Home  >  Research  >  Penetration Testing 4G/LT…

Penetration Testing 4G/LTE Signalling Protocols

Written By: Adam Greenhill

Modern city aerial view and 4G communication network concep

The world is transitioning to fifth generation (5G) telecommunications. 5G will revolutionize how humans will interface with the world around them and each other, and bring exceptionally high bandwidth, blazing fast speeds, and latencies of mere milliseconds. As detailed in the previous blog post, with all 5G’s technological improvements comes the potential for security flaws as well.

The biggest issue with 5G systems is their reliance on the previous generation’s cellular technologies. 5G has been designed in a modular fashion to provide telecommunications operators with the means for an easy transition from their existing 4G/LTE systems to 5G. Therefore, carriers can offer the benefits of 5G while still relying on 4G/LTE components. Depending on how carriers transition, the vulnerabilities that affect 4G/LTE systems will impact their networks for many years to come. 

4G/LTE systems are affected by several vulnerabilities inherent in the protocol stack. Depending on how the system is implemented by a carrier, how devices connect to a network, how device data is managed as it flows through a network, and how carriers themselves interact with each other in a network may leave the system vulnerable. The goal of this blog post is to focus on some of the vulnerabilities in a 4G/LTE network’s data flow.

4G vs 4G LTE

Defined by the ITU Radiocommunication sector (ITU-R) in March 2008, the fourth generation (4G) of cellular standards was released. It detailed how faster communication speeds and greater security could be achieved. 4G Long Term Evolution (LTE), commonly referred to as just LTE, is built with the same underlying technologies as 4G and offers the same functionalities. The difference is speed. 4G was designed as an ideal standard with a capacity beyond what phones and carriers would require (and would be extremely expensive to reach). LTE was defined as a standard that offers a capability close to 4G.

LTE Network Architecture

At a high level, LTE network architecture is composed of three main components:

  • User Equipment (UE): These devices wirelessly connect to the LTE network
  • The Evolved UMTS Terrestrial Radio Access Network (E-UTRAN): This is the bridge between wireless devices and the EPC network
  • The Evolved Packet Core (EPC): This network routes voice and data from one geographical location to another
Figure 1 High level overview of an LTE network

User Equipment (UE)

Any device that connects to an LTE network is categorized as user equipment (UE). These devices include the latest Pixel phone, a Tesla Roadster, or even an automated-teller machine’s (ATM) internal intrusion-detection hardware. Each of these devices contain the following modules:

  1. Mobile Termination (MT): This module handles communication functions
  2. Terminal Equipment (TE): This component manages data streams
  3. Universal Integrated Circuit Card (UICC): This is the SIM card for LTE networks. It runs an application called the Universal Subscriber Identity Module (USIM). The USIM stores user data like their phone number, home network identity, network keys, etc.

Evolved UMTS Terrestrial Radio Access Network (E-UTRAN)

The E-UTRAN consists of several base stations called E-UTRAN Node Bs (also known as eNode Bs or eNBs). In layman’s terms, base stations are radio towers that act as an intermediary between the UE and evolved packet core (EPC). The communication between them is bi-directional. To facilitate this communication, eNode Bs manage the full lifecycle from authenticating UEs, managing performance (such as handing off a user to an eNodeB closer to them), and more.

Evolved Packet Core (EPC)

The EPC is responsible for the core network in LTE networks. Unlike 2G and 3G networks, which have separate subsystems for packet-switched data (like Internet traffic) and circuit-switched data (like voice/SMS), the EPC carries both types of data over Internet protocol packets. The EPC comprises five main components:

  1. Mobility Management Entity (MME): The MME is responsible for the authentication and management of UEs in the network. A device can send and receive data on an LTE network because they were granted a session from an MME.
  2. Home Subscriber Server (HSS): After users are authenticated to the network, their information is stored in the HSS. In addition to authentication information, basic user data like the user’s International Mobile Subscriber identity (IMSI) and user profile information are stored here. The HSS component also manages identity keys to secure users’ data while in transit.
  3. Serving Gateway (S-GW): This component routes data from base stations to the P-GW for transmission out of the current EPC
  4. PDN Gateway (P-GW): The PDN gateway sends data to and receives data from external networks. This component is also where lawful interception of data is performed.
  5. Policy and Charging Rules Function (PCRF): The PCRF manages policy in the EPC. These policies affect how data is prioritized and managed. For example, the PCRF can prioritize emergency communications over regular data.

External Networks (EN)

External networks can include other LTE networks or even networks from previous generations of cellular technologies (e.g. 3G and 2G networks). Another external network could be a packet data network (PDN), such as the Internet.

Attacking 4G/LTE: A Look at Internal Vulnerabilities

There are several well-known 4G hacks that target each of the main LTE components, but the main focus of this article is related to the internal vulnerabilities (i.e. issues within the eNodeBs and Evolved Packet Core and the communication between them). These areas have issues inherent to their design (e.g. authentication parameters that can be easily brute forced). Internal protocols can be configured without confidentiality or integrity protections. These issues invite a number of different attack scenarios, like on-path attacks that result in eavesdropping or the modification of data, fraudulent activity going undetected, the denial-of-service, and much more.

Several open-source projects are available to enumerate and exploit vulnerabilities that affect LTE:

To install all of these tools in a Debian/Ubuntu environment, execute the following commands:

git clone https://github.com/AdamGreenhill/LTE-attack-tools
cd LTE-attack-tools/installer
sudo bash install.sh

The tools have also been built into a Docker container that can be deployed in Dockerized networks. The Dockerfile can be found at https://github.com/AdamGreenhill/LTE-attack-tools. The following commands can be used to build the container:

git clone https://github.com/AdamGreenhill/LTE-attack-tools
cd LTE-attack-tools/docker
sudo docker build -t lte-attack .

Building a Lab to Test Security Issues in 4G

To start pentesting LTE signalling protocols, a lab needs to be built. The lab needs to be able to emulate all three components of LTE and perform the necessary actions that emulate real users in a real telecommunications ecosystem. Recently, I attempted to create a fully simulated stack but was met with unresolvable issues. Instead, I created two separate labs that each emulate different parts of the LTE stack.

The first simulation is a fully working EPC. The EPC build is orchestrated with Kubernetes and leverages the open-source Open5GS software to emulate components (like the MME, HSS, etc.) of the environment. The second simulation emulates a full network stack from UE to the EPC and uses the open source srsLTE framework within Docker containers. The main difference between simulations is that the first works with the Diameter protocols whereas the second only deals with the GTP protocol.

Lab #1 – Open5GS

The setup instructions below (and subsequent build script) were derived from Christopher Adigun’s blog post (“Virtual 4G Simulation Using kubernetes And GNS3” (https://dev.to/infinitydon/virtual-4g-simulation-using-kubernetes-and-gns3-3b7k)) and were executed on a fresh installation of Ubuntu 18.04 Desktop running on VMWare Workstation. If these steps are attempted on other operating systems, there may be issues with certain parts of the build. 

Two methods of the setup follow:

  • Automated Installation: This shell script automates the installation in updated Ubuntu environments. The script has not been tested on relatives of Ubuntu (such as Debian) but is expected to work there.
  • Manual Installation: The full setup instructions are described in detail

Automated Installation

Before running the code, make sure that the operating system is up-to-date by running

sudo apt-get update
sudo apt-get upgrade

Restart the machine once the operating system is fully updated with

sudo reboot

If you’re feeling lucky, download and execute the following shell script with a fully updated machine (but please note that the full setup could take between thirty minutes to an hour):

wget https://gist.githubusercontent.com/AdamGreenhill/e1536cfb1b00da0e308df27a746f7f4f/raw/caa76af2bca67c6d856c01c77852a1b6a0324a7b/lte_attack_tools_installer.shsudo -O ./lte-lab-install.sh
sudo bash ./lte-lab-install.sh

Next, proceed to the Configuration section below.

Manual Installation

Installing the lab manually requires several different steps. To start, make sure the operating system is updated. Execute the following commands to do so:

sudo apt-get update 
sudo apt-get upgrade

After updating, restart the machine to ensure everything is setup properly with

sudo reboot

The first piece of software that needs to be installed is Docker. Docker is the container technology managed by Kubernetes. To install Docker, execute the following:

sudo apt-get remove -y docker docker-engine docker.io containerd runc
sudo apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository  "deb [arch=amd64] https://download.docker.com/linux/ubuntu  $(lsb_release -cs)  stable"
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io

Next, install Kubernetes and Calico. These tools will be used to manage the container ecosystem. To install them, execute the following:

curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
cat <<EOF | sudo tee /etc/apt/sources.list.d/kubernetes.list
deb https://apt.kubernetes.io/ kubernetes-xenial main
EOF
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl
sudo swapoff -a 
sudo kubeadm init --pod-network-cidr=192.168.0.0/16
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
kubectl create -f https://docs.projectcalico.org/manifests/tigera-operator.yaml
kubectl create -f https://docs.projectcalico.org/manifests/custom-resources.yaml
sleep 60
kubectl taint nodes --all node-role.kubernetes.io/master-

After Kubernetes has been set up, download the 4G-LTE lab configuration files, and execute Kubernetes against them to build the lab. The sleep commands are to ensure that the containers have been built before proceeding. This part of the setup can be done by executing the following:

git clone https://bitbucket.org/infinitydon/virtual-4g-simulator/
cd virtual-4g-simulator/open5gs
kubectl create ns open5gs
kubectl apply -f hss-database/
sleep 120
kubectl apply -f hss/
kubectl apply -f mme/
kubectl apply -f sgw/
kubectl apply -f pgw/
kubectl apply -f pcrf/
kubectl apply -f web-ui/
sleep 120

To check and make sure everything is running properly, execute the following command:

kubectl -n open5gs get po -o wide

After all of that, the compilation is next. This stage is by far the most time-consuming part and could take between thirty minutes to an hour. Compiling the UE and E-UTRAN can be performed with the following:

cd ../..
git clone https://gitlab.eurecom.fr/oai/openairinterface5g
cd openairinterface5g
export OPENAIR_HOME="`pwd`"
git checkout v1.2.1
cd cmake_targets
./build_oai --eNB --UE -c -I 

After the build, all tools will have been compiled, and tests executed without error.

Next, proceed to the Configuration section.

Configuration

The final configuration step for this lab is adding a subscriber. To do so, find the IP address of the Web UI by executing the following:

kubectl -n open5gs get service

Navigate to the URL (in this case was http://10.107.32.221), and log in to the portal with the following default credentials:

  • Username: admin
  • Password: 1423

To configure a subscriber (a device that uses the environment), perform the following actions:

  1. Click “ADD A SUBSCRIBER”
  2. Enter the following values:
    1. IMSI: 208930100001111
    2. Subscriber Key (K): 8baf473f2f8fd09487cccbd7097c6862
    3. Operator Key (OPc): e734f8734007d6c5ce7a0508809e7e9c
    4. Everything else can be left as the default.
  3. Click “Save”

Done

Now, the Kubernetes command-line executable (kubectl) can be leveraged to execute commands in the environment.

Lab #2 – srsLTE

The second lab is a Dockerized instance of srsLTE. This lab is based on Philipp Gorczak’s srslte-docker-emulated project (https://github.com/pgorczak/srslte-docker-emulated) with the addition of a Dockerized container with the tools discussed in the Attacking 4G/LTE section above. The Detailed Installation section below consists of more in-depth instructions for executing the following high-level steps:

  1. Install Docker and Docker-Compose
  2. Download the project files: https://github.com/AdamGreenhill/srslte-docker-emulated
  3. Build the environment: cd ./srslte-docker-emulated/; docker-compose up
  4. Done!

Detailed Installation

The following installation instructions were executed on a fresh installation of Ubuntu 18.04 hosted in a VMWare virtual machine. To start, make sure the operating system is updated. 

Execute the following commands to do this:

sudo apt-get update 
sudo apt-get upgrade

After updating, restart the machine to ensure everything is setup properly with

sudo reboot

The first piece of software that needs to be installed is Docker. Docker is the container technology managed by Kubernetes. To install Docker, execute the following:

sudo apt-get remove -y docker docker-engine docker.io containerd runc
sudo apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository  "deb [arch=amd64] https://download.docker.com/linux/ubuntu  $(lsb_release -cs)  stable"
sudo apt-get update
sudo apt-get install -y git docker-ce docker-ce-cli containerd.io

Next, install Docker-Compose. This can be done with the following commands:

sudo curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version

Finally, download the updated build scripts, and execute Docker-Compose against them to bring up the environment:

git https://github.com/AdamGreenhill/srslte-docker-emulated
cd srslte-docker-emulated
docker-compose up

Now the Docker command-line executable (docker) can be leveraged to execute commands in the environment.

Conclusion

This article walked you through what 4G and LTE networks are, then dove into their vulnerabilities. Following that, open-source attack tools were detailed with instructions on how to set up labs to test them in. Ultimately, this article demonstrates that as 5G technologies are rolling out across the world, telecommunication ecosystems will remain vulnerable to attacks and 4G hacking due to the legacy protocols and solutions that are relied upon.

Abbreviations

  • 1G – first generation of wireless cellular technologies
  • 2G – second generation of wireless cellular technologies
  • 3G – third generation of wireless cellular technologies
  • 4G – fourth generation of wireless cellular technologies
  • 5G – fifth generation of wireless cellular technologies
  • APN – Access Point Names
  • E-UTRAN – Evolved UMTS Terrestrial Radio Access Network
  • eNB – E-UTRAN Node B
  • eNode B – E-UTRAN Node B
  • EPC – Evolved Packet Core
  • GSM – Global System for Mobile Communications
  • GTP – GPRS Tunnelling Protocol
  • HSS – Home Subscriber Server
  • IMSI – International Mobile Subscriber Identity
  • ITU-R – ITU Radiocommunication Sector
  • LTE – Long Term Evolution
  • ME – Mobile Termination
  • MME – Mobility Management Entity
  • P-GW – PDN Gateway
  • PCRF – Policy and Charging Rules Function
  • PDN – Packet Data Network
  • S-GW – Serving Gateway
  • SIM – Subscriber Identity Module
  • SIP – Session Initiation Protocol
  • SMS – Short Message Service
  • SS7 – Signalling System No. 7
  • TE – Terminal Equipment
  • UE – User Equipment
  • UICC – Universal Integrated Circuit Card
  • USIM – Universal Subscriber Identity Module

References

1. Positive Technologies, “Threats to Packet Core Security,” 01 09 2017. [Online]. Available: https://www.gsma.com/membership/wp-content/uploads/2017/09/Positive-Technologies-White-Paper.pdf. [Accessed 01 02 2021].
2. J. Geovedi and D. Mende, “HITB Labs: Practical Attacks Against 3G/$G Telecommunication Networks,” ERNW, 10 10 2011. [Online]. Available: https://conference.hitb.org/hitbsecconf2011kul/materials/D2%20LABS%20-%20Daniel%20Mende%20and%20Jim%20Geovedi%20-%20Practical%203G-4G%20Attacks.pdf. [Accessed 01 02 2021].
3. P. Gorczak, “srslte-docker-emulated,” 3 12 2018. [Online]. Available: https://github.com/pgorczak/srslte-docker-emulated. [Accessed 1 02 2021].
C. Adigun, “Virtual 4G Simulation Using kubernetes And GNS3,” dev.io, 16 02 2020. [Online]. Available: https://dev.to/infinitydon/virtual-4g-simulation-using-kubernetes-and-gns3-3b7k. [Accessed 01 02 2021].

4. C. Adigun, “Virtual 4G Simulation Using kubernetes And GNS3,” dev.io, 16 02 2020. [Online]. Available: https://dev.to/infinitydon/virtual-4g-simulation-using-kubernetes-and-gns3-3b7k. [Accessed 01 02 2021].
5. D. Mende, “GTP_SCAN released,” Insinuator, 1 03 2011. [Online]. Available: https://insinuator.net/2011/03/gtp_scan-released/. [Accessed 01 02 2021].
6. R. D’Alessandro and I. D. Grande, “SigPloit,” 18 07 2018. [Online]. Available: https://github.com/SigPloiter/SigPloit. [Accessed 01 02 2021].
7. D. Mende, “Week of releases – apnbf,” Insinuator, 14 07 2011. [Online]. Available: https://insinuator.net/tag/apnbf/. [Accessed 01 02 2021].
8. D. Mende, “New Tool: s1ap_enum,” 25 06 2014. [Online]. Available: https://insinuator.net/2014/06/new-tool-s1ap_enum/. [Accessed 01 02 2021].
9. D. Mende and nschiess, “diameter_enum,” 06 09 2018. [Online]. Available: https://github.com/ernw/diameter_enum. [Accessed 01 02 2021].
10. D. Mende, “Pytacle alpha1 released!,” 31 10 2912. [Online]. Available: https://insinuator.net/2012/10/pytacle-alpha1-released/. [Accessed 01 02 2021].
11. D. Mende, “dizzy,” 25 07 2018. [Online]. Available: https://github.com/ernw/dizzy. [Accessed 01 02 2021].

Advisory Labs

Adam Greenhill
Principal Security Consultant
Adam Greenhill
As a Principal Security Consultant at Security Compass, Adam regularly applies his expertise to a diverse array of network, web, and mobile security assessments. His research in IoT, 5G, and other emerging technologies continues to contribute to a world in which we can all trust technology.

More Articles by Security Compass Advisory

Other Articles about Topic

Stay Up To Date

Get the latest cybersecurity news and updates delivered straight to your inbox.
Sign up today.