“Telecom Security Issues”: An overview of Key Threats & Actors, Case Studies and Possible Scenarios
Raoul Chiesa, UNICRI
Club Hack Conference, Pune, December 4th, 2010
Disclaimer
● The information contained within this presentation does not infringe on any intellectual property nor does it contain tools or recipes that could be in breach with known India laws (is there any lawyer in the room btw? ;)
● Quoted trademarks belong to registered owners.
● The views expressed are those of the author and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group).
The speaker – Raoul “nobody” Chiesa
On the underground scene since 1986
Senior Advisor on cybercrime at the United Nations (UNICRI)
ENISA PSG Member (2010‐2012)
Founder, @ Mediaservice.net – Independent Security Advisory Company and @ PSS – a Digital Forensics Company
Founder, Board of Directors at: CLUSIT (Italian Information Security Association), ISECOM, OWASP Italian Chapter
TSTF.net Associated Member
Member: ICANN, OPSI/AIP, EAST
About UNICRI
What is UNICRI?
United Nations Interregional Crime & Justice Research Institute
A United Nations entity established in 1968 to support countries worldwide in crime prevention and criminal justice
UNICRI carries out applied research, training, technical cooperation and documentation / information activities
UNICRI disseminates information and maintains contacts with professionals and experts worldwide
Counter Human Trafficking and Emerging Crimes Unit: cyber crimes, counterfeiting, environmental crimes, trafficking in stolen works of art…
About ENISA
What is ENISA?
• European Network & Information Security Agency
• ENISA is the EU’s response to security issues of the European Union
• “Securing Europe's Information Society” is our motto (27 Member States)
• In order to accomplish our mission, we work with EU Institutions and Member States
• ENISA came into being following the adoption of Regulation (EC) No 460/2004 of the European Parliament and of the Council on 10 March 2004. Operations started in September 2005, after moving from Brussels to Crete, and with the arrival of staff that were recruited through EU25‐wide competitions with candidates coming from all over Europe.
• ENISA is helping the European Commission, the Member States and the business community to address, respond and especially to prevent Network and Information Security problems.
• The Agency also assists the European Commission in the technical preparatory work for updating and developing Community legislation in the field of Network and Information Security.
• I’m a Member of ENISA’s PSG – Permanent Stakeholders Group.
About TSTF.net
• We are a think‐tank established more than 10 years ago.
• We (team members) have all known each other since the 80’s.
• Some names: Emmanuel Gadaix, Philippe Langlois, Stavroula “Venix” Ventouri, Fyodor Yarochkin (xprobe2), ….
• All of us have pentested/audited more than 120 phone operators all over the world.
• Huge experience, no sales pitches: we know our stuff.
• Built the very first open‐source SS7 Scanner (SCTP).
• Making R&D, everyday, every hour, every single minute ;)
More on TSTF.net
Who’s who
35 years combined GSM telecommunications experience;
50 years combined information security experience;
A unique view on telco security – nobody else does it;
Active research (papers, tools, forums);
Experience in Europe, Asia, USA;
Self‐funded, no business cunts running it, no VCs.
Networked structure
Structure similar to the Global Business Network (http://www.gbn.org/);
No central office, global coverage;
Leverage on each individual's skills and services;
Leverage on network effect.
Our experiences (excerpt, 1999‐2004) (obviously, we’ve got much MORE ☺)
1999: GSM Internet Data Access Penetration Tests
2000: GPRS Internet Data Access Penetration Tests
2000/2004: L.I.S./L.I.G. Security Audits on a +15 MLN subscribers
2000: SMS Spoofing PoC & Security Consulting
2001: Dealers’ shops Abuse Security Testing;
2001: SMSC Ethical Hacking Test
2001: SAP environments Security Audit
2001‐2004: VAS Security Audits and Pen‐testing
2001‐2004: xIDS and Firewall tuning and configurations review
2002/2003: Wireless Penetration Tests on HQ and main branches (+10 MLN subscribers; +15 MLN subscribers)
2002: Wireless Security Policy (private and public hot‐spots)
2003: Portals Web Applications Security Testing (various tests on the applications developed for the subscribers)
2003: Billing gateway process Full Security Audit & Pentests
2003: MMS environment Ethical Hacking tests
2004: Black Berry FE/BE Penetration Testing
2004: X.25 Security Audit Full Process (9 months)
2004: New mobile threats R&D process (3 months)
2004: DoS incident handling policy (referred to the private WAN)
Topics for this session
• Introduction
• MSC hacking / the Vodafone Greece Affair
• Data Network Elements hacking (i.e. GPRS)
• Billing, Mediation, LIS/LIG hacking
• SS7 hacking
• Web Applications’ suppliers standard issues
THE PROBLEM
Telecommunications vendors (Nokia, Ericsson, Alcatel, etc.) are selling insecure software and systems to telcos.
Telecommunications operators have a very poor understanding of security issues.
Based on 10 years’ penetration testing experience, telco operators are the most vulnerable of all industry groups.
Sophisticated hackers have an increased interest in telco security and phone hacking.
THE VENDORS
Some vendors have decided to take an active stance in security (e.g. Nokia), however such initiatives are isolated and do not address most telcos’ security problems.
Most vendors sell antiquated software full of bugs, running on old and unpatched versions of operating systems and daemons.
Operators cannot fix the identified security weaknesses because it would void their warranty.
⌧ The result of this ‘head in the sand’ approach is an increase in the threat: national and international critical infrastructures are at risk.
THE OPERATORS
Operators rely on vendors for secure solutions.
Operators are primarily focused on network operations, software upgrades, network performance and other time‐consuming routine tasks.
Operators lack in‐house expertise on telco security.
Operators are usually divided between the IT and Engineering departments, creating two separate security domains.
⌧ Most telcos’ networks are open to attackers (I don’t say “hackers”!).
GSM operators typically split their network between IT (the incompetent team running the mail, the domains, the printers and the proxy/firewall) and Engineering (the telco side). Usually there is distrust between the two entities, poor communications and certainly no common policy towards security. IT of course believe they are important, but in fact they just have a support role. If all IT systems stop working, you can still make phone calls.
(Emmanuel Gadaix, TSTF – Black Hat Asia Security Conference, 2001)
THE OPERATORS
Based on a +10‐year study encompassing 24 network operators in four different continents (EU, Asia, USA, Australia):
⌧ 100% could be hacked from the Internet via Web Apps
⌧ 90% could be hacked through PSTN, X.25, ISDN or Wi‐Fi
⌧ 72% had a security incident in the last 2 years
⌧ 23% had appropriate perimeter security control
⌧ 0% had all their mission‐critical hosts (really) secured
⌧ 0% had comprehensive database security in place
⌧ 0% had integrity measures protecting billing data, nor encryption
THE ENEMY
Telco fraud is still an attractive target:
Bypassing toll, getting services without fees, setting up premium numbers, etc;
Privacy invasions: interception of call‐related data (e.g. CDRs, SMS contents, signalling data, billing data, etc.)
Eavesdropping and cloning: illegal interception and cloning of mobile phones.
⌧ Recently one underground group announced it was reverse engineering Nokia and Symbian software;
⌧ A group of sophisticated hackers is working on abusing the SS7 protocol;
⌧ Another group of international security researchers is working on VoIP attacks in telcos’ environments (Mobile, PSTN/ISDN, SS7, I.N.)
THE COMPETITION
⌧ Traditional security shops: no knowledge of telcos, poor understanding of telcos’ procedures.
⌧ Traditional telcos’ consultancies: very poor knowledge of security issues.
⌧ “Big 4” audit firms: focused on policies, no real expertise (they outsource their jobs to us).
⌧ In‐house resources: very dangerous. Internal fraud is overlooked; interdepartmental ego problems; good security and bad security look the same.
DOING NOTHING…
… with your telco infrastructures today is like doing nothing with the RAS accesses in the 80’s…
…with the X.25 networks in the 90’s…
….and with your Internet hosts during the Y2K:
⌧ it’s an open invitation for disaster.
“BUT..WHY SH0ULD WE C@4E ‘BOUT TH3S3 L33T ATTACK3RS ?!?”
….BECAUSE YOU LOSE YOUR MONEY..
AND, because….
• Hackers have been speaking about, investigating, discussing and hacking telco‐related stuff (everything!) for a long time now (it began in the 70’s, became a trend in the 80’s and 90’s, and a standard from 2000 up to today).
• ..Wanna see some examples??
2008
DEFCON 16 – Taking Back your Cellphone – Alexander Lash
BH DC / BH Europe – Intercepting Mobile Phone/GSM Traffic – David Hulton, Steve
BH Europe – Mobile Phone Spying Tools – Jarno Niemelä
BH USA – Mobile Phone Messaging Anti‐Forensics – Zane Lackey, Luis Miras
Ekoparty – Smartphones (in)security – Nicolas Economou, Alfredo Ortega
BH Japan – Exploiting Symbian OS in mobile devices – Collin Mulliner
GTS‐12 – iPhone and iPod Touch Forensics – Ivo Peixinho
25C3 – Hacking the iPhone – MuscleNerd, pytey, planetbeing
25C3 – Locating Mobile Phones using SS7 – Tobias Engel
25C3 – Anatomy of smartphone hardware – Harald Welte
25C3 – Running your own GSM network – H. Welte, Dieter Spaar
25C3 – Attacking NFC mobile phones – Collin Mulliner
2009/1
ShmooCon – Building an All-Channel Bluetooth Monitor – Michael Ossmann and Dominic Spill
ShmooCon – Pulling a John Connor: Defeating Android – Charlie Miller
BH USA – Attacking SMS – Zane Lackey, Luis Miras – Premiere at YSTS 3.0 (BR)
BH USA – Fuzzing the Phone in your Phone – Charlie Miller, Collin Mulliner
BH USA – Is Your Phone Pwned? – Kevin Mahaffey, Anthony Lineberry & John Hering
BH USA – Post Exploitation Bliss – Loading Meterpreter on a Factory iPhone – Vincenzo Iozzo & Charlie Miller
BH USA – Exploratory Android Surgery – Jesse Burns
DEFCON 17 – Jailbreaking and the Law of Reversing – Fred Von Lohmann, Jennifer Granick
DEFCON 17 – Hacking WITH the iPod Touch – Thomas Wilhelm
DEFCON 17 – Attacking SMS. It's No Longer Your BFF – Brandon Dixon
DEFCON 17 – Bluetooth, Smells Like Chicken – Dominic Spill, Michael Ossmann, Mark Steward
2009/2
BH Europe – Fun and Games with Mac OS X and iPhone Payloads – Charlie Miller and Vincenzo Iozzo
BH Europe – Hijacking Mobile Data Connections – Roberto Gassirà and Roberto Piccirillo
BH Europe – Passports Reloaded Goes Mobile – Jeroen van Beek
CanSecWest – The Smart-Phones Nightmare – Sergio 'shadown' Alvarez
CanSecWest – A Look at a Modern Mobile Security Model: Google's Android – Jon Oberheide
CanSecWest – Multiplatform iPhone/Android Shellcode, and other smart phone insecurities – Alfredo Ortega and Nico Economou
EuSecWest – Pwning your grandmother's iPhone – Charlie Miller
HITB Malaysia – Bugs and Kisses: Spying on Blackberry Users for Fun – Sheran Gunasekera
YSTS 3.0 / HITB Malaysia – Hacking from the Restroom – Bruno Gonçalves de Oliveira
PacSec – The Android Security Story: Challenges and Solutions for Secure Open Systems – Rich Cannings & Alex Stamos
DeepSec – Security on the GSM Air Interface – David Burgess, Harald Welte
DeepSec – Cracking GSM Encryption – Karsten Nohl
DeepSec – Hijacking Mobile Data Connections 2.0: Automated and Improved – Roberto Piccirillo, Roberto Gassirà
DeepSec – A practical DOS attack to the GSM network – Dieter Spaar
Overview on attacks
(then we’ll jump straight to a few, single topics)
ATTACKS & FRAUDS IN MOBILE ENVIRONMENTS
A MORE COMPLICATED WORLD…
[Diagram of standards areas sharing one market: Video on demand, EMC, SES, Virtual Networks, Public safety, B-ISDN, TFTS, BRAN, PTS, GSM, DECT, VSAT, Intelligent Networks, SEC, ISO/BSI, ATM, UMTS, Teleworking, STQ, DTV, Testing Methods, Voice over Internet Protocol, CTM, ERM]
...WITH DIFFERENT STANDARDS, BUT A UNIQUE MARKET
...BUT THE THREAT IS GLOBAL
PHREAKING TELCOS
Phreaking is a slang term for the action of making a telephone system do something that it normally should not allow.
Why would anyone do this??
“I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer.”
Captain Crunch
From Secrets of the Little Blue Box
Esquire Magazine, October 1971
(pause) LOL!!
A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/1
The “Phreaking” concept can be explained as “Hacking the phone line”;
Since the 60’s, phreaking exploded all around the world;
From those times, intrusion stories in telcos’ environments became very common;
In the following slides we will give you a résumé of the various types of attacks that can be applied in Mobile Networks;
Many of these attacks have been practically tested and demonstrated by our Tiger Team during the years.
A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/2
Attacks have been classified into the following areas:
RAN Attacks (Radio Access Network)
TN Attacks (Transmission Network)
NSS Attacks (Network Switched Network)
IN Attacks (Intelligent Network)
SMS/Messaging Attacks (SMS, VMS)
MMS Attacks
NMS/OSS Attacks (Network Management System/Operations)
ME & Billing GW Attacks (Mediation and Billing) $$
LIS/LIG Attacks (Legal Interception System/Gateway)
SS7 Attacks (Signalling System # 7)
..not forgetting the “old school” PSTN, ISDN and X.25 attacks
THE NETWORK ELEMENTS
Radio Access Network (BSS/RAN)
Mobile Switching Center (MSC/NSS)
Home Location Register (HLR/VLR)
Intelligent Network (IN)
Messaging (SMSC, MMSC, USSD, VMS)
Packet data (GPRS, EDGE, 3G/UMTS)
Network Management (NMS, OMC, OSS)
Mediation, Billing, Customer Care, LIG
MSC
• Mobile Switching Center
• Is probably the most important asset in a Mobile Operator
• We will speak about the Vodafone Greece case shortly…
GGSN
• Ollie Whitehouse around 2002/2003 successfully exploited Nokia GPRS‐related elements (GGSN, SGSN).
• Result? DoS on all of your Data connections (Operator Level) if you run GPRS on Nokia’s HW (at that time, obviously).
• Is it only Nokia? NO! ALL of them may be vulnerable.
Web Applications Security
• I’ve moved this to the last section, along with “evidences”.
• Basically, the problem here is that the “standard players” (big 4, Accenture, etc etc) are often releasing insecure Web Applications.
• Exposed to:
– XSS/CSRF/etc
– SQL Injection(s)
– …whatever!
The “Vodafone Greece Affair”
In one shot ‐ Greece
• Basically, what the hell happened?
+One hundred “VIP” mobile subscribers have been eavesdropped: Government members, Defense officials mainly, including the Greek Prime Minister, Foreign, Defence, Public Order officials, etc.
Calls from and to +100 SIMs were diverted to 14 “pay‐as‐you‐go” mobile phones. Four BTS were “involved”, covering the area where these receiving SIMs were located. “Incidentally”, the Athens US Embassy is right in the middle of them ☺
This has been done via a high‐level hack to the Ericsson AXE GSM MSC, building a rootkit “parked” in the RAM area, since obviously the MSC was in “production” (!!!).
“The Hack” was discovered on March 7th, 2005, by Ericsson technical staff. One year later at least. Maybe longer….nobody knows.
On March 9th, a Vodafone “top technician” (KT) committed suicide (Kostas Tsalikidis, 39 y.o., Head of Network Design).
EYP (Hellas National Intelligence Agency) began investigating at once.
× Right now, no‐one has any idea about who did it and why.
Profiling: Actors involved
• Some elite hacker.
– Retired Ericsson technical guy(s)?
• Some seriously‐intentioned IA (CIA?).
• Some historical and geo‐political situation (Carpe Diem).
• Local politicians and National Secret Service
• The Olympic Games?
• The “best hack of 2005” prize. For sure.
Targeted people (Vodafone Hellas/1)
• GOVERNMENT TARGETS:
Karamanlis, Kostas – Prime Minister of Greece (two phones of 20) – Elef. 3Feb
Molyviatis, Petros – then Foreign Minister, a private phone – Elef. 3Feb
Spiliotopoulos, Spilios – then Minister of Defense – Elef. 3Feb
Voulgarakis, Giorgos – then Minister of Public Order – Elef. 3Feb
Papaligouras, Anastasios – Minister of Justice – Elef. 3Feb
Valinakis, Giannis – Alternate Foreign Minister – Elef. 3Feb
Dimas, Stavros – EU Commissioner – Elef. 3Feb
Bakoyianni, Dora – then Mayor of Athens – Elef. 3Feb
Vallindas, Giorgos – Ambassador, Foreign Ministry Mideast Division Director – Elef. 3Feb
Choreftaki, Glykeria – Foreign Ministry employee – Elef. 3Feb
Papantoniou, Giannis – PASOK MP, ex Minister of Defense – Elef
Apostolidis, Pavlos – then Head of Greek Intelligence Service (EYP), his car phone – Nea
Karamanli, Natasha – wife of Prime Minister – Nea
eight unidentified foreign ministry officials – Nea
unnamed intelligence officials – EYP operations officers – Nea
Korandis, Giannis – current EYP director, then Ambassador to Turkey, his private car phone – Nea 3‐16
Molyviati, Lora – daughter of former Foreign Minister – Nea 3‐16
Targeted people (Vodafone Hellas/2)
• POLICE/SECURITY TARGETS:
Maravelis, Dimitris – Police officer in Olympic Security – Elef. 3Feb
Maris, Giorgos – lawyer, legal advisor to Public Order Ministry – Elef. 3Feb
Angelakis, Dimitris – Police in Olympic Security or EYP unionist – Elef. 3Feb
Sontis, Theodore – U.S. Embassy Greek‐American, gave to security detail – Elef
Kyriakakis, Evstratios – Former Director, Criminological Service, Greek Police – Ta Nea
Galiatsos, G. – Director of Exercises, Athens Olympic Security – Ta Nea
Mitropoulos, G. – Chief of Staff, Ministry of Public Order – Ta Nea
Konstantinidis, V. – Olympic Games Security Director – Ta Nea
Nasiakos, Fotis – Former Chief, Greek Police (phone given to another) – Ta Nea
Dimoschakis, An. – Chief of Staff, Greek Police – Ta Nea
Syrros, St. – Former director of Counterterrorism division, Greek Police – Ta Nea
Galikas, D. – Director of Counterterrorism Division, Greek Police – Ta Nea
Angelakos, Giorgos – Chief of Greek Police – Ta Nea
seven senior military – Senior officers in general staff – Ta Nea
General Staff Communications Dir – Communications Director, chief of General Staff
Defense Ministry staffer – Defense Ministry staff company – Eleft 2/5
Targeted people (Vodafone Hellas/3)
• FOREIGN CITIZENS TARGETS:
Meim, Mohamad – Pakistani – Elef
Moktar, Ramzi – Sudanese – Elef
Maloum, Udin – Elef
Jamal, Abdullah – Lebanon radio reporter or Syrian journalist, now fast food operator – Elef
Sadik, Hussein Moh. – Pakistani store owner – Elef
Tarek, Ibrahim Ahmet – Iraqi – Elef
Kadir, Aris – Kurd – Elef
Thair, Hermiz – Iraqi – Elef
Ayoubi, Chadi – Lebanese al Jazeera reporter, Gr resident – Elef
Basari, Mohamed – Iraqi immigrant, Igoumenitsa, 3 years, furniture factory worker – Nea 3‐16
Unnamed Syrian – 3 years – Nea 3‐16
Unnamed Iraqi – 2 years – Nea 3‐16
Targeted people (Vodafone Hellas/4)
• UNEXPLAINED TARGETS:
Fergadis, Theodoros – businessman – Elef. 3Feb
Kakotaritis, Giorgos – blanket factory? – Elef. 3Feb
Linardos, Nikolaos – Pegasus financial co, underwear firm – Nea 3‐16
Cretan businessman – shipper of remote control airplanes, including Souda Bay – Vima 3/25
Cretan refrigeration tech – Refrigeration tech from Ag. Nikolaos, Crete – Vima 3/25
Koika, Katerina – journalist – Elef. 3Feb
Psychogios, Giorgos – criminal lawyer, Thebes mayor candidate – Elef. 3Feb
Makris, Kostas – Elef. 3Feb
Barbarousi, Dimitra – Elef. 3Feb
Notas, Anastasios – Elef
Pavlidis, Pavlos – Elef
Pnevmatikakis, Angelos – Elef
unknown card phone 6942 5447.. – Activated 2/28/05 – Vima 2/25
Conclusions
• A “suicided” dead man here too…
– Telecom Italia scandal (2005)
– KGB/CCC (1989)
• A very light negative image of Vodafone Hellas: the media didn’t hit the subject that much in the news coverage.
• Obscure CIA links?
• Rootkit Ericsson AXE MSC.
5 years later…. (2010)
• What’s going on?!?
• It happened that organized cybercrime gangs began realizing, since 2005, that it’s all about money…..
• And, that the end‐user is an easier hack than a Corporate Telco (depends on the Telco, though! ;)
Upcoming issues: targeting the end‐user with mobile dialers
Uh? How did this happen??
“Playing games”, do ya??
Let’s pick up one…
..and its “hidden” code
The numbers
• +882346077 Antarctica
• +17675033611 Dominican republic
• +88213213214 EMSAT satellite prefix
• +25240221601 Somalia
• +2392283261 São Tomé and Príncipe
• +881842011123 Globalstar satellite prefix
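How a billing or fraud team can spot a dialer of the kind shown above from the operator side, as an added example that is not from the talk: a longest‐prefix matcher over a constructed batch of outbound CDRs, using the slide's destination list as the prefix table. The per‐minute rates, the CDR lines and the subscriber numbers are constructed sample values, not real tariffs or subscribers.

```python
"""Spotting a mobile dialer from the billing side.

Added example, not from the talk: a longest-prefix matcher over a small
constructed batch of outbound call records. The prefix table holds the
destinations listed on the slide; the per-minute rates are constructed
sample values, not real tariffs.
"""
from collections import defaultdict

# Slide's destinations as dialled digits (no '+'); rates are constructed.
PREMIUM_PREFIXES = {
    "882346077":    ("Antarctica", 4.00),
    "17675033611":  ("Dominican republic", 1.20),
    "88213213214":  ("EMSAT satellite prefix", 6.50),
    "25240221601":  ("Somalia", 2.10),
    "2392283261":   ("São Tomé and Príncipe", 3.30),
    "881842011123": ("Globalstar satellite prefix", 7.00),
}

# Constructed CDR lines: caller|called|start|duration_seconds
SAMPLE_CDRS = """\
393401234567|+393471112222|2010-11-30T09:12:01|143
393401234567|+882346077123|2010-11-30T23:41:10|58
393401234567|+882346077123|2010-11-30T23:42:55|61
393401234567|0088213213214777|2010-12-01T00:03:02|44
393409876543|+25240221601|2010-12-01T08:15:44|30
393405555555|+393331234567|2010-12-01T10:00:00|600
"""

def normalise(number):
    """Reduce '+CC...' or '00CC...' to bare international digits."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if number.startswith("00"):
        digits = digits[2:]
    return digits

def match_prefix(called, table=PREMIUM_PREFIXES):
    """Longest prefix in `table` that the called number starts with, or None."""
    called = normalise(called)
    best = None
    for prefix, (label, rate) in table.items():
        if called.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label, rate)
    return best

def parse_cdrs(text):
    """Parse the pipe-separated records; duration becomes an int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        caller, called, start, duration = line.split("|")
        records.append({"caller": caller, "called": called,
                        "start": start, "duration_s": int(duration)})
    return records

def scan_cdrs(records, min_calls=2):
    """Aggregate premium/satellite calls per caller; report repeat callers.

    Returns {caller: {"calls", "seconds", "exposure", "destinations"}} for every
    subscriber with at least `min_calls` such calls: a dialer typically fires
    repeated short calls to the same expensive number, a pattern a single
    legitimate call would not show.
    """
    per_caller = defaultdict(lambda: {"calls": 0, "seconds": 0,
                                      "exposure": 0.0, "destinations": set()})
    for rec in records:
        hit = match_prefix(rec["called"])
        if hit is None:
            continue
        _prefix, label, rate = hit
        entry = per_caller[rec["caller"]]
        entry["calls"] += 1
        entry["seconds"] += rec["duration_s"]
        entry["exposure"] += rate * rec["duration_s"] / 60.0   # rate is per minute
        entry["destinations"].add(label)
    return {c: e for c, e in per_caller.items() if e["calls"] >= min_calls}

if __name__ == "__main__":
    for caller, info in scan_cdrs(parse_cdrs(SAMPLE_CDRS)).items():
        print(f"{caller}: {info['calls']} premium calls, {info['seconds']} s, "
              f"~{info['exposure']:.2f} currency units, to {sorted(info['destinations'])}")
```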
So…we’re talking about Billing, right?
That, to me, goes straight along with Mediation ☺
MEDIATION AND BILLING
Mediation is the process that converts and transports raw CDR data.
It can also be used to translate provisioning commands to the NE.
It is a critical part of the provisioning and billing cycles.
Most convenient place to commit fraud.
THE BILLING PROCESS
[Diagram: the billing process of a GSM operator. Billing System & Golden Database (customer and service administration, personalisation, content management, tariffing, SIM and number management, provisioning requests, call data collection, rating and billing for roaming, retail and interconnect, payment collection) fed by the Mediation System (collection and normalisation of call data, transfer of service requests and responses to the GSM network: MSC, HLR, AuC, SGSN, GGSN, VMS, SMC, IN, SMSC, WAP) and the Billing gateway (BGW). Around it: TAP Clearing House and IN platform (roaming call data); Bank I/F (card payments and authorisation, DD payments and returns, EFT); Credit scoring (integration of the billing system with external validation agencies: ID & address validation, credit check, blacklist); SAP (sales support, logistics and finance processing, HR and materials management, general ledger updates, SIM orders, dealer codes); SIM manufacturer and logistics company (SIM + MSISDN numbers, IMEI blacklisting); shops & dealers, retail outlets, POS activation; CRM tool, IVR, ACD, electronic queue manager, case‐based reasoning tool (Isaac), knowledge system (Scholar), predictive dialler, operator services; Data warehouse (subscriber data, rated, unrated and pre‐pay CDRs, bad debt database, dealer information, fraud); GIS and IMS (sites administration, BTS build, radio planning, faults logging); WWW, WAP, E‐Wallet and multiple fulfilment vendors (external billing for content supply).]
ATTACKS ON MEDIATION / BILLING
Raw database edit. Conveniently deletes selected records containing billing data.
Modification of the charging tables in the billing system.
Patching of the rater application to eliminate certain CDRs, e.g. belonging to a given MSISDN.
Backdoors in mediation gateways to remove CDR data.
Confidential information on subscribers’ activities (numbers called, received, SMS, data, etc.).
Modification of CDR processing rules.
Modification of “test numbers” whitelist.
Live patching of CDR data while in the mediation queue.
Patching of the mediation application (e.g. loading scripts).
GPRS packet aggregation rules modification.
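The earlier finding that 0% of the surveyed operators had integrity measures on billing data is the gap most of the attacks above exploit, so here is one such measure as an added example (not from the talk or any vendor product): a keyed hash chain over a CDR batch, in which each record's HMAC‐SHA256 tag also covers the previous record's tag, and a batch trailer carries the count and final tag. The key, batch id and CDRs are constructed values; the two tampering cases replayed in demo() mirror the "raw database edit" and "live patching in the mediation queue" items.

```python
"""Tamper-evident CDR batches between collection and the rater.

Added example, not from the talk or any vendor product: every record in a
batch carries an HMAC-SHA256 tag over its own canonical form and the previous
record's tag, chained from the batch identifier. Deleting, editing, reordering
or inserting a CDR anywhere along the mediation path then fails verification.
The key, batch id and records below are constructed values.
"""
import hashlib
import hmac
import json

FIELDS = ("seq", "msisdn", "called", "start", "duration_s", "cell_id")
KEY = b"constructed-demo-key-shared-by-collector-and-billing"   # constructed
BATCH_ID = "BATCH-2010-12-01-0001"                                 # constructed

SAMPLE_CDRS = [   # constructed records
    {"seq": 1, "msisdn": "393401234567", "called": "393471112222",
     "start": "2010-12-01T09:12:01", "duration_s": 143, "cell_id": "2222-0341"},
    {"seq": 2, "msisdn": "393401234567", "called": "882346077123",
     "start": "2010-12-01T09:20:33", "duration_s": 58, "cell_id": "2222-0341"},
    {"seq": 3, "msisdn": "393409876543", "called": "393331234567",
     "start": "2010-12-01T09:21:07", "duration_s": 600, "cell_id": "2222-0510"},
]

def canonical(record):
    """Serialise the billing fields in a fixed order so the MAC input is stable."""
    return json.dumps([record[f] for f in FIELDS], separators=(",", ":")).encode()

def tag(key, record, prev_tag):
    """HMAC over previous tag || canonical record; prev_tag is hex text."""
    mac = hmac.new(key, prev_tag.encode(), hashlib.sha256)
    mac.update(canonical(record))
    return mac.hexdigest()

def seal_batch(key, records, batch_id):
    """Attach a chained tag to each record. Returns (sealed records, final tag).

    The final tag and the record count travel in a batch trailer, so a truncated
    batch is caught even when every surviving record still verifies.
    """
    prev = batch_id
    sealed = []
    for rec in records:
        prev = tag(key, rec, prev)
        sealed.append({**rec, "tag": prev})
    return sealed, prev

def verify_batch(key, sealed, batch_id, expected_count, final_tag):
    """Return a list of findings; an empty list means the batch is intact."""
    findings = []
    prev = batch_id
    for i, rec in enumerate(sealed):
        if not hmac.compare_digest(tag(key, rec, prev), rec["tag"]):
            findings.append(f"record {i} (seq {rec['seq']}): tag mismatch, "
                            "record edited or a predecessor removed/reordered")
        # Continue from the stored tag so one bad link is reported once, not cascaded.
        prev = rec["tag"]
    if len(sealed) != expected_count:
        findings.append(f"count mismatch: {len(sealed)} records, trailer says {expected_count}")
    if not hmac.compare_digest(prev, final_tag):
        findings.append("final tag mismatch: batch trailer does not match the last record")
    return findings

def demo():
    """Seal the sample batch, then replay two of the slide's attacks against it."""
    sealed, final = seal_batch(KEY, SAMPLE_CDRS, BATCH_ID)
    n = len(SAMPLE_CDRS)
    # "Raw database edit": the premium-destination record (seq 2) is dropped.
    dropped = [sealed[0], sealed[2]]
    # "Live patching of CDR data while in mediation queue": duration shortened.
    patched = [dict(r) for r in sealed]
    patched[1]["duration_s"] = 1
    return {
        "intact":  verify_batch(KEY, sealed, BATCH_ID, n, final),
        "dropped": verify_batch(KEY, dropped, BATCH_ID, n, final),
        "patched": verify_batch(KEY, patched, BATCH_ID, n, final),
    }

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "OK")
```

The key must live only on the collector and the verifier; a mediation host that holds it could re‐seal whatever it rewrites.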
L.I.G./L.I.S. ATTACKS
Legal Interception Gateway is used by police and intelligence agencies.
Connected to the MSC through a special interface. Very user‐friendly.
Based on standard UNIX and TCP/IP so potentially open to common attacks.
Compromise of a LIG would allow real‐time interception and call eavesdropping.
Could compromise the agencies’ own facilities.
RAOUL, don’t forget to tell ‘em about the “911 Pentest”…. ;)
SS7: the next nightmare
• A Signalling & Billing (inter‐operators) protocol built in the 70’s and developed in the 80’s.
• Why? LOL
• …….‘cause Captain Crunch invented blue‐boxing, that was running in‐band.
• So SS7 went “out‐of‐band”.
• Simple (KISS)!
SS7 SIGNALLING
Mobile networks primarily use Signalling System no. 7 (SS7) for communication between networks for such activities as authentication, location update, supplementary services and call control. The messages unique to mobile communications are MAP messages.
The security of the global SS7 network as a transport system for signalling messages, e.g. authentication and supplementary services such as call forwarding, is open to major compromise.
The problem with the current SS7 system is that messages can be altered, injected or deleted in the global SS7 networks in an uncontrolled manner.
EXAMPLES OF SS7 ATTACKS
Theft of service, interception of calling card numbers, privacy concerns
Introduce harmful packets into the national and global SS7 networks
Get control of call processing, get control of accounting reports
Obtain credit card numbers, non‐listed numbers, etc.
Messages can be read, altered, injected or deleted
Denial of service, security triplet replay to compromise authentication
Annoyance calls, free calls, disruption of emergency services
Capture of gateways, rerouting of call traffic
Disruption of service to large parts of the network
Call processing exposed through Signaling Control Protocol
Announcement service exposed to IP through RTP
Disclosure of bearer channel traffic
SS7 ENTRY POINTS
SS7: A CLOSED NETWORK
With a limited number of carriers and limited points of interconnection, the operators could assume with fair certainty that all of the elements passing data were trusted sources. Unlike IP protocols, security features like authentication and encryption were not built into the SS7 protocol. Rather, the focus has been placed on creating secure physical environments for the network equipment rather than secure protocols. STPs, the routers of the SS7 network, perform gateway screening to prohibit inbound and outbound messages from unauthorized nodes. The addresses of individual nodes within a network are isolated. Global title translation (GTT) enables a network to receive messages from other networks without disclosing the unique addresses, called point codes, of its own nodes.
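The two STP‐side controls just described, gateway screening and global title translation, as an added example that is not from the talk or any STP product: a small model that checks each inbound message's originating point code against a per‐link‐set allow‐list, accepts only GT‐routed traffic from outside, and translates the global title to an internal point code that the outside never sees. The per‐subsystem MAP operation allow‐list is an extra assumption of this model, and all point codes, link sets and number ranges are constructed.

```python
"""A simplified model of the STP-side controls the slide describes.

Added example, not from the talk or any STP vendor: gateway screening by
originating point code per link set, acceptance of GT-routed traffic only from
outside, and global title translation to an internal point code that outside
nodes never see. The per-subsystem MAP operation allow-list is an extra
assumption of this model. All point codes, link sets and number ranges are
constructed values.
"""

# Internal nodes (constructed point codes) that outside traffic must not address directly.
INTERNAL_PC = {"HLR1": 0x0A01, "MSC1": 0x0A02}

# Gateway screening: originating point codes permitted on each inbound link set.
LINKSETS = {
    "ls-roaming-partner": {0x1A01, 0x1A02},
    "ls-transit-carrier": {0x2B10},
}

# GTT: called global title prefix -> (internal node, SCCP subsystem number).
# SSN 6 is the HLR and SSN 8 the MSC, as assigned in SCCP for GSM.
GTT = {
    "39340": ("HLR1", 6),
    "39341": ("MSC1", 8),
}

# MAP operations each subsystem will take from an external link set (model assumption).
ALLOWED_OPS = {
    6: {"updateLocation", "sendAuthenticationInfo", "sendRoutingInfoForSM"},
    8: {"mt-ForwardSM"},
}

def screen_inbound(msg):
    """Apply screening and GTT to one inbound message.

    Returns ("accept", translated_message) or ("drop", reason).
    """
    allowed = LINKSETS.get(msg["linkset"], set())
    if msg["opc"] not in allowed:
        return "drop", f"gateway screening: OPC {msg['opc']:#06x} not permitted on {msg['linkset']}"
    sccp = msg["sccp"]
    if sccp["routing"] != "gt":
        # Route-on-PC from outside means the sender knows, or is probing, internal addresses.
        return "drop", f"route-on-PC from outside (DPC {msg['dpc']:#06x}); only GT routing is accepted"
    best = None
    for prefix, target in GTT.items():
        if sccp["called_gt"].startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, target)
    if best is None:
        return "drop", f"GTT: no translation for called GT {sccp['called_gt']}"
    node, ssn = best[1]
    if msg["map_op"] not in ALLOWED_OPS.get(ssn, set()):
        return "drop", f"MAP {msg['map_op']} not accepted by SSN {ssn} from an external link set"
    translated = dict(msg, dpc=INTERNAL_PC[node],
                      sccp=dict(sccp, routing="pc", called_ssn=ssn))
    return "accept", translated

# Constructed inbound messages; 0x0F00 stands for the STP's published point code.
SAMPLE_MESSAGES = [
    {   # a roaming partner registering one of our subscribers: legitimate
        "linkset": "ls-roaming-partner", "opc": 0x1A01, "dpc": 0x0F00,
        "sccp": {"routing": "gt", "called_gt": "393401234567"}, "map_op": "updateLocation"},
    {   # unknown originating point code on the transit link set
        "linkset": "ls-transit-carrier", "opc": 0x2B99, "dpc": 0x0F00,
        "sccp": {"routing": "gt", "called_gt": "393401234567"}, "map_op": "updateLocation"},
    {   # screened OPC, but addressing the HLR's internal point code directly
        "linkset": "ls-roaming-partner", "opc": 0x1A02, "dpc": 0x0A01,
        "sccp": {"routing": "pc", "called_ssn": 6}, "map_op": "sendAuthenticationInfo"},
    {   # a location query the HLR, in this model, answers only for home-network platforms
        "linkset": "ls-roaming-partner", "opc": 0x1A01, "dpc": 0x0F00,
        "sccp": {"routing": "gt", "called_gt": "393401234567"}, "map_op": "anyTimeInterrogation"},
]

def run_demo():
    """Screen every sample message; returns the list of (verdict, detail) pairs."""
    return [screen_inbound(m) for m in SAMPLE_MESSAGES]

if __name__ == "__main__":
    for verdict, detail in run_demo():
        if verdict == "accept":
            print(verdict, f"-> DPC {detail['dpc']:#06x} SSN {detail['sccp']['called_ssn']}")
        else:
            print(verdict, detail)
```

Every "drop" here is a log line worth alerting on: a screened‐out OPC or a route‐on‐PC message addressed to an internal node is exactly the probing the slide's "entry points" discussion is about.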
SS7: ATTACK TAXONOMY
SOME REAL‐LIFE EVIDENCES
WI‐FI: HW TOOLS FOR PROACTIVE SECURITY
CDR FILES FROM MEDIATION AREA
XXX8557710<X81>^F<X81>3<X83>Uw^A<C/>^U<X80>^A^@<X81>^A^A<X82>^A^@<X83>XXX2199557<X83>^F<X81>3#<PU1>Yu<IND>^C^C^F<NEL>^C^O$<ESC><SSA>^A^A<ESA>^C^C^F<VT><HTS>^C^O$<ESC><HTJ>^B^@<PLU><VTS>^A^@<<<>^F<X80>^A^X<X81>^A^@<PLU>^A^@<SS2>^A^@<PU1>^B^A<o^><PU2>^A^B<3^>^U<X80>^A^@<X81>^A^A<X82>^A^@<X83>
SMS‐C UNAUTHORIZED ACCESS
SMS TRAFFIC LOG FROM SMSC
(c) 2004, @ Mediaservice.net Srl, DSDLAB
PROCESSED SMS: “FROM” & “TO”
SMS PROCESSING QUEUE
SNIFFING ON “IN PROGRESS” SMSs
OBTAINING CUSTOMERS’ INFORMATION
This can be scripted!
Contacts
• Raoul Chiesa
Senior Advisor, Strategic Alliances & Cybercrime Issues
UNICRI – United Nations Interregional Crime & Justice Research Institute
@ Mediaservice.net, Founder
Email: [email protected] (UN)
[email protected] (business)
QUESTIONS?
THANKS FOR YOUR ATTENTION GUYS!!!!