6.2 Results
6.2.3 DoS Attack with IDR
Figure 6.7 illustrates a successful DoS attack on the subscriber with IDR message. The attacker impersonated the HSS and sent an IDR to the MME. The MME barred the services for the subscriber and detached the UE from the network. The highlighted portions show the sequence of messages. Fig- ure 6.8 shows the contents of the IDR message. The change of subscription data could not be captured in wireshark as it is an MME internal opera- tion. The fraud attack sequence is the same as the DoS attack except for the changes in IDR content.
Figure 6.7: IDR DoS: Wireshark Overview
Countermeasures
In this chapter we discuss potential countermeasures and mitigation strate- gies to counteract the attacks we identified. We also discuss the challenges and trade-offs for these countermeasures.
7.1
Using IPsec
IPsec protection following 3GPP TS 33.210 is one of the foremost protection measures that can be deployed. IPsec ensures that the both ends of a tunnel know the identity of each other. But it is helpful only if the other end could be trusted. The trust issue becomes challenging, in particular, when hop- by-hop security is deployed, for example, in roaming hubs because each hop would need its own IPsec tunnel. In such a hop-by-hop security approach, the duty of checking the next leg of the communication and ensuring that the communication is secure within the roaming hub server falls on the roaming hub provider. In SS7, there was no need for certificate management, therefore the roaming hub providers did not have any related costs. When it comes to Diameter, extra costs are to be incurred by the roaming hub providers. So changes to business practices would be needed. Another major challenge is that, if a partner operator rents out access to less trustworthy entities, it might potentially lead to the misuse of the trusted certificates of the partner operator. Also governments and spy agencies can misuse the operators in their own country, for e.g. to track the location of people.
7.2
SMS Home Routing
SMS protocol is one of the most commonly exploited protocols by the attack- ers to sniff operator network topology and to obtain subscriber information
such as IMSI. As per 3GPP TS 29.338 [67], for SMS routing, the SMSC of the subscriber contacts the HSS of the home network to identify the location of the recipient’s UE. Normally all outbound and cross-network SMS messages pass through the sender’s home network. Since SMS was initially designed for voice-message notification and not as a person-to-person messaging sys- tem, the inbound messages generated on other networks can be directly sent to the target subscribers that are under the control of the sending network. The MT-SMS protocol is discussed in Section 5.5.3.
Figure 7.1: SMS Home Routing
The 3GPP TR 23.840 [76], defines Mobile Terminated SMS home routing where the inbound short messages are routed through a MT service platform (commonly called SMS router), in the recipient’s home network. Figure 7.1 illustrates the working of SMS home routing. The SMS router safeguards the IMSI of a subscriber by using a 15 digit MT-SMS Correlation ID, which is unique and mapped to the IMSI and MSISDN of a subscriber. In a SRA message the Correlation-ID is sent instead of the IMSI, thereby hiding the IMSI from the sender’s SMSC. The Correlation-ID consists of a 3-digit MCC, a 3-digit MNC and a 9-digit Sender ID. The structure of MT-SMS Correlation ID is shown in Figure 7.2. The MCC and MNC are the codes of receiver’s HPLM, whereas the Sender ID is a random number unique for its lifetime. The Sender ID maps the inbound MT Forward SM message to a previous SRR.
SMS home routing relieves the VPLMN from requesting the IMSI and lo- cation of the receiving UE, and thereby defends the network against privacy
Figure 7.2: MT-SMS Correlation ID
breaches and fraud. The SMS router can also implement other protection mechanisms, such as anti-spam and filtering to defend against spam, phishing and malware. SMS home routing is not mandatory and the implementation of the protection mechanisms is up to the operator. However, the possi- ble implementation flaw with SM-Delivery Not Intended AVP discussed in Section 5.5.3 should be take care of when implementing SMS home routing.
7.3
Enhancements in DEA/DRA
Diameter Edge Agents and Diameter Routing Agents are the entry and exit points of any roaming interconnection. So securing the DEA/DRA can help in preventing many attacks. Since some of the messages used for the attacks that we described are part of regular communication, directly blocking those messages would interrupt the cellular services. The first approach is, that the nodes residing on the edge have proper interface separation i.e. they know if a message is for the Sh or S6a interface. For example, only some interfaces are open on the roaming interconnection such as S6a/S6d, S8, S9, and all other interface connections should be rejected on the interconnection.
Efficient filtering mechanisms based on the smart combination of cross- layer verification, IP address based blocking, origin host and realm checking, AVP verification and advance access control methods are recommended the LTE networks against the location privacy breach attacks. Firstly, the opera- tors should white-list their partners based on the protocols, IP address of the nodes, or origin host and realm and support for requested applications and required permissions. Such white-listing is highly recommended due to the increased risk for the support for interoperability with lower generation net- works of partner operators. Secondly, the operators should thoroughly mon- itor their network traffic in real time. They should include robust statistical traffic analysis methods to detect any unusual or abnormal behavior of the network nodes. Furthermore, the traffic from suspected nodes should be di- rected to honey-pots for further investigation to finally block the nodes. One of the key advantages of using strong access control policies in the nodes—
particularly in DEA/DRA — is that, even if the attacker bypasses sender origin filtering, the node would not respond beyond its configured functional- ity. On the other hand, the cross-layer verification in the hop-by-hop routes of Diameter helps to verify the origin of a message such that the operators can automatically block the messages originated from illicit nodes. However, telecom networks have a large number of requests every second and filtering every message might have a significant effect on the node performance. So, there is a security vs performance trade-off. The above mentioned filtering mechanisms might be available in the firewalls available in the market and it is very important to configure the firewall policies to effectively defend the LTE network against the attacks that are discussed in this thesis.
Conclusion
Diameter is gradually replacing the SS7 signaling protocol in the next gener- ation telecommunication networks. In this thesis, we provided a comprehen- sive review of security considerations of Diameter protocol. We discussed the possible exploits in Diameter signaling for an LTE network, which enables an attacker to deny services to targeted subscribers and illegitimately track the location of the mobile users. Though the advantages of Diameter signal- ing are many, the default security provided by Diameter is not sufficient to make LTE an attack-resistant network. While the roaming interconnections ensures cost-efficient way to provide cellular services on a global scale, it is important to deploy additional measures in the interconnection network to protect the users from privacy breaches and denial of service.
We described the various internal components of the core network, the roaming architecture to provide an insight into the working of 4G networks. Furthermore, we gave a detailed background on the interconnection network and the signaling protocols used. We explained how an attacker can gain access to the interconnection network and exploit the diameter signaling messages. We described in detail the various attacks ranging from denial of service to location tracking. We demonstrated the practical relevance of these attacks by implementing some of them in a test network and discussed their results in detail. We also articulated some potential countermeasures and explained the security mechanisms that can be used to identify attackers and block malicious messages at the Diameter Edge Agents (DEA) without affecting the normal functioning of other core network nodes.
The findings in this thesis are very useful to ensure interconnection secu- rity in the existing LTE deployments and the ones that are to be deployed. The standardization of fifth generation mobile networks has gained a lot of momentum recently and we argue that, without appropriate countermeasures and mitigation techniques in place, the threats discussed in this thesis might
be carried onto the next generation networks. With this thesis, we go one step further in the direction towards a sound telecom security architecture. The future work includes implementation of unverified attacks and finding appropriate mitigation strategies.
[1] B. Sanou, “The World in 2015: ICT facts and figures,” International Telecommunications Union, 2015.
[2] Statistia, “Number of LTE subscriptions worldwide from 2015 to 2020.” http://www.statista.com/statistics/206615/ forecast-of-the-number-of-global-hspa-LTE-subscriptions-up-to-2014/. [Accessed 30-June-2016], 2012.
[3] “White Paper: 5G Security,” tech. rep., Ericsson AB, 2015.
[4] E. Noam, “Interconnection practices,” Handbook of telecommunications economics, vol. 1, pp. 385–421, 2002.
[5] J. Postel, “Internet Protocol,” RFC 791, The Internet Engineering Task Force, September 1981.
[6] M. Paolini, “White Paper: Wireless security in LTE networks,” tech. rep., Senza Fili Consulting, 2012. [Accessed 30-June-2016].
[7] C. Cox, An introduction to LTE: LTE, LTE-advanced, SAE and 4G mobile communications. John Wiley & Sons, 2012.
[8] S. Sesia, I. Toufik, and M. Baker, LTE: the UMTS long term evolution. Wiley Online Library, 2nd ed., 2011.
[9] A. A. Atayero, M. K. Luka, M. K. Orya, and J. O. Iruemi, “3GPP long term evolution: Architecture, protocols and interfaces,” International Journal of Information and Communication Technology Research, vol. 1, no. 7, pp. 306–310, 2011.
[10] 3GPP, “Evolved Universal Terrestrial Radio Access Network (E- UTRAN); S1 layer 1 general aspects and principles,” TS 36.410; Release 12, 3rd Generation Partnership Project (3GPP).
[11] 3GPP, “Evolved Universal Terrestrial Radio Access Network (E- UTRAN); X2 Application Protocol (X2AP),” TS 36.423; Release 12, 3rd Generation Partnership Project (3GPP).
[12] M. Anas, C. Rosa, F. D. Calabrese, P.-H. Michaelsen, K. I. Pedersen, and P. E. Mogensen, “QoS-aware single cell admission control for UTRAN LTE uplink,” in Vehicular Technology Conference, 2008. VTC Spring 2008. IEEE, pp. 2487–2491, IEEE, 2008.
[13] 3GPP, “Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Frequency (RF) system scenarios,” TR 36.942; Release 12, 3rd Genera- tion Partnership Project (3GPP).
[14] F. Firmin, “The Evolved Packet Core,” http://www.3gpp.org/ technologies/keywords-acronyms/100-the-evolved-packet-core [Ac- cessed 30-June-2016].
[15] “The LTE network Architecture—A comprehensive tutorial,” tech. rep., Alcatel Lucent, 2009.
[16] 3GPP, “Architecture enhancements for non-3GPP accesses,” TS 23.402; Release 12, 3rd Generation Partnership Project (3GPP).
[17] 3GPP, “General Packet Radio Service (GPRS); Evolved GPRS Tun- nelling Protocol (eGTP) for EPS,” TS 29.274; Release 12, 3rd Genera- tion Partnership Project (3GPP).
[18] B. Dhindsa, A. Kaur, and S. Ahuja, “LTE interfaces and protocols,” in Computer Engineering and Applications (ICACEA), 2015 International Conference on Advances in, pp. 870–874, IEEE, 2015.
[19] 3GPP, “Interworking between the Public Land Mobile Network (PLMN) supporting packet based services and Packet Data Networks (PDN),” TS 29.061; Release 12, 3rd Generation Partnership Project (3GPP).
[20] G. Sanders, L. Thorens, M. Reisky, O. Rulik, and S. Deylitz, GPRS networks. John Wiley & Sons, 2004.
[21] 3GPP, “Policy and charging control over Gx reference point,” TS 29.212; Release 12, 3rd Generation Partnership Project (3GPP).
[22] 3GPP, “Policy and charging control over Rx reference point,” TS 29.214; Release 12, 3rd Generation Partnership Project (3GPP).
[23] N. Kottapalli, “Diameter and LTE Evolved Packet System: Radisys White Paper,” tech. rep., Radisys, 2011.
[24] M. Hata, “Empirical formula for propagation loss in land mobile radio services,” Vehicular Technology, IEEE Transactions on, vol. 29, no. 3, pp. 317–325, 1980.
[25] 3GPP, “Policy and Charging Control (PCC) over S9 reference point,” TS 29.215; Release 12, 3rd Generation Partnership Project (3GPP).
[26] Y. Park and T. Park, “A survey of security threats on 4G networks,” in 2007 IEEE Globecom Workshops, pp. 1–6, IEEE, 2007.
[27] N. Seddigh, B. Nandy, R. Makkar, and J.-F. Beaumont, “Security ad- vances and challenges in 4G wireless networks,” in Privacy Security and Trust (PST), 2010 Eighth Annual International Conference on, pp. 62– 71, IEEE, 2010.
[28] J. Zheng, “Research on the Security of 4G Mobile System in the IPv6 Network,” in Recent Advances in Computer Science and Information Engineering, pp. 829–834, Springer, 2012.
[29] C. Sankaran, “Network access security in next-generation 3GPP sys- tems: A tutorial,” IEEE Communications Magazine, vol. 47, no. 2, pp. 84–91, 2009.
[30] D. Forsberg, H. Leping, K. Tsuyoshi, and S. Alanara, “Enhancing se- curity and privacy in 3GPP E-UTRAN radio interface,” in 2007 IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications, pp. 1–5, IEEE, 2007.
[31] M. Zhang and Y. Fang, “Security analysis and enhancements of 3GPP authentication and key agreement protocol,” IEEE Transactions on wireless communications, vol. 4, no. 2, pp. 734–742, 2005.
[32] B. Ravishankar and M. Harishankar, “Roaming issues in 3GPP se- curity architecture and solution using UMM architecture,” in Mo- bile Ubiquitous Computing, Systems, Services and Technologies, 2008. UBICOMM’08. The Second International Conference on, pp. 457–462, IEEE, 2008.
[33] D. S. Tonesi, L. Salgarelli, and A. Tortelli, “Securing the signaling plane in beyond 3G networks: analysis of performance overheads,” Security and Communication Networks, vol. 3, no. 2-3, pp. 217–232, 2010.
[34] “General Recommendations on Telephone Switching and Signalling- Vocabulary of switching and signalling terms,” tech. rep., ITU- Telecommunication Standardization sector, 1993.
[35] P. Calhoun, J. Loughney, E. Guttman, G. Zorn, and J. Arkko, “Diam- eter base protocol,” RFC 3588, The Internet Engineering Task Force, September 2003.
[36] S. Holtmanns, S. P. Rao, and I. Oliver, “User Location Tracking At- tacks for LTE Networks Using the Interworking Functionality,” in IFIP Networking Conference (IFIP Networking), IEEE, 2016.
[37] B. Gabelgaard, “The (GSM) HLR-advantages and challenges,” in Uni- versal Personal Communications, 1994. Record., 1994 Third Annual In- ternational Conference on, pp. 335–339, IEEE, 1994.
[38] 3GPP, “Interface Protocols for the Connection of Short Message Ser- vice Centers (SMSCs) to Short Message Entities (SMEs),” TR 23.039; Release 12, 3rd Generation Partnership Project (3GPP).
[39] L. Dryburgh and J. Hewett, Signaling System No. 7 (SS7/C7): protocol, architecture, and services. Cisco press, 2005.
[40] T. Moore, T. Kosloff, J. Keller, G. Manes, and S. Shenoi, “Signal- ing System 7 (SS7) network security,” in Circuits and Systems, 2002. MWSCAS-2002. The 2002 45th Midwest Symposium on, vol. 3, pp. III– 496, IEEE, 2002.
[41] 3GPP, “Mobile Application Part (MAP) specification,” TS 29.002; Re- lease 12, 3rd Generation Partnership Project (3GPP).
[42] S. Rao, “Analysis and Mitigation of Recent Attacks on Mobile Commu- nication Backend,” Master’s thesis, Aalto University School of Science and Technology, Espoo, Finland, 2015.
[43] C. Rigney, A. Rubens, W. Simpson, and S. Willens, “Remote Authen- tication Dial In User Service (RADIUS),” RFC 2865, The Internet En- gineering Task Force, June 2000.
[44] R. Stewart, “Stream Control Transmission Protocol,” RFC 4960, The Internet Engineering Task Force, September 2007.
[45] J. Liu, S. Jiang, and H. Lin, “Introduction to Diameter.” https: //www.ibm.com/developerworks/library/wi-diameter/. [Accessed 30- June-2016].
[46] 3GPP, “3G security; Network Domain Security (NDS); IP network layer security,” TS 33.210; Release 12, 3rd Generation Partnership Project (3GPP).
[47] E. Guttman, C. Perkins, and J. Kempf, “Service Templates and Service: Schemes,” RFC 2609, Internet Engineering Task Force, June 1999.
[48] S. Cheshire and M. Krochmal, “DNS-Based Service Discovery,” RFC 6763, Internet Engineering Task Force, Feb. 2013.
[49] T. Dierks and E. Rescorla, “The Transport Layer Security (TLS) Pro- tocol,” RFC 5246, The Internet Engineering Task Force, August 2008.
[50] P. Langlois, “Diameter vs SS7 from a security perspective,” 2013. http: //labs.p1sec.com/2013/07/28/346/ [Accessed 30-June-2016].
[51] S. K. Yoo, H. G. Kim, and S. W. Sohn, “Enhancement of failover using application layer watchdog and SCTP heartbeat in diameter,” in Mobile Communications, pp. 239–246, Springer, 2003.
[52] A. Hosia, “Comparison between RADIUS and Diameter.” http://www. tml.tkk.fi/Studies/T-110.551/2003/papers/11.pdf, May 2003.
[53] 3GPP, “InterWorking Function (IWF) between MAP based and Diame- ter based interfaces,” TS 29.305; Release 12, 3rd Generation Partnership Project (3GPP).
[54] 3GPP, “InterWorking Function (IWF) between MAP based and Diame- ter based interfaces,” TR 29.805; Release 12, 3rd Generation Partnership Project (3GPP).
[55] “Claro Americas IR.21 Data.” http://www.claro.com.br/sites/files/ contratos/arquivos/orpa_roam_claro_001-2015_-_anexo_4-apend_ a-roaming_nacional_-_ir_21_0.pdf. [Accessed 30-June-2016].
[56] “Vivo Brazil IR.21 Data.” https://www.vivo.com.br/portalweb/ ShowPropertyServlet?nodeId=/UCMRepository/CONTRIB_093689. [Ac- cessed 30-June-2016].
[57] 3GPP, “Numbering, addressing and identification,” TS 23.003; Release 12, 3rd Generation Partnership Project (3GPP).
[58] L. Ghigonis, “SS7map: SS7 country risk ratings,” 2014. http:// labs.p1sec.com/2014/12/28/ss7map-country-risk-ratings/ [Accessed 30-June-2016].
[59] T. Engel, “Locating mobile phones using signalling system 7,” in 25th Chaos communication congress, 2008.
[60] GSMA, “IR.77 Inter-Operator IP Backbone requirements for service providers and Inter-Operator Ip backbone providers,” Tech. Rep. 3.0, GSM Association (GSMA), 2015. (Internal document).
[61] A. Dabrowski, N. Pianta, T. Klepp, M. Mulazzani, and E. Weippl, “IMSI-catch me if you can: IMSI-catcher-catchers,” in Proceedings of the 30th annual computer security applications Conference, pp. 246–255, ACM, 2014.
[62] 3GPP, “Feasibility study on 3GPP system to Wireles Local Area Net- work (WLAN) interworking,” TR 22.934; Release 12, 3rd Generation Partnership Project (3GPP).
[63] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, “Ex- tensible Authentication Protocol (EAP),” RFC 3748, The Internet En- gineering Task Force, June 2004.
[64] H. Haverinen and J. Salowey, “Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Sub- scriber Identity Modules (EAP-SIM),” RFC 4186, The Internet Engi- neering Task Force, January 2006.
[65] J. Arkko and H. Haverinen, “Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP- AKA),” RFC 4187, The Internet Engineering Task Force, January 2006.
[66] 3GPP, “3G security; Wireless Local Area Network (WLAN) interwork- ing security,” TS 33.234; Release 12, 3rd Generation Partnership Project (3GPP).
[67] 3GPP, “Diameter based protocols to support Short Message Service (SMS) capable Mobile Management Entities (MMEs),” TS 29.338; Re- lease 12, 3rd Generation Partnership Project (3GPP).
[68] ITU-T, “E 164: The international public telecommunication numbering plan,” International Telecommunications Union (ITU), 2010.
[69] 3GPP, “MME Related Interfaces Based on Diameter Protocol,” TS 29.272; Release 12, 3rd Generation Partnership Project (3GPP).
[70] 3GPP, “Circuit Switched (CS) fallback in Evolved Packet System (EPS); Stage 2,” TS 23.272; Release 12, 3rd Generation Partnership Project (3GPP).
[71] 3GPP, “Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3,” TS 24.301; Release 12, 3rd Generation Partnership Project (3GPP), Sept. 2008.
[72] 3GPP, “Technical realization of Operator Determined Barring (ODB),” TS 23.015; Release 12, 3rd Generation Partnership Project (3GPP).
[73] 3GPP, “Mobility Management Entity (MME) - Visitor Location Regis- ter (VLR) SGs interface specification,” TS 29.118; release 12, 3rd Gen- eration Partnership Project (3GPP).
[74] “RestComm JDiameter.” https://github.com/RestComm/jdiameter/. [Accessed 30-June-2016].
[75] “Wireshark.” https://www.wireshark.org/. [Accessed 30-June-2016].
[76] 3GPP, “Study into routing of MT-SMS via the HPLMN,” TR 23.840; Release 7, 3rd Generation Partnership Project (3GPP).