Transcript of the slides “Exploiting vulnerabilities of 4G Diameter interoperator network”
Page 1
ptsecurity.ru
Exploiting vulnerabilities of 4G Diameter interoperator network
Sergey Mashukov
Page 2
Signaling
According to Wikipedia:
“In telecommunication, signaling has the following meanings:
• the use of signals for controlling communications
• the information exchange concerning the establishment and control of a telecommunication circuit and the management of the network, in contrast to manual setup of circuits by users or administrators
• the sending of a signal from the transmitting end of a telecommunication circuit to inform a user at the receiving end that a message is to be sent.”
Photo. Telephone operators, 1952 / Seattle Municipal Archives / CC BY 2.0
Page 3
Blue Box
Photo. Blue Box at the Powerhouse Museum / Maksym Kozlenko / CC BY-SA 4.0
Page 4
SS7 Vulnerabilities
More than 50 different SS7 attacks:
• IMSI disclosure
• Location Discovery
• Subscriber DoS
• SMS interception and spoofing
• Calls interception
• Reading chats of Telegram,
Page 5
SS7 banking fraud case
• Send malware to get bank account details and mobile number
• Intercept SMS with OTP for the rogue transaction
Page 6
Diameter
• Session-layer AAA protocol
• Cleartext
• Support for SCTP or TCP
• IPsec or TLS/DTLS for encryption
• Extensibility (Diameter Base and Applications on top of it)
Page 7
Protocol-specific weaknesses
• Only peer-to-peer encryption
• Spoofing friendly
• IP is convenient for a malefactor
Page 8
Diameter vs SS7
Page 9
Diameter Roaming: IPX Network
• IPX = IP eXchange
• Successor of GPRS roaming network
• Private network between MNOs
• Guaranteed QoS
• Any network is only two hops away
Page 10
Can an attacker get in?
• Legal: with a license
• Semi-legal: without a license
• Find a guy
• Hack a border device
Page 11
Audit service
• We bought access
• If we could, an attacker can as well
Page 12
What is applicable to IPX and why?
• S6a/S6d for mobility management while roaming (3GPP TS 29.272)
• Other interfaces closed or not routed (may change in future)
Scheme. End-to-end Diameter architecture / GSMA IR.88: LTE Roaming Guidelines / Copyright © 2013 GSM Association
Page 13
LTE nodes
• HSS – Home Subscriber Server
• MME – Mobility Management Entity
Scheme. EPC nodes and interfaces / Joe Deu-Ngoc / CC BY-SA 4.0
Page 14
Authentication vector theft via S6a AIR
An attacker sends an AIR message to HSS with IMSI of the attacked subscriber.
Messages:
AIR — Authentication-Information-Request (S6a)
AIA — Authentication-Information-Answer (S6a)
Page 15
Authentication vector theft via S6a AIR
• Authentication Vectors may be used to set up a fake Base Station
• HSS identity is leaked
• Only subscriber’s IMSI is needed
• Hard to detect
• No way to counteract from subscriber’s side
Page 16
DoS on subscriber via S6a ULR
An attacker periodically sends ULR messages to HSS with IMSI of the attacked subscriber.
Messages:
ULR — Update-Location-Request (S6a)
ULA — Update-Location-Answer (S6a)
CLR — Cancel-Location-Request (S6a)
CLA — Cancel-Location-Answer (S6a)
Page 17
DoS on subscriber via S6a ULR
• Not possible to make or receive any calls
• Not possible to send or receive SMS
• Internet is not available
• Only subscriber’s IMSI and HSS FQDN are needed
• Continues as long as the attacker keeps sending ULR messages
• No network symbol on UE
• No way to counteract from subscriber’s side
Page 18
Subscriber profile disclosure via S6a ULR
An attacker sends a ULR message to HSS with:
• IMSI of the attacked subscriber
• Spoofed identity of the current MME
Messages:
ULR — Update-Location-Request (S6a)
ULA — Update-Location-Answer (S6a)
Page 19
DoS on subscriber via S6a CLR
An attacker sends a CLR message to MME with IMSI of the attacked subscriber.
Messages:
CLR — Cancel-Location-Request (S6a)
CLA — Cancel-Location-Answer (S6a)
Page 20
DoS on subscriber via S6a CLR
• Successful in 100% of roaming cases
• 4G services and internet are not available, but other services still work
• Only subscriber’s IMSI and MME FQDN are needed
• Possibility of mass DoS
• Fixed after reconnection to network from UE
Page 21
DoS on subscriber via S6a IDR
An attacker sends an IDR message to MME with IMSI of the attacked subscriber.
Messages:
IDR — Insert-Subscriber-Data-Request (S6a)
IDA — Insert-Subscriber-Data-Answer (S6a)
Page 22
DoS on subscriber via S6a IDR
Four different ways to change a profile:
• Enforce barring of services
• Restrict use of radio technologies
• Replace APN
• Set upload and download speed to zero
Page 23
Location tracking via S6a IDR
An attacker sends an IDR message to MME with:
• IMSI of the attacked subscriber
• EPS Location Information Request bit set in the IDR-Flags AVP
Page 24
DoS on subscriber via S6a DSR
An attacker sends a DSR message to MME with:
• IMSI of the attacked subscriber
• Correct Context-Identifier
Messages:
DSR — Delete-Subscriber-Data-Request (S6a)
DSA — Delete-Subscriber-Data-Answer (S6a)
Page 25
DoS on subscriber via S6a DSR
• 4G services and internet are not available
• Subscriber’s IMSI, APN profile and MME FQDN are needed
• Sometimes additional changes in subscriber’s profile via S6a IDR are needed
• Possibility of mass DoS
• Fixed after reconnection to network from UE
Page 26
Conclusions
• All general classes of attacks are theoretically possible
• Attacks work differently for different operators
• It is possible to force a device out of 4G in order to use 3G attacks
• In practice 4G signaling seems to be more secure than 2G/3G, at least for the time being
Page 27
What should be changed
• Lack of security awareness.
• IDS + firewall should be used as a short-term solution.
• Long-term solution is to use end-to-end authentication, integrity protection, and encryption.
• Mandatory use of this solution in 5G.
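The slides recommend an IDS and firewall at the interconnect as the short-term fix. The following is an added example, not the presenter's or Positive Technologies' code, of the origin-plausibility rule such a firewall applies to S6a requests arriving from IPX: CLR, IDR and DSR are only ever sent by an HSS, so they must come from the home realm of the IMSI they carry; ULR and AIR are only ever sent by a serving MME, so they must concern one of our own subscribers. It assumes the TS 23.003 realm convention `epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org`, takes test PLMN 001/01 as "our" network, and uses a constructed `Request` dataclass standing in for the decoded AVPs; all IMSIs, realms and hostnames are constructed.

```python
import re
from dataclasses import dataclass

# S6a command codes (3GPP TS 29.272) grouped by the direction in which they travel.
HSS_TO_MME = {317: "CLR", 319: "IDR", 320: "DSR"}   # only an HSS sends these to a serving MME
MME_TO_HSS = {316: "ULR", 318: "AIR"}               # only a serving MME sends these to the HSS
MY_REALM = "epc.mnc001.mcc001.3gppnetwork.org"      # constructed: test PLMN 001/01 is "us"


def home_realms(imsi):
    """Candidate EPC home realms for an IMSI, using the TS 23.003 naming convention
    epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org (MNC zero-padded to three digits).
    The IMSI alone does not say whether its MNC has two or three digits, so both are returned."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("malformed IMSI")
    mcc = imsi[:3]
    return {f"epc.mnc{imsi[3:3 + n].zfill(3)}.mcc{mcc}.3gppnetwork.org" for n in (2, 3)}


@dataclass
class Request:
    """The fields of an inbound S6a request that the rule needs (assumed decoded elsewhere)."""
    command_code: int
    imsi: str              # User-Name AVP
    origin_realm: str      # Origin-Realm AVP as claimed by the sender
    destination_host: str  # Destination-Host AVP


def screen_inbound(req, my_realm=MY_REALM):
    """Verdict for a request that crossed the IPX border into my_realm: ("ALLOW"|"DROP", reason)."""
    origin = req.origin_realm.lower()
    homes = home_realms(req.imsi)
    if origin == my_realm.lower():
        return "DROP", "inbound over IPX but claims our own Origin-Realm"
    if req.command_code in HSS_TO_MME:
        name = HSS_TO_MME[req.command_code]
        if my_realm.lower() in homes:
            return "DROP", f"{name} for our own subscriber {req.imsi}: our HSS never sends this via IPX"
        if origin not in homes:
            return "DROP", f"{name} for {req.imsi} from {req.origin_realm}, which is not its home realm"
        return "ALLOW", f"{name} from the home HSS of inbound roamer {req.imsi}"
    if req.command_code in MME_TO_HSS:
        name = MME_TO_HSS[req.command_code]
        if my_realm.lower() not in homes:
            return "DROP", f"{name} for {req.imsi}: we are not its home network"
        return "ALLOW", f"{name} for our outbound roamer {req.imsi} from {req.origin_realm}"
    return "DROP", f"command code {req.command_code} is not expected on the S6a roaming interface"
```

The rule catches the spoofed-MME and foreign-IMSI patterns from the attack slides, but it is only as strong as the binding between the transport peer and the Origin-Realm it claims, which on IPX is a carrier-side check rather than a cryptographic one (the "spoofing friendly" point of slide 7). That gap is what the long-term end-to-end authentication on this slide closes. A fuller interconnect firewall would also keep per-subscriber location state so that a ULR or AIR for an outbound roamer is only accepted from the network the subscriber is actually attached to.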
Page 28
Thank you!
ptsecurity.com
Page 29
DoS on subscriber via S6a IDR
Using Access-Restriction-Data AVP
To conduct this attack, an S6a IDR message is sent to the Mobility Management Entity (MME) that is currently serving the user, containing:
• MME Host-Id in Destination-Host AVP
• IMSI of the target
• Subscription-Data AVP containing Access-Restriction-Data AVP with value 127
Table 7.3.31/1: Access-Restriction-Data

| Bit | Description |
|-----|-------------|
| 0 | UTRAN Not Allowed |
| 1 | GERAN Not Allowed |
| 2 | GAN Not Allowed |
| 3 | I-HSPA-Evolution Not Allowed |
| 4 | WB-E-UTRAN Not Allowed |
| 5 | HO-To-Non-3GPP-Access Not Allowed |
| 6 | NB-IoT Not Allowed |
Page 30
DoS on subscriber via S6a IDR
Changing APN Configuration for the subscriber
To conduct this attack, an S6a IDR message is sent to the MME that is currently serving the user, containing:
• MME Host-Id in Destination-Host AVP
• IMSI of the target
• APN-Configuration-Profile AVP containing:
  1. Correct Context-Identifier AVP value
  2. APN-Configuration AVP with wrong APN name inside the Service-Selection AVP
  3. All-APN-Configurations-Included-Indicator AVP set to 1 (MODIFIED/ADDED_APN_CONFIGURATIONS_INCLUDED)
Page 31
DoS on subscriber via S6a IDR
Max-Requested-Bandwidth-UL and Max-Requested-Bandwidth-DL AVPs
• Limit the maximum upload and download bandwidth respectively.
• If both are set to 0, download speeds drop to 0 bytes per second for some MMEs (receiving data from the Internet is not possible)
Page 32
DoS on subscriber via S6a IDR
Using Operator-Determined-Barring AVP
To conduct this attack, an S6a IDR message is sent to the MME that is currently serving the user, containing:
• MME Host-Id in Destination-Host AVP
• IMSI of the target
• Subscription-Data AVP containing:
  1. Operator-Determined-Barring AVP with first bit set to 1
  2. Subscriber-Status AVP set to 1 (OPERATOR_DETERMINED_BARRING)
Table 7.3.30/1: Operator-Determined-Barring

| Bit | Description |
|-----|-------------|
| 0 | All Packet Oriented Services Barred |
| 1 | Roamer Access HPLMN-AP Barred |
| 2 | Roamer Access to VPLMN-AP Barred |
| 3 | Barring of all outgoing calls |
| 4 | Barring of all outgoing international calls |
| 5 | Barring of all outgoing international calls except those directed to the home PLMN country |
| 6 | Barring of all outgoing inter-zonal calls |
| 7 | Barring of all outgoing inter-zonal calls except those directed to the home PLMN country |
| 8 | Barring of all outgoing international calls except those directed to the home PLMN country and Barring of all outgoing inter-zonal calls |
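The appendix slides spell out which AVP values turn an ordinary IDR into a profile-wiping one. As an added example, not the presenter's tooling, the Python below decodes the Diameter wire format described on slide 6 (base-protocol header and AVP layout from RFC 6733) and runs content checks over an inbound IDR for every change the slides list: Access-Restriction-Data 127, Operator-Determined-Barring with Subscriber-Status 1, Max-Requested-Bandwidth 0/0, and the EPS Location Information Request flag. Assumptions: the AVP codes and the S6a application id are the ones I know from TS 29.272 and TS 29.214; bit 3 as the EPS Location Information Request bit of IDR-Flags is an assumption to verify against the IDR-Flags table in TS 29.272; the AMBR AVP is placed directly under Subscription-Data; the hop-by-hop and end-to-end ids, hostnames and IMSI are constructed.

```python
import struct

# AVP codes as (code, vendor): vendor 0 = RFC 6733 base protocol, 10415 = 3GPP (TS 29.272 / TS 29.214).
VENDOR_3GPP = 10415
APP_S6A = 16777251
CMD_IDR = 319                                   # Insert-Subscriber-Data-Request
USER_NAME, ORIGIN_HOST, DEST_HOST = (1, 0), (264, 0), (293, 0)
SUBSCRIPTION_DATA = (1400, VENDOR_3GPP)
SUBSCRIBER_STATUS = (1424, VENDOR_3GPP)
OPERATOR_DETERMINED_BARRING = (1425, VENDOR_3GPP)
ACCESS_RESTRICTION_DATA = (1426, VENDOR_3GPP)
AMBR = (1435, VENDOR_3GPP)
IDR_FLAGS = (1490, VENDOR_3GPP)
MAX_BW_DL, MAX_BW_UL = (515, VENDOR_3GPP), (516, VENDOR_3GPP)
EPS_LOCATION_INFO_REQUEST = 1 << 3              # assumption: bit 3 of IDR-Flags
ARD_BITS = ["UTRAN", "GERAN", "GAN", "I-HSPA-Evolution", "WB-E-UTRAN",
            "HO-To-Non-3GPP-Access", "NB-IoT"]   # Table 7.3.31/1, in bit order
u32 = lambda data: struct.unpack("!I", data)[0]

def avp(code, vendor, data):
    """Encode one AVP (RFC 6733 4.1): code, flags, 3-byte length, optional vendor id, data
    padded to 4 bytes. int -> Unsigned32, str -> UTF8String, bytes -> as is (Grouped)."""
    body = struct.pack("!I", data) if isinstance(data, int) else (
        data.encode() if isinstance(data, str) else data)
    flags = 0x40 | (0x80 if vendor else 0)         # M bit, plus V bit when vendor-specific
    length = 8 + (4 if vendor else 0) + len(body)  # header + data, padding not counted
    hdr = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor:
        hdr += struct.pack("!I", vendor)
    return hdr + body + b"\0" * (-len(body) % 4)

def message(cmd, avps, request=True):
    """Diameter v1 header (RFC 6733 3): version, length, flags, command code, app id, ids."""
    body = b"".join(avps)
    hdr = bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([0x80 if request else 0])
    hdr += cmd.to_bytes(3, "big") + struct.pack("!III", APP_S6A, 0x1111, 0x2222)  # ids constructed
    return hdr + body

def parse_avps(buf):
    """Decode a run of AVPs into (code, vendor, data) triples; Grouped data is left raw."""
    out, pos = [], 0
    while pos + 8 <= len(buf):
        code, flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hlen = 12 if flags & 0x80 else 8
        if length < hlen or pos + length > len(buf):
            raise ValueError("truncated or malformed AVP")
        vendor = struct.unpack_from("!I", buf, pos + 8)[0] if flags & 0x80 else 0
        out.append((code, vendor, buf[pos + hlen:pos + length]))
        pos += length + (-length % 4)
    return out

def parse_message(buf):
    if len(buf) < 20 or buf[0] != 1 or int.from_bytes(buf[1:4], "big") != len(buf):
        raise ValueError("not a well-formed Diameter v1 message")
    return {"request": bool(buf[4] & 0x80), "cmd": int.from_bytes(buf[5:8], "big"),
            "app": struct.unpack_from("!I", buf, 8)[0], "avps": parse_avps(buf[20:])}

def find(avps, key):
    """Data of the first AVP whose (code, vendor) equals key, else None."""
    return next((d for c, v, d in avps if (c, v) == key), None)

def inspect_idr(buf):
    """Alerts for one IDR that crossed the IPX border; an empty list means nothing suspicious."""
    msg, alerts = parse_message(buf), []
    if not (msg["request"] and msg["app"] == APP_S6A and msg["cmd"] == CMD_IDR):
        return alerts
    avps = msg["avps"]
    imsi = (find(avps, USER_NAME) or b"?").decode()
    flags = find(avps, IDR_FLAGS)
    if flags is not None and u32(flags) & EPS_LOCATION_INFO_REQUEST:
        alerts.append(f"{imsi}: IDR asks the serving MME for EPS location information")
    sub = find(avps, SUBSCRIPTION_DATA)
    if sub is None:
        return alerts
    inner = parse_avps(sub)
    ard = find(inner, ACCESS_RESTRICTION_DATA)
    if ard is not None and (u32(ard) & 0x7F) == 0x7F:
        alerts.append(f"{imsi}: Access-Restriction-Data {u32(ard)} bars all of " + ", ".join(ARD_BITS))
    odb, status = find(inner, OPERATOR_DETERMINED_BARRING), find(inner, SUBSCRIBER_STATUS)
    if odb is not None and status is not None and u32(odb) & 1 and u32(status) == 1:
        alerts.append(f"{imsi}: operator-determined barring of all packet-oriented services")
    ambr = find(inner, AMBR)
    if ambr is not None:
        grp = parse_avps(ambr)
        ul, dl = find(grp, MAX_BW_UL), find(grp, MAX_BW_DL)
        if ul is not None and dl is not None and u32(ul) == 0 and u32(dl) == 0:
            alerts.append(f"{imsi}: Max-Requested-Bandwidth set to 0 for both uplink and downlink")
    return alerts

def sample_idr(hostile):
    """Constructed traffic (test PLMN 001/01, .invalid hostnames): every profile change from
    the slides when hostile, otherwise an IDR that only refreshes Subscriber-Status."""
    sub = avp(*SUBSCRIBER_STATUS, 1 if hostile else 0)
    if hostile:
        sub += avp(*ACCESS_RESTRICTION_DATA, 127) + avp(*OPERATOR_DETERMINED_BARRING, 1)
        sub += avp(*AMBR, avp(*MAX_BW_UL, 0) + avp(*MAX_BW_DL, 0))
    return message(CMD_IDR, [avp(*ORIGIN_HOST, "hss.home.invalid"), avp(*DEST_HOST, "mme1.visited.invalid"),
                             avp(*USER_NAME, "001010123456789"),
                             avp(*IDR_FLAGS, EPS_LOCATION_INFO_REQUEST if hostile else 0),
                             avp(*SUBSCRIPTION_DATA, sub)])
```

`inspect_idr(sample_idr(True))` returns four alerts and `inspect_idr(sample_idr(False))` returns none. The checks are deliberately content-only: a legitimate home HSS can send any of these values (barring a subscriber for non-payment, for instance), so in a real deployment they are combined with the origin check (is the sender the IMSI's home HSS?) and with rate and per-subscriber context before a message is dropped rather than merely logged.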