
Telecom Security A Primer

29th May 2012 | Sony Anthony, Director, Management Consulting (IT Advisory)

Agenda

Our Experiences
The Very Very Basics
Switching and Transmission Technologies
Telecom Technologies
Evolution of Telecom
The Layers (Terminal, Access and Core)
Telecom Architecture Threats
Understanding the Stack and Protocols
Protocol Analyzers and Tools
Case Study - FemtoCells

Our Experiences Thus

History of Communication

2011 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.

History of Telecommunication

Telegraph

Telephone

Mobility



History of our Experience

RIP, OSPF, BGP SAN, NAS, DAS Routers, Switches, Firewalls

SNMP, TCP/IP, Telnet, FTP, HTTP

IPV4 / IPV6

Virtualization, Replication, Mirroring, Data De-Duplication

Applications, Databases, Middleware

Win, Linux, *NIX



Future of our Experience

Ericsson: MSC - AXE 10/810; MSS - AXE 810; MGW - CPP (R5/R6); MPBN - Redback routers; MPBN - Black Diamond switches; Blades - APZ 2130/40/50/60

Nokia / Siemens: NGN architecture; MSC - DX 200; 3G MGW - IPA 2800

Alcatel / Lucent

Components: NSC, MSS, MGW, HLR, POI, BSC, AUC, SCP, MPBN, EIR, GMSC, VLR
Protocol Analyzers: Tektronix K15-2, Ethereal, Wireshark, Eye Spot
Intelligent Network: SSF, SCP, SDP, IVR
VOIP: SIGTRAN, MEGACO, H.248, MGCP, RTP
Protocols: MTP, SCCP, ISUP, TCAP, INAP, ISDN, MAP, CAP, BSSAP
The Stack: SS7, CCS7
Data Speeds and Telecom Technologies: EVDO, EDGE, GPRS, GSM, TDM, WCDMA, PSTN
Switching and Transmission Technologies: ATM, SDH, STM, PDH, T1, E1
Microwave Equipment Vendors: NEC, ARYA, GTL, Envision, Aster, BNN

Security Consulting Engagements Tomorrow... are we Ready?

Equipment and protocol reverse engineering
VPN, ATM, AAL telecom access network audit
SIGTRAN adaptation layers configuration audit
VAS and IN services analysis
Management & OAM attacks
SMS / MMS fraud audit
SIM & AuC leakage audit
SS7 external information gathering
Telecom product analysis
Femto-cell access network security audit
SS7 and SIGTRAN network security architecture
Telecom network elements vulnerability analysis
3G protocol and configuration security audit
SS7 interconnect security analysis
Telecom configuration audit
SS7 and SIGTRAN penetration testing

The Basics

The Generations

Generation - Technology: Description and Working

2G - GSM: Global System for Mobile Communication (Circuit Switched)
2.5G - GPRS: General Packet Radio Service (Packet Switched for IP Services); uses SGSN-GGSN (Serving / Gateway GPRS Support Node)
3G - UMTS: Universal Mobile Telecommunication System (CS + PS); uses transport options like ATM / TDM / IP; new RAN: NodeB / RNC
4G - LTE/SAE: Long Term Evolution / System Architecture Evolution; PS only; new core: Mobility Management Entity and SAE Gateway; new RAN: evolved NodeB / RNC

The Fundamentals on Channel Access Methods

FDM: Frequency Division Multiplexing
TDM: Time Division Multiplexing

FDMA:
1. Division of the frequency band into multiple (30) channels.
2. Each channel can carry a voice conversation or, with digital service, carry digital data.

TDMA:
1. Chops up the channel into sequential time slices.
2. Users of the channel take turns transmitting and receiving in a round-robin fashion (only one user on the channel at a time).
3. GSM uses TDMA signaling.

CDMA:
1. Everyone transmits at the same time.
2. CDMA is a "spread spectrum" technology, allowing many users to occupy the same time and frequency allocations in a given band/space.
3. Assigns unique codes to each communication to differentiate it from others in the same spectrum.
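The CDMA point above (everyone transmits at once and only the code separates the conversations) is easiest to see in code. The block below is an added example, not material from the deck: it builds mutually orthogonal Walsh codes, spreads three constructed users' bits onto one shared channel, and recovers each user's bits by correlating with that user's code. Function names such as walsh_matrix, cdma_roundtrip and crosstalk, and the skipping of Walsh row 0, are my choices, not anything the slide specifies.

```python
"""Toy CDMA spread-spectrum round trip (added example; not from the deck).

Each user is assigned a distinct row of a Walsh-Hadamard matrix. Rows are
mutually orthogonal (dot product zero), which is what lets a receiver pull one
user's bits out of the sum of everyone's transmissions. All inputs are
constructed for illustration.
"""


def walsh_matrix(order):
    """Return a Walsh-Hadamard matrix (entries +1/-1) of size order x order.
    order must be a power of two; built by the Sylvester construction."""
    if order < 1 or order & (order - 1):
        raise ValueError("order must be a power of two")
    rows = [[1]]
    while len(rows) < order:
        rows = [r + r for r in rows] + [r + [-c for c in r] for r in rows]
    return rows


def spread(bits, code):
    """Map each bit to a symbol (+1 / -1) and multiply it by the chip code."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in code)
    return chips


def superpose(signals):
    """Channel model: all users transmit simultaneously, so chips simply add."""
    return [sum(column) for column in zip(*signals)]


def despread(channel, code):
    """Correlate the shared channel with one code, one code length per bit.
    The own-user term adds to +/- len(code); other orthogonal users sum to 0."""
    n = len(code)
    bits = []
    for start in range(0, len(channel), n):
        window = channel[start:start + n]
        correlation = sum(ch * c for ch, c in zip(window, code))
        bits.append(1 if correlation > 0 else 0)
    return bits


def assign_codes(users, order):
    """Give each user its own Walsh row. Row 0 (all ones) is skipped here so no
    user holds the trivial code; that is a design choice of this example."""
    rows = walsh_matrix(order)
    if len(users) > order - 1:
        raise ValueError("not enough orthogonal codes for this many users")
    return {user: rows[i + 1] for i, user in enumerate(users)}


def cdma_roundtrip(user_bits, order=4):
    """Spread every user's bits, sum them on one channel, and recover each
    user's bits with that user's own code. Returns {user: recovered_bits}."""
    codes = assign_codes(list(user_bits), order)
    channel = superpose([spread(bits, codes[u]) for u, bits in user_bits.items()])
    return {u: despread(channel, codes[u]) for u in user_bits}


def crosstalk(user_bits, order=4):
    """Decode the shared channel with the *second* user's code: the result is
    that user's conversation, not anyone else's. The code, not a frequency or
    time slot, is what separates CDMA conversations."""
    codes = assign_codes(list(user_bits), order)
    channel = superpose([spread(bits, codes[u]) for u, bits in user_bits.items()])
    second_user = list(user_bits)[1]
    return despread(channel, codes[second_user])


if __name__ == "__main__":
    # Constructed sample: three users, four bits each, one 4-chip code per user.
    sample = {"alice": [1, 0, 1, 1], "bob": [0, 0, 1, 0], "carol": [1, 1, 0, 0]}
    print(cdma_roundtrip(sample))
```

Note that the summed channel values are sums of +1/-1 chips (0, +/-2, +/-3 ...), so nothing about a single user is readable from the channel without a code; the orthogonality check in the test is the property that makes the separation exact rather than approximate.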

The Fundamentals on Planes

[Diagram: three planes]
Management Plane: Operations and Management Data
Control / Signaling Plane: Control Signals (Signaling Control)
Data / User / Bearer Plane: Network Traffic (Data IN / Data OUT)

Switching and Transmission Technologies Wired End

Switching and Transmission Technologies

ATM

Description: Asynchronous Transfer Mode (ATM) is a layer 2 technology which transfers data in cells of fixed size.

Functionality:
1. Packets of fixed size of 53 bytes
2. Assures no single type of data hogs the bandwidth
3. Uses the concept of Virtual Circuits

Security Challenges:
1. Eavesdropping (tapping of fiber optic cable; equipment costs about $2000)
2. Spoofing
3. Denial of Service
4. Stealing of VCs
5. Traffic analysis
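The "virtual circuit" and "stealing of VCs" points are concrete once the cell header is parsed: an ATM switch forwards on nothing but the VPI/VCI pair, so a cell with a correct HEC on somebody else's circuit is indistinguishable from legitimate traffic unless the switch checks the pair against what was provisioned. The block below is an added example, not from the deck: a parser for the 5-byte UNI header with HEC verification (CRC-8 per ITU-T I.432, which I am confident of), a cell builder, and an audit that flags cells on circuits nobody configured. The cells and the provisioning table are constructed.

```python
"""ATM UNI cell-header parser with HEC verification (added example; not from
the deck). The VPI/VCI pair is the 'virtual circuit' the slide refers to.
The audit at the bottom is the defender's counterpart to 'stealing of VCs':
only circuits the switch has provisioned are accepted. Sample cells are
constructed."""

HEC_POLY = 0x07    # CRC-8 generator x^8 + x^2 + x + 1 (ITU-T I.432)
HEC_COSET = 0x55   # I.432 XORs the CRC remainder with 01010101


def compute_hec(header4: bytes) -> int:
    """CRC-8 over the first four header bytes, then the I.432 coset XOR."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            if crc & 0x80:
                crc = ((crc << 1) ^ HEC_POLY) & 0xFF
            else:
                crc = (crc << 1) & 0xFF
    return crc ^ HEC_COSET


def build_cell(vpi: int, vci: int, pt: int = 0, clp: int = 0, gfc: int = 0) -> bytes:
    """Assemble a 53-byte UNI cell with a correct HEC and an all-zero payload."""
    word = ((gfc & 0xF) << 28) | ((vpi & 0xFF) << 20) | ((vci & 0xFFFF) << 4) | ((pt & 0x7) << 1) | (clp & 0x1)
    header4 = word.to_bytes(4, "big")
    return header4 + bytes([compute_hec(header4)]) + bytes(48)


def parse_uni_header(cell: bytes) -> dict:
    """Split the 5-byte UNI header (GFC 4, VPI 8, VCI 16, PT 3, CLP 1, HEC 8 bits)
    into fields and verify the HEC."""
    if len(cell) < 5:
        raise ValueError("ATM cell needs at least a 5-byte header")
    word = int.from_bytes(cell[:4], "big")
    return {
        "gfc": (word >> 28) & 0xF,
        "vpi": (word >> 20) & 0xFF,
        "vci": (word >> 4) & 0xFFFF,
        "pt": (word >> 1) & 0x7,
        "clp": word & 0x1,
        "hec": cell[4],
        "hec_ok": compute_hec(cell[:4]) == cell[4],
    }


IDLE_VC = (0, 0)   # VPI/VCI 0/0 is the unassigned (idle) cell, never user traffic


def audit_cells(cells, provisioned):
    """Classify each cell as corrupt-header, idle, ok (provisioned circuit) or
    unknown-vc (a VPI/VCI nobody configured, the case worth alerting on).
    provisioned is a set of (vpi, vci) pairs the switch is meant to carry."""
    verdicts = []
    for cell in cells:
        fields = parse_uni_header(cell)
        vc = (fields["vpi"], fields["vci"])
        if not fields["hec_ok"]:
            verdicts.append((vc, "corrupt-header"))
        elif vc == IDLE_VC:
            verdicts.append((vc, "idle"))
        elif vc in provisioned:
            verdicts.append((vc, "ok"))
        else:
            verdicts.append((vc, "unknown-vc"))
    return verdicts


if __name__ == "__main__":
    # Constructed traffic: one provisioned circuit, one stray circuit, one cell
    # with a flipped header bit, and a standard idle cell (header 00 00 00 01 52).
    damaged = bytearray(build_cell(1, 32))
    damaged[1] ^= 0x01
    sample = [build_cell(1, 32), build_cell(1, 33), bytes(damaged),
              bytes.fromhex("0000000152") + bytes(48)]
    print(audit_cells(sample, provisioned={(1, 32)}))
```

The HEC only protects against transmission errors; it is computed from public header bits, so anyone who can inject cells can compute it. That is why the audit keys on the provisioning table rather than on header integrity.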

Switching and Transmission Technologies

SONET/SDH

Description: Synchronous Optical Network / Synchronous Digital Hierarchy delivers high speed services over optical networks.

Functionality:
1. Guaranteed bandwidth
2. Line rates of 155 Mbps to more than 10 Gbps
3. Common circuits: OC-3 (155 Mbps) and OC-12 (622 Mbps) (OC-48 = 2048 Mbps or 2 Gbps circuit)
4. Automatic recovery capabilities and self-healing mechanisms

Security Challenges:
1. Eavesdropping
2. Denial of Service

Switching and Transmission Technologies

STM

Description: Synchronous Transport Module is a fiber optic network transmission standard.

Functionality: STM-1 has a bit rate of 1.544 Mbps and higher levels go up 4 at a time. Currently supported levels are STM-4, STM-16, STM-64 and STM-256.

Security Challenges:
1. Eavesdropping
2. Denial of Service

Switching and Transmission Technologies

T1/E1

Description: Type of circuit used for data transmission.

Functionality:
1. T1/E1 circuits are based on Time Division Multiplexing
2. T1 is primarily used in North America; E1 is primarily used in Europe
3. A T1 circuit provides 1.544 Mbps of data, consisting of 24 timeslots of 64 kbps each and an 8 kbps channel for control information
4. An E1 circuit provides 2.048 Mbps of bandwidth, consisting of 30 channels

Security Challenges:
1. Port mirroring
2. Data sniffing of un-encrypted data channels
3. Denial of Service

Telecom Technologies Wireless End

Telecom Technologies

EVDO

Description: Evolution-Data Optimized is a telecommunication standard for wireless transmission of data through radio signals.

Functionality:
1. Primarily used for broadband internet access
2. Uses multiplexing techniques including CDMA and TDM
3. An EV-DO channel has a bandwidth of 1.25 MHz
4. The back-end network is entirely packet-based

Security Challenges:
1. The EV-DO base transceiver is prone to hacking and misuse
2. WAP server and WML compromises
3. GSM technology security issues prevalent (Confirm if this is a GSM technology)

Telecom Technologies

GPRS

Description: General Packet Radio Service is a packet oriented mobile data service for GSM users.

Functionality:
1. GPRS is a best-effort service
2. 2G cellular technology combined with GPRS is sometimes described as 2.5G
3. The GPRS core network allows 2G, 3G and WCDMA mobile networks to transmit IP packets to external networks such as the internet

Security Challenges: points of attack comprise the following:
1. Mobile device and SIM card
2. Interface between mobile device and SGSN
3. GPRS backbone network
4. Packet network that connects different operators
5. Public internet

Telecom Technologies

EDGE

Description: Enhanced Data Rates for GSM Evolution is a digital mobile phone technology that allows improved data transmission rates.

Functionality:
1. Considered a pre-3G radio technology
2. Peak rates of 1 Mbps and typical rates of 400 kbit/s can be expected
3. EDGE requires no hardware or software changes to be made in GSM core networks (??)

Security Challenges:
1. GSM technology security issues prevalent

The Basics GSM and The Geographic Structure

Originally defined as a pan-European open standard for a digital cellular telephone network to support voice, data, text messaging and cross-border roaming, Global System for Mobile Communications (GSM) is now one of the world's main 2G digital wireless standards. GSM is present in more than 160 countries and, according to the GSM Association, accounts for approximately 70 percent of the total digital cellular wireless market.

GSM is a time division multiplex (TDM) system, implemented in the 800, 900, 1800 and 1900 MHz frequency bands.
In the GSM architecture, each cell is governed by a Base Station (BTS).

The Basics GSM and The Geographic Structure

Cell and Base Transceiver Station (BTS)

In the GSM architecture, every geographical area covered by the operator's network is divided into smaller parts. Each of these parts has a mobile signal tower responsible for providing connectivity between your mobile handset and the network. This small area is called a Cell, and the mobile signaling tower assigned to each Cell is called a BTS.

Location Area
A group of cells together represents a location area within the GSM network.

MSC (Mobile Switching Center) Service Area
A group of many Location Areas (LAs) is called an MSC area.

Public Land Mobile Network (PLMN)
A group of MSC areas serviced by the same operator is referred to as a PLMN area; it represents an entire set of cells served by one network operator. In case of multiple operators in a country, there will be more than one PLMN.

[Diagram: BTS -> Cell 1 -> Location Area 1 / Location Area 2 -> MSC, with AUC, EIR, HLR and VLR in the core]

The Evolution of Telecom Networks

Components of 2G Networks and Typical Challenges

[Diagram: Terminal - Access - Core - IP Services; requirement: Voice. Elements shown: GSM, BTS, GERAN, BSC, EIR, SGSN, AUC, Charging, DNS, DHCP, Internet (3GPP Layer)]

Typical challenges:
1. False BTS active attacks (reveal the IMSI and current TMSI)
2. Cipher keys and authentication data in clear (between and within networks)
3. Attacks on COMP128
4. Encryption not extended till the core (clear text transmission of user and signaling data across microwave links, e.g. GSM BTS -> BSC)
5. User authentication with a previously known cipher
6. IMEI is an unsecured identity
7. Fraud and LI not considered in the design of the 2G network
8. No flexibility to upgrade and improve security

Reference: TR 33.120

Components of 3G Networks and Typical Challenges

[Diagram: Terminal - Access - Core - IP Services; requirement: Voice + Data. Elements shown: GSM, BTS, GERAN, BSC, UMTS, UTRAN, NB, RNC, EIR, SGSN, AUC, MME, HSS, INVAS, Charging, DNS, DHCP, Application SPs, Evolved Packet System, Corporate Networks, Internet (3GPP Layer)]

Typical challenges:
1. Attacks persist primarily because of backward compatibility to 2G or GSM networks
2. Smart-phones with the capability to intercept and analyze traffic
3. Multiple IP based services enabled to facilitate user, data and management channels
4. Denial of Service:
   1. User de-registration request spoofing
   2. Location update request spoofing
   3. Camping on a false BS/MS
   4. Passive and active identity catching
5. Impersonation of the network
6. Impersonation of the user

Components of 4G Networks and Typical Challenges

[Diagram: Terminal - Access - Core - IP Services; requirement: Data Continuous. Elements shown: GSM, BTS, GERAN, BSC, UMTS, UTRAN, NB, RNC, E-UTRAN, eNB, Sec-Gw, H(e)NB, EIR, SGSN, AUC, MME, HSS, INVAS, Charging, DNS, DHCP, Application SPs, Evolved Packet System, Corporate Networks, Internet (3GPP Layer)]

Typical challenges:
1. Femto cell device compromise
2. UE tracking
3. IMSI catching
4. Forced handovers to a compromised eNB
5. Capture of system information and compromise of credentials
6. Physical attacks
7. Configuration attacks
8. Protocol attacks

Reference: TR 33.820

Components of Non-3GPP Layers

[Diagram: Terminal - Access - Core - IP Services. Elements shown: GSM, BTS, GERAN, BSC, UMTS, UTRAN, NB, RNC, E-UTRAN, eNB, Sec-Gw, H(e)NB, EIR, SGSN, AUC, MME, HSS, INVAS, Charging, DNS, DHCP, Application SPs, Evolved Packet System, Corporate Networks, Internet (3GPP Layer); Non-3GPP Trusted Layer: AAA, CDMA2000; Non-3GPP Un-trusted Layer: WIMAX-WLAN, ePDG]

Risks:
1. Authentication bypass
2. Gateway bypass
3. Route APs' connection to the 3GPP network

Break

The Terminal Layer

The Terminal Layer User Equipment (UE)

Mobile Station or User Equipment (UE)
A Mobile Station comprises two components: a mobile phone and a SIM (Subscriber Identification Module) card. While a mobile phone is a device that enables communication between two people through the telecom network, a SIM card is a smart card that stores unique subscriber information in order to identify the subscriber and permit communication.

The mobile phone consists of:
1. SIM card (described in subsequent paragraphs)
2. Receiver and transmitter, used to perform functions such as receiving and transmitting voice and data communication
3. On-board memory chips, used to store internal mobile software and other user data like contact lists, messages, pictures etc.

A SIM card contains information like the authentication key, security algorithms, etc., which are used to authenticate the subscriber. Such information is stored on the card prior to sale.

The Terminal Layer User Equipment (UE)

MSISDN (Mobile Subscriber Integrated Services Digital Network)
Generally known as the mobile phone number. It is a unique number for each mobile subscriber. It is composed of the following components: CC (Country Code) + NDC (National Destination Code) + SS (Subscriber Number). For example: +91 80 98455 65222

International Mobile Subscriber Identity (IMSI)
A unique 15 digit number associated with all GSM network mobile phone users. The IMSI is stored in the SIM and is used by the network to identify the subscriber. It is composed of the following components: IMSI = MCC (Mobile Country Code) + MNC (Mobile Network Code) + MSIN (Mobile Subscriber Identity Number). For example: 89914 50004 01062 (9419 9)
20412 71796 002QA

IMEI (International Mobile Equipment Identity)
A unique 14 to 17 digit code or serial number used to identify an individual mobile phone to a GSM network. (3561 880 4850 4945)
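The MSISDN and IMSI formats above carry no delimiters, and the MNC inside an IMSI may be 2 or 3 digits depending on the MCC, so anything that splits these identifiers (fraud analytics, roaming-steering rules, lawful-intercept targeting) has to be table driven or it will file a subscriber under the wrong operator. The block below is an added example, not from the deck: a table-driven IMSI and MSISDN splitter beside the naive 2-digit-MNC version that gets it wrong. The lookup tables and the IMSIs are constructed for illustration (a real deployment would load the ITU-T E.212 operator list); the only page value used is the MSISDN example.

```python
"""Splitting MSISDN and IMSI into their components (added example; not from
the deck). The IMSI has no separators and the MNC can be 2 or 3 digits, so a
parser must know the MNC length for each MCC. Tables and sample IMSIs below
are constructed for illustration."""

# Constructed lookup: MCC -> MNC length. MCC 310 stands in for a country that
# allocates 3-digit MNCs; 404 and 234 for 2-digit ones.
MNC_LENGTH_BY_MCC = {"310": 3, "404": 2, "234": 2}

# Constructed lookup: country code -> length of the National Destination Code.
NDC_LENGTH_BY_CC = {"91": 2, "44": 4, "1": 3}


def parse_imsi(imsi: str) -> dict:
    """Return {'mcc', 'mnc', 'msin'} or raise ValueError if malformed."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6-15 digits")
    mcc = imsi[:3]
    if mcc not in MNC_LENGTH_BY_MCC:
        raise ValueError(f"unknown MCC {mcc}: cannot decide MNC length")
    mnc_len = MNC_LENGTH_BY_MCC[mcc]
    mnc, msin = imsi[3:3 + mnc_len], imsi[3 + mnc_len:]
    if len(msin) > 10:
        raise ValueError("MSIN longer than 10 digits")
    return {"mcc": mcc, "mnc": mnc, "msin": msin}


def naive_parse_imsi(imsi: str) -> dict:
    """The common bug: always assume a 2-digit MNC. Both splits of a 15-digit
    IMSI are length-valid (3+2+10 or 3+3+9), so length alone cannot catch it."""
    return {"mcc": imsi[:3], "mnc": imsi[3:5], "msin": imsi[5:]}


def parse_msisdn(number: str) -> dict:
    """Return {'cc', 'ndc', 'sn'} from an E.164-style number such as
    '+91 80 98455 65222'. Spaces and a leading '+' are tolerated; the CC is
    matched longest-first against the table."""
    digits = number.replace(" ", "").lstrip("+")
    if not digits.isdigit():
        raise ValueError("MSISDN must be digits after an optional '+'")
    for cc_len in (3, 2, 1):
        cc = digits[:cc_len]
        if cc in NDC_LENGTH_BY_CC:
            ndc_len = NDC_LENGTH_BY_CC[cc]
            return {"cc": cc, "ndc": digits[cc_len:cc_len + ndc_len],
                    "sn": digits[cc_len + ndc_len:]}
    raise ValueError("unknown country code")


def same_home_network(imsi_a: str, imsi_b: str) -> bool:
    """Two subscribers share a home PLMN when MCC and MNC both match."""
    a, b = parse_imsi(imsi_a), parse_imsi(imsi_b)
    return (a["mcc"], a["mnc"]) == (b["mcc"], b["mnc"])


if __name__ == "__main__":
    constructed = "310123123456789"
    print(parse_imsi(constructed), "vs naive", naive_parse_imsi(constructed))
    print(parse_msisdn("+91 80 98455 65222"))
```

The practical consequence of the naive split: two constructed subscribers on MNC 123 and MNC 124 under MCC 310 both come out as MNC "12", so per-operator rate limits, roaming agreements or alerting thresholds would be applied to the wrong network.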

The Terminal Layer User Equipment (UE) States of Operation

State 1: Detached
1. The Mobile Station (MS) is not within the network coverage area.
2. This also refers to the state when the mobile phone is switched off.

[Diagram: Detached]
NOTE: the mobile station is not connected to the network, hence no process is established here.

The Terminal Layer User Equipment (UE) States of Operation


State 2: Idle
1. When you switch on the mobile station, it moves to the Idle state from the Detached state. In this state the mobile station is within the network coverage area but is not being used (e.g. making or receiving a call, data communication etc.).
2. When your mobile station is switched on, it attaches itself to the nearest BTS tower in the location area. This process of attaching the phone to the nearest BTS tower is called Registration.
3. Further, when you move from one location area to another, your mobile station on a continuous basis sends a message to the nearest BTS tower. The network updates the changing information about the subscriber, and this process is called Location Updating.

[Diagram: Detached -> Idle, with Registration and Updating]

The Terminal Layer User Equipment (UE) States of Operation

State 3: Active
1. When your mobile station is used to make or receive a call, or send or receive data, it moves to the Active state from the Idle state. In the active state, whenever you use the mobile station to either receive or make a call, the MSC finds out the Location Area (LA) in which you are present and connects you to other network elements within the Location Area. This process is called Paging.

[Diagram: Detached -> Idle -> Active, with Registration, Updating and Paging]
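The three states and the three procedures that move between them (Registration, Location Updating, Paging) form a small state machine, and the network's side of it is a VLR-like record of which location area each attached subscriber was last seen in. The block below is an added example, not from the deck: it enforces the Detached / Idle / Active transitions on the terminal side and keeps the VLR record and an audit log on the network side, so that a page for a detached subscriber has nowhere to go and an unchanged location area produces no update. Class and method names, the IMSI and the LA ids are my constructions.

```python
"""State model for the Detached / Idle / Active slides (added example; not
from the deck). The network side keeps a VLR-like table so Registration,
Location Updating and Paging show up as data the network holds, not only as
state names. All IMSIs and location-area ids are constructed."""

DETACHED, IDLE, ACTIVE = "DETACHED", "IDLE", "ACTIVE"

# Allowed transitions: (from_state, event) -> to_state. Anything else is rejected.
TRANSITIONS = {
    (DETACHED, "power_on"): IDLE,          # Registration
    (IDLE, "location_update"): IDLE,       # Location Updating
    (IDLE, "call_setup"): ACTIVE,          # Paging, then connection
    (ACTIVE, "location_update"): ACTIVE,   # LA change while in use (handover-style)
    (ACTIVE, "call_release"): IDLE,
    (IDLE, "power_off"): DETACHED,
    (ACTIVE, "power_off"): DETACHED,
}


class MobileStation:
    def __init__(self, imsi):
        self.imsi = imsi
        self.state = DETACHED
        self.location_area = None


class NetworkSide:
    """Minimal MSC/VLR view: the LA each attached IMSI was last seen in."""

    def __init__(self):
        self.vlr = {}    # imsi -> location area id
        self.log = []    # (imsi, procedure, detail) records for audit

    def _move(self, ms, event):
        key = (ms.state, event)
        if key not in TRANSITIONS:
            raise RuntimeError(f"{event!r} is not allowed in state {ms.state}")
        ms.state = TRANSITIONS[key]

    def power_on(self, ms, location_area):
        """Registration: attach in the nearest BTS's LA and create the VLR record."""
        self._move(ms, "power_on")
        ms.location_area = location_area
        self.vlr[ms.imsi] = location_area
        self.log.append((ms.imsi, "registration", location_area))

    def location_update(self, ms, location_area):
        """Location Updating: record a change only when the LA actually differs."""
        self._move(ms, "location_update")
        if location_area != ms.location_area:
            ms.location_area = location_area
            self.vlr[ms.imsi] = location_area
            self.log.append((ms.imsi, "location_update", location_area))

    def page(self, imsi):
        """Paging target: the LA the MSC believes the subscriber is in, or None
        when the IMSI has no VLR record (a detached subscriber cannot be paged)."""
        return self.vlr.get(imsi)

    def call_setup(self, ms):
        """Page the subscriber in its recorded LA, then mark it Active."""
        la = self.page(ms.imsi)
        if la is None:
            raise RuntimeError("cannot page a subscriber with no VLR record")
        self._move(ms, "call_setup")
        self.log.append((ms.imsi, "paging", la))
        return la

    def call_release(self, ms):
        self._move(ms, "call_release")

    def power_off(self, ms):
        """Detach: drop the VLR record so later pages have nowhere to go."""
        self._move(ms, "power_off")
        self.vlr.pop(ms.imsi, None)
        ms.location_area = None
        self.log.append((ms.imsi, "detach", None))


if __name__ == "__main__":
    net, ms = NetworkSide(), MobileStation("001010123456789")  # constructed test-PLMN IMSI
    net.power_on(ms, "LA-1")
    net.location_update(ms, "LA-2")
    print(net.call_setup(ms), ms.state, net.log)
```

The audit log is the security-relevant part: the 3G slide later lists "location update request spoofing" and "user de-registration request spoofing", and both show up here as unexpected location_update or detach records for an IMSI, which is the data a detection rule would key on.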

The Access Layer

Telecom Components (2G/GSM/CDMA)

BTS: Base Transceiver Station

The Base Transceiver Station (BTS) is the transmit and receive link for a mobile communication system. It's the device that actually communicates with the cell phone. The BTS connects to a BSC and communicates with it over the Abis interface.

Functionality:
1. Radio reception and transmission
2. Signal processing
3. Signal link management
4. Synchronization
5. Encodes, encrypts, multiplexes, modulates and feeds the RF signal to the antenna

Security Challenges:
1. Physical tampering with MW (microwave) equipment
2. Fake BTS
3. IMSI catcher
4. Over-the-air cloning

[Diagram: BTS - BSC]

GPS War Driving Nano BTS in a Nano


Telecom Components (2G/GSM/CDMA)

BSC: Base Station Controller

The BSC is used to control a group of BTSs. It provides the connection between the BTS and the other network elements that are needed to complete the call.

Functionality:
1. Handovers of calls from one BTS to another
2. Passes your call on to the Mobile Switching Center (MSC)
3. Manages radio resources for the BTS
4. Assigns frequency and timeslots to the MS

Security Challenges:
1. OpenBSC software
2. Cipher keys and authentication data in clear (between and within networks)
3. Attacks on COMP128
4. Encryption not extended till the core (clear text transmission of user and signaling data across microwave links, e.g. GSM BTS -> BSC)

[Diagram: BTS - BSC]

Telecom Components (3G/UMTS)

Node B

A UMTS (3G) mobile connects to the Node B to transmit or receive a voice call or carry out a data-mode connection.

Functionality:
1. Modulation and spreading
2. RF processing
3. Inner-loop power control
4. Rate matching
5. Macro diversity combining/splitting inside the Node B

Security Challenges:
1. Unknown

[Diagram: Node B - RNC]

Telecom Components (3G/UMTS)

RNC: Radio Network Controller

Comparable to the Base Station Controller in GSM. It is responsible for L2 processing of user data and Radio Resource Management.

Functionality:
1. Closed loop power control
2. Handover control
3. Admission control
4. Code allocation
5. Packet scheduling
6. Macro diversity combining/splitting over a number of Node Bs

Security Challenges:
1. Unknown

[Diagram: Node B - RNC]

Telecom Components (4G/LTE)

eNode B

The eNode B is the base station in the LTE/SAE network.

Functionality:
1. Radio resource management
2. IP header compression and encryption of the user data stream
3. Selection of an MME at UE attachment
4. Routing of user plane data towards the SAE gateway
5. Measurement and measurement reporting configuration for mobility and scheduling

Security Challenges:
1. Placing a large number of eNodeBs in one large L2 domain exposes them to Distributed Denial of Service (DDoS) attacks.
2. IP addresses of neighboring cell sites can be extracted from Automatic Neighbor Relation (ANR) messages and used to build dynamic ACLs that only allow communication between defined neighboring cell sites.
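The second challenge above doubles as a mitigation: if ANR already tells each eNodeB who its neighbours are, that relation table can drive an allow-list so that only neighbour-to-neighbour traffic is permitted inside the shared L2 domain, which is the main lever against the flooding problem in the first point. The block below is an added example, not vendor or 3GPP code: it derives an allow-list of IP pairs from a constructed ANR-style neighbour table, insists that both sides assert the relation before allowing it (my policy choice, so that a stale or one-sided entry is reported rather than silently trusted), and audits constructed flow records against the result. All eNB ids and addresses are constructed.

```python
"""Neighbour-based allow-list for eNodeB-to-eNodeB traffic (added example;
not from the deck or any vendor). Builds an ACL from an ANR-derived neighbour
table and audits flow records against it. All ids and addresses are
constructed."""

# Constructed ANR-derived table: eNB id -> (transport IP, set of neighbour eNB ids)
NEIGHBOR_TABLE = {
    "enb-1": ("10.0.1.1", {"enb-2", "enb-3"}),
    "enb-2": ("10.0.1.2", {"enb-1"}),
    "enb-3": ("10.0.1.3", {"enb-1", "enb-4"}),   # claims enb-4, but enb-4 does not list enb-3
    "enb-4": ("10.0.1.4", set()),
}


def build_acl(table):
    """Return (allowed_pairs, one_sided).

    allowed_pairs: set of unordered IP pairs (frozensets) that BOTH eNBs assert.
    one_sided: relations only one side holds, reported for review because a
    neighbour entry nobody confirms may be stale or injected. Requiring mutual
    agreement is a policy choice of this example, not a 3GPP rule."""
    allowed, one_sided = set(), []
    for enb, (ip, neighbors) in table.items():
        for peer in sorted(neighbors):
            if peer not in table:
                one_sided.append((enb, peer, "unknown peer"))
                continue
            peer_ip, peer_neighbors = table[peer]
            if enb in peer_neighbors:
                allowed.add(frozenset({ip, peer_ip}))
            else:
                one_sided.append((enb, peer, "not mutual"))
    return allowed, one_sided


def flow_allowed(acl, src_ip, dst_ip):
    """Direction does not matter for a neighbour relation, hence the frozenset."""
    return frozenset({src_ip, dst_ip}) in acl


def audit_flows(table, flows):
    """flows: iterable of (src_ip, dst_ip). Returns [(src, dst, verdict), ...]
    where any pair outside the mutual-neighbour ACL is denied."""
    acl, _ = build_acl(table)
    return [(s, d, "allow" if flow_allowed(acl, s, d) else "deny:not-a-neighbour")
            for s, d in flows]


if __name__ == "__main__":
    # Constructed flow records as a switch or firewall log might summarise them.
    sample_flows = [("10.0.1.1", "10.0.1.2"), ("10.0.1.2", "10.0.1.1"),
                    ("10.0.1.1", "10.0.1.4"), ("10.0.1.3", "10.0.1.4")]
    acl, review = build_acl(NEIGHBOR_TABLE)
    print(sorted(sorted(p) for p in acl), review)
    print(audit_flows(NEIGHBOR_TABLE, sample_flows))
```

In a live deployment the table would be refreshed from the ANR-reported neighbour list, so the ACL tracks cell additions automatically; the one_sided report is where an operator would look for a relation that appeared on only one eNodeB.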

The Core Layer

CDMA Network Architecture


Core Components:
HA - Locates the place where the Mobile Node opens its account.
MSC - Authenticates the subscriber to establish the call.
GMSC - Switch which interrogates the subscriber's HLR to obtain routing information (transit calls).
HLR - Centralized database that stores and manages all subscriber related information required to set up calls.
VLR - Database containing subscriber information of all subscribers currently located in the area served by the MSC.
AuC - Authenticates each SIM card that attempts to connect to the network.
EIR - Optional database containing mobile equipment identity information.
PDSN - Implements the switching of packet data services of mobile subscribers.

[Sidebar: HA, MSC/GMSC, MME, HLR/VLR, AUC, EIR, PDSN, SGSN/GGSN, SGW, PGW, PCRF; CDMA highlighted]

2G and 3G Network Architecture


Core Components:
MSC/MGW - Performs the call control function and authenticates the subscriber to establish the call.
GMSC - Switch which interrogates the subscriber's HLR to obtain routing information (transit calls).
HLR - Centralized database that stores and manages all subscriber related information required to set up calls.
VLR - Database containing subscriber information of all subscribers currently located in the area served by the MSC.
AuC - Authenticates each SIM card that attempts to connect to the network.
EIR - Optional database containing mobile equipment identity information.
SGSN - Delivery of data packets from and to the mobile stations within its geographical service area.
GGSN - Interworking between the GPRS network and external packet switched networks.

[Sidebar: MSC/MGW/GMSC, MME, HLR/VLR, AUC, EIR, PDSN, SGSN/GGSN, SGW, PGW, PCRF; GSM highlighted]

Core Components (3G): the same component definitions as on the 2G slide above (MSC/MGW, GMSC, HLR, VLR, AuC, EIR, SGSN, GGSN).

[Sidebar: MSC/MGW/GMSC, MME, HLR/VLR, AUC, EIR, PDSN, SGSN/GGSN, SGW, PGW, PCRF; 3G highlighted]

4G / LTE Network Architecture

Core Components:
MME - Manages the subscriber session control plane functionality.
HSS - The concatenation of the HLR and AuC. The HLR part of the HSS is in charge of storing and updating, when necessary, the database containing all the user subscription information. The AuC part of the HSS is in charge of generating security information from user identity keys. This security information is provided to the HLR and further communicated to other entities in the network.
SGW - Receives and routes all UE packet data and serves as a mobility anchor while UEs transition between eNodeBs.
PGW - Routes data packets from the SGW to external services.
PCRF - Server that manages the service policy and sends QoS setting information for each user session and accounting rule information.

[Sidebar: MSC/MGW, MME, HSS, AUC, EIR, PDSN, SGSN/GGSN, SGW, PGW, PCRF; 4G highlighted]

Telecom Components

MSC Master Station Controller (CDMA/2G/3G)

The basic function of an MSC is to authenticate the subscriber information and establish the call.

Functionality (checks performed):
1. Whether you are an authentic subscriber on the network;
2. Whether you are a prepaid or postpaid subscriber;
3. Whether you are an active or inactive subscriber; and
4. Whether you are authorized to use services like international calls, GPRS etc.
5. Call setup and basic switching; manages communication between GSM and core networks

Security Challenges:
1. It is strongly recommended that access to MSCs is restricted, both in terms of physical and logical access. It is also recommended that their physical location is not made public.
2. When co-located, several MSCs should be independent (i.e. separated power, transmission) in order to limit the impact of accidents on one particular MSC (e.g. fire).

[Sidebar: MSC, HLR/VLR/HSS, EIR, AUC, HA, PDSN]

Telecom Components

HLR / VLR/HSS Home / Visitor Location Register (CDMA/2G/3G)

MSC HLR EIR AUC

It is a centralized database that stores and manages all subscriber-related information required to set up calls. It acts as a personal store for subscriber information until the subscription is cancelled.
Functionality:
1. Subscriber's supplementary services
2. Subscriber's identity
3. Subscriber's location information (MSC service area)
4. Subscriber's authentication information

Security Challenges:
1. HLR/VLR database compromise
2. Wrong entry flushed into the database
3. Access control to HLRs should be based on user profiles, using at least a unique username and a password as authentication data
4. Remote access to the HLR should be protected from eavesdropping, source and destination spoofing and session hijacking. This is achieved by limiting the range of protocols used for communication with the HLR.

The VLR is a database containing subscriber information for all subscribers currently located in the area served by the MSC. The most important information is the current location of the subscriber. Whenever an MSC detects a new subscriber in its network, in addition to creating a new record in the VLR, it also updates the HLR of the mobile subscriber, apprising it of the new location.


Telecom Components

EIR Equipment Identity Register (CDMA/2G/3G)

EIR is an optional database containing mobile equipment identity information that helps to block calls from stolen mobile stations.

Functionality:
1. White list: list of IMEIs that are valid and authentic.
2. Black list: list of IMEIs that are blocked.
3. Grey list: list of IMEIs which are under monitoring.

Security Challenges:
1. EIR database compromise
2. Wrong entry flushed into the database


Telecom Components

AuC Authentication Center (CDMA/2G/3G)

AuC is a network element which is used to authenticate each SIM card that attempts to connect to the network.
Functionality:
1. It provides the information that allows mobile phones to access the network.
2. AuC generally performs its functions when you switch on your mobile station.
3. AuC is responsible for the generation of the parameters used for the privacy and the ciphering of the radio link.
4. To ensure the privacy of the mobile subscriber, a Temporary Mobile Subscriber Identity (TMSI) is assigned for the duration that the subscriber is under control of the specific Mobile Switching Centre (MSC) associated with the AuC.

Security Challenges:
1. The number of employees having physical and logical access to the AuC should be limited; for this reason it is reasonable to use an AuC which is not integrated with the HLR.
2. Operators should carefully consider the need for encryption of AuC data. Some vendors use default encryption.
3. That encryption is questionable since the algorithm is proprietary and confidential.
4. If it is decided to use an add-on ciphering facility, attention should be paid to cryptographic key management.
5. Authentication triplets can be obtained from the AuC by masquerading as another system entity (namely the HLR). The threat is present when HLR and AuC are physically separated.

Telecom Components (CDMA)

HA Home Agent

The Home Agent (HA) is located in the network where the Mobile Node (MN) opens its account; it receives the registration information from the MN.
Functionality:
1. Broadcast the reachability information of the MN.
2. Set up the tunnel between FA and HA.
3. Transfer data from other hosts to the MN via the tunnel.

Telecom Components (CDMA)

PDSN Packet Data Service Node

The PDSN implements the switching of packet data services of mobile subscribers.
Functionality:
1. Provides the interface between the radio network and the packet data network

Telecom Components

SGSN/GGSN Serving/Gateway GPRS Support Node (2G/3G)

The Gateway GPRS Support Node (GGSN) is a main component of the GPRS network. It is responsible for the interworking between the GPRS network and external packet switched networks. A Serving GPRS Support Node (SGSN) is responsible for the delivery of data packets from and to the mobile stations within its geographical service area.

Functionality:
1. The GGSN maintains the routing necessary to tunnel the Protocol Data Units (PDUs) to the SGSN that serves a particular MS.
2. SGSN tasks include packet routing and transfer, mobility management (attach/detach and location management), logical link management, and authentication and charging functions.


Telecom Components (4G/LTE)

MME Mobile Management Entity

MME manages the subscriber session control plane functionality, which uses the S1-C (C is for Control Plane) interface to communicate through the eNodeB to the UE.
Functionality:
1. Authentication
2. Authorization
3. Ciphering
4. Security key management

Telecom Components (4G/LTE)

SGW Serving Gateway

Receives and routes all UE packet data and serves as a mobility anchor while UEs transition between eNodeBs. It uses the S5 interface to route data packets to a PDN Gateway within the same core network and adheres to the S8 interface specifications when routing to a different network's PDN Gateway, such as in the case of a roaming UE.
Functionality:
1. It is used to process the user-plane data.
2. It handles the tasks related to mobility management inside LTE and between other 3GPP radio technologies.

Telecom Components (4G/LTE)

PGW PDN Gateway

Routes data packets from the SGW to external services such as the Internet, IP Multimedia Systems (IMS), or PSTN.
Functionality:
1. Performs packet filtering.
2. Policy enforcement and lawful interception.
3. Charging support, and packet screening.

Telecom Components (4G/LTE)

PCRF Policy and Charging Rules Function

Manages the service policy and sends QoS setting information for each user session and accounting rule information.
Functionality:
1. The Policy Decision Function (PDF): the network entity where the policy decisions are made. As the IMS session is being set up, SIP signaling containing the media requirements is exchanged between the terminal and the P-CSCF. At some point in the session establishment process, the PDF receives the requirements from the P-CSCF and makes decisions based on network operator rules, such as allowing or rejecting the media request, using a new or existing PDP context for an incoming media request, and checking the allocation of new resources against the maximum authorized.
2. The Charging Rules Function (CRF): provides operator-defined charging rules applicable to each service data flow. Selects the relevant charging rules based on information provided by the P-CSCF, such as Application Identifier, Type of Stream (audio, video, etc.), Application Data Rate, etc.

Call Routing

Call Routing-1 (diagram)
Routing scopes shown: Local Area Routing, Multi Local Area Routing, Multi Operator Routing (to Operator B)
Infrastructure groups shown: BSS Infrastructure, Support Infrastructure, Data Center Infrastructure, Business Infrastructure
Elements shown: Mobile Phone, Modem, Amplifier, BTS, BSC, MSC, GMSC, PSTN, Internet, Network Switch, IP Phone, DHCP, DNS, WAP, Mail, Content, Printing, Mediation, Rating/Billing, Data warehouse, MIS, EIR, AUC, HLR, VLR
Legend: EIR Equipment Identity Register; AUC Authentication Center; HLR Home Location Register; VLR Visited Location Register; DHCP Dynamic Host Control Protocol; DNS Domain Name System; MIS Management Information System; BTS Base Transceiver Station; BSC Base Station Controller; BSS Base Station Subsystem; MSC Mobile Switching Center; GMSC Gateway Mobile Switching Center; PSTN Public Switched Telephone Network

Call Routing-2 (flow diagram: Subscriber A calling Subscriber B)
1. Subscriber (A Number): SIM card authentication at the time of switch on (AuC)
2. EIR: check if the equipment used is approved
3. BTS: link with BSC
4. BSC: link with MSC (1)
5. MSC (1): if no profile of the subscriber exists in the VLR then download it from the HLR; check with the HLR to determine the MSC of the B Number
6. MSC (1): transfer call to MSC (2)
7. MSC (2): communicate with BSC
8. BSC: connect to BTS based on the location of the subscriber
9. BTS: contact Subscriber (B Number)

Break

Telecom Architecture and Threats

The Architecture (Security and Impact)

Diagram: Base Station Subsystem (BTS, BTS, BTS; BSC, BSC), Switching System (MSC 1, MSC 2, Gateway MSC; EIR, AUC, HLR, VLR) and Operations Support System (OSS).

Base Station Subsystem (BSS): First subsystem of the GSM Architecture, responsible for wireless communication between your mobile phone and the network.

Switching System (SS): Second subsystem of the GSM Architecture, responsible for connecting and disconnecting your calls and keeping track of the duration of your calls.

Operations Support System (OSS): Third subsystem of the GSM Architecture, responsible for operations and maintenance of the various network elements.

The Fundamentals on Planes and Security Layers

Security Layers: Applications Security, Services Security, Infrastructure Security
Security Planes: End User Security, Control/Signaling Security, Management Security
8 Security Dimensions: Access Management, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
Threats: Destruction, Corruption, Removal, Disclosure, Interruption
Vulnerabilities can exist in each layer and plane; the diagram relates vulnerabilities, threats and attacks across them.

GSM Security Challenges

Only provides access security: communications and signaling traffic in the fixed network are not protected

Lawful interception only considered as an afterthought

Lack of user visibility (e.g. the user doesn't know if the call is encrypted or not)

Does not address active attacks, whereby some network elements (e.g. BTS: Base Station)

Terminal identity cannot be trusted

Only as secure as the fixed networks to which they connect

Difficult to upgrade the cryptographic mechanisms


2G(GSM) Security v/s 3G(UMTS) Security

Security Enhancements in 3G
Fake Base Station: A change was made to defeat the false base station attack. The security mechanisms include a sequence number that ensures that the mobile can identify the network.
Stronger Ciphers: Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.
Security on Device: Mechanisms were included to support security within and between networks.
Security from Outside to Inside: Security is based within the switch rather than the base station as in GSM. Therefore links are protected between the base station and switch.
Integrity: Integrity mechanisms for the terminal identity (IMEI) have been designed in from the start, rather than being introduced late as in GSM.
What good are these security enhancements when operators today run insecure 2G and security-enhanced 3G networks in parallel? Result: Weakened Network Architecture.
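The AuC's generation of radio-link authentication and ciphering parameters (AuC slide) and the 3G sequence-number change described on this slide, as an added example that is not code from the original deck: the proprietary A3/A8 and MILENAGE functions are replaced by HMAC-SHA256 stand-ins (an assumption), and the USIM check shows why a forged or replayed challenge is rejected in 3G while a 2G SIM answers any RAND.

```python
"""GSM (2G) triplet authentication next to UMTS (3G) AKA with AUTN.

Added example, not code from the original deck. The real A3/A8 (e.g. COMP128)
and MILENAGE f1..f5 functions are replaced by keyed HMAC-SHA256 stand-ins
(an assumption); only the shape of the exchange follows the standards.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _prf(ki: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in secret function: first n bytes of HMAC-SHA256(Ki, label || parts)."""
    return hmac.new(ki, label + b"".join(parts), hashlib.sha256).digest()[:n]


# ---- 2G: the AuC hands the MSC/VLR triplets (RAND, SRES, Kc) ----
def auc_triplet(ki: bytes) -> tuple:
    """Fresh RAND, expected SRES (A3 stand-in) and 64-bit cipher key Kc (A8 stand-in)."""
    rand = os.urandom(16)
    return rand, _prf(ki, b"A3", rand, n=4), _prf(ki, b"A8", rand, n=8)


def sim_answer(ki: bytes, rand: bytes) -> tuple:
    """SIM side. Nothing in RAND lets the SIM check who sent it, so it answers
    any challenge: this is the false base station weakness of GSM."""
    return _prf(ki, b"A3", rand, n=4), _prf(ki, b"A8", rand, n=8)


# ---- 3G: quintets carry AUTN = (SQN xor AK) || AMF || MAC so the USIM can verify the network ----
@dataclass
class Quintet:
    rand: bytes
    xres: bytes
    ck: bytes    # 128-bit cipher key
    ik: bytes    # 128-bit integrity key
    autn: bytes


class AuC3G:
    def __init__(self, ki: bytes) -> None:
        self.ki, self.sqn = ki, 0

    def quintet(self) -> Quintet:
        self.sqn += 1                                    # fresh sequence number per vector
        rand, sqn = os.urandom(16), self.sqn.to_bytes(6, "big")
        amf = b"\x80\x00"
        mac = _prf(self.ki, b"f1", sqn, rand, amf, n=8)  # proves knowledge of Ki and SQN
        ak = _prf(self.ki, b"f5", rand, n=6)             # anonymity key hides SQN on the air
        autn = bytes(s ^ a for s, a in zip(sqn, ak)) + amf + mac
        return Quintet(rand, _prf(self.ki, b"f2", rand, n=8),
                       _prf(self.ki, b"f3", rand, n=16),
                       _prf(self.ki, b"f4", rand, n=16), autn)


class USIM3G:
    def __init__(self, ki: bytes) -> None:
        self.ki, self.sqn_ms = ki, 0                     # highest SQN accepted so far

    def authenticate(self, rand: bytes, autn: bytes) -> bytes:
        """Return RES only if AUTN proves a genuine, fresh network challenge."""
        ak = _prf(self.ki, b"f5", rand, n=6)
        sqn = bytes(c ^ a for c, a in zip(autn[:6], ak))
        amf, mac = autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, _prf(self.ki, b"f1", sqn, rand, amf, n=8)):
            raise ValueError("MAC failure: challenge not from a network holding Ki")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_ms:
            raise ValueError("synchronisation failure: replayed or stale challenge")
        self.sqn_ms = sqn_int
        return _prf(self.ki, b"f2", rand, n=8)           # RES, compared with XRES by the VLR/SGSN


def _rejected(usim: USIM3G, rand: bytes, autn: bytes) -> bool:
    try:
        usim.authenticate(rand, autn)
        return False
    except ValueError:
        return True


def demo() -> dict:
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test Ki
    rand, sres, kc = auc_triplet(ki)
    auc, usim = AuC3G(ki), USIM3G(ki)
    q = auc.quintet()
    q2 = auc.quintet()
    return {
        "gsm_ok": sim_answer(ki, rand)[0] == sres,
        "gsm_answers_unknown_rand": len(sim_answer(ki, b"\x00" * 16)[0]) == 4,
        "kc_bits": len(kc) * 8,
        "umts_ok": usim.authenticate(q.rand, q.autn) == q.xres,
        "ck_bits": len(q.ck) * 8,
        "replay_rejected": _rejected(usim, q.rand, q.autn),          # same vector twice
        "forged_rejected": _rejected(usim, os.urandom(16), os.urandom(16)),
        "next_vector_ok": usim.authenticate(q2.rand, q2.autn) == q2.xres,
    }
```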

Emerging Threats and Classification- Telecom

Telecom Emerging Threats:
T1 Flooding an interface
T2 Crashing a network element
T3 Eavesdropping
T4 Unauthorized data access
T5 Traffic modification
T6 Data modification on a network element
T7 Compromise via implementation flaw
T8 Compromise via management interface
T9 Malicious insider
T10 Theft of service

Impact categories: Availability, Confidentiality, Integrity, Loss of Control, Loss of Service

Source: Attack analysis and Security concepts for MObile Network infrastructures supported by collaborative Information exchAnge (AsmonI)

Emerging Threats and Classification- Telecom

Ranking of Network Elements (Critical)

Ranking of Threats

Ranking of Network Elements (Less Critical)


Understanding the Telecom Stack and Protocols

Intelligent Network (IN)

Description: The Intelligent Network (IN) is the standard network architecture specified in the ITU-T Q.1200 series recommendations. It is intended for fixed as well as mobile telecom networks. IN is supported by the Signaling System #7 (SS7) protocol between telephone network switching centers and other network nodes owned by network operators.
Functionality:
1. Allows operators to differentiate themselves by providing value-added services.
2. Intelligent Network nodes: a modular and more secure network.
3. The initial use of IN technology was for number translation services.

The Stack: SS7

Description: Signaling System No. 7 (SS7) is a set of telephony signaling protocols which are used to set up most of the world's public switched telephone network telephone calls. (The Link)
Functionality: The main purpose is to set up and tear down telephone calls. Other uses include number translation, local number portability, prepaid billing mechanisms, short message service (SMS), and a variety of other mass market services.
Security Challenges:
1. Internet-PTN convergence allows attackers inroads via entities with poorly secured SS7 networks.
2. ISDN connections are also points of unauthorized entry.
3. Advanced services like call forwarding have intrinsic vulnerabilities: attackers can create havoc by modifying SCPs containing forwarding destinations.
4. Anyone capable of generating SS7 messages and introducing them into a network can disrupt PTN services.

The Stack: CCS7

Description: In Common Channel Signaling (CCS) there is a common signaling channel which carries all the signaling information to be exchanged during communication. All other channels can be used for speech or data as required. (The Link Information)
Functionality:
1. Higher signaling capacity.
2. A larger number of speech/data channels, as there is only one signaling channel.
3. Central offices can exchange information not related to speech/data between themselves, e.g. subscriber data.
4. Various high-end features like roaming are possible by using CCS7.
Security Challenges:
1. DoS attack
2. Flooding with SCTP chunks
3. MitM attack: eavesdropping
4. MitM attack: unrecognized data alteration

Diagram: signalling points SP (SPC=100), STP (SPC=200), STP (SPC=300), SRP (SPC=400) and SEP (SPC=500).

SIGTRAN and Protocols

SIGTRAN Description: Derived from "Signaling Transport". Provides reliable datagram service and user layer adaptation for Signaling System 7 (SS7) and ISDN communications protocols. (If SS7 is IP, SIGTRAN is IPv4.)
Functionality: SIGTRAN uses an IP transport protocol called Stream Control Transmission Protocol (SCTP), which is used to carry PSTN signalling over IP. (And SCTP is something like HTTP.)

Security Challenges:
1. The SCTPscan tool (from BackTrack) can be used to scan for services.
2. IAM attack: capacity DoS, similar to SIP flooding.
3. REL attack: targeted call release, terminating a user's conversation.
4. SRI attack: tracking of users.
5. HLR attack: fake location update, which redirects calls to another country until the phone reboots.
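The four SIGTRAN attack patterns listed above turned into defender-side screening rules run over a signalling event log, as an added example that is not code from the deck or from any product it mentions; the log line format, the home point codes (100/200/300), the thresholds and the IMSIs are constructed assumptions.

```python
"""Defender-side screening for the SIGTRAN attack patterns named on the slide:
IAM capacity flood, targeted REL, SRI-based tracking and fake location update.

Added example; not code from the deck or from any product it mentions.
The event log format, point codes and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

HOME_PCS = {100, 200, 300}   # our own signalling point codes (assumption)
IAM_PER_SEC = 5              # IAMs per second from one origin before we call it a flood
SRI_PER_WINDOW = 3           # routing queries for one IMSI from one origin inside WINDOW
WINDOW = 10.0                # seconds
MIN_TRAVEL_SECS = 2 * 3600   # a country change faster than this is implausible

IAM_FLOOD, TARGETED_REL, SRI_TRACKING, FAKE_UL = (
    "IAM flood", "targeted call release", "SRI tracking", "implausible location update")


@dataclass
class SigEvent:
    ts: float      # seconds since capture start
    opc: int       # originating point code
    msg: str       # IAM, REL, SRI or UL (MAP updateLocation)
    imsi: str      # subscriber the message concerns
    country: str   # country of the originating network


def parse_line(line: str) -> SigEvent:
    """Constructed line format: ts|opc|msg|imsi|country."""
    ts, opc, msg, imsi, country = line.strip().split("|")
    return SigEvent(float(ts), int(opc), msg, imsi, country)


def _trim(q: deque, now: float, span: float) -> None:
    while q and now - q[0] > span:
        q.popleft()


def screen(events) -> list:
    """Return (ts, alert_kind, opc) tuples, in event order."""
    alerts = []
    iam_times = defaultdict(deque)   # opc -> recent IAM timestamps
    sri_times = defaultdict(deque)   # (opc, imsi) -> recent SRI timestamps
    call_owner = {}                  # imsi -> opc that set up its current call
    last_seen = {}                   # imsi -> (country, ts) of last accepted UL
    for ev in events:
        external = ev.opc not in HOME_PCS
        if ev.msg == "IAM":
            q = iam_times[ev.opc]
            q.append(ev.ts)
            _trim(q, ev.ts, 1.0)
            if len(q) > IAM_PER_SEC:
                alerts.append((ev.ts, IAM_FLOOD, ev.opc))
            call_owner[ev.imsi] = ev.opc
        elif ev.msg == "REL":
            # A release from an outside origin for a call it did not set up
            if external and call_owner.get(ev.imsi, ev.opc) != ev.opc:
                alerts.append((ev.ts, TARGETED_REL, ev.opc))
            else:
                call_owner.pop(ev.imsi, None)
        elif ev.msg == "SRI" and external:
            q = sri_times[(ev.opc, ev.imsi)]
            q.append(ev.ts)
            _trim(q, ev.ts, WINDOW)
            if len(q) >= SRI_PER_WINDOW:
                alerts.append((ev.ts, SRI_TRACKING, ev.opc))
        elif ev.msg == "UL":
            prev = last_seen.get(ev.imsi)
            if (external and prev and prev[0] != ev.country
                    and ev.ts - prev[1] < MIN_TRAVEL_SECS):
                alerts.append((ev.ts, FAKE_UL, ev.opc))   # new location not accepted
            else:
                last_seen[ev.imsi] = (ev.country, ev.ts)
    return alerts


# Constructed sample log: one home subscriber, a hostile external point code 700
# and a flooding external point code 500.
SAMPLE_LOG = """\
0.0|100|UL|404010000000001|IN
5.0|100|IAM|404010000000001|IN
6.0|700|SRI|404010000000001|XX
6.5|700|SRI|404010000000001|XX
7.0|700|SRI|404010000000001|XX
8.0|700|REL|404010000000001|XX
9.0|700|UL|404010000000001|XX
10.0|500|IAM|404010000000002|XX
10.1|500|IAM|404010000000003|XX
10.2|500|IAM|404010000000004|XX
10.3|500|IAM|404010000000005|XX
10.4|500|IAM|404010000000006|XX
10.5|500|IAM|404010000000007|XX
"""


def screen_sample() -> list:
    return screen(parse_line(l) for l in SAMPLE_LOG.splitlines() if l)


if __name__ == "__main__":
    for ts, kind, opc in screen_sample():
        print(f"t={ts:5.1f}s  {kind:28s} from point code {opc}")
```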

SIGTRAN and Protocols

MEGACO Description: Media Gateway Control Protocol (H.248) is used for controlling media gateways in Internet Protocol and PSTN networks.

Functionality: Although H.248 performs the same function as MGCP, it uses different commands and processes and supports a broad range of networks.

Security Challenges: A malformed request to port 2944/tcp, used by MEGACO, is known to cause denial of service.

SIGTRAN and Protocols

MGCP Description: Media Gateway Control Protocol is a signaling and call control protocol used within VoIP that interoperates with the PSTN.
Functionality:
1. Call control via a Call Agent
2. Uses Session Description Protocol (SDP) for specifying and negotiating the media streams
3. Typical architecture consists of a Call Agent and a Media Gateway.

Security Challenges: MGCP Call Agents (CAs) are susceptible to DoS attacks and malformed packets

SIGTRAN and Protocols

RTP Description: Real-time Transport Protocol (RTP) defines a standardized packet format for delivering audio and video over IP networks.
Functionality:
1. Extensively used in communication and entertainment systems such as telephony, video conference applications etc.
2. RTP is used in conjunction with RTCP.
3. RTP is originated and received on even port numbers and the associated RTCP communication uses the next higher odd port number.

Security Challenges:
1. Call tampering
2. Man-in-the-middle attacks
3. DoS attacks

Protocols

MTP

Description: Media Termination Point. MTPs bridge the media streams between two connections.

Functionality:
1. Passes streaming data to the other connection
2. MTP transcodes a-law to mu-law (and vice versa) and adjusts packet sizes as required by the two connections
3. MTPs extend supplementary services, such as call hold, call transfer, call park, and conferencing

Security Challenges:


Protocols

SCCP

Description: Skinny Client Control Protocol (SCCP) is a lightweight protocol for session signaling with Cisco Call Manager.
Functionality: Primarily used for communication between IP Phones and Call Manager. SCCP clients include the Cisco 7900 series of IP Phones, the Cisco IP Communicator soft phone, the 802.11b wireless Cisco 7920 and the Cisco Unity voicemail server.
Security Challenges:
1. Eavesdropping
2. Man-in-the-middle attacks
3. ARP spoofing attacks
4. Caller ID spoofing
5. SIP registration hacking

Protocols

ISUP

Description: ISDN User Part (ISUP) is the part of SS7 which is used to set up calls in Public Switched Telephone Networks.
Functionality: Common messages transmitted in ISUP are Initial Address Message (IAM), Subsequent Address Message (SAM), Address Complete Message (ACM), Answer Message (ANM), Release (REL) and Release Complete (RLC).
Security Challenges:
1. Eavesdropping
2. Man-in-the-middle attacks
3. ARP spoofing attacks
4. Caller ID spoofing
5. SIP registration hacking

Protocols

TCAP

Description: Transaction Capabilities Application Part (TCAP) is a protocol in the SS7 suite.
Functionality:
1. Supports non-circuit related information exchange between signaling points using the Signalling Connection Control Part (SCCP) connectionless service
2. TCAP also supports the ability to invoke features in another remote network switch
Security Challenges:

Protocols

INAP

Description: The Intelligent Network Application Part (INAP) is a signalling protocol used in the intelligent network architecture.
Functionality:
1. Part of the SS7 protocol suite
2. Typically layered on top of TCAP
3. Provides the logic for controlling telecommunication services, migrated from traditional switching points to computer-based service nodes
Security Challenges:

Protocols

ISDN

Description: Integrated Services Digital Network (ISDN) is a communication standard for simultaneous transmission of voice, data and other network services over traditional circuits.
Functionality:
1. Circuit switched telephone network
2. Comprises BRI and PRI: BRI is 2B + 1D (192 Kbps); PRI is T1 (23B + 1D) or E1 (30B + 1D)
Security Challenges:

Protocols

MAP

Description: Mobile Application Protocol (MAP) is an SS7 protocol which provides an application layer for the various nodes in GSM and UMTS.
Functionality: The primary facilities provided by MAP are:
1. Mobility Services
2. Operation and Maintenance
3. Call Handling
4. Supplementary Services
5. Short Message Service
6. Packet Data Protocol (PDP) services for GPRS
7. Location Service Management Services
Security Challenges:

Protocol Analyzers and Tools

Protocol Analyzers

Wireshark
Description: Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network.
Functionality: Wireshark has a rich feature set which includes the following:
1. Deep inspection
2. Live capture and offline analysis
3. Standard three-pane packet browser
4. Runs on multiple platforms
5. GUI interface
6. Rich VoIP analysis
7. Support for different capture file formats

Protocol Analyzers

Tektronix K15-2
Description: Tektronix Communications brings the K-15 Classic, a cross-technology, high port density analyzer which excels in multi-technology protocol tests and supports a broad range of 2G, 2.5G and 3G services troubleshooting applications.
Functionality:
1. Easy: troubleshooting support
2. Fast: real time performance
3. Extensive: auto-configuration features
4. Effective: highest port density
5. Broadest range of services troubleshooting applications
6. Multi-user feature
Tektronix K15 Classic is an unbeatable tool to effectively face your network challenges.

P1 Telecom Auditor
Description: P1 Telecom Auditor is a SS7 and SIGTRAN vulnerability scanner and security auditor. Today, the security situation of SS7 and SIGTRAN is identical. P1 Telecom Auditor offers Telecom and Mobile operators the capability to assess and analyze their security in their core network and signaling perimeters, continuously.

Deployment:
1. Easily deployed with a single lightweight Virtual Appliance using VMware technology and a web-based control and reporting server using SaaS technology.
2. Integrates seamlessly in the Signalling Infrastructure.
3. Requires an IP address and a Signalling Point Code.
4. Ready for deployment in both legacy SS7 and state-of-the-art SIGTRAN, UMTS/CDMA 3G, IMS and LTE environments.

P1 Telecom Monitor
Description: P1 Telecom Monitor (PTM) is a SS7, SIGTRAN and IMS network intrusion detection (IDS/NIDS) and monitoring system. SS7 and SIGTRAN networks lack precision monitoring such as that found in the IP world. IDS and specifically NIDS technologies do not yet exist for these types of networks, until today.

Deployment:
1. Easily deployed with a single lightweight Virtual Appliance using VMware technology and a web-based control and reporting server using SaaS technology.
2. Integrates seamlessly with your Signalling Infrastructure.
3. Requires an IP address to communicate its detected events.
4. Ready for deployment in both legacy SS7 and state-of-the-art SIGTRAN, UMTS/CDMA 3G, IMS and LTE environments.
5. The PTM rule base is updated weekly with emergency patterns.

Technology, Protocols and Equipment

Quick View:
1. Native SS7 and SIGTRAN security auditing solution
2. Mission-based and permanent scanning
3. SS7 Interconnect security analysis
4. Network Element, DPC and SSN exposure tests from an external perspective
5. Telecom Network Elements vulnerability analysis
6. External and internal security audit
7. Telecom product analysis
8. SS7 external information gathering
9. Web based admin, campaign control and reporting
10. Reliable, repeatable scanner results, clear deliverables
11. Protection methods against DoS
12. Audit staging for controlled environment assessment
13. Multiple Signalling Point Code support
14. CDR tagging to prevent charging

Elements: STP; MSC, MGW; MMSC, SMSC, FDA; HLR, HSS, AUC, EIR; IN, VAS, Billing Platforms; FMS, LIG; GGSN, SGSN; SG, AS, ASP, SN; GRX and IPX routers, GRX, 3G and IPX DNS; SGW, PGW / PDG / PDN GW, ePDG, GPRS billing gateways; Internet Gateways, PS domain routers, Legacy PS equipment, WAP GW, Proxies, ATM switches; Billing Centre, Billing systems, reconciliation systems; IN, AIN, CAP and CAMEL systems, UMA systems; BSC, BTS, Node B, RNC, LTE e-Node B; SBC, SIP AS, SIP gateways; Call Session Control Function equipment: P-CSCF, I-CSCF, S-CSCF; HNB, eHNB, UMA Femtocells, UMA support system, BRAS-AC, PDC; Legacy equipment, X25, XOT; Circuit Switched (CS) / Packet Switched (PS) networks and interfaces

Protocols: SS7 Message Transfer Part 3 (mtp3), SCCP, MAP, OMAP, INAP, TCAP, ISUP, TUP, BICC, CAMEL, BSSAP, RANAP; SIGTRAN: SCTP, M3UA, M2PA, M2UA, IUA, SUA, V5UA (ISDN, Q.931); GPRS: GTP-U, GTP-C, GTP, GPX DNS; AAA: Radius, Diameter; H248, VoIP / ToIP SIP, H323, Skinny / SCCP, MGCP, MEGACO; Core network protocols: MPLS, LDP, BGP, VPLS, L2TP, GRE, IPsec, SAAL

Thank You
