Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Небезопасность сотовых сетей вчера, сегодня, завтра

249 views

Published on

Ведущие: Кирилл Пузанков, Сергей Машуков, Павел Новиков

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Небезопасность сотовых сетей вчера, сегодня, завтра

  1. 1. ptsecurity.ru Insecurity of mobile networks: Yesterday - Today – Tomorrow Kirill Puzankov Sergey Mashukov Pavel Novikov
  2. 2. SS7 - Technology from the 1970s SS7 network developed in the 1970s – 1990s Mobile communication developed in the 2000s Mobile internet Social networks Messengers Online banking Internet of Things What we use today and what technology lies at the heart of it
  3. 3. SS7 Vulnerabilities More than 50 different SS7 attacks: • IMSI disclosure • Location Discovery • Subscriber DoS • SMS interception and spoofing • Calls interception • Reading chats of Telegram, WhatsApp
  4. 4. How to Get Into Telecom Networks Legal with license Semi legal without Find a guy Hack a border device
  5. 5. Find a guy
  6. 6. Find a guy
  7. 7. Find a guy
  8. 8. Find a guy
  9. 9. Hack a border device
  10. 10. IP Connectivity
  11. 11. Misconfiguration Example Critical
  12. 12. News
  13. 13. News
  14. 14. How to Intercept SMS • A virus on a smartphone – and what if a certain subscriber is a target? How to infect him particularly? • Reissue SIM? It works only once. • Radio signal interception (GSM A5/1)? You need to be nearby. • Via SS7 network
  15. 15. Interception of incoming SMS messages Messages: SRI4SM – SendRoutingInfoforSM Procedure UL – UpdateLocation Procedure
  16. 16. Interception of incoming SMS messages
  17. 17. Possibilities for adversary • Recover passwords for email and social networks • Access to payment service • Online banking OTP
  18. 18. Recent case • Send malware to get bank account details and mobile number • Intercept SMS with OTP for the rogue transaction
  19. 19. What about new technologies?
  20. 20. New Diameter – old threats SS7 Diameter Interception Tracking DoS on subscriber DoS on network equipment Fraud
  21. 21. LTE nodes • HSS – Home Subscriber Server • MME - Mobility Management Entity • S6a interface defined in 3GPP specification: TS29.272 Scheme. EPC nodes and interfaces / Joe Deu-Ngoc / CC BY-SA 4.0
  22. 22. Intelligence gathering IMSI Disclosure 1. Vulnerabilities in the SS71 2. IMSI-catcher 3. WiFi-based IMSI-catcher2 4. Web-based Number Lookup Services 5. Vulnerabilities in the Diameter 1 - SIGNALING SYSTEM 7 (SS7) SECURITY REPORT (https://www.ptsecurity.com/upload/corporate/ww-en/analytics/SS7-Vulnerabilities-eng.pdf) 2 - WiFi-Based IMSI Catcher (https://www.blackhat.com/docs/eu-16/materials/eu-16-OHanlon-WiFi-IMSI-Catcher.pdf)
  23. 23. Disrupting subscriber service Messages: ULR - Update-Location-Request (S6a) ULA - Update-Location-Answer (S6a) CLR - Cancel-Location-Request CLA - Cancel-Location-Answer Attacker sends ULR message to HSS with IMSI of subscriber whom should be disconnected
  24. 24. Disrupting subscriber service
  25. 25. Disrupting subscriber service
  26. 26. Interception of incoming SMS messages Messages: SRR - Send-Routing-Info-for-SM-Request (S6c) SRA - Send-Routing-Info-for-SM-Answer (S6c) ULR - Update-Location-Request (S6a) ULA - Update-Location-Answer (S6a)
  27. 27. Disrupting subscriber service • To make someone unavailable. • To cause reputational damage. • What else?
  28. 28. Telco and IoT Internet of Things is a huge army of “new desirable clients” for telecoms when most of the human clients are covered
  29. 29. Telco and IoT https://blogs.sap.com/wp-content/uploads/2015/03/internetofthingshorizontal1_653122.png • EC-GSM-IoT • NB-IoT • LTE-M • 5G • LoRa?
  30. 30. Mobile World Congress #17
  31. 31. Mobile World Congress #17
  32. 32. Mobile World Congress #17
  33. 33. Mobile World Congress #17
  34. 34. Mobile World Congress #17
  35. 35. Mobile World Congress #17
  36. 36. Mobile World Congress #17
  37. 37. Mobile World Congress #17
  38. 38. Mobile World Congress #17
  39. 39. Mobile World Congress #17
  40. 40. Mobile World Congress #17
  41. 41. Mobile World Congress #17
  42. 42. Mobile World Congress #17
  43. 43. Mobile World Congress #17
  44. 44. Possible consequences
  45. 45. Thank you! ptsecurity.com

×