4G Security - What hackers know?
OHM 2013
1 August 2013
Stephen Kho/ Rob Kuiters
Agenda
•Who we are & why we are giving this talk?
•Introduction and transition to 4G
•4G network architectural overview
•Protocols you need to know
•LTE & EPC components and vulnerabilities
•Mitigation & best practises
•Conclusions
•Q&A
Who we are & why this talk?
•Stephen Kho & Rob Kuiters
•KPN CISO Team
•KPN-CERT & REDteam
•Penetration Testing & Incident Response
•Overview of transition to 4G technology
•Provide understanding of components, protocols and
vulnerabilities
Introduction and transition to 4G
• 1G Nordic Mobile Telephone (1980)
• 2G Global System for Mobile Communication (1994)
• 3G Universal Mobile Telecommunications System (2004)
• 4G Evolved Packet System (2013)
• 5G ???? Somewhere 2023
[Diagram: User Equipment, Radio Network, Core Network]
2G
Basic Components
• Base Station Transceiver
• Base Station Controller
• Mobile Switching Centre / Visitor Location Register
• Home Location Register
Main Protocols
• BSSAP
• MAP / ISUP
[Diagram: 2G network, labelled "Walled Garden": UE, BTS, BSC, MSC / VLR, GMSC, HLR; link labels: voice, SS7]
2G and some
Basic Components
• Base Station Transceiver
• Base Station Controller
• Mobile Switching Centre / Visitor Location Register
• Serving GPRS Support Node / Visitor Location Register
• Gateway GPRS Support Node
• DNS
• Home Location Register
Main Protocols
• BSSAP / BSSGP
• GTP
• IP
• MAP / ISUP
[Diagram: 2G and some, labelled "Not So Walled Garden": UE, BTS, BSC, MSC / VLR, GMSC, HLR, SGSN, GGSN, DNS, GRX, WWW / PDN; link labels: voice, SS7]
3G
Basic Components
• NodeB
• Radio Network Controller
• Mobile Switching Centre / Visitor Location Register
• Serving GPRS Support Node / Visitor Location Register
• Gateway GPRS Support Node
• DNS
• Home Location Register / Authentication Centre
Main Protocols
• RANAP
• GTP
• IP
• MAP / ISUP UMTS
[Diagram: 3G network, labelled "Not So Walled Garden": UE, BTS, BSC, NodeB, RNC, MSC / VLR, GMSC, HLR, SGSN, GGSN, DNS, GRX, WWW / PDN; link labels: voice, SS7]
3G
Basic Components
• E NodeB
• Mobile Mobility Entity
• Serving Gateway
• Packet Data Network Gateway
• DNS
• Home Subscriber System
Main Protocols
• Diameter
• GTP
• IP
[Diagram, slide labelled "2G" and "Semi public open place": UE, BTS, MME, S-GW, PDN GW, HSS, WWW / PDN, IPX / GRX]
EPC components and vulnerabilities
Testing approach
•Infrastructure penetration test
•Host based security assessment
•Web application testing
•Code review
Information Gathering
Vulnerability Analysis
Exploitation
Where and what did we test?
[Diagram: Evolved Packet Core (EPC): UE, eNodeB, SeGW, MME, HSS, DRA, PDN-GW, DNS, Internet]
Diameter Routing Agent (DRA)
•Helps reduce number of connections between devices
•Complex routing and provisioning
•Load balancing and congestion control
•Multi-vendor interoperability
•Security functions – protocol validation
DRA vulnerabilities found (example from a vendor)
•Infrastructure penetration test
  •MySQL installation running with root user privileges & without a password
  •Improper network segmentation for running services
  •Weak password policy on the OS
  •Multiple users with sudo rights without a password
  •Multiple software security patches are missing
  •Easy to guess SNMPv3 password
•Web application test
  •Multiple default accounts
  •Inadequate user privilege separation
  •Insecure SSL certificate
Packet Data Network Gateway (PDN-GW)
• Connects UE to PDN
• Performs policy enforcement
• Packet filtering for each user
• Charging support
• Lawful Interception
PDN-GW vulnerabilities found (example from a popular vendor)
•Host security assessment
  •No firmware hashing or cryptographic verification
  •Clear-text transmission of PDN-GW login credentials
  •PDN-GW username enumeration possible
  •No failed login account lockout
  •Self-signed and expired SSL certificate
  •Weak password policy – no complexity
PDN-GW vulnerabilities found (example from a popular vendor)
•Code review (manual & automated static code analysis)
  •Hardcoded symmetric password encryption keys used
  •Weak lawful interception key generation
  •Software verification bypass
  •Weak authentication mechanism – weak encryption and hashing algorithm (DES, MD5)
Home Subscriber Server (HSS)
•Central database for user-related and subscription-related information
•Mobility management, call and session establishment support
•User authentication and access authorization
HSS vulnerabilities found (example from another popular vendor)
•Infrastructure penetration test
  •World exported NFS shares
  •Sensitive data stored on HSS NFS shares
  •Default account credentials in use
  •Critical security updates missing
  •Unnecessary services running
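Added example, not part of the original slides: a Python audit for two of the host findings listed above, world-exported NFS shares (HSS) and sudo rights without a password (DRA). The file contents, paths, host names and service name are constructed samples; the parsers cover common /etc/exports and sudoers syntax only (no quoted paths, no include files).

```python
import re

# Client specs that mean "every host" in /etc/exports. "" covers a bare
# "(options)" token and a path that has no client list at all.
WORLD_HOSTS = {"", "*", "0.0.0.0/0", "::/0"}
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")


def logical_lines(text):
    """Yield (first_line_no, text): comments dropped, '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


def find_world_exports(exports_text):
    """Return (line, path, client, options) for exports reachable by any host."""
    findings = []
    for no, line in logical_lines(exports_text):
        tokens = line.split()
        path = tokens[0]
        # Tokens starting with '-' are default options, not clients.
        clients = [t for t in tokens[1:] if not t.startswith("-")] or [""]
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            host = m.group(1)
            opts = [o for o in (m.group(2) or "").split(",") if o]
            if host in WORLD_HOSTS:
                findings.append((no, path, host or "(any host)", opts))
    return findings


def find_nopasswd_sudo(sudoers_text):
    """Return (line, principal, commands) for rules that skip the password."""
    findings = []
    for no, line in logical_lines(sudoers_text):
        first = line.split()[0]
        if first.startswith("Defaults"):
            # "Defaults !authenticate" removes the password prompt for its scope.
            if "!authenticate" in line:
                findings.append((no, first, "!authenticate"))
            continue
        if first.endswith("_Alias"):
            continue
        m = re.search(r"\bNOPASSWD\s*:\s*(.+)$", line)
        if m:
            findings.append((no, first, m.group(1).strip()))
    return findings


# Constructed sample input, not taken from the talk or from any vendor system.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/export/hss/backup   *(rw,sync,no_root_squash)
/export/hss/config   10.20.0.0/24(ro,sync)
/export/hss/logs     (ro)
/export/hss/dumps    oam1.example.net(rw) \\
                     0.0.0.0/0(ro)
"""

SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed)
Defaults env_reset
Cmnd_Alias SVC = /usr/bin/systemctl restart diameterd
root     ALL=(ALL:ALL) ALL
oam      ALL=(ALL) NOPASSWD: ALL
%support ALL=(root) NOPASSWD: SVC
"""


def audit(exports_text, sudoers_text):
    """Build one report line per finding."""
    report = []
    for no, path, client, opts in find_world_exports(exports_text):
        risk = "HIGH" if "rw" in opts or "no_root_squash" in opts else "MEDIUM"
        report.append(f"[{risk}] exports:{no} {path} exported to {client} {opts}")
    for no, who, cmds in find_nopasswd_sudo(sudoers_text):
        risk = "HIGH" if cmds in ("ALL", "!authenticate") else "MEDIUM"
        report.append(f"[{risk}] sudoers:{no} {who} runs {cmds} without a password")
    return report


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORTS, SAMPLE_SUDOERS)))
```
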
Mitigation & best practises
• Implement network segmentation & filtering
• Utilise centralised identity and access management
• Enforce vendor security patch update
• Implement security patch management
• Perform regular vulnerability scans
• Carry out in-depth penetration tests
• Implement host & network based IDS
• Practice incident response
Conclusion
•The Walled Garden telcos used to have is no longer there
•Vendor OSes are Linux or Windows based
•Common IP network vulnerabilities are present in 4G networks
•Telco vendors need to raise their IP security awareness
•Adopt common IP network security best practises and mitigations
•The community needs to help mature the overall security level of these “newer” protocols, e.g. Diameter, by doing more research
Thank you for your attention
rob.kuiters@kpn.com
stephen.kho@kpn.com
