IMSI Threat Review
Oct 11, 2022
Attendees:
Yogesh Pandey (Wavelabs)
Ganesh Gedela (Wavelabs)
Lucas Gonze (OSPOCO)
Agenda
Threat modeling the IMSI path. Given that this data path is open to the world, what kind of mischief can be done?
Leveling Up Magma security. Breaking ground on a new organizational capability. Beginning to perform audits without an external contractor like NCC Group.
Follow-ups:
Meet again in two weeks
Yogesh and Ganesh
Point Lucas to implementation of integrity algorithm and authentication code
Compare our MCC / MNC code to other projects
Lucas
Study authentication architecture
Review Zoom recording for a more specific definition of the follow-ups
Contact Aswin and Shruti about original product goals of APN override feature
Consult with Raphael and Tim on known vulnerabilities identified in other copies of this family of code. Is there any centralized security project?
Risks
APN override risk
Risks:
Learnings:
If the UE doesn't set an APN, there is code to select a default one.
The potential issues would affect both 4G and 5G.
IMSI spoofing is prevented by:
the integrity algorithm, which includes a message count (sequence number) so that a captured message cannot be replayed.
the authentication mechanisms, which involve both the MME and the Subscriber DB. The DB is consulted at two different points.
Attacks on this path may be possible in principle, but they are most likely infeasible until the authentication mechanism itself is compromised.
The character set would be verified as part of the initial handshake. (Threat: input in a character set other than UTF-8, such as UTF-16, could cause a non-NUL-terminated string to be accepted as an IMSI.)
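The character-set and termination threat noted above, as an added example written for these notes (it is not Magma's code, nor the Eurecom-derived parser the notes refer to): an IMSI validator that works on the byte length actually received and accepts only ASCII digits, placed beside the C-string-style check that the threat describes. The 2-digit MNC, the minimum-length floor, the sample inputs and the function names are assumptions of the example; 3GPP TS 23.003 only caps an IMSI at 15 digits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMSI_MAX_DIGITS 15 /* 3GPP TS 23.003: an IMSI is at most 15 decimal digits */
#define IMSI_MIN_DIGITS 6  /* policy floor assumed for this example: MCC(3) + MNC(2) + 1 MSIN digit */

typedef enum { IMSI_OK = 0, IMSI_ERR_LEN, IMSI_ERR_CHARSET, IMSI_ERR_MNC } imsi_status_t;

typedef struct {
    char digits[IMSI_MAX_DIGITS + 1]; /* ASCII digits, always NUL-terminated by imsi_parse */
    size_t len;
    char mcc[4];                       /* 3 digits */
    char mnc[4];                       /* 2 or 3 digits, per operator configuration */
    size_t mnc_len;
} imsi_t;

/* Hardened parse: the caller passes the byte length it actually received, so the function
 * never relies on a terminator being present in the input. Every byte must be an ASCII digit,
 * which rejects UTF-16 (its 0x00 bytes and BOM), multibyte UTF-8, whitespace and embedded NULs. */
imsi_status_t imsi_parse(const uint8_t *in, size_t in_len, size_t mnc_len, imsi_t *out)
{
    memset(out, 0, sizeof *out);
    if (mnc_len != 2 && mnc_len != 3)
        return IMSI_ERR_MNC;
    if (in_len < IMSI_MIN_DIGITS || in_len > IMSI_MAX_DIGITS)
        return IMSI_ERR_LEN;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] < '0' || in[i] > '9')
            return IMSI_ERR_CHARSET;
        out->digits[i] = (char)in[i];
    }
    out->digits[in_len] = '\0';
    out->len = in_len;
    memcpy(out->mcc, out->digits, 3);
    memcpy(out->mnc, out->digits + 3, mnc_len);
    out->mnc_len = mnc_len;
    return IMSI_OK;
}

/* The pattern the threat describes: the buffer is treated as a C string. strlen() stops at the
 * first 0x00 byte, so a UTF-16LE IMSI is silently truncated to its first byte and accepted; if
 * no 0x00 byte lies within the buffer at all, strlen() reads past it. Nothing checks that the
 * bytes are digits. Kept here only to contrast with imsi_parse. */
bool naive_accept_imsi(const char *in, char out[IMSI_MAX_DIGITS + 1])
{
    size_t n = strlen(in);
    if (n == 0 || n > IMSI_MAX_DIGITS)
        return false;
    memcpy(out, in, n + 1);
    return true;
}

/* Constructed sample inputs for the demonstration (not captured traffic). */
static const uint8_t SAMPLE_ASCII[]     = "001010123456789";                    /* test PLMN 001/01 */
static const uint8_t SAMPLE_UTF16LE[]   = {'0', 0, '0', 0, '1', 0, '0', 0, '1', 0}; /* "00101" in UTF-16LE */
static const uint8_t SAMPLE_TOO_LONG[]  = "0010101234567890";                   /* 16 digits */
static const uint8_t SAMPLE_NON_DIGIT[] = "00101012345678a";

int main(void)
{
    imsi_t imsi;
    char naive[IMSI_MAX_DIGITS + 1];
    imsi_status_t st;

    st = imsi_parse(SAMPLE_ASCII, sizeof SAMPLE_ASCII - 1, 2, &imsi);
    printf("ascii     -> %d (mcc=%s mnc=%s)\n", st, imsi.mcc, imsi.mnc);
    st = imsi_parse(SAMPLE_UTF16LE, sizeof SAMPLE_UTF16LE, 2, &imsi);
    printf("utf16le   -> %d (hardened)\n", st);
    printf("utf16le   -> %s as \"%s\" (naive)\n",
           naive_accept_imsi((const char *)SAMPLE_UTF16LE, naive) ? "accepted" : "rejected", naive);
    st = imsi_parse(SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG - 1, 2, &imsi);
    printf("too long  -> %d\n", st);
    st = imsi_parse(SAMPLE_NON_DIGIT, sizeof SAMPLE_NON_DIGIT - 1, 2, &imsi);
    printf("non-digit -> %d\n", st);
    return 0;
}
```

The point of the contrast is the UTF-16LE input: the naive check accepts it as a one-digit IMSI "0", while imsi_parse rejects it at the first 0x00 byte. A real MME would take mnc_len from the configured PLMN rather than a hard-coded 2.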
Known vulnerabilities in legacy Eurecom code
https://github.com/magma/security/issues/136
Risks:
Given that we are using forked versions of fairly old code, there may have been vulnerabilities found in other forks that haven't been patched in ours.
Learnings:
Yogesh and Ganesh aren’t aware of any previously identified vulnerabilities in this legacy C code.
Both Raphael and Tim have a history with this code base.
Other radio-based attack angles
Can we walk the entire path?
Learnings: start with authentication and message integrity checks.