Over-the-air platform security review

February 14th, 2014, Published in Articles: EngineerIT

 

The universal integrated circuit card (UICC) is the smart card used in mobile terminals. The card authenticates the subscriber to the network while ensuring the integrity and security of their personal data. In addition, it also stores applications for both operator and end-user use for the correct deployment of mobile services.

Fig. 1: OTA LTE platform high-level architecture.

The integration of the UICC into IP networks, and the ability for carriers to use the UICC for plug-and-play personalisation of the handset and so offer a more tailored service to their subscribers, exposes not only the end-user UICC card but also the carrier’s over-the-air (OTA) long term evolution (LTE) platform to attacks. For this reason, Gemalto designed specific security schemes to protect not only the OTA LTE platform but also the end-user UICC.

Mandiant performed an in-depth security review of the OTA LTE platform from the perspectives of not only external attacks but also a malicious user that has compromised UICC cards and is able to successfully authenticate to the OTA LTE platform.

Platform overview

Gemalto’s OTA LTE platform introduces an important innovation in OTA management by using HTTPs protocol and by reversing the classical OTA server push model to a pull model, in which the UICC initiates the dialogue.

This approach relies on field-proven protocols and architecture to achieve performance, reliability, scalability and availability. Moreover, it makes integration and deployment in carrier networks easier. The high-level architecture of the OTA LTE platform is shown in Fig. 1.

Fig. 2: Trust boundaries.

The card management system is in charge of preparing and storing commands for each request submitted by external systems or customer care agents. When a card contacts the OTA platform, the pending commands are sent to the card on which they are executed.

The image of each card is updated after the OTA update and stored in the card management system.

Gemalto implemented two interfaces to protect the card management system from external attacks: an MMOG HTTPS interface, implemented over PSK-TLS with shared secret keys known to both entities, which provides mutual authentication, integrity and confidentiality; and an OTA IP Gateway, implemented using SOAP over HTTP, which exposes specific services.
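The pull model and the trust boundary around the card management system are easier to reason about with a concrete model of the dialogue. The following is an added example written for this article; it is not Gemalto's or Mandiant's code. The PSK-TLS handshake is replaced by an HMAC challenge-response over a per-card key, which stands in for "both entities know the key"; the ICCIDs, key bytes and command strings are constructed placeholders. The point it demonstrates is the one the review set out to test: a party holding one card's key can only retrieve that card's queue, and a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: per-card keys as provisioned at personalisation.
# Placeholder ICCIDs and key bytes for this example only; real card keys are
# never held in a plain dict like this.
CARD_KEYS = {
    "8927000000000000001": bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
    "8927000000000000002": bytes.fromhex("101112131415161718191a1b1c1d1e1f"),
}


class CardManagementSystem:
    """Holds per-card command queues and card images, and releases a queue only
    to the card that proves possession of that card's key (pull model)."""

    def __init__(self, card_keys):
        self._keys = dict(card_keys)
        self._pending = defaultdict(list)   # ICCID -> commands waiting for pickup
        self._challenges = {}               # ICCID -> outstanding one-time nonce
        self.images = defaultdict(dict)     # ICCID -> last reported card state

    def enqueue(self, iccid, command):
        """Store a command submitted by an external system or customer-care agent."""
        if iccid not in self._keys:
            raise KeyError("unknown card")
        self._pending[iccid].append(command)

    def challenge(self, iccid):
        """First half of the card-initiated dialogue: a fresh nonce the card must answer."""
        if iccid not in self._keys:
            raise PermissionError("unknown card")
        nonce = secrets.token_bytes(16)
        self._challenges[iccid] = nonce
        return nonce

    def pull(self, iccid, response):
        """Check the card's answer to its outstanding nonce, then hand over only
        that card's pending commands. The nonce is consumed whether or not the
        check passes, so a captured response is useless a second time."""
        nonce = self._challenges.pop(iccid, None)
        key = self._keys.get(iccid)
        if nonce is None or key is None:
            raise PermissionError("no outstanding challenge for this card")
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            raise PermissionError("authentication failed")
        commands, self._pending[iccid] = self._pending[iccid], []
        return commands

    def report(self, iccid, results):
        """Card reports the outcome of executed commands; the stored image is updated."""
        if iccid not in self._keys:
            raise KeyError("unknown card")
        self.images[iccid].update(results)


def card_answer(key, nonce):
    """What the UICC side computes with its own key (stand-in for the PSK-TLS proof)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Legitimate pull by card 1, then an attempt on card 1's queue with card 2's key."""
    cms = CardManagementSystem(CARD_KEYS)
    card1, card2 = "8927000000000000001", "8927000000000000002"
    cms.enqueue(card1, "UPDATE_RECORD EF_SMSP")   # constructed command label

    got = cms.pull(card1, card_answer(CARD_KEYS[card1], cms.challenge(card1)))
    cms.report(card1, {"EF_SMSP": "updated"})

    try:
        cms.pull(card1, card_answer(CARD_KEYS[card2], cms.challenge(card1)))
        cross = "allowed"
    except PermissionError:
        cross = "refused"
    return got, cross, dict(cms.images[card1])


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the queue is keyed by the identity the key proves, not by an identity the client claims in the request: a compromised card gives its holder exactly the commands destined for that card and nothing else, which is the property the "malicious user with a compromised UICC" scenario is meant to verify.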

Mandiant testing methodology

Fig. 3: Identifying two attack vectors from an external perspective.

Mandiant used the following methodology to test the OTA IP gateway:

  • OTA attack model
  • Application assessment

OTA attack model

Mandiant followed the steps below in order to build an attack model for the OTA IP Gateway interface:

  • Documentation review: Mandiant reviewed the relevant product documentation in order to identify some of the use cases and possible abuse cases.
  • Data flow analysis: Mandiant performed a high-level data flow analysis for some of the major use cases for the product. This helped to identify some of the critical components of the product.
  • Attack identification and classification: Based on prior experience and an understanding of the product, Mandiant identified attacks that an attacker could use against the product.

Attack surface

Mandiant identified two attack vectors from an external perspective (Fig. 3):

  • An attacker with knowledge of the external IP address of the OTA LTE platform attempts to compromise the PSK-TLS protocol implementation of the MMOG HTTPS interface.
  • An attacker who has access to a valid SIM card authenticates to the OTA IP gateway and attempts to compromise the HTTP-based OTA IP gateway interface.

In order to test the two interfaces, Mandiant did the following:

  • Generated and issued fuzzed traffic against the MMOG HTTPS and OTA IP gateway interfaces.
  • Performed a configuration review of the MMOG HTTPS interface to ensure weak ciphers were not supported.
  • Reviewed the key management algorithm used by the MMOG HTTPS interface to negotiate security with the UICC.
  • Reviewed the OTA IP Gateway interface from within the Gemalto Trusted Area in order to simulate an attack where the attacker had successfully authenticated to the MMOG HTTPS interface using valid keys.
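The configuration review step (checking that the MMOG HTTPS interface does not offer weak ciphers) is the kind of check that is easy to script and repeat after every change. The following is an added example, not Mandiant's tooling and not Gemalto's configuration: it applies a simple policy to an OpenSSL-style cipher list and shows a constructed weak list beside a constructed hardened one. Suite names follow OpenSSL's naming; the two sample configurations and the policy table are assumptions made for the example.

```python
# Constructed sample cipher lists in OpenSSL syntax: one as a reviewer might
# find it on a legacy deployment, one as it should look for a PSK-TLS interface.
WEAK_CONFIG = ("PSK-RC4-SHA:PSK-3DES-EDE-CBC-SHA:PSK-AES128-CBC-SHA:"
               "PSK-NULL-SHA:EXP-RC4-MD5:AES128-SHA")
HARDENED_CONFIG = ("PSK-AES256-GCM-SHA384:PSK-AES128-GCM-SHA256:"
                   "PSK-AES256-CBC-SHA384:PSK-AES128-CBC-SHA256")

# Review policy (an assumption for this example): a suite is rejected if any
# token of its name appears in this map.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "EXP": "export-grade key length",
    "RC4": "broken stream cipher",
    "DES": "single DES",
    "3DES": "3DES (64-bit block, Sweet32)",
    "MD5": "MD5-based MAC",
    "ADH": "anonymous DH, no peer authentication",
    "AECDH": "anonymous ECDH, no peer authentication",
}


def review_cipher_list(config, require_psk=True):
    """Split an OpenSSL-style cipher list and classify each suite.

    Returns (accepted, rejected): accepted keeps the passing suites in their
    original order; rejected maps each failing suite to its reasons. With
    require_psk=True, any suite that is not PSK-keyed (PSK-, DHE-PSK-,
    ECDHE-PSK-) is rejected, because on this interface the mutual
    authentication comes from the shared key and a non-PSK suite would lose it.
    """
    accepted, rejected = [], {}
    for suite in config.split(":"):
        suite = suite.strip()
        if not suite:
            continue
        tokens = suite.split("-")
        reasons = [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
        if require_psk and "PSK" not in tokens:
            reasons.append("not a PSK suite: no mutual authentication via the shared key")
        if reasons:
            rejected[suite] = reasons
        else:
            accepted.append(suite)
    return accepted, rejected


def hardened_from(config):
    """Return the subset of a cipher list that survives the policy, as a string
    ready to be put back into the server configuration."""
    accepted, _ = review_cipher_list(config)
    return ":".join(accepted)


if __name__ == "__main__":
    accepted, rejected = review_cipher_list(WEAK_CONFIG)
    for suite, reasons in rejected.items():
        print(f"REJECT {suite}: {'; '.join(reasons)}")
    print("ACCEPT", accepted)
    print("hardened list:", hardened_from(WEAK_CONFIG))
```

A static list only tells you what the configuration asks for; to see what the linked OpenSSL actually enables, feed the same string to `ssl.SSLContext.set_ciphers()` and inspect `get_ciphers()`, then run the policy over the names that come back.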

With the increase in the usage of all-IP mobile networks for communications between UICC cards and OTA LTE platform, the security of the OTA LTE platform interface related to IP connectivity becomes critical to ensuring the confidentiality and integrity of requests to and from UICC cards.

Gemalto’s implementation of the OTA LTE platform and the related interfaces, MMOG HTTPS and OTA IP gateway, ensures that these security requirements are met. Mandiant did not find any critical vulnerability on either the MMOG HTTPS or the OTA IP Gateway interface.

Mandiant’s review of the OTA LTE platform was completed in February 2010. As with every product, feature additions or modifications as well as the discovery of new vulnerabilities introduce new risks that may require additional mitigating controls not currently implemented. At this time, however, based on its in-depth analysis, Mandiant is confident that the controls in place ensure that the MMOG and OTA IP Connectivity interfaces are properly secured from malicious external entities.

Contact Jeremy Osborne, Gemalto Southern Africa, Tel 011 088-8500, jeremy.osborne@gemalto.com