TS-270

LTE Security and Insecurity

Security Training
Course Reference: TS-270

P1 Security. All rights reserved.

Contact:
Philippe Langlois
phil@p1sec.com
+33 98045 0447

TS-270 LTE Security and Insecurity

LTE and 4G security and vulnerabilities

Description of Training Class

Learn about modern telecom and mobile system and networks for LTE 4G
mobile network service. Understand the security mechanism of LTE and the
Evolved Packet Core network security and vulnerabilities. Learn in detail the
various problems that may happen in LTE networks and define a plan of study to
become a LTE Network auditor.

Duration

Unique version: 2 days

Attendees will receive

Evaluation access to P1 Securitys vulnerability scanner for Telecom

infrastructure (PTA - P1 Telecom Auditor)
Developer account for Immunapp mobile security platform for LTE.
Training material: Slides copy of the presenter.

Pre-requisites of training class

Basic knowledge of telecom & network principles;

o What is 2G, 3G, 4G;
o OSI network layers;
o Basic knowledge of telecom technologies
Laptop with Linux installed either in a VM or native, Backtrack or Ubuntu
with reverse engineering and hacking tools recommended.
Good knowledge and usage of Wireshark.
Basic skills and usage of Linux for reverse engineering (strings,
knowledge of tools in a Backtrack for reverse engineering).
Legal IDA Pro license optional, but recommended.

Covered in this training

LTE Introduction
LTE Security Architecture
LTE Network Elements overview and security roles, functions
LTE Communication security, Cryptography and Key management
Study of LTE protocols
o S1AP
o X2AP
o Diameter

P1 Security. All rights reserved.

o GTP-C
o GTP-U
o GTP v2
o GTP
o NAS
Typical attacks on LTE infrastructure
Role of legacy in LTE security (CS Fallback, CSFB vs. VOLTE)
Vulnerabilities in VOLTE
Analysis of Network Element and vulnerabilities
o Generic LTE Network Element vulnerabilities
o Huawei LTE SAE EPC HSS: structure, vulnerabilities, services
o Huawei LTE SAE RAN MME: role, attacks
o Ericsson LTE SAE RAN eNodeB: vulnerabilities, integration,
provisioning, hardware attacks
o Huawei LTE SAE EPC UGW (SeGW, S-GW, PDN GW): role, structure
Diameter security
Scenario of attack of LTE network
o Radio-based, subscriber role
o Infrastructure-based, Transmission or RAN vector
o Internal-based, attack
o Next steps to become a LTE network auditor

P1 Security. All rights reserved.

About P1 Security Inc.

P1 Security is a vendor independent, technology pioneer and leader in Telecom

Security Audit products with patent pending technology and top research and
development recognized by the GSM Association.

Experts from P1 Security give conferences and training on SIGTRAN and SS7
security worldwide.

Visit our website at www.p1sec.com or contact us for further information.

Contact
Email: sales@p1sec.com
Web: http://www.p1security.com
Address: P1 Security, 231 rue Saint Honor, 75001 Paris, France

P1 Security. All rights reserved.