LTEcloudSecurityIssuesTakeaways-GP
1. Presented @ CanSecWest, 2012, Vancouver & ISSA International Conference 2012, Anaheim, CA
Galina Pildush, PhD
2.
• Is:
  • LTE introduction
  • LTE perspectives and vulnerabilities
• Is not:
  • Everything else
3.
• LTE = Long-Term Evolution of Evolved Universal Terrestrial Radio Access Network
• Greater flexibility of spectrum usage
• Reduced latency
• Interworking with other systems, for example CDMA2000
• LTE-Advanced
• Worldwide functionality and roaming
• Service compatibility
• Enhanced peak data rates (100 Mbps – 1 Gbps)
4. [Diagram: basic GPRS architecture blocks and interfaces, divided into AN and CN. Caption: "This is where it was a few years ago …". Legend: interfaces supporting user traffic; interfaces supporting signalling. Elements: UTRAN (RNC, NodeB), GERAN (BSC, BTS), SGSN, GGSN, HSS (HLR, AuC), MSC, VLR, GMSC, CS-MGW, PCRF, PSTN, Internet. Interfaces: Gi, Gn, Gx, IuPS, IuCS, Gb, Gr, Gs, Gc, A, C, D, Nc, Mc, Nb. Note: not all network elements and interfaces shown.]
5. [Diagram: basic GPRS and EPS architecture blocks and interfaces, divided into AN and CN. Caption: "This is where it is today … and still evolving …". Elements carried over from the GPRS diagram: UTRAN (RNC, NodeB), GERAN (BSC, BTS), SGSN, GGSN, HSS (HLR, AuC), MSC, VLR, GMSC, CS-MGW, PCRF, PSTN, Internet. EPS elements: E-UTRAN (eNodeB), MME, S-GW, PDN-GW. EPS interfaces: S1-U, S1-MME, S3, S4, S5, S8, S11, S12, S6a, SGi, Gx, Gxc. Note: not all network elements and interfaces shown.]
6. [Diagrams: three user-plane protocol stacks.
• Protocol Reference Model GERAN User Plane. Nodes: UE, BS, SGSN, Serving GW, PDN GW. Interfaces: Um, Gb, S4, S5/S8, SGi. Layers shown: Appl, IP, SNDCP, LLC, RLC, MAC, GSM RF, BSSGP, Network Service, L1bis, GTP-U, UDP, IP, Layer 2, Layer 1, Relay.
• Protocol Reference Model UTRAN User Plane. Nodes: UE, UTRAN, Serving GW, PDN GW. Interfaces: Uu, Iu, S5/S8, SGi. Layers shown: Appl, IP, PDCP, RLC, MAC, Layer 1, GTP-U, UDP/IP, Layer 2, Relay.
• Protocol Reference Model E-UTRAN User Plane. Nodes: UE, eNodeB, Serving GW, PDN GW. Interfaces: LTE-Uu, S1-U, S5/S8, SGi. Layers shown: Appl, IP, PDCP, RLC, MAC, Layer 1, GTP-U, UDP/IP, Layer 2, Relay.]
10.
• Traditionally PSTN is a “Walled Garden”
• Protocols are not widely spread and/or known
• Complex protocols
• Closed architectures
• Controlled access
• Today LTE access uses IP as a transport
• Convergence of voice and data
• Convergence of wireline and wireless
• Lower operations costs
• Ahh… Life is good … or IS IT NOT?
11.
• Love sooo … many Apps - over 10.9 billion (expected to rise to 76.9 billion by 2014!) *
• The more the merrier
• Free is better than paid for
• Voice, video, data – all in one!
• Enjoy high speed
• Want my SP to maintain the service I subscribe to
• Ahh… Life is good… or IS IT NOT?
*Source: IDC
12.
• Can connect with staff any time from anywhere
• Should be able to increase productivity
• Faster decision making
• Instant access to teleworkers
• Instant deal making
• Etc., etc., etc …
• Ahh… Life is good … or IS IT NOT?
13.
• The more apps, the merrier –
• It’s a Wild-Wild West (WWW) out there – grab as much as you can
• No regulations, validations, or restrictions
• I can masquerade as anyone or anything
• Phish around tricking you into entering sensitive information
• Financial theft
• Privacy theft
• Challenge is invigorating
• This is a wonderland – millions of walking servers with eyes and ears without firewalls
• Ahh… Life IS good!
14.
• LTE is IP end-to-end
• The protocols are open
• The infrastructures are getting more complex
• This could introduce new vulnerabilities
• Complexity does not mean more secure
• What does it all mean to a security person?
15.
• The threats are possible on:
  • Network Infrastructure elements – RAN, Core
  • Bandwidth consumption
  • Servers
  • UEs
16.
• On network elements – paralyzing the network
  • Flood attacks
  • Worm infections and Trojan attacks
  • Spam and virus attacks
  • Man in the middle attacks
• On UEs
  • Phishing
  • Botnet
  • Viruses
  • Worms
  • Trojan attacks
• Trusted but infected UEs could become sources of attacks
17.
• Paralyzed:
• Network elements and/or entire network infrastructures
• Fixed servers
• Mobile servers – UEs
• Misbehaved servers
• Mis-billing and/or overbilling
• Battery drainage on UEs
• Personal data compromised
• Financial theft
• Misconduct
• Unhappy customers
• Loss of privacy
• Loss of customers
• Bad industry reputation
• Loss of revenue and business
18.
19.
• UEs
• The out-of-control spread of unprotected servers – smart phones EVERYWHERE!
• Operators core
• Facing Internet
• Peering points
• RAN-Core connection
• Operators RAN
20. [Diagram: EPS architecture spanning HPLMN and VPLMN, joined by an IPX Cloud, annotated with signalling protocol stacks. Elements: E-UTRAN (eNodeB), MME, S-GW, PDN-GW, L-GW, HSS (HLR, AuC), H-PCRF, V-PCRF, OCS, 3rd Party Application Function Domain, Internet. Interfaces: S1-MME, S1-U, S5, S8, S9, S10, S11, S6a, Gx, Gy, Rx, SGi. Protocol stacks shown: S1-AP / SCTP / IP / Lower Layers; DIAMETER / SCTP / IP / Lower Layers.]
21.
• SCTP Association hijacking:
• Address camping or stealing
• If attacker can take over an IP address they can restart the association
• Man-in-the-middle
• Bombing attacks:
• Get a server to amplify packets to an innocent victim
• Allows an attacker to use an arbitrary SCTP endpoint to send multiple packets to a victim in response to one packet
• Allows an attacker to use an SCTP server to send a larger packet to a victim than it sent to the SCTP server
• Association redirection – http://tools.ietf.org/html/rfc5062
23.
• Diameter attacks
• Negotiation attack – could cause Diameter server to choose a less secure authentication method (CHAP, PAP, for example)
• Connection hijacking – attacker attempts to inject packets
• Replay
• Snooping packets
• Packet modifications
• Impersonation – rogue NEs with forged IP addresses
• Man-in-the-middle attack – attackers gain control of a Diameter agent, modifying packets in transit
25.
• Attacks from a peering side – GTPv2 and GTP-U
• GTP-in-GTP could be used as an attack – spoofing NEs, recursive GTP packet processing
• Rogue data from “trusted” partners
• Remember – although GTP is “GPRS Tunnelling Protocol” there is no built-in encryption
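Added example (not part of the original deck): one way a GTP-aware filter on S1-U or S5/S8 can flag the GTP-in-GTP case from slide 25, by decapsulating a GTPv1-U G-PDU and checking whether the subscriber's own packet is addressed to a GTP port. The function names and the sample packets are constructed for illustration; UDP 2123 and 2152 are the registered GTP-C and GTP-U ports, and IPv6 extension headers in the inner packet are not walked.

```python
import struct
from typing import Optional, Tuple

GTP_PORTS = {2123, 2152}   # UDP ports of GTP-C and GTP-U
G_PDU = 0xFF               # GTP-U message type carrying a user packet

# Constructed samples: GTPv1-U header + IPv4 + UDP, checksums left as zero.
IP_HDR = "4500001c0000000040110000 0a000001 c000020a"  # 10.0.0.1 -> 192.0.2.10
SAMPLE_DNS = bytes.fromhex("30ff001c00000001" + IP_HDR + "9c40003500080000")
SAMPLE_NESTED = bytes.fromhex("30ff001c00000001" + IP_HDR + "9c40086800080000")

def inner_packet(gtpu: bytes) -> Optional[bytes]:
    """Return the user packet carried by a GTPv1-U G-PDU, else None."""
    if len(gtpu) < 8:
        return None
    flags, msg_type, length, _teid = struct.unpack("!BBHI", gtpu[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != G_PDU:
        return None                       # not GTPv1 / not GTP / not a G-PDU
    body = gtpu[8:8 + length]
    if len(body) != length:
        return None                       # truncated: length field overstates
    if flags & 0x07:                      # E, S or PN set: 4 optional octets
        if len(body) < 4:
            return None
        next_ext, body = body[3], body[4:]
        while flags & 0x04 and next_ext:  # walk the extension header chain
            ext_len = body[0] * 4 if body else 0
            if ext_len == 0 or len(body) < ext_len:
                return None
            next_ext, body = body[ext_len - 1], body[ext_len:]
    return body

def udp_ports(ip: bytes) -> Optional[Tuple[int, int]]:
    """Return (src, dst) UDP ports of an IPv4 or IPv6 packet, else None."""
    version = ip[0] >> 4 if ip else 0
    if version == 4 and len(ip) >= 20:
        proto, offset = ip[9], (ip[0] & 0x0F) * 4
    elif version == 6 and len(ip) >= 40:
        proto, offset = ip[6], 40         # IPv6 extension headers not walked
    else:
        return None
    if proto != 17 or offset < 20 or len(ip) < offset + 4:
        return None
    return struct.unpack("!HH", ip[offset:offset + 4])

def is_gtp_in_gtp(gtpu: bytes) -> bool:
    """True when the tunnelled user packet is itself addressed to a GTP port."""
    ports = udp_ports(inner_packet(gtpu) or b"")
    return ports is not None and bool(GTP_PORTS & set(ports))
```

A filter would call is_gtp_in_gtp on the UDP payload of each packet seen on port 2152 and drop or log the ones that return True.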
26. [Diagram: EPS architecture spanning HPLMN and VPLMN, joined by an IPX Cloud, annotated with transport protocol stacks. Elements: E-UTRAN (eNodeB), MME, S-GW, PDN-GW, L-GW, HSS (HLR, AuC), H-PCRF, V-PCRF, OCS, 3rd Party Application Function Domain, Internet. Interfaces: S1-MME, S1-U, S5, S8, S9, S10, S11, S6a, Gx, Gy, Rx, SGi. Protocol stacks shown: IP / Lower Layers.]
27.
• Attacks from the Internet – SGi
• DDoS attacks
• Botnets
• Exploit core network elements and turn them into attack vectors
• Viruses, worms, Trojans, Overbilling
• Etc… etc… etc
28.
• SMS Trojans –
• Polymorphic, mutating with every download
• Known as server-side polymorphism
• Existed in the world of desktops
• More can be found here - http://www.techworld.com.au/article/414311/symantec_warns_android_trojans_mutate_every_download
• Attacks evolved from SMS-type to application layer, covering ALL handheld devices – iPhones/iPads, Androids, RIM, Notebooks, etc, etc, etc…
• Spam messages
• Exploit of unregistered pre-paid SIM cards
• Exploit of signaling fraud
29.
• UE
• Network Infrastructure
• RANs
• Against known and unknown attacks
32.
• While convergence sounds great, should I converge all my networks – wireline, wireless, voice, data, others (?)
• How do I protect my cloud?
• Where is my “walled garden”?
• IP transport + UE apps bring security concerns
• Protocol vulnerabilities at signaling/control planes
• Open protocols/applications
• Lack of apps standards
• What are the possible vulnerabilities?
• Is it good enough to just do NAT/CGNAT?
• Are the threats really there?
33.
• Exponential spread of UEs
• Is this a déjà vu of wired line 10-15 years ago?
• How do I detect an infected UE?
• What do I do with the infected UE?
• Should I do policy enforcement with an infected UE?
• Can I be held liable for delivering customer traffic securely?
• Cost vs. risk
• Complexity vs. ease of management
• IPv6
• Transition to
• Could IP within IP pose more threat?
34.
• Protect
• My phone from viruses, Trojan attacks, worm, etc.
• Integrity of my data
• My privacy
• Ensure
• Secure access
• Secure services
• Proper billing
• Optimal use of my phone, including its battery life
• Privacy
35.
• Takes a long time
• From standards security perspective
• Missing holistic view - it is rather piecemeal
• Optional encryption of EVERYTHING
• Is it enough?
36.
• Be careful with new Apps
• Anything free could bite you back – free WiFi, free app, free …
• Check for availability of security solutions for your UEs
• Be proactive in designing your protection
• Include protection of the protectors – firewalls
• Deploy FWs
• Deploy IPSec VPNs
• Be careful with what is encrypted
• Ensure you trust the termination elements of IPSec
• Can you afford to trust them?
37.
• Understand the “normal” traffic flows
• Throttle at perimeter, as close to source as feasible
• Pros – more accurate and controlled
• Cons – could be scaling difficulty
• Reduces the impact of unknown
• Evens the traffic flows
• Deploy elements of firewall features for DDoS, etc attacks
[Diagram labels: Apply FW protection; Define Baseline; Throttle Traffic Close to Source]
38.
• You?
• Smart phone manufacturer?
• Service provider?
• Anybody else?
And
• Is Mobile protection just that – “mobile” or is it “YOUR Identity”