We discussed several times the rule of the SS7 signaling protocol in mobile communications and how to exploit its flaws to track users.
When mobile users travel between countries, their mobile devices connect to the infrastructure of a local operator that communicates with their operator back home. The SS7 protocol allows to implement roaming, but as explained it is also affected by many vulnerabilities that could be exploited for:
Diameter is considered the evolution of the SS7 protocol for modern Long-Term Evolution (LTE) networks, respect its predecessor it is more secure, isn’t it?
Anyway. experts discovered that Diameter is also affected by security issues, one if them, is the lack of mandatory implementation of the Internet Protocol Security (IPsec) protocol.
According to researchers from Nokia Bell Labs and Aalto University in Finland, this means that Diameter could be hacked with the same techniques that are effective against SS7.
The team of experts made several tests to evaluate attacks against users connected to the LTE network. They simulated the attacks on a test network set up by an unnamed global mobile operator. In the tests, they powered a cyber attack against UK subscribers from Finland and discovered several methods of disrupting service to users.
The researchers were able to temporarily and permanently shut down users connections, they were also able to target entire regions.
The team presented the results of tests at the Black Hat Europe security conference in London.
In order to launch the attack against another operator’s systems or subscribers, the researchers need to access to the private interconnection network (IPX).The experts demonstrated that there are several ways to access IPX, for example, a persistent attacker like a government could oblige a local operator to gain access through it.
Attackers could act as a virtual network operator and get access to the roaming network through an existing operator. They could also hack into one of the nodes run by an operator that is accessible from the internet. Let’s give a close look at LTE networks and their main components:
Great now the attacker has the info to start the attack!
At this point, the attacker masquerading as a partner’s HSS sends a Cancel Location Request (CLR) message to the victim’s MME causing the disconnection of the specific subscriber.
The CLR messages are normally used inside the LTE network when subscribers switch from one MME to another because of a change in location.
The researchers also highlighted another possible to exploit this mechanism to obtain a sort of amplification factor of the request. The researchers noticed that when the subscriber re-attaches, their device will send 20 different messages to the MME.
Imagine the case the attackers force the detachment of hundreds of subscribers at the same time, the MME will be flooded by ‘re-attach’ messages causing a DoS in large areas covered by Mobility Management Entities.
There is also a second DoS attack scenario in which the attackers can impersonate an HSS and send an Insert Subscriber Data Request (IDR) to the victim’s MME with a special value that means no service. This will permanently detach the mobile user from the network because their subscription will be changed in the MME’s records.
In this case, the only way to attach the network again is contacting the mobile operator.
As you can see also LTE networks and Diameter are vulnerable to hacking attack, for this reason, the researchers highlighted the need for further security measures.
For further information give a look at the slides (“Detach me not DoS attacks against 4G cellular users worldwide from your desk“) presented at the BlackHatEurope 2016.
(Security Affairs – LTE Network, Hacking)