Oct 11, 2022
Attendees:
- Yogesh Pandey (Wavelabs)
- Ganesh Gedela (Wavelabs)
- Lucas Gonze (OSPOCO)
Agenda
- Threat modeling the IMSI path. Given that this data path is open to the world, what kind of mischief can be done?
- Leveling Up Magma security. Breaking ground on a new organizational capability. Beginning to perform audits without an external contractor like NCC Group.
Follow-ups:
- Meet again in two weeks
- Yogesh and Ganesh
  - Point Lucas to implementation of integrity algorithm and authentication code
  - Compare our MCC / MNC code to other projects
- Lucas
  - Study authentication architecture
  - Review Zoom recording for more specific definition of followups
  - Contact Aswin and Shruti about original product goals of APN override feature
  - Consult with Raphael and Tim on known vulnerabilities identified in other copies of this family of code. Is there any centralized security project?
Risks
APN override risk
Risks:
Learnings:
- If the UE doesn't set an APN, there is code to select a default one.
- The potential issues would affect both 4G and 5G.
- IMSI spoofing is prevented by:
  - integrity algorithm includes a UDP message count to prevent timing attacks.
  - authentication mechanisms. These include the MME and Subscriber DB. The DB is consulted in two different places.
- Attacks may be possible, but more likely they are infeasible until the authentication mechanism is compromised.
- The character set would be verified as part of the initial handshake. (Threat: a character set other than UTF-8, such as UTF-16, could cause a non-null-terminated string to be accepted as an IMSI.)
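A length-bounded IMSI check of the kind the character-set point above calls for, added here as an example and not Magma's own code: the buffer is treated as raw bytes with an explicit length, never as a C string, so an unterminated or UTF-16-encoded input is rejected before it can be stored. The 14/15-digit bounds, the 2-or-3-digit MNC policy and the test PLMN 001/01 sample are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumption: an IMSI carries 14 or 15 ASCII digits (3 MCC + 2 or 3 MNC + MSIN). */
#define IMSI_MIN_DIGITS 14
#define IMSI_MAX_DIGITS 15

typedef struct {
    char digits[IMSI_MAX_DIGITS + 1]; /* NUL-terminated by us, never by the sender */
    size_t len;
} imsi_t;

/* Validate 'buflen' raw bytes received off the wire as an IMSI.
 * No strlen() on attacker-controlled data: the caller supplies the length,
 * and every byte must be an ASCII digit, so embedded NULs (as UTF-16 would
 * carry) and non-digit bytes are rejected rather than copied. */
bool imsi_parse(const unsigned char *buf, size_t buflen, imsi_t *out)
{
    if (buf == NULL || out == NULL) return false;
    if (buflen < IMSI_MIN_DIGITS || buflen > IMSI_MAX_DIGITS) return false;
    for (size_t i = 0; i < buflen; i++) {
        if (buf[i] < '0' || buf[i] > '9') return false; /* also rejects 0x00 */
    }
    memcpy(out->digits, buf, buflen);
    out->digits[buflen] = '\0';
    out->len = buflen;
    return true;
}

/* Split a validated IMSI into MCC (3 digits) and MNC (mnc_len digits).
 * MNC length is network policy, so it is passed in rather than guessed. */
bool imsi_split(const imsi_t *imsi, size_t mnc_len, char mcc[4], char mnc[4])
{
    if (imsi == NULL || (mnc_len != 2 && mnc_len != 3)) return false;
    if (imsi->len < 3 + mnc_len) return false;
    memcpy(mcc, imsi->digits, 3);
    mcc[3] = '\0';
    memcpy(mnc, imsi->digits + 3, mnc_len);
    mnc[mnc_len] = '\0';
    return true;
}
```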
Known vulnerabilities in legacy Eurecom code
https://github.com/magma/security/issues/136
Risks:
- Given that we are using forked versions of fairly old code, there may have been vulnerabilities found in other forks that haven't been patched in ours.
Learnings:
- Yogesh and Ganesh aren’t aware of any previously identified vulnerabilities in this legacy C code.
- Both Raphael and Tim have a history with this code base.
Other radio-based attack angles
Can we walk the entire path?
Learnings: start with authentication and message integrity checks.