Dmitry Kurbatov. Five Nightmares for a Telecom

1. Five Nightmares for a Telecom
   Dmitry Kurbatov, Information security specialist, Positive Technologies
   Positive Hack Days III

2. Agenda
   ― Physical access to a base station network
   ― OSS vulnerabilities
   ― Attacks on GGSN, something about GRX
   ― How to lose 1,5 million with VoIP in a DAY
   ― VAS vulnerabilities

3. Physical access to a base station network

4. Access networks for base stations
   ― Before: from ATM to SDH/SONET, DSL
   (Diagram: access network)

5. Access networks for base stations
   ― Now: IP/MPLS, metro Ethernet

6. In the same wire
   ― Voice and data
   ― Device management channel: HTTP/HTTPS, Telnet/SSH, MML

7. Device management protocols
   ― Insecure HTTP, Telnet
   ― MML (man-machine language) ~ Telnet
   Clear text: logins/passwords

8. Physical access
   ― How to get access and what to do next?

9. Attacks in Ethernet networks
   ― ARP spoofing
   ― No protection against gratuitous ARP

10. Results
    Clear text: login/password
    Command execution
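Slides 9 and 10 point out that the base station management segment is plain Ethernet with nothing to stop gratuitous ARP from rebinding a known address. The script below is an added example, not code from the deck or from Positive Technologies: a monitor on that segment that holds the inventory IP-to-MAC bindings for the gateway and the controller hosts and raises an alert whenever an ARP reply claims a different MAC for one of them, or an un-inventoried host announces itself. The addresses, the binding table and the reply stream are all constructed sample data.

```python
"""Detect ARP rebinding on a base station management segment.

Added example (not from the original slides). The detector learns nothing
from the wire; it trusts only the provisioned inventory, which is the
property a defender wants when the segment offers no gratuitous-ARP
protection of its own.
"""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac target_ip")

# Bindings a defender would provision from inventory (assumed values).
KNOWN_BINDINGS = {
    "10.10.1.1": "00:11:22:33:44:01",   # access router / gateway
    "10.10.1.10": "00:11:22:33:44:10",  # BSC management interface
    "10.10.1.20": "00:11:22:33:44:20",  # RNC management interface
}

# Constructed sample stream. Replies 4 and 5 are what a rebinding of the
# gateway address looks like; reply 6 is an unknown host announcing itself.
SAMPLE_REPLIES = [
    ArpReply(1, "10.10.1.1", "00:11:22:33:44:01", "10.10.1.10"),
    ArpReply(2, "10.10.1.10", "00:11:22:33:44:10", "10.10.1.1"),
    ArpReply(3, "10.10.1.1", "00:11:22:33:44:01", "10.10.1.1"),   # gratuitous, matches inventory
    ArpReply(4, "10.10.1.1", "de:ad:be:ef:00:01", "10.10.1.1"),   # gratuitous, conflicts
    ArpReply(5, "10.10.1.1", "de:ad:be:ef:00:01", "10.10.1.10"),
    ArpReply(6, "10.10.1.99", "de:ad:be:ef:00:02", "10.10.1.99"),
]


def detect_arp_spoofing(replies, known=KNOWN_BINDINGS):
    """Return a list of (ts, kind, ip, mac) alerts.

    kind is "binding-conflict" when a known IP is claimed by a MAC that is
    not in the inventory, or "unknown-gratuitous" when a host that is not
    in the inventory announces its own address.
    """
    alerts = []
    for r in replies:
        expected = known.get(r.sender_ip)
        gratuitous = r.sender_ip == r.target_ip
        if expected is None:
            if gratuitous:
                alerts.append((r.ts, "unknown-gratuitous", r.sender_ip, r.sender_mac))
            continue
        if r.sender_mac.lower() != expected.lower():
            alerts.append((r.ts, "binding-conflict", r.sender_ip, r.sender_mac))
    return alerts


def conflicting_macs(replies, known=KNOWN_BINDINGS):
    """Set of MACs that claimed an inventory IP with a non-inventory address."""
    return {mac for _, kind, _, mac in detect_arp_spoofing(replies, known)
            if kind == "binding-conflict"}


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print("ALERT t=%d %s ip=%s mac=%s" % alert)
```

On a real segment the reply stream would come from a capture on a mirror port; the decision logic stays the same, and the conflicting MAC is the first thing to look for in the switch's forwarding table.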
11. Go further
    A single IP subnet

12. BSC/RNC
    ― Radio resources management
    ― Mobility
    ― User data encryption
    OS: Windows, Linux
    Services: RDP, SSH, MML/telnet
    No patches, with defaults

13. Real life
    ― Too many devices
    ― Equal/weak passwords
    ― Default accounts

14. OSS vulnerabilities

15. Operation support subsystem
    Web interface
    Client application

16. XML External Entity Injection
    ― "XML Data retrieval" by Yunusov and Osipov on
    ― Data retrieval

17. "All like it"

18. Example
    Request for OSS: /etc/shadow in response

19. Go further
    ― Bruteforce hashes from /etc/shadow
    ― OSS access with administrative privileges
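Slides 16 to 19 describe an OSS web interface whose XML endpoint expanded an external entity and returned /etc/shadow. The code below is an added example of the endpoint-side fix, not the OSS vendor's code: refuse any request body that declares a DOCTYPE (the only place an entity can be declared) before it reaches the parser, and parse with the standard-library expat parser, which has no external-entity handler. The `oss-request` document format and the two request bodies are constructed samples.

```python
"""Reject DTD-carrying XML before parsing an OSS request.

Added example, not the OSS's own code. The gate is deliberately a byte
level check rather than a parser option, so it does not depend on which
XML library or version sits behind the endpoint.
"""
import re
import xml.etree.ElementTree as ET

# Matched on raw bytes so a DOCTYPE after a BOM or leading whitespace is
# caught as well. XML requires the keyword in upper case; IGNORECASE is
# belt and braces.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised for a request the endpoint refuses to parse."""


def parse_oss_request(body: bytes) -> dict:
    """Parse a constructed <oss-request> and return its fields as a dict.

    Raises UnsafeXMLError for a DOCTYPE declaration or an unexpected root;
    an undeclared entity reference makes the stdlib parser raise ParseError.
    """
    if _DOCTYPE_RE.search(body):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")
    # Stdlib expat parser: no ExternalEntityRefHandler is registered, so
    # nothing can be fetched from the filesystem or the network here.
    parser = ET.XMLParser()
    root = ET.fromstring(body, parser=parser)
    if root.tag != "oss-request":
        raise UnsafeXMLError("unexpected root element %r" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def is_accepted(body: bytes) -> bool:
    """True if the endpoint would process the body, False if it refuses it."""
    try:
        parse_oss_request(body)
        return True
    except (UnsafeXMLError, ET.ParseError):
        return False


# Constructed benign request (assumed operation and cell identifiers).
BENIGN = b"""<?xml version="1.0"?>
<oss-request><op>get-cell-status</op><cell>LAC1-CI42</cell></oss-request>"""

# Constructed request of the kind the slides describe: an external entity
# resolving to the password file, referenced from a field. The gate stops
# it before any parser sees the entity declaration.
HOSTILE = b"""<?xml version="1.0"?>
<!DOCTYPE oss-request [<!ENTITY ext SYSTEM "file:///etc/shadow">]>
<oss-request><op>get-cell-status</op><cell>&ext;</cell></oss-request>"""


if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN))
    print("hostile accepted:", is_accepted(HOSTILE))
```

Rejecting the DOCTYPE outright is the right choice for a machine-to-machine interface like an OSS API, where no legitimate client needs a DTD; if a schema is wanted, validate against an XSD after parsing instead.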
20. Operation support subsystem
    ― As vulnerable as any other software
    ― Is there patch management?
    (Diagram: vulnerability detected -> fixes developed -> vulnerability and fixes issued?)
    (Chart: vulnerabilities by type: Denial of Service, Code Execution, Buffer Overflow, Memory Errors, SQL Injection, Cross-Site Scripting, Directory Traversal, Restriction Bypass, Information Disclosure, Privilege Escalation, Cross-Site Request Forgery)

21. Attacks on GGSN, something about GRX

22. Theory
    Service delivery
    Mobility

23. Firewalling
    VPN for a corporate client
    ACL, inspect, ???

24. GRX

25. GRX. Basics
    • Open for all providers
    • High quality (QoS)
    • All in IP
      – easy support for SIP, RTP, GTP, SMTP, SIGTRAN
    • ….. something more
    • Secure, meaning fully separated from the Internet, both physically and logically.

26. Real life

27. Arguments

28. GTP
    ― no embedded security functions
    ― no integrity
    ― no data encryption

29. Spoofed GTP PDP Context Activate/Delete
    (Diagram: PDP Context Activate/Delete messages)

30. What is to be done?
    ― Monitor perimeter
    ― Configure GGSN correctly
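Slides 28 to 30 state the problem (GTP has no authentication, integrity or encryption, so a GGSN acts on PDP Context Activate/Delete from whoever sends it) and the remedy (monitor the perimeter, configure the GGSN correctly). The code below is an added example, not vendor code, of what the perimeter rule looks like when written down: decode the mandatory GTPv1 header of each datagram arriving on the GTP-C port and accept signalling only from the roaming partners' SGSN addresses. The partner list and the datagrams are constructed; the message type numbers and header layout are those of GTPv1 (GTPv2-C uses a different header and is not handled here).

```python
"""GTP-C peer filter for the GRX-facing side of a GGSN.

Added example (not from the slides). Decodes the 8-byte mandatory GTPv1
header (flags, message type, length, TEID) and decides per datagram.
"""
import struct

GTP_PORT_CONTROL = 2123          # GTP-C; GTP-U (2152) is outside this filter
MSG_ECHO_REQUEST = 1
MSG_CREATE_PDP_REQ = 16          # "PDP Context Activate" on the slide
MSG_DELETE_PDP_REQ = 20          # "PDP Context Delete" on the slide
MSG_NAMES = {
    MSG_ECHO_REQUEST: "Echo Request",
    MSG_CREATE_PDP_REQ: "Create PDP Context Request",
    MSG_DELETE_PDP_REQ: "Delete PDP Context Request",
}

# Roaming partners' SGSN addresses as agreed over the GRX (assumed values).
ALLOWED_SGSN = {"192.0.2.10", "192.0.2.11"}


def parse_gtpv1_header(data: bytes):
    """Return (version, msg_type, length, teid) from a GTPv1 header.

    Only the mandatory header is decoded; sequence number, N-PDU number and
    extension headers are not needed for the accept/drop decision.
    """
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError("not GTPv1 (version %d)" % version)
    if not flags & 0x10:
        raise ValueError("PT=0: GTP' charging protocol, not GTP")
    return version, msg_type, length, teid


def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"") -> bytes:
    """Construct a minimal GTPv1 PDU (version 1, PT=1, no optional fields).

    Used only to build constructed sample datagrams for the filter.
    """
    return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload


def decide(src_ip: str, dst_port: int, data: bytes, allowed=ALLOWED_SGSN):
    """Return ("accept"|"drop"|"ignore", reason) for one inbound datagram."""
    if dst_port != GTP_PORT_CONTROL:
        return "ignore", "not GTP-C, outside this filter"
    try:
        _, msg_type, _, teid = parse_gtpv1_header(data)
    except ValueError as e:
        return "drop", "malformed: %s" % e
    name = MSG_NAMES.get(msg_type, "message type %d" % msg_type)
    if src_ip not in allowed:
        # This is the spoofed Activate/Delete case from slide 29: log it for
        # the perimeter monitor and do not let the GGSN see it.
        return "drop", "%s from non-partner %s (TEID 0x%08x)" % (name, src_ip, teid)
    return "accept", "%s from partner %s" % (name, src_ip)


if __name__ == "__main__":
    samples = [  # constructed datagrams: (source, port, bytes)
        ("192.0.2.10", 2123, build_gtpv1(MSG_CREATE_PDP_REQ, 0)),
        ("198.51.100.7", 2123, build_gtpv1(MSG_DELETE_PDP_REQ, 0x1234)),
        ("198.51.100.7", 2123, b"\x30\x14"),
    ]
    for src, port, pdu in samples:
        print(src, port, *decide(src, port, pdu))
```

The same decision can be expressed as firewall rules in front of the GGSN; the value of writing it as code is that the "drop" branch doubles as the perimeter monitor the slide asks for, since every rejected message names its source and message type.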
31. Results
    ― No time for "usual" security?
    ― Useful functions are often ignored

32. How to lose 1,5 million with VoIP in a DAY

33. True story
    SoftSwitch
    • call service management
    • signalling
    • etc.
    VoIP anywhere

34. Fraud
    VoIP to Cuba: $$$

35. Investigation
    VoIP to Cuba: additional IP in client profile

36. Investigation
    ― Company's engineer?
    Web interface, web access
    Account: admin, Pass: default

37. Investigation goes further
    ― Software was updated
    ― There were deb packages on the server
    Script to LOAD "some" DATA INTO Auth_table: here is the default administrator

38. Scheme
    1) Information
    2) Experience
    3) Business ability
    4) $$$
    Vulnerability after updating -> configuration modification -> VoIP to Cuba

39. Questions still remain
    ― Who created this deb package?
    ― Who was able to understand the routing table?
    ― How many providers suffer?
    IS audit required?

40. VAS vulnerabilities

41. Additional services
    ― Good ideas
    ― Joy for clients
    ― Low quality
    ― Vulnerabilities
    ― Possibility to steal money

42. Incident
    ― Attack against self-service portal
    ― Account bruteforce
    ― Service installation

43. Investigation
    ― Analysis of a web server event log
    Attacker's IP address

44. Investigation
    ― Source and used scripts are found
    Service installation -> service confirmation -> log in to the portal with the account

45. CAPTCHA Bypass
    ― The self-service portal uses CAPTCHA incorrectly
    ― CAPTCHA is not implemented in similar mobile applications
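Slides 42 to 45 describe an account brute force against a self-service portal, an investigation that started from the web server event log and the attacker's IP address, and a CAPTCHA that was missing on the mobile application's endpoint. The script below is an added example, not the portal's own code, of that first investigative step and of how it becomes a standing detection: it groups POSTs to the login endpoints by client address, counts failures per address within a sliding window, and reports the sources that exceed a threshold together with whether a success followed the failures. The endpoint paths, addresses and log lines are constructed in Apache combined-log style.

```python
"""Find password-guessing sources in a self-service portal access log.

Added example (not from the slides). Works on constructed log lines so it
runs offline; point it at a real access log by reading lines from a file.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/selfcare/login", "/api/v1/login"}   # assumed: web and mobile API
FAILURE_STATUSES = {401, 403}


def _line(ip, second, path, status):
    """Build one constructed combined-log line, `second` seconds after 10:00."""
    ts = datetime(2013, 5, 10, 10, 0, 0) + timedelta(seconds=second)
    return '%s - - [%s +0400] "POST %s HTTP/1.1" %d 52 "-" "Mozilla/5.0"' % (
        ip, ts.strftime("%d/%b/%Y:%H:%M:%S"), path, status)


# Constructed sample: one user who mistypes once, and one source that
# hammers the CAPTCHA-less mobile endpoint, succeeds, then adds a service.
SAMPLE_LOG = (
    [_line("198.51.100.20", 0, "/selfcare/login", 401),
     _line("198.51.100.20", 7, "/selfcare/login", 302)]
    + [_line("203.0.113.5", 20 + i, "/api/v1/login", 401) for i in range(15)]
    + [_line("203.0.113.5", 36, "/api/v1/login", 302),
       _line("203.0.113.5", 40, "/selfcare/services/add", 200)]
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"), int(m.group("status")))


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: summary} for sources with >= threshold login failures in any window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path in LOGIN_PATHS:
            events[ip].append((ts, path, status))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [ts for ts, _, st in evs if st in FAILURE_STATUSES]
        start, peak = 0, 0
        for end, ts in enumerate(failures):          # sliding window over failures
            while ts - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = failures[-1]
            flagged[ip] = {
                "failures_in_window": peak,
                "paths": sorted({p for _, p, _ in evs}),
                "first": failures[0].isoformat(),
                "last": last_fail.isoformat(),
                # A success after the run of failures is the "log in with the
                # account" step from slide 44 and turns this into an incident.
                "success_after_failures": any(
                    st not in FAILURE_STATUSES and ts > last_fail for ts, _, st in evs),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

The `paths` field is what shows the CAPTCHA gap from slide 45: when every flagged source is hitting the mobile API path and none the web form, the control is missing on exactly one of the two endpoints.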
46. Scheme

47. Insufficient Authentication

48. Summary
    ― A telecom provider is a huge and complex system
    ― Only 5 hack incidents
    ― How many more options?

49. Optimistically
    ― Open Source solutions and research capabilities
    ― More audits
    ― Vulnerability databases
    ― Scanners and compliance management systems

50. Thank you for your attention!
    Dmitry Kurbatov, dkurbatov@ptsecurity.ru
    Information security specialist, Positive Technologies
