Fractured Backbones Incidents Detection and Forensics in Telco Networks

Transcription

1 Dmitry Kurbatov Sergey Puzankov Vladimir Kropotov Fractured Backbones Incidents Detection and Forensics in Telco Networks ptsecurity.com

2 About us Joint research of Incident Response and Telco Security Teams

3 Introduction

4 Technologies behind telco networks Чем мы пользуемся сегодня и на основе каких технологий это работает

5 Types of Incidents Subscriber location tracking Call interception (wiretapping) SMS interception and spoofing DoS, including balance DoS Other Fraudulent activities Phone number GPS location

6 Incidents statistics. Major threats Service Disruption Data Leakage Fraud Percentage of vulnerable networks

7 Incidents statistics. Data leakage Subscriber s Balance Disclosure Subscriber s Data Leakage Terminating SMS Interception Subscriber Location Discovery Voice Call Interception Percentage of vulnerable networks

8 Incidents statistics. Fraud Terminating Call Redirection Money Transfer via USSD Subscriber Profile Change Originating Call Redirection Percentage of vulnerable networks

9 Incident victims Mobile operator subscribers Mobile operator Other Mobile operators and their subscribers Third parties (often Banks and Their clients)

10 Prerequisites of attacks Internal intruder or Staff initiated attacks Level0 (almost) Kiddies - attacks that not require deep technical knowledge SMS fraud as preliminary stage of malware based attacks Fraud with social engineering (direct target is victim) Proxified fraud with social engineering Level1(Locally initiated) - attacks that require technical knowledge about Radio Access Network protocols IMSI Catcher Bluetooth Calls and SMS from the subscriber located nearby Level2 (Global impact) - attacks that require technical knowledge about telco infrastructure and protocols

11 Lightweight scenarios (Level0)

12 Kiddies fraud examples Typosquatting works well even here You received RUB, please follow the link for confirmation Purchase. Card *1234. Ammount 600 RUB. Drugstore 2000 Available balance RUB Not legit Legit

13 Central bank not only in s... Mature player and kiddies used the same brand name /Cental Bank of Russian Federation/ Your banking cards accounts was suspended! Info: /56e97c089a794797e5b8e6b3

14 Social engineering telco staff Temporary redirect calls and SMS to another number Own victim , social networks accounts, messengers and in some cases Money (Banking OTP TBD) Fast WIN

15 Cases (Level1)

16 SMS interception

17 Voice call interception Originating call Terminating call

18 Voice call interception. MitM

19 Level2 Cases (global impact)

20 Telco infrastructure, technical view

21 Telco infrastructure, technical view

22 Telco infrastructure, technical view

23 Telco infrastructure, technical view

24 IMSI Disclosure

25 Money fraud cases Infect smartphone with malware. Use fake base station (IMSI catcher) and to make software clone of SIM card. Conduct an attack via SS7 network forging USSD request.

26 USSD manipulation Request the balance *100#. Balance is Roubles

27 USSD manipulation *145*xxxxxx81142*10# - Transfer 10 Roubles to the number xxxxxx81142

28 USSD manipulation Cool security mechanism. Just send *145*851# to confirm the transaction

29 USSD manipulation New balance is Roubles. (10 Roubles ~ 0.15 )

30 Calls or SMS on behalf particular person located anywhere SMS spoofing

31 More sophisticated attacks

32 Example

33

34 Voice call redirection with a fraudulent activity Fraud case 1

35 Voice call redirection with a fraudulent activity HLR Billing GMSC Number Zimbabwe IMSI

36 Voice call redirection with a fraudulent activity RegisterSS (IMSI, CFU, ) HLR Billing GMSC RegisterSS Zimbabwe Number IMSI

37 Voice call redirection with a fraudulent activity RegisterSS (IMSI, CFU, ) HLR Billing GMSC RegisterSS IAM (A-Number, B-Number) Zimbabwe Number IMSI

38 Voice call redirection with a fraudulent activity RegisterSS (IMSI, CFU, ) HLR Billing GMSC RegisterSS SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) Zimbabwe Number IMSI

39 Voice call redirection with a fraudulent activity RegisterSS (IMSI, CFU, ) HLR Billing GMSC RegisterSS SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) Zimbabwe Number IMSI

40 Voice call redirection with a fraudulent activity RegisterSS (IMSI, CFU, ) HLR Billing GMSC RegisterSS SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) SendRoutingInfo (CFU, ) Zimbabwe Number IMSI

41 Voice call redirection with a fraudulent activity RegisterSS (IMSI, CFU, ) HLR Billing GMSC RegisterSS SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) SendRoutingInfo (CFU, ) InitialDP (B-Number, ) ApplyCharging, Continue Zimbabwe Number IMSI

42 Voice call redirection with a fraudulent activity RegisterSS (IMSI, CFU, ) HLR Billing GMSC RegisterSS SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) SendRoutingInfo (CFU, ) InitialDP (B-Number, ) ApplyCharging, Continue Cuba IAM (A-Number, ) Zimbabwe Number IMSI

43 Who pays? RegisterSS (IMSI, CFU, ) HLR Billing GMSC RegisterSS SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) SendRoutingInfo (CFU, ) InitialDP (B-Number, ) ApplyCharging, Continue Cuba IAM (A-Number, ) Zimbabwe Number IMSI

44 Who pays? RegisterSS (IMSI, CFU, ) HLR Billing GMSC RegisterSS SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) SendRoutingInfo (CFU, ) InitialDP (B-Number, ) ApplyCharging, Continue Cuba IAM (A-Number, ) Zimbabwe Number IMSI

45 Who pays? RegisterSS (IMSI, CFU, ) HLR Billing GMSC RegisterSS SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) SendRoutingInfo (CFU, ) InitialDP (B-Number, ) ApplyCharging, Continue Cuba IAM (A-Number, ) Zimbabwe Number IMSI

46 Voice call redirection with a fraudulent activity Fraud case 2

47 Voice call redirection with a fraudulent activity HLR Billing GMSC Number Zimbabwe IMSI

48 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) Zimbabwe Number IMSI

49 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) IAM (A-Number, B-Number) Zimbabwe Number IMSI

50 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) Zimbabwe Number IMSI

51 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) Zimbabwe Number IMSI

52 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) Zimbabwe Number IMSI

53 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) IAM (A-Number, B-Number) Zimbabwe Number IMSI

54 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) Zimbabwe Number IMSI

55 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) InitialDP (A-Num, B-Num, Location) ApplyCharging, Continue Zimbabwe Number IMSI

56 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) InitialDP (A-Num, B-Num, Location) ApplyCharging, Continue SendRoutingInfo (MSISDN) Zimbabwe Number IMSI

57 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) InitialDP (A-Num, B-Num, Location) ApplyCharging, Continue SendRoutingInfo (MSISDN) Zimbabwe Number IMSI

58 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) ProvideRoaminNumber (IMSI) InitialDP (A-Num, B-Num, Location) ApplyCharging, Continue SendRoutingInfo (MSISDN) Zimbabwe Number IMSI

59 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) ProvideRoaminNumber (IMSI) ProvideRoamingNumber (MSRN = ) InitialDP (A-Num, B-Num, Location) ApplyCharging, Continue SendRoutingInfo (MSISDN) Zimbabwe Number IMSI

60 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) ProvideRoaminNumber (IMSI) ProvideRoamingNumber (MSRN = ) InitialDP (A-Num, B-Num, Location) ApplyCharging, Continue SendRoutingInfo (MSISDN) SendRoutingInfo (MSRN = ) Zimbabwe Number IMSI

61 Voice call redirection with a fraudulent activity UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) ProvideRoaminNumber (IMSI) InitialDP (A-Num, B-Num, Location) ApplyCharging, Continue SendRoutingInfo (MSISDN) ProvideRoamingNumber (MSRN = ) SendRoutingInfo (MSRN = ) Cuba IAM (A-Number, ) Number Zimbabwe IMSI

62 Who pays? UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) ProvideRoaminNumber (IMSI) InitialDP (A-Num, B-Num, Location) ApplyCharging, Continue SendRoutingInfo (MSISDN) ProvideRoamingNumber (MSRN = ) SendRoutingInfo (MSRN = ) Cuba IAM (A-Number, ) Number Zimbabwe IMSI

63 Who pays? UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) ProvideRoaminNumber (IMSI) InitialDP (A-Num, B-Num, Location) ApplyCharging, Continue SendRoutingInfo (MSISDN) ProvideRoamingNumber (MSRN = ) SendRoutingInfo (MSRN = ) Cuba IAM (A-Number, ) Number Zimbabwe IMSI

64 Who pays? UpdateLocation (IMSI, Fake MSC/VLR) HLR Billing GMSC InsertSubscriberData (Profile) ProvideSubscriberInfo (IMSI) ProvideSubscriberInfo (Location = Home) SendRoutingInfo (MSISDN) SendRoutingInfo (Location = Home) IAM (A-Number, B-Number) ProvideRoaminNumber (IMSI) InitialDP (A-Num, B-Num, Location) ApplyCharging, Continue SendRoutingInfo (MSISDN) ProvideRoamingNumber (MSRN = ) SendRoutingInfo (MSRN = ) Cuba IAM (A-Number, ) Number Zimbabwe IMSI

65 Thank you! ptsecurity.com