DEF CON 31 War Stories - Nuthin But A G Thang Evolution of Cellular Networks - Tracy Mosley
Introduction to Cellular Networks
Speaker Introduction and Context
- The speaker expresses gratitude for the audience's attendance, highlighting their excitement about speaking at DEF CON for the first time.
- Tracy introduces herself as a vulnerability researcher at Trenchant, with a background in reverse engineering and embedded development focused on telecommunications.
Talk Overview
- The presentation covers network architecture, mitigations, and publicly known vulnerabilities or attacks for each generation of cellular network: 2G (GSM), 3G (UMTS), 4G (LTE), and 5G (New Radio).
- The emphasis is on cellular core networks rather than radio access networks.
Understanding Cellular Network Generations
Visual Representation of Network Evolution
- A visual timeline illustrates the evolution of cellular networks from 1G to 5G, clarifying common misconceptions about terminology related to different generations.
Basic Cellular Concepts
- Introduction of key concepts such as PSTN (Public Switched Telephone Network), which consists of circuit-switched landline systems initially based on analog technology.
- Explanation of circuit switching as end-to-end unbroken communication lines, contrasting it with packet-switched technologies that are prevalent today.
Deep Dive into 2G Architecture
GSM Implementation
- Discussion begins with the implementation of GSM for 2G in the '90s, noting its significance in enabling calls and SMS without data capabilities.
Network Components
- Description of mobile stations as devices used for communication within the network; these connect to the Radio Access Network (RAN).
- Breakdown of RAN components including antennas, radios, baseband units, and their role in connecting users to the core network.
Core Network Functionality
Mobile Switching Center Role
- The Mobile Switching Center (MSC) is introduced as the core component that handles mobility management for the circuit-switched network.
Databases Within Core Networks
- Explanation of the essential core-network databases: Home Location Register (HLR), Visitor Location Register (VLR), Authentication Center (AuC), and Equipment Identity Register (EIR):
  - HLR stores information about local users' activity status and location.
  - VLR holds temporary data for visiting users.
  - AuC manages the secret keys associated with SIM cards.
Understanding Mobile Network Architecture and Security Vulnerabilities
Overview of Mobile Network Components
- The mobile station, which is a 2G-capable device, communicates with the base transceiver station (BTS), managed by the base station controller (BSC). This forms the radio access network.
- The signal is then routed to the mobile switching center (MSC), which contains various registers and connects to external networks like PSTN through the gateway MSC.
Security Concerns in GSM Networks
- GSM lacks mutual authentication, making it vulnerable to attacks such as IMSI-catchers.
- A significant threat is the man-in-the-middle attack enabled by a rogue BTS, which can push the connection onto a weaker encryption scheme or disable encryption entirely.
- Traffic beyond the BTS is carried in clear text, so it is exposed in transit.
Introduction to GPRS: Enhancements and Features
- General Packet Radio Service (GPRS), often referred to as 2.5G, integrates IP functionality into GSM's circuit-switched architecture, enabling multimedia messages and push-to-talk services.
- GPRS introduces new components like serving GPRS support nodes (SGSN), responsible for location management, security controls, packet routing, and mobility management.
Core Network Structure in GPRS
- The core network now includes both circuit-switched and packet-switched elements that share registers between MSC and SGSN for improved efficiency.
- The gateway GPRS support node (GGSN), functioning as a router/firewall/gateway hybrid, assigns IP addresses within the core network before connecting to public data networks.
Attack Vectors in GPRS Networks
- Although the packet-switched portion of GPRS improves mutual authentication somewhat, the rogue-BTS threat remains.
- Research has found live GPRS networks in countries such as Italy and Denmark running with encryption disabled.
- A further issue: HTTP traffic with extra bytes appended to the packets is not properly verified or validated, allowing such packets to bypass the GGSN.
3G and UMTS: Evolution of Mobile Networks
Overview of 3G Technology
- 3G introduces new signaling methods that improve internet functionality; UMTS was deployed alongside GPRS rather than replacing it.
- All generations of mobile technology run concurrently in live networks; they are not standalone systems.
UMTS Network Structure
- The term "user endpoint" replaces "mobile station," reflecting a shift in terminology within the network architecture.
- The radio network controller manages NodeBs and handles mobility management, encryption, and radio management functions.
- The core network structure remains similar, but updated components replace older ones: the NodeB takes the place of the base transceiver station.
Security Enhancements in 3G
- True mutual authentication is introduced to mitigate IMSI-catcher attacks; however, the guidance on how temporary identifiers should be used lacks specificity.
- Confidentiality is strengthened on the radio access link and in both the signaling and user planes; users can now see their connection type on the device.
Attack Vectors in 3G Networks
- Rogue NodeB attacks persist but require more targeted approaches due to enhanced security measures.
- Downgrade attacks force a device to fall back to an older standard (e.g., from 3G to 2G).
- Remote IMSI attacks exploit unencrypted integrity keys generated by the core network, compromising user endpoint security.
HLR Overloading Attacks
- Attackers can tie up SGSN resources by repeatedly sending resynchronization requests between user endpoints and HLR.
- A variant attack involves generating RRC connection requests for valid IMSIs, overwhelming the HLR's authentication process.
Transitioning to LTE: Long-Term Evolution
Introduction to LTE
- LTE is referred to as "3.95G" initially due to marketing debates over its classification as true 4G; it eventually gains acceptance as part of the 4G family.
Understanding the Evolution of Network Architecture
Transition to Fully IP-Based Networks
- The network architecture has transitioned to a fully IP-based system, eliminating the separation between circuit-switched and IP portions.
- Key components are the user endpoint, the eNodeB (evolved Node B), and the Mobility Management Entity (MME), which handles bearer activation and deactivation, paging, and authentication.
- The Home Subscriber Server (HSS) merges the functions of the home location register (HLR) and the authentication center (AuC), simplifying subscriber data management.
Core Network Components
- The Signal Gateway (SGW) resembles the Serving GPRS Support Node (SGSN), responsible for routing and forwarding data packets within the network.
- The Public Data Network Gateway (PDN Gateway or PGW) serves as an entry/exit point for cellular networks, enforcing policies and handling packet filtering and charging.
Security Enhancements
- Security is tightened: authentication and security configuration must complete before the mobile equipment identifier (IMEI) is sent to the eNodeB, a significant improvement over earlier generations.
- Mobility management is now a separate entity (the MME), reflecting the ongoing reorganization of network functions.
Attack Vectors in LTE Networks
- A notable attack vector is described in the paper "LTEInspector," detailing an authentication relay attack where attackers impersonate legitimate devices to access core networks without credentials.
- Paging channel hijacking involves malicious eNodeBs broadcasting fake messages at high frequencies during user endpoint paging cycles, disrupting legitimate notifications like calls or SMS.
Psychological Manipulation through Attacks
- Attackers can inject fake paging messages causing panic alerts (e.g., tornado warnings), leading to psychological distress among users by exploiting critical communication channels.
Implementation Errors Leading to Vulnerabilities
- Temporary identifiers such as the GUTI can become effectively permanent through implementation errors (they are never refreshed), allowing attackers to infer user locations or identities from the leaked values.
- Specific vulnerabilities exist within Cisco's PDN Gateway 2200 series related to malformed header processing that could lead to denial of service attacks against the gateway.
Consequences of Denial of Service Attacks
LTE Advanced and 5G Network Architecture Overview
LTE Advanced Features
- LTE Advanced and LTE Advanced Pro add features such as IPv6 support, adaptive modulation, time-varying channels, VoLTE, and the IP Multimedia Subsystem (IMS).
- Overview of network architecture components including user endpoint, eNodeB (evolved Node B), mobility management entity (MME), home subscriber server (HSS), signaling gateway, public data network gateway (PGW), and policy charging rules function.
Security Mitigations in LTE
- Encryption of all data on the radio interface becomes mandatory, a shift from earlier recommendations to a requirement.
- The Authentication and Key Agreement (AKA) procedure provides mutual authentication between the user endpoint and the Evolved Packet Core.
- Discussion of attack vectors like IMSI-catchers and vulnerabilities in Cisco ASR 5000 PDN gateway related to malformed encapsulating security payload packets affecting ICMP traffic.
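To make the AKA exchange concrete, here is an added example (not code from the talk) that models both sides of the procedure in Python: the home network issues RAND and AUTN, the USIM verifies the MAC and the sequence number before answering, and the network compares RES with XRES. It assumes HMAC-SHA256 truncations as stand-ins for the MILENAGE f1/f2/f5 functions and omits CK/IK derivation (f3/f4).

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 truncations stand in for the MILENAGE/TUAK functions
# f1..f5 a real USIM and AuC/HSS/UDM implement. Output lengths follow TS 33.102.
def _f(k: bytes, tag: bytes, data: bytes, n: int) -> bytes:
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def f1(k, rand, sqn, amf): return _f(k, b"f1", rand + sqn + amf, 8)  # MAC-A
def f2(k, rand): return _f(k, b"f2", rand, 8)                        # RES / XRES
def f5(k, rand): return _f(k, b"f5", rand, 6)                        # AK, conceals SQN
# f3/f4 (CK/IK derivation) are omitted; they do not affect the authentication outcome.

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class HomeNetwork:
    """AuC/HLR (2G/3G), HSS (LTE) or UDM/AUSF (5G): holds K and the SQN counter."""
    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0
    def challenge(self):
        self.sqn += 1
        sqn, amf = self.sqn.to_bytes(6, "big"), b"\x80\x00"
        rand = os.urandom(16)
        # AUTN = (SQN xor AK) || AMF || MAC-A
        autn = xor(sqn, f5(self.k, rand)) + amf + f1(self.k, rand, sqn, amf)
        return rand, autn, f2(self.k, rand)   # XRES stays on the network side

class USIM:
    """Subscriber side: checks AUTN before it reveals anything derived from K."""
    def __init__(self, k: bytes):
        self.k, self.sqn_seen = k, 0
    def respond(self, rand: bytes, autn: bytes):
        sqn, amf, mac = xor(autn[:6], f5(self.k, rand)), autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return "MAC_FAILURE", None          # network did not prove it knows K
        if int.from_bytes(sqn, "big") <= self.sqn_seen:
            return "SYNC_FAILURE", None         # stale or replayed challenge
        self.sqn_seen = int.from_bytes(sqn, "big")
        return "OK", f2(self.k, rand)           # RES goes back to the network

def run_aka(hn: HomeNetwork, ue: USIM) -> str:
    rand, autn, xres = hn.challenge()           # network -> UE: RAND, AUTN
    status, res = ue.respond(rand, autn)        # UE -> network: RES (or a failure)
    if status != "OK":
        return status
    return "OK" if hmac.compare_digest(res, xres) else "RES_MISMATCH"
```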
Vulnerabilities Identified
- GPRS Tunneling Protocol (GTP) issues: crafted packets can cause session managers to restart unexpectedly, denying service to users.
- Mention of hard-coded MME keys found by P1 Security during research at Hack The Box; highlights risks associated with exposed interfaces on PDN gateways.
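As an added example of the input validation a GTP-U endpoint or monitoring probe should apply before handing a packet to a session manager (not code from the talk or from any vendor), the following Python parser checks the GTPv1 header strictly and rejects inconsistent lengths and truncated extension-header chains rather than trusting the packet; the sample G-PDU is constructed.

```python
import struct

class MalformedGTP(ValueError):
    """Anything a GTP-U endpoint should drop (and log) rather than dispatch."""

def parse_gtpv1(pkt: bytes) -> dict:
    """Strict GTPv1 header parse (TS 29.281 layout); never trusts a length field."""
    if len(pkt) < 8:
        raise MalformedGTP("shorter than the 8-byte mandatory header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise MalformedGTP(f"unsupported GTP version {flags >> 5}")
    if not flags & 0x10:
        raise MalformedGTP("PT=0 (GTP') is not valid on a GTP-U socket")
    if length != len(pkt) - 8:          # length covers everything after the 8 bytes
        raise MalformedGTP(f"length field {length} != {len(pkt) - 8} bytes present")
    hdr = {"type": msg_type, "teid": teid, "seq": None, "ext": []}
    off = 8
    if flags & 0x07:                    # E, S or PN set: all three optional fields exist
        if len(pkt) < 12:
            raise MalformedGTP("optional-field flag set but fields missing")
        seq, _npdu, next_ext = struct.unpack("!HBB", pkt[8:12])
        if flags & 0x02:
            hdr["seq"] = seq
        off = 12
        # Extension headers (only if E is set): 1 byte length in 4-octet units,
        # content, then 1 byte giving the next extension type (0 ends the chain).
        while flags & 0x04 and next_ext != 0:
            if off >= len(pkt) or pkt[off] == 0:
                raise MalformedGTP("bad extension header length")
            ext_len = pkt[off] * 4
            if off + ext_len > len(pkt):
                raise MalformedGTP("extension header runs past end of packet")
            hdr["ext"].append((next_ext, pkt[off + 1:off + ext_len - 1]))
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    if msg_type == 0xFF and teid == 0:  # TEID 0 is reserved for path management
        raise MalformedGTP("G-PDU with TEID 0 has no tunnel to map to")
    hdr["payload"] = pkt[off:]
    return hdr

# Constructed sample: a G-PDU (type 0xFF), no optional fields, 4 payload bytes.
SAMPLE_GPDU = (bytes([0x30, 0xFF, 0x00, 0x04]) + (0x12345678).to_bytes(4, "big")
               + b"\x45\x00\x00\x14")
```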
Transition to 5G Network Architecture
- 5G brings major architectural change: network functions are virtualized and run on COTS servers.
- Because of that virtualization, management and orchestration become central to the core network, and operation relies on API calls.
Key Concepts in 5G
- Explanation of network slicing which allows logical networks over shared physical infrastructure catering to diverse device needs and quality-of-service expectations.
- Transition from eNodeB in LTE to gNodeB in 5G; introduction of new acronyms like AMF (Access and Mobility Management Function), SMF (Session Management Function), UDM (Unified Data Management).
Detailed Components in 5G Architecture
- Breakdown of new components: AMF handles mobility registration while SMF manages sessions. User plane functions serve as anchor points for NG-RAN.
- Role of UDM in orchestrating access authorization, registration, mobility management alongside AMF and SMF interactions.
Policy Control Functions
- Description of the Policy Control Function's role compared to PCRF; focuses on dynamic policy decisions based on current network conditions affecting user access rights.
5G Security and Vulnerabilities
Introduction to 5G Identifiers
- In 5G, two new identifiers are introduced: SUCI (Subscriber Concealed Identifier) and SUPI (Subscription Permanent Identifier), which replace the IMSI used in previous generations.
- These identifiers enhance security by reducing reliance on a single compromised identifier, thus mitigating risks associated with IMSI-catchers.
Core Network Security Features
- The separation of security and mobility in the core network allows for larger keys and additional protections for user messages.
- A security anchor function (SEAF) is co-located with the Access and Mobility Management Function, letting devices move between networks without a full authentication renegotiation.
Attack Vectors in 5G Networks
- Patrick Rhude from Nokia highlights that 5G networks have 200 times more attack vectors than 4G due to the variety of connected devices.
- An attacker can sniff the Authentication and Key Agreement (AKA) procedure, which is transmitted in plaintext, and determine whether a specific subscriber is present in a cell.
Specific Attacks Explained
- By crafting messages using the RAND and AUTN values from an authentication request, attackers can identify target users based on the outcome of the MAC check.
- Attach requests sent unencrypted can be tampered with during registration since integrity verification failures do not halt the process.
Battery Drainage and Other Attacks
- Attackers can disable power-saving mode messages from the Access and Mobility Management Function (AMF), leading to significantly faster battery drainage.
- Malformed packets may still cause crashes within the core network, indicating vulnerabilities that could be exploited by attackers.
Advanced Vulnerability Findings
- Stream reuse attacks allow attackers to masquerade as valid network functions, potentially causing server crashes through TCP stream exhaustion.
- Research utilizing machine learning has identified end-to-end vulnerabilities related to paging procedures; these findings were confirmed by China Unicom as real concerns.
Conclusion of Discussion