TELECOM SYSTEM SECURITY

Ross Anderson’s book “Security Engineering” -

Chapter 20

Computer Security Seminar

Presenter: Boris Krush

31/05/2016


Abusing the System

■ Letters

■ Heliograph

■ Telegraph


Getting creative

■ Phone Operators

– Payment verification

– Caller identification

■ Tools To Hack

– A piece of metal

– Call forwarding

– Magic button


Getting creative

■ Clip-on

– Students

– Criminals


Getting creative

■ Phone phreaking

– Joe Engressia - whistle

– Blue Box


We are not alone

■ Fight the “Man”

– Signaling codes

– Switch features


Social engineering

■ Calling Cards

– Pay phones

– Long distance calls

■ Premium numbers


Unsecured systems

■ Switching and Configuration

– Getting unlisted numbers

– Auto forwarding calls

■ Kevin Poulsen 1985-1988

– Free calling

– Wiretapping and espionage

– Obtaining unlisted numbers

– Winning a Porsche


Unsecured systems

■ Insiders

– Fixing the odds

■ Kevin Mitnick

‘Companies can spend millions of dollars toward technological protections and that’s wasted if somebody can basically call someone on the telephone and either convince them to do something on the computer that lowers the computer’s defenses or reveals the information they were seeking’


Unsecured systems

■ PBX - private branch exchange

– Dial-through

– Backdoors

■ Attack examples

– Scotland Yard

– Chinese Gang

– Moldova Scam

– Red Browser Worm

*Kabul


Features and services

■ Voicemails and answering machines

– Voicemail

■ Is it Broken?

– Multilingual options

■ Holla!

– Calling without dialing

■ Hide Me

– Call forwarding

■ Skip the bank

– Ringback

■ I'm not Paying

– Conference calls

■ I’m here


Mobile Phones Analog (1G)

■ Used analog signals with no real authentication

– The handset sent two serial numbers

■ Equipment serial number

■ Subscriber serial number

– The signal was sent in clear over the air link

■ Devices to capture and emit this signal were created almost immediately

– Call-Sell operation

– Tumblers - multiple identity phones

– Fake base station


GSM - Global System for Mobile Communications (2G)

■ Digital technology

– International roaming

– No more cloning

– Securing and protecting the line

■ SIM – Subscriber Identity Module

– PIN - personal identification number

– IMSI - international mobile subscriber identification

– Ki - subscriber authentication key
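
The contrast between the 1G and GSM slides, as an added example that is not part of the original presentation: serial numbers sent in clear can be replayed by anyone who overhears them, while a response keyed with Ki is bound to a single random challenge. The class names, all identifiers and the key are constructed, and HMAC-SHA256 is an assumed stand-in for the GSM A3 algorithm.

```python
import hashlib
import hmac
import secrets

# All identifiers and keys below are constructed sample values.
EQUIPMENT_SERIAL, SUBSCRIBER_SERIAL = "EQ-0001", "SUB-0001"
IMSI = "001010000000001"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")

def sres(ki: bytes, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 32 bits stands in for the
    # operator-chosen GSM A3 algorithm, which the slides do not specify.
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

class AnalogNetwork:
    """1G style: accepts whoever presents a known pair of serial numbers."""
    def __init__(self, subscribers):
        self.subscribers = set(subscribers)

    def authenticate(self, equipment_serial, subscriber_serial):
        return (equipment_serial, subscriber_serial) in self.subscribers

class GsmNetwork:
    """GSM style: fresh random challenge, response keyed with Ki."""
    def __init__(self, keys):
        self.keys, self.pending = keys, {}

    def challenge(self, imsi):
        self.pending[imsi] = secrets.token_bytes(16)  # 128-bit RAND
        return self.pending[imsi]

    def verify(self, imsi, response):
        rand = self.pending.pop(imsi, None)  # each challenge is single-use
        if rand is None or imsi not in self.keys:
            return False
        return hmac.compare_digest(response, sres(self.keys[imsi], rand))

def replay_outcomes():
    analog = AnalogNetwork({(EQUIPMENT_SERIAL, SUBSCRIBER_SERIAL)})
    overheard = (EQUIPMENT_SERIAL, SUBSCRIBER_SERIAL)  # sent in clear
    analog_replay = analog.authenticate(*overheard)
    gsm = GsmNetwork({IMSI: KI})
    old_response = sres(KI, gsm.challenge(IMSI))  # computed inside the SIM
    genuine = gsm.verify(IMSI, old_response)
    gsm.challenge(IMSI)  # network issues a new RAND for the next attempt
    gsm_replay = gsm.verify(IMSI, old_response)
    return analog_replay, genuine, gsm_replay
if __name__ == "__main__":
    print(replay_outcomes())
```

Ki never crosses the air link in this exchange; only RAND and the 32-bit response do, which is why the overheard response is useless against the next challenge.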


GSM - Global System for Mobile Communications (2G)

■ Vulnerabilities in this protocol

– Unencrypted transmission between BSC and VLR

– Foreign networks can replay the info

– Cramming

■ GSM after effects

– Almost no cloning

– Increase in stealing phones, credit cards and identities

– Prepaid based fraud

– IMSI-catcher


Long arm of the law

■ Weakening of encryption in smaller countries

■ Demanding access to private information and location

■ Deals between phone companies and the government


UMTS – Universal Mobile Telecommunications (3G)

■ A few upgrades to the GSM vulnerabilities

– Use of the A5/3 cipher block, also known as “Kasumi”, instead of the less secure A5/1, A5/2 cipher blocks which were used in GSM security

– Increase in bandwidth from 10Kbit/sec of GSM to 7.2Mbit/sec of 3G

– Two-way authentication, ending the IMSI-catcher vulnerability


Billing Mechanisms and their vulnerabilities

■ CDR – Call Detail Record

– Generated only after finishing the call

– Vulnerable to conference call over prepaid fraud

– Dealt with by dropping a long-lasting call

■ Billing and accounting systems

– Weren’t built to handle real money transactions

– Easy to abuse from the inside

– No appropriate regulations


Summary

■ The art of getting paid services for free is an ancient one

■ If security isn’t one of the building blocks, implementing it later will be hard and sometimes useless

■ Sometimes security and government prevent technological improvement

■ As long as human interaction is part of the process, social engineering can bypass all kinds of security measures

■ Closed and private solutions are easier to break than solutions molded and scrutinized by the public

■ There are two kinds of fools. One says, ‘‘This is old, therefore it is good.’’ The other says, ‘‘This is new, therefore it is better’’

— Dean William Inge
