Friday, February 28, 2014

Unusual 3G/4G Security: Access to a Backhaul Network

A backhaul network connects base stations (NodeB in 3G/UMTS terminology, eNodeB in LTE) to the radio network controller (RNC) and, beyond it, to the operator's core network.

Connecting base stations accounts for a significant share of an operator's total expenses, so there is strong pressure to cut the cost of building and running such networks, in particular by adopting newer transport technologies.

Backhaul has evolved from ATM links through SDH/SONET and DSL to IP/MPLS and metro Ethernet. Today backhaul traffic is carried as IP packets.

Once an operator has built a large metro network, it will not be used only to connect base stations. The same network also provides channels to business customers and, in some areas, Internet access to home users. This is a converged network, and security is a pressing issue for converged networks.

Voice and packet data are encrypted on the network section between a NodeB and an RNC. But what about management traffic? What protocols are used to manage the NodeB itself? Depending on the vendor and the operator's choice, it may be HTTP or HTTPS, Telnet or SSH, or one of several dialects of MML (man-machine language), the line-oriented command language used on telecom equipment.

Unfortunately, protocols that do not encrypt data are still commonly used to manage network elements, so both the credentials and the commands cross the backhaul in cleartext.

What happens if an intruder gains access to a network segment? Can they capture this data, and how?

Today every network device has an IP management interface and an Ethernet port to connect it to the network. Base stations are no exception.

Once inside the segment, an attacker can use ordinary ARP spoofing to route the traffic that technicians use to manage network devices through his own host and capture it.
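From the defender's side, the same ARP spoofing leaves a visible trace on the segment: an IP address that is suddenly answered for by a second MAC, or one MAC answering for both the gateway and a NodeB. The script below is an added example, not code from the original post; it is a passive, arpwatch-style check over a constructed list of ARP replies. The addresses and timings are invented, and the trace is shaped like what tshark would print for `arp.opcode == 2` frames with the `frame.time_relative`, `arp.src.proto_ipv4` and `arp.src.hw_mac` fields.

```python
"""Passive ARP-spoofing detection over a list of ARP replies.

Added example, not code from the original post. ARP_REPLIES is a constructed
trace (invented addresses) shaped like tshark output for ARP replies on the
management segment: (relative time, sender IP, sender MAC).
"""
from collections import defaultdict


def detect_arp_spoofing(replies, known=None):
    """Return a list of (time, kind, subject, detail) alerts.

    kind is one of:
      changed   - an IP is now claimed by a MAC never seen for it before
      flip-flop - an IP alternates between MACs it has used before
                  (the real host and the spoofer both answering)
      multi-ip  - one MAC answers for more than one IP (the attacker
                  impersonating both ends of a conversation)
    `known` optionally seeds trusted IP -> MAC bindings from an inventory,
    so the very first spoofed reply is flagged instead of being learned.
    """
    current = {ip: mac.lower() for ip, mac in (known or {}).items()}
    seen = defaultdict(set, {ip: {mac} for ip, mac in current.items()})
    ips_by_mac = defaultdict(set)
    for ip, mac in current.items():
        ips_by_mac[mac].add(ip)

    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        prev = current.get(ip)
        if prev is not None and prev != mac:
            kind = "flip-flop" if mac in seen[ip] else "changed"
            alerts.append((t, kind, ip, f"{prev} -> {mac}"))
        current[ip] = mac
        seen[ip].add(mac)
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((t, "multi-ip", mac,
                               ", ".join(sorted(ips_by_mac[mac]))))
    return alerts


# Constructed trace: a gateway and a NodeB management port, then an attacker
# (de:ad:be:ef:00:01) claiming both, with the real gateway still answering.
ARP_REPLIES = [
    (0.00, "10.20.0.1",  "00:1b:21:aa:bb:01"),   # gateway, legitimate
    (0.10, "10.20.0.50", "00:1b:21:aa:bb:50"),   # NodeB management port
    (1.00, "10.20.0.1",  "00:1b:21:aa:bb:01"),
    (5.00, "10.20.0.1",  "de:ad:be:ef:00:01"),   # attacker claims the gateway
    (5.00, "10.20.0.50", "de:ad:be:ef:00:01"),   # ... and the NodeB
    (7.00, "10.20.0.1",  "00:1b:21:aa:bb:01"),   # real gateway answers again
    (7.50, "10.20.0.1",  "de:ad:be:ef:00:01"),   # and the attacker re-poisons
]

if __name__ == "__main__":
    for t, kind, subject, detail in detect_arp_spoofing(ARP_REPLIES):
        print(f"t={t:5.2f} {kind:9s} {subject:18s} {detail}")
```

Seeding `known` from the device inventory matters on a segment like this: without it the first reply seen for an address is trusted, so an attacker who starts poisoning before the monitor is learning goes unnoticed until the real host answers. On managed switches the same binding check can be enforced inline with dynamic ARP inspection rather than detected after the fact.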

An example of a captured MML session shows how simple it is.
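To make concrete what "simple" means once the management traffic is on the attacker's host, the script below is an added example, not code from the original post: it reconstructs the client side of a cleartext Telnet-carried MML login from the TCP segments in the order a packet capture would deliver them, strips the Telnet option negotiation, and pairs each server prompt with what the technician typed. The session bytes, banner, prompts, account name and MML commands are all constructed for the example and do not come from any real vendor's equipment.

```python
"""Reconstruct the client side of a cleartext Telnet/MML session and pull out
what was typed into it.

Added example, not code from the original post. SESSION is a constructed
byte stream shaped like a Telnet login to a hypothetical base-station
management port: banner, prompts, account and MML commands are invented.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL / WONT / DO / DONT carry one option byte


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove Telnet option negotiation (IAC sequences), return the payload bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                                   # truncated IAC at segment end
        elif data[i + 1] == IAC:
            out.append(IAC)                         # IAC IAC is an escaped 0xFF
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3                                  # IAC <cmd> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2   # IAC SB ... IAC SE
        else:
            i += 2                                  # other two-byte command (NOP, GA, ...)
    return bytes(out)


def extract_session(segments):
    """Walk (direction, payload) TCP segments in capture order and pair each
    server prompt with the line the client typed in reply. Telnet clients
    usually send one keystroke per segment, so client bytes are accumulated
    until a line terminator."""
    result = {"username": None, "password": None, "commands": []}
    expecting = None            # what the last server prompt asked for
    line = bytearray()
    for direction, payload in segments:
        payload = strip_telnet_iac(payload)
        if direction == "server":
            text = payload.decode("ascii", "replace").lower()
            if "username:" in text or "login:" in text:
                expecting = "username"
            elif "password:" in text:
                expecting = "password"
            elif text.rstrip().endswith((">", "#", "$")):
                expecting = "command"   # command prompt: everything after is MML
            continue
        for b in payload:
            if b in (0x08, 0x7F):       # backspace / DEL
                if line:
                    line.pop()
            elif b not in (0x0D, 0x0A, 0x00):
                line.append(b)
            elif line:                  # CR, LF or the NUL of Telnet CR NUL ends a line
                typed = line.decode("ascii", "replace")
                line = bytearray()
                if expecting == "command":
                    result["commands"].append(typed)
                elif expecting in ("username", "password"):
                    result[expecting] = typed
                    expecting = None
    return result


# Constructed session: server negotiates ECHO, asks for credentials, then
# drops into an MML-style prompt. Account, password and commands are invented.
SESSION = [
    ("server", bytes([IAC, 0xFD, 0x18, IAC, 0xFB, 0x01])
               + b"\r\nNodeB-1042 management port\r\nUsername: "),
    ("client", bytes([IAC, 0xFC, 0x18, IAC, 0xFD, 0x01])),
    ("client", b"a"), ("client", b"d"), ("client", b"m"),
    ("client", b"i"), ("client", b"n"), ("client", b"\r\n"),
    ("server", b"admin\r\nPassword: "),
    ("client", b"Bts2014!\r\n"),
    ("server", b"\r\nLogin OK\r\nMML> "),
    ("client", b"LIST ALARMS;\r\n"),
    ("server", b"No active alarms\r\nMML> "),
    ("client", b'ADD USER: NAME="field", PASSWORD="field";\r\n'),
]

if __name__ == "__main__":
    print(extract_session(SESSION))
```

Nothing here is specific to MML: the same prompt-and-reply pairing works for any cleartext line-oriented protocol, which is why the fix is the transport (SSH, or HTTPS with a verified certificate) rather than any property of the command language. Note also that the password never appears in the server's echo, so a tool that only looks at server output would miss it; the client side of the stream has to be reassembled.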

The further you go, the clearer the problem becomes. Having gained access to one base station, an attacker can reach the others, since management IP addresses are routed freely, at least within one operator's network.

Note that a mobile operator has hundreds of base stations in each city. What happens when it loses connectivity to one of them, or has to carry out work on site? For these cases each device has a local account. That account usually has the same credentials on every device, so an intruder who recovers it once gains control over hundreds of devices.

The telephone network used to be an extremely isolated and tightly controlled system. Times have changed; the question is whether telecommunications companies realize it.

Author: Dmitry Kurbatov, Positive Research