7/31/2019 Session1 Telecom Security a Primer v6 SonyRevise
1/96
Telecom Security A Primer
29th May 2012
Sony Anthony
Director
Management Consulting IT Advisory
Our Experiences
The Very Very Basics
Switching and Transmission Technologies
Telecom Technologies
Evolution of Telecom
The Layers (Terminal, Access and Core)
Telecom Architecture Threats
Understanding the Stack and Protocols
Protocol Analyzers and Tools
Case Study - FemtoCells
Our Experiences Thus
2011 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
History of Telecommunication
Telegraph
Telephone
Mobility
History of our Experience
RIP, OSPF, BGP
SAN, NAS, DAS
Win, Linux, *NIX
Routers, Switches, Firewalls
Applications, Databases, Middleware
SNMP, TCP/IP, Telnet, FTP, HTTP
Virtualization, Replication, Mirroring, Data De-Duplication
IPv4 / IPv6
Future of our Experience
Switching and Transmission Technologies: ATM, SDH, STM, PDH, T1, E1
Data Speeds and Telecom Technologies: EVDO, EDGE, GPRS, GSM, TDM, WCDMA, PSTN
Protocols: MTP, SCCP, ISUP, TCAP, INAP, ISDN, MAP, CAP, BSSAP
Intelligent Network: SSF, SCP, SDP, IVR
VoIP: SIGTRAN, MEGACO, H.248, MGCP, RTP
Protocol Analyzers: Tektronix K15-2, Ethereal, Wireshark, Eye Spot
The Stack: SS7, CCS7
Microwave Equipment Vendors: NEC, ARYA, GTL, Envision, Aster, BNN
Components: MSC, MSS, MGW, HLR, POI, BSC, AUC, SCP, MPBN, EIR, GMSC, VLR
Core equipment by vendor:
Ericsson: MSC - AXE 10/810; MSS - AXE 810; MGW - CPP (R5/R6); MPBN - Red Back routers and Black Diamond switches; Blades - APZ 2130/40/50/60
Alcatel / Lucent: NGN Architecture
Nokia / Siemens: MSC - DX 200; 3G MGW - IPA 2800
The Basics
The Generations
Generation | Technology | Description and Working
2G | GSM | Global System for Mobile Communication (circuit switched)
2.5G | GPRS | General Packet Radio Service (packet switched, for IP services). Uses SGSN-GGSN (Serving / Gateway GPRS Support Node).
3G | UMTS | Universal Mobile Telecommunication System (CS + PS). Uses transport options like ATM / TDM / IP. New RAN: NodeB / RNC.
4G | LTE/SAE | Long Term Evolution / System Architecture Evolution. Only PS. New core: Mobility Management Entity and SAE Gateway. New RAN: evolved NodeB / RNC.
The Fundamentals on Channel Access Methods
FDM: Frequency Division Multiplexing
TDM: Time Division Multiplexing
FDMA:
1. Division of the frequency into multiple (30) channels.
2. Each channel can carry a voice conversation or, with digital service, carry digital data.
TDMA:
1. Chops up the channel into sequential time slices.
2. Users of the channel take turns transmitting and receiving in a round-robin fashion (only one person uses the channel at a time).
3. GSM uses TDMA signaling.
CDMA:
1. Everyone transmits at the same time.
2. CDMA is a "spread spectrum" technology, allowing many users to occupy the same time and frequency allocations in a given band/space.
3. Assigns unique codes to each communication to differentiate it from others in the same spectrum.
The Fundamentals on Planes
Data / User / Bearer Plane: network traffic (data in, data out)
Control / Signaling Plane: control signals
Management Plane: operations and management data
Switching and Transmission Technologies: Wired End
Switching and Transmission Technologies: ATM
Description: Asynchronous Transfer Mode (ATM) is a layer 2 technology which transfers data in cells of fixed size.
Functionality:
Packets of a fixed size of 53 bytes; assures no single type of data hogs the bandwidth.
Uses the concept of Virtual Circuits.
Security Challenges:
1. Eavesdropping (tapping of fiber optic cable; equipment costs about $2000)
2. Spoofing
3. Denial of Service
4. Stealing of VCs
5. Traffic analysis
Switching and Transmission Technologies: SONET/SDH
Description: Synchronous Optical Network / Synchronous Digital Hierarchy delivers high speed services over an optical network.
Functionality:
Guaranteed bandwidth.
Line rates of 155 Mbps to more than 10 Gbps.
Common circuits are OC-3 (155 Mbps) and OC-12 (622 Mbps) (OC-48 = 2048 Mbps or 2 Gbps circuit).
Automatic recovery capabilities and self-healing mechanisms.
Security Challenges:
1. Eavesdropping
2. Denial of Service
Switching and Transmission Technologies: STM
Description: Synchronous Transport Module is a fiber optic network transmission standard.
Functionality:
STM-1 has a bit rate of 1.544 Mbps and higher levels go up 4 at a time. Currently supported levels are STM-4, STM-16, STM-64 and STM-256.
Security Challenges:
1. Eavesdropping
2. Denial of Service
Switching and Transmission Technologies: T1/E1
Description: Type of circuit used for data transmission.
Functionality:
T1/E1 circuits are based on Time Division Multiplexing.
T1 is primarily used in North America; E1 is primarily used in Europe.
A T1 circuit provides 1.544 Mbps of data consisting of 24 timeslots of 64 kbps each and an 8 kbps channel for control information.
An E1 circuit provides 2.048 Mbps of bandwidth consisting of 30 channels.
Security Challenges:
1. Port mirroring
2. Data sniffing of unencrypted data channels
3. Denial of Service
Telecom Technologies: Wireless End
Telecom Technologies: EVDO
Description: Evolution-Data Optimized is a telecommunication standard for wireless transmission of data through radio signals.
Functionality:
Primarily used for broadband internet access.
Uses multiplexing techniques including CDMA and TDM.
An EV-DO channel has a bandwidth of 1.25 MHz.
The back-end network is entirely packet-based.
Security Challenges:
1. The EV-DO base transceiver is prone to hacking and misuse
2. WAP server and WML compromises
3. GSM technology security issues prevalent (confirm if this is a GSM technology)
Telecom Technologies: GPRS
Description: General Packet Radio Service is a packet oriented mobile data service for GSM users.
Functionality:
GPRS is a best-effort service.
2G cellular technology combined with GPRS is sometimes described as 2.5G.
The GPRS core network allows 2G, 3G and WCDMA mobile networks to transmit IP packets to external networks such as the internet.
Security Challenges: the points of attack comprise the following:
Mobile device and SIM card
Interface between mobile device and SGSN
GPRS backbone network
Packet network that connects different operators
Public internet
Telecom Technologies: EDGE
Description: Enhanced Data Rates for GSM Evolution is a digital mobile phone technology that allows improved data transmission rates.
Functionality:
Considered a pre-3G radio technology.
Peak rates of 1 Mbps and typical rates of 400 kbit/s can be expected.
EDGE requires no hardware or software changes to be made in GSM core networks. ??
Security Challenges:
1. GSM technology security issues prevalent
The Basics: GSM and the Geographic Structure
Originally defined as a pan-European open standard for a digital cellular telephone network to support voice, data, text messaging and cross-border roaming, the Global System for Mobile Communications (GSM) is now one of the world's main 2G digital wireless standards.
GSM is present in more than 160 countries and, according to the GSM Association, accounts for approximately 70 percent of the total digital cellular wireless market.
GSM is a time division multiplex (TDM) system, implemented on the 800, 900, 1800 and 1900 MHz frequencies.
In the GSM architecture each cell is governed by a Base Station or BTS.
Cell and Base Transceiver Station (BTS)
In the GSM architecture, every geographical area covered by the operator's network is divided into smaller parts. Each of these parts has a mobile signal tower, responsible for providing connectivity between your mobile handset and the network. This small area is called a Cell and the mobile signaling tower assigned to each Cell is called a BTS.
Location Area
A group of cells together represents a location area within the GSM network.
MSC (Mobile Switching Center) Service Area
A group of many Location Areas (LAs) is called an MSC area.
Public Land Mobile Network (PLMN)
A group of MSC areas serviced by the same operator is referred to as the PLMN area; it represents the entire set of cells served by one network operator. In case of multiple operators in a country, there will be more than one PLMN.
The Evolution of Telecom Networks
Components of 2G Networks and Typical Challenges
Diagram: Terminal | Access (GERAN: BTS, BSC) | Core (EIR, AUC, SGSN) | IP Services (DHCP, DNS, Charging, Internet). Requirement: Voice. 3GPP layer: GSM.
1. False BTS active attacks (reveal the IMSI and current TMSI)
2. Cipher keys and authentication data in clear (between and within networks)
3. Attacks on COMP128
4. Encryption not extended to the core (clear text transmission of user and signaling data across microwave links, e.g. in GSM BTS -> BSC)
5. User authentication with a previously known cipher
6. IMEI is an unsecured identity
7. Fraud and LI not considered in the design of the 2G network
8. No flexibility to upgrade and improve security
Reference: TR 33.120
Components of 3G Networks and Typical Challenges
Diagram: Terminal | Access (GERAN: BTS, BSC; UTRAN: NB, RNC) | Core (EIR, AUC, HSS, SGSN, MME, IN-VAS, Evolved Packet System) | IP Services (DHCP, DNS, Charging, Application SPs, Internet, Corporate Networks). Requirement: Voice + Data. 3GPP layers: GSM, UMTS.
1. Attacks persist primarily because of backward compatibility to 2G or GSM networks.
2. Smart-phones with the capability to intercept and analyze traffic.
3. Multiple IP based services enabled to facilitate user, data and management channels.
4. Denial of Service

1. User de-registration request spoofing
2. Location update request spoofing
3. Camping on a false BS/MS
4. Passive and active identity catching
5. Impersonation of the network
6. Impersonation of the user
Components of 4G Networks and Typical Challenges
Diagram: Terminal | Access (GERAN: BTS, BSC; UTRAN: NB, RNC; E-UTRAN: eNB, H(e)NB, Sec-GW) | Core (EIR, AUC, HSS, SGSN, MME, IN-VAS, Evolved Packet System) | IP Services (DHCP, DNS, Charging, Application SPs, Internet, Corporate Networks). Requirement: continuous data. 3GPP layers: GSM, UMTS.
1. Femto cell device compromise
2. UE tracking
3. IMSI catching
4. Forced handovers to a compromised eNB
5. Capture of system information and compromise of credentials
6. Physical attacks
7. Configuration attacks
8. Protocol attacks
Reference: TR 33.820
Components of Non-3GPP Layers
Diagram: Terminal | Access (3GPP layer: GERAN, UTRAN, E-UTRAN; Non-3GPP trusted and untrusted layers: CDMA2000, WiMAX/WLAN) | Core (EIR, AUC, HSS, SGSN, MME, AAA, ePDG, IN-VAS, Evolved Packet System) | IP Services (DHCP, DNS, Charging, Application SPs, Internet, Corporate Networks).
Risks:
1. Authentication bypass
2. Gateway bypass
3. Routing AP connections to the 3GPP network
Break
The Terminal Layer
The Terminal Layer: User Equipment (UE)
Mobile Station or User Equipment (UE)
A Mobile Station comprises two components: a mobile phone and a SIM (Subscriber Identification Module) card.
While a mobile phone is a device that enables communication between two people through the telecom network, a SIM card is a smart card that stores unique subscriber information in order to identify the subscriber and permit communication.
Mobile phone components:
SIM card (described in subsequent paragraphs).
Receiver and transmitter, used to perform functions such as receiving and transmitting voice and data communication.
On-board memory chips, used to store internal mobile software and other user data like the contact list, messages, pictures etc.
SIM card:
A SIM card contains information like the authentication key, security algorithms, etc., which are used to authenticate the subscriber. Such information is stored on the card prior to sale.
MSISDN (Mobile Subscriber Integrated Services Digital Network)
Generally known as the mobile phone number. It is a unique number for each mobile subscriber. It is composed of the following components:
CC (Country Code) + NDC (National Destination Code) + SS (Subscriber Number)
For example: +91 80 98455 65222
International Mobile Subscriber Identity (IMSI)
A unique 15 digit number associated with all GSM network mobile phone users. The IMSI is stored in the SIM and is used by the network to identify the subscriber. It is composed of the following components:
IMSI = MCC (Mobile Country Code) + MNC (Mobile Network Code) + MSIN (Mobile Subscriber Identity Number)
For example: 89914 50004 01062 (9419 9)
IMEI (International Mobile Equipment Identity)
A unique 14 to 17 digit code or serial number used to identify an individual mobile phone to a GSM network (e.g. 3561 880 4850 4945).
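The three identifiers above follow a fixed positional layout, which is what makes them easy to split and, for the IMEI, to validate. The following parser is an added example and not code from the original slides: it splits an MSISDN into CC + NDC + subscriber number, an IMSI into MCC + MNC + MSIN, and a 15-digit IMEI into TAC + serial + check digit, and it verifies the IMEI's Luhn check digit (the scheme 3GPP TS 23.003 specifies, which goes beyond what the slide states). The MNC-length table, the country-code table and the sample IMSI and IMEIs are constructed for this example; a real tool would load the E.212 and E.164 numbering plans.

```python
"""Added example: split MSISDN / IMSI / IMEI and validate the IMEI check digit.

The lookup tables and sample numbers below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed lookup: number of MNC digits in an IMSI for a given MCC.
# E.212 allows 2- or 3-digit MNCs, so the MCC alone decides where the MNC ends.
MNC_LENGTH_BY_MCC = {
    "404": 2,  # India (2-digit MNCs)
    "405": 2,  # India
    "310": 3,  # USA (3-digit MNCs)
}

# Constructed lookup: E.164 country code -> length of the NDC that follows it.
NDC_LENGTH_BY_CC = {
    "91": 2,   # India, matching the slide's example +91 80 98455 65222
    "1": 3,    # NANP area code
}


@dataclass(frozen=True)
class Msisdn:
    cc: str
    ndc: str
    sn: str


@dataclass(frozen=True)
class Imsi:
    mcc: str
    mnc: str
    msin: str


@dataclass(frozen=True)
class Imei:
    tac: str          # Type Allocation Code, 8 digits
    serial: str       # 6 digits
    check_digit: str  # Luhn check digit
    valid: bool       # True when the check digit matches the first 14 digits


def digits_only(raw: str) -> str:
    """Strip '+', spaces and any other separators."""
    return re.sub(r"\D", "", raw)


def parse_msisdn(raw: str) -> Msisdn:
    d = digits_only(raw)
    # E.164 country codes are 1 to 3 digits; try the longest match first.
    for cc_len in (3, 2, 1):
        cc = d[:cc_len]
        if cc in NDC_LENGTH_BY_CC:
            ndc_len = NDC_LENGTH_BY_CC[cc]
            return Msisdn(cc, d[cc_len:cc_len + ndc_len], d[cc_len + ndc_len:])
    raise ValueError(f"unknown country code in {raw!r}")


def parse_imsi(raw: str) -> Imsi:
    d = digits_only(raw)
    if len(d) != 15:
        raise ValueError(f"IMSI must be 15 digits, got {len(d)}")
    mcc = d[:3]
    mnc_len = MNC_LENGTH_BY_MCC.get(mcc)
    if mnc_len is None:
        raise ValueError(f"MCC {mcc} not in table; cannot split MNC from MSIN")
    return Imsi(mcc, d[3:3 + mnc_len], d[3 + mnc_len:])


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string (the IMEI scheme in 3GPP TS 23.003)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        n = int(ch)
        if i % 2 == 0:  # double every second digit, starting from the rightmost
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return str((10 - total % 10) % 10)


def parse_imei(raw: str) -> Imei:
    d = digits_only(raw)
    if len(d) != 15:
        raise ValueError(f"expected a 15-digit IMEI, got {len(d)} digits")
    valid = luhn_check_digit(d[:14]) == d[14]
    return Imei(d[:8], d[8:14], d[14], valid)


if __name__ == "__main__":
    print(parse_msisdn("+91 80 98455 65222"))
    print(parse_imsi("404 45 0123456789"))   # constructed IMSI
    print(parse_imei("35 618804 850494 1"))  # constructed IMEI with a valid check digit
```

An IMEI that fails the check digit is not necessarily malicious, but it is a cheap first filter before an EIR lookup, and the MCC/MNC split is what a roaming or fraud analyst needs to attribute an IMSI to a home network.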
The Terminal Layer: User Equipment (UE) States of Operation
State 1: Detached
1. The Mobile Station (MS) is not within the network coverage area.
2. This also refers to the state when the mobile phone is switched off.
NOTE: the mobile station is not connected to the network, hence no process is established here.
State 2: Idle
1. When you switch on the mobile station, it moves to the Idle state from the Detached state.
2. In this state the mobile station is within the network coverage area but is not being used (e.g. making or receiving a call, data communication etc.).
When your mobile station is switched on, it attaches itself to the nearest BTS tower in the location area. This process of attaching the phone to the nearest BTS tower is called Registration.
Further, when you move from one location area to another, your mobile station, on a continuous basis, sends a message to the nearest BTS tower. The network updates the changing information about the subscriber; this process is called Location Updating.
Diagram: Detached -> Idle (Registration, Location Updating)
State 3: Active
1. When your mobile station is used to make or receive a call, or to send or receive data, it moves to the Active state from the Idle state.
In the Active state, whenever you use the mobile station to either receive or make a call, the MSC finds out the Location Area (LA) in which you are present and connects you to other network elements within the Location Area. This process is called Paging.
Diagram: Detached -> Idle (Registration, Location Updating) -> Active (Paging)
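The three states and three procedures above form a small state machine, and writing it down as an explicit transition table makes the slide's note about the Detached state (no process runs there) a checkable property rather than a remark. The code below is an added example, not from the original slides: the event names, the `MobileStation` class and the rule that a station forgets its location area when it detaches are assumptions of this example, and handovers inside the Active state are left out.

```python
"""Added example: the Detached / Idle / Active lifecycle as a transition table.

Event names and the location-area bookkeeping are assumptions of this example.
"""
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    DETACHED = "Detached"
    IDLE = "Idle"
    ACTIVE = "Active"


class Event(Enum):
    POWER_ON = "power on / enter coverage"
    POWER_OFF = "power off / leave coverage"
    ENTER_LOCATION_AREA = "moved into another location area"
    CALL_SETUP = "make or receive a call, send or receive data"
    CALL_END = "call or data session ends"


class InvalidTransition(Exception):
    pass


# (current state, event) -> (next state, procedure the network runs, or None).
# There is deliberately no entry for DETACHED other than POWER_ON: a detached
# station is not connected, so no procedure can run (the slide's NOTE).
TRANSITIONS = {
    (State.DETACHED, Event.POWER_ON): (State.IDLE, "Registration"),
    (State.IDLE, Event.ENTER_LOCATION_AREA): (State.IDLE, "Location Updating"),
    (State.IDLE, Event.CALL_SETUP): (State.ACTIVE, "Paging"),
    (State.IDLE, Event.POWER_OFF): (State.DETACHED, None),
    (State.ACTIVE, Event.CALL_END): (State.IDLE, None),
    (State.ACTIVE, Event.POWER_OFF): (State.DETACHED, None),
}


class MobileStation:
    def __init__(self, imsi: str):
        self.imsi = imsi
        self.state = State.DETACHED
        self.location_area: Optional[str] = None  # LA known to the network
        self.history: List[Tuple[str, Optional[str], str]] = []  # audit trail

    def allowed(self, event: Event) -> bool:
        """True if the event has a transition from the current state."""
        return (self.state, event) in TRANSITIONS

    def handle(self, event: Event, location_area: Optional[str] = None) -> Optional[str]:
        """Apply the event; return the procedure that ran (or None)."""
        if not self.allowed(event):
            raise InvalidTransition(f"{event.name} not allowed in state {self.state.name}")
        new_state, procedure = TRANSITIONS[(self.state, event)]
        if procedure in ("Registration", "Location Updating"):
            # Both procedures tell the network where the subscriber now is.
            if location_area is None:
                raise ValueError(f"{procedure} needs the current location area")
            self.location_area = location_area
        if new_state is State.DETACHED:
            self.location_area = None  # assumption: nothing is tracked while detached
        self.state = new_state
        self.history.append((event.name, procedure, new_state.name))
        return procedure


def walk_through() -> List[Tuple[str, Optional[str], str]]:
    """Run the lifecycle the slides describe and return the audit history."""
    ms = MobileStation("constructed-imsi-404450123456789")
    ms.handle(Event.POWER_ON, location_area="LA1")             # Registration
    ms.handle(Event.ENTER_LOCATION_AREA, location_area="LA2")  # Location Updating
    ms.handle(Event.CALL_SETUP)                                # Paging
    ms.handle(Event.CALL_END)
    ms.handle(Event.POWER_OFF)
    return ms.history


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

The audit trail is the part worth keeping in a real system: each Registration and Location Updating entry records where the network believes the subscriber is, which is exactly the information the 3G slide's "location update request spoofing" attack tries to corrupt, so an unexpected sequence of updates is something a defender can alert on.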
The Access Layer
Telecom Components (2G/GSM/CDMA)
BTS: Base Transceiver Station
The Base Transceiver Station (BTS) is the transmit and receive link for a mobile communication system. It is the device that actually communicates with the cell phone. The BTS connects to a BSC and communicates over the Abis interface.
Functionality:
1. Radio reception and transmission
2. Signal processing
3. Signal link management
4. Synchronization
5. Encodes, encrypts, multiplexes, modulates and feeds the RF signal to the antenna
Security Challenges:
1. Physical tampering of MW equipment
2. Fake BTS
3. IMSI catcher
4. Over-the-air cloning
Images: GPS war driving; nano BTS in a Nano
BSC: Base Station Controller
The BSC is used to control a group of BTSs. It provides the connection between the BTS and the other network elements that are needed to complete the call.
Functionality:
1. Handovers of calls from one BTS to another
2. The BSC passes on your call to the Mobile Switching Center (MSC)
3. Manages radio resources for the BTS
4. Assigns frequency and timeslots to the MS
Security Challenges:
1. OpenBSC software
2. Cipher keys and authentication data in clear (between and within networks)
3. Attacks on COMP128
4. Encryption not extended to the core (clear text transmission of user and signaling data across microwave links, e.g. in GSM BTS -> BSC)
Telecom Components (3G/UMTS)
Node B
A UMTS (3G) mobile connects to the Node B to transmit or receive a voice call or carry out a data-mode connection.
Functionality:
1. Modulation and spreading
2. RF processing
3. Inner-loop power control
4. Rate matching
5. Macro diversity combining/splitting inside the Node B
Security Challenges:
1. Unknown
RNC: Radio Network Controller
Comparable to the Base Station Controller in GSM. It is responsible for L2 processing of user data and Radio Resource Management.
Functionality:
1. Closed loop power control
2. Handover control
3. Admission control
4. Code allocation
5. Packet scheduling
6. Macro diversity combining/splitting over a number of Node Bs
Security Challenges:
1. Unknown
Telecom Components (4G/LTE)
eNode B
The eNode B is the base station in the LTE/SAE network.
Functionality:
1. Radio resource management
2. IP header compression and encryption of the user data stream
3. Selection of an MME at UE attachment
4. Routing of user plane data towards the SAE gateway
5. Measurement and measurement reporting configuration for mobility and scheduling
Security Challenges:
1. Placing a large number of eNodeBs in a large L2 domain results in Distributed Denial of Service (DDoS) attacks.
2. IP addresses of neighboring cell sites can be extracted through Automatic Neighbor Relation (ANR) messages for use in dynamic ACLs that will only allow communication between defined neighboring cell sites.
The Core Layer
CDMA Network Architecture
Core Components:
CDMA
HA - Locates the place where the Mobile Node opens its account.
MSC - Authenticates the subscriber to establish the call.
GMSC - Switch which interrogates the subscriber's HLR to obtain routing information (transit calls).
HLR - Centralized database that stores and manages all subscriber related information required to set up calls.
VLR - Database containing subscriber information of all subscribers currently located in the area served by the MSC.
AuC - Authenticates each SIM card that attempts to connect to the network.
EIR - Optional database containing mobile equipment identity information.
PDSN - Implements the switching of packet data services of mobile subscribers.
2G and 3G Network Architecture
Core Components:
GSM
MSC/MGW - Performs the call control function and authenticates the subscriber to establish the call.
GMSC - Switch which interrogates the subscriber's HLR to obtain routing information (transit calls).
HLR - Centralized database that stores and manages all subscriber related information required to set up calls.
VLR - Database containing subscriber information of all subscribers currently located in the area served by the MSC.
AuC - Authenticates each SIM card that attempts to connect to the network.
EIR - Optional database containing mobile equipment identity information.
SGSN - Delivery of data packets from and to the mobile stations within its geographical service area.
GGSN - Interworking between the GPRS network and external packet switched networks.
Core Components:
3G
The 3G core uses the same components, with the same roles, as the GSM core above: MSC/MGW, GMSC, HLR, VLR, AuC, EIR, SGSN and GGSN.
4G / LTE Network Architecture
4G
MME - Manages the subscriber session control plane functionality.
HSS - The concatenation of the HLR and AuC. The HLR part of the HSS is in charge of storing, and updating when necessary, the database containing all the user subscription information. The AuC part of the HSS is in charge of generating security information from user identity keys; this security information is provided to the HLR and further communicated to other entities in the network.
SGW - Receives and routes all UE packet data and serves as a mobility anchor while UEs transition between eNodeBs.
PGW - Routes data packets from the SGW to external services.
PCRF - Server that manages the service policy and sends QoS setting information for each user session and accounting rule information.
Telecom Components
HLR / VLR / HSS - Home / Visitor Location Register (CDMA/2G/3G)
Description: It is a centralized database that stores and manages all subscriber-related information required to set up calls. It acts as a personal store for subscriber information until such subscription is cancelled.
Functionality:
1. Subscriber's supplementary services
2. Subscriber's identity
3. Subscriber's location information (MSC service area)
4. Subscriber's authentication information
VLR:
1. VLR is a database containing subscriber information of all subscribers currently located in the area served by the MSC.
2. The most important information is about the current location of the subscriber.
3. Whenever an MSC detects a new subscriber in its network, in addition to creating a new record in the VLR, it also updates the HLR of the mobile subscriber, apprising it of the new location.
Security Challenges:
1. HLR/VLR database compromise
2. Wrong entry flushed into the database
3. Access control to HLRs should be based on user profiles, using at least a unique username and a password as authentication data
4. Remote access to the HLR should be protected from eavesdropping, source and destination spoofing and session hijacking. This is achieved by limiting the range of protocols used for communication with the HLR.
AuC - Authentication Center (CDMA/2G/3G)
Description: AuC is a network element which is used to authenticate each SIM card that attempts to connect to the network.
Functionality:
1. It provides information to allow the mobile phones to access the network.
2. AuC generally performs its functions when you switch on your mobile station.
3. AuC is responsible for the generation of the parameters used for the privacy and the ciphering of the radio link.
4. To ensure the privacy of the mobile subscriber, a Temporary Mobile Subscriber Identity (TMSI) is assigned for the duration that the subscriber is under control of the specific Mobile Switching Centre (MSC) associated with the AuC.
Security Challenges:
1. The number of employees having physical and logical access to the AuC should be limited, such that it is then reasonable to use an AuC which is not integrated with the HLR.
2. Operators should carefully consider the need for encryption of AuC data. Some vendors use default encryption.
3. The encryption is questionable since the algorithm is proprietary and confidential.
4. If it is decided to use an add-on ciphering facility, attention should be paid to cryptographic key management.
5. Authentication triplets can be obtained from the AuC by masquerading as another system entity (namely the HLR). The threat is present when the HLR and AuC are physically separated.
Telecom Components (CDMA)
HA - Home Agent
Description: The home agent is located where the Mobile Node opens its account; it receives the registration information from the MN.
Functionality:
1. Broadcast the accessible information of the MN.
2. Set up the tunnel between FA and HA.
3. Transfer the data from other computers to the MN via the tunnel.
PDSN - Packet Data Service Node
Description: The PDSN implements the switching of packet data services of mobile subscribers.
Functionality:
1. Provides the interface between the radio network and the packet data network.
SGSN/GGSN - Serving/Gateway GPRS Support Node (2G/3G)
Description: The Gateway GPRS Support Node (GGSN) is a main component of the GPRS network. It is responsible for the interworking between the GPRS network and external packet switched networks. A Serving GPRS Support Node (SGSN) is responsible for the delivery of data packets from and to the mobile stations within its geographical service area.
Functionality:
1. The GGSN maintains the routing necessary to tunnel the Protocol Data Units (PDUs) to the SGSN that services a particular MS.
2. SGSN tasks include packet routing and transfer, mobility management (attach/detach and location management), logical link management, and authentication and charging functions.
Telecom Components (4G/LTE)
MME - Mobility Management Entity
Description: The MME manages the subscriber session control plane functionality, which uses the S1-C (C is for Control Plane) interface to communicate through the eNodeB to the UE.
Functionality:
1. Authentication
2. Authorization
3. Ciphering
4. Security key management
PGW - PDN Gateway
Description: Routes data packets from the SGW to external services such as the Internet, IP Multimedia Systems (IMS), or PSTN.
Functionality:
1. Performs packet filtering.
2. Policy enforcement and lawful interception.
3. Charging support, and packet screening.
PCRF - Policy and Charging Rules Function
Description: Manages the service policy and sends QoS setting information for each user session and accounting rule information.
Functionality:
The Policy Decision Function (PDF) - Network entity where the policy decisions are made. As the IMS session is being set up, SIP signaling containing media requirements is exchanged between the terminal and the P-CSCF. Some time in the session establishment process, the PDF receives requirements from the P-CSCF and makes decisions based on network operator rules, such as: allowing or rejecting the media request, using a new or existing PDP context for an incoming media request, checking the allocation of new resources against the maximum authorized.
The Charging Rules Function (CRF) - Provides operator-defined charging rules applicable to each service data flow. Selects the relevant charging rules based on information provided by the P-CSCF, such as Application Identifier, Type of Stream (audio, video, etc.), Application Data Rate, etc.
Call Routing
Call Routing-1
[Figure: end-to-end call routing: Mobile Phone -> BTS (modem, amplifier) -> BSC -> MSC -> GMSC -> PSTN / Internet / Operator B / IP Phone / WAP, showing local area routing, multi local area routing and multi operator routing; data center infrastructure (EIR, AUC, HLR, VLR, DHCP, DNS, Mail, Content), support infrastructure (MIS) and business infrastructure (mediation, rating/billing, printing, data warehouse, network switches)]
Legend:
BTS - Base Transceiver Station
BSC - Base Station Controller
BSS - Base Station Subsystem
MSC - Mobile Switching Center
GMSC - Gateway Mobile Switching Center
PSTN - Public Switched Telephone Network
EIR - Equipment Identity Register
AUC - Authentication Center
HLR - Home Location Register
VLR - Visited Location Register
DHCP - Dynamic Host Control Protocol
DNS - Domain Name System
MIS - Management Information System
Call Routing-2
[Figure: call flow between Subscriber (A Number) and Subscriber (B Number) through BTS, BSC, MSC, VLR, HLR, EIR and AuC; the step labels on the diagram are:]
1. SIM card authentication at the time of switch on (AuC)
2. Connect to BTS based on the location of the subscriber
3. Link with BSC
4. Link with MSC
5. Communication with VLR
6. Check with HLR to determine the MSC of the B Number
7. Check if the equipment used is approved (EIR)
8. If no profile of the subscriber exists in the VLR, then download it from the HLR
9. Transfer call to MSC (2)
10. Communicate with BSC
11. Connect to BTS
12. Contact Subscriber (B Number)
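The call-setup checks above as a small Python model; this is an added teaching example with constructed data, not the deck's or any operator's code. The order in which the checks run, the white/grey/black IMEI statuses in the EIR and the network names are assumptions of the model.

```python
"""Model of the mobile-originated call setup from the Call Routing-2 slide:
AuC check at switch-on, EIR equipment check, VLR profile fetch from the HLR
(with the HLR apprised of the new location), HLR lookup of the B party's
serving MSC, then transfer to that MSC. Constructed sample data throughout."""


class CallRejected(Exception):
    """Raised when one of the setup checks fails."""


class AuC:
    """Knows which SIMs (IMSIs) are provisioned; authenticates at switch-on."""

    def __init__(self, provisioned_imsis):
        self._imsis = set(provisioned_imsis)

    def authenticate(self, imsi):
        return imsi in self._imsis


class EIR:
    """Equipment Identity Register: IMEI -> white / grey / black (assumed statuses)."""

    def __init__(self, status):
        self._status = status

    def check(self, imei):
        status = self._status.get(imei, "white")   # unknown IMEI treated as white (assumption)
        if status == "black":
            raise CallRejected(f"EIR: equipment {imei} is barred")
        return status


class HLR:
    """Home Location Register: master subscriber profile plus current serving MSC."""

    def __init__(self, profiles):
        self._profiles = profiles                   # imsi -> {"msisdn": ..., "services": [...]}
        self._serving_msc = {}                      # imsi -> MSC currently serving the subscriber

    def profile(self, imsi):
        return dict(self._profiles[imsi])

    def update_location(self, imsi, msc):
        self._serving_msc[imsi] = msc

    def routing_msc(self, msisdn):
        for imsi, prof in self._profiles.items():
            if prof["msisdn"] == msisdn:
                return self._serving_msc.get(imsi)
        return None


class VLR:
    """Visitor Location Register of one MSC; caches profiles downloaded from the HLR."""

    def __init__(self, msc):
        self.msc = msc
        self._cache = {}

    def profile(self, imsi, hlr, steps):
        if imsi not in self._cache:
            steps.append("VLR miss: profile downloaded from HLR")
            self._cache[imsi] = hlr.profile(imsi)
            hlr.update_location(imsi, self.msc)     # HLR apprised of the new location
        return self._cache[imsi]


def route_call(a_imsi, a_imei, b_msisdn, auc, eir, vlr, hlr):
    """Run the setup checks for an A-party call; returns the route and the steps taken."""
    steps = []
    if not auc.authenticate(a_imsi):
        raise CallRejected("AuC: SIM authentication failed")
    steps.append("AuC: SIM authenticated")
    steps.append(f"EIR: equipment status {eir.check(a_imei)}")
    vlr.profile(a_imsi, hlr, steps)
    steps.append("VLR: subscriber profile available")
    b_msc = hlr.routing_msc(b_msisdn)
    if b_msc is None:
        raise CallRejected(f"HLR: no serving MSC known for {b_msisdn}")
    steps.append(f"HLR: B number served by {b_msc}")
    steps.append(f"MSC {vlr.msc}: call transferred to {b_msc}, B party contacted via its BSC/BTS")
    return {"route": [vlr.msc, b_msc], "steps": steps}


def build_demo_network():
    """Constructed sample network: two MSCs, B party already attached under MSC-2."""
    hlr = HLR({"IMSI-A": {"msisdn": "+910000000001", "services": ["voice"]},
               "IMSI-B": {"msisdn": "+910000000002", "services": ["voice"]}})
    hlr.update_location("IMSI-B", "MSC-2")
    return (AuC({"IMSI-A", "IMSI-B"}),
            EIR({"IMEI-STOLEN": "black", "IMEI-A": "white"}),
            VLR("MSC-1"), hlr)
```

The second call from the same subscriber is served from the VLR cache, which is the behaviour step 8 describes; a barred IMEI or an unknown SIM stops the setup before any routing happens.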
Break
Telecom Architecture and Threats
GSM Security Challenges
- Only provides access security; communications and signaling traffic in the fixed network are not protected
- Does not address active attacks, whereby some network elements (e.g. BTS: Base Station)
- Only as secure as the fixed networks to which they connect
- Difficult to upgrade the cryptographic mechanisms
- Terminal identity cannot be trusted
- Lawful interception only considered as an afterthought
- Lack of user visibility (e.g. the user doesn't know if the call is encrypted or not)
2G (GSM) Security vs 3G (UMTS) Security
Security Enhancements in 3G
Fake Base Station - A change was made to defeat the false base station attack. The security mechanisms include a sequence number that ensures that the mobile can identify the network.
Stronger Ciphers - Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.
Security on Device - Mechanisms were included to support security within and between networks.
Security from Outside to Inside - Security is based within the switch rather than the base station as in GSM. Therefore links are protected between the base station and the switch.
Integrity - Integrity mechanisms for the terminal identity (IMEI) have been designed in from the start, rather than introduced late into GSM.
What good are these security enhancements when operators today run insecure 2G and security-enhanced 3G networks in parallel?
Result: Weakened Network Architecture
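The sequence-number mechanism from the Fake Base Station row, and the AuC's role of generating security information from the subscriber key described on the AuC slide, as an added Python illustration that is not from the original deck: a simplified 3G AKA exchange in which the USIM rejects a challenge not produced with its key and a replayed one, beside a 2G triplet that gives the phone nothing to check. HMAC-SHA256 stands in for the 3GPP f1..f5 functions, SQN is a plain counter and the AMF is a fixed constant; these are assumptions of the example, not the real Milenage algorithms.

```python
"""3G-style authentication and key agreement (AKA) as a teaching model of why
the sequence number and network MAC in AUTN let the mobile identify the network.
Assumed simplifications: HMAC-SHA256 replaces the 3GPP f1..f5 functions, SQN is a
simple counter, AMF is constant. Constructed keys and identities only."""
import hashlib
import hmac
import os


def _f(key, tag, data, length):
    """Stand-in for f1..f5: one keyed PRF, domain-separated by a per-function tag."""
    return hmac.new(key, tag + data, hashlib.sha256).digest()[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AuC:
    """Authentication Centre: the only network element that holds the subscriber key K."""

    def __init__(self, subscribers):
        self._subs = {imsi: {"k": k, "sqn": 0} for imsi, k in subscribers.items()}

    def gsm_triplet(self, imsi):
        """2G triplet (RAND, SRES, Kc): nothing in it tells the phone who sent RAND."""
        k = self._subs[imsi]["k"]
        rand = os.urandom(16)
        return {"rand": rand, "sres": _f(k, b"a3", rand, 4), "kc": _f(k, b"a8", rand, 8)}

    def authentication_vector(self, imsi):
        """3G quintet (RAND, XRES, CK, IK, AUTN) with AUTN = (SQN xor AK) || AMF || MAC."""
        sub = self._subs[imsi]
        sub["sqn"] += 1                                  # fresh SQN for every vector issued
        k, sqn = sub["k"], sub["sqn"].to_bytes(6, "big")
        rand, amf = os.urandom(16), b"\x80\x00"
        mac = _f(k, b"f1", sqn + rand + amf, 8)          # proves the vector came from K's owner
        ak = _f(k, b"f5", rand, 6)                       # anonymity key conceals SQN on the air
        return {"rand": rand,
                "xres": _f(k, b"f2", rand, 8),
                "ck": _f(k, b"f3", rand, 16),
                "ik": _f(k, b"f4", rand, 16),
                "autn": _xor(sqn, ak) + amf + mac}


class USIM:
    """Subscriber side: keeps the highest SQN it has accepted so replays are detected."""

    def __init__(self, k):
        self._k = k
        self._sqn_ms = 0

    def authenticate_network(self, rand, autn):
        """Verify AUTN before answering; ValueError for a forged or replayed challenge."""
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_b = _xor(sqn_xor_ak, _f(self._k, b"f5", rand, 6))
        if not hmac.compare_digest(mac, _f(self._k, b"f1", sqn_b + rand + amf, 8)):
            raise ValueError("MAC failure")              # not made with my K: false base station
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self._sqn_ms:
            raise ValueError("SQN failure")              # seen before: replayed vector
        self._sqn_ms = sqn
        return {"res": _f(self._k, b"f2", rand, 8),
                "ck": _f(self._k, b"f3", rand, 16),
                "ik": _f(self._k, b"f4", rand, 16)}


def run_aka(usim, av):
    """One exchange as the serving node (VLR/SGSN/MME) sees it; the node never holds K."""
    try:
        answer = usim.authenticate_network(av["rand"], av["autn"])
    except ValueError as exc:
        return "UE rejected: " + str(exc)
    if not hmac.compare_digest(answer["res"], av["xres"]):
        return "network rejected: RES mismatch"
    return "OK"


if __name__ == "__main__":
    K = bytes(range(16))                                 # constructed subscriber key
    auc, usim = AuC({"IMSI-DEMO": K}), USIM(K)
    genuine = auc.authentication_vector("IMSI-DEMO")
    print(run_aka(usim, genuine))                        # OK
    print(run_aka(usim, genuine))                        # UE rejected: SQN failure
    forged = {"rand": os.urandom(16), "autn": os.urandom(16), "xres": bytes(8)}
    print(run_aka(usim, forged))                         # UE rejected: MAC failure
```

A 2G phone answers any RAND it receives, which is the gap the AUTN closes; in a mixed 2G/3G deployment the check only applies while the phone is attached over 3G.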
Emerging Threats and Classification - Telecom
[Figure: telecom emerging threats, grouped by impact: Availability, Confidentiality, Integrity, Loss of Control, Loss of Service]
T1 - Flooding an interface
T2 - Crashing a network element
T3 - Eavesdropping
T4 - Unauthorized data access
T5 - Traffic modification
T6 - Data modification on a network element
T7 - Compromise via implementation flaw
T8 - Compromise via management interface
T9 - Malicious insider
T10 - Theft of service
Source: Attack analysis and Security concepts for MObile Network Infrastructures supported by collaborative InformAtion exchange (ASMONIA)
Emerging Threats and Classification - Telecom
[Figure: ranking of threats; ranking of network elements (critical); ranking of network elements (less critical). Only the panel titles survived extraction.]
Understanding the Telecom Stack and Protocols
Intelligent Network (IN)
Description: The Intelligent Network (IN) is the standard network architecture specified in the ITU-T Q.1200 series recommendations. It is intended for fixed as well as mobile telecom networks. IN is supported by the Signaling System #7 (SS7) protocol between telephone network switching centers and other network nodes owned by network operators.
Functionality:
- Allows operators to differentiate themselves by providing value-added services
- Intelligent Network Nodes
- Modular and more secure network
- The initial use of IN technology was for number translation services
The Stack
SS7
Description: Signaling System No. 7 (SS7) is a set of telephony signaling protocols which are used to set up most of the world's public switched telephone network telephone calls.
Functionality: The main purpose is to set up and tear down telephone calls. Other uses include number translation, local number portability, prepaid billing mechanisms, short message service (SMS), and a variety of other mass market services.
Security Challenges:
1. Internet-PTN convergence allows attackers inroads via entities with poorly secured SS7 networks.
2. ISDN connections are also points of unauthorized entry.
3. Advanced services like call forwarding have intrinsic vulnerabilities; attackers can create havoc by modifying SCPs containing forwarding destinations.
4. Anyone capable of generating SS7 messages and introducing them into a network can disrupt PTN services.
CCS7
Description: In Common Channel Signaling (CCS) there is a common signaling channel which takes care of all the signaling information to be exchanged during communication. All other channels can be used for speech or data as required.
Functionality:
- Higher signaling capacity.
- More speech/data channels, as there is only one signaling channel.
- Central offices can exchange information not related to speech/data between themselves, e.g. subscriber data.
- Various high-end features like roaming are possible by using CCS7.
Security Challenges:
1. DoS attack
2. Flooding with SCTP chunks
3. MitM attack: eavesdropping
4. MitM attack: unrecognized data alteration
[Figure: example signaling network with point codes: SP (SPC=100), STP (SPC=200), STP (SPC=300), SRP (SPC=400), SEP (SPC=500)]
SIGTRAN and Protocols
SIGTRAN
Description: Derived from Signaling Transport. Provides reliable datagram service and user layer adaptation for the Signaling System 7 (SS7) and ISDN communications protocols. (If SS7 is IP, SIGTRAN is IPv4.)
Functionality: SIGTRAN uses an IP transport protocol called Stream Control Transmission Protocol (SCTP), which is used to carry PSTN over IP. (And SCTP is something like HTTP.)
Security Challenges:
- The SCTPscan tool (from BackTrack) can be used for scanning for services
- IAM attack: capacity DoS, similar to SIP flooding
- REL attack: targeted call release, terminating a user's conversation
- SRI attack: tracking of users
- HLR attack: fake location update, redirecting calls to another country until the phone reboots
MEGACO
Description: Media Gateway Control Protocol (H.248) is used for controlling media gateways in Internet Protocol and PSTN networks.
Functionality: Although H.248 performs the same function as MGCP, it uses different commands and processes and supports a broad range of networks.
Security Challenges: A malformed request to port 2944/tcp, used by MEGACO, is known to cause denial of service.
MGCP
Description: Media Gateway Control Protocol is a signaling and call control protocol used within VoIP that interoperates with the PSTN.
Functionality:
- Call control via a Call Agent
- Uses Session Description Protocol (SDP) for specifying and negotiating the media streams
- Typical architecture consists of a Call Agent and a Media Gateway
Security Challenges: MGCP Call Agents (CAs) are susceptible to DoS attacks and malformed packets.
RTP
Description: Real-time Transport Protocol (RTP) defines a standardized packet format for delivering audio and video over IP networks.
Functionality:
- Extensively used in communication and entertainment systems such as telephony, video conference applications, etc.
- RTP is used in conjunction with RTCP
- RTP is originated and received on even port numbers, and the associated RTCP communication uses the next higher odd port number.
Security Challenges:
- Call tampering
- Man-in-the-middle attacks
- DoS attacks
Protocols - MTP
Description: Media Termination Point. MTPs bridge the media streams between two connections.
Functionality:
- Passes streaming data to the other connection
- MTP transcodes a-law to mu-law (and vice versa) and adjusts packet sizes as required by the two connections
- MTPs extend supplementary services, such as call hold, call transfer, call park, and conferencing
Security Challenges:
Protocols - ISUP
Description: ISDN User Part (ISUP) is the part of SS7 which is used to set up calls in Public Switched Telephone Networks.
Functionality: Common messages transmitted in ISUP are:
- Initial Address Message (IAM)
- Subsequent Address Message (SAM)
- Address Complete Message (ACM)
- Answer Message (ANM)
- Release (REL)
- Release Complete (RLC)
Security Challenges:
- Eavesdropping
- Man-in-the-middle attacks
- ARP spoofing attacks
- Caller ID spoofing
- SIP registration hacking
Protocols - TCAP
Description: Transaction Capabilities Application Part (TCAP) is a protocol in the SS7 suite.
Functionality:
- Supports non-circuit related information exchange between signaling points using the Signalling Connection Control Part (SCCP) connectionless service
- TCAP also supports the ability to invoke features in another remote network switch
Security Challenges:
Protocols - INAP
Description: The Intelligent Network Application Part (INAP) is a signalling protocol used in the intelligent network architecture.
Functionality:
- Part of the SS7 protocol suite
- Typically layered on top of TCAP
- Provides logic for controlling telecommunication services migrated from traditional switching points to computer-based services
Security Challenges:
Protocols - ISDN
Description: Integrated Services Digital Network (ISDN) is a communication standard for simultaneous transmission of voice, data and other network services over traditional circuits.
Functionality:
- Circuit switched telephone network
- Comprises BRI and PRI
- BRI: 2B + 1D (192 Kbps)
- PRI: T1 (23B + 1D), E1 (30B + 1D)
Security Challenges:
Protocol Analyzers and Tools
P1 Telecom Auditor
Description: P1 Telecom Auditor is an SS7 and SIGTRAN vulnerability scanner and security auditor. Today, the security situation of SS7 and SIGTRAN is identical.
P1 Telecom Auditor offers Telecom and Mobile operators the capability to assess and analyze their security in their core network and signaling perimeters, continuously.
Deployment:
- Easily deployed with a single lightweight Virtual Appliance using VMware technology and a web-based control and reporting server using SaaS technology.
- Integrates seamlessly in the Signalling Infrastructure
- Requires an IP address and a Signalling Point Code
- Ready for deployment in both legacy SS7 and state-of-the-art SIGTRAN, UMTS/CDMA 3G, IMS and LTE environments.
Technology, Protocols and Equipment (Quick View)
Native SS7 and SIGTRAN security auditing solution; mission-based and permanent scanning.
Elements: STP; MSC, MGW; MMSC, SMSC, FDA; HLR, HSS, AUC, EIR; IN, VAS, Billing Platforms
Features:
- SS7 interconnect security analysis
- Network Element, DPC and SSN exposure tests from an external perspective
- Telecom Network Elements vulnerability analysis
- External and internal security audit
- Telecom product analysis
- SS7 external information gathering
- Web based admin, campaign control and reporting
- Reliable, repeatable scanner results, clear deliverables
- Protection methods against DoS
- Audit staging for controlled environment assessment
- Multiple Signalling Point Code support
- CDR tagging to prevent charging
Protocols:
- SS7: Message Transfer Part 3 (MTP3), SCCP, TCAP, ISUP, TUP, MAP, OMAP, INAP, BICC, CAMEL, BSSAP, RANAP, UMA
- SIGTRAN: SCTP, M3UA, M2PA, M2UA, IUA (ISDN, Q.931), SUA, V5UA
- GPRS: GTP-U, GTP-C, GTP, GPX
- DNS
- AAA: Radius, Diameter
- VoIP / ToIP: SIP, H.323, Skinny / SCCP, H.248, MGCP, MEGACO
- Core network protocols: MPLS, LDP, BGP, VPLS, L2TP, GRE, IPsec, SAAL, LDP, BGP
Equipment:
- FMS, LIG
- GGSN, SGSN
- SG, AS, ASP, SN
- GRX and IPX routers, GRX, 3G and IPX DNS, SGW, PGW / PDG / PDN GW, ePDG, GPRS billing gateways
- Internet Gateways, PS domain routers, Proxies, Legacy PS equipment, WAP GW
- ATM switches
- Billing Centre, Billing systems, reconciliation systems
- IN, AIN, CAP and CAMEL systems
- BSC, BTS, Node B, RNC, LTE e-Node B
- SBC, SIP AS, SIP gateways
- Call Session Control Function equipment: P-CSCF, I-CSCF, S-CSCF
- HNB, eHNB, UMA Femtocells, UMA support system, BRAS-AC, PDC
- Legacy equipment, X25, XOT
- Circuit Switched (CS) / Packet Switched (PS) networks and interfaces
Thank You