Presented at DEF CON 31 (2023), Aug. 10, 2023, 3:30 p.m. (45 minutes).
4G? LTE? 3GPP? A lot of telecommunications terminology gets thrown around, but what does it actually mean? While terms like “5G” and “packet core” may be in common use, it’s hard to understand what they mean in terms of attack surface, or even as a consumer. Very often even network diagrams will show the “Core Network” as a big blob, or stop at the Radio Access Network. It’s hard to get insight into the cellular network. So, I’ll explain it generation by generation!
In this talk we will walk through each step of cellular evolution, starting at 2G and ending at 5G. The never-ending attack and defend paradigm will be clearly laid out. In order to understand the attack surface, I’ll cover network topology and protocol.
For each cellular generation, I will explain known vulnerabilities and some interesting attacks. In response to those vulnerabilities, mitigations are put in place in the subsequent cellular generation. But as we all know, new mitigations mean new opportunities for attackers to get creative.
While I will explain most cellular-specific terminology, a familiarity with security concepts will help to better understand this talk. Basic foundations of communications systems, information theory or RF definitely make this talk more enjoyable, but are absolutely not necessary. It’s a dense topic that is highly applicable to those working on anything that touches the cellular network!
REFERENCES:
1. Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, Elisa Bertino. LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE.
2. https://www.cybersecuritydive.com/news/5g-security-breaches/636693/
3. https://networksimulationtools.com/5g-network-attacks-projects
4. https://www.p1sec.com/corp/category/p1-security/
5. Xinxin Hu, Caixia Liu, Shuxin Liu, Jinsong Li, Xiaotao Cheng. A Vulnerability in 5G Authentication Protocols and Its Countermeasure.
6. Altaf Shaik, Ravishankar Borgaonkar. New Vulnerabilities in 5G Networks.
7. NSA, CISA. ESF Potential Threats to 5G Network Slicing.
8. https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010203
9. Pen Test Partners, DEF CON 27 talk: https://www.pentestpartners.com/security-blog/zte-mf910-an-end-of-life-router-running-lots-of-vivacious-hidden-code/
10. Philippe Langlois (P1 Security). LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements. HITB 2013 Amsterdam. https://conference.hitb.org/hitbsecconf2013ams/materials/D1T2%20-%20Philippe%20Langlois%20-%20Hacking%20HLR%20HSS%20and%20MME%20Core%20Network%20Elements.pdf
11. Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, Elisa Bertino. Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information.
12. https://thehackernews.com/2018/03/4g-lte-network-hacking.html
13. Elias Bou-Harb, Mourad Debbabi, Chadi Assi (2012). A first look on the effects and mitigation of VoIP SPIT flooding in 4G mobile networks. pp. 982-987. doi:10.1109/ICC.2012.6364233.
14. https://resources.infosecinstitute.com/topic/cheating-voip-security-by-flooding-the-sip/
15. https://www.mpirical.com/ (5G trainings)
16. https://en.wikipedia.org/wiki/Cellular_network
17. Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); General Packet Radio Service (GPRS); Service description (3GPP TS 23.060 version 10.3.0 Release 10). https://www.etsi.org/deliver/etsi_ts/123000_123099/123060/10.03.00_60/ts_123060v100300p.pdf
18. Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); 3G security; Security architecture (3GPP TS 33.102 version 14.1.0 Release 14). https://www.etsi.org/deliver/etsi_ts/133100_133199/133102/14.01.00_60/ts_133102v140100p.pdf
19. Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 3GPP System Architecture Evolution (SAE); Security architecture (3GPP TS 33.401 version 15.7.0 Release 15). https://www.etsi.org/deliver/etsi_ts/133400_133499/133401/15.07.00_60/ts_133401v150700p.pdf
20. Universal Mobile Telecommunications System (UMTS); LTE; 5G; Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3 (3GPP TS 24.301 version 17.6.0 Release 17). https://www.etsi.org/deliver/etsi_ts/124300_124399/124301/17.06.00_60/ts_124301v170600p.pdf
21. 5G; Security architecture and procedures for 5G System (3GPP TS 33.501 version 15.4.0 Release 15). https://www.etsi.org/deliver/etsi_ts/133500_133599/133501/15.04.00_60/ts_133501v150400p.pdf
Previous talk: https://www.youtube.com/watch?v=-JX7aC0AXEk&t=7387s
Presenters:
- Tracy Mosley, Trenchant
Tracy is a New York City based Lead Security Research Engineer at Trenchant (formerly known as Azimuth Security). With a degree in Computer Engineering and over 10 years in the industry, Tracy has predominantly focused on vulnerability research, reverse engineering and development for embedded devices. She has led teams focused on telecommunications equipment and contributed to teams large and small working on routers and various other types of embedded devices.
Her first degree is in theatre performance, with a vocal performance minor. Vocal technique, performance and understanding the vocal mechanism are what drew her into telecommunications. You may have seen her presenting at conferences, attending trainings, dancing the night away or performing on stage.