Draft 1 GISFI TR SP.108 V1.0.0 (2014-06)

GISFI TR SP.108

V1.0.0

(2014-06)

Technical Report

Global ICT Standardisation Forum for India;

Technical Working Group Security and Privacy;

Security Testing - MME (Mobility Management Entity);

(Draft)

The present document has been developed within GISFI and may be further elaborated for the purposes of GISFI.

GISFI

Draft 2 GISFI TR SP.108 V1.0.0 (2014-06)

GISFI

GISFI office address

Suite 303, 3 rd Floor, Tirupati Plaza, Plot

No. 4, Sector 11, Dwarka, New Delhi-

110075, India

Tel.: +91-11-47581800 Fax: +91-11-

47581801

Internet http://www.gisfi.org

E-mail: info@gisfi.org

Copyright Notification

No part may be reproduced except as authorized by written permission.

The copyright and the foregoing restriction extend to reproduction in all media.

© 2014, GISFI

All rights reserved.

GISFI

Draft 3 GISFI TR SP.108 V1.0.0 (2014-06)

Contents

Foreword ............................................................................................................................................................ 4

Introduction ........................................................................................................................................................ 5

1 Scope ....................................................................................................................................................... 6

2 References ............................................................................................................................................... 7

3 Definitions, symbols and abbreviations ................................................................................................... 7

3.1

3.2

Definitions ......................................................................................................................................................... 7

Abbreviations ..................................................................................................................................................... 7

4 General ..................................................................................................................................................... 9

4.1. Functionality of the MME ................................................................................................................................. 9

4.2.

4.3.

Standards based network architecture showing the interfaces of MME ............................................................ 9

Protocols in MME.............................................................................................................................................. 9

5 Security Threats and Requirements ....................................................................................................... 10

5.1.

5.2.

General security requirements ......................................................................................................................... 10

Attacker Models .............................................................................................................................................. 10

5.2.1

5.2.2.

5.2.3.

5.3

5.4

5.4.1.

5.4.2.

Inside Attacker .......................................................................................................................................... 10

External Attacker ...................................................................................................................................... 10

Hybrid Attacker ......................................................................................................................................... 10

Security requirements from specifications ....................................................................................................... 11

Threats and requirements from threats ............................................................................................................ 11

Threats on an MME ................................................................................................................................... 11

Requirements for securing MME ............................................................................................................... 11

Annex A: Heading levels in an annex .......................................................................................................... 13

Annex B: Change history: ................................................................................................................................ 14

GISFI

Draft 4 GISFI TR SP.108 V1.0.0 (2014-06)

Foreword

This Technical Report has been produced by GISFI.

The contents of the present document are subject to continuing work within the Technical Working Group

(TWG) and may change following formal TWG approval. Should the TWG modify the contents of the present document, it will be re-released by the TWG with an identifying change of release date and an increase in version number as follows:

Version x.y.z where: x the first digit shows the release to which the document belongs y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document.

GISFI

Draft 5 GISFI TR SP.108 V1.0.0 (2014-06)

Introduction

The MME (Mobility Management Entity) is one of the core network elements of the LTE (Long Term

Evolution) Evolved Packet Core (EPC) architecture. The MME handles a number of functionalities in the LTE architecture so securing it is crucial for the network. The MME contains a lot of sensitive data which needs to be protected from being exposed as it might lead to compromising the configuration of the MME platform and architecture. This document covers the various interfaces of an MME which are exposed to the network and how they communicate among themselves. The main focus of this document is on the threats posed on an MME from its exposed interfaces. The nature of threats perceived from such interfaces and the security requirements of the MME that are under study within the 3GPP SA3 work group. In this document, these threat scenarios have been studied and based on which the security requirements for MME have been identified.

GISFI

Draft 6 GISFI TR SP.108 V1.0.0 (2014-06)

1 Scope

3GPP LTE is a wireless communication standard providing high-speed data for mobile phones and other user devices. One of the key control nodes in the LTE EPC architecture is the MME which is responsible for managing and tracking the User Equipment (UE) in idle mode and other paging procedures including retransmissions. It has a number of other responsibilities including authentication of the user (by interacting with Home Subscriber Server (HSS)), authorization of UE with Public Land and Mobile Network (PLMN), implementing roaming restrictions, etc. Section 4 discusses the main assets and interfaces of an MME which are exposed to other network elements and need to be protected. Section 5 discusses the various threat models for an attack on an MME, threats scenarios and requirements of an MME to protect against the identified threats.

GISFI

Draft 7 GISFI TR SP.108 V1.0.0 (2014-06)

2 References

Below reference are available in 3GPP website (Checked as on 04 th March 2014)

(http://www.3gpp.org/ftp/tsg_sa/wg3_security/TSGS3_74_Taipei/TdocList_2014-01-27_11h30.htm)

1.

S3-140094 - Assets and external interfaces of MME

2.

S3-140095 - Security threat and requirements with respect to internal attacks on MME

3.

S3-140096 - Security threats of disclosure of sensitive information and security requirement on MME

4.

S3-140097 - Security threats on MME from the compromised or misbehaving UE and related requirements

5.

S3-140145 - SECAM MME attacker model

6.

S3-140164 - Security threats and requirements on MME software package integrity and anti-virus

7.

S3-140168 - Security threats and requirements on MME management and maintenance access

8.

S3-140170 - Security threats and requirements on MME user account and password management

3 Definitions, symbols and abbreviations

3.1 Definitions

[Editor’s Note: To be filled]

3.2

3GPP

ASME

AuC

CA

CMP

CK

CP eNB enc

EPC

Abbreviations

3 rd Generation Partnership Project

Access Security Management Entity

Authentication Centre

Certificate Authority

Certificate Management Protocol

Cipher Key

Control Plane

Evolved Node B

Encryption

Evolved Packet Core

GISFI

Draft ePDG

EPS

ESP

GRX

GTP-C

GW

HeNB

HNB

HSS

IK

IMS

IMEI

IMSI

int

K

LEA

LI

LTE

MME

NAS

PCRF

PDN

PKI

PLMN

RRC

SAE

SEG

SeGW

Serv.GW

UMTS

UP

USIM

8

Evolved Packet Data Gateway

Evolved Packet System

Encapsulating Security Payload

GPRS Roaming eXchange Network

GPRS Tunnelling Protocol - Control

Gateway

Home eNB

Home Node B

Home Subscriber Server

Integrity Key

IP Multimedia System

International Mobile Equipment Identity

International Mobile Subscriber Identity

Integrity

Key

Law Enforcement Agency

Lawful Interception

Long Term Evolution

Mobility Management Entity

Non Access Stratum

Policy and Charging Rules Function

Packet Data Network

Public Key Infrastructure

Public Land Mobile Network

Radio Resource Control

System Architecture Evolution

Security Gateway

Security Gateway

Serving Gateway

Universal Mobile Telecommunication System

User Plane

UMTS Subscriber Identity Module

GISFI

GISFI TR SP.108 V1.0.0 (2014-06)

Draft 9 GISFI TR SP.108 V1.0.0 (2014-06)

4 General

This section describes the functionality of MME from standards as well as practical perspective.

4.1. Functionality of the MME

[Editor’s Note: To be filled with functionality of MME from standard]

4.2. Standards based network architecture showing the interfaces of MME

[Editor’s Note: To be filled with standard based network architecture showing MME interfaces from standard]

4.3. Protocols in MME

[Editor’s Note: To be filled with the protocols used in MME interfaces]

GISFI

Draft 10 GISFI TR SP.108 V1.0.0 (2014-06)

5 Security Threats and Requirements

This section will discuss security threats and requirements of MME as per applicable 3GPP standards

5.1. General security requirements

[Editor’s Note: To be filled with general security requirements from standard]

5.2. Attacker Models

5.2.1 Inside Attacker

An inside attacker is one who has privileged access to the target MME. There are various methods by which an inside attacker can target the MME [5]:

Access and modify configuration files

Access and modify subscriber data

Access and modify logs files

Modify software, firmware and OS

Modify MME functionality by an attacker’s modified functionality

Make physical modifications to the hardware (eg. Splitters ),etc.

Some conceived attack scenarios for inside attackers are as follows:

HSS)

Attacks during the manufacturing process of MME(eg. Backdoors, rootkits)

Attacks on MME connections and interfaces within the core network components (eg. S6a interface to

• Attacks by authorized and authenticated personnel with access and permission to modify the MME configuration and data.

From the above it can be concluded that attacks from inside cannot be countered against. We can only try to sufficiently specify access to the various personnel so that it is possible to timely isolate such incidents using various counter measures for protection and detection (e.g. Access control on the interfaces and logging mechanisms for configuration changes).

5.2.2. External Attacker

External attackers are those who don’t have privileged access to the target. Any attacks in such scenarios are via the exposed interfaces of the MME in the earlier section. The approach of such an attacker varies with every individual based on interface vulnerabilities and access to MME.

5.2.3. Hybrid Attacker

An attacker can use a combination of the two attacks to make a more effective attack. By using means like bribing and blackmailing people on the inside and using them to gain access from the outside. Like any inside attack it is not possible to protect against such attacks except for properly vetting the personnel in the management.

GISFI

Draft 11 GISFI TR SP.108 V1.0.0 (2014-06)

5.3 Security requirements from specifications

[Editor’s Note: To be filled with general security requirements from standard]

5.4

5.4.1.

Threats and requirements from threats

Threats on an MME

Protocol/Network based attacks

T1. Internal Attacks[2]

An employee having internal access to the network misuses his privileges to attack the MME intentionally or coercively. Such an employee poses serious threat to the MME data and/or configuration.

T2. Sensitive Information Disclosure[3]

The MME stores a lot of sensitive information which if available to the attacker can lead to access violations, failed authentication, fake signaling etc. All such sensitive information like communication keys (i.e KNASenc,

KNASint, KeNB) and administrator password on MME needs to be protected from such tampering by using effective encryption techniques.

T3. Compromised/Misbehaving UE[4]

The attacker can use a UE or a number of compromised UEs to gain access to one MME at the same time thus draining all its resources and effectively blocking the MME. The same can also be done by using a fuzzing engine to send attach/detach requests to the MME and disrupting the MME service This leads to the loss of service or a degraded service for a legitimate user.

OAM based Attacks

T4. Software package integrity and anti-virus[6]

Software packages/upgrades which are installed in an MME may contain harmful viruses, tampered code, malware or other such attack vectors. Using such tampered packages can make the LTE core network vulnerable to attacks and information leakage.

T5. MME management and maintenance[7]

If an attacker can gain unauthorized access to the MME then he can control all the sensitive information including user and system data. He can also use it to gain access to other core network elements thus compromising the whole network.

T6. User account and password management[8]

Like any other password protected system the MME user account and password policy needs to be made secure from the various common case threats like

Default user password may be leaked to gain low privileged access.

Low strength of user password

Brute force attack

Secure storage for passwords using encryption.

Multiple login conflicts and configuration collisions

5.4.2. Requirements for securing MME

Protocol/Network based attacks

R1. Internal Attacks[2]

GISFI

Draft 12 GISFI TR SP.108 V1.0.0 (2014-06)

Such an attack cannot be stopped but steps can be taken to mitigate the damage.

Using strong and unique authentication mechanisms

Effective logging and auditing of users and configuration changes in MME

R2. Sensitive Information Disclosure[3]

To protect such sensitive information in the MME the following requirements have been identified:

The keys should be physically protected in a secure environment with authorized access

It should be encrypted when stored in files on MME

The password should not be transmitted or stored as clear text values.

R3. Compromised/Misbehaving UE[4]

To protect the MME from such threats:

MME should implement effective signal congestion prevention techniques.

It should include functionality to detect such misbehaving UEs and take preventive action.

OAM based Attacks

R4. Software package integrity and anti-virus[6]

Proper steps need to be followed to mitigate any threats on the MME caused due to software package integrity and anti-virus updates

Protect software package/patch integrity by using appropriate mechanisms (e.g. hash based check to find tampering, Digital Signatures to authenticate source, etc.)

Scan the package/updates using multiple anti-virus scanners and maintain logs of the same.

R5. MME management and maintenance interface[7]

Some steps required to protect the management console are:

Mutual authentication between the MME and other network entities for communicating over the network.

All communication between the MME and other network elements will use TLS(Transport Layer

Security) for authentication and secure tunnel established communication.

Use access control mechanisms to limit MME access control to selective users and terminals.

R6. User account and password management[8]

The various security requirements identified to secure the MME user account are as follows:

A consistent security policy for user accounts and password management

Password management policy (e.g. Initial forced password modification, Password strength level, password characters permitted, duration for password change, salting of password hashes, etc.)

Password lock-out policy (Maximum number of login attempts, duration till next attempt, timeout, etc.)

GISFI

Draft 13 GISFI TR SP.108 V1.0.0 (2014-06)

Annex A: Heading levels in an annex

GISFI

Draft 14

Annex B: Change history:

Date

2014-28-05

TSG

#

Change history

TSG Doc. CR Rev Subject/Comment

Initial Draft

GISFI TR SP.108 V1.0.0 (2014-06)

Old New

-

GISFI