SlideShare ist ein Scribd-Unternehmen logo

Security Testing 4G (LTE) Networks

44CON
44CON

Martyn Ruks & Nils present Security Testing 4G (LTE) Networks at 44CON 2012 in London, September 2012.

1 von 61
Downloaden Sie, um offline zu lesen
Security Testing 4G (LTE) Networks 44con 6th September 2012 Martyn Ruks & Nils 11/09/2012 1
Today’s Talk • Intro to 4G (LTE) Networks • Technical Details • Attacks and Testing • Defences • Conclusions 11/09/2012 2
Intro to 4G (LTE) Networks 11/09/2012 3
Mobile Networks A Brief History Lesson • 1G – 1980s Analogue technology (AMPS, TACS) • 2G – 1990s Move to digital (GSM,GPRS,EDGE) • 3G – 2000s Improved data services (UMTS, HSPA) • 4G – 2010s High bandwidth data (LTE Advanced) 11/09/2012 4
Mobile Networks Historic Vulnerabilities • Older networks have been the subject of practical and theoretical attacks • Examples include: • Ability to man in the middle • No perfect forward secrecy • No encryption on the back-end • LTE Advanced addresses previous attacks 11/09/2012 5
Mobile Networks Current Status of 4G • Lots of 4G networks running or planned (eg Scandinavia, US) • UK Trials have run in Cornwall, London etc • Spectrum auction is important • EE services launches soon! 11/09/2012 6
Mobile Networks Why is 4G Important? • Digital Britain strategy • Fixed line broadband expensive in remote locations • Provides high speed mobile data services • High level of scalability on the back- end 11/09/2012 7
Technical Details 11/09/2012 8
Conceptual View 3G Core NodeB Network RNC User Base Station Back-End Internet 11/09/2012 9
Network Overview 3G HSS AuC NB UE NB RNC SGSN GGSN Internet Core Network 11/09/2012 10
Conceptual View 4G EPC eNodeB User Base Station Back-End Internet 11/09/2012 11
Network Overview 4G eNB MME HSS UE eNB SGw PGw PCRF Internet EPC 11/09/2012 12
The Components User Equipment (UE) • What the customer uses to connect • Mainly dongles and hubs at present • Smartphones and tablets will follow (already lots in US) 11/09/2012 13
The Components evolved Node B (eNB) • The bridge between wired and wireless networks • Forwards signalling traffic to the MME • Passes data traffic to the PDN/Serving Gateway 11/09/2012 14
The Components Evolved Packet Core (EPC) • The back-end core network • Manages access to data services • Uses IP for all communications • Divided into several components 11/09/2012 15
The Components Mobile Management Entity (MME) • Termination point for UE Signalling • Handles authentication events • Key component in back-end communications 11/09/2012 16
The Components Home Subscriber Service (HSS) • Contains a user’s subscription data (profile) • Typically includes the Authentication Centre (AuC) • Where key material is stored 11/09/2012 17
The Components PDN and Serving Gateways (PGw and SGw) • Handles data traffic from UE • Can be consolidated into a single device • Responsible for traffic routing within the back-end • Implements important filtering controls 11/09/2012 18
The Components Policy Charging and Rules Function (PCRF) • Does what it says on the tin • Integrated into the network core • Allows operator to perform bandwidth shaping 11/09/2012 19
The Components Home eNB (HeNB) • The “FemtoCell” of LTE • An eNodeB within your home • Talks to the MME and PDN/Serving Gateway • Expected to arrive much later in 4G rollout 11/09/2012 20
Network Overview Control and User Planes 11/09/2012 21
The Protocols Radio Protocols (RRC, PDCP, RLC) • These all terminate at the eNodeB • RRC is only used on the control plane RRC • Wireless user and control data PDCP RLC is encrypted (some exceptions) • Signalling data can also be encrypted end-to-end 11/09/2012 22
The Protocols Internet Protocol (IP) • Used by all back-end comms • All user data uses it • Supports both IPv4 and IPv6 IP • Important to get routing and filtering correct • Common UDP and TCP services in use 11/09/2012 23
The Protocols The Protocols - SCTP • Another protocol on top of IP • Robust session handling • Bi-directional sessions SCTP • Sequence numbers very IP important 11/09/2012 24
The Protocols The Protocols – GTP-U • Runs on top of UDP and IP • One of two variants of GTP used in LTE GTP-U • This transports user IP data UDP • Pair of sessions are used IP identified by Tunnel-ID 11/09/2012 25
The Protocols The Protocols – GTP-C • Runs on top of UDP and IP • The other variant of GTP used in LTE GTP-C • Used for back-end data UDP • Should not be used by the IP MME in pure 4G 11/09/2012 26
The Protocols S1AP • Runs on top of SCTP and IP • An ASN.1 protocol • Transports UE signalling S1AP • UE sessions distinguished by SCTP IP a pair of IDs 11/09/2012 27
The Protocols X2AP • Very similar to S1AP • Used between eNodeBs for signalling and handovers X2AP • Runs over of SCTP and IP and SCTP is also an ASN.1 protocol IP 11/09/2012 28
Potential Attacks 11/09/2012 29
Targets for Testing What Attacks are Possible • Wireless attacks and the baseband • Attacking the EPC from UE • Attacking other UE • Plugging into the Back-end • Physical attacks (HeNB) 11/09/2012 30
Targets for Testing Wireless Attacks and the Baseband • A DIY kit for attacking wireless protocols is now closer (USRP based) • Best chance is using commercial kit to get a head-start • Not the easiest thing to attack 11/09/2012 31
Targets for Testing Attacking the EPC from UE • Everything in the back-end is IP • You pay someone to give you IP access to the environment  • Easiest place to start 11/09/2012 32
Targets for Testing Attacking other UE • Other wirelessly connected devices are close • May be less protection if seen as a local network • The gateway may enforce segregation between UE 11/09/2012 33
Targets for Testing Wired network attacks • eNodeBs will be in public locations • They need visibility of components in the EPC • Very easy to communicate with an IP network • Everything is potentially in scope 11/09/2012 34
Targets for Testing Physical Attacks (eNB) • Plugging into management interfaces is most likely attack, except … • A Home eNodeB is a different story • Hopefully we have learned from the Vodafone Femto-Cell Attack 11/09/2012 35
What you can Test 11/09/2012 36
Tests to Run As a Wirelessly Connected User • Visibility of the back-end from UE • Visibility of other UEs • Testing controls enforced by Gateway • Spoofed source addresses • GTP Encapsulation (Control and User) 11/09/2012 37
Tests to Run From the Back-End • Ability to attack MME (signalling) • Robustness of stacks (eg SCTP) • Fuzzing • Sequence number generation • Testing management interfaces • Web consoles • SSH • Proprietary protocols 11/09/2012 38
Tests to Run Challenges • Spoofing UE authentication is difficult • Messing with radio layers is hard • ASN.1 protocols are a pain • Injecting into SCTP is tough • Easy to break back-end communications 11/09/2012 39
Tests to Run S1AP Protocol • By default no authentication to the service • Contains eNodeB data and UE Signalling • UE Signalling can make use of encryption and integrity checking • If no UE encryption is used attacks against connected handsets become possible 11/09/2012 40
Tests to Run S1AP and Signalling S1AP NAS NAS UE eNB MME 11/09/2012 41
Tests to Run S1AP and Signalling Spoofed Spoofed UE eNB MME UE eNB 11/09/2012 42
Tests to Run S1AP and Signalling S1 Setup S1 Setup Response Attach Request eNB MME Authentication Request Authentication Response Security Mode 11/09/2012 43
Tests to Run GTP Protocol • Gateway can handle multiple encapsulations • It uses UDP so easy to have fun with • The gateway needs to enforce a number of controls that stop attacks 11/09/2012 44
Tests to Run GTP and User Data GTP IP IP IP UE eNB SGw Internet 11/09/2012 45
Tests to Run GTP and User Data IP UE GTP UDP IP GTP eNodeB UDP IP 11/09/2012 46
Tests to Run GTP and User Data GTP IP GTP IP GTP IP GTP UE eNB SGw Internet 11/09/2012 47
Tests to Run GTP and User Data Destination IP Address (IP) GTP Tunnel Source IP Invalid IP ID (GTP) Address (IP) Protocols (IP) Source IP Address (GTP) UE eNB SGw PGw 11/09/2012 48
Tests to Run Old Skool • Everything you already know can be applied to testing the back-end • Its an IP network and has routers and switches • There are management services running 11/09/2012 49
Defences 11/09/2012 50
Defences The Multi-Layered Approach • Get the IP network design right • Protect the IP traffic in transit • Enforce controls in the Gateway • Ensure UE and HeNBs are secure • Monitoring and Response • Testing 11/09/2012 51
Defences Unified/Consolidated Gateway • The “Gateway” enforces some very important controls: • Anti-spoofing • Encapsulation protection • Device to device Routing • Billing and charging of users 11/09/2012 52
Defences IP Routing • Architecture design and routing in the core is complex • Getting it right is critical to security • We have seen issues with this • This must be tested before an environment is deployed 11/09/2012 53
Defences IPSec • If correctly implemented will provide Confidentiality and Integrity protection • Can also provide authentication between components • Keeping the keys secure is not trivial and not tested 11/09/2012 54
Defences Architecture Consideration MME HSS EPC Switch Internet eNodeB Gateway Internet Serving Gateway PDN Gateway EPC 11/09/2012 55
Conclusions 11/09/2012 56
Conclusion 1 • There are 3 key protective controls that should be tested within LTE environments • Policies and rules in the Unified/Consolidated Gateway • The implementation of IPSec between all back- end components • A back-end IP network with well-designed routing and filtering 11/09/2012 57
Conclusion 2 • Despite fears from the use of IP in 4G, LTE will improve security if implemented correctly • The 3 key controls must be correctly implemented • Testing must be completed for validation • Continued scrutiny is required • Legacy systems may be the weakest link 11/09/2012 58
Conclusion 3 • Protecting key material used for IPSec is not trivial • The security model for IPSec needs careful consideration • Operational security processes are also important • Home eNodeB security is a challenge 11/09/2012 59
Conclusion 4 • More air interface testing is needed • Will need co-operation from vendors/operators • “Open” testing tools will need significant development effort • Still lower hanging fruit if support for legacy wireless standards remain 11/09/2012 60
Questions @mwrinfosecurity @mwrlabs 11/09/2012 61

Empfohlen

Practical security testing for lte networks
Practical security testing for lte networksPractical security testing for lte networks
Practical security testing for lte networksPfedya
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?Stephen Kho
 
Lte security concepts and design considerations
Lte security concepts and design considerationsLte security concepts and design considerations
Lte security concepts and design considerationsMary McEvoy Carroll
 
4g security presentation
4g security presentation4g security presentation
4g security presentationKyle Ly
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...EC-Council
 
IoT, Demystified
IoT, DemystifiedIoT, Demystified
IoT, DemystifiedYulian Slobodyan
 
Carrier grade wi fi integration architecture
Carrier grade wi fi integration architectureCarrier grade wi fi integration architecture
Carrier grade wi fi integration architectureSatish Chavan
 
SDN_and_NFV_technologies_in_IoT_Networks
SDN_and_NFV_technologies_in_IoT_NetworksSDN_and_NFV_technologies_in_IoT_Networks
SDN_and_NFV_technologies_in_IoT_NetworksSrinivasa Addepalli
 

Empfohlen

Practical security testing for lte networks
Practical security testing for lte networksPractical security testing for lte networks
Practical security testing for lte networksPfedya
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?Stephen Kho
 
Lte security concepts and design considerations
Lte security concepts and design considerationsLte security concepts and design considerations
Lte security concepts and design considerationsMary McEvoy Carroll
 
4g security presentation
4g security presentation4g security presentation
4g security presentationKyle Ly
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...EC-Council
 
IoT, Demystified
IoT, DemystifiedIoT, Demystified
IoT, DemystifiedYulian Slobodyan
 
Carrier grade wi fi integration architecture
Carrier grade wi fi integration architectureCarrier grade wi fi integration architecture
Carrier grade wi fi integration architectureSatish Chavan
 
SDN_and_NFV_technologies_in_IoT_Networks
SDN_and_NFV_technologies_in_IoT_NetworksSDN_and_NFV_technologies_in_IoT_Networks
SDN_and_NFV_technologies_in_IoT_NetworksSrinivasa Addepalli
 
Hallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginHallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginEC-Council
 
Unit 4
Unit 4Unit 4
Unit 4Mayura shelke
 
Intoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture PresentationIntoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture Presentationsaddepalli
 
Software Defined Networks (SDN) and Cloud Computing in 5G Wireless Technologies
Software Defined Networks (SDN) and Cloud Computing in 5G Wireless TechnologiesSoftware Defined Networks (SDN) and Cloud Computing in 5G Wireless Technologies
Software Defined Networks (SDN) and Cloud Computing in 5G Wireless Technologiesspirit conference
 
Zigbee intro
Zigbee introZigbee intro
Zigbee introPradheep Shrinivasan
 
CCNA (R & S) Module 02 - Connecting Networks - Chapter 1
CCNA (R & S) Module 02 - Connecting Networks - Chapter 1CCNA (R & S) Module 02 - Connecting Networks - Chapter 1
CCNA (R & S) Module 02 - Connecting Networks - Chapter 1Waqas Ahmed Nawaz
 
Profinet and the Industrial Internet of Things (IIoT) - Peter Thomas - Sept ...
Profinet and the Industrial Internet of Things (IIoT) - Peter Thomas - Sept ...Profinet and the Industrial Internet of Things (IIoT) - Peter Thomas - Sept ...
Profinet and the Industrial Internet of Things (IIoT) - Peter Thomas - Sept ...PROFIBUS and PROFINET InternationaI - PI UK
 
CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4Nil Menon
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9Waqas Ahmed Nawaz
 
Zigbee intro v5
Zigbee intro v5Zigbee intro v5
Zigbee intro v5rajrayala
 
IO-Link for the last metres communication - Derek Lane
IO-Link for the last metres communication - Derek LaneIO-Link for the last metres communication - Derek Lane
IO-Link for the last metres communication - Derek LanePROFIBUS and PROFINET InternationaI - PI UK
 
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5Waqas Ahmed Nawaz
 
CCNA v6.0 ITN - Chapter 11
CCNA v6.0 ITN - Chapter 11CCNA v6.0 ITN - Chapter 11
CCNA v6.0 ITN - Chapter 11Irsandi Hasan
 
CCNA4 Verson6 Chapter8
CCNA4 Verson6 Chapter8CCNA4 Verson6 Chapter8
CCNA4 Verson6 Chapter8Chaing Ravuth
 
Presentation on 5G security
Presentation on 5G securityPresentation on 5G security
Presentation on 5G securityRanjitUpadhyay4
 
Itn6 instructor materials_chapter4
Itn6 instructor materials_chapter4Itn6 instructor materials_chapter4
Itn6 instructor materials_chapter4limenih muluneh
 
CCNA v6.0 ITN - Chapter 04
CCNA v6.0 ITN - Chapter 04CCNA v6.0 ITN - Chapter 04
CCNA v6.0 ITN - Chapter 04Irsandi Hasan
 
CCNA RS_ITN - Chapter 11
CCNA RS_ITN - Chapter 11CCNA RS_ITN - Chapter 11
CCNA RS_ITN - Chapter 11Irsandi Hasan
 
On her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyOn her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyStephen Kho
 
Zigbee technology and its application in
Zigbee technology and its application inZigbee technology and its application in
Zigbee technology and its application inIJCNCJournal
 
5G-webinar from 5G-course, Anritsu, adcomm
5G-webinar from 5G-course, Anritsu, adcomm 5G-webinar from 5G-course, Anritsu, adcomm
5G-webinar from 5G-course, Anritsu, adcomm Saurabh Verma
 
LTE :Mobile Network Security
LTE :Mobile Network SecurityLTE :Mobile Network Security
LTE :Mobile Network SecuritySatish Chavan
 

Weitere ähnliche Inhalte

Was ist angesagt?

Hallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginHallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginEC-Council
 
Intoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture PresentationIntoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture Presentationsaddepalli
 
Software Defined Networks (SDN) and Cloud Computing in 5G Wireless Technologies
Software Defined Networks (SDN) and Cloud Computing in 5G Wireless TechnologiesSoftware Defined Networks (SDN) and Cloud Computing in 5G Wireless Technologies
Software Defined Networks (SDN) and Cloud Computing in 5G Wireless Technologiesspirit conference
 
CCNA (R & S) Module 02 - Connecting Networks - Chapter 1
CCNA (R & S) Module 02 - Connecting Networks - Chapter 1CCNA (R & S) Module 02 - Connecting Networks - Chapter 1
CCNA (R & S) Module 02 - Connecting Networks - Chapter 1Waqas Ahmed Nawaz
 
CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4Nil Menon
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9Waqas Ahmed Nawaz
 
Zigbee intro v5
Zigbee intro v5Zigbee intro v5
Zigbee intro v5rajrayala
 
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5Waqas Ahmed Nawaz
 
CCNA v6.0 ITN - Chapter 11
CCNA v6.0 ITN - Chapter 11CCNA v6.0 ITN - Chapter 11
CCNA v6.0 ITN - Chapter 11Irsandi Hasan
 
CCNA4 Verson6 Chapter8
CCNA4 Verson6 Chapter8CCNA4 Verson6 Chapter8
CCNA4 Verson6 Chapter8Chaing Ravuth
 
Presentation on 5G security
Presentation on 5G securityPresentation on 5G security
Presentation on 5G securityRanjitUpadhyay4
 
Itn6 instructor materials_chapter4
Itn6 instructor materials_chapter4Itn6 instructor materials_chapter4
Itn6 instructor materials_chapter4limenih muluneh
 
CCNA v6.0 ITN - Chapter 04
CCNA v6.0 ITN - Chapter 04CCNA v6.0 ITN - Chapter 04
CCNA v6.0 ITN - Chapter 04Irsandi Hasan
 
CCNA RS_ITN - Chapter 11
CCNA RS_ITN - Chapter 11CCNA RS_ITN - Chapter 11
CCNA RS_ITN - Chapter 11Irsandi Hasan
 
On her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyOn her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyStephen Kho
 
Zigbee technology and its application in
Zigbee technology and its application inZigbee technology and its application in
Zigbee technology and its application inIJCNCJournal
 

Was ist angesagt? (20)

Hallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginHallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul Coggin
 
Unit 4
Unit 4Unit 4
Unit 4
 
Intoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture PresentationIntoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture Presentation
 
Software Defined Networks (SDN) and Cloud Computing in 5G Wireless Technologies
Software Defined Networks (SDN) and Cloud Computing in 5G Wireless TechnologiesSoftware Defined Networks (SDN) and Cloud Computing in 5G Wireless Technologies
Software Defined Networks (SDN) and Cloud Computing in 5G Wireless Technologies
 
Zigbee intro
Zigbee introZigbee intro
Zigbee intro
 
CCNA (R & S) Module 02 - Connecting Networks - Chapter 1
CCNA (R & S) Module 02 - Connecting Networks - Chapter 1CCNA (R & S) Module 02 - Connecting Networks - Chapter 1
CCNA (R & S) Module 02 - Connecting Networks - Chapter 1
 
Profinet and the Industrial Internet of Things (IIoT) - Peter Thomas - Sept ...
Profinet and the Industrial Internet of Things (IIoT) - Peter Thomas - Sept ...Profinet and the Industrial Internet of Things (IIoT) - Peter Thomas - Sept ...
Profinet and the Industrial Internet of Things (IIoT) - Peter Thomas - Sept ...
 
CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9
 
Zigbee intro v5
Zigbee intro v5Zigbee intro v5
Zigbee intro v5
 
IO-Link for the last metres communication - Derek Lane
IO-Link for the last metres communication - Derek LaneIO-Link for the last metres communication - Derek Lane
IO-Link for the last metres communication - Derek Lane
 
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
 
CCNA v6.0 ITN - Chapter 11
CCNA v6.0 ITN - Chapter 11CCNA v6.0 ITN - Chapter 11
CCNA v6.0 ITN - Chapter 11
 
CCNA4 Verson6 Chapter8
CCNA4 Verson6 Chapter8CCNA4 Verson6 Chapter8
CCNA4 Verson6 Chapter8
 
Presentation on 5G security
Presentation on 5G securityPresentation on 5G security
Presentation on 5G security
 
Itn6 instructor materials_chapter4
Itn6 instructor materials_chapter4Itn6 instructor materials_chapter4
Itn6 instructor materials_chapter4
 
CCNA v6.0 ITN - Chapter 04
CCNA v6.0 ITN - Chapter 04CCNA v6.0 ITN - Chapter 04
CCNA v6.0 ITN - Chapter 04
 
CCNA RS_ITN - Chapter 11
CCNA RS_ITN - Chapter 11CCNA RS_ITN - Chapter 11
CCNA RS_ITN - Chapter 11
 
On her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyOn her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy Agency
 
Zigbee technology and its application in
Zigbee technology and its application inZigbee technology and its application in
Zigbee technology and its application in
 

Andere mochten auch

5G-webinar from 5G-course, Anritsu, adcomm
5G-webinar from 5G-course, Anritsu, adcomm 5G-webinar from 5G-course, Anritsu, adcomm
5G-webinar from 5G-course, Anritsu, adcomm Saurabh Verma
 
LTE :Mobile Network Security
LTE :Mobile Network SecurityLTE :Mobile Network Security
LTE :Mobile Network SecuritySatish Chavan
 
Gsm security and encryption
Gsm security and encryptionGsm security and encryption
Gsm security and encryptionRK Nayak
 
IoT and 5G: Opportunities and Challenges, SenZations 2015
IoT and 5G: Opportunities and Challenges, SenZations 2015IoT and 5G: Opportunities and Challenges, SenZations 2015
IoT and 5G: Opportunities and Challenges, SenZations 2015SenZations Summer School
 
Smart Cities, IoT, SDN, 5G Networks, Cloud Computing… Managing Complexity wit...
Smart Cities, IoT, SDN, 5G Networks, Cloud Computing… Managing Complexity wit...Smart Cities, IoT, SDN, 5G Networks, Cloud Computing… Managing Complexity wit...
Smart Cities, IoT, SDN, 5G Networks, Cloud Computing… Managing Complexity wit...Bristol Is Open
 
Lte security solution white paper(20130207)
Lte security solution white paper(20130207)Lte security solution white paper(20130207)
Lte security solution white paper(20130207)Mohamed Tharwat Waheed
 
Rethinking the Telcos business models in the age of 5G - Carlos LOPEZ, Telefó...
Rethinking the Telcos business models in the age of 5G - Carlos LOPEZ, Telefó...Rethinking the Telcos business models in the age of 5G - Carlos LOPEZ, Telefó...
Rethinking the Telcos business models in the age of 5G - Carlos LOPEZ, Telefó...IDATE DigiWorld
 
5 g business potential ieee 5g summit_110717_a
5 g business potential ieee 5g summit_110717_a5 g business potential ieee 5g summit_110717_a
5 g business potential ieee 5g summit_110717_aMaria Boura
 
Gsm security and encryption
Gsm security and encryptionGsm security and encryption
Gsm security and encryptionjyothsnapaidi
 
Security in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksSecurity in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksNaveen Kumar
 
Security and Transport Performance in 5G
Security and Transport Performance in 5GSecurity and Transport Performance in 5G
Security and Transport Performance in 5GDirk Kutscher
 
Internet of Things: The story so far
Internet of Things: The story so farInternet of Things: The story so far
Internet of Things: The story so farPayamBarnaghi
 
Small Cells & 5G IoT champions work item
Small Cells & 5G IoT champions work itemSmall Cells & 5G IoT champions work item
Small Cells & 5G IoT champions work itemSmall Cell Forum
 
The leadership in the new digital age carved by the fourth industrial revolu...
The leadership in the new digital age carved by the fourth industrial revolu...The leadership in the new digital age carved by the fourth industrial revolu...
The leadership in the new digital age carved by the fourth industrial revolu...Osaka University
 
5G Presentation
5G Presentation5G Presentation
5G PresentationEricsson
 
4G LTE Presentation Group 9
4G LTE Presentation Group 94G LTE Presentation Group 9
4G LTE Presentation Group 9eel4514team9
 
Analysis of 1G, 2G, 3G & 4G
Analysis of 1G, 2G, 3G & 4GAnalysis of 1G, 2G, 3G & 4G
Analysis of 1G, 2G, 3G & 4GPrateek Aloni
 

Andere mochten auch (20)

5G-webinar from 5G-course, Anritsu, adcomm
5G-webinar from 5G-course, Anritsu, adcomm 5G-webinar from 5G-course, Anritsu, adcomm
5G-webinar from 5G-course, Anritsu, adcomm
 
LTE :Mobile Network Security
LTE :Mobile Network SecurityLTE :Mobile Network Security
LTE :Mobile Network Security
 
Gsm security and encryption
Gsm security and encryptionGsm security and encryption
Gsm security and encryption
 
IoT and 5G: Opportunities and Challenges, SenZations 2015
IoT and 5G: Opportunities and Challenges, SenZations 2015IoT and 5G: Opportunities and Challenges, SenZations 2015
IoT and 5G: Opportunities and Challenges, SenZations 2015
 
Smart Cities, IoT, SDN, 5G Networks, Cloud Computing… Managing Complexity wit...
Smart Cities, IoT, SDN, 5G Networks, Cloud Computing… Managing Complexity wit...Smart Cities, IoT, SDN, 5G Networks, Cloud Computing… Managing Complexity wit...
Smart Cities, IoT, SDN, 5G Networks, Cloud Computing… Managing Complexity wit...
 
Lte security solution white paper(20130207)
Lte security solution white paper(20130207)Lte security solution white paper(20130207)
Lte security solution white paper(20130207)
 
Rethinking the Telcos business models in the age of 5G - Carlos LOPEZ, Telefó...
Rethinking the Telcos business models in the age of 5G - Carlos LOPEZ, Telefó...Rethinking the Telcos business models in the age of 5G - Carlos LOPEZ, Telefó...
Rethinking the Telcos business models in the age of 5G - Carlos LOPEZ, Telefó...
 
5 g business potential ieee 5g summit_110717_a
5 g business potential ieee 5g summit_110717_a5 g business potential ieee 5g summit_110717_a
5 g business potential ieee 5g summit_110717_a
 
Gsm security and encryption
Gsm security and encryptionGsm security and encryption
Gsm security and encryption
 
Security in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksSecurity in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) Networks
 
Security In LTE Access Network
Security In LTE Access NetworkSecurity In LTE Access Network
Security In LTE Access Network
 
Security and Transport Performance in 5G
Security and Transport Performance in 5GSecurity and Transport Performance in 5G
Security and Transport Performance in 5G
 
Internet of Things: The story so far
Internet of Things: The story so farInternet of Things: The story so far
Internet of Things: The story so far
 
Small Cells & 5G IoT champions work item
Small Cells & 5G IoT champions work itemSmall Cells & 5G IoT champions work item
Small Cells & 5G IoT champions work item
 
Long Term Evolution (LTE) -
Long Term Evolution (LTE) -Long Term Evolution (LTE) -
Long Term Evolution (LTE) -
 
The leadership in the new digital age carved by the fourth industrial revolu...
The leadership in the new digital age carved by the fourth industrial revolu...The leadership in the new digital age carved by the fourth industrial revolu...
The leadership in the new digital age carved by the fourth industrial revolu...
 
5G Presentation
5G Presentation5G Presentation
5G Presentation
 
4G LTE Presentation Group 9
4G LTE Presentation Group 94G LTE Presentation Group 9
4G LTE Presentation Group 9
 
Analysis of 1G, 2G, 3G & 4G
Analysis of 1G, 2G, 3G & 4GAnalysis of 1G, 2G, 3G & 4G
Analysis of 1G, 2G, 3G & 4G
 
LTE Basics
LTE BasicsLTE Basics
LTE Basics
 

Ähnlich wie Security Testing 4G (LTE) Networks

Getting to the Edge – Exploring 4G/5G Cloud-RAN Deployable Solutions
Getting to the Edge – Exploring 4G/5G Cloud-RAN Deployable SolutionsGetting to the Edge – Exploring 4G/5G Cloud-RAN Deployable Solutions
Getting to the Edge – Exploring 4G/5G Cloud-RAN Deployable SolutionsRadisys Corporation
 
GE Smallworld Network Inventory Overview
GE Smallworld Network Inventory OverviewGE Smallworld Network Inventory Overview
GE Smallworld Network Inventory Overviewcwilson5496
 
244079168 lte-overview
244079168 lte-overview244079168 lte-overview
244079168 lte-overviewArbab Husain
 
Software-Defined Networking (SDN): Unleashing the Power of the Network
Software-Defined Networking (SDN): Unleashing the Power of the NetworkSoftware-Defined Networking (SDN): Unleashing the Power of the Network
Software-Defined Networking (SDN): Unleashing the Power of the NetworkRobert Keahey
 
Backhaul considerations-ver2
Backhaul considerations-ver2Backhaul considerations-ver2
Backhaul considerations-ver2Rafael Junquera
 
LTE and Satellite: Solutions for Rural and Public Safety Networking
LTE and Satellite: Solutions for Rural and Public Safety NetworkingLTE and Satellite: Solutions for Rural and Public Safety Networking
LTE and Satellite: Solutions for Rural and Public Safety NetworkingSmall Cell Forum
 
Webcast: Reduce latency, improve analytics and maximize asset utilization in ...
Webcast: Reduce latency, improve analytics and maximize asset utilization in ...Webcast: Reduce latency, improve analytics and maximize asset utilization in ...
Webcast: Reduce latency, improve analytics and maximize asset utilization in ...Emulex Corporation
 
Supelec m2 m - iot - course 1 - update 2015 - part 1 - warming - v(0.4)
Supelec m2 m - iot - course 1 - update 2015 - part 1 - warming - v(0.4)Supelec m2 m - iot - course 1 - update 2015 - part 1 - warming - v(0.4)
Supelec m2 m - iot - course 1 - update 2015 - part 1 - warming - v(0.4)Thierry Lestable
 
Wireless cellular technologies draft0.3
Wireless cellular technologies draft0.3Wireless cellular technologies draft0.3
Wireless cellular technologies draft0.3ganeshmaali
 
Named Data Networking Operational Aspects - IoT as a Use-case
Named Data Networking Operational Aspects - IoT as a Use-caseNamed Data Networking Operational Aspects - IoT as a Use-case
Named Data Networking Operational Aspects - IoT as a Use-caseRute C. Sofia
 
4G wireless communication
4G wireless communication4G wireless communication
4G wireless communicationAnuraj Anand
 
Wireless cellular technologies
Wireless cellular technologiesWireless cellular technologies
Wireless cellular technologiesganeshmaali
 
Wireless cellular technologies
Wireless cellular technologiesWireless cellular technologies
Wireless cellular technologiesganeshmaali
 
Isep m2 m - iot - course 1 - update 2013 - 09122013 - part 2 - v(0.5)
Isep m2 m - iot - course 1 - update 2013 - 09122013 - part 2 - v(0.5)Isep m2 m - iot - course 1 - update 2013 - 09122013 - part 2 - v(0.5)
Isep m2 m - iot - course 1 - update 2013 - 09122013 - part 2 - v(0.5)Thierry Lestable
 
Implications of 4G Deployments (MEF for MPLS World Congress Ethernet Wholesa...
Implications of 4G Deployments (MEF for MPLS World Congress Ethernet Wholesa...Implications of 4G Deployments (MEF for MPLS World Congress Ethernet Wholesa...
Implications of 4G Deployments (MEF for MPLS World Congress Ethernet Wholesa...Javier Gonzalez
 

Ähnlich wie Security Testing 4G (LTE) Networks (20)

Telco systems final
Telco systems finalTelco systems final
Telco systems final
 
Getting to the Edge – Exploring 4G/5G Cloud-RAN Deployable Solutions
Getting to the Edge – Exploring 4G/5G Cloud-RAN Deployable SolutionsGetting to the Edge – Exploring 4G/5G Cloud-RAN Deployable Solutions
Getting to the Edge – Exploring 4G/5G Cloud-RAN Deployable Solutions
 
GE Smallworld Network Inventory Overview
GE Smallworld Network Inventory OverviewGE Smallworld Network Inventory Overview
GE Smallworld Network Inventory Overview
 
White Paper: LTE Needs Small Cells
White Paper: LTE Needs Small CellsWhite Paper: LTE Needs Small Cells
White Paper: LTE Needs Small Cells
 
244079168 lte-overview
244079168 lte-overview244079168 lte-overview
244079168 lte-overview
 
Software-Defined Networking (SDN): Unleashing the Power of the Network
Software-Defined Networking (SDN): Unleashing the Power of the NetworkSoftware-Defined Networking (SDN): Unleashing the Power of the Network
Software-Defined Networking (SDN): Unleashing the Power of the Network
 
Backhaul considerations-ver2
Backhaul considerations-ver2Backhaul considerations-ver2
Backhaul considerations-ver2
 
LTE and Satellite: Solutions for Rural and Public Safety Networking
LTE and Satellite: Solutions for Rural and Public Safety NetworkingLTE and Satellite: Solutions for Rural and Public Safety Networking
LTE and Satellite: Solutions for Rural and Public Safety Networking
 
Webcast: Reduce latency, improve analytics and maximize asset utilization in ...
Webcast: Reduce latency, improve analytics and maximize asset utilization in ...Webcast: Reduce latency, improve analytics and maximize asset utilization in ...
Webcast: Reduce latency, improve analytics and maximize asset utilization in ...
 
Supelec m2 m - iot - course 1 - update 2015 - part 1 - warming - v(0.4)
Supelec m2 m - iot - course 1 - update 2015 - part 1 - warming - v(0.4)Supelec m2 m - iot - course 1 - update 2015 - part 1 - warming - v(0.4)
Supelec m2 m - iot - course 1 - update 2015 - part 1 - warming - v(0.4)
 
Wireless cellular technologies draft0.3
Wireless cellular technologies draft0.3Wireless cellular technologies draft0.3
Wireless cellular technologies draft0.3
 
LTE CONCEPTS.pdf
LTE CONCEPTS.pdfLTE CONCEPTS.pdf
LTE CONCEPTS.pdf
 
LTE
LTELTE
LTE
 
Named Data Networking Operational Aspects - IoT as a Use-case
Named Data Networking Operational Aspects - IoT as a Use-caseNamed Data Networking Operational Aspects - IoT as a Use-case
Named Data Networking Operational Aspects - IoT as a Use-case
 
4G wireless communication
4G wireless communication4G wireless communication
4G wireless communication
 
Wireless cellular technologies
Wireless cellular technologiesWireless cellular technologies
Wireless cellular technologies
 
Wireless cellular technologies
Wireless cellular technologiesWireless cellular technologies
Wireless cellular technologies
 
SDN use cases_2014
SDN use cases_2014SDN use cases_2014
SDN use cases_2014
 
Isep m2 m - iot - course 1 - update 2013 - 09122013 - part 2 - v(0.5)
Isep m2 m - iot - course 1 - update 2013 - 09122013 - part 2 - v(0.5)Isep m2 m - iot - course 1 - update 2013 - 09122013 - part 2 - v(0.5)
Isep m2 m - iot - course 1 - update 2013 - 09122013 - part 2 - v(0.5)
 
Implications of 4G Deployments (MEF for MPLS World Congress Ethernet Wholesa...
Implications of 4G Deployments (MEF for MPLS World Congress Ethernet Wholesa...Implications of 4G Deployments (MEF for MPLS World Congress Ethernet Wholesa...
Implications of 4G Deployments (MEF for MPLS World Congress Ethernet Wholesa...
 

Mehr von 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 

Mehr von 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 

Security Testing 4G (LTE) Networks

  • 1. Security Testing 4G (LTE) Networks 44con 6th September 2012 Martyn Ruks & Nils 11/09/2012 1
  • 2. Today’s Talk • Intro to 4G (LTE) Networks • Technical Details • Attacks and Testing • Defences • Conclusions 11/09/2012 2
  • 3. Intro to 4G (LTE) Networks 11/09/2012 3
  • 4. Mobile Networks A Brief History Lesson • 1G – 1980s Analogue technology (AMPS, TACS) • 2G – 1990s Move to digital (GSM,GPRS,EDGE) • 3G – 2000s Improved data services (UMTS, HSPA) • 4G – 2010s High bandwidth data (LTE Advanced) 11/09/2012 4
  • 5. Mobile Networks Historic Vulnerabilities • Older networks have been the subject of practical and theoretical attacks • Examples include: • Ability to man in the middle • No perfect forward secrecy • No encryption on the back-end • LTE Advanced addresses previous attacks 11/09/2012 5
  • 6. Mobile Networks Current Status of 4G • Lots of 4G networks running or planned (eg Scandinavia, US) • UK Trials have run in Cornwall, London etc • Spectrum auction is important • EE services launches soon! 11/09/2012 6
  • 7. Mobile Networks Why is 4G Important? • Digital Britain strategy • Fixed line broadband expensive in remote locations • Provides high speed mobile data services • High level of scalability on the back- end 11/09/2012 7
  • 9. Conceptual View 3G Core NodeB Network RNC User Base Station Back-End Internet 11/09/2012 9
  • 10. Network Overview 3G HSS AuC NB UE NB RNC SGSN GGSN Internet Core Network 11/09/2012 10
  • 11. Conceptual View 4G EPC eNodeB User Base Station Back-End Internet 11/09/2012 11
  • 12. Network Overview 4G eNB MME HSS UE eNB SGw PGw PCRF Internet EPC 11/09/2012 12
  • 13. The Components User Equipment (UE) • What the customer uses to connect • Mainly dongles and hubs at present • Smartphones and tablets will follow (already lots in US) 11/09/2012 13
  • 14. The Components evolved Node B (eNB) • The bridge between wired and wireless networks • Forwards signalling traffic to the MME • Passes data traffic to the PDN/Serving Gateway 11/09/2012 14
  • 15. The Components Evolved Packet Core (EPC) • The back-end core network • Manages access to data services • Uses IP for all communications • Divided into several components 11/09/2012 15
  • 16. The Components Mobile Management Entity (MME) • Termination point for UE Signalling • Handles authentication events • Key component in back-end communications 11/09/2012 16
  • 17. The Components Home Subscriber Service (HSS) • Contains a user’s subscription data (profile) • Typically includes the Authentication Centre (AuC) • Where key material is stored 11/09/2012 17
  • 18. The Components PDN and Serving Gateways (PGw and SGw) • Handles data traffic from UE • Can be consolidated into a single device • Responsible for traffic routing within the back-end • Implements important filtering controls 11/09/2012 18
  • 19. The Components Policy Charging and Rules Function (PCRF) • Does what it says on the tin • Integrated into the network core • Allows operator to perform bandwidth shaping 11/09/2012 19
  • 20. The Components Home eNB (HeNB) • The “FemtoCell” of LTE • An eNodeB within your home • Talks to the MME and PDN/Serving Gateway • Expected to arrive much later in 4G rollout 11/09/2012 20
  • 21. Network Overview Control and User Planes 11/09/2012 21
  • 22. The Protocols Radio Protocols (RRC, PDCP, RLC) • These all terminate at the eNodeB • RRC is only used on the control plane RRC • Wireless user and control data PDCP RLC is encrypted (some exceptions) • Signalling data can also be encrypted end-to-end 11/09/2012 22
  • 23. The Protocols Internet Protocol (IP) • Used by all back-end comms • All user data uses it • Supports both IPv4 and IPv6 IP • Important to get routing and filtering correct • Common UDP and TCP services in use 11/09/2012 23
  • 24. The Protocols The Protocols - SCTP • Another protocol on top of IP • Robust session handling • Bi-directional sessions SCTP • Sequence numbers very IP important 11/09/2012 24
  • 25. The Protocols The Protocols – GTP-U • Runs on top of UDP and IP • One of two variants of GTP used in LTE GTP-U • This transports user IP data UDP • Pair of sessions are used IP identified by Tunnel-ID 11/09/2012 25
  • 26. The Protocols The Protocols – GTP-C • Runs on top of UDP and IP • The other variant of GTP used in LTE GTP-C • Used for back-end data UDP • Should not be used by the IP MME in pure 4G 11/09/2012 26
  • 27. The Protocols S1AP • Runs on top of SCTP and IP • An ASN.1 protocol • Transports UE signalling S1AP • UE sessions distinguished by SCTP IP a pair of IDs 11/09/2012 27
  • 28. The Protocols X2AP • Very similar to S1AP • Used between eNodeBs for signalling and handovers X2AP • Runs over of SCTP and IP and SCTP is also an ASN.1 protocol IP 11/09/2012 28
  • 30. Targets for Testing What Attacks are Possible • Wireless attacks and the baseband • Attacking the EPC from UE • Attacking other UE • Plugging into the Back-end • Physical attacks (HeNB) 11/09/2012 30
  • 31. Targets for Testing Wireless Attacks and the Baseband • A DIY kit for attacking wireless protocols is now closer (USRP based) • Best chance is using commercial kit to get a head-start • Not the easiest thing to attack 11/09/2012 31
  • 32. Targets for Testing Attacking the EPC from UE • Everything in the back-end is IP • You pay someone to give you IP access to the environment  • Easiest place to start 11/09/2012 32
  • 33. Targets for Testing Attacking other UE • Other wirelessly connected devices are close • May be less protection if seen as a local network • The gateway may enforce segregation between UE 11/09/2012 33
  • 34. Targets for Testing Wired network attacks • eNodeBs will be in public locations • They need visibility of components in the EPC • Very easy to communicate with an IP network • Everything is potentially in scope 11/09/2012 34
  • 35. Targets for Testing Physical Attacks (eNB) • Plugging into management interfaces is most likely attack, except … • A Home eNodeB is a different story • Hopefully we have learned from the Vodafone Femto-Cell Attack 11/09/2012 35
  • 36. What you can Test 11/09/2012 36
  • 37. Tests to Run As a Wirelessly Connected User • Visibility of the back-end from UE • Visibility of other UEs • Testing controls enforced by Gateway • Spoofed source addresses • GTP Encapsulation (Control and User) 11/09/2012 37
  • 38. Tests to Run From the Back-End • Ability to attack MME (signalling) • Robustness of stacks (eg SCTP) • Fuzzing • Sequence number generation • Testing management interfaces • Web consoles • SSH • Proprietary protocols 11/09/2012 38
  • 39. Tests to Run Challenges • Spoofing UE authentication is difficult • Messing with radio layers is hard • ASN.1 protocols are a pain • Injecting into SCTP is tough • Easy to break back-end communications 11/09/2012 39
  • 40. Tests to Run S1AP Protocol • By default no authentication to the service • Contains eNodeB data and UE Signalling • UE Signalling can make use of encryption and integrity checking • If no UE encryption is used attacks against connected handsets become possible 11/09/2012 40
  • 41. Tests to Run S1AP and Signalling S1AP NAS NAS UE eNB MME 11/09/2012 41
  • 42. Tests to Run S1AP and Signalling Spoofed Spoofed UE eNB MME UE eNB 11/09/2012 42
  • 43. Tests to Run S1AP and Signalling S1 Setup S1 Setup Response Attach Request eNB MME Authentication Request Authentication Response Security Mode 11/09/2012 43
  • 44. Tests to Run GTP Protocol • Gateway can handle multiple encapsulations • It uses UDP so easy to have fun with • The gateway needs to enforce a number of controls that stop attacks 11/09/2012 44
  • 45. Tests to Run GTP and User Data GTP IP IP IP UE eNB SGw Internet 11/09/2012 45
  • 46. Tests to Run GTP and User Data IP UE GTP UDP IP GTP eNodeB UDP IP 11/09/2012 46
  • 47. Tests to Run GTP and User Data GTP IP GTP IP GTP IP GTP UE eNB SGw Internet 11/09/2012 47
  • 48. Tests to Run GTP and User Data Destination IP Address (IP) GTP Tunnel Source IP Invalid IP ID (GTP) Address (IP) Protocols (IP) Source IP Address (GTP) UE eNB SGw PGw 11/09/2012 48
  • 49. Tests to Run Old Skool • Everything you already know can be applied to testing the back-end • Its an IP network and has routers and switches • There are management services running 11/09/2012 49
  • 51. Defences The Multi-Layered Approach • Get the IP network design right • Protect the IP traffic in transit • Enforce controls in the Gateway • Ensure UE and HeNBs are secure • Monitoring and Response • Testing 11/09/2012 51
  • 52. Defences Unified/Consolidated Gateway • The “Gateway” enforces some very important controls: • Anti-spoofing • Encapsulation protection • Device to device Routing • Billing and charging of users 11/09/2012 52
  • 53. Defences IP Routing • Architecture design and routing in the core is complex • Getting it right is critical to security • We have seen issues with this • This must be tested before an environment is deployed 11/09/2012 53
  • 54. Defences IPSec • If correctly implemented will provide Confidentiality and Integrity protection • Can also provide authentication between components • Keeping the keys secure is not trivial and not tested 11/09/2012 54
  • 55. Defences Architecture Consideration MME HSS EPC Switch Internet eNodeB Gateway Internet Serving Gateway PDN Gateway EPC 11/09/2012 55
  • 57. Conclusion 1 • There are 3 key protective controls that should be tested within LTE environments • Policies and rules in the Unified/Consolidated Gateway • The implementation of IPSec between all back- end components • A back-end IP network with well-designed routing and filtering 11/09/2012 57
  • 58. Conclusion 2 • Despite fears from the use of IP in 4G, LTE will improve security if implemented correctly • The 3 key controls must be correctly implemented • Testing must be completed for validation • Continued scrutiny is required • Legacy systems may be the weakest link 11/09/2012 58
  • 59. Conclusion 3 • Protecting key material used for IPSec is not trivial • The security model for IPSec needs careful consideration • Operational security processes are also important • Home eNodeB security is a challenge 11/09/2012 59
  • 60. Conclusion 4 • More air interface testing is needed • Will need co-operation from vendors/operators • “Open” testing tools will need significant development effort • Still lower hanging fruit if support for legacy wireless standards remain 11/09/2012 60
  • 61. Questions @mwrinfosecurity @mwrlabs 11/09/2012 61