LTE Masterclass: “Signaling network vulnerabilities and protection strategies for operators”
Signaling security
AfricaCom
Ilia Abramov, Product Director
SS7 network security takes the stage
XURA SIGNALING FRAUD MANAGEMENT
Annual Chaos Communication Congress event held in Hamburg
• December 2014
Featured 3 presentations on SS7 security
• SS7: Locate Track Manipulate
• Mobile self-defense
• SS7 Map – Mapping vulnerability of international mobile roaming infrastructure
Demonstrated attacks through SS7 interconnects:
• Location and tracking of mobile users
• Denial of Service attacks
• Eavesdropping via man in the middle attack – 2G and 3G
• Traffic diversion
• De-anonymization
• Fraud
• Spam
Is There a Problem? We Think So …
Examples of the attacks
Location tracking of the subscribers
Illegal access to operator HLR (SRI, Femto cell, ATI, etc.)
Impact
• Loss of subscriber privacy
• Loss of revenue by the MNO (location tracking service)

Voice call interception
Faking of the subscriber profile (multiple ways)
Impact
• Loss of subscriber privacy
• Subscriber churn
• Legal exposure of MNO up to revoking of license

SMS interception
Faking of the subscriber profile (multiple ways)
Impact
• Loss of subscriber privacy
• Impact on A2P revenue due to compromised 2 layer authentication

Spoofing of the network elements
Faking of the network element addressing
Impact
• Attack on the other operator network
• Revenue impact (e.g. fake SMSC)
• Exposure of own network element in the other operator attack
Attack motivation
Most valuable asset is INFORMATION !!!
• Confidential data
• Private and business conversations
• Messaging and data exchange
Service interruption
• DoS attack on subscriber
• Enforced service degradation
Financial
• IRSF calls
• Messaging fraud
• Grey Routes
Anatomy of the signaling attacks
[Diagram: Attacks on subscriber private communication. Main attack actions: obtain subscriber IMSI, fake subscriber profile, receive call / SMS / data. Labels: IMSI, Fake, HLR/HSS, MSC/MME, HLR/VLR, SRI-SM, ATI.]
Mitigation: Technical Measures
• Keeping one’s network safe is an ongoing task of determining and blocking attacks, to be done by signaling experts
• Can only be automated partially
• Monitor to see what kind of attacks your network is exposed to
• See the SS7 Monitoring Guidelines, authored by RIFS
• Filter at the network edge
• SS7 firewall
• SMS Home Routing/Firewall
• Diameter Edge Agent (DEA) at the edge to the IPX Network
FASG
IMSI Harvesting
[Diagram labels: HLR phishing, HLR/HSS, SRI for SM, ATI, Home Routing, STP filtering, FemtoCell, IMSI]
• All security measures make sense
However
• Impossible to have full IMSI protection
EFFICIENT SECURITY ENFORCEMENT
Signaling Fraud Management
Monitors and detects HLR interrogations
Prevents faking
Detects signaling flow irregularities
Implements signaling policies
Provides operator with detailed insight
Native Network integration
Real-Time monitoring
Traffic Control and Enforcement
Signaling challenges in LTE & VoLTE
Potential IP vulnerabilities rise in Telco industry
Attack dimensions and Impact
Issue                          Risk    Cost
Prepaid Abuse                  High    High
Denial of Service (area)       High    High
VoIP Originated SS7 Injection  Medium  High
Financial/charging fraud       High    High
Privacy Theft                  Medium  Medium
IoT intrusion                  High    High
Diameter attacks occur in multiple dimensions
• AVP combinations and values
• Sequencing and Flow
• Optional parameters
Protecting Diameter signaling network
Enable secure transport for the interconnects
• Ensures 1st hop protection
• Challenge: administration nightmare
• Does protect from signaling attacks
Validate protocol consistency
• Check packet compliancy
• Enforce Diameter message dictionary to the applications
• Selectively filter any protocol extensions
• Perform address consistency validation
• Block suspect packets
Monitor and Act
• Collect interconnect signaling data
• Analyze detected inconsistencies
• Identify the sources
• Engage with roaming partners
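The checks listed under "Validate protocol consistency", as an added example that is not from the presentation or from any Xura product: an edge check that enforces header and AVP length compliance, an allowed command set, and Origin-Host/Origin-Realm consistency against the realm configured for the peer. The function names, the ALLOWED policy, the host-inside-realm rule and the sample realm are assumptions constructed for illustration.

```python
import struct

ORIGIN_HOST, ORIGIN_REALM = 264, 296   # AVP codes (RFC 6733)
S6A, ULR = 16777251, 316               # S6a application id, Update-Location command
ALLOWED = {(S6A, ULR)}                 # assumed dictionary policy for this peer
REALM = "epc.mnc001.mcc001.3gppnetwork.org"   # constructed test-PLMN realm

def parse_avps(buf):  # yield (code, data) per AVP; ValueError on a bad length
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, word = struct.unpack_from("!II", buf, off)
        flags, length = word >> 24, word & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8          # V bit: Vendor-Id follows
        if length < hdr or off + length > len(buf):
            raise ValueError(f"bad length on AVP {code}")
        yield code, buf[off + hdr:off + length]
        off += (length + 3) & ~3                 # AVPs are padded to 4 bytes

def check_message(msg, peer_realm):  # findings for one message from peer_realm
    if len(msg) < 20:
        return ["truncated header"]
    word, flags_cmd, app_id = struct.unpack_from("!III", msg, 0)
    if word >> 24 != 1 or word & 0xFFFFFF != len(msg) or len(msg) % 4:
        return ["header not compliant"]
    try:
        avps = dict(parse_avps(msg[20:]))
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if (app_id, flags_cmd & 0xFFFFFF) not in ALLOWED:
        findings.append("command not in dictionary")
    host = avps.get(ORIGIN_HOST, b"").decode("ascii", "replace").lower()
    realm = avps.get(ORIGIN_REALM, b"").decode("ascii", "replace").lower()
    if realm != peer_realm.lower():
        findings.append("Origin-Realm does not match peer realm")
    if not host.endswith("." + realm):           # assumed naming policy
        findings.append("Origin-Host is outside Origin-Realm")
    return findings

def avp(code, data):                   # builders for the constructed samples
    word = (0x40 << 24) | (len(data) + 8)
    return struct.pack("!II", code, word) + data + b"\x00" * (-(len(data) + 8) % 4)

def message(avps, cmd=ULR):
    body = b"".join(avps)
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)), (0x80 << 24) | cmd, S6A, 1, 1) + body

GOOD = message([avp(ORIGIN_HOST, b"mme1." + REALM.encode()), avp(ORIGIN_REALM, REALM.encode())])
```

An empty list from `check_message` means the message passed every check; in a deployment the findings would feed the "Block suspect packets" and "Monitor and Act" steps.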
Signaling Network protection strategy
• Protect Legacy SS7/SIGTRAN network
• Secure design of EPC
• Ensure signaling perimeter control and monitoring
Your partner in signaling security
Understanding of Signaling network architecture and principles
Years of reliable Carrier Grade signaling service
Enforcement of security policies and real-time monitoring
Revenue assurance
Network audit and penetration testing
Guaranteed confidentiality!
THANK YOU