Defending, monitoring & detecting exploits on my telecom network

Transcript

1. Defending, Monitoring & Detecting exploits on my telecom network Telco

   Security Day 2017

2. Why I’m here ? • Enhance visibility possibilities of telecom

   operators • Defend against who ? • Fraudsters, Criminals, States • Troopers is amazing 

3. Luxembourg – Heart of Europe • A lot of European

   institutions − ESM, BEI, Court of Justice, Court of Auditors • NATO Support and Procurement Agency • Banks, banks, really a lot of them • Government of Luxembourg

4. Operators in mutation

5. Diameter Monitoring - Actual setup IPX DEA DEA IPX Internal

   Network TIDS

6. TIDS – Telecom IDS • Supports Diameter only for the

   moment • Parsing diameter traffic, extracting fields, exporting on JSON format • Two type of information extracted − All messages for data analytics in Splunk and later analysis − Detectors such as Location tracking, Spoofing, unwanted Application-Id • Minimize « intelligence » efforts on TIDS – not stateful • Splunk is used to do this stateful / correlation intelligence

7. Why building it

8. Actual issues Interface Diameter Message Target Attack goal S6a ULR

   HSS Sub DoS S6a CLR MME Sub DoS S6a PUR HSS Sub DoS S6a RSR MME Network DoS S6a IDR MME Fraud (Profile injection) S6a IDR MME Tracking S6a * * Spoofing S6a * * Scanning SLh RIR HSS Tracking / Info gath SLg PLR MME Tracking Sh UDR HSS Tracking S6c SRR HSS Info gathering S9 (S9/Rx) CCR / RAR PCRF Fraud ? S6m SIR HSS Info gathering

9. Who is in my network ?

10. Monitored issues Interface Diameter Message Target Attack goal S6a ULR

    HSS Sub DoS S6a CLR MME Sub DoS S6a PUR HSS Sub DoS S6a RSR MME Network DoS S6a IDR MME Fraud (Profile injection) S6a IDR MME Tracking S6a * * Spoofing S6a * * Scanning Particialy Monitored

11. IDR – Location tracking • Mainly operators asking for location

    of their subscribers • Not so commun on the network ~50 messages per day • Luxembourg as a lot of international interesting roamers

12. IDR – Location tracking • One month statistics • Seems

    like people are getting tracked…

13. Looks like your gov loves you • Constant IDR loc

    requests at fixed timings

14. Another one • Fixed pattern hours are not so commun

    • More about several IDR location after every UpdateLocation

15. I’m also monitoring your network • How could we do

    it passively ? • S6a Reset • Could appear when HSS crashed, got upgraded

16. S6a Reset – Upgrade in progress FE9 18/01 6:50AM FE9

    31/01 6:30AM FE1,2,3,4,5,6,7,8,9 07/02 1:50AM – 3:40AM 89 RSR eachtime

17. Spoofing – Topology hidding • Usually misconfiguration • Found several

    spoofing of realm – never on host • Never on host – topology hidding ? − Random host outside of my network − Impossible to directly reach real internal hosts • IDR location with direct host target – trying to bypass topology hidding

18. Data analytics • We are robots • Let’s do predictive

    analysis • Detects misconfigured roaming equipments • Frauds with traffic peak • We are still learning

19. Monitoring traffic rerouting • AVP Route-Record − Loop detection if

    Network Element see itself in the Record − Path authorisation, check in the taken path respects the agreements • Using it to detect rerouting of traffic over the Network

20. Legacy Again • SS7/SIGTRAN is known to be broken for

    years • Allows Call/SMS interception, tracking, Info gathering, Denial of Service

21. Monitoring the SS7 network • Operator main concerns are availability

    and fraud • Fighting against fraud it’s an everyday if you don’t automate • Main frauds: − Call forwarding to premium numbers − SMS Spam – Call me back to premium numbers − SMS Spam – Usual Ads

22. Measures already taken • SMS Anti-Spam engine • Continous improvement

    with vendor after bypass is found • CDR injection in Splunk to detect frauds in early stages • Call forwarding is denied by default for everyone • Activation is done after request and checks − Less than 100 actives on the network • Fraud on call forwarding should not be possible

23. Exploiting the HLR from the phone • Call forwarding requests

    are dropped by default by HLR • HLR is controlling everything related to profiles • Exploiting HLR from a phone at the signaling level to bypass protections • How it was discovered ? − FRAUD obviously

24. About the fraud • 2 postpaid sim card bought with

    fake ids • Fraudsters did some tests on Wednesday which were detected but not as fraud but misconfiguration • As usual they started on Friday night • Exploit enabled them to bypass all the security measure of the HLR with a « magic packet » • Was discovered and blocked on Saturday morning

25. Fraud concequenses • Fraudsters were abroad, not possible to catch

    them in Luxembourg • Immediate counter measure was taken by dropping all signaling packets containing the « magic packet » • 500k fraud of forwarded calls to premium numbers in Africa • Was a good exercise of coordination, Legal, Security, Mobile teams • We contacted all intermediate parties and finally dropped all CDR • Vendor patched after 2 months

26. Learnt about it • Vendor considered it as security issue

    but not critical • Attackers had access to this HLR for reverse • Vulnerability looks really like a backdoor… • Any hint is now taken seriously and investigated • Collaboration between teams was improved

27. Operators should just try to • Speak with their vendors

    • Help them understand and implement security features and needs • We collaborated with Ericsson for SS7 and Diameter security • E/// DSC are now running a diameter FW and IDS, MSC has a SS7 partially stateful FW (Version 17A)

28. TIDS – Telecom IDS • I need other operators to

    test it ! • Private Beta • Just contact me or just come talk to me  [email protected] • Will help you to setup TIDS & adapt it to your network • I’m running it on a old HP Gen5 server – 10% CPU max

29. Questions ?

30. Thank you • POST Security CSE team • POST operationnal

    teams • Troopers & Telco Security Day amazing organisation !