Five Nightmares for a Telecom

Size: px

Start display at page:

Download "Five Nightmares for a Telecom"

Eleanore Cole
6 years ago
Views:

2 Five Nightmares for a Telecom Dmitry Kurbatov Information security specialist Positive Technologies Webinars by Positive Technologies

3 Agenda Physical access to a base station network OSS vulnerabilities Attacks on GGSN, something about GRX How to lose 1,5 million with VoIP in a DAY VAS vulnerabilities

4 Physical access to a base station network

5 Access networks for base stations Before: from ATM to SDH/SONET, DSL

6 Access networks for base stations Before: from ATM to SDH/SONET, DSL Access network

7 Access networks for base stations Now: IP/MPLS, metro Ethernet

8 Access networks for base stations Now: IP/MPLS, metro Ethernet

9 Access networks for base stations Now: IP/MPLS, metro Ethernet

10 In the same wire

11 In the same wire Voice and data

12 In the same wire Voice and data Device management channel HTTP/HTTPS, Telnet/SSH, MML

13 Device management protocols Insecure HTTP, Telnet MML (man-machine language) ~ Telnet Clear text: logins/passwords

14 Device management protocols Insecure HTTP, Telnet MML (man-machine language) ~ Telnet Clear text: logins/passwords

15 Physical access How to get access and what to do next?

16 Attacks in Ethernet networks ARP spoofing No protection against gratuitous ARP

17 Results Clear text: login/password Command execution

18 Go further A single IP subnet

19 Go further A single IP subnet

20 Go further A single IP subnet

21 BSC/RNC Radio resources management mobility User data encryption

22 BSC/RNC Radio resources management mobility User data encryption OS Windows Linux

23 BSC/RNC Radio resources management mobility User data encryption OS Windows Linux Services RDP SSH MML/telnet

24 BSC/RNC Radio resources management mobility User data encryption OS Windows Linux Services RDP SSH MML/telnet No patches With Defaults

25 Real life

26 Real life Too many devices

27 Real life Too many devices Equal/weak passwords Default accounts

28 OSS vulnerabilities

29 Operation support subsystem Web interface Client application

30 XML External Entity Injection XML Data retrieval by Yunusov and Osipov on Data retrieval

31 All like it

32 Example Request for OSS

33 Example etc/shadow in response Request for OSS

34 Go further Bruteforce hashes from etc/shadow OSS access with administrative privileges

35 Operation support subsystem Are vulnerable as other software Are there patch management? Vulnerabilities by type Denial of Service Code Execution Buffer Overflow Memory Errors SQL Injection Cross-Site Scripting Directory Traversal Restriction Bypass Information Disclosure Priviledge-Escalation Cross-Site Request Forgery Vulnerability detected?? Fixes developed Vulnerability and fixes issued

36 Attacks on GGSN, something about GRX

37 Theory

38 Theory Mobility Service delivery

39 Theory Mobility Service delivery

40 Theory Mobility Service delivery

41 Theory Mobility Service delivery

42 Firewalling VPN for a corporate client ACL inspect

43 Firewalling VPN for a corporate client ACL inspect???

44 GRX

45 GRX. Basics Open for all providers High quality (QoS) All in IP easy support for SIP, RTP, GTP, SMTP, SIGTRAN..something more Secure, it means fully separated from the Internet, both physically and logically.

46 Real life

47 Arguments

48 Arguments

49 GTP no embedded security functions no integrity no data encryption

50 Spoofed GTP PDP Context Activate/Delete PDP Context Activate/Delete PDP Context Activate/Delete

51 Spoofed GTP PDP Context Activate/Delete PDP Context Activate/Delete PDP Context Activate/Delete

52 Spoofed GTP PDP Context Activate/Delete PDP Context Activate/Delete PDP Context Activate/Delete

53 What is to be done? Monitor perimeter Configure GGSN correctly

54 Results Has no time for usual security? Useful functions are often ignored

55 How to lose 1,5 million with VoIP in a DAY

56 True story

57 True story VoIP

58 True story VoIP Anywhere

59 True story SoftSwitch call service managements signalling etc. VoIP Anywhere

60 Fraud VoIP to Cuba

61 Fraud $$$ VoIP to Cuba To Cuba

62 Investigation

63 Investigation To Cuba VoIP to Cuba

64 Investigation Additional IP in Client profile To Cuba VoIP to Cuba

65 Investigation Company s engineer?

66 Investigation Company s engineer? Web interface Web access

67 Investigation Company s engineer? Web interface Account: admin Web access

68 Investigation Company s engineer? Web interface Account: admin Pass: default Web access

69 Investigation goes further Software was updated There were deb packets on the server

70 Investigation goes further Software was updated There were deb packets on the server Script to LOAD some DATA INTO Auth_table Here is default administrator

71 Scheme 1) Information Vulnerability after updating

72 Scheme 1) Information 2) Experience Vulnerability after updating Configuration modification

73 Scheme 1) Information 2) Experience 3) Business ability Vulnerability after updating Configuration modification

74 Scheme 1) Information 2) Experience 3) Business ability 4) $$$ Vulnerability after updating Configuration modification To Cuba VoIP to Cuba

75 Questions still remain Who created this deb packet? Who was able to understand the routing table? How many providers suffer?

76 Questions still remain Who created this deb packet? Who was able to understand the routing table? How many providers suffer? IS audit required?

77 VAS vulnerabilities

78 Additional services Good ideas

79 Additional services Good ideas Joy for clients

80 Additional services Good ideas Joy for clients Low quality Vulnerabilities

81 Additional services Good ideas Joy for clients Low quality Vulnerabilities Possibility to steal money

82 Incident Attack against self-service portal Account bruteforce

83 Incident Attack against self-service portal Account bruteforce Service installation

84 Incident Attack against self-service portal Account bruteforce Service installation

85 Incident Attack against self-service portal Account bruteforce Service installation

86 Investigation Analysis of a web server event log Attacker s IP address

87 Investigation Source and used scripts are found

88 Investigation Source and used scripts are found Log in the portal with the account

89 Investigation Source and used scripts are found Log in the portal with the account Service installation

90 Investigation Source and used scripts are found Log in the portal with the account Service installation Service confirmation

91 CAPTCHA Bypass The self-service portal incorrectly uses CAPTCHA CAPTCHA is not implemented in similar mobile applications

92 Scheme

93 Scheme

94 Scheme

95 Scheme

96 Scheme

97 Scheme

98 Insufficient Authentication

99 Summary Telecom provider is a huge and complex system

100 Summary Telecom provider is a huge and complex system Only 5 hack incidents

101 Summary Telecom provider is a huge and complex system Only 5 hack incidents How many more options?

102 Optimistically Open Source solutions and research capabilities More audits Vulnerability databases Scanners and compliance management systems

103 Thank you for your attention! Dmitry Kurbatov Information security specialist Positive Technologies

104

Ethical Hacking and Prevention

Ethical Hacking and Prevention This course is mapped to the popular Ethical Hacking and Prevention Certification Exam from US-Council. This course is meant for those professionals who are looking for comprehensive