Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Diameter SecurityProtecting the network in LTE

Travis RussellDirector, Cyber Security, Service Provider NetworksOracle CommunicationsOctober, 2015

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

• “Please send money – Visa problems down under”

All things are not what they seem

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Highly Restricted

Mobile privacy open to global cyber

snooping from 'SS7 protocol'

Hackers demo network-level call interceptionJanuary 05, 2015White-hat hackers at the 31st Chaos Computer Congress have demonstrated fundamental flaws in the underlying infrastructure of 2G and 3G mobile phone networks. The flaws allow attackers to covertly track the location of a phone number as well as intercept calls and SMS - all at the network level.

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

The News Is Sensational!

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

The Issue is the Business of Interconnect

• Telecom networks are not designed with access control in mind–Signaling networks are only connected

with other “trusted” networks

–Signaling networks are secured through business arrangements rather than firewalls

6

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

What are the claims?

7

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

There are 5 claims being made

• The areas of focus have been around these 5 things:

– Location tracking

– Call intercept

– Subscriber Denial of Service

– Account fraud

– Sending SMS SPAM

• All of these areas utilize messages from the Mobile Application Part (MAP) to gain access and make modifications to subscriptions in network nodes

8

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

How do they get access?

• Researchers have admitted to paying for an interconnect

– And there are companies that are paying for SS7 access and in some cases reselling it

– There are several companies that offers discreet SS7 access to hundreds of networks

• At least one researcher advertises their own SS7 interconnect capability for “security audits”

9

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Some other security concerns

• The focus of the hacker community on telecom networks is increasing

– 2600 Magazine now featuring numerous articles on telecom technologies

• K. Singh, S. Sangal, N. Jain, P. Traynor and W.Lee, “Evaluating Bluetooth as a Medium for Botnet Command and Control,” July 2010.

• P. Traynor,M. Lin, M. Ongtang, V. Rao, T. Jaeger, T. La Portaand P. McDaniel, “On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core,” November 2009.

10

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

One such paper on using botnets“On Cellular Botnets: Measuring the Impact of Malicious Attacks”

• Devices on a Cellular Network Core– HLRs represent a chokepoint in the wireless network

– LTE outages have demonstrated the impact of HSS outages

• When combined with BOTNETs, a DDoS aimed at the HLR is a reality

• This paper (and the other related papers) all represent a continuing interest in wireless networks

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

• Stolen devices continue to plague the industry

• GSMA SG.24 Device Based Anti-Theft Feature Requirements

• Numerous applications for Apple, Android, Windows for disabling devices and locking data/content

• Does not solve the problem of selling devices for their parts

12

Stolen Devices

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

The GSMA maintains the IMEI database for the industry, and offers a variety of services, including Black Listing of stolen devices

• This allows services providers to connect their Equipment Identity Register (EIR) to the IMEI database for global visibility of stolen devices

• This is an effective network-based solution that mitigates the re-use of stolen equipment

13

GSMA IMEI DATABASE

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

The Interconnect Can Be SecuredOracle Communications Best Practices

14

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Don’t leave the door wide open• Restrict the access allowed for all

partner networks – do not give unlimited access

• Partner with the roaming department to better understand partner needs

• Never assume the partner network is secure – many times the attacker is on the other side of their network

• Treat your interconnect like any other network access privilege –use access control

15

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Best practices in signaling networks:

• Security is best implemented in layers

– Use static IP routing lists at the transport layer

– Add point code screening so only allowed point codes can access the network

– Use small global title address ranges

–Map partners to linksets and define controls on these linksets

– Add screening at the MAP layers based on GT, and opcode

• It is time to begin creating access permissions and not just black lists– It takes more time, but easier to maintain, and more effective in preventing

unauthorized access to network resources

16

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

The interconnect profile

• Create partner profiles for defining interconnect permissions

– This is critical to understanding what needs to be provisioned in the STP and DSC

– This should be done in partnership with the roaming group

– A profile can be defined for groups of interconnect partners to simplify the provisioning of rules

– Assign partners to each profile

17

Profile A

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

The interconnect profile

• Roaming Partner Profile

– Voice services

– SMS services

– CAMEL services

• Location Services Profile

– Location services / updates

• Content Provider Profile

– Content downloads / delivery

– Video streaming

18

Profile A

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Protect against non-telco partners

• Many partners are not true service providers

– They provide content and services such as location services

– These partners should not be granted access to SS7 or Diameter

• Their access should be controlled through APIs

19

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Monitor and Analyze everything!Analytics is key to understanding events

20

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

"If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

– Sun Tzu; "The Art of War"

21

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

We have reached a new era

• Researchers once focused on IT have turned their attention to telecom

–We will see many more reports about “hacking” the telecom networks

– Researchers are learning our craft and exploiting the fact that telecom networks have been “open” for some time

• We are migrating to an IT architecture– And so we should be migrating to IT practices as well, especially when it comes to

security

– Analytics and network signaling metadata are absolutely paramount to identifying interconnect abuse

22

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 23