LTE networks are a critical piece of technology of growing importance to many operators worldwide with specific vulnerabilities and security aspects.
The security principles of LTE have greatly improved previous telecom technologies with NDS/IP, cryptographic implementation and keying strategies, segmentation and isolation of domains, use of cryptographic and certificate-based enrollment of eNodeBs.
Yet, LTE poses some critical problems with its flat nature, its increased attack surface, its generalization of commoditized technologies such as ATCA, Linux, S1AP, X2AP, Diameter.
Diameter in itself poses specific security problems as it expands the attack surface. Most of SS7, GSM and UMTS protocols were ported over Diameter so that specific AVPs can be used to conduct the same sessions and transactions as used to be transported over SS7 MAP for example.
It is important to understand and consider the reach of signaling messages within the IMS Core or the LTE EPC core over Diameter, and to audit these specifically, including the impact of the new infrastructures on the legacy equipment.
Consulting, Pentest and Audit Missions
P1 Security has provided critical audit services to operators for their LTE operations. Here is a list of security audits that we have performed so far:
- LTE eRAN penetration testing : Product Security audit (PSR/PVR) of the eNodeB, their enrollment mechanism, the Ericsson COMINF enrollment and OAM servers, penetration testing then audit of S1 and X2 signaling between eNodeB and MME;
- Pre-deployment and pre-production penetration testing of Ericsson and Huawei eNodeB systems, Ericsson and Huawei OSS systems, Huawei MME
- LTE EPC testbed Product Security audit (PSR/PVR) of Huawei EPC Core Network Elements: MME, UGW (SeGW, SGW, PDN GW), HSS, MSC Proxy (based on MSoftX 3000)
- LTE EPC links to existing Network Elements: HLR, MSC, PCRF, …
- LTE GTP-U, GTP-C and GTP’ (GTP Prime) audit and penetration testing in specific situations
- Diameter audit for both Authentication (AAA), MSU and signaling transport and Charging
- Impact audit of LTE new platforms over SS7 security (both on legacy and newly deployed equipment)
- LTE User Equipment (UE) testing both in subscriber situation and in M2M situation
- Operator-wide penetration testing of LTE implementation (Subscriber access through normal LTE Radio and APNs, physical access to eNodeBs, external exposure of LTE systems).
On top of these missions showing our expertise on LTE technologies, P1 Security has more than 110 private vulnerabilities in its VKB that apply to LTE networks.
P1 Security has been delivering speeches and presentations to many industry associations including TCERT, TelcoSecDay and HITB regarding LTE Security specifics.