Part 8: Threat Model - 4G LTE Attack Surface

Learning Objective: Apply STRIDE threat modeling to identify 4G EPC vulnerabilities and mitigations.

STRIDE Framework

4G Attack Surface Map

graph TB
    subgraph "Radio Access"
        UE[📱 UE]
        eNB[📡 eNodeB]
    end
    
    subgraph "Control Plane"
        MME[MME]
        HSS[HSS]
        PCRF[PCRF]
    end
    
    subgraph "User Plane"
        SGWU[SGW-U]
        UPF[UPF]
    end
    
    UE -.->|❌ S1-MME
Unencrypted NAS| MME
    UE -.->|❌ S1-U
Unencrypted GTP| SGWU
    eNB -.->|❌ S1-MME
No mutual auth| MME
    eNB -.->|❌ S1-U
No encryption| SGWU
    
    MME -.->|❌ S6a Diameter
No TLS| HSS
    MME -.->|❌ S11 GTP-C
No encryption| SGWU
    
    SGWU -.->|❌ S5-U GTP-U
No encryption| UPF
    
    style UE fill:#ffcccc
    style eNB fill:#ffcccc
    style MME fill:#ffcccc
    style HSS fill:#ffcccc

Threat Catalog

1. IMSI Catching (S, I)

Attack Vector:

• Rogue eNB broadcasts stronger signal than legitimate eNB
• UE connects to rogue eNB
• UE sends IMSI in cleartext during attach

Impact:

• Spoofing: Attacker impersonates legitimate network
• Information Disclosure: IMSI, location, device type exposed

Mitigation:

• ✅ Use 5G SUCI (encrypted IMSI)
• ✅ Deploy IMSI catchers detection (monitor for rogue cells)
• ⚠️ 4G has no built-in mitigation

Real-World Examples:

• Stingrays / Harris Corporation — Used by US law enforcement to track suspects via IMSI
• CVE-2019-14934 — Qualcomm baseband leak allows IMSI extraction on certain chipsets
• IMSI-catcher detectors: SnoopSnitch (Android app by SR Labs)

STRIDE Score: S=High, I=High

2. Rogue eNodeB / Man-in-the-Middle (S, T, I, D)

Attack Vector:

• Attacker deploys fake eNB (e.g., using OpenBTS, srsRAN)
• UE connects to rogue eNB
• Attacker intercepts/modifies traffic

Impact:

• Spoofing: Fake network identity
• Tampering: Modify user data (downgrade to 2G, inject packets)
• Information Disclosure: Intercept SMS, calls, data
• DoS: Block UE from legitimate network

Mitigation:

• ✅ Mutual authentication (eNB ↔ MME via IPsec)
• ✅ User plane encryption (AS-level, not S1-U)
• ⚠️ Most operators don't encrypt S1-U

STRIDE Score: S=High, T=High, I=High, D=Medium

3. GTP-U Injection (T, D)

Attack Vector:

• Attacker on S1-U or S5-U path
• Inject malicious GTP-U packets with spoofed TEID

Impact:

• Tampering: Inject malicious payloads into UE traffic
• DoS: Flood UE with packets

Mitigation:

• ✅ IPsec on S1-U and S5-U
• ✅ GTP-U sequence number validation
• ⚠️ Rarely deployed in practice

STRIDE Score: T=High, D=High

4. Diameter Exploitation (S, I, E)

Attack Vector:

• Attacker on S6a (MME ↔ HSS) or Gx (PGW ↔ PCRF)
• Exploit Diameter protocol vulnerabilities (no TLS, weak auth)

Impact:

• Spoofing: Impersonate HSS or PCRF
• Information Disclosure: Steal authentication vectors (RAND, AUTN, XRES)
• Elevation of Privilege: Modify subscriber profile (unlimited data, roaming)

Mitigation:

• ✅ Diameter over TLS (DTLS)
• ✅ Diameter firewall (DRA - Diameter Routing Agent)
• ✅ IPsec between MME and HSS

Real-World Examples:

• SS7/Diameter hacking — Demonstrated at 31C3 by Karsten Nohl (SR Labs)
• GSMA FS.19 — GSMA published Diameter security guidelines after widespread exploitation
• 2018 NIST SP 800-187 — Guide to LTE Security identifying Diameter as critical weakness

STRIDE Score: S=High, I=Critical, E=High

5. HSS Credential Exfiltration (I, E)

Attack Vector:

• Compromise HSS database (MongoDB in Open5GS)
• Exfiltrate K, OPc keys

Impact:

• Information Disclosure: All subscriber secrets
• Elevation of Privilege: Clone SIM cards, impersonate users

Mitigation:

• ✅ Encrypt database at rest
• ✅ HSM (Hardware Security Module) for key storage
• ✅ Network segmentation (HSS in isolated VLAN)

STRIDE Score: I=Critical, E=Critical

6. UE Tracking via TAU (I)

Attack Vector:

• Monitor Tracking Area Update (TAU) messages
• Correlate GUTI with location

Impact:

• Information Disclosure: Track user location over time

Mitigation:

• ✅ Frequent GUTI reallocation
• ✅ Use 5G SUCI (prevents IMSI correlation)

STRIDE Score: I=Medium

7. S1-MME / S1-U Unencrypted Transport (I, T)

Attack Vector:

• Sniff S1-MME (SCTP) or S1-U (GTP-U) traffic
• Extract NAS messages, user data

Impact:

• Information Disclosure: NAS signaling, user plane data
• Tampering: Modify packets in transit

Mitigation:

• ✅ IPsec on S1-MME and S1-U
• ⚠️ Most operators only encrypt S1-MME, not S1-U

STRIDE Score: I=High, T=High

8. Downgrade Attack (T, D)

Attack Vector:

• Rogue eNB forces UE to use weak encryption (EEA0 = null cipher)
• Intercept cleartext traffic

Impact:

• Tampering: Modify traffic
• DoS: Block encrypted connections

Mitigation:

• ✅ Disable EEA0/EIA0 in MME config
• ✅ UE should reject null ciphers

STRIDE Score: T=High, D=Medium

Threat Summary Table

🔬 Lab Exercises (Threat Testing)

Using the Docker lab from Part 4, try these security exercises:

Exercise 1: Capture IMSI in Cleartext

# Capture S1AP traffic and look for InitialUEMessage containing IMSI
docker exec -it open5gs_mme tcpdump -i any -w /tmp/s1ap.pcap sctp
# Open in Wireshark, filter: s1ap.InitialUEMessage
# Look for: NAS-PDU → Attach Request → Mobile Identity → IMSI

Exercise 2: Observe Unencrypted GTP-U

# Capture GTP-U traffic (user data in cleartext)
docker exec -it open5gs_upf tcpdump -i any -w /tmp/gtpu.pcap udp port 2152
# Open in Wireshark, filter: gtp
# You'll see the UE's IP packets inside GTP tunnels (unencrypted)

Exercise 3: Test Null Cipher

# In mme.yaml, set null cipher first:
security:
  ciphering_order: [EEA0, EEA1, EEA2]  # EEA0 = null cipher!
# Then capture NAS and observe: NAS messages are integrity-protected but NOT encrypted

3GPP References

Summary

• ✅ 4G has significant attack surface due to unencrypted interfaces
• ✅ IMSI catching is a major privacy risk (proven real-world)
• ✅ Diameter protocol is vulnerable without TLS (SS7-era design)
• ✅ Most mitigations require operator deployment (IPsec, HSM)
• ✅ You can test these threats yourself in the Docker lab

Next: Part 9: 5G Threat Model →