Draft 1 GISFI TR SP.108 V1.0.0 (2014-06)
V1.0.0
Technical Report
The present document has been developed within GISFI and may be further elaborated for the purposes of GISFI.
GISFI office address
Suite 303, 3 rd Floor, Tirupati Plaza, Plot
No. 4, Sector 11, Dwarka, New Delhi-
110075, India
Tel.: +91-11-47581800 Fax: +91-11-
47581801
Internet http://www.gisfi.org
E-mail: info@gisfi.org
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© 2014, GISFI
All rights reserved.
Contents
Foreword .... 4
Introduction .... 5
1 Scope .... 6
2 References .... 7
3 Definitions, symbols and abbreviations .... 7
3.1 Definitions .... 7
3.2 Abbreviations .... 7
4 General .... 9
4.1. Functionality of the MME .... 9
4.2. Standards based network architecture showing the interfaces of MME .... 9
4.3. Protocols in MME .... 9
5 Security Threats and Requirements .... 10
5.1. General security requirements .... 10
5.2. Attacker Models .... 10
5.2.1 Inside Attacker .... 10
5.2.2. External Attacker .... 10
5.2.3. Hybrid Attacker .... 10
5.3 Security requirements from specifications .... 11
5.4 Threats and requirements from threats .... 11
5.4.1. Threats on an MME .... 11
5.4.2. Requirements for securing MME .... 11
Annex A: Heading levels in an annex .... 13
Annex B: Change history .... 14
Foreword
This Technical Report has been produced by GISFI.
The contents of the present document are subject to continuing work within the Technical Working Group (TWG) and may change following formal TWG approval. Should the TWG modify the contents of the present document, it will be re-released by the TWG with an identifying change of release date and an increase in version number as follows:
Version x.y.z where:
x  the first digit shows the release to which the document belongs;
y  the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc.;
z  the third digit is incremented when editorial only changes have been incorporated in the document.
Introduction
The MME (Mobility Management Entity) is one of the core network elements of the LTE (Long Term Evolution) Evolved Packet Core (EPC) architecture. The MME handles a number of functionalities in the LTE architecture, so securing it is crucial for the network. The MME contains a lot of sensitive data which needs to be protected from exposure, as exposure might lead to a compromise of the configuration of the MME platform and architecture. This document covers the various interfaces of an MME which are exposed to the network and how they communicate among themselves. The main focus of this document is on the threats posed to an MME through its exposed interfaces. The nature of the threats perceived from such interfaces, and the corresponding security requirements of the MME, are under study within the 3GPP SA3 working group. In this document, these threat scenarios have been studied, and based on them the security requirements for the MME have been identified.
1 Scope
3GPP LTE is a wireless communication standard providing high-speed data for mobile phones and other user devices. One of the key control nodes in the LTE EPC architecture is the MME, which is responsible for managing and tracking the User Equipment (UE) in idle mode and for other paging procedures, including retransmissions. It has a number of other responsibilities, including authentication of the user (by interacting with the Home Subscriber Server (HSS)), authorization of the UE with the Public Land Mobile Network (PLMN), implementing roaming restrictions, etc. Section 4 discusses the main assets and interfaces of an MME which are exposed to other network elements and need to be protected. Section 5 discusses the various attacker models for an attack on an MME, the threat scenarios, and the requirements on an MME to protect against the identified threats.
2 References
The references below are available on the 3GPP website (checked on 4th March 2014):
http://www.3gpp.org/ftp/tsg_sa/wg3_security/TSGS3_74_Taipei/TdocList_2014-01-27_11h30.htm
[1] S3-140094 - Assets and external interfaces of MME
[2] S3-140095 - Security threat and requirements with respect to internal attacks on MME
[3] S3-140096 - Security threats of disclosure of sensitive information and security requirement on MME
[4] S3-140097 - Security threats on MME from the compromised or misbehaving UE and related requirements
[5] S3-140145 - SECAM MME attacker model
[6] S3-140164 - Security threats and requirements on MME software package integrity and anti-virus
[7] S3-140168 - Security threats and requirements on MME management and maintenance access
[8] S3-140170 - Security threats and requirements on MME user account and password management
3 Definitions, symbols and abbreviations
3.1 Definitions
[Editor’s Note: To be filled]
3.2 Abbreviations
3GPP      3rd Generation Partnership Project
ASME      Access Security Management Entity
AuC       Authentication Centre
CA        Certificate Authority
CMP       Certificate Management Protocol
CK        Cipher Key
CP        Control Plane
eNB       Evolved Node B
enc       Encryption
EPC       Evolved Packet Core
ePDG      Evolved Packet Data Gateway
EPS       Evolved Packet System
ESP       Encapsulating Security Payload
GRX       GPRS Roaming eXchange Network
GTP-C     GPRS Tunnelling Protocol - Control
GW        Gateway
HeNB      Home eNB
HNB       Home Node B
HSS       Home Subscriber Server
IK        Integrity Key
IMS       IP Multimedia System
int       Integrity
K         Key
LEA       Law Enforcement Agency
LI        Lawful Interception
LTE       Long Term Evolution
MME       Mobility Management Entity
NAS       Non Access Stratum
PCRF      Policy and Charging Rules Function
PDN       Packet Data Network
PKI       Public Key Infrastructure
PLMN      Public Land Mobile Network
RRC       Radio Resource Control
SAE       System Architecture Evolution
SEG       Security Gateway
SeGW      Security Gateway
Serv.GW   Serving Gateway
UMTS      Universal Mobile Telecommunication System
UP        User Plane
USIM      UMTS Subscriber Identity Module
4 General
This section describes the functionality of the MME from a standards as well as a practical perspective.
4.1. Functionality of the MME
[Editor’s Note: To be filled with functionality of MME from standard]
4.2. Standards based network architecture showing the interfaces of MME
[Editor’s Note: To be filled with standard based network architecture showing MME interfaces from standard]
4.3. Protocols in MME
[Editor’s Note: To be filled with the protocols used in MME interfaces]
5 Security Threats and Requirements
This section discusses the security threats and requirements of the MME as per the applicable 3GPP standards.
5.1. General security requirements
[Editor’s Note: To be filled with general security requirements from standard]
5.2. Attacker Models
5.2.1 Inside Attacker
An inside attacker is one who has privileged access to the target MME. There are various methods by which an inside attacker can target the MME [5]:
• Access and modify configuration files
• Access and modify subscriber data
• Access and modify log files
• Modify software, firmware and OS
• Replace MME functionality with the attacker’s own modified functionality
• Make physical modifications to the hardware (e.g. splitters), etc.
Some conceived attack scenarios for inside attackers are as follows:
• Attacks during the manufacturing process of the MME (e.g. backdoors, rootkits)
• Attacks on MME connections and interfaces within the core network components (e.g. the S6a interface to the HSS)
• Attacks by authorized and authenticated personnel with access and permission to modify the MME configuration and data.
From the above it can be concluded that attacks from inside cannot be prevented outright. We can only specify the access of the various personnel precisely enough that such incidents can be isolated in a timely manner, using counter measures for protection and detection (e.g. access control on the interfaces and logging mechanisms for configuration changes).
5.2.2. External Attacker
External attackers are those who do not have privileged access to the target. Any attack in such a scenario is carried out via the exposed interfaces of the MME described in Section 4. The approach of such an attacker varies from case to case, depending on the vulnerabilities of the interfaces and the degree of access to the MME.
5.2.3. Hybrid Attacker
An attacker can use a combination of the two attacks to make a more effective attack, for example by bribing or blackmailing people on the inside and using them to gain access from the outside. As with any inside attack, it is not possible to fully protect against such attacks, except by properly vetting the personnel in management.
5.3 Security requirements from specifications
[Editor’s Note: To be filled with general security requirements from standard]
5.4 Threats and requirements from threats
5.4.1. Threats on an MME
Protocol/Network based attacks
T1. Internal Attacks [2]
An employee having internal access to the network misuses his privileges to attack the MME, intentionally or under coercion. Such an employee poses a serious threat to the MME data and/or configuration.
T2. Sensitive Information Disclosure [3]
The MME stores a lot of sensitive information which, if available to the attacker, can lead to access violations, failed authentication, fake signalling, etc. All such sensitive information, like the communication keys (i.e. K_NASenc, K_NASint, K_eNB) and the administrator password on the MME, needs to be protected from such tampering by using effective encryption techniques.
T3. Compromised/Misbehaving UE [4]
The attacker can use a UE or a number of compromised UEs to gain access to one MME at the same time, thus draining all its resources and effectively blocking the MME. The same can also be done by using a fuzzing engine to send attach/detach requests to the MME and disrupting the MME service. This leads to the loss of service or a degraded service for a legitimate user.
OAM based Attacks
T4. Software package integrity and anti-virus [6]
Software packages/upgrades which are installed in an MME may contain harmful viruses, tampered code, malware or other such attack vectors. Using such tampered packages can make the LTE core network vulnerable to attacks and information leakage.
T5. MME management and maintenance [7]
If an attacker can gain unauthorized access to the MME, then he can control all the sensitive information, including user and system data. He can also use it to gain access to other core network elements, thus compromising the whole network.
T6. User account and password management [8]
Like any other password protected system, the MME user account and password policy needs to be made secure against the common threats, such as:
• Default user password may be leaked to gain low privileged access.
• Low strength of user password
• Brute force attack
• Lack of secure (encrypted) storage for passwords
• Multiple login conflicts and configuration collisions
5.4.2. Requirements for securing MME
Protocol/Network based attacks
R1. Internal Attacks [2]
Such an attack cannot be stopped, but steps can be taken to mitigate the damage:
• Using strong and unique authentication mechanisms
• Effective logging and auditing of users and configuration changes in the MME
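The following is an added example, not code from GISFI TR SP.108 or from any MME product. It illustrates the two places where the report relies on logging and access control to contain inside attacks: the counter measures named at the end of 5.2.1 (access control on interfaces, logging of configuration changes) and requirement R1 (logging and auditing of users and configuration changes). The role model, the configuration areas and the sample changes are constructed assumptions; the point shown is that an audit trail is only useful against an insider if the insider cannot quietly edit it, so each entry commits to the hash of the previous one.

```python
"""Tamper-evident audit trail for MME configuration changes (added example).

Constructed assumptions: the role model, the configuration areas and the
sample change records; none of them come from the report.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Set

# Constructed role model: which operator roles may change which config areas.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "readonly": set(),
    "operator": {"paging", "timers"},
    "admin": {"paging", "timers", "s6a", "security"},
}

GENESIS = "0" * 64  # prev_hash recorded by the first entry


@dataclass
class AuditEntry:
    seq: int
    user: str
    role: str
    area: str
    key: str
    old: str
    new: str
    allowed: bool
    prev_hash: str
    entry_hash: str = ""


def entry_digest(entry: AuditEntry) -> str:
    """SHA-256 over every field except entry_hash itself, in canonical order."""
    fields = asdict(entry)
    fields.pop("entry_hash")
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class ConfigAuditLog:
    """Append-only log; each entry commits to the hash of the previous one,
    so editing or deleting a record in the middle breaks the chain."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, user: str, role: str, area: str, key: str, old: str, new: str) -> AuditEntry:
        # The change is recorded whether or not the role was permitted to make
        # it; the 'allowed' flag is what the auditor later alerts on.
        allowed = area in ROLE_PERMISSIONS.get(role, set())
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = AuditEntry(len(self.entries), user, role, area, key, old, new, allowed, prev)
        entry.entry_hash = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if no entry was altered and none was removed."""
        prev = GENESIS
        for entry in self.entries:
            if entry.prev_hash != prev or entry_digest(entry) != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True

    def unauthorized_changes(self) -> List[AuditEntry]:
        """Changes attempted by a role that lacks permission for that area."""
        return [e for e in self.entries if not e.allowed]


def sample_log() -> ConfigAuditLog:
    """Constructed sample: an operator changes a paging timer (allowed) and
    then the S6a HSS address (outside the operator role)."""
    log = ConfigAuditLog()
    log.record("ops1", "operator", "timers", "t3413_paging", "6s", "8s")
    log.record("ops1", "operator", "s6a", "hss_address", "hss.example", "10.0.0.9")
    log.record("sec1", "admin", "security", "nas_ciphering", "EEA0", "EEA2")
    return log


if __name__ == "__main__":
    log = sample_log()
    for e in log.unauthorized_changes():
        print(f"ALERT seq={e.seq} user={e.user} role={e.role} area={e.area} key={e.key}")
    print("chain intact:", log.verify_chain())
```

In a deployment the chain head would be shipped off the MME (to a remote log collector) at regular intervals, so that an insider with root on the MME can at most truncate the log, which the collector then notices as a break in the chain.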
R2. Sensitive Information Disclosure [3]
To protect such sensitive information in the MME, the following requirements have been identified:
• The keys should be physically protected in a secure environment with authorized access.
• The keys should be encrypted when stored in files on the MME.
• The password should not be transmitted or stored as a clear text value.
R3. Compromised/Misbehaving UE [4]
To protect the MME from such threats:
• The MME should implement effective signalling congestion prevention techniques.
• It should include functionality to detect such misbehaving UEs and take preventive action.
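An added example, not from the report or from any MME implementation, of the detection half of R3. It replays NAS attach/detach events through a sliding-window counter per IMSI and rejects further requests from a UE that exceeds the threshold, which is the behaviour a fuzzing engine cycling attach/detach (threat T3) would trigger. The log line format, the window and threshold values and the sample events are constructed assumptions.

```python
"""Detecting attach/detach signalling floods from misbehaving UEs (added example).

Constructed assumptions: the log format, WINDOW_SEC, MAX_EVENTS and SAMPLE_LOG.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed policy: more than MAX_EVENTS attach/detach requests from one
# IMSI within WINDOW_SEC seconds is treated as abusive.
WINDOW_SEC = 10.0
MAX_EVENTS = 5
COUNTED_PROCEDURES = {"ATTACH_REQUEST", "DETACH_REQUEST"}


class SignallingGuard:
    def __init__(self, window: float = WINDOW_SEC, max_events: int = MAX_EVENTS) -> None:
        self.window = window
        self.max_events = max_events
        self.history: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Dict[str, float] = {}  # imsi -> timestamp when blocked

    def observe(self, ts: float, imsi: str, procedure: str) -> str:
        """Return 'reject' for an already-blocked UE, 'block' when this request
        crosses the threshold, otherwise 'accept'."""
        if imsi in self.blocked:
            return "reject"
        if procedure not in COUNTED_PROCEDURES:
            return "accept"
        window = self.history[imsi]
        window.append(ts)
        while window and ts - window[0] > self.window:  # drop events outside the window
            window.popleft()
        if len(window) > self.max_events:
            self.blocked[imsi] = ts
            return "block"
        return "accept"


def parse_line(line: str) -> Tuple[float, str, str]:
    """Constructed format: '<seconds> imsi=<IMSI> proc=<PROCEDURE>'."""
    ts, imsi_kv, proc_kv = line.split()
    return float(ts), imsi_kv.split("=", 1)[1], proc_kv.split("=", 1)[1]


# Constructed sample: one well-behaved UE and one UE cycling attach/detach.
SAMPLE_LOG = [
    "0.0 imsi=001010000000001 proc=ATTACH_REQUEST",
    "1.0 imsi=001010000000002 proc=ATTACH_REQUEST",
    "2.0 imsi=001010000000002 proc=DETACH_REQUEST",
    "3.0 imsi=001010000000002 proc=ATTACH_REQUEST",
    "4.0 imsi=001010000000002 proc=DETACH_REQUEST",
    "5.0 imsi=001010000000002 proc=ATTACH_REQUEST",
    "6.0 imsi=001010000000002 proc=DETACH_REQUEST",
    "7.0 imsi=001010000000002 proc=ATTACH_REQUEST",
    "50.0 imsi=001010000000001 proc=DETACH_REQUEST",
]


def run(lines: List[str]) -> Dict[str, List[str]]:
    """Replay log lines through the guard; return the verdict list per IMSI."""
    guard = SignallingGuard()
    verdicts: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        ts, imsi, procedure = parse_line(line)
        verdicts[imsi].append(guard.observe(ts, imsi, procedure))
    return dict(verdicts)


if __name__ == "__main__":
    for imsi, result in run(SAMPLE_LOG).items():
        print(imsi, result)
```

Rejecting at the NAS layer is the cheap preventive action; a real MME would also age out the block, report the IMSI and count per eNB, since a flood from many compromised UEs behind one cell is not caught by a per-IMSI counter alone.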
OAM based Attacks
R4. Software package integrity and anti-virus [6]
Proper steps need to be followed to mitigate any threats to the MME caused by software package integrity and anti-virus updates:
• Protect software package/patch integrity by using appropriate mechanisms (e.g. hash based checks to detect tampering, digital signatures to authenticate the source, etc.).
• Scan the packages/updates using multiple anti-virus scanners and maintain logs of the scans.
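An added example, not the report's or any vendor's code, of an install gate following R4: the package hash recorded in a manifest detects tampering, the manifest itself is authenticated so that an attacker who alters the package cannot simply recompute the hash, and the results of several anti-virus scanners are logged alongside the decision. One stand-in is used: source authentication here is HMAC-SHA256 with a shared key, because that needs only the standard library; the report calls for digital signatures, and a deployment would verify a public-key signature against the vendor's certificate instead. The package bytes, key, manifest and scanner results are constructed.

```python
"""Integrity and source check of a software package before installation (added example).

Constructed assumptions: the manifest layout, the HMAC stand-in for a digital
signature, and the package/key/scanner values used in the usage section.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    """Stable serialisation so publisher and verifier authenticate the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(name: str, version: str, package: bytes, key: bytes) -> dict:
    """Publisher side: record the package hash and authenticate the record."""
    body = {"name": name, "version": version, "sha256": sha256_hex(package)}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "auth": tag}


def verify_package(manifest: dict, package: bytes, key: bytes) -> Tuple[bool, str]:
    """MME side: check source authentication first, then package integrity."""
    body = manifest["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest["auth"])):
        return False, "manifest authentication failed: untrusted source"
    if not hmac.compare_digest(body["sha256"], sha256_hex(package)):
        return False, "package hash mismatch: package tampered or corrupted"
    return True, "ok"


def install_gate(manifest: dict, package: bytes, key: bytes,
                 scan_results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Combine the integrity check with the per-scanner verdicts (True = clean).
    Returns the install decision and the log lines to be retained."""
    log: List[str] = []
    ok, reason = verify_package(manifest, package, key)
    log.append(f"integrity: {reason}")
    for scanner, clean in scan_results.items():
        log.append(f"scan {scanner}: {'clean' if clean else 'DETECTION'}")
    decision = ok and all(scan_results.values())
    log.append("decision: install" if decision else "decision: reject")
    return decision, log


if __name__ == "__main__":
    pkg = b"mme-core 4.2.0 package bytes (constructed)"
    key = b"constructed-shared-key"
    manifest = build_manifest("mme-core", "4.2.0", pkg, key)
    decision, log = install_gate(manifest, pkg, key, {"av-a": True, "av-b": True})
    print("\n".join(log))
    print(install_gate(manifest, pkg + b"\x90", key, {"av-a": True, "av-b": True})[1][0])
```

The order of checks matters: the authentication tag is checked before the hash, so a manifest an attacker rewrote to match a tampered package is rejected as untrusted rather than accepted as consistent.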
R5. MME management and maintenance interface [7]
Some steps required to protect the management console are:
• Mutual authentication between the MME and other network entities communicating over the network.
• All communication between the MME and other network elements will use TLS (Transport Layer Security) for authentication and will be carried over the secure tunnel it establishes.
• Use access control mechanisms to limit MME access to selected users and terminals.
R6. User account and password management [8]
The various security requirements identified to secure the MME user accounts are as follows:
• A consistent security policy for user accounts and password management
• Password management policy (e.g. initial forced password modification, password strength level, password characters permitted, duration until password change, salting of password hashes, etc.)
• Password lock-out policy (maximum number of login attempts, duration till next attempt, timeout, etc.)
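An added example, not from GISFI TR SP.108 or any MME product, that turns the R6 items into checkable code: forced change of the initial password, a password strength rule, salted PBKDF2 password hashes (so cleartext is never stored, as R2 also asks), a maximum password age and a lock-out after repeated failed logins, which addresses the brute-force and default-password threats of T6. All policy numbers, the default-password blocklist and the sample account are constructed.

```python
"""Account and password policy for MME operator accounts (added example).

Constructed assumptions: every policy value below, the KNOWN_DEFAULTS list
and the sample account used in the usage section.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy values.
MIN_LENGTH = 12
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900
MAX_AGE_SECONDS = 90 * 24 * 3600
PBKDF2_ITERATIONS = 100_000
KNOWN_DEFAULTS = {"admin", "password", "mme123", "welcome1"}  # constructed blocklist


def check_strength(password: str) -> List[str]:
    """Return the list of policy violations (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, label in (("[a-z]", "lowercase"), ("[A-Z]", "uppercase"),
                           ("[0-9]", "digit"), ("[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, password):
            problems.append(f"missing {label} character")
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("well-known default password")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt for every new password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    user: str
    salt: bytes
    pw_hash: bytes
    changed_at: float
    must_change: bool = True   # the initial password must be replaced at first login
    failed: int = 0
    locked_until: float = 0.0


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, user: str, initial_password: str, now: float) -> Account:
        problems = check_strength(initial_password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(initial_password)
        acct = Account(user, salt, digest, now)
        self.accounts[user] = acct
        return acct

    def _matches(self, acct: Account, password: str) -> bool:
        _, digest = hash_password(password, acct.salt)
        return hmac.compare_digest(digest, acct.pw_hash)

    def login(self, user: str, password: str, now: float) -> str:
        """One of: no_such_user, locked, bad_password, change_required, ok."""
        acct = self.accounts.get(user)
        if acct is None:
            return "no_such_user"
        if now < acct.locked_until:
            return "locked"
        if not self._matches(acct, password):
            acct.failed += 1
            if acct.failed >= MAX_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed = 0
                return "locked"
            return "bad_password"
        acct.failed = 0
        if acct.must_change or now - acct.changed_at > MAX_AGE_SECONDS:
            return "change_required"
        return "ok"

    def change_password(self, user: str, old: str, new: str, now: float) -> List[str]:
        """Return violations; an empty list means the password was changed."""
        acct = self.accounts[user]
        if not self._matches(acct, old):
            return ["current password incorrect"]
        problems = check_strength(new)
        if old == new:
            problems.append("new password equals the old one")
        if problems:
            return problems
        acct.salt, acct.pw_hash = hash_password(new)
        acct.changed_at = now
        acct.must_change = False
        return []


if __name__ == "__main__":
    store = AccountStore()
    store.create("ops1", "Welcome-2014!!", now=0.0)   # constructed initial password
    print(store.login("ops1", "Welcome-2014!!", now=1.0))  # change_required
    print(store.change_password("ops1", "Welcome-2014!!", "Tr0ub4dour-Strong-Key", now=2.0))
    print(store.login("ops1", "Tr0ub4dour-Strong-Key", now=3.0))  # ok
```

The lock-out counter is reset when the lock is applied, so an attacker cannot keep an account permanently locked with one failure per window once it expires; the operator still sees the lock event in the audit trail.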
Annex A: Heading levels in an annex
Annex B: Change history
Date        TSG #   TSG Doc.   CR   Rev   Subject/Comment   Old   New
2014-28-05                                Initial Draft     -