In order to pull off any attack on telecom networks, attackers need to know the victim's international mobile subscriber identity (IMSI), a unique number that's stored in the subscriber's SIM card. The researchers showed that attackers can easily obtain this number once they're on the IPX network by masquerading as a Short Message Service Center (SMSC) that's trying to deliver a text message to a phone number.
The attackers only need to know the victim's phone number in international format -- this is known as the Mobile Station International Subscriber Directory Number (MSISDN) -- and the DEA of the victim's operator. They can then send a routing information request through the DEA to the operator's HSS, which will respond with the subscriber's IMSI as well as the identity of the MME the subscriber is connected to. This provides the information needed to launch future attacks.
One such attack involves the attackers masquerading as a partner's HSS and sending a Cancel Location Request (CLR) message to the victim's MME. This will cause the MME to disconnect the subscriber.
CLR messages are used on a regular basis inside the network when subscribers switch from one MME to another because of a change in location. However, the interesting aspect of this attack, aside from forcing an MME to detach a subscriber from the network, is that when the subscriber re-attaches, their device will send 20 different messages to the MME.
This amplification effect might pose risks to the MME if, for example, attackers force the detachment of hundreds of subscribers at the same time, although the researchers didn't test how many messages it would take to overload an MME. An unresponsive MME would have a wide impact, because there are only a few of them in a network and each serves a large area.
A second DoS technique devised by the researchers involves impersonating an HSS and sending an Insert Subscriber Data Request (IDR) to the victim's MME with a special value that means no service. This will permanently detach the user from the network because their subscription will be changed in the MME's records. Recovering from this can take a long time because the subscriber needs to call their mobile operator and sort out the situation.
The researchers also showed two other DoS techniques involving other types of Diameter messages, but they're only temporary as the user can recover by restarting their mobile device.
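As an added illustration from the defending operator's side (this is not code from the talk or the researchers), the check below runs over constructed Diameter Edge Agent event records and flags CLR and IDR messages that arrive over the interconnect while either claiming a home-HSS origin or targeting a home subscriber, and separately counts CLR bursts per origin host as a proxy for the mass-detach amplification risk. Hostnames, the home PLMN code, the record field names and the thresholds are all assumptions.

```python
from collections import defaultdict

HOME_PLMN = "00101"                                    # assumed home MCC+MNC
HOME_HSS = {"hss1.home.example", "hss2.home.example"}  # assumed HSS inventory
CLR_BURST_THRESHOLD = 5                                # assumed tuning value
WINDOW_SECONDS = 60

def inspect_event(e):
    """Return a reason string if one DEA-observed event is suspicious, else None."""
    if e["cmd"] not in ("CLR", "IDR") or e["via"] != "ipx":
        return None                      # only location-management commands from the interconnect
    if e["origin_host"] in HOME_HSS:
        return "home-hss-origin-over-interconnect"    # our own HSS never reaches an MME via IPX
    if e["imsi"].startswith(HOME_PLMN):
        return "foreign-hss-targets-home-subscriber"  # home subscribers are managed by our HSS only
    return None                          # e.g. a partner HSS managing its own inbound roamer

def inspect(events):
    alerts = []
    for e in events:
        reason = inspect_event(e)
        if reason:
            alerts.append((e["t"], e["cmd"], e["imsi"], reason))
    return alerts

def clr_bursts(events):
    """Flag an Origin-Host that sends CLR_BURST_THRESHOLD CLRs over IPX within WINDOW_SECONDS."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["t"]):
        if e["cmd"] != "CLR" or e["via"] != "ipx":
            continue
        q = recent[e["origin_host"]]
        q.append(e["t"])
        while q[0] < e["t"] - WINDOW_SECONDS:   # slide the window
            q.pop(0)
        if len(q) == CLR_BURST_THRESHOLD:       # fire once when the threshold is crossed
            alerts.append((e["origin_host"], e["t"]))
    return alerts

# Constructed sample events (t = seconds, via = interface the message entered on)
def ev(t, cmd, origin, via, imsi):
    return {"t": t, "cmd": cmd, "origin_host": origin, "via": via, "imsi": imsi}

EVENTS = [
    ev(0, "ULR", "mme1.visited.example", "ipx", "262010000000001"),            # benign roaming update
    ev(5, "CLR", "hss1.home.example", "internal", HOME_PLMN + "0000000002"),   # benign, internal CLR
    ev(10, "CLR", "hss1.home.example", "ipx", HOME_PLMN + "0000000003"),       # spoofed home HSS
    ev(11, "IDR", "hss.partner.example", "ipx", HOME_PLMN + "0000000004"),     # IDR against home sub
    ev(12, "CLR", "hss.partner.example", "ipx", "262010000000005"),            # partner's own roamer
] + [ev(30 + i, "CLR", "hss.evil.example", "ipx", HOME_PLMN + "00000001%02d" % i) for i in range(6)]
```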
People seem to think that all will be better with LTE and Diameter, but in reality it will be different, not better, if mobile operators don't take additional security measures, said Silke Holtmanns, a security specialist with Nokia Bell Labs, during her talk at Black Hat Europe.