# Part 8: Threat Model - 4G LTE Attack Surface
Learning Objective: Apply STRIDE threat modeling to identify 4G EPC vulnerabilities and mitigations.
## STRIDE Framework
| Category | Threat Type |
|---|---|
| S | Spoofing (identity) |
| T | Tampering (data) |
| R | Repudiation (deny actions) |
| I | Information Disclosure |
| D | Denial of Service |
| E | Elevation of Privilege |
## 4G Attack Surface Map
```mermaid
graph TB
    subgraph "Radio Access"
        UE[📱 UE]
        eNB[📡 eNodeB]
    end
    subgraph "Control Plane"
        MME[MME]
        HSS[HSS]
        PCRF[PCRF]
    end
    subgraph "User Plane"
        SGWU[SGW-U]
        UPF[UPF]
    end
    UE -.->|"❌ S1-MME<br/>Unencrypted NAS"| MME
    UE -.->|"❌ S1-U<br/>Unencrypted GTP"| SGWU
    eNB -.->|"❌ S1-MME<br/>No mutual auth"| MME
    eNB -.->|"❌ S1-U<br/>No encryption"| SGWU
    MME -.->|"❌ S6a Diameter<br/>No TLS"| HSS
    MME -.->|"❌ S11 GTP-C<br/>No encryption"| SGWU
    SGWU -.->|"❌ S5-U GTP-U<br/>No encryption"| UPF
    style UE fill:#ffcccc
    style eNB fill:#ffcccc
    style MME fill:#ffcccc
    style HSS fill:#ffcccc
```
## Threat Catalog
### 1. IMSI Catching (S, I)
Attack Vector:
- Rogue eNB broadcasts a stronger signal than the legitimate eNB
- UE connects to the rogue eNB
- UE sends its IMSI in cleartext during attach
Impact:
- Spoofing: Attacker impersonates the legitimate network
- Information Disclosure: IMSI, location, device type exposed
Mitigation:
- ✅ Use 5G SUCI (encrypted IMSI)
- ✅ Deploy IMSI-catcher detection (monitor for rogue cells)
- ⚠️ 4G has no built-in mitigation
Real-World Examples:
- Stingrays / Harris Corporation: used by US law enforcement to track suspects via IMSI
- CVE-2019-14934: Qualcomm baseband leak allows IMSI extraction on certain chipsets
- IMSI-catcher detectors: SnoopSnitch (Android app by SR Labs)
STRIDE Score: S=High, I=High
### 2. Rogue eNodeB / Man-in-the-Middle (S, T, I, D)
Attack Vector:
- Attacker deploys a fake eNB (e.g., using OpenBTS, srsRAN)
- UE connects to the rogue eNB
- Attacker intercepts/modifies traffic
Impact:
- Spoofing: Fake network identity
- Tampering: Modify user data (downgrade to 2G, inject packets)
- Information Disclosure: Intercept SMS, calls, data
- DoS: Block UE from the legitimate network
Mitigation:
- ✅ Mutual authentication (eNB ↔ MME via IPsec)
- ✅ User plane encryption (AS-level, not S1-U)
- ⚠️ Most operators don't encrypt S1-U
STRIDE Score: S=High, T=High, I=High, D=Medium
### 3. GTP-U Injection (T, D)
Attack Vector:
- Attacker on the S1-U or S5-U path
- Inject malicious GTP-U packets with a spoofed TEID
Impact:
- Tampering: Inject malicious payloads into UE traffic
- DoS: Flood UE with packets
Mitigation:
- ✅ IPsec on S1-U and S5-U
- ✅ GTP-U sequence number validation
- ⚠️ Rarely deployed in practice
STRIDE Score: T=High, D=High
### 4. Diameter Exploitation (S, I, E)
Attack Vector:
- Attacker on S6a (MME ↔ HSS) or Gx (PGW ↔ PCRF)
- Exploit Diameter protocol weaknesses (no TLS, weak auth)
Impact:
- Spoofing: Impersonate HSS or PCRF
- Information Disclosure: Steal authentication vectors (RAND, AUTN, XRES)
- Elevation of Privilege: Modify subscriber profile (unlimited data, roaming)
Mitigation:
- ✅ Diameter over TLS (on TCP) or DTLS (on SCTP), as defined in RFC 6733
- ✅ Diameter firewall / message screening at the DRA (Diameter Routing Agent)
- ✅ IPsec between MME and HSS
Real-World Examples:
- SS7/Diameter hacking: demonstrated at 31C3 by Karsten Nohl (SR Labs)
- GSMA FS.19: Diameter security guidelines published by the GSMA after widespread exploitation
- NIST SP 800-187 (2018): Guide to LTE Security, identifying Diameter as a critical weakness
STRIDE Score: S=High, I=Critical, E=High
### 5. HSS Credential Exfiltration (I, E)
Attack Vector:
- Compromise HSS database (MongoDB in Open5GS)
- Exfiltrate K, OPc keys
Impact:
- Information Disclosure: All subscriber secrets
- Elevation of Privilege: Clone SIM cards, impersonate users
Mitigation:
- ✅ Encrypt database at rest
- ✅ HSM (Hardware Security Module) for key storage
- ✅ Network segmentation (HSS in isolated VLAN)
STRIDE Score: I=Critical, E=Critical
### 6. UE Tracking via TAU (I)
Attack Vector:
- Monitor Tracking Area Update (TAU) messages
- Correlate GUTI with location
Impact:
- Information Disclosure: Track user location over time
Mitigation:
- ✅ Frequent GUTI reallocation
- ✅ Use 5G SUCI (prevents IMSI correlation)
STRIDE Score: I=Medium
### 7. S1-MME / S1-U Unencrypted Transport (I, T)
Attack Vector:
- Sniff S1-MME (SCTP) or S1-U (GTP-U) traffic
- Extract NAS messages, user data
Impact:
- Information Disclosure: NAS signaling, user plane data
- Tampering: Modify packets in transit
Mitigation:
- ✅ IPsec on S1-MME and S1-U
- ⚠️ Most operators only encrypt S1-MME, not S1-U
STRIDE Score: I=High, T=High
### 8. Downgrade Attack (T, D)
Attack Vector:
- Rogue eNB forces UE to use weak encryption (EEA0 = null cipher)
- Intercept cleartext traffic
Impact:
- Tampering: Modify traffic
- DoS: Block encrypted connections
Mitigation:
- ✅ Disable EEA0/EIA0 in MME config
- ✅ UE should reject null ciphers
STRIDE Score: T=High, D=Medium
## Threat Summary Table
| Threat | S | T | R | I | D | E | Severity |
|---|---|---|---|---|---|---|---|
| IMSI Catching | ✅ | | | ✅ | | | High |
| Rogue eNB | ✅ | ✅ | | ✅ | ✅ | | Critical |
| GTP-U Injection | | ✅ | | | ✅ | | High |
| Diameter Exploit | ✅ | | | ✅ | | ✅ | Critical |
| HSS Exfiltration | | | | ✅ | | ✅ | Critical |
| UE Tracking | | | | ✅ | | | Medium |
| S1 Unencrypted | | ✅ | | ✅ | | | High |
| Downgrade Attack | | ✅ | | | ✅ | | High |
## 🔬 Lab Exercises (Threat Testing)
Using the Docker lab from Part 4, try these security exercises:
### Exercise 1: Capture IMSI in Cleartext
```bash
# Capture S1AP traffic and look for InitialUEMessage containing IMSI
docker exec -it open5gs_mme tcpdump -i any -w /tmp/s1ap.pcap sctp
# Open in Wireshark, filter: s1ap.InitialUEMessage
# Look for: NAS-PDU → Attach Request → Mobile Identity → IMSI
```
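As an added example (not code from this page or from Open5GS), the decoder below handles the EPS Mobile Identity IE that Exercise 1 has you locate and classifies attaches as IMSI-based (the Threat 1 exposure) or GUTI-based (Threat 6); the IE values are constructed, and the NAS PDU is assumed to have been extracted from the S1AP InitialUEMessage already.

```python
# Added example, not part of the original page: decode the EPS Mobile Identity IE
# value from an Attach Request (3GPP TS 24.301 9.9.3.12, TS 24.008 10.5.1.4) and
# audit how often attaches expose the permanent IMSI versus a temporary GUTI.
TYPE_IMSI, TYPE_IMEI, TYPE_IMEISV, TYPE_GUTI = 1, 2, 3, 6
BCD_NAMES = {TYPE_IMSI: "IMSI", TYPE_IMEI: "IMEI", TYPE_IMEISV: "IMEISV"}

def decode_eps_mobile_identity(ie: bytes) -> tuple:
    """Return (kind, value) for an IE value whose IEI/length octets are already stripped."""
    if not ie:
        raise ValueError("empty identity IE")
    id_type = ie[0] & 0x07                       # bits 1-3 of octet 3: type of identity
    if id_type == TYPE_GUTI:
        # Octet 3 is 0xF6, then PLMN (3), MME group id (2), MME code (1), M-TMSI (4)
        if len(ie) != 11:
            raise ValueError("GUTI must be 11 octets")
        p = ie[1:4]                              # PLMN: MCC/MNC BCD digits, low nibble first
        mcc = f"{p[0] & 0xF}{p[0] >> 4}{p[1] & 0xF}"
        mnc = f"{p[2] & 0xF}{p[2] >> 4}" + ("" if p[1] >> 4 == 0xF else str(p[1] >> 4))
        mmegi, mmec = int.from_bytes(ie[4:6], "big"), ie[6]
        mtmsi = int.from_bytes(ie[7:11], "big")
        return "GUTI", f"{mcc}-{mnc} mmegi={mmegi} mmec={mmec} m-tmsi=0x{mtmsi:08x}"
    if id_type in BCD_NAMES:
        odd = bool(ie[0] & 0x08)                 # bit 4: odd number of digits
        digits = [str(ie[0] >> 4)]               # first digit sits in bits 5-8 of octet 3
        for octet in ie[1:]:                     # then two BCD digits per octet, low nibble first
            digits += [str(octet & 0xF), str(octet >> 4)]
        if not odd:
            digits.pop()                         # even count: the last high nibble is 0xF filler
        return BCD_NAMES[id_type], "".join(digits)
    raise ValueError(f"unsupported identity type {id_type}")

def audit_attach_identities(identity_ies) -> dict:
    """Count attach identity types; every IMSI attach reveals the permanent identity on S1-MME."""
    counts = {"IMSI": 0, "GUTI": 0, "other": 0}
    for ie in identity_ies:
        kind = decode_eps_mobile_identity(ie)[0]
        counts[kind if kind in counts else "other"] += 1
    return counts

# Constructed samples (not captured data): IMSI 001010123456789 and a GUTI for PLMN 001-01.
SAMPLE_IMSI_IE = bytes.fromhex("0910101032547698")
SAMPLE_GUTI_IE = bytes.fromhex("f600f110000102c0000001")
SAMPLE_ATTACHES = [SAMPLE_IMSI_IE, SAMPLE_GUTI_IE, SAMPLE_GUTI_IE]
```

The ratio of IMSI attaches to GUTI attaches seen at the MME is a direct measure of how much permanent-identity exposure the network generates, and a rise in IMSI attaches from one cell is one of the signals IMSI-catcher detection looks for.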
### Exercise 2: Observe Unencrypted GTP-U
```bash
# Capture GTP-U traffic (user data in cleartext)
docker exec -it open5gs_upf tcpdump -i any -w /tmp/gtpu.pcap udp port 2152
# Open in Wireshark, filter: gtp
# You'll see the UE's IP packets inside GTP tunnels (unencrypted)
```
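Added example, not code from this page or from Open5GS: a minimal GTP-U header parser and session-table filter that applies the TEID and sequence-number checks Threat 3 lists as mitigations to the kind of tunnel traffic Exercise 2 captures; the session table and the packets fed to it are constructed.

```python
# Added example, not part of the original page: parse the GTP-U header (3GPP TS 29.281) and
# police G-PDUs against a session table (TEID -> allowed peer IP), as an SGW/UPF-side filter would.
import struct

G_PDU = 0xFF                                     # message type of a user-data packet

def parse_gtpu(pkt: bytes):
    """Return (flags, msg_type, teid, seq or None, inner payload); raise if malformed."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:      # version 1, PT=1 (GTP, not GTP')
        raise ValueError("not GTPv1")
    if len(pkt) != 8 + length:
        raise ValueError("length field mismatch")
    off, seq = 8, None
    if flags & 0x07:                             # E, S or PN set: 4 optional octets follow
        seq = struct.unpack("!H", pkt[8:10])[0] if flags & 0x02 else None
        next_ext, off = pkt[11], 12
        while next_ext:                          # extension header chain, length in 4-octet units
            ext_len = pkt[off] * 4
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    return flags, msg_type, teid, seq, pkt[off:]

class GtpuFilter:
    def __init__(self, sessions: dict):
        self.sessions = {t: {"peer": ip, "seq": None} for t, ip in sessions.items()}

    def check(self, src_ip: str, pkt: bytes) -> tuple:
        try:
            _, msg_type, teid, seq, payload = parse_gtpu(pkt)
        except (ValueError, IndexError, struct.error) as exc:   # truncated or inconsistent header
            return "drop", f"malformed: {exc!r}"
        if msg_type != G_PDU:
            return "accept", "signalling message, not policed here"
        sess = self.sessions.get(teid)
        if sess is None:
            return "drop", f"unknown TEID 0x{teid:08x}"
        if sess["peer"] != src_ip:
            return "drop", f"TEID 0x{teid:08x} belongs to {sess['peer']}, got {src_ip}"
        if seq is not None:                      # 16-bit counter; wrap-around handling omitted
            if sess["seq"] is not None and seq <= sess["seq"]:
                return "drop", f"replayed or out-of-order sequence {seq}"
            sess["seq"] = seq
        return "accept", f"{len(payload)}-byte inner packet"

def build_gpdu(teid: int, payload: bytes, seq=None) -> bytes:
    # Constructed test packets (not captured traffic); with seq the S flag and optional octets are set
    flags = 0x30 | (0x02 if seq is not None else 0)
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""
    return struct.pack("!BBHI", flags, G_PDU, len(opt) + len(payload), teid) + opt + payload
```

Without IPsec on S1-U/S5-U these checks only raise the bar (an on-path attacker who sees the tunnel also sees valid TEIDs and sequence numbers), which is why the catalog pairs them with IPsec.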
### Exercise 3: Test Null Cipher
```yaml
# In mme.yaml, set the null cipher first:
security:
  ciphering_order: [EEA0, EEA1, EEA2]  # EEA0 = null cipher!
# Then capture NAS and observe: NAS messages are integrity-protected but NOT encrypted
```
These exercises are for educational purposes only in your isolated Docker lab. Never test against real networks.
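Added example (not code from this page or from Open5GS): a simulation of how the MME picks NAS algorithms from the UE's capability IE and its configured preference order, showing why the EEA0-first order in Exercise 3 yields a null-ciphered session while a hardened order does not, together with the UE-side replay check that is the defence behind Threat 8's "UE should reject null ciphers"; the capability bytes and preference lists are constructed.

```python
# Added example, not part of the original page: simulate the MME's NAS algorithm
# selection (3GPP TS 33.401 7.2.4.3) from the UE Network Capability IE (TS 24.301
# 9.9.3.34) and an ordered preference list like Open5GS's ciphering_order, plus the
# UE's replay check of its capabilities in the Security Mode Command.

# Octet 3 of the UE Network Capability IE: bit 8 = EEA0, bit 7 = 128-EEA1, bit 6 =
# 128-EEA2, ... bit 1 = EEA7. Octet 4 uses the same layout for EIA0..EIA7.
def supported(octet: int, prefix: str) -> set:
    return {f"{prefix}{i}" for i in range(8) if octet & (0x80 >> i)}

def select_nas_algorithms(ue_cap: bytes, cipher_order, integrity_order):
    """First algorithm in each MME preference list that the UE supports, or None."""
    eea, eia = supported(ue_cap[0], "EEA"), supported(ue_cap[1], "EIA")
    cipher = next((a for a in cipher_order if a in eea), None)
    integ = next((a for a in integrity_order if a in eia), None)
    return None if cipher is None or integ is None else (cipher, integ)

def encode_selected(cipher: str, integ: str) -> int:
    """Selected NAS security algorithms IE (TS 24.301 9.9.3.23): bits 7-5 EEA, bits 3-1 EIA."""
    return (int(cipher[-1]) << 4) | int(integ[-1])

def ue_accepts_smc(sent_cap: bytes, replayed_cap: bytes, selected: int) -> tuple:
    """UE check on the Security Mode Command: the replayed capabilities must equal what
    it sent (TS 33.401 7.2.4.4), and a UE configured to refuse the null cipher rejects
    EEA0 whenever it offered a real cipher."""
    if sent_cap != replayed_cap:
        return False, "replayed UE capabilities differ from those sent: tampering"
    if (selected >> 4) & 0x7 == 0 and sent_cap[0] & 0x70:
        return False, "network selected EEA0 although 128-EEA1/2/3 were offered"
    return True, "ok"

# Constructed inputs: a UE supporting EEA0-2/EIA0-2, the page's weak order (EEA0 first)
# and a hardened order that omits the null cipher.
UE_CAP = bytes([0xE0, 0xE0])
WEAK_ORDER = ["EEA0", "EEA1", "EEA2"]
HARDENED_ORDER = ["EEA2", "EEA1"]
INTEGRITY_ORDER = ["EIA2", "EIA1"]
```

In the Open5GS mme.yaml format shown above, the hardened choice is assumed to correspond to `ciphering_order: [EEA2, EEA1]` with a matching `integrity_order: [EIA2, EIA1]`.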
## 3GPP References
| Document | Title | Relevance |
|---|---|---|
| TS 33.401 | 3GPP System Architecture Evolution (SAE) Security | EPS security architecture |
| TS 33.210 | Network Domain Security: IP layer security | IPsec for backhaul |
| TS 29.272 | Diameter-based S6a interface | MME ↔ HSS protocol spec |
| NIST SP 800-187 | Guide to LTE Security | US gov LTE security guidelines |
| GSMA FS.19 | Diameter Interconnect Security | Diameter firewall recommendations |
## Summary
- ✅ 4G has a significant attack surface due to unencrypted interfaces
- ✅ IMSI catching is a major privacy risk (proven real-world)
- ✅ Diameter protocol is vulnerable without TLS (SS7-era design)
- ✅ Most mitigations require operator deployment (IPsec, HSM)
- ✅ You can test these threats yourself in the Docker lab
Next: Part 9: 5G Threat Model →