HITB GSEC Singapore 2017: gsec.hitb.org/sg2017/

Diameter Security: An Auditor's Viewpoint

Sergey Mashukov

Fourth-generation mobile networks have shaped the way we communicate, and their popularity and deployment keep increasing every year. Almost all users of 4G networks are, perhaps without even knowing it, users of previous-generation networks as well. A mobile operator may, for example, provide only data transfer over LTE; making phone calls and exchanging SMS messages then requires temporarily falling back to the older networks (Circuit-Switched Fallback, CSFB). As a result, 4G subscribers remain exposed to the threats associated with previous-generation networks.

In our presentation and report, we will share our experience of conducting security audits for several different MNOs and discuss the difficulties we encountered in the process. We will also describe the successful test attacks we were able to perform in these environments. Some of these attacks have not been published previously.

We intend to focus on how Diameter, one of the main signaling protocols of 4G networks, can be subverted with the same attacks we previously described in our report on SS7 signaling protocol vulnerabilities in mobile networks. On every one of the Diameter-based 4G networks on which Positive Technologies performed security audits in 2016, we found vulnerabilities enabling attacks for locating users, intercepting SMS messages, causing denial of service, and performing other illegitimate actions. The attack techniques we will outline are either ones we have observed taking place or ones we discovered to be possible in the course of testing on the networks we work with. Although the community has not yet seen examples of Diameter attacks in the wild, we believe it is now possible to carry out all the same attacks that SS7 flaws allow, and worse.

We will also highlight previously undisclosed techniques that could allow DoS attacks directly against operator equipment, which could cause wide-scale network outages. This finding is particularly important given the central role such equipment is set to play in connecting everything from cars to industrial devices. Diameter is the chosen bedrock for the brave new connected world; however, it appears that vulnerabilities similar to those that have existed in SS7 for many years still provide attackers with too many opportunities.

About Sergey Mashukov

Sergey is a telecom security specialist whose main area of interest is Diameter security. He took part in the development and maintenance of a Diameter Base implementation for one of the most widely deployed telecom platforms in the world. He performs Diameter security audits for international MNOs and conducts research on the protocol's weaknesses.