
Defending, monitoring & detecting exploits on my telecom network

Nowadays, operators are handling daily frauds and signaling attacks on 2G, 3G and 4G networks, with a special mention to attackers starting frauds on Friday night, thank you guys!

For several years now I have always been on the offensive side regarding telecom core network signaling, which is why I started trying to catch the Friday night bad guys. During this talk I will share my experience of building monitoring solutions in an ISP playground and how you can do it yourself with everything you already have on your network. I will also share the different interesting fraud cases and 0days I have caught during these years and how we are handling them in my ISP.

https://troopers.de/troopers17/talks/823-defending-monitoring-detecting-exploits-on-my-telecom-network/

Alexandre De Oliveira

March 21, 2017

Transcript

  1. Why I’m here?
    • Enhance the visibility possibilities of telecom operators
    • Defend against whom?
    • Fraudsters, criminals, states
    • Troopers is amazing

  2. Luxembourg – Heart of Europe
    • A lot of European institutions
      − ESM, BEI, Court of Justice, Court of Auditors
    • NATO Support and Procurement Agency
    • Banks, banks, really a lot of them
    • Government of Luxembourg

  3. TIDS – Telecom IDS
    • Supports Diameter only for the moment
    • Parsing Diameter traffic, extracting fields, exporting in JSON format
    • Two types of information extracted
      − All messages, for data analytics in Splunk and later analysis
      − Detectors such as location tracking, spoofing, unwanted Application-Id
    • Minimize « intelligence » efforts on TIDS – not stateful
    • Splunk is used to do this stateful / correlation intelligence
  4. Actual issues

    Interface   Diameter Message   Target   Attack goal
    S6a         ULR                HSS      Sub DoS
    S6a         CLR                MME      Sub DoS
    S6a         PUR                HSS      Sub DoS
    S6a         RSR                MME      Network DoS
    S6a         IDR                MME      Fraud (profile injection)
    S6a         IDR                MME      Tracking
    S6a         *                  *        Spoofing
    S6a         *                  *        Scanning
    SLh         RIR                HSS      Tracking / info gathering
    SLg         PLR                MME      Tracking
    Sh          UDR                HSS      Tracking
    S6c         SRR                HSS      Info gathering
    S9 (S9/Rx)  CCR / RAR          PCRF     Fraud?
    S6m         SIR                HSS      Info gathering

  5. Monitored issues

    Interface   Diameter Message   Target   Attack goal
    S6a         ULR                HSS      Sub DoS
    S6a         CLR                MME      Sub DoS
    S6a         PUR                HSS      Sub DoS
    S6a         RSR                MME      Network DoS
    S6a         IDR                MME      Fraud (profile injection)
    S6a         IDR                MME      Tracking
    S6a         *                  *        Spoofing
    S6a         *                  *        Scanning

    Partially monitored
  6. IDR – Location tracking
    • Mainly operators asking for the location of their subscribers
    • Not so common on the network: ~50 messages per day
    • Luxembourg has a lot of interesting international roamers

  7. Another one
    • Fixed-pattern hours are not so common
    • More about it: several IDR location requests after every UpdateLocation

  8. I’m also monitoring your network
    • How could we do it passively?
    • S6a Reset
    • Could appear when the HSS crashed or got upgraded

  9. S6a Reset – Upgrade in progress

    FE9                    18/01  6:50AM
    FE9                    31/01  6:30AM
    FE1,2,3,4,5,6,7,8,9    07/02  1:50AM – 3:40AM

    89 RSR each time

  10. Spoofing – Topology hiding
    • Usually misconfiguration
    • Found several spoofings of realm – never on host
    • Never on host – topology hiding?
      − Random host outside of my network
      − Impossible to directly reach real internal hosts
    • IDR location with a direct host target – trying to bypass topology hiding

  11. Data analytics
    • We are robots
    • Let’s do predictive analysis
    • Detects misconfigured roaming equipment
    • Frauds with traffic peaks
    • We are still learning

  12. Monitoring traffic rerouting
    • AVP Route-Record
      − Loop detection if a Network Element sees itself in the Record
      − Path authorisation: check that the taken path respects the agreements
    • Using it to detect rerouting of traffic over the network
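The field extraction of slide 3 and the Route-Record checks of slide 12, worked through as an added example that is not TIDS code: a minimal Diameter parser over a constructed S6a IDR, followed by the stateless loop and path-authorisation checks. The own-DRA identity and the set of agreed peer hosts are assumptions for the example.

```python
import struct

# AVP codes from RFC 6733; S6a application id and IDR command code from 3GPP TS 29.272
ORIGIN_HOST, ORIGIN_REALM, ROUTE_RECORD = 264, 296, 282
S6A_APP_ID, IDR_CMD = 16777251, 319
# Constructed identities: our own DRA and the peers our roaming agreements allow in the path
MY_HOST = "dra1.epc.mnc001.mcc270.3gppnetwork.org"
AGREED_HOSTS = {"dea1.ipx-provider.example", "dea.partner.example"}

def avp(code, text):
    """Encode one M-flag AVP (no vendor-id), data padded to a 4-byte boundary."""
    body = text.encode()
    hdr = struct.pack("!IB", code, 0x40) + (8 + len(body)).to_bytes(3, "big")
    return hdr + body + b"\x00" * (-len(body) % 4)

def diameter_request(cmd, app, avps):
    """Prefix the AVPs with a 20-byte Diameter header, R (request) flag set."""
    payload = b"".join(avps)
    return (b"\x01" + (20 + len(payload)).to_bytes(3, "big") + b"\x80"
            + cmd.to_bytes(3, "big") + struct.pack("!III", app, 1, 1) + payload)

def parse(msg):
    """Walk the AVPs and keep only the fields the detectors need (TIDS-style extraction)."""
    out = {"cmd": int.from_bytes(msg[5:8], "big"),
           "app": struct.unpack("!I", msg[8:12])[0], "route_record": []}
    pos = 20
    while pos + 8 <= len(msg):
        code, flags = struct.unpack("!IB", msg[pos:pos + 5])
        alen = int.from_bytes(msg[pos + 5:pos + 8], "big")
        data = msg[pos + (12 if flags & 0x80 else 8):pos + alen].decode()
        if code == ROUTE_RECORD:
            out["route_record"].append(data)
        elif code in (ORIGIN_HOST, ORIGIN_REALM):
            out["origin_host" if code == ORIGIN_HOST else "origin_realm"] = data
        pos += alen + (-alen % 4)  # AVP length excludes the padding
    return out

def detect(fields):
    """Stateless Route-Record checks: loop (we are already in the path) and unagreed hops."""
    path = fields["route_record"]
    alerts = ["loop: own host already in Route-Record"] if MY_HOST in path else []
    alerts += [f"path outside agreements: {h}" for h in path if h not in AGREED_HOSTS | {MY_HOST}]
    return alerts

# Constructed IDR that reaches our DRA a second time, via a hop no agreement covers
SAMPLE = diameter_request(IDR_CMD, S6A_APP_ID, [
    avp(ORIGIN_HOST, "hss7.partner.example"), avp(ORIGIN_REALM, "partner.example"),
    avp(ROUTE_RECORD, "dea.partner.example"), avp(ROUTE_RECORD, "ipx-unknown.example"),
    avp(ROUTE_RECORD, MY_HOST)])
```

The dict returned by `parse` is what would be serialised to JSON and shipped to the analytics backend; `detect` stays stateless, leaving correlation to that backend as slide 3 describes.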
  13. Legacy again
    • SS7/SIGTRAN has been known to be broken for years
    • Allows call/SMS interception, tracking, info gathering, denial of service

  14. Monitoring the SS7 network
    • Operators’ main concerns are availability and fraud
    • Fighting fraud is an everyday job if you don’t automate
    • Main frauds:
      − Call forwarding to premium numbers
      − SMS spam – call me back to premium numbers
      − SMS spam – usual ads

  15. Measures already taken
    • SMS anti-spam engine
    • Continuous improvement with the vendor after a bypass is found
    • CDR injection in Splunk to detect frauds in early stages
    • Call forwarding is denied by default for everyone
    • Activation is done after request and checks
      − Less than 100 active on the network
    • Fraud on call forwarding should not be possible

  16. Exploiting the HLR from the phone
    • Call forwarding requests are dropped by default by the HLR
    • The HLR is controlling everything related to profiles
    • Exploiting the HLR from a phone at the signaling level to bypass protections
    • How was it discovered?
      − FRAUD, obviously

  17. About the fraud
    • 2 postpaid SIM cards bought with fake IDs
    • Fraudsters did some tests on Wednesday which were detected, but as misconfiguration rather than fraud
    • As usual, they started on Friday night
    • The exploit enabled them to bypass all the security measures of the HLR with a « magic packet »
    • Was discovered and blocked on Saturday morning
  18. Fraud consequences
    • Fraudsters were abroad, not possible to catch them in Luxembourg
    • Immediate countermeasure was taken by dropping all signaling packets containing the « magic packet »
    • 500k fraud of forwarded calls to premium numbers in Africa
    • Was a good exercise of coordination: Legal, Security, Mobile teams
    • We contacted all intermediate parties and finally dropped all CDRs
    • Vendor patched after 2 months

  19. Learnt about it
    • Vendor considered it a security issue, but not critical
    • Attackers had access to this HLR for reverse engineering
    • Vulnerability looks really like a backdoor…
    • Any hint is now taken seriously and investigated
    • Collaboration between teams was improved

  20. Operators should just try to
    • Speak with their vendors
    • Help them understand and implement security features and needs
    • We collaborated with Ericsson for SS7 and Diameter security
    • E/// DSC are now running a Diameter FW and IDS, MSC has an SS7 partially stateful FW (version 17A)

  21. TIDS – Telecom IDS
    • I need other operators to test it!
    • Private beta
    • Just contact me or come talk to me: [email protected]
    • Will help you to set up TIDS & adapt it to your network
    • I’m running it on an old HP Gen5 server – 10% CPU max

  22. Thank you
    • POST Security CSE team
    • POST operational teams
    • Troopers & Telco Security Day, amazing organisation!