Voice over LTE leaks like a sieve, because nobody’s paying attention to the details. That’s the conclusion in a paper (PDF) presented to the Symposium on Information and Communications Technology Security in Rennes, France last week. The researchers, from Priority 1 Security, warn the vulnerabilities could affect any of the hundred-plus operators using VoLTE worldwide.
VoLTE is the technology that back-ports voice calls onto the IP data-centric 4G standards via the IP Media Subsystem (IMS). Without it, phones need the ability to fall back to 3G standards to place calls. Phones use the Session Initiation Protocol (SIP) for call signalling, with the Session Description Protocol (SDP) to let the callee know what type of call (for example voice or video) is requested. And, in an entirely unsurprising development, implementations aren’t particularly secure, either on Android handsets or in carriers’ networks. Some of the more outstanding insecurities outlined by the researchers include user enumeration using SIP INVITE messages; user spoofing with INVITE messages; a side-channel around data billing systems; IMEI leaks; personal information leaks; and more.
Not all the attacks are simple. For example, the paper notes, while traffic eavesdropping (including password sniffing) is feasible, it depends on a compromise of the handset so the attacker can run something like tcpdump. User fingerprinting, on the other hand, is possible on a massive scale, the paper claims, via mass scanning of network address blocks to locate vulnerable systems. SIP OPTIONS response messages would let an attacker fingerprint customers, and on the operator side both IMS and VoLTE network elements can be fingerprinted.
The free data vulnerability goes beyond the merely entertaining. An attacker can inject traffic into Session Description Protocol (SDP) messages, and it will travel over the network without hitting the billing system; it could also bypass a carrier’s lawful intercept infrastructure. The MSISDN, the Mobile Station International Subscriber Directory Number, maps a phone number to a SIM card, and this is what’s exploited to spoof a user in a SIP INVITE message. Rated critical, this vulnerability means the person receiving the call would think it comes from the spoofed identity, so Alice, thinking she’s receiving a call from Bob, will answer an attack call from Eve.
So what? It’s exactly the kind of attack that can help someone access third parties’ voicemail, and, somewhat depressingly, the researchers, who saw it still present in today’s VoLTE networks, note that it was first disclosed by Hongil Kim and Dongkwan Kim and detailed in a presentation at the Chaos Computer Club’s CCC 32 conference. Also rated critical is the ability to localise users based on how their phones’ implementation completes the SIP session progress message: the response can include details of the cell station the callee is connected to, including country, mobile network operator, area code, radio network controller and cell tower ID.
The paper notes that the vulnerabilities are fixable: they’re down to how operators configure their network, and vendor implementation of network elements and subscriber handsets.
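One operator-side check that follows from the location and IMEI leaks described above, as an added example that is not from the paper or the page: it lints a SIP response for the cell-location header and an IMEI-bearing Contact parameter before the message leaves the operator's network, decodes the location into the fields the page lists, and strips both. The header name P-Access-Network-Info, the utran-cell-id-3gpp field layout and the urn:gsma:imei Contact parameter are assumptions taken from 3GPP IMS conventions; the page names none of them.

```python
import re
# Constructed sample: a SIP 183 Session Progress of the kind the page describes.
# Header name and utran-cell-id-3gpp layout (MCC, 2/3-digit MNC, 4-hex LAC,
# 3-hex RNC-ID, 4-hex cell ID) are assumed from 3GPP TS 24.229, not the page.
SAMPLE_183 = (
    "SIP/2.0 183 Session Progress\r\n"
    "From: <sip:+15550001@ims.example.net>;tag=a1\r\n"
    "To: <sip:+15550002@ims.example.net>;tag=b2\r\n"
    'Contact: <sip:+15550002@10.20.30.40>;+sip.instance="<urn:gsma:imei:00000000-000000-0>"\r\n'
    "P-Access-Network-Info: 3GPP-UTRAN-FDD; utran-cell-id-3gpp=0010100A0010002F\r\n"
    "Content-Length: 0\r\n\r\n"
)

CELL_RE = re.compile(r"utran-cell-id-3gpp=([0-9A-Fa-f]{16,17})")
IMEI_PARAM_RE = re.compile(r';\+sip\.instance="<urn:gsma:imei:[^"]*>"')

def decode_cell_id(pani_value):
    """Split a utran-cell-id-3gpp value into the fields the page lists
    (country, operator, area code, RNC, cell); None if absent or malformed."""
    m = CELL_RE.search(pani_value)
    if not m:
        return None
    cell = m.group(1).upper()
    n = len(cell) - 14          # 2 or 3: the MNC length
    return {"mcc": cell[:3], "mnc": cell[3:3 + n], "lac": cell[3 + n:7 + n],
            "rnc_id": cell[7 + n:10 + n], "cell_id": cell[10 + n:]}

def find_leaks(msg):
    """Findings for a message about to cross the operator's trust boundary."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    findings = []
    for line in head[1:]:            # skip the status/request line
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key == "p-access-network-info":
            findings.append(("P-Access-Network-Info", decode_cell_id(value) or value.strip()))
        elif key == "contact" and IMEI_PARAM_RE.search(value):
            findings.append(("Contact", "IMEI in +sip.instance"))
    return findings

def strip_leaks(msg):
    """Drop the location header and the IMEI parameter; keep everything else."""
    head, sep, body = msg.partition("\r\n\r\n")
    kept = []
    for line in head.split("\r\n"):
        if line.lower().startswith("p-access-network-info:"):
            continue
        kept.append(IMEI_PARAM_RE.sub("", line))
    return "\r\n".join(kept) + sep + body
```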
You may have noticed that information security is something of a big deal these days. You'll also not have missed that attackers' capabilities are far ahead of those of us trying to defend our systems against them. For many people, and maybe you, it makes sense to fill that knowledge and skills gap by bringing in a support partner. Before you do, though, give some thought to what we mean by security. Back in the day, security meant stuff like privacy, encryption, and access control.
And look at standards such as PCI DSS (the payment card industry data security standard) and you'll find they're full of requirements like:
- Restrict access to cryptographic keys to the fewest number of custodians necessary.
- Install critical security patches within one month of release.
- Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
These days the scope has widened somewhat, and alongside confidentiality (ie, all of the above) we're now told that we have to think carefully about the integrity and availability of our systems, and that our Chief Information Security Officer cares deeply about ensuring that we do. So if we dig out our copy of the ISO 27001 standard we read stuff like:
- Backup copies of information, software and system images shall be taken and tested regularly.
- The use of resources shall be monitored, tuned and projections made of future capacity requirements.
Been there, done that
Am I alone in thinking that these latter items are what we system and network administrators have been doing for years? When I was installing resilient pairs of Cisco ASA5510s I was a network manager, and I didn't need the security manager to tell me to do so. I've had monitoring on the kit I've installed over the years so I could see when a network link failed. I've kept an eye on resource usage so I could be sure something wasn't about to fill up its boot drive.
The companies I've worked for and with have all had HR teams that dealt with vetting new employees and ensuring employment terms were clear and obeyed. Much of what we today call security is what system and network managers of my age simply regard as basic enterprise architecture, network design, and even common sense. Of course you'd consider pairing your edge routers if downtime isn't an option. And of course you'd back up your data so you can restore it if the server disk crashes. Why would you need help with that?
So let's look back at what we'd traditionally have called security. This is where you actually may need some help, because it's where the difficult and clever stuff resides, particularly when it comes to picking up the pieces in the event of a successful (on the part of an intruder, that is) attack. The confidentiality elements of system and network management are where you are running to keep up with attackers: keeping up with developments in security algorithms, for example, and at the same time staying abreast of where the attackers are starting to defeat them (anyone think MD5 is the best choice for a hash algorithm these days?). Another area where you'd enlist a third party for help is in the variety of accreditations and compliances that our customers insist on more and more as time goes by. These will almost certainly be new to you, and you'd be mad to try to figure them out by yourself: it'll just take an intractably long time to do so and you'll certainly miss some key points.
Training, training, training
In my experience, this latter third-party involvement is something you can taper off over time. While you'd be silly to try to gain, say, your first ISO 27001 or PCI DSS accreditation without external advice, I strongly suggest you shell out on some training for your in-house teams so you can gradually bring the work in-house over time. Money spent on training will inevitably be saved by not spending it on extended third-party relationships in this respect. The way we're heading with this is: use third parties when you can't reasonably expect to do everything yourself, but only until you can do some things yourself. The clearest example here is security incident response: unless you're a huge company that has the time, money and people to keep up to date with the intricacies of security attacks and forensic analysis, a third party is the way to go.
Anyway, if you hire the right supplier they'll have way more experience of genuine problems and incident responses than you could ever dream of having, and will bring value that you couldn't have yourself. And if there's stuff that you need to kick-start then get someone in to do so, but with caveats. And those caveats are simple: we're not talking about outsourcing your security function permanently, so be clear on the timescales and deliverables.
I know a contractor who's just hit the tenth anniversary of his current position, and your target is most definitely not to help someone beat this record. This will sound dumb, but before you sign on the dotted line you need to agree on both the deliverables and the timeframe for the third-party involvement, with one of the key targets being skilling up your internal team and obtaining a hand-over of a significant portion of the security regime by the end of the contract. Extending the contract because you didn't agree on the terms of engagement is undesirable and expensive. And as you go, question yourself and your supplier; even better, get someone else to sanity-check what you're doing and ensure that you're not missing the point. In short: use a support partner to deal with emergencies, to bring short-term knowledge, and to help you temporarily if you simply don't have enough people to get the work done in the time available.
Be clear on what third parties do for you, and on the nature and duration of the relationship: use short, fixed-term engagements by default, with long-term relationships reserved for the things you can't expect to do yourself. But in the long term, your core support partner should be, well, you.
China’s new cyber-security laws, which come into effect on Thursday, may make it harder for foreign businesses to trade in the country. Under the regulations, data on Chinese citizens, including personal information, salary details and more, can only be kept within China. The law would also prevent the transmission of any economic, scientific or technological data overseas on either national security or public interest grounds, as defined by the Chinese government. The rules apply to any “network operator”, a term that encompasses social media companies and large internet firms, and mean that they need users’ permission before transferring any data on them outside the country. The consequences for businesses that fail to comply with this new law are dire: a refused or revoked licence can never be reversed.
This means that companies that fail to comply with the so-called Bei’an licence laws are liable to get blacklisted. Bill Hagestad, a former US Marine Corps lieutenant colonel turned cyber conflict author and researcher, told El Reg that the new rules reflect heightened concern in Beijing about foreign influence mediated through the internet.
“The new Chinese internet security law is designed to protect the cyber borders of China against foreign negative influences,” Hagestad said. “It is also designed to ensure the Communist Party ideals are not directly or indirectly challenged by impure thoughts.
“Given the release of the Shadow Brokers’ NSA tools, the Chinese are now more certain than ever before that any foreign technology brought into the Middle Kingdom must be inspected and deemed pure/free from any vulnerabilities that could challenge China’s internet security.”
Alex Nam, EMEA managing director of content delivery network CDNetworks, warned that foreign internet companies will now find it harder to trade in China.
“The new cybersecurity law on 1 June will make it harder for non-Chinese businesses to trade in the country,” Nam said. “All businesses that host websites and web content (such as applications) in China will be affected. Yet many don’t know what impact the law has on them or whether their business is in jeopardy.
“Thousands of government officials, as well as intelligent algorithms, are currently investigating whether non-Chinese companies meet all of the requirements of the new legislation. The new law has a huge impact on network operators and critical information infrastructure operators because they host websites in China on behalf of other companies. As a result, checks are being carried out to determine whether hosting providers and content delivery network (CDN) providers have the necessary licences, and are being asked by government officials to make the necessary changes in the shortest possible time.”
CDNetworks says it’s seeing “uncertainty from companies as to whether they are affected by the legislation”.
“Without support and guidance, UK businesses are putting themselves at risk,” Nam added. “Especially the UK businesses operating in China, who are completely unaware that this new law even impacts them.”