Global ICT Standardization Forum for India (GISFI)

Title: Study report on 3GPP Tdocs: MME - Threats and Requirements

Author(s): NEC.

Purpose: Discussion and Approval

Doc number: GISFI_SP_201403447

Meeting: GISFI#16; New Delhi, India, 10th - 12th March, 2014

Abstract

The MME (Mobility Management Entity) is one of the core network elements of the LTE (Long Term Evolution) Evolved Packet Core (EPC) architecture. The MME handles a number of functions in the LTE architecture, so securing it is crucial for the network. The MME holds a large amount of sensitive data which must be protected from exposure, since exposure could lead to compromise of the configuration of the MME platform and architecture. This document covers the various interfaces of an MME which are exposed to the network and how they communicate with each other. The main focus of this document is on the threats posed to an MME through its exposed interfaces. The nature of the threats perceived from such interfaces and the security requirements of the MME are under study within the 3GPP SA3 working group. In this document, these threat scenarios have been studied and, based on them, the security requirements for the MME have been identified.

1.  Introduction

3GPP LTE is a wireless communication standard providing high-speed data for mobile phones and other user devices. One of the key control nodes in the LTE EPC architecture is the MME, which is responsible for managing and tracking the User Equipment (UE) in idle mode and for paging procedures, including retransmissions. It has a number of other responsibilities, including authentication of the user (by interacting with the Home Subscriber Server (HSS)), authorization of the UE with the Public Land Mobile Network (PLMN), enforcement of roaming restrictions, etc. Sections 2 and 3 list the main assets and interfaces of an MME which are exposed to other network elements and need to be protected. Section 4 discusses the attacker models for an attack on an MME. Section 5 describes the threat scenarios that have been identified against an MME, and Section 6 derives from these threats the requirements an MME must meet to protect against them.

2.  Assets of MME[1]

The assets of MME to be protected are:

·  Access-account and control data, credentials, and log data.

·  Interface configuration data: MME IP address, ports, VPN (Virtual Private Network) ID, etc.

·  Operating System

·  Application(s)

·  Mobility Management data: subscriber identities (e.g. IMSI (International Mobile Subscriber Identity)), subscriber keys (i.e. KNASenc, KNASint, NH), authentication parameters, address of the serving eNB (evolved Node B), APN (Access Point Name) name, data related to mobility management such as UE status and UE IP address, session management data such as PDN (Packet Data Network) type and QoS (Quality of Service), and node and routing selection data, e.g. the IP address of the S/P-GW (Serving/PDN Gateway) serving the UE, or the routing connection selected based on the UE's identity.

·  Sufficient processing capacity: processing power must not be consumed close to its limits.

·  Hardware: mainframe, board, power supply unit etc.

3.  External interfaces of MME[1]

The various external interfaces of the MME which need to be protected are:

·  Console interface, for local access: local interface on MME

·  O&M (Operations & Maintenance) interface, for remote access: interface between MME and O&M system

·  S1-MME: between MME and eNB

·  S10: between MME and MME

·  S11: between MME and S-GW

·  Gn: between MME and Gn/Gp SGSN (Serving GPRS Support Node)

·  S6a: between MME and HSS

·  SGs: between MME and MSC (Mobile Switching Centre)

4.  Attacker Models[5]

4.1. Inside Attacker

An inside attacker is one who has privileged access to the target MME. There are various methods by which an inside attacker can target the MME:

·  Access and modify configuration files

·  Access and modify subscriber data

·  Access and modify log files

·  Modify software, firmware and OS

·  Replace MME functionality with attacker-modified functionality

·  Make physical modifications to the hardware (e.g. splitters), etc.

Some conceived attack scenarios for inside attackers are as follows:

·  Attacks during the manufacturing process of the MME (e.g. backdoors, rootkits)

·  Attacks on MME connections and interfaces within the core network components (e.g. the S6a interface to the HSS)

·  Attacks by authorized and authenticated personnel with access and permission to modify the MME configuration and data.

From the above it can be concluded that attacks from the inside cannot be countered completely. We can only restrict the access granted to each person sufficiently that such incidents can be isolated in time, using counter measures for protection and detection (e.g. access control on the interfaces and logging mechanisms for configuration changes).

4.2. External Attacker

External attackers are those who do not have privileged access to the target. Any attack in such a scenario is carried out via the exposed interfaces of the MME listed in Section 3. The approach of such an attacker varies from case to case, depending on the interface vulnerabilities and the access available to the MME.

4.3. Hybrid Attacker

An attacker can combine the two kinds of attack into a more effective one, for example by bribing or blackmailing people on the inside and using them to gain access from the outside. As with any inside attack, it is not possible to protect against such attacks other than by properly vetting the personnel involved in management.

5.  Threats on an MME

5.1. Protocol/Network based attacks

T1. Internal Attacks[2]

An employee with internal access to the network misuses his privileges to attack the MME, either intentionally or under coercion. Such an employee poses a serious threat to the MME data and/or configuration.

T2. Sensitive Information Disclosure[3]

The MME stores a lot of sensitive information which, if available to an attacker, can lead to access violations, failed authentication, fake signalling, etc. All such sensitive information, such as communication keys (i.e. KNASenc, KNASint, KeNB) and the administrator password on the MME, needs to be protected from disclosure and tampering by using effective encryption techniques.

T3. Compromised/Misbehaving UE[4]

The attacker can use a UE, or a number of compromised UEs, to access one MME at the same time, draining all its resources and effectively blocking the MME. The same can also be done with a fuzzing engine that sends attach/detach requests to the MME and disrupts the MME service. This leads to loss of service, or a degraded service, for legitimate users.

5.2. OAM based Attacks

T4. Software package integrity and anti-virus[6]

Software packages/upgrades which are installed in an MME may contain harmful viruses, tampered code, malware or other such attack vectors. Using such tampered packages can make the LTE core network vulnerable to attacks and information leakage.

T5. MME management and maintenance[7]

If an attacker can gain unauthorized access to the MME, then he can control all of its sensitive information, including user and system data. He can also use it to gain access to other core network elements, thus compromising the whole network.

T6. User account and password management[8]

Like any other password-protected system, the MME user account and password policy needs to be secured against the following common threats:

·  A leaked default user password used to gain low-privileged access

·  Low strength of user password

·  Brute force attack

·  Passwords not stored securely (i.e. without encryption)

·  Multiple login conflicts and configuration collisions

6.  Requirements for securing MME

6.1. Protocol/Network based attacks

R1. Internal Attacks[2]

Such an attack cannot be stopped, but steps can be taken to mitigate the damage:

·  Using strong and unique authentication mechanisms

·  Effective logging and auditing of users and configuration changes in MME

R2. Sensitive Information Disclosure[3]

To protect such sensitive information in the MME the following requirements have been identified:

·  The keys should be physically protected in a secure environment with authorized access only

·  Keys should be encrypted when stored in files on the MME

·  Passwords should not be transmitted or stored as clear text values.

R3. Compromised/Misbehaving UE[4]

To protect the MME from such threats:

·  MME should implement effective signal congestion prevention techniques.

·  It should include functionality to detect such misbehaving UEs and take preventive action.
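As an added illustration of the second requirement (this code is not part of the GISFI report or of any MME implementation), the following Python detects a UE that cycles attach/detach requests against the MME, the behaviour described under T3. It parses constructed S1-MME procedure log lines in an assumed format and flags any IMSI whose requests within a sliding 10-second window reach a threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed S1-MME NAS procedure log lines (assumed format, not real MME output):
#   "<ISO time> <PROCEDURE> imsi=<IMSI> enb=<eNB id>"
LEGIT_LINES = [
    "2014-03-10T10:00:00 ATTACH_REQUEST imsi=001010000000001 enb=1001",
    "2014-03-10T10:00:09 DETACH_REQUEST imsi=001010000000001 enb=1001",
]
# Constructed attach/detach storm: one UE cycling attach and detach once per second.
STORM_LINES = [
    "2014-03-10T10:00:%02d %s_REQUEST imsi=001010000000002 enb=1002"
    % (s, "ATTACH" if s % 2 == 0 else "DETACH")
    for s in range(10)
]
SAMPLE_LOG = "\n".join(LEGIT_LINES + STORM_LINES)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>ATTACH_REQUEST|DETACH_REQUEST) imsi=(?P<imsi>\d+) enb=(?P<enb>\d+)$"
)


def find_misbehaving_ues(log_text, window_seconds=10, max_requests=5):
    """Return {imsi: peak request count} for UEs whose attach/detach requests
    within any sliding window of window_seconds reach max_requests."""
    recent = defaultdict(deque)   # imsi -> timestamps of requests still inside the window
    peak = defaultdict(int)       # imsi -> highest count seen in one window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # lines that do not parse are ignored here
        t = datetime.fromisoformat(m["ts"]).timestamp()
        q = recent[m["imsi"]]
        q.append(t)
        while q and q[0] < t - window_seconds:
            q.popleft()           # drop requests that fell out of the window
        peak[m["imsi"]] = max(peak[m["imsi"]], len(q))
    return {imsi: n for imsi, n in peak.items() if n >= max_requests}
```

The flagged IMSIs are the input to whatever preventive action the operator chooses (e.g. rejecting further attach requests from that UE for a back-off period).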

6.2. OAM based Attacks

R4. Software package integrity and anti-virus[6]

Proper steps need to be followed to mitigate any threats to the MME caused by software package integrity and anti-virus updates:

·  Protect software package/patch integrity by using appropriate mechanisms (e.g. hash-based checks to detect tampering, digital signatures to authenticate the source, etc.)

·  Scan the package/updates using multiple anti-virus scanners and maintain logs of the same.
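The first requirement, shown as an added shell example (not from the GISFI report or any vendor's tooling): a vendor publishes a manifest of package hashes and signs it; before installation the operator verifies the signature against the trusted vendor public key (authenticates the source) and then checks the hashes (detects tampering). The vendor key pair, package and file names are constructed for the demonstration.

```sh
#!/bin/sh
# Constructed demo: signed manifest of package hashes, verified before installation.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# --- vendor side (assumed; only here to produce signed artefacts for the demo) ---
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out vendor.key 2>/dev/null
openssl pkey -in vendor.key -pubout -out vendor.pub 2>/dev/null
printf 'constructed MME package contents\n' > mme-upgrade.bin
sha256sum mme-upgrade.bin > MANIFEST                      # hashes of every package file
openssl dgst -sha256 -sign vendor.key -out MANIFEST.sig MANIFEST

# --- operator side: verify_package <manifest> <signature> <trusted vendor pubkey> ---
# Returns 0 only if the signature is from the trusted key AND every listed hash matches;
# 1 means the source could not be authenticated, 2 means a package file was altered.
verify_package() {
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1 || return 1
    sha256sum -c --status "$1" || return 2
}

verify_package MANIFEST MANIFEST.sig vendor.pub && echo "package verified: safe to install"

# Simulate tampering with the package after it was signed; the hash check now fails.
printf 'tampered\n' >> mme-upgrade.bin
verify_package MANIFEST MANIFEST.sig vendor.pub || echo "package rejected"
```

Because the manifest itself is signed, an attacker who alters a package file must also alter the manifest, which then no longer verifies against the vendor key.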

R5. MME management and maintenance interface[7]

Some steps required to protect the management console are:

·  Mutual authentication between the MME and other network entities communicating over the network.

·  All communication between the MME and other network elements should use TLS (Transport Layer Security) for authentication and for communication over the established secure tunnel.

·  Use access control mechanisms to limit MME access to selected users and terminals.

R6. User account and password management[8]

The various security requirements identified to secure the MME user account are as follows:

·  A consistent security policy for user accounts and password management

·  Password management policy (e.g. forced change of the initial password, password strength level, permitted password characters, maximum duration before a password change, salting of password hashes, etc.)

·  Password lock-out policy (maximum number of login attempts, duration until the next attempt, timeout, etc.)
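The password management and lock-out policies above, shown as an added Python example (not part of the GISFI report or of any MME product). The policy values, the status strings and the account structure are assumptions made for the example; the salted PBKDF2-HMAC-SHA256 storage means only a salt and a hash are ever kept, never the password itself.

```python
import hashlib
import hmac
import os
import re
# Policy values are assumed for this example; an operator sets its own.
MIN_LENGTH, MAX_FAILED_ATTEMPTS = 12, 3
LOCKOUT_SECONDS, MAX_PASSWORD_AGE = 900, 90 * 86400   # seconds

def strength_violations(password):
    """Rules a candidate password breaks (empty list means it is acceptable)."""
    rules = [(len(password) >= MIN_LENGTH, "too short"),
             (re.search(r"[A-Z]", password), "no upper-case letter"),
             (re.search(r"[a-z]", password), "no lower-case letter"),
             (re.search(r"\d", password), "no digit"),
             (re.fullmatch(r"[\x21-\x7e]+", password), "character not permitted")]
    return [msg for ok, msg in rules if not ok]

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only this record is stored, never the password."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)}

class Account:
    def __init__(self, initial_password, now):
        self.record, self.changed_at = hash_password(initial_password), now
        self.must_change = True          # forced change of the initial password
        self.failures, self.locked_until = 0, 0

def change_password(account, new_password, now):
    problems = strength_violations(new_password)
    if not problems:
        account.record, account.changed_at, account.must_change = hash_password(new_password), now, False
    return problems

def attempt_login(account, password, now):
    """Apply lock-out, forced-change and password-age policy; returns a status string."""
    if now < account.locked_until:
        return "locked"
    candidate = hash_password(password, account.record["salt"])["hash"]
    if not hmac.compare_digest(candidate, account.record["hash"]):
        account.failures += 1
        if account.failures >= MAX_FAILED_ATTEMPTS:
            account.failures, account.locked_until = 0, now + LOCKOUT_SECONDS
            return "locked"
        return "rejected"
    account.failures = 0
    if account.must_change or now - account.changed_at > MAX_PASSWORD_AGE:
        return "password-change-required"
    return "ok"
```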

7.  Conclusion

The 3GPP input documents have been studied to determine the various threats to an MME and the corresponding security requirements. This document identifies the assets of an MME which need to be protected and the external interfaces of the MME to other network elements. The threats identified are only some of the possible threats and are non-exhaustive; the list can be updated as and when more are identified. The requirements can serve as guidelines which operators can meet to reduce the likelihood of these threats occurring.

8.  References

The references below are available on the 3GPP website (checked on 4 March 2014) (http://www.3gpp.org/ftp/tsg_sa/wg3_security/TSGS3_74_Taipei/TdocList_2014-01-27_11h30.htm)

1.  S3-140094 - Assets and external interfaces of MME

2.  S3-140095 - Security threat and requirements with respect to internal attacks on MME

3.  S3-140096 - Security threats of disclosure of sensitive information and security requirement on MME

4.  S3-140097 - Security threats on MME from the compromised or misbehaving UE and related requirements

5.  S3-140145 - SECAM MME attacker model

6.  S3-140164 - Security threats and requirements on MME software package integrity and anti-virus

7.  S3-140168 - Security threats and requirements on MME management and maintenance access

8.  S3-140170 - Security threats and requirements on MME user account and password management
