Fifth Generation Attacks: Security Challenges for Industrial Control Systems in 4G / 5G Networks

Campus 4G / LTE and 5G in industrial environments meet the growing demand for low-latency connectivity without the cost of fixed lines. However, both the transition to 5G and the adoption of campus networks are highlighting security concerns, exacerbated by the fact that telecommunications and IT / OT are separate domains. In this post, we will share the findings of a 5G campus security study of the fictional Trend Micro Steel Mill. 

Source (hereinafter): Trend Micro

About TM Steel Mill plant

We designed and attacked the fictional Trend Micro steel mill. The scenarios ranged from common TCP / IP attacks, such as MitM attacks and on-the-fly packet modification, to telecommunications-specific schemes. To do this, we built an emulation of the campus network:

Complete diagram of the steel mill campus network



Cellular router: Sierra Wireless RV50x. The Sierra Wireless router supports IPsec, VPN tunnels and SMS.

MQTT gateway: Moxa MGate 5105, publishing to a write-only MQTT endpoint.


TM Steel Mill

The core network is 4G/5G. Instead of a commercial core from a vendor such as Nokia or Ericsson, the research setup uses the open-source Open5GS, which provides both an EPC (4G) and a 5G core.

The base station is a Gemtek WLTGFC operating in LTE Band 3.

Open5GS architecture

Open5GS implements both the 4G and the 5G core. The architecture diagram shows the 5G components with their 4G counterparts. Control-plane and user-plane elements are distinguished by the -c and -u suffixes. An IP Multimedia Subsystem (IMS) provides VoLTE. 5G interfaces are labelled N (N1, N3, N4 and so on), 4G interfaces S. Depending on the interface, the transport is TCP, UDP or SCTP.

For example, "S1-MME/SCTP/36412" denotes the S1-MME interface of 4G, carried over SCTP on port 36412.

Minimum Configuration of the TM Steel Mill Campus Network Built for Research


Possible points of compromise of the campus network


Core network functions run on x86 servers, typically Linux-based, and are managed through an operations, administration and maintenance (OAM) interface.

Root access on such a server means full control of the core. Single-root I/O virtualization (SR-IOV) and the Data Plane Development Kit (DPDK) are commonly used to accelerate the user plane, so the packet path bypasses the usual kernel network stack.

Entry points for an attacker include the OAM interface, usually reached over SSH, and remote access to operator workstations over VNC.



In the 5G core, signalling between network functions runs over HTTP/2, protected by TLS if the operator configures it.

As Positive Technologies has shown, HTTP/2 in the 5G core is exposed to man-in-the-middle (MitM) attacks when that protection is missing or misconfigured.


The full findings are in the report Attacks From 4G/5G Core Networks: Risks of the Industrial IoT in Compromised Campus Networks. The attack scenarios covered include:

  • DNS hijacking;

  • MQTT hijacking;

  • Modbus/TCP hijacking;

  • remote desktop (RDP and VNC);

  • SIM-based attacks;

  • APN abuse;

  • SMS interception;

  • spoofed SMS;

  • GTP (IP-layer attacks over GTP tunnels).


When a device attaches to a 4G/5G network, the Packet Data Network Gateway (PGW) or Session Management Function (SMF) hands it the addresses of the DNS servers to use, much as a DHCP server does on a LAN. DNS hijacking replaces those addresses with the IP of a DNS server under the attacker's control, so every lookup the device makes, including lookups made for over-the-air (OTA) updates, is answered by the attacker.

There are two ways to hijack DNS in the campus network:

  1. change the DNS server addresses that the core hands out, so devices query an attacker-controlled DNS server;

  2. intercept the DNS traffic itself and forge the responses.

Either way, the device resolves the hostname to an IP address chosen by the attacker.

DNS settings changed by cybercriminals

Once the DNS settings are changed, every DNS query from the devices goes to the attacker's server, which answers with whatever address it likes.

DNS hijacking is directly relevant to OT: any device that reaches a server by hostname, for example an update server, trusts the answer it gets from DNS.

Mitigation: verify the integrity of the network configuration handed out by the core, and use SSL/TLS with certificate validation so that a redirected connection fails instead of talking to the attacker's server; hijacked DNS alone then cannot impersonate a service. DNSSEC and DNS over HTTPS (DoH) protect the resolution step itself, where the devices support them.
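Two practical checks follow from the above: verify the resolver list the core hands out, and verify what a canary name actually resolves to through the device path. The following is an added example, not code from the original post or from Trend Micro. The configuration fragment is constructed here in the style of an Open5GS smf.yaml (the `dns:` list under `smf:`), the allowlist, the canary hostname `update.tm-steel.example` and all IP addresses are assumptions, and the DNS responses are built inline so the check runs offline.

```python
import socket
import struct

# Constructed sample in the style of an Open5GS smf.yaml (not a real deployment's file).
# The second resolver is the kind of entry DNS hijacking via the core configuration adds.
SAMPLE_SMF_YAML = """\
smf:
  sbi:
    - addr: 127.0.0.4
      port: 7777
  pfcp:
    - addr: 127.0.0.4
  subnet:
    - addr: 10.45.0.1/16
  dns:
    - 8.8.8.8
    - 10.45.0.99
  mtu: 1400
"""

# Assumed allowlist of resolvers the plant's core is supposed to hand out.
APPROVED_DNS = {"8.8.8.8", "8.8.4.4"}


def dns_servers_from_smf_yaml(text: str) -> list:
    """Pull the 'dns:' list out of an smf.yaml-style file without a YAML library."""
    servers, in_dns, dns_indent = [], False, 0
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if in_dns:
            if indent > dns_indent and stripped.startswith("- "):
                servers.append(stripped[2:].strip().strip("'\""))
                continue
            in_dns = False  # the list ended with a less-indented key
        if stripped == "dns:":
            in_dns, dns_indent = True, indent
    return servers


def audit_dns_servers(servers: list, approved: set) -> list:
    """Resolvers a device would be handed that are not on the allowlist."""
    return [s for s in servers if s not in approved]


# DNS wire format: build a response (only to construct sample data) and read back
# the A records, so a canary lookup made from the device side can be checked.

def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def build_a_response(txid: int, name: str, ip: str, ttl: int = 60) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def _skip_name(pkt: bytes, off: int) -> int:
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer, always two bytes
            return off + 2
        off += 1 + n


def answered_ips(pkt: bytes) -> list:
    """A-record addresses in the answer section of a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return ips


def canary_ok(response: bytes, expected_ip: str) -> bool:
    """A canary name resolved through the device path must come back with the known address."""
    return answered_ips(response) == [expected_ip]


# Constructed canary traffic: the legitimate answer and what a hijacked resolver returns.
CANARY_NAME = "update.tm-steel.example"  # hypothetical hostname
LEGIT_RESPONSE = build_a_response(0x1234, CANARY_NAME, "203.0.113.10")
HIJACKED_RESPONSE = build_a_response(0x1234, CANARY_NAME, "10.45.0.99")

if __name__ == "__main__":
    found = dns_servers_from_smf_yaml(SAMPLE_SMF_YAML)
    print("unexpected resolvers:", audit_dns_servers(found, APPROVED_DNS))
    print("canary via legitimate resolver:", canary_ok(LEGIT_RESPONSE, "203.0.113.10"))
    print("canary via hijacked resolver:", canary_ok(HIJACKED_RESPONSE, "203.0.113.10"))
```

The configuration audit catches the first hijacking method (changed resolver addresses in the core); the canary check catches both, because it looks at what the device actually receives, and is the one to run from a test UE on the radio side rather than from the core itself.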


MQTT is the usual transport for telemetry in such plants. MQTT can run over SSL/TLS (MQTTS); with MQTTS the broker is authenticated and the traffic is encrypted, without it the credentials and the payload travel in cleartext. An attacker on the path can then read or rewrite the MQTT traffic. The points where it can be intercepted are:

  • SGi (LTE)/N6 (5G), between the core and the data network, where a MitM on TCP/1883 (MQTT) or TCP/8883 (MQTTS, if its TLS is not validated) is possible;

  • S1-U (LTE)/N3 (5G), if the user plane is not protected by IPsec/VPN;

  • S5/S8 (LTE), between the SGW and the PGW.

    As you can see from the packet dump, the username "lte" and the password "open5gs" are transmitted in cleartext if MQTT is used instead of MQTTS

Result: because plain MQTT has no integrity protection, an on-path attacker can modify the payload in flight, for example changing a reported value of 29 to 50, and neither the broker nor the subscriber can tell.
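To make the packet-dump finding and the on-the-fly modification concrete, the following added example (not code from the original post or from Trend Micro) builds and parses MQTT 3.1.1 CONNECT and PUBLISH packets at the byte level. It uses the username "lte" and password "open5gs" from the dump above; the client identifier, topic name and payload values are constructed assumptions. `parse_packet` shows what an interceptor on SGi/N6 reads out of a plain-MQTT CONNECT, and `rewrite_publish_payload` does what the MitM does to a PUBLISH: keeps the header and topic, swaps the payload and recomputes the variable-length "remaining length" field so the modified packet stays valid.

```python
import struct

# MQTT 3.1.1 control packet types (high nibble of the first byte).
CONNECT, PUBLISH = 1, 3


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, MSB = continuation."""
    out = bytearray()
    while True:
        b = n % 128
        n //= 128
        if n:
            b |= 0x80
        out.append(b)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, off: int):
    """Returns (value, offset of the first byte after the length field)."""
    value, mult = 0, 1
    while True:
        b = buf[off]
        off += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, off
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")


def _utf8(s: str) -> bytes:
    e = s.encode("utf-8")
    return struct.pack("!H", len(e)) + e


def _read_utf8(buf: bytes, off: int):
    (n,) = struct.unpack_from("!H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def build_connect(client_id: str, username=None, password=None, keepalive=60) -> bytes:
    flags = 0x02  # clean session
    payload = _utf8(client_id)
    if username is not None:
        flags |= 0x80
        payload += _utf8(username)
    if password is not None:
        flags |= 0x40
        payload += _utf8(password)  # password is binary in the spec; text is enough here
    body = _utf8("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    return bytes([CONNECT << 4]) + encode_remaining_length(len(body)) + body


def build_publish(topic: str, payload: bytes, qos=0, packet_id=1) -> bytes:
    body = _utf8(topic)
    if qos:
        body += struct.pack("!H", packet_id)
    body += payload
    return bytes([(PUBLISH << 4) | (qos << 1)]) + encode_remaining_length(len(body)) + body


def parse_packet(pkt: bytes) -> dict:
    """What a passive listener on SGi/N6 sees in a plain-MQTT CONNECT or PUBLISH."""
    ptype = pkt[0] >> 4
    rem, off = decode_remaining_length(pkt, 1)
    end = off + rem
    if ptype == CONNECT:
        proto, off = _read_utf8(pkt, off)
        level, flags = pkt[off], pkt[off + 1]
        off += 4  # protocol level, connect flags, keepalive
        info = {"type": "CONNECT", "protocol": proto, "level": level}
        info["client_id"], off = _read_utf8(pkt, off)
        if flags & 0x04:  # will flag: will topic and will message precede the credentials
            info["will_topic"], off = _read_utf8(pkt, off)
            info["will_message"], off = _read_utf8(pkt, off)
        if flags & 0x80:
            info["username"], off = _read_utf8(pkt, off)
        if flags & 0x40:
            info["password"], off = _read_utf8(pkt, off)
        return info
    if ptype == PUBLISH:
        qos = (pkt[0] >> 1) & 0x03
        info = {"type": "PUBLISH", "qos": qos, "retain": bool(pkt[0] & 1)}
        info["topic"], off = _read_utf8(pkt, off)
        if qos:
            (info["packet_id"],) = struct.unpack_from("!H", pkt, off)
            off += 2
        info["payload"] = pkt[off:end]
        return info
    return {"type": ptype}


def rewrite_publish_payload(pkt: bytes, new_payload: bytes) -> bytes:
    """On-path modification: same flags and topic, new payload, corrected remaining length."""
    info = parse_packet(pkt)
    if info["type"] != "PUBLISH":
        raise ValueError("not a PUBLISH packet")
    rem, off = decode_remaining_length(pkt, 1)
    variable_header = pkt[off:off + rem - len(info["payload"])]
    body = variable_header + new_payload
    return bytes([pkt[0]]) + encode_remaining_length(len(body)) + body


if __name__ == "__main__":
    # Constructed traffic: the gateway's CONNECT and one telemetry PUBLISH.
    connect = build_connect("moxa-mgate", "lte", "open5gs")
    print("credentials seen on the wire:", parse_packet(connect))
    publish = build_publish("steelmill/furnace1/temp", b"29")
    modified = rewrite_publish_payload(publish, b"50")
    print("subscriber receives:", parse_packet(modified))
```

Nothing in the modified packet distinguishes it from the original: MQTT carries no checksum or signature of its own, which is why the countermeasure is MQTTS with the broker certificate validated by the client, not filtering at the core.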


Recommendations for TM Steel Mill:

Use encrypted application protocols wherever the equipment supports them (HTTPS, MQTTS, LDAPS) and industrial protocols with authentication such as S7Comm-Plus. Segment the network with VLANs and protect the core interfaces with IPsec.

Restrict access to the OAM interface to the operators who need it, and monitor it.
