Taking Over Telecom Networks

Similar documents
Cyber Security Threats to Telecom Networks. Rosalia D Alessandro Hardik Mehta Loay Abdelrazek

THREATS TO PACKET CORE SECURITY OF 4G NETWORK

IT Certification Exams Provider! Weofferfreeupdateserviceforoneyear! h ps://

Agenda. Introduction Roaming Scenarios. Other considerations. Data SMS Voice IMS

E. The enodeb performs the compression and encryption of the user data stream.

Exam Questions 4A0-M02

Virtual Evolved Packet Core (VEPC) Placement in the Metro Core- Backhual-Aggregation Ring BY ABHISHEK GUPTA FRIDAY GROUP MEETING OCTOBER 20, 2017

Mobile operators vs. Hackers: new security measures for new bypassing techniques

3GPP TS V9.4.0 ( )

MSF Architecture for 3GPP Evolved Packet System (EPS) Access MSF-LTE-ARCH-EPS-002.FINAL

Understand iwag Solution for 3G Mobile Data

Trojans in SS7 - how they bypass all security measures

GPRS billing: getting ready for UMTS

IPv6 migration strategies for mobile networks

IMS Migrations IMS Enabling Common Network Convergence. Michael Coward CTO and Co-founder

Improvement of VoLTE Domain HO with Operators Vision

E N H A N C E D F R A U D D E T E C T I O N U S I N G S I G N A L I N G. W U G M a l a y s i a

The Evolution of Diameter Signaling

DAY 2. HSPA Systems Architecture and Protocols

5G World 2016 VoLTE Roaming: an opportunity for new business models. Cédric Bonnet - Orange London June 30 th, 2016

SGSN Service Configuration Procedures

WIT VoWiFi. Leverage Wi-Fi for voice calling. vowifi.wit-software.com

ETSI TS V ( )

Spirent Landslide VoLTE

Leveraging Wi-Fi Calling To Reduced Operator Costs and Improve the Customer Experience

GTP-based S2b Interface Support on the P-GW and SAEGW

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Service Provider Mobility UMTS Networks (SPUMTS) Version: Demo

07/08/2016. Sami TABBANE. I. Introduction II. Evolved Packet Core III. Core network Dimensioning IV. Summary

Certkiller 4A0-M02 140q

Path to 5G: A Control Plane Perspective

Packet Core 2009 Training Programs. Catalog of Course Descriptions

VoLTE is the mainstream solution

Sh Gy. Ro Gx. Cx Ici. Mr Mj

HSS and PCRF Based P-CSCF Restoration Support

Passguide q

M2M in the Real World: Security Best Practices and Lessons Learned

Long Term Evolution - Evolved Packet Core S1 Interface Conformance Test Plan

Mobile Security Fall 2013

Simulation of LTE Signaling

SGSN in a 2.5G GPRS Network, page 1

Load Balance MME in Pool

Test-king QA

Direct Tunnel for 4G (LTE) Networks

LTE Data Roaming over IPX Service Schedule

The digital copy of this thesis is protected by the Copyright Act 1994 (New Zealand).

Rethinking Cellular Architecture and Protocols for IoT Communica9on

TECHNICAL BRIEFING: MOBILE ACCESS TO THE INTERNET. Bornholm, October 2003

Timmins Training Consulting

Operator Policy. What Operator Policy Can Do. A Look at Operator Policy on an SGSN

Signaling for the Internet of Things. Michael Senn Principal Technologist

Overview of GPRS and UMTS

Overview of GPRS and UMTS

IxLoad LTE Evolved Packet Core Network Testing: enodeb simulation on the S1-MME and S1-U interfaces

CSC 401 Data and Computer Communications Networks

Copyright 2012 Alcatel-Lucent. All Rights Reserved. TMO21026_V2.0-IG-EN-LE5.0-Edition 1 Section 1 Module 2 Page 1

CDG Technology Forum Inter-Technology Networking

Development of IPX: Myth or Reality?

Evolution to A Common Core

UNIK4230: Mobile Communications Spring Semester, Per Hj. Lehne

P-GW Service Configuration Mode Commands

COPYRIGHTED MATERIAL. Contents. 1 Short Message Service and IP Network Integration 1. 2 Mobility Management for GPRS and UMTS 39

5G NSA for MME. Feature Summary and Revision History

CSFB and SMS over SGs Interface

Packet Core 2010 Training Programs. Catalog of Course Descriptions

Load & Stress component

Measuring the Explosion of LTE Signaling Traffic - A Diameter Traffic Model

Dedicated Core Networks on MME

Dimensioning, configuration and deployment of Radio Access Networks. part 1: General considerations. Mobile Telephony Networks

LTE Training LTE (Long Term Evolution) Training Bootcamp, Crash Course

Nexus8610 Traffic Simulation System. Intersystem Handover Simulation. White Paper

Contents VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014

Delivery of Voice and Text Messages over LTE 13 年 5 月 27 日星期 一

Network Access Control and VoIP. Ben Hostetler Senior Information Security Advisor

RE-ARCHITECTING THE GI LAN OPTIMIZE & MONETIZE MOBILE BROADBAND. Bart Salaets Solution Architect

Real-time Communications Security and SDN

Dedicated Core Networks on MME

ELEC-E7230 Mobile Communication Systems

UMTS System Architecture and Protocol Architecture

ARCHITECTURE MATTERS. Dilbert by Scott Adams

5G NSA for SGSN. Feature Summary and Revision History

Voice over LTE via Generic Access (VoLGA) A Whitepaper - August 2009

VoLTE Lab allows the detailed assessment of the involved technology, and is able to clarify your needs in terms of higher scale VoLTE acquisition.

GPRS security. Helsinki University of Technology S Security of Communication Protocols

Basic SAE Management Technology for Realizing All-IP Network

Communication Networks 2 Signaling 2 (Mobile)

Signaling System 7 (SS7) By : Ali Mustafa

MSF Non-3GPP EPS Access Tile. MSF Architecture for Non-3GPP Evolved Packet System (EPS) Access Tile. MSF-LTE-ARCH-non3GPP-EPS-FINAL

3GPP security hot topics: LTE/SAE and Home (e)nb

vepc-based Wireless Broadband Access

Diameter Routing. Use Case Guide

Native Deployment of ICN in 4G/LTE Mobile Networks

Analysis of key functions, equipment and

Chapter 7. Wireless and Mobile Networks. Computer Networking: A Top Down Approach

IPv6 deployment scenarios in mobile networks Jouni Korhonen Netnod Spring Meeting 9-11 March, 2011 Stockholm, Sweden

8.4 IMS Network Architecture A Closer Look

Agenda. LTE Data Roaming. Role of IPX as defined by i3forum Manpreet Singh ibasis Inc., a KPN Company.

CertifyMe. CertifyMe

P-GW Service Configuration Mode Commands

Virtual Mobile Core Placement for Metro Area BY ABHISHEK GUPTA FRIDAY GROUP MEETING NOVEMBER 17, 2017

CONTENTS. Subscriber denial of service...9 Causes of vulnerabilities Recommendations for protection Conclusion... 13

Transcription:

Taking Over Telecom Networks Hardik Mehta (@hardw00t) Loay Abdelrazek (@sigploit) Taking Over Telecom Networks - Hardik Mehta (@hardw00t) and Loay Abdelrazek (@sigploit) 1

Press Release: some highlights 2

Glossary Acronyms Operator Subscriber SS7 MME SGW HLR MSC CRBT IMSI Telecom service provider Definition A user using he services of the telecom operator Signalling System 7 is a signalling protocol Mobility Management Entity (MME) is responsible for initiating paging and authentication of the mobile device in LTE networks Serving Gateway (SGW) is responsible for creating and maintaining subscriber s data traffic in LTE networks Home Location Register (HLR) is the main database containing subscriber information Mobile Switching Centre (MSC) is a telephone exchange which makes connection between mobile users within the network Caller Ring Back Tone (CRBT) solution is part of value added services which enables subscriber to opt for a personalised ring back tone International Mobile Subscriber Identity (IMSI) is an internationally standardized unique number to identify a mobile subscriber 3

Architecture Illustration Taking Over Telecom Networks - Hardik Mehta (@hardw00t) and Loay Abdelrazek (@sigploit) 4

Architecture Illustration IMS MME HSS Internet 4G ENodeB SGW PGW PCRF Other Data Network MVNO CRBT IPX 3G NodeB RNC SGSN MSC/VLR HLR GGSN Internet Other Data Network Streaming Server FTTH OLT SBC CDN Content Transcoder DRM Access Network Core Network MVNO GRX OLO 5

Possible Entry Points Taking Over Telecom Networks - Hardik Mehta (@hardw00t) and Loay Abdelrazek (@sigploit) 6

Possible Entry Points IMS MME HSS Internet 4G ENodeB SGW PGW PCRF Other Data Network MVNO CRBT IPX 3G NodeB RNC SGSN MSC/VLR HLR GGSN Internet Other Data Network Streaming Server FTTH OLT SBC CDN Content Transcoder DRM Access Network Core Network MVNO GRX OLO 7

Attack Vectors Taking Over Telecom Networks - Hardik Mehta (@hardw00t) and Loay Abdelrazek (@sigploit) 8

Mobile Stations (3G/ 4G): Attack Vectors Enumeration and exploitation of internal core network nodes Sending crafted SIP messages to perform tasks like, Caller ID spoofing Identifying nodes running signaling stacks (e.g. SIGTRAN stack) and sending malicious signaling traffic using SigPloit Evolve Packet Core MME EPDG PCRF IMS SGW PGW I CSCF HSS P CSCF S- CSCF 4G ENodeB Datacenter Network Operations Corporate Network 9

Fiber to The Home (FTTH): Attack Vectors Enumeration and exploitation of internal core network nodes VLAN hoping possible between VoIP, ITPV and Data Using VoIP, Crafted SIP messages can be sent to perform SIP attacks like DoS Using IPTV, Send crafted IGMP messages to subscribe unbilled channels Evolve Packet Core EPDG SGW MME PCRF PGW IMS I CSCF HSS P CSCF S- CSCF Streaming Server Datacenter FTTH OLT SBC CDN DRM Content Transcoder Network Operations Corporate Network 10

Internet: Attack Vectors Compromise web applications deployed in DMZ Exploitation of internal network components possible if there is lack of segregation between DMZ and core network Possible to connect with network nodes (e.g. PGW/GGSN or SGSN) exposed on the public domain Sending crafted SIP messages to SBCs exposed on the public domain Evolve Packet Core EPDG SGW MME PCRF PGW IMS I CSCF HSS Internet P CSCF S- CSCF Datacenter Network Operations Corporate Network 11

Roaming interfaces: Attack Vectors Using SS7, perform HLR lookup to get subscriber information like, IMSI and serving MSC Using GTP, identify active tunnel session and hijack the session Using SS7/ Diameter, perform attacks leading to fraud like over-billing Using SS7/ Diameter, perform interception attacks like, SMS and Call 12

Attack Vectors Passive IMSI Sniffing using RTL-SDR and OsmocomBB phone 13

Attack Vectors Passive IMSI Sniffing using RTL-SDR and OsmocomBB phone 14

Attack Vectors Roaming in Pakistan https://github.com/sigploiter/hlr-lookups 15

Attack Vectors Example Realm Format epc.mnc<mnc>.mcc<mcc>.3gppnetwork.org DNS Lookups for exposed LTE nodes 3gppnetwork.org 16

Attack Scenario Taking Over Telecom Networks - Hardik Mehta (@hardw00t) and Loay Abdelrazek (@sigploit) 17

Attack Scenario - Internal network enumeration resulted in identification of node part of VAS networks, CRBT - Caller Ring Back Tone (CRBT), is connecting with HLR,MSC and IN charging nodes and it enables customers to subscribe for personalized audio, in place of regular tone - Due to lack of basic security controls, it was possible to gain root access of the node from subscriber network segment MME HSS 4G ENodeB SGW PGW PCRF CRBT 3G NodeB RNC SGSN MSC/VLR HLR GGSN 18

- The compromised node is connected to the core. - It is then possible to use the node to initiate other core related attacks (i.e using protocol vulnerabilities like SS7, Diameter of GTP). - Using a global title scanner, we can gather more info about the SS7 core. Attack Scenario https://github.com/sigploiter/gtscan 19

Attack Scenario - HLR(s) are identified. - Query the HLR(s) to retrieve the IMSI. - Bypassing SMS Home Routing if implemented. - IMSI is the key to any mobile operation. Attacker MSC HLR SendRoutingInfoForSM Req. (MSISDN) SendRoutingInfoForSM Resp. (IMSI, VMSC GT) https://github.com/sigploiter/sigploit 20

Attack Scenario Identification of IMSI and MSC GT can help attackers perform various further attacks Parameter IMSI Impersonation Data overbilling Impact Authentication Vector Retrieval MSC GT Subscriber profile Manipulation Interception Tracking DoS 21

Attack Scenario - Internet at the expense of others. - Works for EPC and UMTS packet core. - Using GTPv1 or GTPv2. - Hijack the data connection of a subscriber using his retrieved IMSI. Reference: Positive Technologies EPC Research 2018 22

Attack Scenario 23

Attack Demonstration Taking Over Telecom Networks - Hardik Mehta (@hardw00t) and Loay Abdelrazek (@sigploit) 24

Best Practices Taking Over Telecom Networks - Hardik Mehta (@hardw00t) and Loay Abdelrazek (@sigploit) 25

Best Practices to Reduce Attack Exposure Implement network traffic segregation. Bind services to correct network interfaces. Limit the reachability of internal nodes from UEs. Limit the reachability of network nodes from Internet by configuring correctly routing protocols Deploy secure configuration of network nodes Secure configuration of all network services; Disabling of insecure and unneeded network services; Changing of default passwords; Hardening; Configuration and enabling of authentication and access control; Logging of all access attempts and other security-relevant events; Configuration of the network node to not disclose unnecessary information; Continuous deployment of the latest security patches. Security testing and regular vulnerability scanning; Implement traffic filtering policies at the boundaries. Basic IP Filtering; Signaling FW; Monitor network traffic to discover anomalies. Deploy a Security Signaling Monitoring (Intrusion Detection System / IDS). Effective Threat modelling. 26

Q&A Thank You Taking Over Telecom Networks - Hardik Mehta (@hardw00t) and Loay Abdelrazek (@sigploit) 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback