Presentation Title Attacking 3G and 4G Telecommunication Networks
In 2010 a number of practical high-profile attacks against GSM has been discussed and demonstrated. Still it should be noted that those only work against GSM (“2G”) which has been standardized in the early 90s. It was followed by the “3G” family of standards in 2000 which in turn are currently superseded (better: complemented) by yet another generation (“4G”). LTE (4G) which is expected to be “the next big thing in mobile telco business” has an all-IP network architecture that is much flatter than the earlier architectures’ ones.
In the so-called backhaul and core parts of 3G and 4G networks mainly one IP based protocol can be found, that is GTP [GPRS Tunneling Protocol]. Given that 3GPP standards mandate that GTP is either only used within one security domain (operator) or in case of roaming users should be secured by IPsec one should never be able to reach GTP speaking components from the Internet. Well, yes, one should not, but we show that reality is so often a bit different.
We will outline 3G and 4G architectures and associated attack paths, enriched by “anecdotes from the field” and – potentially more interesting results from some 3G/4G security testing “performed in the wild”. An attack classification based on the protocols involved and the attack originating networks (user equipment, other operators, Internet etc.) will be given. Lastly, we will discuss (and, of course, release) a GTP scanning tool that allows to identify entry points into mobile telecommunication networks. A number of demos will add some spice.
Note: Presenting with Daniel Mende (ERNW)
About Enno Rey and Daniel Mende
Daniel Mende and Enno Rey are long time network geeks who love to explore network devices & protocols and to break flawed ones.