4G Security - What hackers know?
OHM 2013
1 August 2013
Stephen Kho / Rob Kuiters
Agenda
•Who we are & why we are giving this talk?
•Introduction and transition to 4G
•4G network architectural overview
•Protocols you need to know
•LTE & EPC components and vulnerabilities
•Mitigation & best practises
•Conclusions
•Q&A
Who we are & why this talk?
•Stephen Kho & Rob Kuiters
•KPN CISO Team
•KPN-CERT & REDteam
•Penetration Testing & Incident Response
•Overview of transition to 4G technology
•Provide understanding of components, protocols and
vulnerabilities
Introduction and transition to 4G
• 1G Nordic Mobile Telephone (1980)
• 2G Global System for Mobile Communication (1994)
• 3G Universal Mobile Telecommunications System (2004)
• 4G Evolved Packet System (2013)
• 5G ???? Somewhere 2023
[Diagram: User Equipment, Radio Network, Core Network]
2G
Basic Components
• Basestation Transceiver
• Basestation Controller
• Mobile Switching Centre / Visitor Location Register
• Home Location Register
Main Protocols
• BSSAP
• MAP / ISUP
[Diagram, 2G, "Walled Garden": BSC, HLR, UE, BTS, MSC / VLR, GMSC, voice, SS7]
2G and some
Basic Components
• Basestation Transceiver
• Basestation Controller
• Mobile Switching Centre / Visitor Location Register
• Serving GPRS Support Node / Visitor Location Register
• Gateway GPRS Support Node
• DNS
• Home Location Register
Main Protocols
• BSSAP / BSSGP
• GTP
• IP
• MAP / ISUP
[Diagram, 2G and some, "Not So Walled Garden": BSC, HLR, UE, BTS, MSC / VLR, GMSC, voice, SS7, SGSN, GGSN, WWW / PDN, GRX, DNS]
3G
Basic Components
• NodeB
• Radio Network Controller
• Mobile Switching Centre / Visitor Location Register
• Serving GPRS Support Node / Visitor Location Register
• Gateway GPRS Support Node
• DNS
• Home Location Register / Authentication Centre
Main Protocols
• RANAP
• GTP
• IP
• MAP / ISUP UMTS
[Diagram, 3G, "Not So Walled Garden": BSC, HLR, UE, BTS, MSC / VLR, GMSC, voice, SS7, SGSN, GGSN, WWW / PDN, GRX, DNS, RNC, NodeB]
3G
Basic Components
• E NodeB
• Mobile Mobility Entity
• Serving Gateway
• Packet Data Network Gateway
• DNS
• Home Subscriber System
Main Protocols
• Diameter
• GTP
• IP
[Diagram, 2G, "Semi public open place": S-GW, HSS, UE, BTS, MME, PDN GW, WWW / PDN, IPX / GRX]
EPC components and vulnerabilities
Testing approach
•Infrastructure penetration test
•Host based security assessment
•Web application testing
•Code review
[Diagram: Information Gathering, Vulnerability Analysis, Exploitation]
Where and what did we test?
[Diagram: Evolved Packet Core (EPC), PDN-GW, SeGW, MME, HSS, eNodeB, DRA, UE, Internet, DNS]
Diameter Routing Agent (DRA)
•Helps reduce number of connections between devices
•Complex routing and provisioning
•Load balancing and congestion control
•Multi-vendor interoperability
•Security functions – protocol validation
DRA vulnerabilities found (example from a vendor)
•Infrastructure penetration test
  •MySQL installation running with root user privileges & without a password
  •Improper network segmentation for running services
  •Weak password policy on the OS
  •Multiple users with sudo rights without a password
  •Multiple software security patches are missing
  •Easy to guess SNMPv3 password
•Web application test
  •Multiple default accounts
  •Inadequate user privilege separation
  •Insecure SSL certificate
Packet Data Network Gateway (PDN-GW)
• Connects UE to PDN
• Performs policy enforcement
• Packet filtering for each user
• Charging support
• Lawful Interception
PDN-GW vulnerabilities found (example from a popular vendor)
•Host security assessment
  •No firmware hashing or cryptographic verification
  •Clear-text transmission of PDN-GW login credentials
  •PDN-GW username enumeration possible
  •No failed login account lockout
  •Self-signed and expired SSL certificate
  •Weak password policy – no complexity
PDN-GW vulnerabilities found (example from a popular vendor)
•Code review (manual & automated static code analysis)
  •Hardcoded symmetric password encryption keys used
  •Weak lawful interception key generation
  •Software verification bypass
  •Weak authentication mechanism – weak encryption and hashing algorithm (DES, MD5)
Home Subscriber Server (HSS)
•Central database for user-related and subscription-related information
•Mobility management, call and session establishment support
•User authentication and access authorization
HSS vulnerabilities found (example from another popular vendor)
•Infrastructure penetration test
  •World exported NFS shares
  •Sensitive data stored on HSS NFS shares
  •Default account credentials in use
  •Critical security updates missing
  •Unnecessary services running
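
A host check for two of the findings on these slides (world-exported NFS shares on the HSS, sudo rights without a password on the DRA), as an added example that is not part of the original talk. The function names and both sample files are constructed for illustration, and export paths containing spaces are assumed not to occur.

```python
"""Audit two host findings from the slides: world-exported NFS shares and
sudo rules that need no password. Sample file contents are constructed."""
import re

# Client specs in /etc/exports that match every host.
WORLD_CLIENTS = {"*", "", "0.0.0.0/0", "::/0"}

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/export/subscriber_db  *(rw,no_root_squash)
/export/backup         10.20.0.0/24(ro) 10.20.1.7(rw)
/export/logs           (ro)
/export/cfg            mgmt01.example.net(rw) \\
                       0.0.0.0/0(ro)
/export/tmp
"""

SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
oper    ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
#1001   ALL=(ALL) NOPASSWD: ALL
"""


def logical_lines(text):
    """Join backslash-continued lines and drop blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]


def world_exports(exports_text):
    """Return (path, client, options) for NFS exports open to any host."""
    findings = []
    for line in logical_lines(exports_text):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if not clients:
            # A bare path with no client list is exported to every host.
            findings.append((path, "*", ""))
            continue
        for spec in clients:
            m = re.fullmatch(r"([^()]*)(?:\(([^)]*)\))?", spec)
            if m is None:
                continue
            client, options = m.group(1), m.group(2) or ""
            if client in WORLD_CLIENTS:
                findings.append((path, client or "*", options))
    return findings


def passwordless_sudo(sudoers_text):
    """Return (who, commands) for sudoers rules tagged NOPASSWD."""
    findings = []
    for line in logical_lines(sudoers_text):
        # '#' starts a comment unless it introduces a numeric uid (#1001).
        if line.startswith("#") and not re.match(r"#\d", line):
            continue
        if line.startswith(("Defaults", "@include")) or "NOPASSWD:" not in line:
            continue
        who = line.split()[0]
        commands = line.split("NOPASSWD:", 1)[1].strip()
        commands = re.sub(r"\s+#.*$", "", commands)  # drop trailing comment
        findings.append((who, commands))
    return findings


def audit(exports_text, sudoers_text):
    """Combine both checks into human-readable finding lines."""
    report = []
    for path, client, options in world_exports(exports_text):
        opts = options or "default options"
        report.append(f"NFS world export: {path} -> {client} ({opts})")
    for who, commands in passwordless_sudo(sudoers_text):
        report.append(f"sudo without password: {who} may run {commands}")
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS, SAMPLE_SUDOERS):
        print(finding)
```
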
Mitigation & best practises
• Implement network segmentation & filtering
• Utilise centralised identity and access management
• Enforce vendor security patch update
• Implement security patch management
• Perform regular vulnerability scans
• Carry out in-depth penetration tests
• Implement host & network based IDS
• Practice incident response
Conclusion
•The walled garden telcos used to have no longer exists
•Vendor OSes are Linux or Windows based
•Common IP network vulnerabilities are present in 4G networks
•Telco vendors need to raise their IP security awareness
•Adopt common IP network security best practises and mitigations
•The community needs to help mature the overall security level of these “newer” protocols, e.g. Diameter, by doing more research
Thank you for your attention
rob.kuiters@kpn.com
stephen.kho@kpn.com
