Red Team Village - Bypassing in Mobile Network from Red Team Points Of View
Formal metadata
Number of parts | 374
License | CC Attribution 3.0 Unported: You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/49180 (DOI)
Transcript: English (automatically generated)
00:00
I hope you're doing great and safe. First of all, before starting my presentation, I would like to thank the organizers, sponsors, Omar Santos, and Yet Another Security community, YAS, for their support. It is my honor to speak at DEF CON
00:23
Red Team Village, and I'm really excited about this. So, this talk, I think, is really interesting because we are going to take a look at the mobile network, which is used by mobile operators and many other entities all around the
00:41
world. This area of testing contains much valuable information, like user location, users' unique identifiers, and phone-number-related data. The important thing in this talk is that we're going to review all possible bypassing methods
01:03
because I think you may have heard much about telecom and SS7 vulnerabilities and hacking. So, the purpose of this talk is to address all those bypassing techniques from a red teamer's perspective. If you're ready, let's get
01:22
started. So, first, I want to introduce myself. I'm Ali Abdollahi, a cyber security enthusiast with over eight years of experience in a variety of fields, trying to make the world a safer place. I'm an instructor at
01:44
Hakin9 and an active researcher and bug hunter. I'm a regular speaker and trainer at famous cyber security and hacking global conferences like c0c0n, TyphoonCon, Texas Cyber Summit, OWASP AppSec Days, CONFidence, and
02:03
this year I proudly announce that besides Red Team Village, I'm a speaker and trainer at the Aerospace and AppSec villages. As you can see, there are many security incidents and news about vulnerabilities and hacking of mobile
02:24
infrastructure, including protocols, communications, and interconnections. In the top left corner, there is news regarding attacks on financial organizations and ATM infection by exploiting the SS7 protocol. In this case,
02:47
hackers tried to intercept authorized payment phone SMS to exploit them. So, because one of the most usable attacks is SMS interception and spoofing,
03:03
in the lower left corner, you can see news about using a telecom protocol to target UK Metro Bank in 2019. In this scenario, hackers tracked and intercepted text messages to gain unauthorized access to banking accounts.
03:25
In the top right corner, you can find another news item regarding fixing SS7 and telecom vulnerabilities in the US, which would be very helpful to secure communications and subscribers' private info. So, the last one is news about
03:43
sending tweets via SMS, which was patched by Twitter to avoid unwanted and harmful tweets and to combat malicious actors. So, now, the question is: what types of attacks and vulnerabilities threaten mobile networks and subscribers,
04:07
and why are they important to red teamers? So, the first possible attack category is subscriber data leakage. Actually, subscriber data leakage is a vital
04:23
part for red teamers to set up their next steps and scenarios. In this part of the scenario, they will retrieve subscribers' IMSI numbers and other stuff. The next one is network data leakage, which is very important for a red teamer to understand what's happening inside the mobile core network and what
04:48
kind of devices are in place there. Finding mobile subscribers' location is one of the most critical issues. So, based on this attack, a criminal can
05:02
retrieve the subscriber's CGI or cell global identifier and convert it to MCC (mobile country code), MNC (mobile network code), LAC (location area code), and cell ID or CID to find the actual sector which the subscriber is
05:23
connected to. Sniffing is the next scenario, which points to voice and SMS interception. Spoofing is another test case, which is very interesting because if you want to take advantage of it as a red teamer, you may perform
05:43
a call with a fake caller ID or send an SMS via a fake number. The last attack category is fraud. Red teamers can perform malicious usage of requests, call redirection, SIM card profile swapping, etc., to carry out the fraud attack categories. Now, we are starting our bypassing journey
06:10
one by one. So, first of all, we are going to talk about the radio segment, which is the most accessible part of a mobile network. As you can see here, we have a big picture of a radio access network or RAN in different
06:26
technologies: BTS in 2G or GSM, Node-B in 3G or UMTS technology, and eNode-B in 4G or LTE networks. So, there is a connection between the cell
06:41
towers and the core network, and based on your traffic type, meaning voice or data, the data passes through to the CS core or circuit switch network, or to the packet switch network. In this picture, we have the 5G architecture.
07:05
Most of the elements are different, but from a red teamer's point of view, the security flaws and opportunities of the traditional technologies are still available here. Please note that 5G has its own vulnerabilities, and because of the IP backbone
07:24
and software usage in this generation, many other doors open to hackers. Now, we are going to review all possible vectors for a red teamer when facing
07:42
a mobile network. First is the mobile RAN, the radio access network. So, the red teamer needs to be in the radio field and needs to have some sort of tools, like hardware and software. Second is the signaling network or CS.
08:01
So, to do this, the red teamer needs to have access to the signaling network. The red teamer can buy the access even from the dark web, or officially from telco providers all around the world, or based on the contract received from the network owner. The data network is easier because most attacks can be
08:25
performed from the internet and some of them from a signaling point. Okay. Now, we are going to review security mechanisms in the radio access
08:44
network, or radio security. The first one is mobile device registration using IMEI. Second is enabling a ciphering algorithm to fight against interception and man in the middle. The third item is using only LTE or LTE
09:02
Advanced or some other advanced mobile technologies instead of the traditional mobile core networks in 2G and UMTS. So, as you can see here, this is the big picture of a radio access network, and you can see it is in the LTE
09:27
generation, the fourth generation. The radio access network in this technology is called E-UTRAN or evolved UTRAN, and the eNodeBs are here.
09:41
They are connected to each other using X2 interfaces and connected to the core network using S1 interfaces. Okay. Why use IMEI policies?
10:02
Actually, fighting against phone smuggling, lawful and security monitoring, and tracking stolen devices and criminals are the main usages of mobile device registration or IMEI-based policies. Okay. Now, with the help of Motorola
10:27
C115 and C118 phones and the OsmocomBB software, we can set an invalid or fake or even duplicate IMEI and set up a call to test the network's reaction.
10:43
So, this is the bypass, the first bypass in the radio access network. According to this screenshot here, the network sends an identity request to my phone, and the type of identity was IMEI. So, I replied to it using an invalid IMEI set to all zeros.
11:13
So, the network accepted my invalid IMEI because the ciphering procedure was completed.
11:30
So, there are some types of ciphering keys, like Kc, addresses, and random numbers, in the radio access network, which harden the radio network to avoid active sniffing, and they are always
11:46
stored in the HLR or HSS in the core network. The HLR or HSS, as the subscriber database, has a component called the AuC or authentication center, which is responsible for the ciphering and authentication
12:03
procedures. To bypass and get this information, we are going to target the AuC in the HLR or HSS by abusing SS7 and signaling access as a roaming partner. As you can see, I sent a malicious SS7
12:25
MAP SAI, or send authentication info, to the targeted core network from the SS7 network to retrieve ciphering information, and the network responded to me with RAND, SRES, and Kc values in clear text.
12:50
Another security mechanism is using advanced technologies to bring the highest quality and performance, having more security and privacy in the core and radio segments, and other factors
13:05
like voice over LTE, VoLTE, flexibility, etc. Okay, so what's the bypassing method here? Let's review it.
13:23
Totally, there is a general way, and it is downgrading subscribers to traditional technologies like 3G and 2G, which are vulnerable. To perform downgrading, we need to use a signal jammer. Security in the circuit switch network. There are two main security
13:49
solutions in this segment of the network: the first is using SMS home routing, and the second one is a signaling firewall. Home routing acts as a proxy, and the definition of a home router
14:06
is to hide the subscriber's IMSI number, which is very valuable information to perform other hacking scenarios from a red teamer's perspective. As you can see, a red teamer requests to
14:23
receive the IMSI number from the HLR/HSS, and the HSS responds with the real value. However, the home router changed the value to a fake one. So the main issue is how we can detect if home routing
14:44
is enabled or not. We just need to send two or more malicious SS7 messages like send routing info for SM, or SRI for SM. If we receive different responses, it means that SMS
15:01
home routing is in place. As you can see here, the red teamer or our tester sends two different messages, or the same message two times, and the responses are different, as you
15:24
can see. And the main issue is the SMS router here, because in both cases the HLR/HSS responds with the real number. However, the SMS router changes the actual values. In telecommunications,
15:50
we have three types of GTs or global titles, which act like IP addresses. MSISDN consists of MCC or mobile country code, NDC, and SN. IMSI consists of MCC, MNC or mobile network
16:08
code, and MSIN. MGT consists of MCC, NDC, and MSIN. As you can see, a red teamer can use an MGT number and a valid random IMSI number to request other information regarding the
16:24
targeted mobile number, and it's really easy. Signaling firewall. Mobile operators use a signaling firewall to protect their signaling infrastructure: signaling packet inspection,
16:45
filtering, and white- and blacklisting. Bypassing the signaling firewall. So, to bypass these
17:02
kinds of firewalls, we just need to play with TCAP. What is TCAP? TCAP is essentially an SS7 sub-protocol, and it's like TCP. TCAP enables the deployment of advanced intelligent network services by supporting non-circuit-related information exchange between signaling
17:27
points using the SCCP connectionless service. TCAP provides the framework to retrieve information or invoke remote operations, and offers the means for end users in the SS7 network to
17:44
query another end office, and acts as the software interface between an SS7 point and database services in order to obtain data from the SS7 network. To perform bypassing,
18:13
we need to remove the application context name from TCAP or send a double operation message.
18:24
The application context name or ACN is used for all supported ITU TCAP messages except the abort message. No attempt to retrieve the ACN is made for abort messages. All other supported messages may have a dialog portion containing dialog request, unidirectional
18:46
dialog, and dialog response PDUs, from which the ACN is retrieved. If no dialog portion is detected, then the ACN is assumed to be none. The TCAP opcode-based routing feature
19:03
attempts to find the opcode in all supported TCAP messages except abort. These messages must contain invoke or return result (last or not last) as the first component.
19:25
If not, the opcode is assumed to be none. So, removing the application context name from the TCAP message. To start the procedure, we need to remove the dialog request section from
19:46
our malicious SS7 message. Then there will be no application context name to point to the malicious SS7 MAP message, or mobile application part message. So this is the second bypassing
20:10
method, sending a double operation message. Actually, most signaling firewalls block or accept a message based on the message type. So each signaling message has its own opcode,
20:31
and it's a vital number. According to the picture, the red teamer is trying to put a legitimate
20:47
SS7 MAP message opcode in the first step, so it seems a legitimate one, and then put a malicious SS7 MAP message. So the signaling firewall checks just the first
21:05
operation code, which is pointing to a legitimate operation. After that, the component inside the core network replies to the signaling firewall, or actually to the red teamer in this scenario,
21:26
and tries to keep the session, which is legitimate and valid, and asks to send the message again. So our red teamer says thanks, and this is what he wants. And still the whole session
21:51
is still available and legitimate as well. So the HLR, HSS, and all available and legitimate
22:02
signaling points inside our core network will respond with the real subscriber IMSI number and network information. And this is what a red teamer actually wants. As I mentioned, in the past several years, mobile network operators and telecom providers have turned
22:26
against telecom and especially SS7 attacks and enabled many security mechanisms. In this talk, I tried to explain all possible bypassing techniques in all network segments
22:42
of telecom infrastructures. We must consider that red teaming is very important because in these networks, we are dealing with millions of users' private data. Be careful about blind hardening and buying security appliances or software, because they are not
23:02
enough. We must have behavior analysis and continuous monitoring as complementary solutions. Thank you very much for your attention. I'm still available for any questions. I hope you enjoyed this talk, and please get in touch with me.