Malicious AVPs: Exploits to the LTE Core
One of the most sensitive equipment in LTE 4G networks is the DRA (Diameter Router Agent), which represents the heart of LTE, exchanging Diameter messages and connecting external roaming partner operators and internal Network Elements. It notably connects and helps secure the HLR/HSS subscriber database (the brain of 4G networks) by filtering messages and allowing hosts. In our presentation, we will show examples of compromising a DRA Network Element through remote attacks. This research shows that 80% of worldwide LTE operators are vulnerable to these Diameter attacks. We will discuss how Telecom Operators are using products in their LTE / 4G Core Networks that have been developed with reliability in mind, not security, and the consequences to network security and subscriber privacy. At the moment the witnessed exploitability of software bugs in LTE is very high. We will show that remote exploitation and control of latest generation Core Networks is possible from an attacker from the telecom roaming network (GRX/IPX), allowing total compromise of an operator from another operator perspective. We will also present how not only Diameter implementations are vulnerable, but also how the protocol itself is vulnerable to non-blind spoofing. And we’ll present kill chains that allow attackers to compromise such infrastructures from Internet by chaining multiple vulnerabilities, sometimes in less than 2 days.
A large part of the presentation will show technical details of one example attack, involving vulnerability exploitation over Diameter, NX and ASLR bypassing, circumventing AVP payload size limitation, and will explore on Technical as well as Threat Management oriented approaches to improve the current situation.
This is the continuation of last year’s Hackito 2015 “Hacking Telco Equipment: The HLR/HSS” presentation [1], and a complementary view on Telecom Network Threats like Fraud, Geolocation, Interception [2].
[1] http://2014.hackitoergosum.org/slides/day1_Hacking-telco-equipment-The-HLR-HSS-Laurent-Ghigonis-p1sec.pdf
[2] http://ss7map.p1sec.com/
Bios:
Laurent Ghigonis
Laurent is working at P1 Security since 2011. He is involved in SS7 and LTE audits, Network Elements analysis and exploitation, developing telecom scanning tools and giving security trainings.
Philippe Langlois
Philippe Langlois is an entrepreneur and leading security researcher, expert in the domain of telecom and network security. He has founded internationally recognized security companies (Qualys, WaveSecurity, INTRINsec, P1 Security) as well as led technical, development and research teams (Solsoft, TSTF). When he founded Qualys, Philippe was CTO of this SaaS, world-leading vulnerability assessment service. He founded a pioneering network security company Intrinsec in 1995 in France that was the first to propose Penetration Tests in France and amongst the first in Europe.
His first business, Worldnet, France’s first public Internet service provider, was founded in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB, Hack.lu). Previously a professor at Ecole de Guerre Economique and various universities in France (Amiens, Marne La Vallée). He is a FUSR-U collaborator and founding member, and founder of Hackito Ergo Sum conference.
Philippe advises industry associations (GSM Association Security Group, several national organizations) and governmental officials and contributes to Critical Infrastructure advisory committees and conferences in Telecom and Network security.
Now, Philippe is providing with P1 Security the first Core Network, Telecom and Mobile Signaling security scanner, IDS and fuzzers that help enterprises, operators and government analyze where and how their critical network infrastructure can be attacked. He can be reached through his website at: http://www.p1security.com.
Philippe has previously presented at the following security/hacking conferences: Hack.lu, Hack in the Box (HITB, Amsterdam, Dubai, Kuala Lumpur), Blackhat, Hackito Ergo Sum (paris,france), SOURCE, Chaos Communication Congress (Berlin, Germany), ekoparty (bueos aires, argentina), H2HC (sao paulo, brazil), SYSCAN (Hong Kong; Thailand), Bellua (Jakarta, Indonesia), INT (Mauritius), Interop (France), Rubicon (USA)… (You can find some of the events listed here http://www.p1sec.com/corp/about/events/).