Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs...
-
Upload
truongthuy -
Category
Documents
-
view
235 -
download
1
Transcript of Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs...
![Page 1: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/1.jpg)
Silke Holtmanns Nokia Bell LabsBhanu Kotte Nokia Bell LabsSiddharth Rao Aalto University
Detach me not DoS attacks against 4G cellular users worldwide from your desk
![Page 2: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/2.jpg)
We are hereconnected to Vodafone, O2, Orange, T-Mobile, 3
My home mobile network operatorColleagues & Family
Elisa, TeliaSonera, DNA
Blackhat StaffAT&T, Verizon, T-Mobile, Sprint..
Blackhat AttendeesOrange, DT, Vodafone, ePlus,..
![Page 3: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/3.jpg)
Roaming Network – Interconnect IPX
![Page 4: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/4.jpg)
We are all connectedto the Interconnection Network
![Page 5: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/5.jpg)
History – To Understand the Problem
Established more than 35 years ago between a fewstate owned operators
Build on trust (closed private network)
No inbuilt security (in particular, no sourceauthentication)
SS7 protocol was constantly extended for newservices and features
New service providers connect all the time e.g. IPX roaming hubs, Application to user SMS, etc
Now moving towards LTE / Diameter basedprotocols
![Page 6: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/6.jpg)
Closed & Private Network?
![Page 7: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/7.jpg)
How to get in?
Convincing
Hacking
Having Power
Bribing an EmployeeRenting a Service
Become an Operator
![Page 8: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/8.jpg)
Current Status of IPX Security
• Most commonly used protocol for interconnection is still SS7-MAP(message application part)
• Often intermediate nodes involved
• Often without any form of transport security
-> No IPSec, no TLS / DTLS, no MAPSec
• No source authentication, no integrity, no confidentiality
• For the legacy protocol, SS7 many attacks are known, some of them landed on TV (CBS 60 minutes)
![Page 9: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/9.jpg)
• Location Tracking
• Eavesdropping
• Fraud
• Denial of Service user & network
• Credential theft
• Data session hijacking
• Unblocking stolen phone
• SMS interception
• One time password theft and account
takeover for Telegram, Facebook,
SS7 Incidents Known
![Page 10: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/10.jpg)
All will be better with LTE and Diameter……
![Page 11: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/11.jpg)
All will be better different with
LTE and Diameter……
![Page 12: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/12.jpg)
IPX Providers
The HSS The HSS
DEA
MME MME
DEA
Mobile LTE Networks
![Page 14: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/14.jpg)
• Send Routing Info for SM
Request (SRR)
• Sent by SMSC to the HSS
• Retrieves subscriber’s IMSI
and identity of the serving
MME
• Routing a short message to
the recipient
IMSI retrieval using SRR
![Page 15: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/15.jpg)
Cancel Location Request (CLR)
Sent by HSS to the MME to
detach the UE
• MME change (location change)
• Subscription Withdrawal
DoS using CLR
![Page 17: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/17.jpg)
Insert Subscriber Data Request
(IDR)
Sent by HSS to the MME
• updating and/or requesting
certain user data in the MME
• retrieve location information
and/or state information from
the MME
DoS using IDR
![Page 19: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/19.jpg)
Update Location Request (ULR)
Sent by MME to the HSS to inform
about
• the serving MME (e.g. going
abroad)
• the user data such as terminal
information
DoS using ULR
![Page 20: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/20.jpg)
Notification Request (NOR)
Sent by MME to the HSS
• Notifying events such as device reachability, updated device information
DoS using IDR+NOR
![Page 21: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/21.jpg)
Practical Considerations
• IPSec for diameter is standardized
• It’s all IP, lets use IPSec! Maybe not that easy…… • Not all is IP (some part of SS7 / interworking)
• Who will host / create root certificates
• Operators in developing countries
• Interconnection service provider -> only hop-by-hop security
• Nodes difficult to upgrade
• Still no protection against• Partners renting out to ”service companies”
• Hacked nodes
• Bribed employees
• Governmental ties
![Page 22: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/22.jpg)
Countermeasures
MitigateFilter, filter, filter
Signaling Firewall at DEAIPSec usage for LTE-Diameter
SMS protection measures
CooperateShare experiences
Form circles of securityCooperation with legislators
PrepareBusiness rules for misusage
Investigate potential weaknessesNode hardening
DetectMonitor network traffic
Tenant monitoring
![Page 23: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/23.jpg)
Summary
• Interconnection attacks are reality, but current main focus is SS7
• LTE/Diameter has similar functionality-> hence similar attacks are possible there
• Independent of phone, platform or device
• DoS against users can be done in Diameter in many ways-> some have also network performance impacts
• Will LTE face the similar Interconnection weaknesses as SS7?• If networks don’t take protection measures, then yes.
![Page 24: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/24.jpg)
Mobile Networks arrived in the Internet
Let’s protect them
![Page 25: Detach me not Silke Holtmanns Nokia Bell Labs Bhanu Kotte ... · Bhanu Kotte Nokia Bell Labs Siddharth Rao Aalto University Detach me not ... SS7 protocol was constantly extended](https://reader031.fdocuments.in/reader031/viewer/2022020108/5ad69ccd7f8b9a6b668bebd1/html5/thumbnails/25.jpg)
ThanksYou
Finnish CyberTrust Project
Major global operators for their support and security engagement
Questions?