
The core network of a 4G mobile network according to the 3GPP architecture can be divided into several domains, as visualized by the figure below.

[Figure: domains of the 4G core network (panel: Radio)]

In a pure 4G network, the core network is fully packet based, and is called Evolved Packet Core (EPC). As 4G networks are expected to be evolved from existing 3G networks, core network elements specific to a 3G network (i.e. up to 3GPP Rel.7) may also be part of the network. 3G core networks comprise the Circuit Switched (CS) domain and the Packet Switched (PS) domain. The CS domain supports circuit switched services, in particular voice.

The PS domain – similar to the EPC – provides IP connectivity between mobile terminals and IP service networks. These include external networks like corporate IP networks or the Internet. A specific IP service network that is typically not external, but part of the PLMN itself, is the IP Multimedia System (IMS).

Common to packet and circuit switched services is the need for subscriber management, including the location of mobile subscribers. 3GPP specifies the Home Subscriber Server (HSS) as the central component here. Functions like the Equipment Identity Register (EIR) complement the subscriber management domain.

Charging is an important function in mobile networks. 3GPP specifies the Policy and Charging Control (PCC) architecture, with the Policy and Charging Rules Function (PCRF) as the central control component. Charging systems are used to perform offline and online charging functions (for postpaid and prepaid service, respectively).

In addition to the domains and functions mentioned above, 4G mobile networks comprise various additional functions, including Messaging Services and Location Services.

The following sections discuss the risks for the various parts of a 4G mobile network as summarized above. Note that many aspects are similar for the different core network elements, e.g. they are located in a rather well protected area of the mobile network, they have many core-internal interfaces that external attackers cannot easily reach, they all provide functions to support operation, administration and maintenance, and they are all located in physically protected premises. To avoid redundancy, these aspects are mostly discussed in an exemplary style for the SAE-GW and not repeated for each core network element.

4.3.1 Evolved Packet Core (EPC)

In a pure 4G network, all user traffic is packet traffic and is transported via the EPC. The central user plane component is the SAE-GW; the control plane component for 4G access is the MME. Access via 2G/3G access networks to the EPC is possible via an SGSN. To allow for access via non-3GPP access networks, an evolved Packet Data Gateway (ePDG) may be used between core and access network, and the 3GPP AAA-Server is specified to support user authentication in non-3GPP access scenarios.

Figure 1 on page 9 illustrates the EPC as the core network of a 4G mobile network. Note that the figure shows only the most relevant components and interfaces.

4.3.1.1 SAE-GW

The following picture shows the SAE-GW embedded in the EPS.

Figure 32: The SAE-GW within the Mobile Network

Note that the SAE-GW can be split into a Serving Gateway and a PDN Gateway. The reference point between these components is called S5 if it is inside one PLMN and S8 if it is between two PLMNs (to support roaming). S5 and S8 are functionally equivalent. Only S8 is discussed in the following; S5 is treated like an internal interface.

The SAE-GW supports the following functions/protocols:

- Termination of user plane tunnels towards UEs (includes tunnel control, e.g. protocols to set up or tear down tunnels):
  o GTP at S4 interface to S4-SGSN, Gn/Gp interface to Gn/Gp-SGSN, S8 interface to (other) Serving-GW
  o GTP-c (i.e. control only) at S1-MME interface to MME
  o GTP-u (i.e. user plane only) at S1-U interface to eNBs and S12 interface to UTRAN RNC or UTRAN NodeB with RNC function
  o MIPv4 (SAE-GW is Home Agent, S2a interface)
  o PMIPv6 (SAE-GW is Local Mobility Anchor, S2a, S2b interface, S8 to other Serving-GW)
  o DSMIP (SAE-GW is Home Agent, S2c interface)
  o GRE (S103 interface to CDMA2000 access)
  o Note that IPsec is recommended at many of these interfaces, in particular at the S1 interface towards the RAN, or between core network components if different security domains are involved (e.g. two different PLMNs)
- Switching of user plane tunnels as a Serving-GW only (GTP-U or PMIP over the S8 interface to the PDN-GW function in another SAE-GW; the Serving-GW is the Mobile Access Gateway in PMIP)
- Interconnection and IP forwarding between user plane tunnels to UEs and IP service networks, including MNO internal networks (e.g. an IMS core network) and external networks like corporate networks or the Internet.
  o Interconnection to IP service networks may be IP user plane directly on layer 2, or may involve the tunneling protocols GRE, IPsec or L2TP
  o IP routing protocols like OSPF may be supported
- RADIUS client using RADIUS to communicate with RADIUS servers in IP service networks
- DHCP relay agent using DHCP to communicate with DHCP servers in IP service networks and DHCP clients in UEs
- Interaction with 3GPP AAA-Server using Diameter (S6b interface)
- Policy and Charging Enforcement Function (PCEF), controlled by the Policy and Charging Rules Function (PCRF) using Diameter over the Gx or Gxc interface.
- Client to an Online Charging System (Diameter Credit Control, RFC 4006).
- Client to an (Offline) Charging Gateway using GTP' (GTP prime)
- OAM functions (like SSH server, (S)FTP client/server, HTTP(S) server, SNMP instance, or proprietary OAM functions) using the respective standardized or proprietary protocols to communicate with various components of an operation and maintenance center (element managers, backup & restore servers, logging servers etc.)
- Lawful Interception (receiving interception requests and transporting communication content and interception related information towards the law enforcement agencies' monitoring centers).

The SAE-GW typically communicates with network elements in external networks, e.g. SGSNs, SAE-GWs or ePDGs in other PLMNs, (e)NBs or RNCs in LTE or UMTS radio access networks (that may belong to different organizations, e.g. in the case of RAN sharing), components in non-3GPP access networks, AAA servers or DHCP servers in external IP service networks (e.g. corporate networks), or external monitoring centers for lawful interception.

The SAE-GW may communicate with various remote communication peers over backbones that are owned by third parties, e.g. backhauling networks (that connect access network components like eNBs to the core), a GRX (GPRS roaming exchange network) that interconnects different PLMNs, or backbone networks that interconnect core network sites. It should be noted that (e)NBs, even when being part of the same PLMN as the SAE-GW, may be deployed in locations with little physical protection, so there is a non-negligible probability that these communication peers of the SAE-GW are compromised by attackers via physical access.

Note that user traffic from UEs is mostly only forwarded but not further processed by the SAE-GW. The same holds for traffic from IP service networks, except for communication with an AAA server or DHCP server in an external IP service network.

There is one notable case where the SAE-GW communicates with terminals and must do more than pure IP forwarding: if the terminal uses DSMIP for non-3GPP access, the SAE-GW acts as home agent and has to process the DSMIP control traffic of the terminal. Note that it is assumed that the vast majority of terminals will not be connected to the mobile network via DSMIP.

In the following, the threat categories specified in chapter 3 are discussed for the SAE-GW.

T1 Flooding an interface

The SAE-GW has many interfaces. It is connected to various different network elements. It has to process traffic from external IP networks, including the Internet, and from UEs (that may be hostile, e.g. may even form a botnet). On the other hand, an SAE-GW should be prepared to process traffic on user interfaces at wire speed, and should comprise sound overload control mechanisms.

If one of the interfaces is flooded, this may result in a DoS condition for many users, which may be long lasting.

T2 Crashing a network element via a protocol or application implementation flaw

The SAE-GW supports a multitude of protocols. There is a considerable chance of implementation errors in some of these protocols. Moreover, the SAE-GW communicates with hostile peers, e.g. hosts in the Internet and UEs. Mostly, this is only IP forwarding, but it may also include processing DSMIP control traffic.

The SAE-GW does not support any applications for end users. One function that may be abused in the sense of this threat could be the RADIUS client function, which may have to process RADIUS replies from external AAA servers.

Crashing of the SAE-GW will mean DoS for many subscribers until the SAE-GW is restarted.

As long as the exploited vulnerability is not fixed, an attacker may be able to crash an SAE-GW repeatedly.
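The implementation errors T2 worries about are typically length-handling mistakes in the many protocol decoders an SAE-GW runs. As an added illustration (not code from the source document or from any SAE-GW product), the following hypothetical decoder for the GTPv2-C PDU layout of 3GPP TS 29.274 (flags/type/length header, optional TEID, sequence number, then type-length-instance-value IEs) validates every length field against the octets actually present before using it, so a malformed PDU is dropped instead of crashing the element; the sample PDUs are hand-constructed, not captured traffic.

```python
import struct

# Constructed sample PDUs, hand-assembled after the TS 29.274 layout (not captured traffic).
ECHO_REQUEST = bytes.fromhex("4001 0009 000001 00 03 0001 00 07")  # v2, no TEID, seq 1, Recovery IE
CREATE_SESSION_REQUEST = bytes.fromhex("4820 000f 12345678 0000ab 00 47 0003 00 026162")  # TEID, APN IE
BAD_IE_LENGTH = bytes.fromhex("4001 0009 000001 00 03 0010 00 07")  # IE claims 16 octets, 1 present

class GtpParseError(ValueError):
    """Framing inconsistency; the caller drops the PDU instead of crashing."""

def parse_gtpv2c(data: bytes) -> dict:
    """Parse one GTPv2-C PDU; every length field is checked against the octets
    actually present before it is used, so malformed input raises GtpParseError."""
    if len(data) < 4:
        raise GtpParseError("short header")
    flags, msg_type, msg_len = struct.unpack_from("!BBH", data, 0)
    if flags >> 5 != 2:
        raise GtpParseError("unsupported GTP version")
    if msg_len + 4 != len(data):          # length counts all octets after the 4-octet header
        raise GtpParseError("length field does not match PDU size")
    offset, teid = 4, None
    if flags & 0x08:                      # T flag: 32-bit TEID present
        if len(data) < offset + 4:
            raise GtpParseError("truncated TEID")
        teid = struct.unpack_from("!I", data, offset)[0]
        offset += 4
    if len(data) < offset + 4:
        raise GtpParseError("truncated sequence number")
    seq = int.from_bytes(data[offset:offset + 3], "big")
    offset += 4                           # 3 octets sequence number + 1 spare octet
    ies = []
    while offset < len(data):
        if len(data) - offset < 4:
            raise GtpParseError("truncated IE header")
        ie_type, ie_len, inst = struct.unpack_from("!BHB", data, offset)
        offset += 4
        if ie_len > len(data) - offset:   # the over-read a naive decoder would make
            raise GtpParseError(f"IE {ie_type} claims {ie_len} octets, {len(data) - offset} left")
        ies.append((ie_type, inst & 0x0F, data[offset:offset + ie_len]))
        offset += ie_len
    return {"msg_type": msg_type, "teid": teid, "seq": seq, "ies": ies}

def is_well_formed(data: bytes) -> bool:
    try:
        parse_gtpv2c(data)
        return True
    except GtpParseError:
        return False
```

The same admission check applies to the other tunnel and AAA protocols listed above; a decoder that trusts a peer-supplied length is exactly the flaw an attacker on an exposed interface can trigger.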

T3 Eavesdropping

Most of the SAE-GW interfaces are internal, i.e. between core components only, in the well protected network core, so external attackers have few possibilities to attack. On the backhauling interfaces, 3GPP mandates the usage of IPsec encryption unless the link is otherwise sufficiently protected. It is assumed that operators follow this recommendation.

T3.1 Control and management plane

Control protocols may be cryptographically protected on all interfaces – however, the focus of this protection may be on integrity rather than confidentiality.

Most control information may be neither critical nor valuable for attackers, i.e. it cannot easily be abused.

T3.2 User plane

An attacker is much more likely to mount eavesdropping attacks against the user plane not at the SAE-GW interfaces, but at other links in the communication path, e.g. in the IP service network (which may be the Internet).

Sensitive user information may be protected by means independent of the mobile network, e.g. online banking is typically protected by the usage of HTTPS.

User information classification can range between "public" and "top secret". There is no valid estimation of the impact of loss of confidentiality (from the user's point of view). However, it is assumed that highly sensitive user plane data are secured independently of the mechanisms provided by the mobile network, so eavesdropping, even when breaking some mobile network specific protection, will only reveal encrypted data. This somewhat limits the impact of such an attack.

On the other hand, it should be noted that a high number of users could be affected if an attacker is able to eavesdrop user plane traffic at the SAE-GW.

T4 Unauthorized access to sensitive data on a network element via leakage

No user plane data are stored on the SAE-GW. The control data on the SAE-GW may be of no direct use for the attacker, so there may be no significant impact if an attacker is, e.g., able to read static configuration data or dynamic user profile data.

T5 Traffic modification

Similar considerations as for eavesdropping (T3) hold. Control traffic at external interfaces should be cryptographically integrity protected according to 3GPP standards.

A successful attack may lead to DoS or theft of service.

T6 Data modification on a network element

No user plane data are stored on the SAE-GW. As described in T4, there is not much chance to abuse user applications.

Modification of control data may lead to DoS or theft of service.

T7 Compromise of a network element via a protocol or application implementation flaw

Typically, the SAE-GW will implement good protection mechanisms, adequate to the high importance of this network element. However, as an SAE-GW is highly complex, it cannot be safely assumed that there are no exploits possible via abuse of one of the various functions and protocols.

T8 Compromise of a network element via a management interface

It is typical behavior of attackers to go for management interface weaknesses.

An SAE-GW is expected to provide means to secure the management properly, and these means may be used to an extent that depends on the operator. E.g., a well organized, solid network operator may achieve a low vulnerability. However, poorer operational practices may lead to a significant vulnerability, taking into account that the SAE-GW is rather exposed to attackers via its user plane interconnections.

T9 Malicious insider

The likelihood of a malicious insider is relatively low, but may depend on hard-to-influence factors like the social and cultural context. An SAE-GW can be an attractive target for an insider, given its many functions, in particular for the user plane, and its central place in the network.

Abuse of an SAE-GW by a malicious insider, in particular an attacker with administrator access, cannot be prevented by technical means. It may be logged, however, so the attacker may fear being detected afterwards. The vulnerability against the malicious insider threat also depends on organizational processes within the operator organization, and on operational practices with respect to the network operation.

T10 Theft of service

As the SAE-GW performs charging for user plane traffic, attacking it with the goal to steal services is assumed to be pretty likely. On the other hand, the charging function should not offer any obvious interfaces available to attackers, at least external attackers, so the vulnerability is estimated only at medium level. It may be lower if only (simple) volume- or time-based charging is done, and higher if more complex schemes like content-based charging are applied. The impact of theft of service is obviously high for the operator, although it may not endanger the availability of the network and its services.

The following table shows the assessment resulting from the above considerations (the risk value is the product of likelihood, vulnerability factor and impact).

Threat                          Likelihood   Vulnerability factor   Impact   Risk
T1 Flooding an interface        4            2                      5        40
T2 Crashing a network element   4            3                      4        48