The world is transitioning to fifth generation (5G) telecommunications. 5G will revolutionize how humans will interface with the world around them and each other, and bring exceptionally high bandwidth, blazing fast speeds, and latencies of mere milliseconds. As detailed in the previous blog post, with all 5G’s technological improvements comes the potential for security flaws as well.
The biggest issue with 5G systems is their reliance on the previous generation’s cellular technologies. 5G has been designed in a modular fashion to provide telecommunications operators with the means for an easy transition from their existing 4G/LTE systems to 5G. Therefore, carriers can offer the benefits of 5G while still relying on 4G/LTE components. Depending on how carriers transition, the vulnerabilities that affect 4G/LTE systems will impact their networks for many years to come.
4G/LTE systems are affected by several vulnerabilities inherent in the protocol stack. How a carrier implements the system, how devices connect to the network, how device data is managed as it flows through the network, and how carriers interact with each other may all leave the system vulnerable. The goal of this blog post is to focus on some of the vulnerabilities in a 4G/LTE network’s data flow.
4G vs 4G LTE
The fourth generation (4G) of cellular standards was defined and released by the ITU Radiocommunication Sector (ITU-R) in March 2008. It detailed how faster communication speeds and greater security could be achieved. 4G Long Term Evolution (LTE), commonly referred to as just LTE, is built with the same underlying technologies as 4G and offers the same functionalities. The difference is speed. 4G was designed as an ideal standard with a capacity beyond what phones and carriers would require (and would be extremely expensive to reach). LTE was defined as a standard that offers a capability close to 4G.
LTE Network Architecture
At a high level, LTE network architecture is composed of three main components:
User Equipment (UE): These devices wirelessly connect to the LTE network
The Evolved UMTS Terrestrial Radio Access Network (E-UTRAN): This is the bridge between wireless devices and the EPC network
The Evolved Packet Core (EPC): This network routes voice and data from one geographical location to another
User Equipment (UE)
Any device that connects to an LTE network is categorized as user equipment (UE). These devices include the latest Pixel phone, a Tesla Roadster, or even an automated-teller machine’s (ATM) internal intrusion-detection hardware. Each of these devices contains the following modules:
Mobile Termination (MT): This module handles communication functions
Terminal Equipment (TE): This component manages data streams
Universal Integrated Circuit Card (UICC): This is the SIM card for LTE networks. It runs an application called the Universal Subscriber Identity Module (USIM). The USIM stores user data like their phone number, home network identity, network keys, etc.
Evolved UMTS Terrestrial Radio Access Network (E-UTRAN)
The E-UTRAN consists of several base stations called E-UTRAN Node Bs (also known as eNode Bs or eNBs). In layman’s terms, base stations are radio towers that act as an intermediary between the UE and the evolved packet core (EPC). The communication between them is bi-directional. To facilitate this communication, eNode Bs manage the full lifecycle of a connection: authenticating UEs, managing performance (such as handing a user off to an eNodeB closer to them), and more.
Evolved Packet Core (EPC)
The EPC is responsible for the core network in LTE networks. Unlike 2G and 3G networks, which have separate subsystems for packet-switched data (like Internet traffic) and circuit-switched data (like voice/SMS), the EPC carries both types of data over Internet protocol packets. The EPC comprises five main components:
Mobility Management Entity (MME): The MME is responsible for the authentication and management of UEs in the network. A device can send and receive data on an LTE network only because it was granted a session by an MME.
Home Subscriber Server (HSS): After users are authenticated to the network, their information is stored in the HSS. In addition to authentication information, basic user data like the user’s International Mobile Subscriber Identity (IMSI) and user profile information are stored here. The HSS component also manages identity keys to secure users’ data while in transit.
Serving Gateway (S-GW): This component routes data from base stations to the P-GW for transmission out of the current EPC
PDN Gateway (P-GW): The PDN gateway sends data to and receives data from external networks. This component is also where lawful interception of data is performed.
Policy and Charging Rules Function (PCRF): The PCRF manages policy in the EPC. These policies affect how data is prioritized and managed. For example, the PCRF can prioritize emergency communications over regular data.
External Networks (EN)
External networks can include other LTE networks or even networks from previous generations of cellular technologies (e.g. 3G and 2G networks). Another external network could be a packet data network (PDN), such as the Internet.
Attacking 4G/LTE: A Look at Internal Vulnerabilities
There are several well-known 4G hacks that target each of the main LTE components, but the main focus of this article is the internal vulnerabilities (i.e. issues within the eNodeBs and the Evolved Packet Core and the communication between them). These areas have issues inherent to their design (e.g. authentication parameters that can be easily brute forced). Internal protocols can be configured without confidentiality or integrity protections. These issues invite a number of different attack scenarios, like on-path attacks that result in eavesdropping or the modification of data, fraudulent activity going undetected, denial of service, and much more.
Several open-source projects are available to enumerate and exploit vulnerabilities that affect LTE:
To start pentesting LTE signalling protocols, a lab needs to be built. The lab needs to be able to emulate all three components of LTE and perform the necessary actions that emulate real users in a real telecommunications ecosystem. Recently, I attempted to create a fully simulated stack but was met with unresolvable issues. Instead, I created two separate labs that each emulate different parts of the LTE stack.
The first simulation is a fully working EPC. The EPC build is orchestrated with Kubernetes and leverages the open-source Open5GS software to emulate components (like the MME, HSS, etc.) of the environment. The second simulation emulates a full network stack from UE to the EPC and uses the open-source srsLTE framework within Docker containers. The main difference between the simulations is that the first works with the Diameter protocol whereas the second only deals with the GTP protocol.
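GTP is the tunnelling protocol that carries user traffic between the eNodeB, S-GW and P-GW in both labs, and it is one of the internal protocols the article describes as running without confidentiality or integrity protection: the GTP-U header has no authentication or integrity field of its own. The following parser is an added example, not code from the article, Open5GS or srsLTE; the header layout follows 3GPP TS 29.281, and the three packets are constructed for illustration (one well-formed G-PDU, one Echo Request, one with an inconsistent length field of the kind a monitor on the S1-U/S5 interfaces should refuse).

```python
"""Parse and sanity-check a GTPv1-U header (3GPP TS 29.281).

Added example, not code from the article or from Open5GS/srsLTE. The packet
bytes below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# GTP-U message types defined in TS 29.281.
GTPU_MESSAGE_TYPES = {
    1: "Echo Request",
    2: "Echo Response",
    26: "Error Indication",
    31: "Supported Extension Headers Notification",
    254: "End Marker",
    255: "G-PDU",
}


@dataclass
class GtpUHeader:
    version: int
    message_type: int
    length: int        # octets following the 8-octet mandatory header
    teid: int
    sequence: Optional[int]
    npdu: Optional[int]
    header_len: int    # mandatory + optional fields + extension headers

    @property
    def message_name(self) -> str:
        return GTPU_MESSAGE_TYPES.get(self.message_type, f"unknown({self.message_type})")


def parse_gtpu(datagram: bytes) -> GtpUHeader:
    """Decode the header of one GTP-U datagram (the UDP payload on port 2152).

    Raises ValueError on anything a defender's monitor should refuse: wrong
    version, GTP' protocol type, truncated optional fields, or a length field
    inconsistent with the bytes actually received.
    """
    if len(datagram) < 8:
        raise ValueError("shorter than the 8-octet mandatory header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"unsupported GTP version {version}")
    if not flags & 0x10:                       # PT bit: 1 = GTP, 0 = GTP' (charging)
        raise ValueError("PT=0: GTP' charging protocol, not GTP-U")
    if length != len(datagram) - 8:
        raise ValueError(f"length field {length} but {len(datagram) - 8} octets follow the header")

    header_len = 8
    sequence = npdu = None
    next_ext = 0
    # If any of E, S or PN is set, all three optional fields are present on the wire.
    if flags & 0x07:
        if len(datagram) < 12:
            raise ValueError("optional fields flagged but missing")
        sequence, npdu, next_ext = struct.unpack("!HBB", datagram[8:12])
        header_len = 12
        if not flags & 0x02:
            sequence = None                    # S clear: field present but not meaningful
        if not flags & 0x01:
            npdu = None                        # PN clear: same for the N-PDU number
    # Walk extension headers: each is (length in 4-octet units, content, next type).
    while next_ext:
        if header_len >= len(datagram):
            raise ValueError("extension header chain runs past the datagram")
        ext_len = datagram[header_len] * 4
        if ext_len == 0 or header_len + ext_len > len(datagram):
            raise ValueError("malformed extension header length")
        next_ext = datagram[header_len + ext_len - 1]
        header_len += ext_len
    return GtpUHeader(version, msg_type, length, teid, sequence, npdu, header_len)


def gtpu_payload(datagram: bytes) -> bytes:
    """Return the tunnelled inner packet (empty for signalling messages)."""
    return datagram[parse_gtpu(datagram).header_len:]


# Constructed samples. G-PDU: flags 0x30 (v1, PT=1, no options), type 255,
# length 4, TEID 0x12345678, then a 4-byte stand-in for the inner IP packet.
SAMPLE_GPDU = bytes.fromhex("30ff0004" "12345678" "deadbeef")
# Echo Request with S set: flags 0x32, type 1, length 4, TEID 0, seq 1, N-PDU 0, no ext.
SAMPLE_ECHO = bytes.fromhex("32010004" "00000000" "00010000")
# Malformed: the length field claims 100 octets follow but only 4 do.
SAMPLE_BAD_LENGTH = bytes.fromhex("30ff0064" "12345678" "deadbeef")

if __name__ == "__main__":
    for name, pkt in [("G-PDU", SAMPLE_GPDU), ("Echo", SAMPLE_ECHO), ("bad", SAMPLE_BAD_LENGTH)]:
        try:
            h = parse_gtpu(pkt)
            print(f"{name}: {h.message_name} TEID=0x{h.teid:08x} payload={gtpu_payload(pkt).hex()}")
        except ValueError as err:
            print(f"{name}: rejected ({err})")
```

Everything the parser checks is structural; nothing in the header proves who sent the datagram or that the TEID belongs to the session it claims, which is why the operator-side protections for these interfaces have to come from the transport (for example IPsec between the eNodeB and the core) rather than from GTP itself.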
Lab #1 – Open5GS
The setup instructions below (and the subsequent build script) were derived from Christopher Adigun’s blog post “Virtual 4G Simulation Using kubernetes And GNS3” (https://dev.to/infinitydon/virtual-4g-simulation-using-kubernetes-and-gns3-3b7k) and were executed on a fresh installation of Ubuntu 18.04 Desktop running on VMware Workstation. If these steps are attempted on other operating systems, there may be issues with certain parts of the build.
Two methods of the setup follow:
Automated Installation: This shell script automates the installation in updated Ubuntu environments. The script has not been tested on relatives of Ubuntu (such as Debian) but is expected to work there.
Manual Installation: The full setup instructions are described in detail
Before running the code, make sure that the operating system is up-to-date by running
sudo apt-get update
sudo apt-get upgrade
Restart the machine once the operating system is fully updated with
If you’re feeling lucky, download and execute the following shell script with a fully updated machine (but please note that the full setup could take between thirty minutes to an hour):
After Kubernetes has been set up, download the 4G-LTE lab configuration files, and execute Kubernetes against them to build the lab. The sleep commands are to ensure that the containers have been built before proceeding. This part of the setup can be done by executing the following:
To check and make sure everything is running properly, execute the following command:
kubectl -n open5gs get po -o wide
After that, compilation is next. This stage is by far the most time-consuming part and could take between thirty minutes and an hour. The UE and E-UTRAN can be compiled with the following (the build script lives in the repository’s cmake_targets directory, so change into it before running it):
git clone https://gitlab.eurecom.fr/oai/openairinterface5g
cd openairinterface5g
git checkout v1.2.1
cd cmake_targets
./build_oai --eNB --UE -c -I
After the build, all tools will have been compiled, and tests executed without error.
Next, proceed to the Configuration section.
The final configuration step for this lab is adding a subscriber. To do so, find the IP address of the Web UI by executing the following:
kubectl -n open5gs get service
Navigate to the URL (in this case, http://10.107.32.221) and log in to the portal with the following default credentials:
To configure a subscriber (a device that uses the environment), perform the following actions:
Now, the Kubernetes command-line executable (kubectl) can be leveraged to execute commands in the environment.
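Two of the manual steps above, confirming that every pod in the open5gs namespace is running (the check after the sleep commands) and finding the Web UI address from the service list, can be turned into one script that parses the kubectl output instead of relying on fixed sleeps. The code below is an added example, not part of the article or of Open5GS; it assumes the namespace name open5gs shown in the article, the Web UI service name "webui" is an assumption to be checked against your own service list, and the two kubectl outputs embedded for the offline dry run are constructed samples, not real lab output.

```python
"""Readiness check for the Kubernetes-hosted Open5GS lab.

Added example, not from the original article. Parses `kubectl get po -o wide`
and `kubectl get service` output; the embedded samples are constructed.
"""
import subprocess
from typing import List

NAMESPACE = "open5gs"
WEBUI_SERVICE = "webui"  # assumed name; confirm with `kubectl -n open5gs get service`

# Constructed sample of `kubectl -n open5gs get po -o wide`, with one pod not ready yet.
SAMPLE_PODS = """\
NAME                  READY   STATUS              RESTARTS   AGE   IP            NODE   NOMINATED NODE   READINESS GATES
hss-5c8f7d9b6-abcde   1/1     Running             0          5m    10.244.0.12   lab    <none>           <none>
mme-7d4b9c8f5-fghij   1/1     Running             2          5m    10.244.0.13   lab    <none>           <none>
pgw-6b9f8d7c4-klmno   0/1     ContainerCreating   0          5m    <none>        lab    <none>           <none>
"""

# Constructed sample of `kubectl -n open5gs get service`.
SAMPLE_SERVICES = """\
NAME    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)      AGE
mme     ClusterIP   10.107.10.5     <none>        36412/SCTP   5m
webui   ClusterIP   10.107.32.221   <none>        80/TCP       5m
"""


def unready_pods(get_po_output: str) -> List[str]:
    """Return "name (ready status)" for every pod that is not fully ready.

    A pod counts as healthy only when STATUS is Running and READY reads n/n;
    Pending, ContainerCreating, CrashLoopBackOff or 0/1 Running are all reported.
    """
    problems = []
    for line in get_po_output.splitlines()[1:]:     # first line is the column header
        cols = line.split()
        if len(cols) < 3:
            continue
        name, ready, status = cols[0], cols[1], cols[2]
        have, _, want = ready.partition("/")
        if status != "Running" or have != want:
            problems.append(f"{name} ({ready} {status})")
    return problems


def webui_url(get_service_output: str, service: str = WEBUI_SERVICE) -> str:
    """Build the Web UI URL from the service's CLUSTER-IP and its first port."""
    for line in get_service_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 5 and cols[0] == service:
            cluster_ip, ports = cols[2], cols[4]
            # "80/TCP" -> "80"; a NodePort shows as "80:30080/TCP", keep the service port
            port = ports.split(",")[0].split("/")[0].split(":")[0]
            return f"http://{cluster_ip}" if port == "80" else f"http://{cluster_ip}:{port}"
    raise LookupError(f"service {service!r} not found in namespace {NAMESPACE}")


def check_lab(get_po_output: str, get_service_output: str) -> str:
    """One-line verdict: either the pods still pending or the Web UI address."""
    pending = unready_pods(get_po_output)
    if pending:
        return "not ready: " + ", ".join(pending)
    return "ready; Web UI at " + webui_url(get_service_output)


def _kubectl(*args: str) -> str:
    """Run kubectl against the lab namespace and return its stdout."""
    return subprocess.run(["kubectl", "-n", NAMESPACE, *args],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline dry run on the constructed samples, then (if kubectl is present) the live lab.
    print(check_lab(SAMPLE_PODS, SAMPLE_SERVICES))
    try:
        print(check_lab(_kubectl("get", "po", "-o", "wide"), _kubectl("get", "service")))
    except (FileNotFoundError, subprocess.CalledProcessError) as err:
        print(f"live check skipped: {err}")
```

Looping on check_lab until it reports "ready" replaces the guesswork of the sleep commands in the build step; if you would rather not script it, kubectl’s own `kubectl -n open5gs wait --for=condition=Ready pod --all --timeout=600s` blocks until every pod in the namespace is ready.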
Lab #2 – srsLTE
The second lab is a Dockerized instance of srsLTE. This lab is based on Philipp Gorczak’s srslte-docker-emulated project (https://github.com/pgorczak/srslte-docker-emulated) with the addition of a Dockerized container with the tools discussed in the Attacking 4G/LTE section above. The Detailed Installation section below consists of more in-depth instructions for executing the following high-level steps:
Finally, download the updated build scripts, and execute Docker Compose against them to bring up the environment:
Now the Docker command-line executable (docker) can be leveraged to execute commands in the environment.
This article walked you through what 4G and LTE networks are, then dove into their vulnerabilities. Following that, open-source attack tools were detailed with instructions on how to set up labs to test them in. Ultimately, this article demonstrates that as 5G technologies are rolling out across the world, telecommunication ecosystems will remain vulnerable to attacks and 4G hacking due to the legacy protocols and solutions that are relied upon.
1G – first generation of wireless cellular technologies
2G – second generation of wireless cellular technologies
3G – third generation of wireless cellular technologies
4G – fourth generation of wireless cellular technologies
5G – fifth generation of wireless cellular technologies
APN – Access Point Names
E-UTRAN – Evolved UMTS Terrestrial Radio Access Network
As a Principal Security Consultant at Security Compass, Adam regularly applies his expertise to a diverse array of network, web, and mobile security assessments. His research in IoT, 5G, and other emerging technologies continues to contribute to a world in which we can all trust technology.