Day1 Ernw Ltevsdarwin Heslte

7/24/2019 Day1 Ernw Ltevsdarwin Heslte

1/97

LTE vs. DarwinHendrik Schmidt

Brian Butterly


2/97

Who we are Old-school network geeks,

working as security researchers for Germany based ERNW GmbH

Independent Deep technical knowledge Structured (assessment) approach Business reasonable recommendations We understand corporate

Blog: www.insinuator.net

Conference: www.troopers.de

Telco research project: www.asmonia.d

4/24/2014 ERNW GmbH | Carl-Bosch-Str. 4 | DE-69115 Heidelberg


3/97

Motivation - Long Term

Evolution (LTE)

4G wireless technology focommunication

The 4G standard introduc

new technologies providimodern services to the c This includes features as S

..Trust and optional co



4/97

Charles Darwin

and the Darwin Award

Taking oneself out of the gen

their own (unnecessarily foolis

First on Usenet group discussas 1985

1993 on a website and collecti

by University of California, Be

www.darwinawards.com


From: biography.com
http://www.darwinawards.com/http://www.darwinawards.com/


5/97

One Example

(2003, Australia) Parents often warn that firecrackers can blow your h

off, but as a 26-year-old Australian learned, they can also remove your

from the gene pool. An ambulance rushed to an Illawarra park after rereports that a man was hemorrhaging from his behind. The mercifully

unidentified man had placed a lit firecracker between the cheeks of hi

buttocks, stumbled, and fell upon it.

http://darwinawards.com/darwin/darwin2003-19.html



6/97

Rly?

From: youtube



7/97

Well start with some basics



8/97

Standards - Overview

International TelecommuUnion (ITU) http://www.itu.int/

3rd Generation Partnersh(3GPP) www.3gpp.org

Europisches Institut frTelekommunikationsnor



9/97


10/97

(Evolved)Packet System - Architecture


Ref.: 3gpp.org


11/97

Ref.: www.asmonia.de



12/97

LTE in the FieldWhat we see



13/97

eNodeB

The actual air interface.

Come in different shapes a Rack, Small-Boxes, Portab

Different types for different Macro (>100m), Micro (100m

50m), HeNB (10-20m)

(WiFi/WiMax)

Termination Point for Encry RF channel encryption

Backend channel encryption



14/97

This results in.. Het-Nets

4/24/2014 ERNW GmbH | Carl-Bosch-Str. 4 | DE-69115 HeidelbergSource: http://wwwen.zte.com.cn/endata/magazine/ztetechnologies/2012/no1/a


15/97

An actual R

eNodeB

Source: runcom



16/97


17/97

And now? => Starting with the phonePart 1: UE Awareness



18/97

Phone means

Usually, it has to do phone

or Internet; or some other stsee or everything merged toget

Weve got

$Tablets/Slates $USB-Sticks/-Modems $4G Cards $Mobile Hotspots Relay Nodes ;-)



19/97

Our Scope

When talking phone secuusually see the OS and itsapplications. Well check out some back

functionality



20/97

UE: Look, Feel, Ask

(Physical) Cell ID

Tracking Area Code

Signal Strength

Position



21/97

PCI & TAC

Physical Cell-ID

As known from old networ Regionally unique identifier

504 different IDs

Configured automatically

Tracking Area Code Contains multiple cells.

Paging area

UEs current location

Source: http://www.3gpp.org/technologies/keywords-acronyms/96-nas



22/97

Signal Strength &

Location

Signal Strength

Measured by device Output in different formats

Location Positioning request

Use of OTDA (Observed Timof Arrival)

Use differences in arrival tpackets from certain eNod

GPS...GALILEOGLONASS

Enhanced Serving Mobile Location Center(E-SMLC)

Backend part for positioning

Accepts requests from MME andorganizes the actual process ofpositioning



23/97

Accessing Data

Rather easy

Use of magic numbers

Apps

AT Commands



24/97

Hackers do Information

Gathering

The magic number for IP*3001#12345#*



25/97

And on Android

Network Signal Info

https://play.google.com/store/apps/details?id=de.android.telnet&hl=de



26/97

But why?

Knowledge! Understandi

Collect and Log Data

Answer a few questions How large are Cells?

How large are Tracking Are


From: youtube.com


27/97


28/97


29/97


30/97

Can you see me??

LTE is an IP Network Scanning can be possible

Exemplary Data Attach Process

Paging Process



31/97


32/97


33/97


34/97


35/97

#2



36/97


37/97

Paging



38/97


39/97

How to reach a certain

UE ?

Paging frames are sent o

certain tracking area per

Certain flags can be seframes

Actually in certain sub-fram

UE knows which flag to



40/97

Paging Frame, Easy Explanation


Source: http://lteuniversity.com


41/97

Where to look?

SFN mod T= (T div N) * (UE_id mod



42/97

Find the Frame

SFN mod T=(T div N) * (UE_id mod N)

SFN: System Frame Number T: DRX cycle of the UE

UEs wake up cycle (32, 64, 128,

nB: Number of paging occasio

cycle 4T, 2T, T, T/2, T/4, T/8, T/16, T/32

N: min(T,nB) UE_id: IMSI mod 1024

eNB and UE are synchronized during

attachment process!!



43/97


44/97

And now?

Closer look at (UE_id mo

N = 8 So () can be 32 max

Whole term can be max 8

We need:

SFN mod T=(T div N) * (UE_id mod N)



45/97

So

Weve got 8160 possible pag

frames And 4 possible paging locat

So we can page up to 32640devices

Orwellpage a few differethe same time



46/97

Impact?

You might loose some ex

power

Rather hard to actually trmobile phone, due to diff

constansts on different e



47/97


48/97

Remembe

The 4G LTE Ba

PDN-GW

Serving-GW

SS MME

eNodeB eNodeB

UE

LTE-Uu

X2

S1-MME S1-U

S11

S6a

S5-C S5-U

SGi



49/97

Access to Telco

Network??

Ever scanned your provid

address range?



50/97


51/97


52/97

Some quotes from 3GPP TS 33.403

Setting up and configuring eNBs shall be autheand authorizedso that attackers shall not be ablmodify the eNB settings and software configuratlocal or remote access.



53/97

Control Structure

GTP Interfaces

ShmooCon 2011: Attackingmobile telecommunication

S1 Interface S1-MME: control interface

eNB and MME

S1-U: user plane

IPSec Encryption



54/97

Specs about IPSec

But this doesnt matter, 4G security is mostly based oSecurity-Gateways

3GPP TS 33.401 In order to protect the S1 and X2 control plane [], it is re

implement IPsec []. For both S1-MME and X2-C, IKEv2 c

based authentication [] shall beimplemented. In order to protect the S1 and X2 user [], it is required to

IPsec [] with confidentiality, integrity and replay protectio

transport mode IPsec is optionalfor implementation



55/97

Specs about IPSec

NOTE 1: In case control plane interfaces are trusphysically protected), there is no need to use prote[].

NOTE 2: In case S1 and X2 user plane interfaces trusted (e.g. physically protected), the use of IPsecbased protection is not needed.



56/97


57/97


58/97

Some words on

security

In reality you will find Clients with process controls

certificates, auto-connection/configuration

Servers with DHCP, CMDB, CQoS

And you know how this wor Management Interfaces? Complexity? Common (IP) network proble



59/97

3GPP Security Assurance Methodology

(SECAM) Defined in 3GPP TR 33.805 (year 2013)

Each 3GPP network product class [] can have vulnerabilities whichcan damage the MNO and/or end-users.

4/24/2014 ERNW GmbH | Carl-Bosch-Str 4 | DE-69115 Heidelberg


60/97

e.g. Testing the S1

Interface

S1 Application Protocol (S1APby 3GPP for the S1 interface

Specified in 3GPP TS 36.413

Necessary for several procedubetween MME and eNodeB

Also supports transparent traprocedures from MME to the uequipment

SCTP Destination Port 36412

S1AP Protocol Stack



61/97

S1AP with

www.insinuato

www.c0decafe



62/97

Technolog

Perfection

From: youtube



63/97


64/97

Random Quote

It is likely that only a sub

functions can be standarwithin the timeframe of trelease of the EPS. For tha step-by-step roll out offunctions should be prov

From: 3GPP TS 32.500 V1(2011-12)



65/97

Self Configuration

Big style Plug & Play



66/97

Why?

Reduce on-site activities

installer Reduce work to:

Connect to Antenna

Connect to LAN-Cable

Connect to Power

Reduce installation costs

Increase flexibility

4/24/2014 ERNW GmbH | Carl Bosch Str 4 | DE 69115 Heidelberg


67/97

How?

eNB gets IP via DHCP

Config gets pushed depeHW-ID

Installer configures positdata or device uses inter

receiver (Work out PID and maybe

for surrounding cells)

Base firmware is installed in factory



68/97

Relay Nodes

Install and switch on

Relay Node acts as UE Connects to Configurator

Fetches config from backe

Relay Node relays data fr

Donor eNB

Selective repeaters

Repeat data for certain eNodeBs



69/97

Self-Optimization



70/97


71/97

Self-Optimization

Automatically avoiding ove

eNBs are aware of neighboeNBs/cells

Automated communication

adjacent eNBs Band sharing both in time an

domains

Adapting of signal strength



72/97

ANR P


73/97

ANR Process

4/24/2014 ERNW G bH | C l B h St 4 | DE 69115 H id lb

Cell APhy-CID=3Global-CID =17

1) report(Phy-CID=5,strong signal)

2) Report Global-CIDRequest (Target Phy-CID=5)

2

3) ReportGlobal-CID=19

Source: 3GPP TS 36.3


74/97

O&M


75/97

Neighbour

DetectionFunction

Internal

Iinformation

RRC

Mrmnt

reportsMrmnt

requests

Add/Upda

teNeighborRelations

NRr

eport

ANR function

eNB

NRadd

NRT

ManagemntFunction

Neighbour

Removal

Function

NRremove

NRupdate

Neighbor Relation Table

1

2

TCI

3

NoRemove

TCI#1

TCI#1

No HO No X2

O&M controlled

Neighbour Relation AttributesNeighbour Relation

NR

TCl#1

ANR@eNB

Source: 3GPP T(2014-03)



76/97

HeNBs

Home-eNodeBs are able

part in SON process The ones you might have at

The ones you might have harooted

Protocol was adapted to communication with HeN Addition of extra security g



77/97


78/97

Hitachi ER5000

Quotes I

Autonomous Inter-cell InterfeControl

Hitachi ER5000 LTE Femtocell (autonomously mitigates inter-cthat deteriorates data rate and coutage at cell boundary.

Femto-GW Minimizing Impact Reduction of signaling load on M

GW, with 3GPP compliant technproprietary enhancement such messaging reduction and intra-mobility control.

4/24/2014 ERNW G bH | C l B h S 4 | DE 69115 H id lb

Alas! A scientific man ought to have nowishes, no affections a mere heart ofstone.

Charles Darwin


79/97

Hitachi ER5000

Quotes II

Mobile Traffic Offloading The ER5000 LTE Femtocell (HeN

Femto-GW enable traffic offloadmacrocell-eNBs and operator's

Integrated OAM & P Solution The ER5000 LTE Femtocell syst

Play', 'Self Planning,' 'Self Reco

Healing' and 'Self Optimization' helps management of a large nuHeNBs with enabling easy instamaintenance as well as optimiz

4/24/2014| |

I love fools' experiments. I am alwaysmaking them.

Charles Darwin


80/97

Hitachi ER5000

Summary

Autonomous Inter-cell InterfeControl

So it ought to be using SON/ANthe X2 channel

Femto-GW Minimizing Impact Just as the specs recommend

Mobile Traffic Offloading Will only I be able to use my He

you be connected to it, too? Integrated OAM & P Solution

So itll get an IP, should be forwconfiguration Server and fetch imy line?

4/24/2014| |

Source: http://www.hitachi.com/


81/97


82/97

X2AP

Basic procedure: X2 Setu

Some more interesting eNB Configuration Update

Handover Preparation/Initi

Cell Activation

Load Information Exchange

But also: Relaying of NAS



83/97

Nobody

w

this in the

http://blog.err1/masscan-susctp.html#.U1



84/97


85/97

Problems in Reality

Default configuration

Even you are not able to gIPSec communication, eNmay process non-encryp



86/97



87/97


88/97

Will Darwin strike again?



89/97


90/97

Theres never enough time


91/97

g

THANK YOU ...for y


Blog: Conference:


92/97

Stay in touch

Visit our blog and join the

discussion:

Join us at confe

Ping us at Twitter: @WEare@Insinu

Drop us a mail.

https://www.troopers.de/https://twitter.com/WEareTROOPERShttps://twitter.com/Insinuatorhttps://www.troopers.de/http://insinuator.net/https://twitter.com/Insinuatorhttps://twitter.com/WEareTROOPERS


93/97

Random Darwin Award

Protesting motorcycle he

laws, an Onondaga, NY mparticipating in a bare-noprotest ride when he wasflipping over the handleb

(July 2011, New York)




94/97

Random Darwin Award

A 63-year-old man's extraoeffort to eradicate moles fr

property resulted in a victomoles. The man pounded smetal rods into the ground connected them [] to a higpower line, intending to ren

subterranean realm uninhaIncidentally, the maneuver the very ground on which h

(10 January 2007, Germany)




95/97

Random Darwin Award

Azninski, 30, had been drinfriends when it was sugges

strip naked and play some games". Initially they hit eaover the head with frozen tuthen one man upped the anseizing a chainsaw and cuttend of his foot. Not to be ou

Azninski grabbed the saw ashouting "Watch this then,"at his own head and choppe

(1995)




96/97

Random Darwin Award

Gary was at a friend's apwhen he spotted a salsa jcontaining a mystery fluiThinking that it was an albeverage, he helped himssizeable swig of gasolineenough, he immediately sthe offending liquid onto clothes. Then, to recovershock, Gary lit a cigarette

(27 February 2012, North Carolina)




97/97

Random Darwin Award

Mechanic Srgio A. Rosawelding a gas tanker thatcuriously, exploded, sendremains flying 400 meterthe air.

(5 Feb 2013, So Paulo, Brazil)



Documents

Day1 Ernw Ltevsdarwin Heslte