“Telecom Security Issues” An overview of Key Threats & Actors, Case Studies and Possible Scenarios Raoul Chiesa, UNICRI Club Hack Conference, Pune December 4th, 2010

Telecom security issues (Raoul Chiesa, day 1 )


Page 1: Telecom security issues   (Raoul Chiesa, day 1 )

“Telecom Security Issues”
An overview of Key Threats & Actors, Case Studies and Possible Scenarios

Raoul Chiesa, UNICRI

Club Hack Conference, Pune, December 4th, 2010

Page 2: Telecom security issues   (Raoul Chiesa, day 1 )

Disclaimer

● The information contained within this presentation does not infringe on any intellectual property, nor does it contain tools or recipes that could be in breach of known Indian laws (is there any lawyer in the room btw? ;)

● Quoted trademarks belong to their registered owners.

● The views expressed are those of the author and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the views of ENISA and its PSG (Permanent Stakeholders Group).

Page 3: Telecom security issues   (Raoul Chiesa, day 1 )

The speaker – Raoul “nobody” Chiesa

On the underground scene since 1986

Senior Advisor on cybercrime at the United Nations (UNICRI)

ENISA PSG Member (2010‐2012)

Founder, @ Mediaservice.net – Independent Security Advisory Company, and @ PSS – a Digital Forensics Company

Founder, Board of Directors at: CLUSIT (Italian Information Security Association), ISECOM, OWASP Italian Chapter

TSTF.net Associated Member

Member: ICANN, OPSI/AIP, EAST

Page 4: Telecom security issues   (Raoul Chiesa, day 1 )

About UNICRI

What is UNICRI?

United Nations Interregional Crime & Justice Research Institute

A United Nations entity established in 1968 to support countries worldwide in crime prevention and criminal justice

UNICRI carries out applied research, training, technical cooperation and documentation / information activities

UNICRI disseminates information and maintains contacts with professionals and experts worldwide

Counter Human Trafficking and Emerging Crimes Unit: cyber crimes,counterfeiting, environmental crimes, trafficking in stolen works of art…

Page 5: Telecom security issues   (Raoul Chiesa, day 1 )

About ENISA

What is ENISA?

• European Network & Information Security Agency
• ENISA is the EU’s response to security issues of the European Union
• “Securing Europe's Information Society” is our motto (27 Member States)
• In order to accomplish our mission, we work with EU Institutions and Member States
• ENISA came into being following the adoption of Regulation (EC) No 460/2004 of the European Parliament and of the Council on 10 March 2004. Operations started in September 2005, after moving from Brussels to Crete, and with the arrival of staff that were recruited through EU25‐wide competitions with candidates coming from all over Europe.
• ENISA is helping the European Commission, the Member States and the business community to address, respond to and especially to prevent Network and Information Security problems.
• The Agency also assists the European Commission in the technical preparatory work for updating and developing Community legislation in the field of Network and Information Security.
• I’m a Member of ENISA’s PSG – Permanent Stakeholders Group.

Page 6: Telecom security issues   (Raoul Chiesa, day 1 )

About TSTF.net

• We are a think‐tank established more than 10 years ago.
• We (the team members) have all known each other since the 80’s.
• Some names: Emmanuel Gadaix, Philippe Langlois, Stavroula “Venix” Ventouri, Fyodor Yarochkin (xprobe2), ….

• All of us together have pentested/audited more than 120 phone operators all over the world.

• Huge experience, no sales pitches: we know our stuff.
• Built the very first open‐source SS7 scanner (SCTP).
• Making R&D, every day, every hour, every single minute ;)

Page 7: Telecom security issues   (Raoul Chiesa, day 1 )

More on TSTF.net

Who’s who
35 years combined GSM telecommunications experience;
50 years combined information security experience;
A unique view on telco security – nobody else does it;
Active research (papers, tools, forums);
Experience in Europe, Asia, USA;
Self‐funded, no business cunts running it, no VCs.

Networked structure
Structure similar to the Global Business Network (http://www.gbn.org/);
No central office, global coverage;
Leverage on each individual's skills and services;
Leverage on network effect.

Page 8: Telecom security issues   (Raoul Chiesa, day 1 )

Our experiences (excerpt, 1999‐2004)
(obviously, we’ve got much MORE ☺)

1999: GSM Internet Data Access Penetration Tests

2000: GPRS Internet Data Access Penetration Tests

2000/2004: L.I.S./L.I.G. Security Audits on an operator with +15 MLN subscribers

2000: SMS Spoofing PoC & Security Consulting

2001: Dealers’ shops Abuse Security Testing

2001: SMSC Ethical Hacking Test

2001: SAP environments Security Audit

2001‐2004: VAS Security Audits and Pen‐testing

2001‐2004: xIDS and Firewall tuning and configuration review

2002/2003: Wireless Penetration Tests on HQ and main branches (+10 MLN subscribers; +15 MLN subscribers)

2002: Wireless Security Policy (private and public hot‐spots)

2003: Portals Web Applications Security Testing (various tests on the applications developed for the subscribers)

2003: Billing gateway process Full Security Audit & Pentests

2003: MMS environment Ethical Hacking tests

2004: BlackBerry FE/BE Penetration Testing

2004: X.25 Security Audit Full Process (9 months)

2004: New mobile threats R&D process (3 months)

2004: DoS incident handling policy (referred to the private WAN)

Page 9: Telecom security issues   (Raoul Chiesa, day 1 )

Topics for this session

• Introduction

• MSC hacking / the Vodafone Greece Affair

• Data Network Elements hacking (e.g. GPRS)

• Billing, Mediation, LIS/LIG hacking

• SS7 hacking

• Web Applications’ suppliers standard issues

Page 10: Telecom security issues   (Raoul Chiesa, day 1 )

THE PROBLEM

Telecommunications vendors (Nokia, Ericsson, Alcatel, etc.) are selling insecure software and systems to telcos.

Telecommunications operators have a very poor understanding of security issues.

Based on 10 years of penetration testing experience, telco operators are the most vulnerable of all industry groups.

Sophisticated hackers have an increased interest in telco security and phone hacking.

Page 11: Telecom security issues   (Raoul Chiesa, day 1 )

THE VENDORS

Some vendors have decided to take an active stance in security (e.g. Nokia); however, such initiatives are isolated and do not address most telcos’ security problems.

Most vendors sell antiquated software full of bugs, running on old and unpatched versions of operating systems and daemons.

Operators cannot fix the identified security weaknesses because it would void their warranty.

⌧ The result of this ‘head in the sand’ approach is an increase in the threat: national and international critical infrastructures are at risk.

Page 12: Telecom security issues   (Raoul Chiesa, day 1 )

THE OPERATORS

Operators rely on vendors for secure solutions.

Operators are primarily focused on network operations, software upgrades, network performance and other time‐consuming routine tasks.

Operators lack in‐house expertise on telco security.

Operators are usually divided between the IT and Engineering departments, creating two separate security domains.

⌧ Most telco networks are open to attackers (I don’t say “hackers”!).

Page 13: Telecom security issues   (Raoul Chiesa, day 1 )

NETWORK OPS. / I.T.

GSM operators typically split their network between IT (the incompetent team running the mail, the domains, the printers and the proxy/firewall) and Engineering (the telco side). Usually there is distrust between the two entities, poor communications and certainly no common policy towards security. IT of course believe they are important, but in fact they just have a support role. If all IT systems stop working, you can still make phone calls.

(Emmanuel Gadaix, TSTF – Black Hat Asia Security Conference, 2001)

Page 14: Telecom security issues   (Raoul Chiesa, day 1 )

THE OPERATORS

Based on a 10+ year study encompassing 24 network operators on four different continents (EU, Asia, USA, Australia):

⌧ 100% could be hacked from the Internet via Web Apps

⌧ 90% could be hacked through PSTN, X.25, ISDN or Wi‐Fi

⌧ 72% had a security incident in the last 2 years

⌧ 23% had appropriate perimeter security control

⌧ 0% had all their mission‐critical hosts (really) secured

⌧ 0% had comprehensive database security in place

⌧ 0% had integrity measures protecting billing data, nor encryption

Page 15: Telecom security issues   (Raoul Chiesa, day 1 )

THE ENEMY

Telco fraud is still an attractive target:

Bypassing toll, getting services without fees, setting up premium numbers, etc;

Privacy invasions: interception of call‐related data (e.g. CDRs, SMS contents, signalling data, billing data, etc);

Eavesdropping and cloning: illegal interception and cloning of mobile phones.

⌧ Recently one underground group announced it was reverse engineering Nokia and Symbian software;

⌧ A group of sophisticated hackers is working on abusing the SS7 protocol;

⌧ Another group of international security researchers is working on VoIP attacks in telco environments (Mobile, PSTN/ISDN, SS7, I.N.)

Page 16: Telecom security issues   (Raoul Chiesa, day 1 )

THE COMPETITION

⌧ Traditional security shops: no knowledge of telcos, poor understanding of telco procedures.

⌧ Traditional telco consultancies: very poor knowledge of security issues.

⌧ “Big 4” audit firms: focused on policies, no real expertise (they outsource their jobs to us).

⌧ In‐house resources: very dangerous. Internal fraud is overlooked; interdepartmental ego problems; good security and bad security look the same.

Page 17: Telecom security issues   (Raoul Chiesa, day 1 )

DOING NOTHING…

… with your telco infrastructures today is like doing nothing with the RAS accesses in the 80’s…

…with the X.25 networks in the 90’s…

….and with your Internet hosts during the Y2K:

⌧ it’s an open invitation for disaster.

Page 18: Telecom security issues   (Raoul Chiesa, day 1 )

“BUT..WHY SH0ULD WE C@4E ‘BOUT TH3S3 L33T ATTACK3RS ?!?”

….BECAUSE YOU LOSE YOUR MONEY..

Page 19: Telecom security issues   (Raoul Chiesa, day 1 )

AND, because….

• Hackers have been speaking about, investigating, discussing and hacking telco‐related stuff (everything!) for a long time now (it began in the 70’s, became a trend in the 80’s and 90’s, and a standard from 2000 up to today).

• ..Wanna see some examples??

Page 20: Telecom security issues   (Raoul Chiesa, day 1 )

2008

DEFCON 16 – Taking Back your Cellphone – Alexander Lash
BH DC / BH Europe – Intercepting Mobile Phone/GSM Traffic – David Hulton, Steve
BH Europe – Mobile Phone Spying Tools – Jarno Niemelä
BH USA – Mobile Phone Messaging Anti‐Forensics – Zane Lackey, Luis Miras
Ekoparty – Smartphones (in)security – Nicolas Economou, Alfredo Ortega
BH Japan – Exploiting Symbian OS in mobile devices – Collin Mulliner
GTS‐12 – iPhone and iPod Touch Forensics – Ivo Peixinho

25C3 – Hacking the iPhone – MuscleNerd, pytey, planetbeing
25C3 – Locating Mobile Phones using SS7 – Tobias Engel
25C3 – Anatomy of smartphone hardware – Harald Welte
25C3 – Running your own GSM network – H. Welte, Dieter Spaar
25C3 – Attacking NFC mobile phones – Collin Mulliner

Page 21: Telecom security issues   (Raoul Chiesa, day 1 )

2009/1

ShmooCon – Building an All-Channel Bluetooth Monitor – Michael Ossmann and Dominic Spill
ShmooCon – Pulling a John Connor: Defeating Android – Charlie Miller
BH USA – Attacking SMS – Zane Lackey, Luis Miras (Premiere at YSTS 3.0, BR)
BH USA – Fuzzing the Phone in your Phone – Charlie Miller, Collin Mulliner
BH USA – Is Your Phone Pwned? – Kevin Mahaffey, Anthony Lineberry & John Hering
BH USA – Post Exploitation Bliss – Loading Meterpreter on a Factory iPhone – Vincenzo Iozzo & Charlie Miller
BH USA – Exploratory Android Surgery – Jesse Burns
DEFCON 17 – Jailbreaking and the Law of Reversing – Fred Von Lohmann, Jennifer Granick
DEFCON 17 – Hacking WITH the iPod Touch – Thomas Wilhelm
DEFCON 17 – Attacking SMS. It's No Longer Your BFF – Brandon Dixon
DEFCON 17 – Bluetooth, Smells Like Chicken – Dominic Spill, Michael Ossmann, Mark Steward

Page 22: Telecom security issues   (Raoul Chiesa, day 1 )

2009/2

BH Europe – Fun and Games with Mac OS X and iPhone Payloads – Charlie Miller and Vincenzo Iozzo
BH Europe – Hijacking Mobile Data Connections – Roberto Gassirà and Roberto Piccirillo
BH Europe – Passports Reloaded Goes Mobile – Jeroen van Beek
CanSecWest – The Smart-Phones Nightmare – Sergio 'shadown' Alvarez
CanSecWest – A Look at a Modern Mobile Security Model: Google's Android – Jon Oberheide
CanSecWest – Multiplatform iPhone/Android Shellcode, and other smart phone insecurities – Alfredo Ortega and Nico Economou
EuSecWest – Pwning your grandmother's iPhone – Charlie Miller
HITB Malaysia – Bugs and Kisses: Spying on Blackberry Users for Fun – Sheran Gunasekera
YSTS 3.0 / HITB Malaysia – Hacking from the Restroom – Bruno Gonçalves de Oliveira
PacSec – The Android Security Story: Challenges and Solutions for Secure Open Systems – Rich Cannings & Alex Stamos
DeepSec – Security on the GSM Air Interface – David Burgess, Harald Welte
DeepSec – Cracking GSM Encryption – Karsten Nohl
DeepSec – Hijacking Mobile Data Connections 2.0: Automated and Improved – Roberto Piccirillo, Roberto Gassirà
DeepSec – A practical DOS attack to the GSM network – Dieter Spaar

Page 23: Telecom security issues   (Raoul Chiesa, day 1 )

Overview on attacks

(then we’ll jump straight to a few, single topics)

Page 24: Telecom security issues   (Raoul Chiesa, day 1 )

ATTACKS & FRAUDS IN MOBILE ENVIRONMENTS

Page 25: Telecom security issues   (Raoul Chiesa, day 1 )

A MORE COMPLICATED WORLD…

[Figure: a cloud of technology and standards areas surrounding a modern operator: Video on demand, EMC, SES, Virtual Networks, Public safety, B-ISDN, TFTS, BRAN, PTS, GSM, DECT, VSAT, Intelligent Networks, SEC, ISO/BSI, ATM, UMTS, Teleworking, STQ, DTV, Testing Methods, Voice over Internet Protocol, CTM, ERM]

Page 26: Telecom security issues   (Raoul Chiesa, day 1 )

...WITH DIFFERENT STANDARDS, BUT A UNIQUE MARKET

Page 27: Telecom security issues   (Raoul Chiesa, day 1 )

...BUT THE THREAT IS GLOBAL

Page 28: Telecom security issues   (Raoul Chiesa, day 1 )

PHREAKING TELCOS

Phreaking is a slang term for the action of making a telephone system do something that it normally should not allow.

Why would anyone do this??

“I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer.”

Captain Crunch
From Secrets of the Little Blue Box
Esquire Magazine, October 1971

Page 29: Telecom security issues   (Raoul Chiesa, day 1 )

(pause) LOL!!

Page 30: Telecom security issues   (Raoul Chiesa, day 1 )

A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/1

The “Phreaking” concept can be explained as “Hacking the phone line”;

Since the 60’s, phreaking exploded all around the world;

From those times, intrusion stories in telco environments became very common;

In the following slides we will give you a summary of the various types of attacks that can be applied in Mobile Networks;

Many of these attacks have been practically tested and demonstrated by our Tiger Team during the years.

Page 31: Telecom security issues   (Raoul Chiesa, day 1 )

A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/2

Attacks have been classified into the following areas:

RAN Attacks (Radio Access Network)

TN Attacks (Transmission Network)

NSS Attacks (Network Switching Subsystem)

IN Attacks (Intelligent Network)

SMS/Messaging Attacks (SMS, VMS)

MMS Attacks

NMS/OSS Attacks (Network Management System / Operations Support System)

ME & Billing GW Attacks (Mediation and Billing) $$

LIS/LIG Attacks (Legal Interception System/Gateway)

SS7 Attacks (Signalling System #7)

..not forgetting the “old school” PSTN, ISDN and X.25 attacks

Page 32: Telecom security issues   (Raoul Chiesa, day 1 )

THE NETWORK ELEMENTS

Radio Access Network (BSS/RAN)

Mobile Switching Center (MSC/NSS)

Home Location Register (HLR/VLR)

Intelligent Network (IN)

Messaging (SMSC, MMSC, USSD, VMS)

Packet data (GPRS, EDGE, 3G/UMTS)

Network Management (NMS, OMC, OSS)

Mediation, Billing, Customer Care, LIG

Page 33: Telecom security issues   (Raoul Chiesa, day 1 )

MSC

• Mobile Switching Center

• Is probably the most important asset in a Mobile Operator

• We will speak about the Vodafone Greece case shortly…

Page 34: Telecom security issues   (Raoul Chiesa, day 1 )

GGSN

• Ollie Whitehouse, around 2002/2003, successfully exploited Nokia GPRS‐related elements (GGSN, SGSN).

• Result? DoS on all of your data connections (operator level) if you ran GPRS on Nokia’s HW (at that time, obviously).

• Is it only Nokia? NO! ALL of them may be vulnerable.

Page 35: Telecom security issues   (Raoul Chiesa, day 1 )

Web Applications Security

• I’ve moved this to the last section, along with “evidences”.

• Basically, the problem here is that the “standard players” (big 4, Accenture, etc etc) are often releasing insecure Web Applications.

• Exposed to:
– XSS/CSRF/etc
– SQL Injection(s)
– …whatever!

Page 36: Telecom security issues   (Raoul Chiesa, day 1 )

The “Vodafone Greece Affair”

Page 37: Telecom security issues   (Raoul Chiesa, day 1 )

In one shot ‐ Greece

• Basically, what the hell happened?

100+ “VIP” mobile subscribers have been eavesdropped: Government members, Defense officials mainly, including the Greek Prime Minister, Foreign, Defence, Public Order officials, etc.
Calls from and to 100+ SIMs were diverted to 14 “pay‐as‐you‐go” mobile phones. Four BTS were involved, covering the area where these receiving SIMs were located. “Incidentally”, the Athens US Embassy is right in the middle of them ☺
This has been done via a high‐level hack of the Ericsson AXE GSM MSC, building a rootkit “parked” in the RAM area, since obviously the MSC was in “production” (!!!).
“The Hack” was discovered on March 7th, 2005, by Ericsson technical staff. One year later at least. Maybe longer…. nobody knows.
On March 9th, a Vodafone “top technician” (Kostas Tsalikidis, 39 y.o., Head of Network Design) committed suicide.
EYP (Hellas National Intelligence Agency) began investigating at once.

× Right now, no‐one has any idea about who did it and why.

Page 38: Telecom security issues   (Raoul Chiesa, day 1 )

Profiling: Actors involved

• Some elite hacker.
– Retired Ericsson technical guy(s)?

• Some seriously‐intentioned IA (CIA?).

• Some historical and geo‐political situation (Carpe Diem).

• Local politicians and National Secret Service

• The Olympic Games?

• The “best hack of 2005” prize. For sure.

Page 39: Telecom security issues   (Raoul Chiesa, day 1 )

Targeted people (Vodafone Hellas/1)

• GOVERNMENT TARGETS:
Karamanlis, Kostas – Prime Minister of Greece (two phones of 20) – Elef. 3Feb
Molyviatis, Petros – then Foreign Minister, a private phone – Elef. 3Feb
Spiliotopoulos, Spilios – then Minister of Defense – Elef. 3Feb
Voulgarakis, Giorgos – then Minister of Public Order – Elef. 3Feb
Papaligouras, Anastasios – Minister of Justice – Elef. 3Feb
Valinakis, Giannis – Alternate Foreign Minister – Elef. 3Feb
Dimas, Stavros – EU Commissioner – Elef. 3Feb
Bakoyianni, Dora – then Mayor of Athens – Elef. 3Feb
Vallindas, Giorgos – Ambassador, Foreign Ministry Mideast Division Director – Elef. 3Feb
Choreftaki, Glykeria – Foreign Ministry employee – Elef. 3Feb
Papantoniou, Giannis – PASOK MP, ex Minister of Defense – Elef
Apostolidis, Pavlos – then Head of Greek Intelligence Service (EYP), his car phone – Nea
Karamanli, Natasha – wife of Prime Minister – Nea
Eight unidentified foreign ministry officials – Nea
Unnamed intelligence officials – EYP operations officers – Nea
Korandis, Giannis – current EYP director, then Ambassador to Turkey, his private car phone – Nea 3‐16
Molyviati, Lora – daughter of former Foreign Minister – Nea 3‐16

Page 40: Telecom security issues   (Raoul Chiesa, day 1 )

Targeted people (Vodafone Hellas/2)

• POLICE/SECURITY TARGETS:
Maravelis, Dimitris – Police officer in Olympic Security – Elef. 3Feb
Maris, Giorgos – lawyer, legal advisor to Public Order Ministry – Elef. 3Feb
Angelakis, Dimitris – Police in Olympic Security or EYP unionist – Elef. 3Feb
Sontis, Theodore – U.S. Embassy Greek‐American, gave to security detail – Elef
Kyriakakis, Evstratios – Former Director, Criminological Service, Greek Police – Ta Nea
Galiatsos, G. – Director of Exercises, Athens Olympic Security – Ta Nea
Mitropoulos, G. – Chief of Staff, Ministry of Public Order – Ta Nea
Konstantinidis, V. – Olympic Games Security Director – Ta Nea
Nasiakos, Fotis – Former Chief, Greek Police (phone given to another) – Ta Nea
Dimoschakis, An. – Chief of Staff, Greek Police – Ta Nea
Syrros, St. – Former director of Counterterrorism division, Greek Police – Ta Nea
Galikas, D. – Director of Counterterrorism Division, Greek Police – Ta Nea
Angelakos, Giorgos – Chief of Greek Police – Ta Nea
Seven senior military – Senior officers in general staff – Ta Nea
General Staff Communications Dir – Communications Director, chief of General Staff
Defense Ministry staffer – Defense Ministry staff company – Eleft 2/5

Page 41: Telecom security issues   (Raoul Chiesa, day 1 )

Targeted people (Vodafone Hellas/3)

• FOREIGN CITIZENS TARGETS:
Meim, Mohamad – Pakistani – Elef
Moktar, Ramzi – Sudanese – Elef
Maloum, Udin – Elef
Jamal, Abdullah – Lebanon radio reporter or Syrian journalist, now fast food operator – Elef
Sadik, Hussein Moh. – Pakistani store owner – Elef
Tarek, Ibrahim Ahmet – Iraqi – Elef
Kadir, Aris – Kurd – Elef
Thair, Hermiz – Iraqi – Elef
Ayoubi, Chadi – Lebanese al Jazeera reporter, Gr resident – Elef
Basari, Mohamed – Iraqi immigrant, Igoumenitsa, 3 years, furniture factory worker – Nea 3‐16
Unnamed Syrian – 3 years – Nea 3‐16
Unnamed Iraqi – 2 years – Nea 3‐16

Page 42: Telecom security issues   (Raoul Chiesa, day 1 )

Targeted people (Vodafone Hellas/4)

• UNEXPLAINED TARGETS:
Fergadis, Theodoros – businessman – Elef. 3Feb
Kakotaritis, Giorgos – blanket factory? – Elef. 3Feb
Linardos, Nikolaos – Pegasus financial co, underwear firm – Nea 3‐16
Cretan businessman – shipper of remote control airplanes, including Souda Bay – Vima 3/25
Cretan refrigeration tech – Refrigeration tech from Ag. Nikolaos, Crete – Vima 3/25
Koika, Katerina – journalist – Elef. 3Feb
Psychogios, Giorgos – criminal lawyer, Thebes mayor candidate – Elef. 3Feb
Makris, Kostas – Elef. 3Feb
Barbarousi, Dimitra – Elef. 3Feb
Notas, Anastasios – Elef
Pavlidis, Pavlos – Elef
Pnevmatikakis, Angelos – Elef
Unknown card phone 6942 5447.. – Activated 2/28/05 – Vima 2/25

Page 43: Telecom security issues   (Raoul Chiesa, day 1 )

Conclusions

• A “suicided” dead man here too…
– Telecom Italia scandal (2005)
– KGB/CCC (1989)

• A very light negative image of Vodafone Hellas: the media didn’t hit the subject that much in the news coverage.

• Obscure CIA links?

• Rootkit on the Ericsson AXE MSC.

Page 44: Telecom security issues   (Raoul Chiesa, day 1 )

5 years later…. (2010)

• What’s going on?!?

• It happened that organized cybercrime gangs began realizing, since 2005, that it’s all about money…..

• And, that the end‐user is an easier hack than a Corporate Telco (depends on the Telco, though! ;)

Page 45: Telecom security issues   (Raoul Chiesa, day 1 )

Upcoming issues: targeting the end‐user with mobile dialers

Page 46: Telecom security issues   (Raoul Chiesa, day 1 )

Uh? How did this happen??

Page 47: Telecom security issues   (Raoul Chiesa, day 1 )

“Playing games”, do ya??

Page 48: Telecom security issues   (Raoul Chiesa, day 1 )

Let’s pick up one…

Page 49: Telecom security issues   (Raoul Chiesa, day 1 )

..and its “hidden” code

Page 50: Telecom security issues   (Raoul Chiesa, day 1 )

The numbers

• +882346077 Antarctica

• +17675033611 Dominica (+1 767; not the Dominican Republic, which uses +1 809/829/849)

• +88213213214 EMSAT satellite prefix

• +25240221601 Somalia

• +2392283261 São Tomé and Príncipe

• +881842011123 Globalstar satellite prefix
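What a fraud-management system can do with a list like this, as an added example that is not part of the original talk: normalise the dialled digits, longest-prefix match them against a table of high-cost destinations, and raise an alert once a single subscriber places several such calls inside a short window, which is the call pattern a hidden dialer produces. The numbers in the table are the ones on the slide; the +881/+882 satellite ranges, the MSISDNs, timestamps and CDR layout are assumptions constructed for the example.

```python
"""Screening outbound CDRs for the premium / satellite destinations that mobile
dialers abuse. Example code added for this page; not from the original talk."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Destination prefixes. Entries marked (slide) come from the number list above;
# the bare satellite ranges are an assumption of this example (+881 = GMSS
# satellite range, +882 = "International Networks" range). Longer prefixes win.
HIGH_COST_PREFIXES = {
    "881":   "satellite, GMSS range (+881, assumed)",
    "8818":  "satellite, Globalstar (slide: +881842011123)",
    "882":   "international networks range (+882, assumed; slide: +882346077)",
    "88213": "satellite, EMSAT (slide: +88213213214)",
    "252":   "Somalia (slide: +25240221601)",
    "239":   "São Tomé and Príncipe (slide: +2392283261)",
    "1767":  "Dominica (slide: +17675033611)",
}


def normalize(dialed):
    """Return the international number as bare E.164 digits, or None for a
    national call. Assumption: the operator sits in a country that uses '00'
    as the international dialling prefix (Italy and India both do)."""
    digits = re.sub(r"[\s\-().]", "", dialed)
    if digits.startswith("+"):
        return digits[1:]
    if digits.startswith("00"):
        return digits[2:]
    return None


def classify(dialed):
    """Longest-prefix match of a dialled number against HIGH_COST_PREFIXES.
    Returns (prefix, label), or None when the destination is not high-cost."""
    number = normalize(dialed)
    if number is None or not number.isdigit():
        return None
    best = None
    for prefix, label in HIGH_COST_PREFIXES.items():
        if number.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label)
    return best


def screen_cdrs(cdrs, window=timedelta(hours=24), max_calls=3):
    """Velocity rule: a subscriber who places `max_calls` or more high-cost calls
    inside any `window` is reported. Returns {msisdn: [(label, dialed), ...]}
    holding the calls that triggered the alert."""
    hits = defaultdict(list)
    for cdr in sorted(cdrs, key=lambda c: c["start"]):
        match = classify(cdr["dialed"])
        if match is None:
            continue
        hits[cdr["msisdn"]].append((datetime.fromisoformat(cdr["start"]), match[1], cdr["dialed"]))
    alerts = {}
    for msisdn, calls in hits.items():
        for when, _, _ in calls:
            recent = [c for c in calls if when - window < c[0] <= when]
            if len(recent) >= max_calls:
                alerts[msisdn] = [(label, dialed) for _, label, dialed in recent]
                break
    return alerts


# Constructed sample CDRs (not real traffic). Subscriber ...0001 is an infected
# handset cycling through the slide's numbers at night; ...0002 makes one genuine
# call to Somalia; ...0003 only calls nationally.
SAMPLE_CDRS = [
    {"msisdn": "391230000001", "dialed": "+882346077",    "start": "2010-12-04T02:10:00", "dur": 55},
    {"msisdn": "391230000001", "dialed": "+17675033611",  "start": "2010-12-04T02:42:00", "dur": 61},
    {"msisdn": "391230000002", "dialed": "0025240221601", "start": "2010-12-04T09:15:00", "dur": 300},
    {"msisdn": "391230000001", "dialed": "+88213213214",  "start": "2010-12-04T03:05:00", "dur": 58},
    {"msisdn": "391230000003", "dialed": "3339876543",    "start": "2010-12-04T10:00:00", "dur": 40},
    {"msisdn": "391230000001", "dialed": "+881842011123", "start": "2010-12-04T03:40:00", "dur": 60},
]

if __name__ == "__main__":
    for msisdn, calls in screen_cdrs(SAMPLE_CDRS).items():
        print(msisdn, "->", calls)
```

The single genuine call to Somalia is not reported: the rule keys on repetition inside a window, not on the destination alone, which is what keeps it from flagging every diaspora subscriber. Thresholds would be tuned per tariff plan in practice.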

Page 51: Telecom security issues   (Raoul Chiesa, day 1 )

xxxxx

Page 52: Telecom security issues   (Raoul Chiesa, day 1 )

xxxxx

Page 53: Telecom security issues   (Raoul Chiesa, day 1 )

xxxxx

Page 54: Telecom security issues   (Raoul Chiesa, day 1 )

xxxxx

Page 55: Telecom security issues   (Raoul Chiesa, day 1 )

So…we’re talking about Billing, right?

That, to me, goes straight along with Mediation ☺

Page 56: Telecom security issues   (Raoul Chiesa, day 1 )

MEDIATION AND BILLING

Mediation is the process that converts and transports raw CDR data.
It can also be used to translate provisioning commands to the NE.
It is a critical part of the provisioning and billing cycles.
Most convenient place to commit fraud.

Page 57: Telecom security issues   (Raoul Chiesa, day 1 )

THE BILLING PROCESS

[Figure: block diagram of an operator’s billing process (labelled “Not WCS”). Components and flows visible in the diagram:
– Billing System & Golden Database: customer and service administration, personalisation, content management, tariffing, SIM and number management, provisioning requests, call data collection, rating and billing (roaming, retail and interconnect), and payment collection; holds customer and subscription data, rated CDRs and real-time billing.
– Mediation System: collection and normalisation of call data from the GSM network (MSC, HLR, AuC, SMSC, VMS, SGSN, GGSN), and transfer of service requests and responses to WAP, SMSC, IN, etc.; normalised call data goes to the Billing Gateway (BGW), which hands pre-pay and unrated CDRs to billing.
– SOG (service activation): service requests and responses.
– TAP Clearing House: roaming call data.
– Bank interface (EFT): DD payments and returns, card payments and authorisation; ISCP platform, WAP and E-Wallet for small purchases; external billing for content supply via multiple fulfilment vendors (Internet information access APIs, interactive TV security, certification and encryption, reporting).
– Credit check: ID and address validation, credit scoring (integration of the billing system with external validation agencies), blacklist and bad-debt database; customer details in, result of check out.
– SAP: sales support, logistics and finance processing, human resources and materials management; general-ledger updates, financial/inventory and material master, outbound, goods movement inbound, picking confirmation, serial-number changes, physical inventory; SIM orders, dispatched SIMs, dealer codes, activation information, money back and deactivations exchanged with the SIM manufacturer and the logistics company; sales and dealer commission data; document imaging; printing.
– Fraud: SIM + MSISDN numbers, including IMEI blacklisting.
– Shops & dealers, retail outlets, WCS Shops, multimedia, POS activation.
– Customer care: CRM tool (manage customer tasks to completion), ACD (distribute customer calls in the call centre), IVR (identify customer and preference, satisfy simple queries; caller ID, service level, preferred language), predictive dialler, electronic queue manager (service-centre queue measurement), Isaac case-based reasoning tool (diagnose problems and recommend solutions), Scholar knowledge system (on-line call-centre reference), operator services and directory inquiries, screen navigation.
– Data warehouse (“Ernie”), IMS query; IMS: sites administration, BTS build, provision and transmission, operations and network fault logging; GIS (geographical information system) with site, dealer and shop info, site rental assets; radio planning tool (signal strength and coverage; sites, faults and links).]

Page 58: Telecom security issues   (Raoul Chiesa, day 1 )

ATTACKS ON MEDIATION / BILLING

• Raw database edit. Conveniently deletes selected records containing billing data.
• Modification of the charging tables in the billing system
• Patching of the rater application to eliminate certain CDRs, e.g. those belonging to a given MSISDN
• Backdoors in mediation gateways to remove CDR data
• Confidential information on subscribers' activities (numbers called, received, SMS, data, etc.)
• Modification of CDR processing rules
• Modification of the "test numbers" whitelist
• Live patching of CDR data while in the mediation queue
• Patching of the mediation application (e.g. loading scripts)
• GPRS packet aggregation rules modification
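Most of the attacks above share one trait: CDRs disappear or change somewhere between the switch and the rater, and nothing on the billing side notices. The following added example (not code from the original slides or from any operator) shows the check a billing-side verifier can run on each batch it receives from mediation: a keyed MAC written by the collector at the moment of collection, a trailer record count, and a per-switch sequence-number scan for gaps and duplicates. The record layout (`seq|msisdn|called|start|duration`), the key, the masked MSISDNs and the batch contents are all constructed for this illustration.

```python
"""
Integrity checks on a CDR batch handed from mediation to billing.
Added example, not from the original presentation. Detects silent
removal or alteration of CDRs by (1) verifying a keyed MAC that the
collector attached to the batch and (2) checking per-switch sequence
numbers for gaps and duplicates. Record format and values are constructed.
"""
import hmac
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed shared secret between the collector that writes a batch and the
# billing-side verifier. In a real deployment it lives in an HSM or secrets
# store, never in the CDR database an attacker might edit directly.
BATCH_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class CdrBatch:
    switch_id: str
    records: List[str]      # "seq|msisdn|called|start|duration" (constructed format)
    trailer_count: int      # record count written in the batch trailer
    trailer_mac: str        # hex HMAC-SHA256 over switch_id + records, from the collector


def compute_mac(switch_id: str, records: List[str]) -> str:
    """HMAC over the batch contents; the switch id binds the MAC to its source."""
    h = hmac.new(BATCH_KEY, digestmod=hashlib.sha256)
    h.update(switch_id.encode())
    for line in records:
        h.update(line.encode())
        h.update(b"\n")
    return h.hexdigest()


def make_batch(switch_id: str, records: List[str]) -> CdrBatch:
    """What the collector emits: records plus a trailer carrying count and MAC."""
    return CdrBatch(switch_id, list(records), len(records), compute_mac(switch_id, records))


def verify_batch(batch: CdrBatch, expected_first_seq: Optional[int] = None) -> List[str]:
    """Return a list of findings; an empty list means the batch is intact."""
    findings: List[str] = []

    if batch.trailer_count != len(batch.records):
        findings.append(f"count mismatch: trailer says {batch.trailer_count}, got {len(batch.records)}")

    # Constant-time comparison; any deleted, edited or reordered record changes the MAC.
    if not hmac.compare_digest(compute_mac(batch.switch_id, batch.records), batch.trailer_mac):
        findings.append("MAC mismatch: records altered or removed after collection")

    seqs: List[int] = []
    for line in batch.records:
        try:
            seqs.append(int(line.split("|", 1)[0]))
        except ValueError:
            findings.append(f"unparseable record: {line!r}")

    # Sequence numbers are assigned by the switch; a gap means a CDR never reached
    # us (or was removed), a duplicate means one was replayed or double-loaded.
    seqs_sorted = sorted(seqs)
    if expected_first_seq is not None and seqs_sorted and seqs_sorted[0] != expected_first_seq:
        findings.append(f"sequence gap before {seqs_sorted[0]}: expected {expected_first_seq}")
    for a, b in zip(seqs_sorted, seqs_sorted[1:]):
        if a == b:
            findings.append(f"duplicate sequence {a}")
        elif b != a + 1:
            findings.append(f"sequence gap between {a} and {b}")
    return findings


# Constructed sample batch from one switch (MSISDNs masked with XXX).
CLEAN = make_batch("MSC01", [
    "1001|XXX8557710|XXX2199557|2004-03-01T10:00:00|125",
    "1002|XXX8557711|XXX2199558|2004-03-01T10:01:10|42",
    "1003|XXX8557712|XXX2199559|2004-03-01T10:02:30|311",
    "1004|XXX8557713|XXX2199560|2004-03-01T10:03:05|8",
])

# The same batch after a "raw database edit" removed one subscriber's CDR and
# rewrote the trailer count to match: the MAC and the sequence gap still expose it.
TAMPERED = CdrBatch(
    "MSC01",
    [r for r in CLEAN.records if r.split("|")[1] != "XXX8557712"],
    3,
    CLEAN.trailer_mac,
)

if __name__ == "__main__":
    print("clean:", verify_batch(CLEAN, expected_first_seq=1001))
    print("tampered:", verify_batch(TAMPERED, expected_first_seq=1001))
```

The count check alone is defeated by an attacker who also edits the trailer, which is why the MAC key must not be reachable from the billing database or the mediation host itself; the sequence scan catches removals even when the key has been compromised, as long as the switch's numbering cannot be rewritten.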


Page 59: Telecom security issues   (Raoul Chiesa, day 1 )

L.I.G. / L.I.S. ATTACKS

• Legal Interception Gateway is used by police and intelligence agencies.
• Connected to the MSC through a special interface. Very user-friendly.
• Based on standard UNIX and TCP/IP, so potentially open to common attacks.
• Compromise of a LIG would allow real-time interception and call eavesdropping.
• Could compromise the agencies' own facilities.
• RAOUL, don't forget to tell 'em about the "911 Pentest"…. ;)


Page 60: Telecom security issues   (Raoul Chiesa, day 1 )

SS7: the next nightmare

• A signalling & billing (inter-operator) protocol built in the 70's and developed in the 80's.

• Why? LOL

• ……'cause Captain Crunch invented blue-boxing, which ran in-band.

• So SS7 went "out-of-band".

• Simple (KISS)!

Page 61: Telecom security issues   (Raoul Chiesa, day 1 )

SS7 SIGNALLING

Mobile networks primarily use Signalling System no. 7 (SS7) for communication between networks for such activities as authentication, location update, supplementary services and call control. The messages unique to mobile communications are MAP messages.

The security of the global SS7 network as a transport system for signalling messages, e.g. authentication and supplementary services such as call forwarding, is open to major compromise.

The problem with the current SS7 system is that messages can be altered, injected or deleted into the global SS7 networks in an uncontrolled manner.


Page 62: Telecom security issues   (Raoul Chiesa, day 1 )

EXAMPLES OF SS7 ATTACKS

• Theft of service, interception of calling card numbers, privacy concerns
• Introduce harmful packets into the national and global SS7 networks
• Get control of call processing, get control of accounting reports
• Obtain credit card numbers, non-listed numbers, etc.
• Messages can be read, altered, injected or deleted
• Denial of service, security triplet replay to compromise authentication
• Annoyance calls, free calls, disruption of emergency services
• Capture of gateways, rerouting of call traffic
• Disruption of service to large parts of the network
• Call processing exposed through Signaling Control Protocol
• Announcement service exposed to IP through RTP
• Disclosure of bearer channel traffic


Page 63: Telecom security issues   (Raoul Chiesa, day 1 )

SS7 ENTRY POINTS


Page 64: Telecom security issues   (Raoul Chiesa, day 1 )

SS7: A CLOSED NETWORK

With a limited number of carriers and limited points of interconnection, the operators could assume with fair certainty that all of the elements passing data were trusted sources.

Unlike IP protocols, security features like authentication and encryption were not built into the SS7 protocol. Rather, the focus has been placed on creating secure physical environments for the network equipment rather than secure protocols.

STPs, the routers of the SS7 network, perform gateway screening to prohibit inbound and outbound messages from unauthorized nodes. The addresses of individual nodes within a network are isolated.

Global title translation (GTT) enables a network to receive messages from other networks without disclosing the unique addresses, called point codes, of its own nodes.
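The two SS7 slides above (the MAP operations used for authentication and location update, and the gateway screening that STPs perform at the interconnect) are where an operator can actually intervene. The added example below, which is not code from the original slides or from any vendor's STP, models the screening decision a signalling firewall makes on an inbound MAP operation: operations that only ever occur inside the home network are refused from interconnect, messages claiming a home global title but arriving over an interconnect linkset are dropped as spoofed, and location updates for a home subscriber are checked against where that subscriber was last seen (the "velocity" check that catches the triplet replay and rerouting scenarios listed earlier). The MAP operation codes are the ones defined in 3GPP TS 29.002; the global-title prefixes, the IMSI prefix, the country table, the policy sets and the sample messages are constructed assumptions.

```python
"""
Gateway screening of inbound MAP operations at a mobile network's edge.
Added example, not from the original presentation. Opcode values follow
3GPP TS 29.002; GT/IMSI prefixes, the policy table and the sample traffic
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# MAP operation codes (3GPP TS 29.002 OperationCode values).
UPDATE_LOCATION = 2
SEND_PARAMETERS = 9
SEND_ROUTING_INFO_FOR_SM = 45
SEND_AUTHENTICATION_INFO = 56
SEND_IMSI = 58
ANY_TIME_INTERROGATION = 71

# Constructed policy: operations exchanged only between a home network's own
# nodes (VLR/HLR/gsmSCF), so they have no legitimate source on interconnect.
HOME_ONLY = {SEND_PARAMETERS, SEND_IMSI, ANY_TIME_INTERROGATION}

# Operations a foreign VLR/MSC legitimately sends about our roaming subscribers,
# and which therefore need a plausibility check rather than a flat allow.
ROAMING_ONLY = {UPDATE_LOCATION, SEND_AUTHENTICATION_INFO}

HOME_GT_PREFIX = "39335"      # constructed: global titles of our own nodes
HOME_IMSI_PREFIX = "22201"    # constructed: MCC+MNC of our subscribers
MIN_TRAVEL_SECONDS = 3600     # constructed: faster country changes are implausible

# Constructed country lookup by E.164 prefix (real STPs hold a full numbering plan).
COUNTRY_BY_GT_PREFIX: Dict[str, str] = {"39": "IT", "44": "GB", "1": "US", "91": "IN"}


def country_of(gt: str) -> str:
    """Longest-prefix match of a global title to a country label."""
    for prefix in sorted(COUNTRY_BY_GT_PREFIX, key=len, reverse=True):
        if gt.startswith(prefix):
            return COUNTRY_BY_GT_PREFIX[prefix]
    return "??"


@dataclass
class MapMessage:
    opcode: int
    calling_gt: str             # SCCP calling-party global title of the sender
    imsi: str                   # subscriber the operation concerns
    timestamp: int              # seconds since epoch (constructed values below)
    from_interconnect: bool = True  # which linkset the message arrived on


class Screener:
    def __init__(self) -> None:
        # imsi -> (country, timestamp) of the last accepted location update
        self.last_seen: Dict[str, Tuple[str, int]] = {}

    def screen(self, msg: MapMessage) -> Tuple[str, str]:
        """Return ("ALLOW" | "BLOCK", reason)."""
        if msg.calling_gt.startswith(HOME_GT_PREFIX):
            # Home addresses are only reachable on internal linksets; the same
            # GT on an interconnect link is a spoofed calling party.
            if msg.from_interconnect:
                return ("BLOCK", "home global title arriving over interconnect")
            return ("ALLOW", "internal node")

        if msg.opcode in HOME_ONLY:
            return ("BLOCK", f"opcode {msg.opcode} is never accepted from interconnect")

        if msg.opcode in ROAMING_ONLY:
            if not msg.imsi.startswith(HOME_IMSI_PREFIX):
                return ("BLOCK", "location/authentication request for a non-home IMSI")
            src_country = country_of(msg.calling_gt)
            prev = self.last_seen.get(msg.imsi)
            if prev and prev[0] != src_country and msg.timestamp - prev[1] < MIN_TRAVEL_SECONDS:
                return ("BLOCK", f"implausible move {prev[0]}->{src_country} in {msg.timestamp - prev[1]}s")
            if msg.opcode == UPDATE_LOCATION:
                self.last_seen[msg.imsi] = (src_country, msg.timestamp)
            return ("ALLOW", "roaming operation for home subscriber")

        return ("ALLOW", "operation permitted from interconnect")


def demo() -> List[str]:
    """Screen a constructed sequence of inbound messages; returns the verdicts."""
    s = Screener()
    t0 = 1_100_000_000
    sub = "222010000000001"
    traffic = [
        MapMessage(SEND_IMSI, "393350001", sub, t0, from_interconnect=False),     # own VLR -> HLR
        MapMessage(ANY_TIME_INTERROGATION, "447700900123", sub, t0 + 10),         # foreign ATI
        MapMessage(UPDATE_LOCATION, "447700900123", sub, t0 + 20),                # roaming in GB
        MapMessage(UPDATE_LOCATION, "12125550100", sub, t0 + 600),                # "in US" 10 min later
        MapMessage(UPDATE_LOCATION, "393350002", sub, t0 + 700),                  # home GT on interconnect
        MapMessage(SEND_ROUTING_INFO_FOR_SM, "919800000001", "222010000000002", t0 + 800),
    ]
    return [s.screen(m)[0] for m in traffic]


if __name__ == "__main__":
    print(demo())
```

The screener only decides from the SCCP calling party, the linkset and the MAP opcode, which is exactly the information an STP already has; it deliberately does not parse the MAP payload, so it does nothing about attacks carried inside operations it allows (for example SRI-for-SM used for tracking), which need a separate, stateful layer.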


Page 65: Telecom security issues   (Raoul Chiesa, day 1 )

SS7: ATTACK TAXONOMY


Page 66: Telecom security issues   (Raoul Chiesa, day 1 )

SOME REAL-LIFE EVIDENCES


Page 67: Telecom security issues   (Raoul Chiesa, day 1 )

WI-FI: HW TOOLS FOR PROACTIVE SECURITY


Page 68: Telecom security issues   (Raoul Chiesa, day 1 )

CDR FILES FROM MEDIATION AREA

XXX8557710<X81>^F<X81>3<X83>Uw^A<C/>^U<X80>^A^@<X81>^A^A<X82>^A^@<X83>XXX2199557<X83>^F<X81>3#<PU1>Yu<IND>^C^C^F<NEL>^C^O$<ESC><SSA>^A^A<ESA>^C^C^F<VT><HTS>^C^O$<ESC><HTJ>^B^@<PLU><VTS>^A^@<<<>^F<X80>^A^X<X81>^A^@<PLU>^A^@<SS2>^A^@<PU1>^B^A<o^><PU2>^A^B<3^>^U<X80>^A^@<X81>^A^A<X82>^A^@<X83>


Page 69: Telecom security issues   (Raoul Chiesa, day 1 )

SMS-C UNAUTHORIZED ACCESS


Page 70: Telecom security issues   (Raoul Chiesa, day 1 )

SMS TRAFFIC LOG FROM SMSC

(c) 2004, @ Mediaservice.net Srl, DSDLAB 70

Page 71: Telecom security issues   (Raoul Chiesa, day 1 )

PROCESSED SMS: "FROM" & "TO"


Page 72: Telecom security issues   (Raoul Chiesa, day 1 )

SMS PROCESSING QUEUE


Page 73: Telecom security issues   (Raoul Chiesa, day 1 )

SNIFFING ON "IN PROGRESS" SMSs


Page 74: Telecom security issues   (Raoul Chiesa, day 1 )

OBTAINING CUSTOMERS' INFORMATION


Page 75: Telecom security issues   (Raoul Chiesa, day 1 )


Page 76: Telecom security issues   (Raoul Chiesa, day 1 )


Page 77: Telecom security issues   (Raoul Chiesa, day 1 )

This can be scripted!


Page 78: Telecom security issues   (Raoul Chiesa, day 1 )


Page 79: Telecom security issues   (Raoul Chiesa, day 1 )

Contacts

• Raoul Chiesa

Senior Advisor, Strategic Alliances & Cybercrime Issues

UNICRI – United Nations Interregional Crime & Justice Research Institute

@ Mediaservice.net, Founder

Email: [email protected] (UN)

[email protected] (business)

Page 80: Telecom security issues   (Raoul Chiesa, day 1 )

QUESTIONS?

THANKS FOR YOUR ATTENTION GUYS!!!!