Telecom security issues (Raoul Chiesa, day 1 ) Presentation Transcript
“Telecom Security Issues”An overview of Key Threats & Actors, Case Studies and Possible Scenarios Raoul Chiesa, UNICRI Club Hack Conference, Pune December 4th, 2010
Disclaimer● The information contained within this presentation d t ti does not i f i t infringe on any i t ll t l intellectual property nor does it contain tools or recipe that could be in breach with known India laws (is there any lawyer in the room btw? ;)● Quoted trademarks belongs to registered owners.● The views expressed are those of the author and do not necessary reflect the views of UNICRI or others United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent ( Stakeholders Group).
The speaker – Raoul “nobody” Chiesa On the underground scene since 1986 Senior Advisor on cybercrime at the United y Nations (UNICRI) ENISA PSG Member (2010‐2012) Founder, @ Mediaservice.net – Independent Security Advisory Company and @ PSS – a Digital Forensics Company Founder, Board of Directors at: CLUSIT (Italian Information Security Association), (It li I f ti S it A i ti ) ISECOM, OWASP Italian Chapter TSTF.net TSTF net Associated Member Member: ICANN, OPSI/AIP, EAST 3
About UNICRI What is UNICRI?United Nations Interregional Crime & Justice Research InstituteA United Nations entity established in 1968 to support countries worldwidein crime prevention and criminal justiceUNICRI carries out applied research, training, technical cooperation anddocumentation / information activitiesUNICRI disseminates information and maintains contacts with professionalsand experts worldwideCounter Human Trafficking and Emerging Crimes Unit: cyber crimes,counterfeiting, environmental crimes, trafficking in stolen works of art…
About ENISA What is ENISA?• European Network & Information Security Agency• ENISA is the EU’s response to security issues of the European Union• “Securing Europes Information Society” is our motto (27 Member States) Securing Europe s Society• In order to accomplish our mission, we work with EU Institutions and Member States• ENISA came into being following the adoption of Regulation (EC) No 460/2004 of theEuropean Parliament and of the Council on 10 March 2004. Operations started on September p p p2005, after moving from Brussels to Crete, and with the arrival of staff that were recruitedthrough EU25‐wide competitions with candidates coming from all over Europe.• ENISA is helping the European Commission, the Member States and the businesscommunity to address, respond and especially to prevent Network and Information Securityproblems.• The Agency also assists the European Commission in the technical preparatory work forupdating and developing Community legislation in the field of Network and InformationSecurity.• I’m a Member of ENISA’s PSG – Permanent Stakeholders Group.
About TSTF net TSTF.net• W are a think‐tank established more than 10 We hi k k bli h d h 10 years ago.• We know all of us (team members) since the 80’s.• Some names: Emmanuel Gadaix, Philippe Langlois, Stavroula “Venix” Ventouri, Fyodor Yarochkin (xprobe2), ….• All of us we have pentested/audited more than 120 phone operators all over the world the world.• Huge experience, no sales pitches: we know our stuff.• Built the very first open source SS7 Scanner (SCTP) the very first open‐source SS7 Scanner (SCTP).• Making R&D, everyday, every hour, every single minute ;)
More on TSTF.net More on TSTF netWho’s whoWh ’ h 35 years combined GSM telecommunications experience; 50 years combined information security experience; A unique view on telco security – nobody else does it; Active research (papers, tools, forums); Experience in Europe, Asia, USA; p p , , ; Self‐funded, no business cunts running it, no VCs.Networked structure Structure similar to the Global Business Network (http://www.gbn.org/); No central office, global coverage; Leverage on each individuals skills and services; Leverage on network effect.
Our experiences (excerpt, 1999‐2004) (obviously, we’got much MORE ☺ 1999: GSM Internet Data Access Penetration Tests 2000: GPRS Internet Data Access Penetration Tests 2000/2004: L.I.S./L.I.G. Security Audits on a +15 MLN subscribers 2000: SMS Spoofing PoC & Security Consulting 2001: Dealers’ shops Abuse Security Testing; 2001: SMSC Ethical Hacking Test 2001: SAP environments Security Audit 2001‐2004: VAS Security Audits and Pen‐testings y g 2001‐2004: xIDS and Firewall tuning and configurations review 2002/2003: Wireless Penetration Tests on HQ and main branches (+10 MLN subscribers; +15 MLN subscribers) 2002: Wireless Security Policy (private and public hot‐spots) 2003: Portals Web Applications S 2003 P t l W b A li ti Security T ti ( i it Testing (various t t on th applications d l tests the li ti developed f th subscribers) d for the b ib ) 2003: Billing gateway process Full Security Audit & Pentests 2003: MMS environment Ethical Hacking tests 2004: Black Berry FE/BE Penetration Testing 2004: X.25 Security Audit Full Process (9 months) 2004: New mobile threaths R&D process (3 months) 2004: DoS incident handling policy (referred to the private WAN)
Topics for this session• Introduction• MSC hacking / the Vodafone Greece MSC hacking / the Vodafone Greece Affair• Data Network Elements hacking (i.e.. GPRS)• Billing, Mediation, LIS/LIG hacking• SS7 hacking SS7 hacking• Web Applications’ suppliers standard issues
THE PROBLEMTelecommunications vendors (Nokia, Ericsson, Alcatel, etc.) are selling insecure software and systems to telcos.Telecommunications operators have a very poor understanding of security issues.Based on 10 years penetration testing experience, telco operators are the most vulnerable of all industry groups.are the most vulnerable of all industry groups.Sophisticated hackers have an increased interest in telco security and phone hacking.and phone hacking 10
THE VENDORS Some vendors have decided to take an active stance in security (e.g. Nokia), however such initiatives are isolated and do not address most telcos security y problems. Most vendors sell antiquated software full of bugs, running on old and unpatched version of operating systems and daemons version of operating systems and daemons. Operators cannot fix the identified security weaknesses because it would void their warranty.⌧ The result of this ‘head in the sand’ approach is an increase in the threat: national and international critical infrastructures are at risk. national and international critical infrastructures are at risk 11
THE OPERATORS Operators rely on vendors for secure solutions. Operators are primarily focused on network operations, software upgrades, Operators are primarily focused on network operations software upgrades network performance and other time‐consuming routine tasks. Operators lack in‐house expertise on telco security. Operators are usually divided between the IT and Engineering, departments, creating two separate security domains.⌧ Most telcos networks are open to attackers (I don’t say “hackers”!). 12
NETWORK OPS. I.T. ITGSM operators typically split their network between IT (the incompetent teamrunning th mail, th d i the il the domains, th printers and th proxy/firewall) and E i i the i t d the /fi ll) d Engineering i(the telco side).Usually there is distrust between the two entities, poor communications andcertainly no common policy towards security. y p y yIT of course believe they are important, but in fact they just have a support role. Ifall IT systems stop working, you can still make phone calls. (Emmanuel Gadaix, TSTF – Black Hat Asia Security Conference, 2001) 13
THE OPERATORSBased on a +10 years study encompassing 24 network operators in fourdifferent continents (EU, Asia, USA, Australia): ⌧ 100% could be hacked from the Internet via Web Apps ⌧ 90% could be hacked through PSTN X 25 ISDN or Wi‐Fi could be hacked through PSTN, X.25, ISDN or Wi‐Fi ⌧ 72% had a security incident in the last 2 years ⌧ 23% had appropriate perimeter security control ⌧ 0% had all their mission‐critical hosts (really) secured ⌧ 0% had comprehensive database security in place ⌧ 0% had integrity measures protecting billing data, nor encryption g y p g g , yp 14
THE ENEMY Telco fraud is still an attractive target: Bypassing toll, getting services without fees, setting up premium numbers, etc; Bypassing toll getting services without fees setting up premium numbers etc; Privacy invasions: interception of call‐related data (e.g. CDRs, SMS contents, signalling data, billing data; etc) Eavesdropping and cloning: illegal interception and cloning of mobile phones.⌧ Recently one underground group announced it was reverse engineering Nokia Recently one underground group announced it was reverse engineering Nokia and Symbian software;⌧ A group of sophisticated hackers is working on abusing the SS7 protocol;⌧ Another group of international security researchers is working on VoIP attacks in telcos environments (Mobile, PSTN/ISDN, SS7, I.N.) 15
THE COMPETITION⌧ Traditional security shops: no knowledge of telcos, poor understanding of telcos procedures.⌧ Traditional telcos consultancies: very poor knowledge of security issues.⌧ “Big 4” audit firms: focused on policies, no real expertise (they outsource their jobs to us). (they outsource their jobs to us).⌧ In‐house resources: very dangerous. Internal fraud is overlooked; interdepartmental ego problems; good security and bad security looks the same. 16
DOING NOTHING… … with yours telco infrastructures today is like doing nothing with the RAS accesses in the 80’s… nothing with the RAS accesses in the 80’s …with the X.25 networks in the 90’s… ….and with your Internet hosts during the Y2K:⌧ it’s an open invitation for disaster. 17
“BUT..WHY SH0ULD WE C@4E ‘BOUT TH3S3L33T ATTACK3RS ?!?” ….BECAUSE YOU LOOSE YOUR MONEY. MONEY. 18
AND, because…. AND because• Hackers are speaking about, investigating, discussing, hacking telco‐related stuff g g (everything!) since a lot of time now (began in the 70 s, became a trend in the 80 s and in the 70’s became a trend in the 80’s and 90’s, a standard from 2000 up to today).• ..Wanna see some examples??l
2008DEFCON 16 ‐ Taking Back your Cellphone Alexander LashDEFCON 16 Taking Back your Cellphone Alexander LashBH DC / BH Europe – Intercepting Mobile Phone/GSM Traffic David Hulton, Steve–BH Europe ‐ Mobile Phone Spying Tools Jarno Niemelä–BH Europe Mobile Phone Spying Tools Jarno NiemeläBH USA ‐ Mobile Phone Messaging Anti‐Forensics Zane Lackey, Luis MirasEkoparty ‐ Smartphones (in)security Nicolas Economou Alfredo Ortega (in)security Nicolas Economou, Alfredo Ortega BH Japan ‐ Exploiting Symbian OS in mobile devices Collin Mulliner–GTS‐12 ‐ iPhone and iPod Touch Forensics Ivo Peixinho25C3– Hacking the iPhone ‐ MuscleNerd, pytey, planetbeing ki h i h l d l b i25C3 Locating Mobile Phones using SS7 – Tobias Engel– Anatomy of smartphone hardware Harald Welte25C3 Running your own GSM network – H W l Di25C3 R i GSM k H. Welte, Dieter Spaar S25C3 Attacking NFC mobile phones – Collin Mulliner
2009/1ShmooCon Building an All Channel Bluetooth Monitor Michael All-ChannelOssmann and Dominic SpillShmooCon Pulling a John Connor: Defeating Android Charlie MillerBH USA– Attacking SMS - Zane Lackey, Luis Miras –BH USA P Premiere at YSTS 3.0 (BR) i t 30BH USA Fuzzing the Phone in your Phone - Charlie Miller, CollinMullinerBH USA Is Your Phone Pwned? - Kevin Mahaffey, Anthony Lineberry & y, y yJohn Hering–BH USA Post Exploitation Bliss –BH USA Loading Meterpreter on a Factory iPhone - Vincenzo Iozzo &C a eCharlie Miller– eBH USA Exploratory Android Surgery - Jesse BurnsDEFCON 17– Jailbreaking and the Law of Reversing - Fred VonLohmann, Jennifer Granick–DEFCON 17 Hacking WITH the iPod Touch - Thomas WilhelmDEFCON 17 Attacking SMS. Its No Longer Your BFF - Brandon DixonDEFCON 17 Bluetooth, Smells Like Chicken - Dominic Spill, MichaelOssmann, Mark Steward
2009/2BH Europe Fun and Games with Mac OS X and iPhone Payloads - Charlie Miller and Europe–Vincenzo Iozzo–BH Europe Hijacking Mobile Data Connections - Roberto Gassirà and RobertoPiccirillo–BH Europe Passports Reloaded Goes Mobile - Jeroen van BeekCanSecWest– The Smart-Phones Nightmare Sergio shadown AlvarezCanSecWest - A Look at a Modern Mobile Security Model: Googles Android JonOberheide–CanSecWest - Multiplatform iPhone/Android Shellcode and other smart phone Shellcode,insecurities Alfredo Ortega and Nico EconomouEuSecWest - Pwning your grandmothers iPhone Charlie Miller–HITB Malaysia - Bugs and Kisses: Spying on Blackberry Users for FunSheranGunasekeraGunasekera– YSTS 3.0 /HITB Malaysia - Hacking from the Restroom Bruno Gonçalves de OliveiraPacSec - The Android Security Story: Challenges and Solutions for Secure OpenSystems Rich Cannings & Alex StamosDeepSec - Security on the GSM Air Interface David Burgess Harald Welte Burgess,DeepSec - Cracking GSM Encryption Karsten Nohl–DeepSec - Hijacking Mobile Data Connections 2.0: Automated and Improved RobertoPiccirillo, Roberto Gassirà–DeepSec - A practical DOS attack to the GSM network Dieter Spaar
Overview on attacks O i k(then we’ll jump straight to a few, single topics)
ATTACKS & FRAUDSIN MOBILE ENVIRONMENTS 24
A MORE COMPLICATED WORLD… EMC Virtual Networks Video on demand SES y Public safety PTS B-ISDN TFTSBRAN DECT VSAT GSMIntelligent Networks SEC ISO/BSI ATMUMTS STQ Teleworking DTV ERM CTMTesting Methods Voice over Internet Protocol 25
...WITH DIFFERENT STANDARDS, BUT A UNIQUE MARKET 26
...BUT THE THREAT IS GLOBAL 27
PHREAKING TELCOS Phreaking is a slang term for the action of making a telephone system do something that it normally should not allow. Why would anyone do this?? Why would anyone do this??“ I do it for one reason and one reason only. Im learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. d d d? f d h d l l Computers, systems, thats my bag. The phone company is nothing but a computer. ” Captain Crunch From Secrets of the Little Blue Box From Secrets of the Little Blue Box Esquire Magazine, October 1971 28
(pause) LOL!!(pause) LOL!!
A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/1The “Phreaking” concept can be explained as “Hacking the phone line”;Since the 60’s, phreaking exploded all around the world; p g pFrom those times, intrusion stories in telcos environments became very common;In the following slides we will give you a resume of the various type of I th f ll i lid ill i f th i t fattacks that can be applied in Mobile Networks; Many of these attacks have been practical tested and demonstrated by our Tiger Team during the years. 30
A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/2Attacks have been classified into the following areas:RAN Attacks (Radio Access Network)RAN Att k (R di A N t k)TN Attacks (Transmission Network)NSS Attacks (Network Switched Network)NSS Attacks (Network Switched Network)IN Attacks (Intelligent Network)SMS/Messaging Attacks (SMS, VMS)MMS AttacksNMS/OSS Attacks (Network Management System/Operations)ME & Billing GW Attacks (Mediation and Billing)ME & Billi GW Att k (M di ti d Billi ) $LIS/LIG Attacks (Legal Interception System/Gateway)SS7 Attacks (Signalling System # 7)SS7 Attacks (Signalling System # 7)..not forgetting the “old school” PSTN, ISDN and X.25 attacks 31
THE NETWORK ELEMENTSRadio Access Network (BSS/RAN)Radio Access Network (BSS/RAN)Mobile Switching Center (MSC/NSS)Home Location Register (HLR/VLR)Home Location Register (HLR/VLR)Intelligent Network (IN) g g( , , ,Messaging (SMSC, MMSC, USSD, VMS) )Packet data (GPRS, EDGE, 3G/UMTS)Network Management (NMS, OMC, OSS)Mediation, Billing, Customer Care, LIG 32
MSC• Mobile Switching Center• Is probably the most important asset in a the most in a Mobile Operator• W will speak about the Vodafone Greece We ill k b h V d f G case shortly…
GGSN• Ollie Whitehouse around 2002/2003 successfully exploited Nokia GPRS‐related y p elements (GGSN, SGSN).• Result? DoS on all of your Data connections Result? DoS on all Data connections (Operator Level) if you run GPRS on Nokia’s HW (at that time, obviously). ( h b l )• Is it only Nokia? NO! ALL of them may be Nokia? NO! ALL of vulnerable.
Web Applications Web Applications Security• I’ve moved this i h l ’ d hi in the last section, along with i l ih “evidences”.• Basically, problem here is that the “standard p y players” (big 4, Accenture, etc etc) are often ( g , , ) releasing insecure Web Applications.• Exposed to: – XSS/CSRF /etc – SQL I j ti ( ) SQL Injection(s) – …whatever!
The “Vodafone Greece Affair”
In one shot ‐ Greece• Basically, what the hell happened ? +One hundreds “VIP” mobile subscribers have been eavesdropped: Government members, Defense officials mainly, including the Greek Prime Minister, Foreign, Defence, Public Order officials, etc. Calls from and to +100 SIMs were diverted to 14 “pay as you go” mobile and to +100 SIMs 14 pay‐as‐you‐go mobile phones. Four BTS were “interested” by the area where these receiving SIMs where located. “Incidentally”, Athens US Embassy is right in the middle of them ☺ This has been done via a high‐level hack to the Ericsson AXE GSM MSC; building a rootkit “parked” in the RAM area, since obviously the MSC was on “production” (!!!). production (!!!) “The Hack” was discovered on March 7th, 2005, by Ericsson technical staff. One year later at least. Maybe longer….nobody knows On March 9th, a Vodafone “top technician” (KT) commited suicide. (Kostas , p ( ) ( Tsalikidis, 39 y.o., Head of Network Design). EYP (Hellas National Intelligence Agency) began investigating at once. × Ri ht Right now, no‐one h no idea about who did it and why. has id b t h d h
Profiling: Actors involved• Some elite hacker. – Retired Ericsson technical guy(s) ? g y( )• Some seriously‐intentioned IA (CIA?).• Some historical and geo‐political situation (Carpe Diem).• Local politicians and National Secret Service• Th Ol The Olympic Games ? i G• The “best hack of 2005” prize. For sure. p
Targeted people (Vodafone Hellas/1) g p p ( / )• GOVERNMENT TARGETS: GOVERNMENT TARGETS: Karamanlis, Kostas Prime Minister of Greece (two phones of 20) Elef. 3Feb Molyviatis, Petros then Foreign Minister, a private phone Elef. 3Feb Spiliotopoulos, Spilios Spiliotopoulos Spilios then Minister of Defense Elef 3Feb Voulgarakis Elef. 3Feb Voulgarakis, Giorgos then Minister of Public Order Elef. 3Feb Papaligouras, Anastasios Minister of Justice Elef. 3Feb Valinakis, Giannis Alternate Foreign Minister Elef. 3Feb Dimas, Stavros EU Commissioner Elef. 3Feb Bakoyianni, Dora then Mayor of Athens Elef. 3Feb Vallindas, Giorgos Ambassador, Foreign h f h l f b ll d b d i Ministry Mideast Division Director Elef. 3Feb Choreftaki, Glykeria Foreign Ministry employee Elef. 3Feb Papantoniou, Giannis PASOK MP, ex Minister of Defense Elef Apostolidis Pavlos then Head of Greek Apostolidis, Pavlos Head of Intelligence Service (EYP), his car phone Nea Karamanli, Natasha wife of Prime Minister Nea eight unidentified foreign ministry officials Nea unnamed intelligence officials EYP operations officers Nea Korandis, Giannis current EYP di Gi i EYP director, then A b h Ambassador to T k hi private car d Turkey, his i phone Nea 3‐16 Molyviati, Lora daughter of former Foreign Minister Nea 3‐16
Targeted people (Vodafone Hellas/2) g p p ( / )• POLICE/SECURITY TARGETS: POLICE/SECURITY TARGETS: Maravelis, Dimitris Police officer in Olympic Security Elef. 3Feb Maris, Giorgos lawyer, legal advisor to Public Order Ministry Elef. 3Feb Angelakis, Dimitris Police in Olympic Security or EYP unionist Elef. 3Feb Angelakis Dimitris Police in Olympic Security or EYP unionist Elef 3Feb Sontis, Theodore U.S. Embassy Greek‐American, gave to security detail Elef Kyriakakis, Evstratios Former Director, Criminological Service, Greek Police Ta Nea Galiatsos, G. Director of Exercises, Athens Olympic Security Ta Nea Mitropoulos, G. Chief of Staff, Ministry of Public Order Ta Nea l hi f f ff i i f bli d Konstantinidis, V Olympic Games Security Director Ta Nea Nasiakos, Fotis Former Chief, Greek Police (phone given to another) Ta Nea Dimoschakis, An. Chief Staff, Greek Police Ta Nea Syrros, St. Former An Chief of Staff Greek Police Ta Nea Syrros St Former director of Counterterrorism division, Greek Police Ta Nea Galikas, D. Director of Counterterrorism Division, Greek Police Ta Nea Angelakos, Giorgos Chief of Greek Police Ta Nea seven senior military Senior officers in general staff Ta Nea G ff T N General S ff C l Staff Communications Di C i i Dir Communications Di i i Director, chief of General Staff Defense Ministry staffer Defense Ministry staff company Eleft 2/5
Targeted people (Vodafone Hellas/3) g p p ( / )• FOREIGNER CITIZIENS TARGETS FOREIGNER CITIZIENS TARGETS: Meim, Mohamad Pakistani Elef Moktar, Ramzi Sudanese Elef Maloum, Udin Sudanese Elef Maloum Udin Elef Jamal Abdullah Jamal, Abdullah Lebanon radio reporter or Syrian journalist, now fast food operator Elef Sadik, Hussein Moh. Pakistani store owner El f T k Ib hi Ah t I i El f K di A i Elef Tarek, Ibrahim Ahmet Iraqi Elef Kadir, Aris Kurd Elef Thair, Hermiz Iraqi Elef Ayoubi, Chadi Lebanese al Jazeera reporter, Gr resident Elef Basari, p , , Mohamed Iraqi immigrant Igoumenitsa, 3 years, furniture factory worker Nea 3‐16 Unnamed Syrian Unnamed Syrian 3 years Nea 3 16 Unnamed Iraqi Syrian, 3 years 3‐16 Unnamed Unnamed Iraqi, 2 years Nea 3‐16
Targeted people (Vodafone Hellas/4) g p p ( / )• UNEXPLAINED TARGETS UNEXPLAINED TARGETS: Fergadis, Theodoros businessman Elef. 3Feb Kakotaritis, Giorgos blanket factory? Elef. 3Feb Linardos, Nikolaos g y , Pegasus financial co, underwear firm Nea 3‐16 Cretan businessman shipper of remote control airplanes, including Souda Bay Vima 3/25 Cretan refrigeration tech Bay Vima 3/25 Cretan Refrigeration tech from Ag. Nikolaos Crete Vima 3/25 Koika, Katerina journalist Elef. 3Feb Psychogios, Giorgos criminal lawyer, Thebes criminal lawyer Thebes mayor candidate Elef 3Feb candidate Elef. 3Feb Makris, Kostas Elef. 3Feb Barbarousi, Dimitra Elef. 3Feb Notas, Anastasios Elef Pavlidis, Pavlos Elef Pnevmatikakis, Angelos Elef k A l El f unknown card phone 6942 5447 A ti t d d h 6942 5447.. Activated 2/28/05 Vima 2/25
Co c us o s Conclusions• A “suicided” dead man here too… – Telecom Italia scandal (2005) ( ) – KGB/CCC (1989)• A A very li ht negative image of V d f light ti i f Vodafone Hellas: media didn’t hit that much the subject on the news coverage.• Obscure CIA links ? CIA links• Rootkit Ericsson AXE MSC.
5 years later…. (2010) 5 years later (2010)• What’s going on?!?• It happened that cybercrime organized gangs cybercrime organized began realizing, since 2005, that it’s all about money….. money• And, that the end‐user it’s an easier hack rather than a Corporate Telco (depends on the Telco, tough! ;) Telco, tough! ;)
Upcoming issues: targetting the end‐user with mobile dialers d ih bil di l
Uh? How this happened??
“Playing games”, do ya??
Let’s pick up one…
..and its “hidden” code
The numbers• +882346077 Antarctica• +17675033611 Dominican republic• +88213213214 EMSAT satellite prefix• +25240221601 Somalia• +2392283261 São Tomé and Príncipe +2392283261 São Tomé and Príncipe• +881842011123 Globalstar satellite prefix
So…we’re talking about Billing, right? That, toTh t t me, goes straight along with t i ht l ith Mediation ☺
MEDIATION AND BILLINGMediation is the process that converts and transports raw CDR dataIt can also be used to translate provisioning commands to the NEIt isI i a critical part of the provisioning and billing cycles ii l f h i i i d billi lMost convenient place to commit fraud 56
THE BILLING PROCESS Not WCS Multiple Card CARD Fulfilment BANK payments ISCP ISCP Vendors. & authorisation AUTHORISATION SGSN Information access, TAP supply for Internet Reporting E-Wallet CLEARING information (APIs) and DD payments GGSN Interactive TV DD Returns Card payments HOUSE IN Security. & authorisation Platform Certification and encryption W AP To WAP, BANK I/F CARD PAYMENTS Small nd IVR Roaming ra a SMSC, IN (EFT) Purchases m e n da t call data s to VMS etc. Portal. Cu criptio Information access su bs DD payments device for Internet DD Returns External Billing for Card payments information (APIs) content supply SMC WWW Customer and Mediation SOG AuC service requests, subscription data, Billing Sys e & Go de Database g System Golden a abase Service requests System p and responses Service activation and real time billing and responses Collection d C ll ti and gateway CRM Tool Customer and service administration, personalisation, content management, normalisation of call HLR tariffing, SIM and number management, provisioning requests, call data ID & Address collection, rating and billing (roaming, retail and interconnect), and payment data, and transfer of Normalised service requests to Validation Customer details, collection call data BGW Customer details Credit score result GSM network Call data Billing gateway MSC Normalised address Credit Scoring manages integration Customer of billing system and Result of check external validation SIM orders, dispatched SIMS,CREDIT CHECK agencies. Dealer codes, activation Dispatch SIM Commissions BANK I/F information, money back SIM orders, dealers codes Sales and Dealer Customer deactivations, GL updates & Roaming Data Result of check general ledger updates Subscriber data Warehouse Bad Debt Rated CDRs Pre-pay CDRs Database Unrated CDRs Ernie PRINTING BLACKLIST ? SIM SAP SAP Manufacturer Sales support, logistics and finance processing, Human Resource, and Materials Management Customer and subscription changes Document Dealer information Imaging g g S Financial/Inve ntory -Outbound Outbound Electronic Queue inc IM lud + M Material master -Goods mvt inbound Manager POS FRAUD ing S I -Picking conf. inbound b l a SD N Service Centre Queue Activation ck n WCS Shops -Change serial# kits -Physical inv. inbound measurement tool lis um tin b Site rental Assets g e rs IM EI Retail Outlets Logistics Shops & Multi Company Dealers Media Screen Navigation Query type Isaac IMS Call (CLI) ACD Caller ID, CRM Tool Case Based Reasoning Sites, Sites administration, BTS buildCustomer call Per call Distribute customer Service Level, Manage customer Tool GIS faults provision and transmission, Preferred Language tasks to completion (Geographical Information operations and network faults calls in call centre Diagnose problems and & Links Recommendation System) logging recommend solutions Site, Dealer & Shops info IVR Caller ID and Screen Preference navigation Signal strength and coverage IVR O/S Scholar Predictive Knowledge System Identify customer, Operator services preference and satisfy Dialler Directory inquiries On-line call centre Radio planning reference simple queries tool 57
ATTACKS ON MEDIATION / BILLINGRaw database edit. Conveniently deletes selected records containing billing data.billing dataModification of the charging tables in the billing systemPatching of the rater application to eliminate certain CDR e.g. belonging to a given MSISDN Backdoors in mediation gateways to remove CDR dataConfidential information on subscribers activities (numbers called, Confidential information on subscribers activities (numbers called,received, SMS, data, etc.)Modification of CDR processing rulesModification of test numbers whitelistModification of “test numbers” whitelistLive patching of CDR data while in mediation queuePatching of mediation application (e.g. loading scripts)GPRS packet aggregation rules modification 58
L.I.G./ L.I.G./L.I.S. ATTACKSLegal Interception Gateway is used by police and intelligence agencies.Legal Interception Gateway is used by police and intelligence agenciesConnected to MSC though special interface. Very user‐friendly.Based on standard UNIX and TCP/IP so potentially open to common attacks tt kCompromise of a LIG would allow real‐time interception and call eavesdropping.Could compromise the agencies’ own facilities.RAOUL, don’t forget to tell ‘em about the “911 Pentest”…. ;) 59
SS7: the next SS7: the next nightmare• A Signalling & Billing (inter‐operators) p protocol build in the 70’s and developed in the p 80’s.• Why? LOL Why? LOL• …….‘cause Captain Crunch invented blue‐ boxing, that was running in‐band.• So SS7 went “out‐of‐band”. So SS7 went out‐of‐band• Simple (KISS)!
SS7 SIGNALLINGMobile networks primarily use signalling System no. 7 (SS7) for communication between networks for such activities as authentication, location update, and supplementary services and call control. The l i d d l i d ll l Thmessages unique to mobile communications are MAP messages.The security of the global SS7 network as a transport system for signallingThe security of the global SS7 network as a transport system for signallingmessages e.g. authentication and supplementary services such as call forwarding is open to major compromise. The problem with the current SS7 system is that messages can be altered, injected or deleted into the global SS7 networks in an uncontrolled manner. 61
EXAMPLES OF SS7 ATTACKSTheft of service, interception of calling cards numbers, privacy concerns , p g ,p yIntroduce harmful packets into the national and global SS7 networksGet control of call processing, get control of accounting reportsObtain credit card numbers, non listed numbers, etc.Obtain credit card numbers non‐listed numbers etcMessages can be read, altered, injected or deletedDenial of service, security triplet replay to compromise authenticationAnnoyance calls, free calls, disruption of emergency servicesAnnoyance calls free calls disruption of emergency servicesCapture of gateways, rerouting of call trafficDisruption of service to large parts of the networkCall processing exposed through Signaling CC ll i d h h Si li Control Protocol lP lAnnouncement service exposed to IP through RTPDisclosure of bearer channel traffic 62
SS7 ENTRY POINTS 63
SS7: A CLOSED NETWORKWith a limited number of carriers and limited points of interconnection, the p y p goperators could assume with fair certainty that all of the elements passing data were trusted sources. Unlike IP protocols, security features like authentication and encryption were not built into the SS7 protocol. Rather, the focus has been placed on creating p , p gsecure physical environments for the network equipment rather than secure protocols. STPs, the routers of the SS7 network, perform gateway screening to prohibit STPs, the routers of the SS7 network, perform gateway screening to prohibitinbound and outbound messages from unauthorized nodes. The addresses of individual nodes within a network are isolated. Global title translation (GTT) enables a network to receive messages from Global title translation (GTT) enables a network to receive messages fromother networks without disclosing the unique addresses, called point codes, of its own nodes. 64
SS7: ATTACK TAXONOMY 65
SOME REAL-LIFE EVIDENCES REAL- 66
WI-WI-FI: HW TOOLS FOR PROACTIVE SECURITY 67
CDR FILES FROM MEDIATION AREAXXX8557710<X81>^F<X81>3<X83>Uw^A<C/>^U<X80>^A^@<X81>^A^A<X82>^A^@<X83>XXX2199557<X83>^F<X81>3#<PU1>Yu<IND>^C^C^F<NEL>^C^O$<ESC><SSA>^A^A<ESA>^C^C^F<VT><HTS>^C^O$<ESC><HTJ>^B^@<PLU><VTS>^A^@<<<>^F<X80>^A^X<X81>^A^@<PLU>^A^@<SS2>^A^@<PU1>^B^A<o^><PU2>^A^B<3^>^U<X80>^A^@<X81>^A^A<X82>^A^@<X83> 68
OBTAINING CUSTOMERS INFORMATIONOBTAINING CUSTOMERS INFORMATION 74
This can bescripted ! 77
Contacts• Raoul ChiesaSenior Advisor, StrategicSenior Advisor, Strategic Alliances & & Cybercrime IssuesUNICRI – U i d N i United Nations IInterregional C i i l Crime & & Justice Research Institute@ Mediaservice.net, FounderEmail: E il chiesa@UNICRI.it (UN) hi @UNICRI it firstname.lastname@example.org (business)