Dmitry Kurbatov. Five Nightmares for a Telecom
Presentation Transcript

    • Five Nightmares for a Telecom
      Dmitry Kurbatov, Information security specialist, Positive Technologies
      Positive Hack Days III
    • Agenda
      ― Physical access to a base station network
      ― OSS vulnerabilities
      ― Attacks on GGSN, something about GRX
      ― How to lose 1,5 million with VoIP in a DAY
      ― VAS vulnerabilities
    • Physical access to a base station network
    • Access networks for base stations
      ― Before: from ATM to SDH/SONET, DSL (access network)
    • Access networks for base stations
      ― Now: IP/MPLS, metro Ethernet
    • In the same wire
      ― Voice and data
      ― Device management channel: HTTP/HTTPS, Telnet/SSH, MML
    • Device management protocols
      ― Insecure HTTP, Telnet
      ― MML (man-machine language) ~ Telnet
      Clear text: logins/passwords
    • Physical access
      ― How to get access and what to do next?
    • Attacks in Ethernet networks
      ― ARP spoofing
      ― No protection against gratuitous ARP
    • Results
      Clear text: login/password
      Command execution
    • Go further
      A single IP subnet
    • BSC/RNC
      ― Radio resources management
      ― Mobility
      ― User data encryption
      OS: Windows, Linux
      Services: RDP, SSH, MML/telnet
      No patches, with defaults
    • Real life
      ― Too many devices
      ― Equal/weak passwords
      ― Default accounts
    • OSS vulnerabilities
    • Operation support subsystem
      Web interface
      Client application
    • XML External Entity Injection
      ― “XML Data retrieval” by Yunusov and Osipov on
      ― Data retrieval
    • “All like it”
    • Example
      Request for OSS: etc/shadow in response
    • Go further
      ― Bruteforce hashes from etc/shadow
      ― OSS access with administrative privileges
    • Operation support subsystem
      ― Is as vulnerable as any other software
      ― Is there patch management?
      [Chart: vulnerability detected / fixes developed / vulnerability and fixes issued; the figures did not survive extraction]
      Vulnerabilities by type: Denial of Service, Code Execution, Buffer Overflow, Memory Errors, SQL Injection, Cross-Site Scripting, Directory Traversal, Restriction Bypass, Information Disclosure, Privilege Escalation, Cross-Site Request Forgery
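The XXE slides above show an OSS web interface handing back etc/shadow because its XML parser honoured an external entity declared in the request. The fix on the defending side is to refuse any DTD before the document reaches the application parser. The following is an added example, not code from the talk or from any OSS product: a guard built on Python's stdlib expat parser that rejects a DOCTYPE or entity declaration, followed by a parser for a hypothetical `<request>` document. The request format and the two sample documents are constructed for this illustration. (Python's own `xml.etree` does not fetch external entities, so here the guard mainly makes the policy explicit; the same check in front of a parser that does resolve entities is what closes the hole.)

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD or an entity declaration."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Fail fast if the document declares a DOCTYPE or any entity.

    A management request has no legitimate need for a DTD, so refusing one
    outright is simpler and safer than enumerating dangerous entity kinds.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} is not allowed in requests")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXmlError(f"entity {name!r} declaration is not allowed")

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)  # also raises ExpatError on malformed XML


def parse_oss_request(xml_bytes: bytes) -> dict:
    """Parse a hypothetical <request> element into a flat dict (guard first)."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != "request":
        raise ValueError("unexpected root element")
    return {child.tag: (child.text or "") for child in root}


def accepts(xml_bytes: bytes) -> bool:
    """True if the request passes the guard and parses cleanly."""
    try:
        parse_oss_request(xml_bytes)
        return True
    except (UnsafeXmlError, xml.parsers.expat.ExpatError, ET.ParseError, ValueError):
        return False


# Constructed sample requests for the illustration.
SAFE_REQUEST = b"<request><user>alice</user><node>BSC-01</node></request>"

XXE_REQUEST = (
    b'<?xml version="1.0"?>\n'
    b"<!DOCTYPE request [\n"
    b'  <!ENTITY shadow SYSTEM "file:///etc/shadow">\n'
    b"]>\n"
    b"<request><user>&shadow;</user><node>BSC-01</node></request>"
)

DOCTYPE_ONLY = b"<!DOCTYPE request><request><user>bob</user></request>"

if __name__ == "__main__":
    print("safe request   ->", parse_oss_request(SAFE_REQUEST))
    print("XXE request    ->", "accepted" if accepts(XXE_REQUEST) else "rejected")
    print("DOCTYPE only   ->", "accepted" if accepts(DOCTYPE_ONLY) else "rejected")
```

Rejecting on the DOCTYPE itself, rather than only on SYSTEM entities, also shuts out internal-entity expansion attacks and parameter-entity tricks, at the cost of refusing the rare legitimate document that ships a DTD; for a management interface that trade is the right one.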
    • Attacks on GGSN, something about GRX
    • Theory
      Service delivery
      Mobility
    • Firewalling
      VPN for a corporate client
      ACL
      inspect
      ???
    • GRX
    • GRX. Basics
      • Open for all providers
      • High quality (QoS)
      • All in IP – easy support for SIP, RTP, GTP, SMTP, SIGTRAN
      • ….. something more
      • Secure, meaning fully separated from the Internet, both physically and logically.
    • Real life
    • Arguments
    • GTP
      ― no embedded security functions
      ― no integrity
      ― no data encryption
    • Spoofed GTP PDP Context Activate/Delete
      [Diagram: PDP Context Activate/Delete messages]
    • What is to be done?
      ― Monitor perimeter
      ― Configure GGSN correctly
    • Results
      ― No time for “usual” security?
      ― Useful functions are often ignored
    • How to lose 1,5 million with VoIP in a DAY
    • True story
      SoftSwitch: • call service management • signalling • etc.
      VoIP anywhere
    • Fraud
      [Diagram: VoIP to Cuba, $$$]
    • Investigation
      [Diagram: VoIP to Cuba; additional IP in client profile]
    • Investigation
      ― Company’s engineer?
      Web interface, account: admin, pass: default, web access
    • Investigation goes further
      ― Software was updated
      ― There were deb packets on the server
      Script to LOAD “some” DATA INTO Auth_table: here is the default administrator
    • Scheme
      1) Information 2) Experience 3) Business ability 4) $$$
      [Diagram: vulnerability after updating → configuration modification → VoIP to Cuba]
    • Questions still remain
      ― Who created this deb packet?
      ― Who was able to understand the routing table?
      ― How many providers suffer?
      IS audit required?
    • VAS vulnerabilities
    • Additional services
      ― Good ideas
      ― Joy for clients
      ― Low quality
      ― Vulnerabilities
      ― Possibility to steal money
    • Incident
      ― Attack against self-service portal
      ― Account bruteforce
      ― Service installation
    • Investigation
      ― Analysis of a web server event log: attacker’s IP address
    • Investigation
      ― Source and used scripts are found
      Service installation, service confirmation, log in to the portal with the account
    • CAPTCHA Bypass
      ― The self-service portal incorrectly uses CAPTCHA
      ― CAPTCHA is not implemented in similar mobile applications
    • Scheme
    • Insufficient Authentication
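The VAS incident was reconstructed from the web server event log, where the attacker's address stood out by its run of failed logins to the self-service portal before a successful one. Below is an added example, not code from the talk or from any portal vendor, of the detection logic a defender would run over such a log: it parses Apache-style combined log lines, keeps a sliding window of failed POSTs to the login path per source address, and raises one alert when the failure count crosses a threshold and another when a success follows such a burst (the account-takeover pattern). The login path, status-code conventions (401 = failed, 302 = logged in) and the sample lines are all constructed assumptions for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined-log prefix: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return the fields this detector needs, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_login_bruteforce(lines, login_path="/selfcare/login",
                            threshold=5, window_s=60):
    """Flag addresses with >= threshold failed logins inside window_s seconds,
    and any success from such an address while the burst is still in the window."""
    window = timedelta(seconds=window_s)
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    burst_reported = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        recent = failures[rec["ip"]]
        while recent and rec["ts"] - recent[0] > window:   # expire old failures
            recent.popleft()
        if rec["status"] == 401:
            recent.append(rec["ts"])
            if len(recent) >= threshold and rec["ip"] not in burst_reported:
                burst_reported.add(rec["ip"])
                alerts.append({"ip": rec["ip"], "kind": "failed_login_burst",
                               "count": len(recent), "at": rec["ts"]})
        elif rec["status"] in (200, 302):
            if len(recent) >= threshold:
                alerts.append({"ip": rec["ip"], "kind": "success_after_burst",
                               "count": len(recent), "at": rec["ts"]})
            recent.clear()   # a successful login resets the counter
    return alerts


def _line(ip, hhmmss, method, path, status):
    return (f'{ip} - - [17/May/2013:{hhmmss} +0300] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: one scripted burst, one ordinary user who mistyped twice.
SAMPLE_LOG = [
    _line("198.51.100.4", "10:00:40", "GET", "/selfcare/login", 200),
    _line("198.51.100.4", "10:00:50", "POST", "/selfcare/login", 401),
    _line("198.51.100.4", "10:01:02", "POST", "/selfcare/login", 401),
    _line("198.51.100.4", "10:01:15", "POST", "/selfcare/login", 302),
] + [
    _line("203.0.113.7", f"10:01:{5 + 5 * i:02d}", "POST", "/selfcare/login", 401)
    for i in range(6)                      # six failures, 10:01:05 .. 10:01:30
] + [
    _line("203.0.113.7", "10:01:35", "POST", "/selfcare/login", 302),
    _line("203.0.113.7", "10:01:40", "POST", "/selfcare/services/activate", 200),
]

if __name__ == "__main__":
    for alert in detect_login_bruteforce(SAMPLE_LOG):
        print(alert)
```

Correlating the flagged address with what it did after logging in (here the activation request that follows) is what turns the alert into the incident timeline the slides describe; that join belongs in whatever log pipeline the portal feeds, not in this detector.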
    • Summary
      ― A telecom provider is a huge and complex system
      ― Only 5 hack incidents
      ― How many more options?
    • Optimistically
      ― Open Source solutions and research capabilities
      ― More audits
      ― Vulnerability databases
      ― Scanners and compliance management systems
    • Thank you for your attention!
      Dmitry Kurbatov, dkurbatov@ptsecurity.ru
      Information security specialist, Positive Technologies