SlideShare uma empresa Scribd logo

Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis

P
P1Security

HLR and HSS are the most important Telecom Equipment in an Operator Core Network. We are going to see that this so-called “Critical Infrastructure” is not as robust as you could think, by exploring the some weaknesses of the HLR/HSS equipment. Plan: * Virtualization of HLR/HSS, for instrumentation purposes * HLR/HSS system analysis * SS7/Diameter network fuzzing * HLR/HSS binaries reverse

TecnologiaNotícias e política
1 de 59
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security What are we talking about ? A mobile network operator Core Network Network passive capture showing Global Titles
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Mobile Operators • Conveys the majority of voice communications worldwide • Conveys our data • Conveys growing M2M traffic • Emergency systems notifications uses it => We now rely on it and we have some security expectations
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Mobile Operators and governance • In Europe
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Mobile Operators and governance • In France Lets check the reality …
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HSS Front End HLR Front End AuC HSM Provisioning DSA 3 Back Ends Provisioning Gateway Install Server Admin Routing DSA The Witness : An HLR/HSS Typical HLR/HSS in use in operator Core Network
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS in Mobile Core Network A mobile network operator Core Network Network passive capture showing Global Titles
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS in Mobile Core Network
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS in Mobile Core Network
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS in Mobile Core Network • HLR is used in all 2G Operator Network • HSS is used in all 3G/4G Operator Network • Stores customer data – Subscriber identifier (IMSI) – Subscriber encryption keys – Subscriber approximate location – Subscriber SIM plan options • Critical to the operator – HLR down == Network down, no calls possible
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS in Mobile Core Network HLR/HSS receiving subscriber location update from the operator SS7/Diameter signaling links
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Lets make it talk …
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Plan HLR/HSS Robustness assessment • Virtualization – Virtualization and instrumentation • System Analysis – Localroot, Framework complexity • Network Fuzzing – SS7 Protocols • Binaries Reverse – More vulns
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS Virtualization No, it’s not ATCA / NFV
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security An HLR/HSS is an ecosystem
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security An HLR/HSS is an ecosystem • HLR + HSS Front-end • HLR Administration server • Application/Database routing servers • HLR Backend/Database (multiple) • HSM (Hardware Security Module) for keys
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS is never alone
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Where to start • Most exposed from the outside => HLR/HSS Front-end – Receives SS7/Diameter traffic • Telecom network stacks – Receives provisioning requests – Connected to the HSM
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HSS Front End HLR Front End AuC HSM Provisioning DSA 3 Back Ends Provisioning Gateway Install Server Admin Routing DSA Where to start Typical HLR/HSS in use in operator Core Network
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Virtualization of HLR/HSS Frontend
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Original Equipment Manufacturer • Specs of the real equipment – i386 / x64 / Sparc – Solaris / CentOS – 32 GB of RAM – CPU 16 Cores – TB hard drive + External SAN
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Qemu/KVM • Faster than VirtualBox • More flexible • Tweak code to add more network interfaces • VDE Switch for networking
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Qemu/KVM qemu-system-x86_64 -machine type=pc,accel=kvm:tcg -pidfile ./myhlr.pid -m 7.2g -smp 4 -drive file=/dev/mapper/lvm-vm--myhlr,cache=none -vnc 127.0.0.1:2,password,tls,lossy -display curses -rtc base=localtime,driftfix=slew -net vde,vlan=1,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=1,macaddr=52:54:00:00:10:01 -net vde,vlan=2,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=2,macaddr=52:54:00:00:10:02 -net vde,vlan=3,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=3,macaddr=52:54:00:00:10:02 -net vde,vlan=4, sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=4,macaddr=52:54:00:00:10:02 -net vde,vlan=5,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=5,macaddr=52:54:00:00:10:02 -net vde,vlan=6,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=6,macaddr=52:54:00:00:10:02 -net vde,vlan=7,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=7,macaddr=52:54:00:00:10:02 -net vde,vlan=8,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=8,macaddr=52:54:00:00:10:02 -net vde,vlan=9,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=9,macaddr=52:54:00:00:10:02 -net vde,vlan=10,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=10,macaddr=52:54:00:00:10:02 -net vde,vlan=11,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=11,macaddr=52:54:00:00:10:02 -net vde,vlan=12,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=12,macaddr=52:54:00:00:10:02 • Physical partition for disk – Do not use disk file on host btrfs • super slow • ext4 is ok – http://www.linux-kvm.org/page/Tuning_KVM • Curses output • Improvements: serial terminal
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Qemu/KVM • Solaris 10 – Qemu/KVM ok for x64 – Fails for SPARC • Stock kernel – /kernel – /usr/kernel • Custom kernel modules – For Telecom Signaling [Signalware] • Uses grub • Failsafe mode
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Inside the machine • ZFS filesystem • Solaris 10 • Everything is installed via packages • Multiple Oracle databases – Even on HLR/HSS Front-end only • A lot of Middleware framework to start the actual network stacks / applications • Telco stacks: based on Ulticom Signalware • The OS expects its precious network cards
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security System Analysis
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security The filesystem • ZFS = Filesystem + Volume manager • ZFS pool (often mirrored) – ZFS root pool • 100-200GB usually enough • Prepare free space for system/processes dump – ZFS Dump pool • Should be more than size of your RAM – ZFS SWAP pool • Should be more that size of your RAM
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security The filesystem • ZFS offers good resilience against data corruption, and is very picky when there is too much corruption – You can’t recover when filesystem is too much broken – You can try $ zdb -e -p /dev/dsk/c0t3d0p0 -F -X -AAA -dd rpool 1 $ zpool import -f -F -X 19485729304958623456 mypool $ zpool import -o readonly=on -o autoreplace=on -o failmode-continue -m -N -f -F -X 19485729304958623456 mypool • If it fails – Code your own tool by modifying ZOL http://zfsonlinux.org/
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Filesystem /advdata/ autoinstmnt/ bin@ boot/ cust_data/ dump@ environment.txt* etc/ export/ false/ global@ home/ installmnt/ kernel/ lib/ mnt/ net/ nsr/ opt/ patchmnt/ platform/ root/ rpool/ rtp_environ.txt sbin/ tftpboot/ ti_var/ tmp/ TspAcc@ TspAccBackup@ TspCore@ tspinst/ TspTickets@ updateSW/ usr/ var/ vol/ Grub/platform + failsafe Applications data Kernel Telco specific apps Home + Applications data + Telco specific apps Crashdumps from Telco specific apps
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Some packages installed application SMAWrtp Telecommunication Service Platform (TSP) Base Package application OMNI Signalware System application S6U-4 Signalware System application OMNI-C7X Signalware C7 Extensions application INTPahacu AC Utimaco HSM
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Low hanging fruits • SUID executables – SUID Total: 162 (155 binaries, 7 scripts) – SUID Root: 142 (137 binaries, 5 scripts) • Signalware Boot process “becoming root” by Design
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Local roots • Of course, we often find multiple local roots • Some are really too easy (one command):
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Example of Telco network stack: NSN TSP / RTP + Ulticom Signalware • TSP + RTP framework are found on NSN NT- HLR – Found in many European and Worldwide operators – Very similar to Apertio OneHLR • TSP: Telco Server Platform (Ericsson) / Telco Service Platform (NSN, others, generic name) • RTP: Resilient Telco Platform (NSN)
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Example of Telco network stack: NSN TSP / RTP + Ulticom Signalware • SS7 Protocol handling Reminder: SS7 stack
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Network Fuzzing
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Fuzzing SS7: M3UA • Example: Flooding badly handled – Leads to alerts flooding in OSS – Leads to loss of previous alerts ! – P1VID#799
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Fuzzing SS7: SCCP • Example result: 1 specific MSU repeated 2 times causes DoS of all Signaling Interconnections – HLR is down during 2 minutes – Total Denial of Service of the network – Nobody can receive calls in the whole country core 'core.xxx' of 15477: /export/home/xxx 01 msu_processing () 02 msg_distribution () 03 main () 04 _start () – If the attack is repeated, the DoS is permanent during the attack – P1VID#773 So long for the critical infrastructure …
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Fuzzing SS7: SCCP
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Fuzzing SS7: MAP • Example results: 1 specific MSU causes MAP process crashes – 5 MSU/second makes HLR totally unresponsive to any other MAP Query • Total Denial of Service of the network • Nobody can receive calls in the whole country – 1 MSU/second makes HLR totally drop 50% of other MAP Queries • Network is highly perturbed • 50% of the called in the whole country are failing – P1VID#772
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Fuzzing Diameter • Process Crash with 1 specific manually crafted MSU Logs do not even report process crash. Neither the OSS Alerts. Application logs: Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx UTC Tue Sep 3 01:20:44 2013 Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx Behind that, process core dumps are created… P1VID#718
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Does redundancy saves you ? • No ! • Same N front-ends == same crashes • Messages just needs to be sent N times
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Binaries reverse
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Often, too much help… • Binaries not stripped – Debug symbols / function names / … available • No anti-debug mechanism • Libraries headers on production machines – Great help in understanding the internals • Large documentation about internals on production machines – Great help in understanding the internals • Updated binaries and previous binaries both on production machines – Binary diff to track issues fixed
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Signalware Kernel modules • Example: Parsing of SCCP header
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Signalware Kernel modules • Kernel modules signaling parsing is robust • IPC to communicate with userland binaries • Complexity leads to other type of errors – Logic errors – Race conditions – Slow handling of some types of MSUs
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Signalware userland binaries • Parsing less robust (less tested) • Example logic error due to IPC / Framework complexity: Can be triggered from the International SS7 network Null pointer dereference
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security So verdict ?
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security So verdict ? • Misconceptions! – No crashes on a Critical Core Network Element • FAIL – Robustness against network attacks • FAIL • Redundancy != Robust, attack kills Front-end one by one – Modern • Depends, but from what we see there is much room for improvement
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Mobile Operators and governance • Reality on Threats analysis: Maybe • Reality of Telco equipment security: Very bad • Public information: Very bad • Telco private sector information: Didn’t see impact
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Consequences • Mobile Network crashes for unknown publicly available reason • Spying on phone calls / customer activities from a single point (Core Network) is relatively easy • Fraud
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Recommendations • Secure SDLC (Secure Software Development Life Cycle) – Design – Implementation – Testing • Especially for vendors custom stacks/services TCAP/MAP parsing bugs leading to overflows, … • Vendors security audits (HLR isolated) – System audit – Network audit • Testbed audits (HLR in environment) – System audit – Network audit – Before deploying to production
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Recommendations: securing the OS • Use Solaris Zones to split services: P1VID#764 • Use Solaris Audit mechanism: P1VID#765 • Authenticate the hardware – To prevent emulation • Use the latest OS protections against exploitation – Solaris 11 has ASLR – Use custom Linux kernel • Use a firewall by default on the machine itself • …
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Recommendations: OSS • Make it faster ! – People should be able to use it to react when under attack – E.g. NSN @vantage commander • Need access to all low-level network traffic for forensics
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Recommendations: For the operators • Push the vendors to fix the bugs • Some of the attacks we discovered can be filtered – Operators do not have to wait for bugs to be fixed – Filter at perimeter boundaries (typically STP / Router) – Depends on STP / Router models and security “features” • Sometime filtering options are charged by vendor • It is possible to filter also at the SCCP provider level
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security To be continued • Telecom Network Elements security is low – We tested multiple Network Element types/models, from different vendors • Vendors, Governments and security researchers have work to do • Vulnerability disclosure in security critical infrastructure is scarce – Dangerous ? – Not if there is collaboration
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Other aspects of Telecom Security • We talked here about equipment security – It’s a work in progress, and only HLR/HSS – Mainly Network Equipment Vendor responsibility • Also consider – Other Network Elements security – GRX / IPX / SCCP Providers security – Deployment security (passwords policies, filtering…), Operator responsability – Telecom Network Fraud (SS7 spoofing, Call/SMS Spoofing, …), Operator responsability
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security References Governance literature on critical infrastructure: • European level – 2007: http://www.nato-pa.int/default.asp?COM=1165&LNG=0 – 2012 http://www.nato.int/cps/en/natolive/news_88054.htm?selectedLocale=en – 2013 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/crisis-and- terrorism/critical-infrastructure/index_en.htm http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/crisis-and- terrorism/critical-infrastructure/docs/swd_2013_318_on_epcip_en.pdf • France – 2012 http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000026638421 &dateTexte=&categorieLien=id – 2013 http://www.gouvernement.fr/gouvernement/livre-blanc-2013-de-la-defense-et- de-la-securite-nationale
2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security That’s it, please react. Thank you laurent@p1sec.com http://www.p1sec.com

Recomendados

How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
Positive Hack Days
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
P1Security
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
P1Security
 
Lte outbound roaming_session
Lte outbound roaming_sessionLte outbound roaming_session
Lte outbound roaming_session
Samir Mohanty
 
Lte protocols
Lte protocolsLte protocols
Lte protocols
ece_narender
 
Paging in LTE
Paging in LTEPaging in LTE
Paging in LTE
Surya Munda
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days
 
Advanced: 5G NR RRC Inactive State
Advanced: 5G NR RRC Inactive StateAdvanced: 5G NR RRC Inactive State
Advanced: 5G NR RRC Inactive State
3G4G
 

Recomendados

How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
Positive Hack Days
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
P1Security
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
P1Security
 
Lte outbound roaming_session
Lte outbound roaming_sessionLte outbound roaming_session
Lte outbound roaming_session
Samir Mohanty
 
Lte protocols
Lte protocolsLte protocols
Lte protocols
ece_narender
 
Paging in LTE
Paging in LTEPaging in LTE
Paging in LTE
Surya Munda
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days
 
Advanced: 5G NR RRC Inactive State
Advanced: 5G NR RRC Inactive StateAdvanced: 5G NR RRC Inactive State
Advanced: 5G NR RRC Inactive State
3G4G
 
wireless communication and networking Chapter 1
wireless communication and networking Chapter 1wireless communication and networking Chapter 1
wireless communication and networking Chapter 1
Senthil Kanth
 
Gsm architecture, gsm network identities, network cases, cell planning, and c...
Gsm architecture, gsm network identities, network cases, cell planning, and c...Gsm architecture, gsm network identities, network cases, cell planning, and c...
Gsm architecture, gsm network identities, network cases, cell planning, and c...
Zorays Solar Pakistan
 
GSM - Addresses and Identifiers
GSM - Addresses and IdentifiersGSM - Addresses and Identifiers
GSM - Addresses and Identifiers
Salman Khan
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 network
Alexandre De Oliveira
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
P1Security
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
PositiveTechnologies
 
EC8702 adhoc and wireless sensor networks iv ece
EC8702 adhoc and wireless sensor networks iv eceEC8702 adhoc and wireless sensor networks iv ece
EC8702 adhoc and wireless sensor networks iv ece
GOWTHAMMS6
 
Mobile Originated Call Process in Simple Words
Mobile Originated Call Process in Simple WordsMobile Originated Call Process in Simple Words
Mobile Originated Call Process in Simple Words
Assim Mubder
 
RF Optimization Engineer Resume.docx
RF Optimization Engineer Resume.docxRF Optimization Engineer Resume.docx
RF Optimization Engineer Resume.docx
Monsuru Okekunle
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!
PositiveTechnologies
 
1.training lte ran kpi & counters rjil
1.training lte ran kpi & counters rjil1.training lte ran kpi & counters rjil
1.training lte ran kpi & counters rjil
Satish Jadav
 
3GPP SON Series: Minimization of Drive Testing (MDT)
3GPP SON Series: Minimization of Drive Testing (MDT)3GPP SON Series: Minimization of Drive Testing (MDT)
3GPP SON Series: Minimization of Drive Testing (MDT)
3G4G
 
3GPP SON Series: Mobility Load Balancing (MLB)
3GPP SON Series: Mobility Load Balancing (MLB)3GPP SON Series: Mobility Load Balancing (MLB)
3GPP SON Series: Mobility Load Balancing (MLB)
3G4G
 
Lte power control
Lte power controlLte power control
Lte power control
Pranay Akul
 
GSM CALL FLOW
GSM CALL FLOWGSM CALL FLOW
GSM CALL FLOW
SugamTripathi1
 
It6601 mobile computing unit2
It6601 mobile computing unit2It6601 mobile computing unit2
It6601 mobile computing unit2
RMK ENGINEERING COLLEGE, CHENNAI
 
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
3G4G
 
LTE RF Optimization.pdf
LTE RF Optimization.pdf LTE RF Optimization.pdf
LTE RF Optimization.pdf
RakhiJadav1
 
5G RAN fundamentals
5G RAN fundamentals5G RAN fundamentals
5G RAN fundamentals
Ravi Sharma
 
Lte rrc-connection-setup-messaging
Lte rrc-connection-setup-messagingLte rrc-connection-setup-messaging
Lte rrc-connection-setup-messaging
Prashant Sengar
 
ACS-2010
ACS-2010ACS-2010
ACS-2010
Bob Radvanovsky
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 

Mais conteúdo relacionado

Mais procurados

wireless communication and networking Chapter 1
wireless communication and networking Chapter 1wireless communication and networking Chapter 1
wireless communication and networking Chapter 1
Senthil Kanth
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 network
Alexandre De Oliveira
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
P1Security
 
RF Optimization Engineer Resume.docx
RF Optimization Engineer Resume.docxRF Optimization Engineer Resume.docx
RF Optimization Engineer Resume.docx
Monsuru Okekunle
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!
PositiveTechnologies
 
1.training lte ran kpi & counters rjil
1.training lte ran kpi & counters rjil1.training lte ran kpi & counters rjil
1.training lte ran kpi & counters rjil
Satish Jadav
 
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
3G4G
 

Mais procurados (20)

wireless communication and networking Chapter 1
wireless communication and networking Chapter 1wireless communication and networking Chapter 1
wireless communication and networking Chapter 1
 
Gsm architecture, gsm network identities, network cases, cell planning, and c...
Gsm architecture, gsm network identities, network cases, cell planning, and c...Gsm architecture, gsm network identities, network cases, cell planning, and c...
Gsm architecture, gsm network identities, network cases, cell planning, and c...
 
GSM - Addresses and Identifiers
GSM - Addresses and IdentifiersGSM - Addresses and Identifiers
GSM - Addresses and Identifiers
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 network
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
 
EC8702 adhoc and wireless sensor networks iv ece
EC8702 adhoc and wireless sensor networks iv eceEC8702 adhoc and wireless sensor networks iv ece
EC8702 adhoc and wireless sensor networks iv ece
 
Mobile Originated Call Process in Simple Words
Mobile Originated Call Process in Simple WordsMobile Originated Call Process in Simple Words
Mobile Originated Call Process in Simple Words
 
RF Optimization Engineer Resume.docx
RF Optimization Engineer Resume.docxRF Optimization Engineer Resume.docx
RF Optimization Engineer Resume.docx
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!
 
1.training lte ran kpi & counters rjil
1.training lte ran kpi & counters rjil1.training lte ran kpi & counters rjil
1.training lte ran kpi & counters rjil
 
3GPP SON Series: Minimization of Drive Testing (MDT)
3GPP SON Series: Minimization of Drive Testing (MDT)3GPP SON Series: Minimization of Drive Testing (MDT)
3GPP SON Series: Minimization of Drive Testing (MDT)
 
3GPP SON Series: Mobility Load Balancing (MLB)
3GPP SON Series: Mobility Load Balancing (MLB)3GPP SON Series: Mobility Load Balancing (MLB)
3GPP SON Series: Mobility Load Balancing (MLB)
 
Lte power control
Lte power controlLte power control
Lte power control
 
GSM CALL FLOW
GSM CALL FLOWGSM CALL FLOW
GSM CALL FLOW
 
It6601 mobile computing unit2
It6601 mobile computing unit2It6601 mobile computing unit2
It6601 mobile computing unit2
 
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
 
LTE RF Optimization.pdf
LTE RF Optimization.pdf LTE RF Optimization.pdf
LTE RF Optimization.pdf
 
5G RAN fundamentals
5G RAN fundamentals5G RAN fundamentals
5G RAN fundamentals
 
Lte rrc-connection-setup-messaging
Lte rrc-connection-setup-messagingLte rrc-connection-setup-messaging
Lte rrc-connection-setup-messaging
 

Semelhante a Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis

D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
Giuseppe Paterno'
 
Alexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)securityAlexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)security
DefconRussia
 

Semelhante a Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis (20)

ACS-2010
ACS-2010ACS-2010
ACS-2010
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
adm6: ip6tables, pf.conf, ipf mit python in deutsch
adm6: ip6tables, pf.conf, ipf mit python in deutschadm6: ip6tables, pf.conf, ipf mit python in deutsch
adm6: ip6tables, pf.conf, ipf mit python in deutsch
 
RenasCON 2023: Learning from honeypots
RenasCON 2023: Learning from honeypotsRenasCON 2023: Learning from honeypots
RenasCON 2023: Learning from honeypots
 
Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017
Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017
Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017
 
Sectools
SectoolsSectools
Sectools
 
aaa
aaaaaa
aaa
 
Decreasing Incident Response Time
Decreasing Incident Response TimeDecreasing Incident Response Time
Decreasing Incident Response Time
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
 
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewalls
 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux Systems
 
Advanced Log Processing
Advanced Log ProcessingAdvanced Log Processing
Advanced Log Processing
 
Redteaming HID attacks
Redteaming HID attacksRedteaming HID attacks
Redteaming HID attacks
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones Hijacking
 
Alexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)securityAlexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)security
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Último (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis

  • 1. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security
  • 2. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security What are we talking about ? A mobile network operator Core Network Network passive capture showing Global Titles
  • 3. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Mobile Operators • Conveys the majority of voice communications worldwide • Conveys our data • Conveys growing M2M traffic • Emergency systems notifications uses it => We now rely on it and we have some security expectations
  • 4. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Mobile Operators and governance • In Europe
  • 5. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Mobile Operators and governance • In France Lets check the reality …
  • 6. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HSS Front End HLR Front End AuC HSM Provisioning DSA 3 Back Ends Provisioning Gateway Install Server Admin Routing DSA The Witness : An HLR/HSS Typical HLR/HSS in use in operator Core Network
  • 7. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS in Mobile Core Network A mobile network operator Core Network Network passive capture showing Global Titles
  • 8. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS in Mobile Core Network
  • 9. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS in Mobile Core Network
  • 10. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS in Mobile Core Network • HLR is used in all 2G Operator Network • HSS is used in all 3G/4G Operator Network • Stores customer data – Subscriber identifier (IMSI) – Subscriber encryption keys – Subscriber approximate location – Subscriber SIM plan options • Critical to the operator – HLR down == Network down, no calls possible
  • 11. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS in Mobile Core Network HLR/HSS receiving subscriber location update from the operator SS7/Diameter signaling links
  • 12. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Lets make it talk …
  • 13. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security
  • 14. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Plan HLR/HSS Robustness assessment • Virtualization – Virtualization and instrumentation • System Analysis – Localroot, Framework complexity • Network Fuzzing – SS7 Protocols • Binaries Reverse – More vulns
  • 15. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS Virtualization No, it’s not ATCA / NFV
  • 16. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security An HLR/HSS is an ecosystem
  • 17. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security An HLR/HSS is an ecosystem • HLR + HSS Front-end • HLR Administration server • Application/Database routing servers • HLR Backend/Database (multiple) • HSM (Hardware Security Module) for keys
  • 18. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HLR/HSS is never alone
  • 19. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Where to start • Most exposed from the outside => HLR/HSS Front-end – Receives SS7/Diameter traffic • Telecom network stacks – Receives provisioning requests – Connected to the HSM
  • 20. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security HSS Front End HLR Front End AuC HSM Provisioning DSA 3 Back Ends Provisioning Gateway Install Server Admin Routing DSA Where to start Typical HLR/HSS in use in operator Core Network
  • 21. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Virtualization of HLR/HSS Frontend
  • 22. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Original Equipment Manufacturer • Specs of the real equipment – i386 / x64 / Sparc – Solaris / CentOS – 32 GB of RAM – CPU 16 Cores – TB hard drive + External SAN
  • 23. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Qemu/KVM • Faster than VirtualBox • More flexible • Tweak code to add more network interfaces • VDE Switch for networking
  • 24. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Qemu/KVM qemu-system-x86_64 -machine type=pc,accel=kvm:tcg -pidfile ./myhlr.pid -m 7.2g -smp 4 -drive file=/dev/mapper/lvm-vm--myhlr,cache=none -vnc 127.0.0.1:2,password,tls,lossy -display curses -rtc base=localtime,driftfix=slew -net vde,vlan=1,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=1,macaddr=52:54:00:00:10:01 -net vde,vlan=2,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=2,macaddr=52:54:00:00:10:02 -net vde,vlan=3,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=3,macaddr=52:54:00:00:10:02 -net vde,vlan=4, sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=4,macaddr=52:54:00:00:10:02 -net vde,vlan=5,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=5,macaddr=52:54:00:00:10:02 -net vde,vlan=6,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=6,macaddr=52:54:00:00:10:02 -net vde,vlan=7,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=7,macaddr=52:54:00:00:10:02 -net vde,vlan=8,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=8,macaddr=52:54:00:00:10:02 -net vde,vlan=9,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=9,macaddr=52:54:00:00:10:02 -net vde,vlan=10,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=10,macaddr=52:54:00:00:10:02 -net vde,vlan=11,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=11,macaddr=52:54:00:00:10:02 -net vde,vlan=12,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=12,macaddr=52:54:00:00:10:02 • Physical partition for disk – Do not use disk file on host btrfs • super slow • ext4 is ok – http://www.linux-kvm.org/page/Tuning_KVM • Curses output • Improvements: serial terminal
  • 25. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Qemu/KVM • Solaris 10 – Qemu/KVM ok for x64 – Fails for SPARC • Stock kernel – /kernel – /usr/kernel • Custom kernel modules – For Telecom Signaling [Signalware] • Uses grub • Failsafe mode
  • 26. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Inside the machine • ZFS filesystem • Solaris 10 • Everything is installed via packages • Multiple Oracle databases – Even on HLR/HSS Front-end only • A lot of Middleware framework to start the actual network stacks / applications • Telco stacks: based on Ulticom Signalware • The OS expects its precious network cards
  • 27. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security System Analysis
  • 28. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security The filesystem • ZFS = Filesystem + Volume manager • ZFS pool (often mirrored) – ZFS root pool • 100-200GB usually enough • Prepare free space for system/processes dump – ZFS Dump pool • Should be more than size of your RAM – ZFS SWAP pool • Should be more that size of your RAM
  • 29. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security The filesystem • ZFS offers good resilience against data corruption, and is very picky when there is too much corruption – You can’t recover when filesystem is too much broken – You can try $ zdb -e -p /dev/dsk/c0t3d0p0 -F -X -AAA -dd rpool 1 $ zpool import -f -F -X 19485729304958623456 mypool $ zpool import -o readonly=on -o autoreplace=on -o failmode-continue -m -N -f -F -X 19485729304958623456 mypool • If it fails – Code your own tool by modifying ZOL http://zfsonlinux.org/
  • 30. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Filesystem /advdata/ autoinstmnt/ bin@ boot/ cust_data/ dump@ environment.txt* etc/ export/ false/ global@ home/ installmnt/ kernel/ lib/ mnt/ net/ nsr/ opt/ patchmnt/ platform/ root/ rpool/ rtp_environ.txt sbin/ tftpboot/ ti_var/ tmp/ TspAcc@ TspAccBackup@ TspCore@ tspinst/ TspTickets@ updateSW/ usr/ var/ vol/ Grub/platform + failsafe Applications data Kernel Telco specific apps Home + Applications data + Telco specific apps Crashdumps from Telco specific apps
  • 31. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Some packages installed application SMAWrtp Telecommunication Service Platform (TSP) Base Package application OMNI Signalware System application S6U-4 Signalware System application OMNI-C7X Signalware C7 Extensions application INTPahacu AC Utimaco HSM
  • 32. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Low hanging fruits • SUID executables – SUID Total: 162 (155 binaries, 7 scripts) – SUID Root: 142 (137 binaries, 5 scripts) • Signalware Boot process “becoming root” by Design
  • 33. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Local roots • Of course, we often find multiple local roots • Some are really too easy (one command):
  • 34. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Example of Telco network stack: NSN TSP / RTP + Ulticom Signalware • TSP + RTP framework are found on NSN NT- HLR – Found in many European and Worldwide operators – Very similar to Apertio OneHLR • TSP: Telco Server Platform (Ericsson) / Telco Service Platform (NSN, others, generic name) • RTP: Resilient Telco Platform (NSN)
  • 35. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Example of Telco network stack: NSN TSP / RTP + Ulticom Signalware • SS7 Protocol handling Reminder: SS7 stack
  • 36. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Network Fuzzing
  • 37. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Fuzzing SS7: M3UA • Example: Flooding badly handled – Leads to alerts flooding in OSS – Leads to loss of previous alerts ! – P1VID#799
  • 38. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Fuzzing SS7: SCCP • Example result: 1 specific MSU repeated 2 times causes DoS of all Signaling Interconnections – HLR is down during 2 minutes – Total Denial of Service of the network – Nobody can receive calls in the whole country core 'core.xxx' of 15477: /export/home/xxx 01 msu_processing () 02 msg_distribution () 03 main () 04 _start () – If the attack is repeated, the DoS is permanent during the attack – P1VID#773 So long for the critical infrastructure …
  • 39. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Fuzzing SS7: SCCP
  • 40. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Fuzzing SS7: MAP • Example results: 1 specific MSU causes MAP process crashes – 5 MSU/second makes HLR totally unresponsive to any other MAP Query • Total Denial of Service of the network • Nobody can receive calls in the whole country – 1 MSU/second makes HLR totally drop 50% of other MAP Queries • Network is highly perturbed • 50% of the called in the whole country are failing – P1VID#772
  • 41. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Fuzzing Diameter • Process Crash with 1 specific manually crafted MSU Logs do not even report process crash. Neither the OSS Alerts. Application logs: Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx UTC Tue Sep 3 01:20:44 2013 Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx Behind that, process core dumps are created… P1VID#718
  • 42. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Does redundancy saves you ? • No ! • Same N front-ends == same crashes • Messages just needs to be sent N times
  • 43. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Binaries reverse
  • 44. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Often, too much help… • Binaries not stripped – Debug symbols / function names / … available • No anti-debug mechanism • Libraries headers on production machines – Great help in understanding the internals • Large documentation about internals on production machines – Great help in understanding the internals • Updated binaries and previous binaries both on production machines – Binary diff to track issues fixed
  • 45. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Signalware Kernel modules • Example: Parsing of SCCP header
  • 46. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Signalware Kernel modules • Kernel modules signaling parsing is robust • IPC to communicate with userland binaries • Complexity leads to other type of errors – Logic errors – Race conditions – Slow handling of some types of MSUs
  • 47. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Signalware userland binaries • Parsing less robust (less tested) • Example logic error due to IPC / Framework complexity: Can be triggered from the International SS7 network Null pointer dereference
  • 48. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security So verdict ?
  • 49. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security So verdict ? • Misconceptions! – No crashes on a Critical Core Network Element • FAIL – Robustness against network attacks • FAIL • Redundancy != Robust, attack kills Front-end one by one – Modern • Depends, but from what we see there is much room for improvement
  • 50. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Mobile Operators and governance • Reality on Threats analysis: Maybe • Reality of Telco equipment security: Very bad • Public information: Very bad • Telco private sector information: Didn’t see impact
  • 51. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Consequences • Mobile Network crashes for unknown publicly available reason • Spying on phone calls / customer activities from a single point (Core Network) is relatively easy • Fraud
  • 52. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Recommendations • Secure SDLC (Secure Software Development Life Cycle) – Design – Implementation – Testing • Especially for vendors custom stacks/services TCAP/MAP parsing bugs leading to overflows, … • Vendors security audits (HLR isolated) – System audit – Network audit • Testbed audits (HLR in environment) – System audit – Network audit – Before deploying to production
  • 53. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Recommendations: securing the OS • Use Solaris Zones to split services: P1VID#764 • Use Solaris Audit mechanism: P1VID#765 • Authenticate the hardware – To prevent emulation • Use the latest OS protections against exploitation – Solaris 11 has ASLR – Use custom Linux kernel • Use a firewall by default on the machine itself • …
  • 54. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Recommendations: OSS • Make it faster ! – People should be able to use it to react when under attack – E.g. NSN @vantage commander • Need access to all low-level network traffic for forensics
  • 55. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Recommendations: For the operators • Push the vendors to fix the bugs • Some of the attacks we discovered can be filtered – Operators do not have to wait for bugs to be fixed – Filter at perimeter boundaries (typically STP / Router) – Depends on STP / Router models and security “features” • Sometime filtering options are charged by vendor • It is possible to filter also at the SCCP provider level
  • 56. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security To be continued • Telecom Network Elements security is low – We tested multiple Network Element types/models, from different vendors • Vendors, Governments and security researchers have work to do • Vulnerability disclosure in security critical infrastructure is scarce – Dangerous ? – Not if there is collaboration
  • 57. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security Other aspects of Telecom Security • We talked here about equipment security – It’s a work in progress, and only HLR/HSS – Mainly Network Equipment Vendor responsibility • Also consider – Other Network Elements security – GRX / IPX / SCCP Providers security – Deployment security (passwords policies, filtering…), Operator responsability – Telecom Network Fraud (SS7 spoofing, Call/SMS Spoofing, …), Operator responsability
  • 58. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security References Governance literature on critical infrastructure: • European level – 2007: http://www.nato-pa.int/default.asp?COM=1165&LNG=0 – 2012 http://www.nato.int/cps/en/natolive/news_88054.htm?selectedLocale=en – 2013 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/crisis-and- terrorism/critical-infrastructure/index_en.htm http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/crisis-and- terrorism/critical-infrastructure/docs/swd_2013_318_on_epcip_en.pdf • France – 2012 http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000026638421 &dateTexte=&categorieLien=id – 2013 http://www.gouvernement.fr/gouvernement/livre-blanc-2013-de-la-defense-et- de-la-securite-nationale
  • 59. 2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security That’s it, please react. Thank you laurent@p1sec.com http://www.p1sec.com