Cellular networks are connected with each other through a worldwide private, but not inaccessible, network called the IPX network. Through this network, user-related information is exchanged for roaming purposes or for cross-network communication. This private network has been breached by criminals and nation states. Cellular networks are extremely complex, and many attacks have already been found, e.g. DoS, location tracking, SMS interception and data interception. Many attacks have been seen in practice, but not all attacks are understood and not all attack avenues using the IPX network have been explored. This presentation shows how the S9 interface in 4G networks, which is used for exchanging charging-related user information between operators, can be exploited to perform fraud attacks. A demonstration with technical details will be given, along with guidance on practical countermeasures.
Bell Labs
Nokia Bell Labs – Future Attacks and Mitigation
Research that solves real problems together with our customers and sometimes even competitors
• Theoretical studies go into attack and countermeasure design
• Validation and awareness of our research by GSMA standards input and publication
• Customer feedback and test results allow us to fine-tune and optimize our countermeasures
• Research input will fit product needs and operators' requests
• Operator needs can be discovered ”live” for new research challenges and disruptive new solutions
Bell Labs Research Lifecycle (diagram): lab problem study / threats / attack -> design attack -> testing -> countermeasures -> validation and awareness -> customer feedback -> product improvements
Roaming
Why should you care?
You connected to AT&T, Verizon, T-Mobile, Sprint
DefCon participants
CMCC, Airtel, MegaFon, Telenor
My colleagues, friends, family connected to DNA, Elisa, Telia
Source: DefCon, National Geographic, Wikipedia
I switch on my phone
Diagram: Las Vegas -> antenna -> core network -> carrier / IPX -> carrier / IPX -> home core network
Authentication -> run to home network
Checking subscriber
The technical details were worked out
Cartoon of the engineers designing the network, with speech bubbles:
• ”Some new protocol is needed for this.”
• ”We don’t need security. It is a closed network just for us.”
• ”We could invite some other operators.”
• ”Can you pass me another beer and the mustard?”
• ”People will love it. Pizza delivery everywhere.”
• ”I know someone in ITU who can help.”
• ”The networks are owned by the governments anyway.”
Source: Kauppalehti.fi / Erja Lempinen
Evolutions of IPX
• Started with 5 Nordic operators and calls only, about 35 years ago
• Now about 2000 companies connected to it
- Mobile operators
- Service providers (SMS aggregators, password recovery)
- Satellite communication providers etc.
• Very inhomogeneous operator structure
• Networks are a mix and match
- 2G, 2.5G, 3G, 4G and now 5G
- Different hardware, protocols, products, releases
- Many services: voice, SMS, MMS, IMS, data, VoIP
• Network evolved, but security awareness only recently started (2014)
(Figure label: SMS providers)
Who would hack this network
Source: wired, the intercept, Verint skylock product description, vault.co, trace any mobile, bankinfosecurity, the hill
Existing Attacks for the ”old” SS7
• Location tracking
• Eavesdropping
• Fraud
• Denial of service, user & network
• Credential theft
• Data session hijacking
• Unblocking stolen phones
• SMS interception
• One-time password theft and account takeover for banks, Telegram, Facebook, WhatsApp, bitcoin wallets
Most of the attacks today are still SS7 – but things change
Source: Security Week, The Register, YouTube, wireless, wired, techworm
How do attackers get in
• Rent a service
• Kick in the door
• Hack via Internet
• Social engineering
• Become an operator
• Bribing an employee
That is how they get in
Well, of course there might be a legitimate reason… maybe….
Some big Asian country
I switch on my phone
Diagram: Las Vegas -> antenna -> core network -> carrier / IPX -> carrier / IPX -> home core network
Checking subscriber: ”Hey, does she have money, and what did he pay for” / ”Make sure it is really her”
Normal incoming request for roaming (Fin in US)
Diagram: Visited PCRF <-- S9 --> Home PCRF, exchanging CCR / CCA and RAR / RAA
• Credit Control Request (CCR)
- Money?
- What kind of service?
• Re-Authentication Request (RAR)
- All kinds of control and information
- PCC management
What is a ”PCC”?
Something you all have
• Policy and Charging Control
- Defines everything about your subscription
- Data type
- Data rates
- Whatever cellular service you can think of
• Defines how to handle you and what to grant you: ”service flow filters”
• Usually identified by a string
• My own subscription is company paid and quite ”generous”
- Perfect target for an attacker
Impacts
• Attacker:
- Better services
- Shifting the costs – letting somebody else pay the phone bill
- Re-selling ”opportunity”
• Users:
- Might be billed for services they have not used (in particular, company subscriptions are at risk)
• Operators:
- Bill disputes (service desks)
- Loss of corporate customers
- Costs with partners that cannot be charged to a user
• IPX carriers still want to see their money
Countermeasures
For Operators
• S9 interface -> use IPsec with trusted partners directly
• S9 only open on a need basis
• Routing via origin realm, origin host
• IMSI range – operator match
• Check not to get messages from yourself
• Logical separation of visitors and own subscribers
• Location distance
• Fingerprint partner
• Fingerprint ”flows”
For “normal” Users
• Check your bill
• Keep an eye on the news
For “corporate” Users
• Security and network protection is something that needs to be part of a Service Level Agreement
• It is a quality indicator, similar to bandwidth and coverage
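As an added example (not code from the Bell Labs deck), the Python filter below shows how a home PCRF could apply several of the operator countermeasures above to an incoming S9 request of the kind shown on the roaming slide (a CCR from the visited PCRF): routing on origin realm and origin host, opening S9 only for partners that need it, rejecting messages that claim to come from our own realm, and matching the IMSI range to our own subscribers. The realms, hosts and IMSI prefixes are constructed, and the assumption that only the visited PCRF sends CCR toward the home PCRF follows the message direction on the slide.

```python
from dataclasses import dataclass

# Constructed home-operator identity: 3GPP-style realm plus our IMSI prefix (MCC+MNC).
HOME_REALM = "epc.mnc005.mcc244.3gppnetwork.org"
HOME_IMSI_PREFIXES = ("24405",)

# Constructed roaming-partner table, one entry per agreement.
# "hosts" backs "routing via origin realm, origin host"; "s9_open" backs "S9 only open on a need basis".
PARTNERS = {
    "epc.mnc410.mcc310.3gppnetwork.org": {
        "hosts": {"vpcrf1.epc.mnc410.mcc310.3gppnetwork.org"}, "s9_open": True},
    "epc.mnc001.mcc460.3gppnetwork.org": {
        "hosts": {"vpcrf.epc.mnc001.mcc460.3gppnetwork.org"}, "s9_open": False},
}


@dataclass
class S9Request:
    """The few AVPs of an S9 request that the home PCRF inspects before acting on it."""
    command: str            # Diameter command, e.g. "CCR" or "RAR"
    origin_host: str
    origin_realm: str
    destination_realm: str
    imsi: str               # Subscription-Id (IMSI) of the roaming subscriber


def check_s9_request(req):
    """Return (accepted, reason); each rejection maps to one countermeasure bullet."""
    # On S9 the visited PCRF sends CCR to the home PCRF; RAR flows the other way,
    # so a home PCRF should never receive an RAR as an inbound request.
    if req.command != "CCR":
        return False, "unexpected inbound command on S9"
    if req.destination_realm != HOME_REALM:
        return False, "not addressed to our realm"
    # "Check not to get messages from yourself"
    if req.origin_realm == HOME_REALM or req.origin_host.endswith(HOME_REALM):
        return False, "origin claims to be our own network"
    # "Routing via origin realm, origin host" and "S9 only open on a need basis"
    partner = PARTNERS.get(req.origin_realm)
    if partner is None:
        return False, "no roaming agreement for origin realm"
    if not partner["s9_open"]:
        return False, "S9 not enabled for this partner"
    if req.origin_host not in partner["hosts"]:
        return False, "origin host not registered for this realm"
    # "IMSI range - operator match" / "logical separation of visitors and own subscribers":
    # over S9 a home PCRF should only be asked about its own subscribers.
    if not req.imsi.startswith(HOME_IMSI_PREFIXES):
        return False, "IMSI is not one of our subscribers"
    return True, "accepted"
```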