This document discusses five potential nightmares for telecom companies: 1) Gaining physical access to base station networks which could allow accessing clear text login credentials; 2) Exploiting vulnerabilities in Operation Support Systems to retrieve password hashes or gain administrative access; 3) Spoofing GTP packets to activate or delete PDP contexts and potentially steal money; 4) Losing over $1.5 million in a single day by exploiting a VoIP vulnerability to make calls to Cuba; 5) Bypassing CAPTCHAs and installing unauthorized services on user accounts through a self-service portal vulnerability. The document emphasizes that telecom systems are huge and complex with many possible security issues.

1. Five Nightmares for a Telecom
Dmitry Kurbatov
Information security specialist
Positive Technologies
Positive Hack Days III

2. Agenda
― Physical access to a base station network
― OSS vulnerabilities
― Attacks on GGSN, something about GRX
― How to lose 1,5 million with VoIP in a DAY
― VAS vulnerabilities

3. Physical access to a base
station network

4. Access networks for base stations
― Before: from ATM to SDH/SONET, DSL
Access network

5. Access networks for base stations
― Now: IP/MPLS, metro Ethernet

6. In the same wire
― Voice and data
― Device management channel
HTTP/HTTPS,Telnet/SSH, MML

7. Device management protocols
― Insecure HTTP, Telnet
― MML (man-machine language) ~ Telnet
Clear text: logins/passwords

8. Physical access
― How to get access and what to do next?

9. Attacks in Ethernet networks
― ARP spoofing
― No protection against gratuitous ARP

10. Results
Clear text: login/password
Command execution

11. Go further
A single IP subnet

12. BSC/RNC
― Radio resources management
― mobility
― User data encryption
OS
Windows
Linux
Services
RDP
SSH
MML/telnet
No patches
With Defaults

13. Real life
― Too many devices
― Equal/weak passwords
― Default accounts

14. OSS vulnerabilities

15. Operation support subsystem
Web interface
Client application

16. XML External Entity Injection
― “XML Data retrieval” by Yunusov and Osipov on
― Data retrieval

17. “All like it”

18. Example
Request for OSS
etc/shadow
in response

19. Go further
― Bruteforce hashes from etc/shadow
― OSS access with administrative privileges

20. Operation support subsystem
― Are vulnerable as other software
― Are there patch management?
Vulnerability
detected
Fixes developed Vulnerability and
fixes issued
? ?
137
114
46
3 6
28
12
22 26
13
5
Vulnerabilities by type
Denial of Service
Code Execution
Buffer Overflow
Memory Errors
SQL Injection
Cross-Site Scripting
Directory Traversal
Restriction Bypass
Information Disclosure
Priviledge-Escalation
Cross-Site Request Forgery

21. Attacks on GGSN,
something about GRX

22. Theory
Service deliveryMobility

23. Firewalling
VPN for a corporate client
ACL
inspect
???

24. GRX

25. GRX. Basics
• Open for all providers
• High quality (QoS)
• All in IP– easy support for SIP, RTP, GTP, SMTP, SIGTRAN
• ….. something more
• Secure, it means fully separated from the Internet, both
physically and logically.

26. Real life

27. Arguments

28. GTP
― no embedded
security functions
― no integrity
― no data encryption

29. Spoofed GTP PDP Context Activate/Delete
PDP Context
Activate/Delete
PDP Context
Activate/Delete

30. What is to be done?
― Monitor perimeter
― Configure GGSN correctly

31. Results
― Has no time for “usual” security?
― Useful functions are often ignored

32. How to lose 1,5 million
with VoIP in a DAY

33. True story SoftSwitch
• call service managements
• signalling
• etc.
VoIP
Anywhere

34. Fraud
VoIP to Cuba
To Cuba
$$$

35. Investigation
To Cuba
VoIP to Cuba
Additional
IP in Client
profile

36. Investigation
― Company’s engineer?
Web interface
Account: admin
Pass: default
Web access

37. Investigation goes further
― Software was updated
― There were deb packets on the server
Script to LOAD “some” DATA INTO Auth_table
Here is default administrator

38. Scheme
1) Information
2) Experience
3) Business ability
4) $$$
Vulnerability
after updating
Configuration
modification
To Cuba
VoIP to Cuba

39. Questions still remain
― Who created this deb packet?
― Who was able to understand the routing table?
― How many providers suffer?
IS audit required?

40. VAS vulnerabilities

41. Additional services
― Good ideas
― Joy for clients
― Low quality
― Vulnerabilities
― Possibility to steal money

42. Incident
― Attack against self-service portal
― Account bruteforce
― Service installation

43. Investigation
― Analysis of a web server event log
Attacker’s IP address

44. Investigation
― Source and used scripts are found
Service installation
Service confirmation
Log in the portal with the account

45. CAPTCHA Bypass
― The self-service portal incorrectly uses CAPTCHA
― CAPTCHA is not implemented in similar mobile applications

46. Scheme

47. Insufficient Authentication

48. Summary
― Telecom provider is a huge and complex system
― Only 5 hack incidents
― How many more options?

49. Optimistically
― Open Source solutions and research capabilities
― More audits
― Vulnerability databases
― Scanners and compliance management systems

50. Thank you for your attention!
Dmitry Kurbatov
dkurbatov@ptsecurity.ru
Information security specialist
Positive Technologies