Turner.issa vulns.150604

Published in: Technology
1. Cellular Network Attacks: What the latest vulnerabilities mean for businesses and individuals
   Aaron Turner, CEO, IntegriCell; IANS Research Faculty. ©2014 IANS

2. At a Glance
   • Every network humans have constructed has vulnerabilities; why should cellular networks be any different?
   • The base station problem: localized attacks with significant impacts
   • The SS7 problem: global attacks with enormous consequences
   • Why MDM/EMM/MAM are essentially useless playthings when it comes to these vulnerabilities
   • We've got a lot of work to do

3. Cellular network architecture overview
   (Diagram: Operator 1, Operator 2 and Operator 3, interconnected through the SS7 network.)

4. A quick cellular network lesson
   • BTS, Base Transceiver Station: a 'cell tower', the point where the cellular network moves from fiber to RF
   • HLR, Home Location Register: the home operator's master subscriber database, which records what services you are entitled to and which VLR/MSC currently serves you
   • VLR, Visitor Location Register: the temporary copy of the subscriber record kept by the MSC currently serving the phone; for roaming users it holds what the home operator has told the roaming operator it may offer
   • SS7, Signaling System #7: the packet-like signaling network that operators use to exchange messages; SIGTRAN (an IETF protocol suite) carries SS7 messages over IP
   • MSC, Mobile Switching Center: handles cell handoff, SS7 interchange (for cell-to-landline calls), SMS services, voice conferencing and billing/charging
5. Remember when…
   • We used to create passive network sniffers?
   • It was just a matter of double-connecting the TX and RX pairs
   • In the OSI model, a 'Physical' layer attack

6. Back to the Future
   • Imagine cellular RF signals as the new physical attack layer
   • As copper was to CAT 5 cable, RF is to cellular
   • Unfortunately…
     ◦ Cell phones do not have the integrity controls to assure connection to an authorized BTS; in GSM the network authenticates the phone, but the phone never authenticates the network
     ◦ Most cellular subscribers have no idea what the state of their network connection is

7. What does this mean?
   • Your cell phone will gladly connect to any BTS that says it wants to talk to it
   • The BTS instructs the phone what level of protection the communications must have
     ◦ Weak or no encryption? Sure thing! (The GSM cipher mode is commanded by the network; the phone has no standard way to refuse it.)
   • The BTS can terminate, capture, replay or otherwise manipulate anything flowing through it
     ◦ Yes, even if the BTS is not owned by the authorized operator, an attacker can capture all of the traffic: voice, SMS & data
8. False BTS Scenario
   • Theory: attackers would put their BTS in a cargo van, drive around the target and stay mobile
   • Reality: attackers are placing their BTS inside the building and conducting persistent attacks

9. What data can be stolen?
   • London: a media company's offices were targeted for pre-market access to financial information
     ◦ An earnings report 'heads up' SMS was sent to a financial reporter
     ◦ The reporter's service was intercepted
     ◦ The attacker was able to gain an advantage in commodities or equities
   • US: engineering facilities were targeted for product development information
     ◦ Rapid prototyping teams rely more on their mobile devices than on IT infrastructure
     ◦ Attackers were able to gather product development details and scheduling information

10. Washington DC Findings
   • 15 total areas of interest in DC
   • Over 40 alerts in those areas
   • 4 research devices

11. Bay Area Findings
   • 5 total areas of interest
   • Over 30 firewall alerts
   • 3 research devices
   • 2 networks
   • 2 locations where full intercept capabilities were underway

12. BTS Vulnerabilities Bottom Line
   • Cellular network communications can be easily intercepted
   • Intercept is a localized attack
     ◦ Limited to a particular area, based on the strength of the false BTS' signal
     ◦ Not necessarily scalable for large-scale attacks
   • Intercept can be universal or targeted
     ◦ All devices in a particular area, or the interceptor can 'shed' non-targeted devices and focus only on those of interest
   • What controls exist?
     ◦ Baseband firewalls are the best option for false BTS awareness
     ◦ Beware of software-only offerings: true promiscuous-mode monitoring requires kernel- and driver-level modification of cellular radios
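To make the "baseband firewall" idea on slide 12 concrete, here is an added example (not code from the slides or from any product) of the kind of heuristics such a tool applies to a stream of cell observations: a cell not seen in a baseline site survey, the BTS commanding no GSM cipher (A5/0), a downgrade from LTE/UMTS to GSM without loss of coverage, and a location-area change coinciding with an abrupt signal gain. The record fields, the KNOWN_CELLS survey, the 20 dB threshold and the sample observations are all constructed assumptions; as the slide warns, a real implementation only works if the radio actually exposes this data, which normally means baseband- or driver-level access.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CellObs:
    """One observation of the serving cell (fields are assumed, not a real API)."""
    t: int        # seconds since monitoring started
    rat: str      # radio access technology: "LTE", "UMTS" or "GSM"
    mcc: int      # mobile country code
    mnc: int      # mobile network code
    lac: int      # location/tracking area code
    cid: int      # cell id
    rssi: int     # received signal strength in dBm
    cipher: str   # GSM cipher commanded by the BTS ("A5/1", "A5/3", "A5/0" = none); "n/a" otherwise


# Constructed site survey: cells a baseline walk-through of the building actually saw.
KNOWN_CELLS = frozenset({
    (310, 260, 4011, 23321),
    (310, 260, 4011, 23322),
    (310, 260, 4012, 23401),
})

RAT_RANK = {"GSM": 0, "UMTS": 1, "LTE": 2}
SIGNAL_JUMP_DB = 20   # assumption: a new cell this much stronger than the last one is suspicious


def indicators(observations):
    """Return (time, kind, detail) tuples for every false-BTS indicator in the stream."""
    alerts = []
    prev = None
    for o in observations:
        key = (o.mcc, o.mnc, o.lac, o.cid)
        if key not in KNOWN_CELLS:
            alerts.append((o.t, "unknown-cell", f"{key} not in site survey"))
        if o.rat == "GSM" and o.cipher == "A5/0":
            alerts.append((o.t, "no-cipher", "BTS commanded A5/0 (cleartext)"))
        if prev is not None:
            # A downgrade is only natural when the better RAT is fading; here it is not.
            if RAT_RANK[o.rat] < RAT_RANK[prev.rat] and o.rssi >= prev.rssi - 5:
                alerts.append((o.t, "downgrade", f"{prev.rat} -> {o.rat} without losing coverage"))
            # A new location area that is suddenly much louder than the old serving cell.
            if o.lac != prev.lac and o.rssi - prev.rssi >= SIGNAL_JUMP_DB:
                alerts.append((o.t, "lac-jump", f"LAC {prev.lac} -> {o.lac} with +{o.rssi - prev.rssi} dB"))
        prev = o
    return alerts


def verdict(observations, min_distinct=2):
    """Flag only when at least min_distinct different indicator kinds fire (single hits are common)."""
    kinds = {kind for _, kind, _ in indicators(observations)}
    return "false-BTS suspected" if len(kinds) >= min_distinct else "ok"


# Constructed sample: two normal LTE observations, then a strong unknown GSM cell with no cipher.
SAMPLE = [
    CellObs(0,   "LTE", 310, 260, 4011, 23321, -92, "n/a"),
    CellObs(60,  "LTE", 310, 260, 4011, 23322, -90, "n/a"),
    CellObs(120, "GSM", 310, 260, 9999, 1,     -55, "A5/0"),
    CellObs(180, "GSM", 310, 260, 9999, 1,     -54, "A5/0"),
]

if __name__ == "__main__":
    for alert in indicators(SAMPLE):
        print(alert)
    print(verdict(SAMPLE))
```

Requiring two distinct indicator kinds rather than one keeps a single unknown cell (a new macro cell, a neighbour's femtocell) from paging someone; the combination of an unseen cell, a cleartext cipher command and a downgrade that the signal conditions do not explain is what a practitioner would actually escalate.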
13. What's this SS7 thing?
   • SS7 is like DNS and SMTP rolled into one system
     ◦ It allows carriers to perform lookups on subscribers' status, AND
     ◦ It allows carriers to deliver content to each other about subscriber activity
   • What could possibly go wrong?
   • SS7 high-profile examples:
     ◦ Number portability
     ◦ SMS one-time-use codes
     ◦ Subscriber geolocation (criminal investigation, etc.)

14. SS7 Vulnerabilities Overview
   • Every network operator has SS7 nodes which they have configured as Service Control Points (SCP) and Signaling Gateways (SG)
   • Perimeter-based protections & controls
   • Have security perimeters failed in the past?

15. What attacks can be run today?
   • International Roaming Fraud
     ◦ A SIM vendor in country X sells an 'unlimited roaming' SIM for country Y
     ◦ The SIM vendor colludes with attackers to toggle the SIM from post-paid to pre-paid and back again
     ◦ This essentially allows for a free month of roaming
     ◦ The SIM vendor profits; the operator in country Y loses revenue
   • Bad news for operators… what about for enterprises?

16. Subscriber Tracking & Information Disclosure
   • What if I wanted to track your company's executives in real time?
     ◦ Use the information for potential deal-making intelligence: M&A opportunities, etc.
   • Operators say, "Can't happen!"
   (Diagram: VLR/MSC and HLR behind the operator's SS7 interconnect, with the incoming query shown blocked at the interconnect.)

17. But, the perimeter fails…
   • Just like the perimeters of the past, they can be bypassed
   (Diagram: the same HLR and VLR/MSC, with the query reaching them through the SS7 interconnect.)

18. VLR Query Example
   • Even if the HLR filters requests, most of the time the VLR is vulnerable
   • Operators have hardened their SGs and HLRs but not their VLRs
   • IMEI and subscriber state (currently in a phone call or not?) can be requested directly from the VLR (in MAP, the provideSubscriberInfo operation)

19. SMS Intercept
   • Electronic banking & SMS MFA fraud, made possible by forced re-routing of authentication SMS messages and/or calls to the attacker
   • The exchange (diagram: attacker, SS7 interconnect, HLR, SMSC, and subscriber A's real VLR/MSC):
     1. The attacker tells the HLR that subscriber A is now logged on to his "network" (updateLocation)
     2. The bank sends a text message with an mTAN to subscriber A
     3. The SMSC asks the HLR where to deliver it (sendRoutingInfoForSM) and is referred to the attacker's "VLR" as the destination
     4. The SMS is delivered to the attacker (mt-ForwardSM)

20. Root cause analysis
   • Attackers are likely exploiting common cybersecurity vulnerabilities to gain access to SS7 interconnects
     1. The attacker identifies a vulnerable international roaming partner and runs an APT-style operation against it
     2. The exploited SS7 interconnect is then used to send commands to the target network
     3. The attacker exploits the target SS7 network for fraud or information gathering
   • As long as the attacker does not get too greedy or send too many commands through the roaming partner's SS7 interconnect, these attacks are very difficult to detect
   • The attack surface is surprisingly large: 800 operators in 220 countries
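The four-step SMS intercept on slide 19 and the root cause on slide 20 (the attacker's messages arrive through a legitimate roaming partner's interconnect, so a simple trust-the-partner perimeter does not stop them) are modelled in the added example below. It is not code from the slides; it is a toy HLR and SMSC exchanging the three MAP operations the slide names, once with a naive HLR that believes any updateLocation and once with a plausibility (velocity) check of the kind SS7 firewalls add: a subscriber who attached in one country minutes ago cannot have attached in another. All global titles, the country-code table, the one-hour travel window, the IMSI/MSISDN and the bank's message are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed global titles (E.164 addresses of SS7 nodes) and subscriber identities.
HOME_VLR_GT = "15550000020"       # home operator's VLR/MSC, country code 1
PARTNER_VLR_GT = "4470000000020"  # legitimate roaming partner's VLR, country code 44
ATTACKER_VLR_GT = "4470000000099" # attacker's "VLR", reached through the partner's interconnect
IMSI = "001010123456789"
MSISDN = "15551230001"

COUNTRY_BY_CC = {"1": "US", "44": "GB"}  # constructed; a real lookup needs the full E.164 plan
MIN_COUNTRY_HOP_SECONDS = 3600           # assumption: nobody re-attaches in another country within an hour


def country_of(gt):
    """Map a global title to a country by its longest matching country code."""
    for cc in sorted(COUNTRY_BY_CC, key=len, reverse=True):
        if gt.startswith(cc):
            return COUNTRY_BY_CC[cc]
    return "??"


@dataclass
class Hlr:
    velocity_check: bool
    subscribers: dict = field(default_factory=dict)   # MSISDN -> IMSI
    serving_vlr: dict = field(default_factory=dict)   # IMSI -> (VLR global title, attach time)
    log: list = field(default_factory=list)

    def update_location(self, imsi, vlr_gt, now):
        """MAP updateLocation: a VLR reports that the subscriber has attached to it."""
        prev = self.serving_vlr.get(imsi)
        if self.velocity_check and prev is not None:
            prev_gt, prev_t = prev
            if country_of(prev_gt) != country_of(vlr_gt) and now - prev_t < MIN_COUNTRY_HOP_SECONDS:
                self.log.append(f"REJECT updateLocation {imsi} -> {vlr_gt}: "
                                f"{country_of(prev_gt)} to {country_of(vlr_gt)} in {now - prev_t}s")
                return False
        self.serving_vlr[imsi] = (vlr_gt, now)
        self.log.append(f"ACCEPT updateLocation {imsi} -> {vlr_gt}")
        return True

    def send_routing_info_for_sm(self, msisdn):
        """MAP sendRoutingInfoForSM: tell the SMSC which node currently serves this MSISDN."""
        imsi = self.subscribers[msisdn]
        return imsi, self.serving_vlr[imsi][0]


@dataclass
class Smsc:
    hlr: Hlr
    delivered: list = field(default_factory=list)

    def deliver(self, msisdn, text):
        """Ask the HLR for routing info, then mt-ForwardSM to whatever node it names."""
        imsi, vlr_gt = self.hlr.send_routing_info_for_sm(msisdn)
        self.delivered.append((vlr_gt, imsi, text))   # no further check: the HLR's answer is trusted
        return vlr_gt


def run_intercept(velocity_check):
    """Slide 19's four steps; returns the global title the bank's SMS was delivered to."""
    hlr = Hlr(velocity_check)
    hlr.subscribers[MSISDN] = IMSI
    hlr.update_location(IMSI, HOME_VLR_GT, now=0)            # subscriber A is at home
    # Five minutes later the attacker, speaking through a roaming partner's interconnect,
    # claims that subscriber A has attached to the attacker's "VLR" (step 1).
    hlr.update_location(IMSI, ATTACKER_VLR_GT, now=300)
    smsc = Smsc(hlr)
    return smsc.deliver(MSISDN, "Your mTAN is 482913")       # steps 2-4; constructed bank message


def legitimate_roaming_accepted():
    """The same check must not break real roaming: a partner attach eight hours later is fine."""
    hlr = Hlr(velocity_check=True)
    hlr.update_location(IMSI, HOME_VLR_GT, now=0)
    return hlr.update_location(IMSI, PARTNER_VLR_GT, now=8 * 3600)


if __name__ == "__main__":
    print("naive HLR delivered mTAN to:", run_intercept(False))
    print("hardened HLR delivered mTAN to:", run_intercept(True))
```

The velocity check is one control, not a fix: it says nothing about an attacker who waits out the window before sending updateLocation, and it does nothing for the VLR queries of slide 18, which never touch the HLR. That is why the slides' enterprise-side advice is to stop treating SMS as an authentication channel rather than to wait for operators to filter.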
21. Cellular Network Vulnerabilities: The Bottom Line
   • BTS vulns:
     ◦ Enterprises are left with very little control
     ◦ Deploy baseband firewalls and monitor
   • SS7 vulns:
     ◦ Shift away from SMS-driven authentication
     ◦ Train executives to leave primary phones behind on sensitive trips
     ◦ Vendors like Payfone are going to be in a rough situation

22. Questions & Comments?
   Aaron Turner; or connect with me on LinkedIn.