile equipment identity information.
PDSN - Implements the switching of packet data services of mobile subscribers.

Figure: core element map showing AUC, EIR, HLR/VLR, HA, SGSN/GGSN, PGW, SGW, MME, MSC/GMSC, PDSN, PCRF.

2G and 3G Network Architecture

Core Components: GSM

MSC/MGW - Performs the call control function and authenticates the subscriber to establish the call.
GMSC - Switch which interrogates the subscriber's HLR to obtain routing information (transit calls).
HLR - Centralized database that stores and manages all subscriber related information required to set up calls.
VLR - Database containing subscriber information of all subscribers currently located in the area served by the MSC.
AuC - Authenticates each SIM card that attempts to connect to the network.
EIR - Optional database containing mobile equipment identity information.
SGSN - Delivery of data packets from and to the mobile stations within its geographical service area.
GGSN - Interworking between the GPRS network and external packet switched networks.

Figure: core element map showing AUC, EIR, HLR/VLR, HA, SGSN/GGSN, PGW, SGW, MME, MSC/MGW/GMSC, PDSN, PCRF.


3G

- MSC/MGW: Performs the call control function and authenticates the subscriber to establish the call.
- GMSC: Switch which interrogates the subscriber's HLR to obtain routing information (transit calls).
- HLR: Centralized database that stores and manages all subscriber-related information required to set up calls.
- VLR: Database containing subscriber information of all subscribers currently located in the area served by the MSC.
- AuC: Authenticates each SIM card that attempts to connect to the network.
- EIR: Optional database containing mobile equipment identity information.
- SGSN: Delivery of data packets from and to the mobile stations within its geographical service area.
- GGSN: Interworking between the GPRS network and external packet-switched networks.

[Figure: core network elements across generations, with the 3G ones highlighted: AUC, EIR, HLR/VLR, HA, SGSN/GGSN, PGW, SGW, MME, MSC/MGW/GMSC, PDSN, PCRF]

4G/LTE Network Architecture

[Figure: 4G/LTE network architecture diagram showing the core components]


4G

- MME: Manages the subscriber session control-plane functionality.
- HSS: The concatenation of the HLR and the AuC. The HLR part of the HSS is in charge of storing and, when necessary, updating the database containing all the user subscription information. The AuC part of the HSS is in charge of generating security information from user identity keys; this security information is provided to the HLR and further communicated to other entities in the network.
- SGW: Receives and routes all UE packet data and serves as a mobility anchor while UEs transition between eNodeBs.
- PGW: Routes data packets from the SGW to external services.
- PCRF: Server that manages the service policy and sends QoS setting information for each user session, together with accounting rule information.

[Figure: core network elements across generations, with the 4G ones highlighted: AUC, EIR, HSS, HA, SGSN/GGSN, PGW, SGW, MME, MSC/MGW, PDSN, PCRF]


    Telecom Components


HLR / VLR / HSS: Home / Visitor Location Register (CDMA/2G/3G)

The HLR is a centralized database that stores and manages all subscriber-related information required to set up calls. It acts as a personal store for subscriber information until the subscription is cancelled.

Functionality:
1. Subscriber's supplementary services
2. Subscriber's identity
3. Subscriber's location information (MSC service area)
4. Subscriber's authentication information

VLR:
1. The VLR is a database containing subscriber information of all subscribers currently located in the area served by the MSC.
2. The most important information is the current location of the subscriber.
3. Whenever an MSC detects a new subscriber in its network, in addition to creating a new record in the VLR, it also updates the HLR of the mobile subscriber, apprising it of the new location.

Security Challenges:
1. HLR/VLR database compromise.
2. Wrong entry flushed into the database.
3. Access control to HLRs should be based on user profiles, using at least a unique username and a password as authentication data.
4. Remote access to the HLR should be protected from eavesdropping, source and destination spoofing and session hijacking. This is achieved by limiting the range of protocols used for communication with the HLR.

[Figure: CDMA core elements: AUC, HLR, HA, EIR, MSC, PDSN]


AuC: Authentication Center (CDMA/2G/3G)

The AuC is a network element used to authenticate each SIM card that attempts to connect to the network.

Functionality:
1. It provides the information that allows mobile phones to access the network.
2. The AuC generally performs its functions when you switch on your mobile station.
3. The AuC is responsible for generating the parameters used for the privacy and the ciphering of the radio link.
4. To ensure the privacy of the mobile subscriber, a Temporary Mobile Subscriber Identity (TMSI) is assigned for the duration that the subscriber is under the control of the specific Mobile Switching Centre (MSC) associated with the AuC.

Security Challenges:
1. The number of employees having physical and logical access to the AuC should be limited, such that it is then reasonable to use an AuC which is not integrated with the HLR.
2. Operators should carefully consider the need for encryption of AuC data. Some vendors use default encryption.
3. That encryption is questionable, since the algorithm is proprietary and confidential.
4. If an add-on ciphering facility is used, attention should be paid to cryptographic key management.
5. Authentication triplets can be obtained from the AuC by masquerading as another system entity (namely the HLR). The threat is present when the HLR and the AuC are physically separated.

[Figure: core elements: AUC, HLR/VLR/HSS, HA, EIR, MSC, PDSN]


HA: Home Agent (CDMA)

The home agent locates the place where the Mobile Node (MN) opens its account and receives the registration information from the MN.

Functionality:
1. Broadcast the accessible information of the MN.
2. Set up the tunnel between the FA and the HA.
3. Transfer data from other computers to the MN via the tunnel.

[Figure: CDMA core elements: AUC, HLR, HA, EIR, MSC, PDSN]


PDSN: Packet Data Service Node (CDMA)

The PDSN implements the switching of packet data services of mobile subscribers.

Functionality:
1. Provides the interface between the radio network and the packet data network.

[Figure: core elements: AUC, HLR/VLR/HSS, HA, EIR, MSC, PDSN]


SGSN/GGSN: Serving/Gateway GPRS Support Node (2G/3G)

The Gateway GPRS Support Node (GGSN) is a main component of the GPRS network. It is responsible for the interworking between the GPRS network and external packet-switched networks. A Serving GPRS Support Node (SGSN) is responsible for the delivery of data packets from and to the mobile stations within its geographical service area.

Functionality:
1. The GGSN maintains the routing necessary to tunnel Protocol Data Units (PDUs) to the SGSN that serves a particular MS.
2. SGSN tasks include packet routing and transfer, mobility management (attach/detach and location management), logical link management, and authentication and charging functions.

[Figure: core elements: AUC, HLR/VLR/HSS, HA, EIR, MSC, SGSN/GGSN]


MME: Mobility Management Entity (4G/LTE)

The MME manages the subscriber session control-plane functionality, which uses the S1-C interface (C for Control Plane) to communicate through the eNodeB to the UE.

Functionality:
1. Authentication
2. Authorization
3. Ciphering
4. Security key management

[Figure: 4G/LTE core elements: SGW, HSS, PGW, MME, PCRF]


PGW: PDN Gateway (4G/LTE)

Routes data packets from the SGW to external services such as the Internet, the IP Multimedia Subsystem (IMS), or the PSTN.

Functionality:
1. Performs packet filtering.
2. Policy enforcement and lawful interception.
3. Charging support and packet screening.

[Figure: 4G/LTE core elements: SGW, HSS, PGW, MME, PCRF]


PCRF: Policy and Charging Rules Function (4G/LTE)

Manages the service policy and sends QoS setting information for each user session, together with accounting rule information.

Functionality:

The Policy Decision Function (PDF) is the network entity where the policy decisions are made. As the IMS session is being set up, SIP signaling containing the media requirements is exchanged between the terminal and the P-CSCF. At some point in the session establishment process, the PDF receives the requirements from the P-CSCF and makes decisions based on network operator rules, such as allowing or rejecting the media request, using a new or an existing PDP context for an incoming media request, and checking the allocation of new resources against the maximum authorized.

The Charging Rules Function (CRF) provides operator-defined charging rules applicable to each service data flow. It selects the relevant charging rules based on information provided by the P-CSCF, such as Application Identifier, Type of Stream (audio, video, etc.), Application Data Rate, etc.

[Figure: 4G/LTE core elements: SGW, HSS, PGW, MME, PCRF]


    Call Routing

    Call Routing-1


[Figure: end-to-end call routing. Mobile phones attach to BTSs (modem, amplifier); BTSs connect to BSCs, BSCs to MSCs, and MSCs to the GMSC, which routes onward to the PSTN, the Internet, Operator B and IP phone/WAP users. Routing tiers shown: local area routing, multi local area routing and multi operator routing. The BSS infrastructure is backed by data center infrastructure (EIR, AUC, HLR, VLR, DHCP, DNS, mail, content), support infrastructure (network switches, MIS) and business infrastructure (mediation, rating/billing, printing, data warehouse).]

Legend:
- BTS: Base Transceiver Station
- BSC: Base Station Controller
- BSS: Base Station Subsystem
- MSC: Mobile Switching Center
- GMSC: Gateway Mobile Switching Center
- PSTN: Public Switched Telephone Network
- EIR: Equipment Identity Register
- AUC: Authentication Center
- HLR: Home Location Register
- VLR: Visited Location Register
- DHCP: Dynamic Host Configuration Protocol
- DNS: Domain Name System
- MIS: Management Information System

Call Routing-2

[Figure: call setup from the A-number subscriber to the B-number subscriber across BTS, BSC, MSC, VLR, HLR, EIR and AuC.]

Steps shown in the figure:
1. SIM card authentication at the time of switch-on (AuC).
2. Connect to a BTS based on the location of the subscriber.
3. Link with the BSC.
4. Link with the MSC.
5. Communication with the VLR.
6. Check with the HLR to determine the MSC of the B number.
7. Check if the equipment used is approved (EIR).
8. If no profile of the subscriber exists in the VLR, then download it from the HLR.
9. Transfer the call to MSC (2).
10. Communicate with the BSC.
11. Connect to the BTS.
12. Contact the subscriber (B number).

Break

Telecom Architecture and Threats

GSM Security Challenges

- Only provides access security; communications and signaling traffic in the fixed network are not protected.
- Does not address active attacks, whereby some network elements (e.g. BTS: Base Station) are involved.
- Only as secure as the fixed networks to which they connect.
- Difficult to upgrade the cryptographic mechanisms.
- Terminal identity cannot be trusted.
- Lawful interception only considered as an afterthought.
- Lack of user visibility (e.g. the user doesn't know whether the link is encrypted or not).

2G (GSM) Security vs 3G (UMTS) Security


Security Enhancements in 3G

Fake Base Station: A change was made to defeat the false base station attack. The security mechanisms include a sequence number that ensures that the mobile can identify the network.

Stronger Ciphers: Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.

Security on Device: Mechanisms were included to support security within and between networks.

Security from Outside to Inside: Security is based within the switch rather than the base station, as in GSM. Therefore the links between the base station and the switch are protected.

Integrity: Integrity mechanisms for the terminal identity (IMEI) were designed in from the start, rather than introduced late, as happened in GSM.

What good are these security enhancements when operators today run insecure 2G and security-enhanced 3G networks in parallel?

Result: Weakened Network Architecture
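The GSM triplet exchange from the AuC slide and the 3G sequence-number check described above, as an added example that is not part of the deck. It assumes HMAC-SHA256 as a stand-in for the operator-specific A3/A8 and f1..f5 algorithms, and the Ki, RAND and AMF values are constructed; what it shows is why a replayed or forged challenge passes the SIM in GSM but is rejected by the USIM in UMTS.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample subscriber credential: a 128-bit Ki shared by the (U)SIM and the AuC/HSS.
KI = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SQN_LEN = 6            # UMTS sequence number length in bytes
AMF = b"\x80\x00"      # authentication management field (held constant here)


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in (assumption) for the operator-specific A3/A8 and f1..f5 functions."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


# ---------- GSM (2G): one-way challenge/response with an authentication triplet ----------

def gsm_triplet(ki: bytes, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """AuC side: build (RAND, SRES, Kc). The triplet carries nothing the SIM could use to
    verify that the network challenging it actually holds Ki."""
    rand = rand or os.urandom(16)
    sres = _prf(ki, b"A3", rand)[:4]   # 32-bit signed response
    kc = _prf(ki, b"A8", rand)[:8]     # 64-bit A5 cipher key
    return rand, sres, kc


def sim_gsm_response(ki: bytes, rand: bytes) -> bytes:
    """SIM side: answers whichever RAND it is sent, with no check on who sent it."""
    return _prf(ki, b"A3", rand)[:4]


def vlr_check_sres(sres_expected: bytes, sres_from_sim: bytes) -> bool:
    """VLR/MSC side: the only verification step that exists in GSM."""
    return hmac.compare_digest(sres_expected, sres_from_sim)


# ---------- UMTS (3G) AKA: mutual authentication with a sequence number ----------

def umts_vector(ki: bytes, sqn: int, rand: Optional[bytes] = None):
    """AuC/HSS side: build the quintet (RAND, XRES, CK, IK, AUTN).
    AUTN = (SQN xor AK) || AMF || MAC-A, where MAC-A is keyed with Ki over RAND, SQN and AMF:
    only a network holding Ki can produce it, and SQN lets the USIM reject replays."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(SQN_LEN, "big")
    mac_a = _prf(ki, b"f1", rand, sqn_b, AMF)[:8]
    xres = _prf(ki, b"f2", rand)[:8]
    ck = _prf(ki, b"f3", rand)[:16]
    ik = _prf(ki, b"f4", rand)[:16]
    ak = _prf(ki, b"f5", rand)[:SQN_LEN]            # anonymity key hides SQN on the air interface
    autn = bytes(s ^ a for s, a in zip(sqn_b, ak)) + AMF + mac_a
    return rand, xres, ck, ik, autn


class USIM:
    """USIM side of AKA: verifies the network (MAC-A) and the freshness of the challenge (SQN)."""

    def __init__(self, ki: bytes, sqn_highest: int = 0):
        self.ki = ki
        self.sqn_highest = sqn_highest    # highest sequence number accepted so far

    def authenticate_network(self, rand: bytes, autn: bytes):
        """Returns ("ok", RES), ("mac_failure", None) or ("sync_failure", None)."""
        sqn_xor_ak = autn[:SQN_LEN]
        amf = autn[SQN_LEN:SQN_LEN + 2]
        mac_a = autn[SQN_LEN + 2:]
        ak = _prf(self.ki, b"f5", rand)[:SQN_LEN]
        sqn_b = bytes(x ^ a for x, a in zip(sqn_xor_ak, ak))
        if not hmac.compare_digest(_prf(self.ki, b"f1", rand, sqn_b, amf)[:8], mac_a):
            return "mac_failure", None     # challenger does not hold Ki: a false base station
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_highest:
            return "sync_failure", None    # replayed or stale challenge
        self.sqn_highest = sqn
        return "ok", _prf(self.ki, b"f2", rand)[:8]


def demo():
    """Runs both procedures with a fixed RAND and returns the three USIM verdicts."""
    rand = bytes(range(16))
    _, sres, _ = gsm_triplet(KI, rand)
    assert vlr_check_sres(sres, sim_gsm_response(KI, rand))   # GSM: the SIM is authenticated...
    assert sim_gsm_response(KI, rand) == sres                 # ...and answers a replayed RAND identically
    usim = USIM(KI)
    r, xres, _, _, autn = umts_vector(KI, sqn=1, rand=rand)
    genuine = usim.authenticate_network(r, autn)             # ("ok", RES == XRES)
    replay = usim.authenticate_network(r, autn)              # ("sync_failure", None)
    forged = umts_vector(b"\x00" * 16, sqn=2, rand=rand)     # a network that does not hold Ki
    fake = usim.authenticate_network(forged[0], forged[4])   # ("mac_failure", None)
    return genuine[0], replay[0], fake[0]


if __name__ == "__main__":
    print(demo())
```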

Emerging Threats and Classification: Telecom


Telecom emerging threats (T1 to T10):
- T1: Flooding an interface
- T2: Crashing a network element
- T3: Eavesdropping
- T4: Unauthorized data access
- T5: Traffic modification
- T6: Data modification on a network element
- T7: Compromise via implementation flaw
- T8: Compromise via management interface
- T9: Malicious insider
- T10: Theft of service

Impact categories: Availability, Confidentiality, Integrity, Loss of Control, Loss of Service.

Source: Attack analysis and Security concepts for MObile Network Infrastructures supported by collaborative Information exchAnge (ASMONIA).

Emerging Threats and Classification: Telecom

[Figure: ranking of threats against the network elements, split into critical and less critical network elements]

Understanding the Telecom Stack and Protocols

Intelligent Network (IN)

Description: The Intelligent Network (IN) is the standard network architecture specified in the ITU-T Q.1200 series recommendations. It is intended for fixed as well as mobile telecom networks.

IN is supported by the Signaling System #7 (SS7) protocol between telephone network switching centers and other network nodes owned by network operators.

Functionality:
- Allows operators to differentiate themselves by providing value-added services.
- Intelligent network nodes.
- Modular and more secure network.
- The initial use of IN technology was for number translation services.

The Stack: SS7

Description: Signaling System No. 7 (SS7) is a set of telephony signaling protocols which are used to set up most of the world's public switched telephone network calls. (The Link)

Functionality: The main purpose is to set up and tear down telephone calls. Other uses include number translation, local number portability, prepaid billing mechanisms, short message service (SMS), and a variety of other mass-market services.

Security Challenges:
1. Internet-PTN convergence gives attackers inroads via entities with poorly secured SS7 networks.
2. ISDN connections are also points of unauthorized entry.
3. Advanced services like call forwarding have intrinsic vulnerabilities; attackers can create havoc by modifying the SCPs containing forwarding destinations.
4. Anyone capable of generating SS7 messages and introducing them into a network can disrupt PTN services.

[Figure: stack labels: SS7, CCS7]

The Stack: CCS7

Description: In Common Channel Signaling (CCS) there is a common signaling channel which carries all the signaling information to be exchanged during communication. All other channels can be used for speech or data as required. (The Link Information)

Functionality:
- Higher signaling capacity.
- More speech/data channels, as there is only one signaling channel.
- Central offices can exchange information not related to speech/data between themselves, e.g. subscriber data.
- Various high-end features like roaming are possible by using CCS7.

Security Challenges:
1. DoS attack
2. Flooding with SCTP chunks
3. MitM attack: eavesdropping
4. MitM attack: unrecognized data alteration

[Figure: signaling network example with SP (SPC=100), STP (SPC=200), STP (SPC=300), SRP (SPC=400) and SEP (SPC=500)]

SIGTRAN and Protocols: SIGTRAN

Description: Derived from "Signaling Transport". Provides a reliable datagram service and user-layer adaptation for the Signaling System 7 (SS7) and ISDN communications protocols. (If SS7 is IP, SIGTRAN is IPv4.)

Functionality: SIGTRAN uses an IP transport protocol called Stream Control Transmission Protocol (SCTP), which is used to carry PSTN signaling over IP. (And SCTP is something like HTTP.)

Security Challenges:
- The SCTPscan tool (from BackTrack) can be used for scanning for services.
- IAM attack: capacity DoS, similar to SIP flooding.
- REL attack: targeted call release, terminating a user's conversation.
- SRI attack: tracking of users.
- HLR attack: fake location update, which redirects calls to another country until the phone reboots.

[Figure: protocol labels: SIGTRAN, MEGACO, MGCP, RTP]
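Detection logic for the IAM flood, targeted REL and SRI / fake location update patterns listed above, run over constructed signaling event lines; this is an added example, not part of the deck or of any product named on this page. The home point codes, the roaming-partner allow-list, the event format, the circuit-reference uniqueness and the rate threshold are all assumptions.

```python
import csv
from collections import defaultdict, deque
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed sample signaling events (not captured traffic): timestamp, originating and
# destination point codes, protocol, message, and a reference (ISUP circuit or MAP subscriber id).
SAMPLE_EVENTS = """\
# ts,opc,dpc,proto,msg,ref
100.0,200,100,ISUP,IAM,cic=41
100.2,100,200,ISUP,ACM,cic=41
100.9,100,200,ISUP,ANM,cic=41
101.0,200,100,MAP,UpdateLocation,imsi=404010000000001
101.5,300,100,ISUP,REL,cic=41
102.0,300,100,ISUP,IAM,cic=90
102.1,300,100,ISUP,IAM,cic=91
102.2,300,100,ISUP,IAM,cic=92
102.3,300,100,ISUP,IAM,cic=93
102.4,300,100,ISUP,IAM,cic=94
102.5,300,100,ISUP,IAM,cic=95
103.0,400,100,MAP,SRI,msisdn=919900000001
"""

HOME_PCS: Set[int] = {100, 101}      # our own signaling points (assumed)
ROAMING_PARTNERS: Set[int] = {200}   # point codes allowed to send MAP SRI/UpdateLocation to our HLR (assumed)
IAM_WINDOW_S = 1.0                   # sliding window for the IAM rate check
IAM_THRESHOLD = 5                    # more IAMs than this per window from one OPC is flagged


@dataclass
class SigEvent:
    ts: float
    opc: int
    dpc: int
    proto: str
    msg: str
    ref: str


def parse_events(text: str) -> List[SigEvent]:
    """Parse the comma-separated event lines; '#' lines and blank lines are skipped."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        ts, opc, dpc, proto, msg, ref = (f.strip() for f in row)
        events.append(SigEvent(float(ts), int(opc), int(dpc), proto, msg, ref))
    return events


def analyze(events: List[SigEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, offending OPC, detail) alerts for the three attack patterns on the slide."""
    alerts: List[Tuple[str, int, str]] = []
    recent_iams: Dict[int, deque] = defaultdict(deque)   # OPC -> timestamps of IAMs inside the window
    flood_reported: Set[int] = set()
    call_parties: Dict[str, Set[int]] = {}               # circuit ref -> {OPC, DPC} of the IAM that opened it
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.proto == "ISUP" and ev.msg == "IAM":
            window = recent_iams[ev.opc]
            window.append(ev.ts)
            while window and ev.ts - window[0] > IAM_WINDOW_S:
                window.popleft()
            if len(window) > IAM_THRESHOLD and ev.opc not in flood_reported:
                flood_reported.add(ev.opc)
                alerts.append(("IAM flood (capacity DoS)", ev.opc,
                               f"{len(window)} IAM in {IAM_WINDOW_S}s"))
            call_parties[ev.ref] = {ev.opc, ev.dpc}      # assumes circuit refs are unique per trunk group
        elif ev.proto == "ISUP" and ev.msg == "REL":
            parties = call_parties.get(ev.ref)
            if parties is not None and ev.opc not in parties:
                alerts.append(("REL from a point code not party to the call", ev.opc, ev.ref))
        elif ev.proto == "ISUP" and ev.msg == "RLC":
            call_parties.pop(ev.ref, None)               # circuit released normally
        elif ev.proto == "MAP" and ev.msg in ("SRI", "UpdateLocation") and ev.dpc in HOME_PCS:
            if ev.opc not in ROAMING_PARTNERS | HOME_PCS:
                alerts.append((f"MAP {ev.msg} from unexpected point code", ev.opc, ev.ref))
    return alerts


if __name__ == "__main__":
    for rule, opc, detail in analyze(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: OPC={opc} ({detail})")
```

On the sample data the UpdateLocation from the allow-listed partner (OPC 200) raises nothing, while the REL from OPC 300, the six IAMs within one second from OPC 300 and the SRI from OPC 400 each produce one alert.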

SIGTRAN and Protocols: MEGACO (H.248)

Description: Media Gateway Control Protocol (H.248, MEGACO) is used for controlling media gateways in Internet Protocol and PSTN networks.

Functionality: Although H.248 performs the same function as MGCP, it uses different commands and processes and supports a broad range of networks.

Security Challenges: Malformed requests to port 2944/tcp, used by MEGACO, are known to cause denial of service.

[Figure: protocol labels: SIGTRAN, MEGACO, MGCP, RTP]

SIGTRAN and Protocols: MGCP

Description: Media Gateway Control Protocol (MGCP) is a signaling and call control protocol used within VoIP that interoperates with the PSTN.

Functionality:
- Call control via a Call Agent.
- Uses the Session Description Protocol (SDP) for specifying and negotiating the media streams.
- A typical architecture consists of a Call Agent and a Media Gateway.

Security Challenges: MGCP Call Agents (CAs) are susceptible to DoS attacks and malformed packets.

[Figure: protocol labels: MEGACO, MGCP, RTP]

SIGTRAN and Protocols: RTP

Description: Real-time Transport Protocol (RTP) defines a standardized packet format for delivering audio and video over IP networks.

Functionality:
- Extensively used in communication and entertainment systems such as telephony and video conferencing applications.
- RTP is used in conjunction with RTCP.
- RTP is originated and received on even port numbers, and the associated RTCP communication uses the next higher odd port number.

Security Challenges:
- Call tampering
- Man-in-the-middle attacks
- DoS attacks

[Figure: protocol labels: MEGACO, MGCP, RTP]

Protocols: MTP

Description: Media Termination Point. MTPs bridge the media streams between two connections.

Functionality:
- Passes streaming data to the other connection.
- The MTP transcodes a-law to mu-law (and vice versa) and adjusts packet sizes as required by the two connections.
- MTPs extend supplementary services such as call hold, call transfer, call park, and conferencing.

Security Challenges:

[Figure: protocol labels: SCCP, ISUP, TCAP, INAP, ISDN, MAP]

Protocols: ISUP

Description: ISDN User Part (ISUP) is the part of SS7 which is used to set up calls in Public Switched Telephone Networks.

Functionality: Common messages transmitted in ISUP are:
- Initial Address Message (IAM)
- Subsequent Address Message (SAM)
- Address Complete Message (ACM)
- Answer Message (ANM)
- Release (REL)
- Release Complete (RLC)

Security Challenges:
- Eavesdropping
- Man-in-the-middle attacks
- ARP spoofing attacks
- Caller ID spoofing
- SIP registration hacking

[Figure: protocol labels: SCCP, ISUP, TCAP, INAP, ISDN, MAP]

Protocols: TCAP

Description: Transaction Capabilities Application Part (TCAP) is a protocol in the SS7 suite.

Functionality:
- Supports non-circuit-related information exchange between signaling points using the Signalling Connection Control Part (SCCP) connectionless service.
- TCAP also supports the ability to invoke features in another, remote network switch.

Security Challenges:

[Figure: protocol labels: SCCP, ISUP, TCAP, INAP, ISDN, MAP]

Protocols: INAP

Description: The Intelligent Network Application Part (INAP) is a signalling protocol used in the intelligent network architecture.

Functionality:
- Part of the SS7 protocol suite.
- Typically layered on top of TCAP.
- Provides the logic for controlling telecommunication services that have migrated from traditional switching points to computer-based services.

Security Challenges:

[Figure: protocol labels: SCCP, ISUP, TCAP, INAP, ISDN, MAP]

Protocols: ISDN

Description: Integrated Services Digital Network (ISDN) is a communication standard for the simultaneous transmission of voice, data and other network services over traditional circuits.

Functionality:
- Circuit-switched telephone network.
- Comprises BRI and PRI.
- BRI: 2B + 1D (192 Kbps).
- PRI: T1 (23B + 1D), E1 (30B + 1D).

Security Challenges:

[Figure: protocol labels: SCCP, ISUP, TCAP, INAP, ISDN, MAP]

Protocol Analyzers and Tools

P1 Telecom Auditor

Description: P1 Telecom Auditor is an SS7 and SIGTRAN vulnerability scanner and security auditor. Today, the security situation of SS7 and SIGTRAN is identical.

P1 Telecom Auditor offers telecom and mobile operators the capability to continuously assess and analyze the security of their core network and signaling perimeters.

Deployment:
- Easily deployed with a single lightweight virtual appliance using VMware technology and a web-based control and reporting server using SaaS technology.
- Integrates seamlessly in the signalling infrastructure.
- Requires an IP address and a Signalling Point Code.
- Ready for deployment in both legacy SS7 and state-of-the-art SIGTRAN, UMTS/CDMA 3G, IMS and LTE environments.

Technology, Protocols and Equipment (Quick View)

Native SS7 and SIGTRAN security auditing solution; mission-based and permanent scanning.

Features:
- SS7 interconnect security analysis
- Network element, DPC and SSN exposure tests from an external perspective
- Telecom network element vulnerability analysis
- External and internal security audit
- Telecom product analysis
- SS7 external information gathering
- Web-based admin, campaign control and reporting
- Reliable, repeatable scanner results, clear deliverables
- Protection methods against DoS
- Audit staging for controlled-environment assessment
- Multiple Signalling Point Code support
- CDR tagging to prevent charging

Protocols:
- SS7: Message Transfer Part 3 (MTP3), SCCP, TCAP, ISUP, TUP, MAP, OMAP, INAP, BICC, CAMEL, BSSAP, RANAP, UMA
- SIGTRAN: SCTP, M3UA, M2PA, M2UA, IUA (ISDN, Q.931), SUA, V5UA
- GPRS: GTP-U, GTP-C, GTP, GPX
- DNS
- AAA: RADIUS, Diameter
- VoIP / ToIP: SIP, H.323, Skinny / SCCP, H.248, MGCP, MEGACO
- Core network protocols: MPLS, LDP, BGP, VPLS, L2TP, GRE, IPsec, SAAL

Elements:
- STP
- MSC, MGW
- MMSC, SMSC, FDA
- HLR, HSS, AUC, EIR
- IN, VAS, billing platforms
- FMS, LIG
- GGSN, SGSN
- SG, AS, ASP, SN
- GRX and IPX routers, GRX, 3G and IPX DNS
- SGW, PGW / PDG / PDN GW, ePDG, GPRS billing gateways
- Internet gateways, PS domain routers, proxies, legacy PS equipment, WAP GW
- ATM switches
- Billing centre, billing systems, reconciliation systems
- IN, AIN, CAP and CAMEL systems
- BSC, BTS, Node B, RNC, LTE e-Node B
- SBC, SIP AS, SIP gateways
- Call Session Control Function equipment: P-CSCF, I-CSCF, S-CSCF
- HNB, eHNB, UMA femtocells, UMA support system, BRAS-AC, PDC
- Legacy equipment: X.25, XOT
- Circuit Switched (CS) / Packet Switched (PS) networks and interfaces

Thank You

(2010) KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.

The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").