LTE Security - How Good Is It? - NIST


LTE Security – How Good Is It?
Michael Bartock, Jeffrey Cichonski, Joshua Franklin
IT Specialists (Security), National Institute of Standards & Technology

Disclaimer
Certain commercial entities, equipment, or materials may be identified in this presentation in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Agenda
- Discussion of LTE standards
- Description of LTE technology
- Exploration of LTE's protection mechanisms
- In-depth discussion of applied backhaul security research
- Enumeration of threats to LTE
- How good is LTE security?

Context of Research
- The Public Safety Communications Research (PSCR) program is a joint effort between NTIA & NIST, located in Boulder, CO
- PSCR investigates methods to make public safety communications systems interoperable and secure, and to ensure they meet the needs of US public safety personnel
- Researching the applicability of LTE in public safety communications

What is LTE
- LTE – Long Term Evolution
- Evolutionary step from GSM and UMTS
- 4th generation cellular technology standard from the 3rd Generation Partnership Project (3GPP)
- Deployed worldwide and installations are rapidly increasing
- LTE is completely packet-switched
- Technology to provide increased data rates

Cybersecurity Research Objectives
- Led by the Information Technology Laboratory's Computer Security Division with support from the Software and Systems Division and the Information Access Division
- Kicked off at the PSCR stakeholder meeting in June 2013
- Takes a holistic approach to cybersecurity for public safety communications
- Leverages existing mobile cybersecurity efforts within the government and industry
- Conducts research to fill gaps in cybersecurity

Cybersecurity Research Objectives (continued)
- LTE architecture, standards, and security (NISTIR)
- Identity management for public safety (NISTIR 8014)
- Mobile application security for public safety
- Enabling cybersecurity features in the PSCR demonstration network
- Mapping public safety communication network requirements to standard cybersecurity controls and frameworks (NISTIR)
- Usable cybersecurity for public safety

3GPP Standards & Evolution (diagram, simplified for brevity): 2G GSM → 2.5G EDGE → 3G UMTS → 3.5G HSPA → 4G LTE

LTE Technology Overview

The Basics
- A device (UE) connects to a network of base stations (E-UTRAN)
- The E-UTRAN connects to a core network (Core)
- The Core connects to the internet (IP network)

Mobile Device
- User equipment (UE): cellular device containing the following
  - Mobile equipment (ME): the physical cellular device
  - UICC: known as the SIM card; responsible for running the SIM and USIM applications; can store personal info (e.g., contacts) & even play video games!
- IMEI: equipment identifier
- IMSI: subscriber identifier

The Evolved Universal Terrestrial Radio Access Network (E-UTRAN)
- eNodeB: radio component of the LTE network
  - De-modulates RF signals & transmits IP packets to the core network
  - Modulates IP packets & transmits RF signals to the UE
- E-UTRAN: mesh network of eNodeBs
- X2 Interface: connection between eNodeBs

Evolved Packet Core (EPC) (simplified for brevity)
- Mobility Management Entity (MME): primary signaling node; does not interact with user traffic. Functions include managing & storing UE contexts, creating temporary IDs, sending pages, controlling authentication functions, & selecting the S-GW and P-GW
- Serving Gateway (S-GW): router of information between the P-GW and the E-UTRAN; carries user plane data and anchors UEs for inter-eNodeB handoffs
- Packet Data Network Gateway (P-GW): allocates IP addresses and routes packets; interconnects with non-3GPP networks
- Home Subscriber Server (HSS): houses subscriber identifiers and critical security information

LTE Network (diagram)

Communications Planes
- LTE uses multiple planes of communication
- Different logical planes are multiplexed into the same RF signal
- Routed to different endpoints

LTE Protocols
TCP/IP sits on top of the cellular protocol stack:
- Radio Resource Control (RRC): transfers NAS messages (AS information may be included), signaling, and ECM
- Packet Data Convergence Protocol (PDCP): header compression, radio encryption
- Radio Link Control (RLC): readies packets to be transferred over the air interface
- Medium Access Control (MAC): multiplexing, QoS

Subscriber Identity (IMSI)
- International Mobile Subscriber Identity (IMSI): LTE uses a unique ID for every subscriber
- 15-digit number stored on the UICC
- Consists of 3 values: MCC, MNC, and MSIN
- Distinct from the subscriber's phone number
Example layout (figure): MCC 310 | MNC 014 | MSIN 00000****

LTE Security Architecture

LTE Security Architecture
We will explore several LTE defenses:
- SIM cards and UICC tokens
- Device and network authentication
- Air interface protection (Uu)
- Backhaul and network protection (S1-MME, S1-U)
LTE's security architecture is defined by 3GPP's TS 33.401. There are many, many, many references to other standards within.

UICC Token
- Hardware storage location for sensitive information
- Stores pre-shared key K
- Stores IMSI
- Limited access to the UICC via a restricted API
- Performs cryptographic operations for authentication
TS 33.401 - 6.1.1: Access to E-UTRAN with a 2G SIM or a SIM application on a UICC shall not be granted.

Device & Network Authentication
- Authentication and Key Agreement (AKA) is the protocol used for devices to authenticate with the carrier to gain network access
- The cryptographic keys needed to encrypt calls are generated upon completion of the AKA protocol
3GPP 33.401 - 6.1.1: EPS AKA is the authentication and key agreement procedure that shall be used over E-UTRAN.

AKA Packet Capture (figure): sending temporary identity; authentication vectors; authentication response

Cryptographic Key Usage
- K: 128-bit master key, put into the USIM and HSS by the carrier
- CK & IK: 128-bit cipher key and integrity key
- KASME: 256-bit local master key, derived from CK & IK
- KeNB: 256-bit key used to derive additional keys
- NASenc & NASint: keys protecting NAS (derived as 256 bits; the 128-bit algorithms use the low 128 bits)
- RRCenc & RRCint: keys protecting RRC (256/128 bits as above)
- UPenc: key protecting UP traffic (256/128 bits as above)
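As an added worked example (not code from the presentation), the following Python derives the key hierarchy on this slide with the 3GPP key derivation function of TS 33.220 Annex B and the input layouts of TS 33.401 Annex A: KASME from CK||IK, KeNB from KASME, and the per-algorithm NAS, RRC and UP keys truncated to 128 bits. The CK/IK, SQN xor AK and NAS COUNT values are constructed sample inputs rather than test vectors from the standard, and using one algorithm pair for both NAS and AS is the example's own simplification.

```python
import hmac
import hashlib

# Algorithm type distinguishers, TS 33.401 Table A.7-1
NAS_ENC_ALG, NAS_INT_ALG = 0x01, 0x02
RRC_ENC_ALG, RRC_INT_ALG = 0x03, 0x04
UP_ENC_ALG = 0x05
# Algorithm identities (EEAx and EIAx share the number): SNOW 3G = 1, AES = 2, ZUC = 3
ALG_SNOW3G, ALG_AES, ALG_ZUC = 0x01, 0x02, 0x03


def kdf_input(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ... (TS 33.220 Annex B);
    each Li is the 2-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 keyed with `key` over S, 256-bit output."""
    return hmac.new(key, kdf_input(fc, *params), hashlib.sha256).digest()


def serving_network_id(mcc: str, mnc: str) -> bytes:
    """SN id (TS 33.401 A.2), laid out like a PLMN id: digits packed two per
    octet, low nibble first; a 2-digit MNC fills its third digit with 0xF."""
    mcc1, mcc2, mcc3 = (int(c) for c in mcc)
    mnc1, mnc2, mnc3 = (int(c, 16) for c in (mnc if len(mnc) == 3 else mnc + "f"))
    return bytes([(mcc2 << 4) | mcc1, (mnc3 << 4) | mcc3, (mnc2 << 4) | mnc1])


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """K_ASME = KDF(CK || IK, FC=0x10, SN id (3 octets), SQN xor AK (6 octets))."""
    if len(ck) != 16 or len(ik) != 16 or len(sn_id) != 3 or len(sqn_xor_ak) != 6:
        raise ValueError("bad input length")
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


def derive_kenb(kasme: bytes, uplink_nas_count: int) -> bytes:
    """K_eNB = KDF(K_ASME, FC=0x11, uplink NAS COUNT (4 octets)), TS 33.401 A.3."""
    return kdf(kasme, 0x11, uplink_nas_count.to_bytes(4, "big"))


def derive_alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """Algorithm key = KDF(parent, FC=0x15, type distinguisher, algorithm id), A.7.
    parent is K_ASME for NAS keys and K_eNB for RRC/UP keys; 256-bit output."""
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))


def truncate_128(key256: bytes) -> bytes:
    """128-bit algorithms (EEA1-3, EIA1-3) use the 128 least significant bits."""
    return key256[16:]


def eps_key_hierarchy(ck, ik, mcc, mnc, sqn_xor_ak, uplink_nas_count, enc_alg, int_alg):
    """Derive every key on the slide from CK/IK. Simplification (this example's):
    NAS and AS are configured with the same encryption/integrity algorithm pair."""
    kasme = derive_kasme(ck, ik, serving_network_id(mcc, mnc), sqn_xor_ak)
    kenb = derive_kenb(kasme, uplink_nas_count)
    return {
        "K_ASME": kasme,
        "K_eNB": kenb,
        "K_NASenc": truncate_128(derive_alg_key(kasme, NAS_ENC_ALG, enc_alg)),
        "K_NASint": truncate_128(derive_alg_key(kasme, NAS_INT_ALG, int_alg)),
        "K_RRCenc": truncate_128(derive_alg_key(kenb, RRC_ENC_ALG, enc_alg)),
        "K_RRCint": truncate_128(derive_alg_key(kenb, RRC_INT_ALG, int_alg)),
        "K_UPenc": truncate_128(derive_alg_key(kenb, UP_ENC_ALG, enc_alg)),
    }


if __name__ == "__main__":
    # Constructed sample inputs (not test vectors from the standard); MCC/MNC
    # 310/014 is the example IMSI prefix shown earlier in the deck.
    CK, IK = bytes(range(16)), bytes(range(16, 32))
    SQN_XOR_AK = bytes.fromhex("000000000001")
    keys = eps_key_hierarchy(CK, IK, "310", "014", SQN_XOR_AK, 0, ALG_AES, ALG_AES)
    for name, value in keys.items():
        print(f"{name:9s} {value.hex()}")
```

Two points worth noticing when reading the output: every key below K is bound to the serving network identity, so a key agreed with one operator's network cannot be replayed to another; and the 256-bit outputs are simply cut to their low half for today's 128-bit algorithms, which is why the slide lists the NAS, RRC and UP keys as 256/128-bit.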

Air Interface Protection
- The connection between the UE and the eNodeB is referred to as the air interface
- 3 algorithms exist to protect the LTE air interface:
  - SNOW 3G stream cipher, designed by Lund University (Sweden) (EEA1/EIA1)
  - AES block cipher, standardized by NIST (USA) (EEA2/EIA2)
  - ZUC stream cipher, designed by the Chinese Academy of Sciences (China) (EEA3/EIA3)
- Each algorithm can be used for confidentiality protection, integrity protection, or both
3GPP 33.401 - 5.1.3.1: User plane confidentiality protection shall be done at PDCP layer and is an operator option.
Note that integrity protection applies to signaling (NAS and RRC); user plane traffic over the air interface gets confidentiality only, and even that is optional.

Backhaul Protection
- Confidentiality protection of traffic running over the S1 interface (backhaul)
- Security Gateways (SEGs), typically hardware security appliances, are used to implement this standard
- An IPsec tunnel is created between the eNodeB and the SEG
3GPP TS 33.401 - 13: NOTE: In case the S1 management plane interfaces are trusted (e.g. physically protected), the use of protection based on IPsec/IKEv2 or equivalent mechanisms is not needed.

PSCR Applied Research

PSCR Applied Research
Our focus is on communication from the cell site to the core network.


Initial Research Goal
- Enable data encryption on the backhaul connection
- Verify data is encrypted
- Analyze impact on network performance
- Encourage the default use of backhaul encryption

Why Encrypt the Backhaul
User data travels over the backhaul, and the backhaul may or may not be trusted.
Example: Operator A uses Operator B's fiber trunk to connect remote cell sites to its core network. An adversary could be listening in on this connection.

Implementation
- Use Internet Protocol Security (IPsec) to encrypt this communication
  - Provides encryption at the Internet layer of the IP protocol stack
  - Commercial base stations support IPsec
- Use public key infrastructure (PKI) certificates to provide strong authentication
  - Base station and core network authenticate each other

Current State of Research
- Collaborating with CRADA partners to identify commercial grade solutions
- Implemented backhaul protection on part of the PSCR Demonstration Network
- Testing impacts on network performance
- Working to verify interoperability & scalability
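The "verify data is encrypted" step of the research goal can be automated. The Python below is an added example, not PSCR's own tooling: it classifies raw IPv4 packets captured on the backhaul as ESP, IKE, or cleartext S1 signaling (S1AP over SCTP port 36412) and user plane (GTP-U over UDP port 2152), and reports any cleartext S1 traffic to or from the eNodeB address. The packets and the addresses (RFC 5737 documentation ranges) are constructed inline, so no real capture is read.

```python
import struct
import ipaddress

ESP, UDP, SCTP = 50, 17, 132          # IP protocol numbers
S1AP_SCTP_PORT = 36412                # S1-MME signalling (TS 36.412)
GTPU_UDP_PORT = 2152                  # S1-U user plane (TS 29.281)
IKE_UDP_PORTS = {500, 4500}           # IKEv2, plus NAT-T on 4500


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for a raw IPv4 packet, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def classify(pkt: bytes) -> str:
    """Label a packet by what it reveals on the wire."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return "non-ipv4"
    _, _, proto, payload = parsed
    if proto == ESP:
        return "esp"                              # protected: only SPI/sequence visible
    if proto == SCTP and len(payload) >= 12:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "cleartext-s1ap" if S1AP_SCTP_PORT in (sport, dport) else "sctp-other"
    if proto == UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if GTPU_UDP_PORT in (sport, dport):
            return "cleartext-gtpu"
        if sport in IKE_UDP_PORTS and dport in IKE_UDP_PORTS:
            return "ike"                          # expected: tunnel setup, not user data
        return "udp-other"
    return "other"


def audit_backhaul(packets, enb_addr: str) -> dict:
    """Count traffic classes and list cleartext S1 packets to or from the eNodeB."""
    counts, findings = {}, []
    for pkt in packets:
        kind = classify(pkt)
        counts[kind] = counts.get(kind, 0) + 1
        if kind.startswith("cleartext-"):
            src, dst, _, _ = parse_ipv4(pkt)
            if enb_addr in (src, dst):
                findings.append((kind, src, dst))
    return {"counts": counts, "findings": findings, "protected": not findings}


# --- constructed sample packets (documentation address ranges, RFC 5737) ---
ENB, MME, SGW, SEG = "192.0.2.10", "198.51.100.1", "198.51.100.2", "198.51.100.254"


def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)   # header checksum left zero
    return hdr + payload


def sctp(sport, dport, chunks):
    return struct.pack("!HHII", sport, dport, 0, 0) + chunks


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def gtpu_gpdu(teid, inner_ip):
    # GTPv1-U: flags 0x30 (version 1, PT=1), type 0xFF = G-PDU, length, TEID
    return struct.pack("!BBHI", 0x30, 0xFF, len(inner_ip), teid) + inner_ip


def esp(spi, seq, ciphertext):
    return struct.pack("!II", spi, seq) + ciphertext


def sample_capture(ipsec_on: bool):
    """Two constructed captures mirroring the 'non-encrypted' / 'encrypted' slides."""
    if not ipsec_on:
        return [ipv4(ENB, MME, SCTP, sctp(S1AP_SCTP_PORT, S1AP_SCTP_PORT, b"\x00" * 16)),
                ipv4(ENB, SGW, UDP, udp(GTPU_UDP_PORT, GTPU_UDP_PORT,
                                        gtpu_gpdu(0x1234, b"\x45" + b"\x00" * 39)))]
    return [ipv4(ENB, SEG, UDP, udp(500, 500, b"\x00" * 28)),
            ipv4(ENB, SEG, ESP, esp(0xC0FFEE, 1, b"\xAA" * 64)),
            ipv4(SEG, ENB, ESP, esp(0xBEEF, 1, b"\xBB" * 64))]


if __name__ == "__main__":
    for on in (False, True):
        print("IPsec", "on " if on else "off", audit_backhaul(sample_capture(on), ENB))
```

On a real deployment the same check runs over a capture taken on the transport between the cell site and the SEG; with the tunnel up, the only things that should remain visible there are IKE on UDP 500/4500 and ESP, never SCTP 36412 or UDP 2152 addressed to the MME or S-GW.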

Non-Encrypted Traffic (packet capture figure)

Encrypted Traffic (packet capture figure)

Initial Performance Results (chart): UDP downlink, Mbps – IPsec off 39.47, IPsec on 39.39

Initial Performance Results (chart): UDP uplink, Mbps – IPsec off 12.12, IPsec on 11.06

Next Steps
- Identify additional tests to better simulate real-world deployments
- Simulate multiple base stations connecting to one security gateway
- Interoperability tests
- Identify other vulnerable network interfaces to secure (e.g., Uu)

Threats to LTE Networks

General Computer Security Threats
Threat: LTE infrastructure runs off of commodity hardware & software. With great commodity comes great responsibility: it is susceptible to the software and hardware flaws pervasive in any general purpose operating system or application.
Mitigation: Security engineering and a secure system development lifecycle.

Renegotiation Attacks
Threat: Rogue base stations can force a user to downgrade to GSM or UMTS. Significant weaknesses exist in GSM cryptographic algorithms.
Mitigation: Ensure an LTE network connection. Most current mobile devices do not provide the ability to ensure a user's mobile device is connected to an LTE network; where a "Use LTE only" option is available to the user, enable it. Use a rogue base station detector.

Device & Identity Tracking
Threat: The IMEI and IMSI can be intercepted and used to track a phone and/or user. Rogue base stations can perform a MitM attack by forcing UEs to connect to them by transmitting at a high power level. The phone may transmit its IMEI or IMSI while attaching or authenticating.
Mitigation: UEs should use temporary identities and not transmit permanent ones over unencrypted connections. IMSI-catcher-catcher.
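Building on the two threats above (renegotiation and identity tracking), the following Python is an added example, not the presentation's and not any particular IMSI-catcher-catcher product's logic, of the kind of UE-side heuristics such a detector applies: an Identity Request for the IMSI after a GUTI was already assigned, a drop from a strong LTE cell to GSM/UMTS, weak or absent GSM ciphering, and a never-seen cell reusing a known area code at unusually high signal strength. The event format, the thresholds and the sample events are the example's own constructions.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """One UE-side observation; the field set is this example's own."""
    t: int           # seconds since start of log
    rat: str         # "LTE", "UMTS" or "GSM"
    cell: str        # serving cell identity as reported by the UE
    area: int        # tracking area code (LTE) or location area code (2G/3G)
    rsrp: int        # serving signal strength, dBm
    msg: str = ""    # NAS/RRC message of interest, if any
    param: str = ""  # message detail: identity type requested, cipher chosen, ...


WEAK_GSM_CIPHERS = {"A5/0", "A5/1", "A5/2"}   # A5/0 is no encryption at all
STRONG_LTE_DBM = -100    # threshold (assumed): above this there is no reason to leave LTE
SUSPICIOUS_DBM = -70     # threshold (assumed): unusually strong for an unknown cell


def analyse(events, known_cells):
    """Return (t, reason, cell) alerts. known_cells is a set of (cell, area)
    pairs observed previously at this location."""
    alerts, prev, have_guti = [], None, False
    known_areas = {area for _, area in known_cells}
    for e in events:
        if e.msg == "ATTACH_ACCEPT" and e.param == "GUTI":
            have_guti = True
        # 1. network asks for the permanent IMSI although a GUTI was assigned
        if e.msg == "IDENTITY_REQUEST" and e.param == "IMSI" and have_guti:
            alerts.append((e.t, "imsi-request-despite-guti", e.cell))
        # 2. renegotiation: strong LTE one moment, 2G/3G the next
        if prev and prev.rat == "LTE" and e.rat != "LTE" and prev.rsrp > STRONG_LTE_DBM:
            alerts.append((e.t, f"downgrade-LTE-to-{e.rat}", e.cell))
        # 3. weak or absent ciphering once on the 2G leg
        if e.msg == "CIPHER_MODE" and e.param in WEAK_GSM_CIPHERS:
            alerts.append((e.t, f"weak-cipher-{e.param}", e.cell))
        # 4. a never-seen cell reusing a known area code, overpowering its neighbours
        if (e.cell, e.area) not in known_cells and e.area in known_areas and e.rsrp > SUSPICIOUS_DBM:
            alerts.append((e.t, "unknown-strong-cell", e.cell))
        prev = e
    return alerts


def lte_only_prevents(alerts):
    """Alerts a 'Use LTE only' setting would have avoided: those that require the
    UE to camp on a 2G/3G cell. An IMSI request on LTE itself is not among them."""
    return [a for a in alerts if a[1].startswith(("downgrade-", "weak-cipher-"))]


# Constructed sample log: normal LTE service, then a rogue cell appears
KNOWN = {("A1", 100), ("A2", 100)}
SAMPLE = [
    Event(0, "LTE", "A1", 100, -85, "ATTACH_ACCEPT", "GUTI"),
    Event(60, "LTE", "A1", 100, -84),
    Event(120, "LTE", "X9", 100, -55, "IDENTITY_REQUEST", "IMSI"),  # rogue LTE cell
    Event(121, "GSM", "G7", 100, -80),                               # pushed down to 2G
    Event(122, "GSM", "G7", 100, -80, "CIPHER_MODE", "A5/0"),
    Event(300, "LTE", "A2", 100, -90),                               # back to normal
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE, KNOWN):
        print(alert)
```

The split in lte_only_prevents is the practical point of the two slides: locking the handset to LTE removes the downgrade and weak-cipher findings, but a rogue LTE cell can still ask for the IMSI before any security context exists, which is why the slide pairs the "Use LTE only" option with a detector rather than relying on either alone.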

Call Interception
Threat: Renegotiation attacks may also allow MitM attacks to establish an unencrypted connection to a device making a phone call; the attacker may be able to listen to the phone call.
Mitigation: The ciphering indicator feature discussed in 3GPP TS 22.101 would alert the user if calls are made over an unencrypted connection.

Jamming UE Radio Interface
Threat: Jamming the LTE radio prevents the phone from successfully transmitting information. Jamming decreases the signal-to-noise ratio by transmitting static and/or noise at high power levels across a given frequency band. Research suggests that, due to the small amount of control signaling in LTE, this attack is possible. Prevents emergency calls.
Mitigation: Unclear. Further research is required and may require changes to 3GPP standards to mitigate this attack.

Attacks Against the Secret Key (K)
Threat: Attackers may be able to steal K from the carrier's HSS/AuC or obtain it from the UICC manufacturer; card manufacturers may keep a database of these keys within their internal network.
Mitigation(s): Physical security measures from the UICC manufacturer; network security measures from the carrier.

Physical Base Station Attacks
Threat: The radio equipment and other electronics required to operate a base station may be physically destroyed.
Mitigation: Provide adequate physical security measures such as video surveillance, gates, and various tamper detection mechanisms.

Availability Attacks on eNodeB & Core
Threat: A large number of simultaneous requests may prevent eNodeBs and core network components (e.g., HSS) from functioning properly, for example by simulating large numbers of fake handsets.
Mitigation: Unclear.

Apply What You Learned Today
Following this talk:
- Take notice when you're connected to non-LTE networks (e.g., EDGE, GPRS, UMTS, HSPA, WiFi)
- Understand what protections are offered by LTE – and what isn't
- Don't send sensitive information over untrusted or non-LTE networks
- LTE helps mitigate rogue base station attacks

Summary – How Good Is It?
- LTE security is markedly more secure than its predecessors
- Strong security mechanisms are baked in
- Unaddressed threats exist (e.g., jamming)
- Unfortunately, many of the mechanisms are optional or may not be on by default (although integrity protection mechanisms are required); call your friendly neighborhood wireless carrier today
- Some threats are outside the purview of the carriers & standards bodies, such as SoC manufacturers
- LTE is always evolving: today's defenses are not etched in stone, and upgrades are in the works via 3GPP Working Groups

Questions?

Selected Acronyms & Abbreviations
3GPP – 3rd Generation Partnership Project
AS – Access Stratum
AuC – Authentication Center
AUTN – Authentication token
CP – Control Plane
EDGE – Enhanced Data Rates for GSM Evolution
eNB, eNodeB – Evolved Node B
EPC – Evolved Packet Core
EPS – Evolved Packet System
E-UTRAN – Evolved Universal Terrestrial Radio Access Network
GPRS – General Packet Radio Service
GSM – Global System for Mobile Communications
GUTI – Globally Unique Temporary UE Identity
HSS – Home Subscriber Server
IMEI – International Mobile Equipment Identifier
IMS – IP Multimedia Subsystem
IMSI – International Mobile Subscriber Identity
K – Secret Key K
LTE – Long Term Evolution
ME – Mobile Equipment
MME – Mobility Management Entity
NAS – Non-Access Stratum
NIST – National Institute of Standards & Technology
PDCP – Packet Data Convergence Protocol
P-GW – Packet Data Network (PDN) Gateway
PHY – Physical
PSCR – Public Safety Communications Research
RAND – Random challenge
RES – Response
RLC – Radio Link Control
RRC – Radio Resource Control
S-GW – Serving Gateway
SQN – Sequence Number
TMSI – Temporary Mobile Subscriber Identity
UE – User Equipment
UICC – Universal Integrated Circuit Card
UMTS – Universal Mobile Telecommunications System
XRES – Expected Response

References
- 3GPP TS 33.102: "3G security; Security architecture"
- 3GPP TS 22.101: "Service aspects; Service principles"
- 3GPP TS 33.210: "3G security; Network Domain Security (NDS); IP network layer security"
- 3GPP TS 33.401: "3GPP System Architecture Evolution (SAE); Security architecture"
- 3GPP TR 33.821: "Rationale and track of security decisions in LTE"
- D. Forsberg, G. Horn, W.-D. Moeller, and V. Niemi, LTE Security, 2nd ed., John Wiley & Sons, Ltd.: United Kingdom, 2012.
- Pico, Parez, "Attacking 3G", Rooted 2014.
- Prasad, Anand, "3GPP SAE/LTE Security", NIKSUN WWSMC, 2011.
- Schneider, Peter, "How to secure an LTE-network: Just applying the 3GPP security standards and that's it?", Nokia, 2012.

