Mobile Data Interception from the Interconnection Link
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 167 | |
| Author | ||
| License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/34799 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
| |
| Keywords |
34th Chaos Communication Congress155 / 167
1
2
3
4
5
6
7
10
11
12
14
15
25
26
29
30
31
33
34
39
40
42
43
45
46
49
50
53
58
59
61
63
65
68
69
71
73
77
78
79
81
82
83
85
86
87
88
91
92
94
99
100
101
102
108
109
110
113
114
115
116
118
119
122
124
125
126
127
129
130
131
132
133
134
136
138
139
140
141
145
147
148
150
151
152
153
154
157
159
160
161
163
164
165
166
167
00:00
Client (computing)CodeFiber bundleDifferenz <Mathematik>Forcing (mathematics)Mobile WebCommunications protocolDiameterInformation securityIntercept theoremDifferent (Kate Ryan album)Electronic mailing listComputer animationUML
00:54
Design of experimentsInformation securityIntercept theoremMobile WebAdaptive behaviorMalwareComputer networkCrash (computing)Operator (mathematics)Software testingComputer network
02:01
Computer networkMobile WebOperator (mathematics)FamilyInternetworkingVerbindungsstrukturComputer networkConnected spaceInformation securityAuthenticationSource codeCommunications protocolService (economics)DiameterComputing platformInternetworkingComputer networkPhysical systemFamilyBitComputer networkCASE <Informatik>Computer hardwareQuicksortClassical physicsConnected spaceDifferent (Kate Ryan album)Greatest elementComa BerenicesMathematical optimizationTelecommunicationPoint (geometry)Android (robot)Tablet computerOperator (mathematics)System callPlastikkarteLattice (order)Function (mathematics)Pay televisionInformation securityMobile WebFinite differenceMultiplication signWordCartesian coordinate systemCommunications protocolGoodness of fitCellular automatonNumberComputer animationEngineering drawing
06:26
Core dumpComputer networkData structureQuicksortData structureBitComputer networkInformation securityRoundness (object)Cellular automatonReal number
07:25
Associative propertyRevision controlSoftwareService (economics)Operator (mathematics)Power (physics)NumberComputer networkMobile WebFacebookHacker (term)AuthenticationSpywareExploit (computer security)HypermediaVideo trackingPasswordTelecommunicationLine (geometry)Data compressionInternet service providerOperator (mathematics)Set (mathematics)Multiplication signUniform resource locatorCommunications protocolCASE <Informatik>PlastikkarteComputer networkSimulationCartesian coordinate systemHecke operatorGreatest elementDenial-of-service attackPoint (geometry)EstimatorRow (database)Mobile WebOffice suiteBitArithmetic meanPhysical systemCodeDiameterInformation securityYouTubeIntercept theoremKey (cryptography)TrailPasswordHypothesisTraffic reportingEmailLogical constantVirtualizationAngleProper mapPay televisionService (economics)Level (video gaming)Social engineering (security)Power (physics)InternetworkingSource codeBusiness modelComputer networkNumberAuthenticationQuicksortPosition operatorNetzwerkverwaltungImplementation1 (number)Latent heatTelnetVideo gameSystem callCellular automatonTouchscreenSystem administratorProgram flowchartComputer animation
13:20
Communications protocolVertex (graph theory)Operator (mathematics)Directed setInformation securityData integrityAuthenticationSource codeLevel (video gaming)MereologyMessage passingFirewall (computing)Transport Layer SecurityIPSecElectric currentComputer networkOperator (mathematics)Firewall (computing)AuthenticationInformation securityINTEGRALLevel (video gaming)Product (business)Presentation of a groupSystem callLatent heatTelecommunicationSource codeNegative numberLetterpress printingTransport Layer SecurityComputer animation
14:54
Information securityDiameterGame theoryPoint (geometry)Communications protocolRule of inferenceComputer fontLogicData managementProfil (magazine)QuicksortDifferent (Kate Ryan album)Computer animation
15:43
Non-standard analysisInferenceComputer-generated imageryLocal ringService (economics)Communications protocolLimit (category theory)Mobile WebTracing (software)QuicksortHecke operatorComputer networkSystem callMathematical analysisComputer networkIntercept theoremSource codeXML
17:51
Video trackingInfinite conjugacy class propertyPasswordPhysical systemInformation securityComputer networkService (economics)Information retrievalDiameterComputer clusterDenial-of-service attackTrailTranslation (relic)QuicksortMessage passingCuboidSimilarity (geometry)Office suiteUniform resource locatorObservational studyInformation retrievalCommunications protocolNumberDiameterPasswordSource codeService (economics)Operator (mathematics)Intercept theoremComputer networkProfil (magazine)LinearizationDatabaseBitMassSpacetimeData managementComputer networkInformation securityPosition operatorComputer animation
21:00
Vector potentialConstraint (mathematics)Adaptive behaviorCommunications protocolDiameterSimilarity (geometry)Configuration spaceInstant MessagingOperator (mathematics)RWE DeaComputer networkInternet service providerLevel (video gaming)SubsetQuicksortCrash (computing)Intercept theoremDigitizingInformation securityCommunications protocolMobile WebComputer networkComputer networkError messageAreaDiameterField (computer science)Scaling (geometry)Form (programming)Pay televisionTelecommunicationInterface (computing)Cartesian coordinate systemCellular automatonPoint (geometry)Moving averageSoftware testingSatelliteConfiguration spaceConstraint (mathematics)Direction (geometry)Revision controlInternet service providerOperator (mathematics)Multiplication signCASE <Informatik>Video gameProfil (magazine)Self-organizationConnected spaceGroup actionVector potentialDatabaseArithmetic meanMetropolitan area networkServer (computing)CuboidData managementAdaptive behaviorVulnerability (computing)DialectComputer hardwareSet (mathematics)Point cloudComputer animationDiagramProgram flowchart
27:17
Interface (computing)Local GroupOperator (mathematics)Server (computing)Web serviceMessage passingCodeRWE DeaForcePressureInstant MessagingConfiguration spaceImage resolutionDirect numerical simulationInterface (computing)Array data structureComputer networkOperator (mathematics)Server (computing)CuboidService (economics)Direct numerical simulationInternetworkingPressureConfiguration spaceDifferent (Kate Ryan album)Image resolutionSet (mathematics)Cartesian coordinate systemCore dumpVulnerability (computing)Computer networkMobile WebComputer animation
29:04
Vertex (graph theory)Digital signal processingInterface (computing)Identity managementMultilaterationQuicksortMessage passingClassical physicsComputer networkData acquisitionNumberSubset
29:47
Instant MessagingServer (computing)Operator (mathematics)Focus (optics)QuicksortInterface (computing)Cartesian coordinate systemPoint (geometry)Wireless LANAxiom of choiceEndliche ModelltheorieProfil (magazine)SynchronizationBitInformationComputer networkCASE <Informatik>Message passingOperator (mathematics)Uniform resource locatorSource codeComputer animation
31:38
Server (computing)Operator (mathematics)Profil (magazine)Tap (transformer)Level (video gaming)Interface (computing)Core dumpComputer networkPoint (geometry)Electronic mailing listMobile WebLogicCASE <Informatik>Set (mathematics)Message passingSynchronizationConnected spaceComputer animation
33:42
Game theorySynchronizationAddress spaceAuthenticationGUI widgetRWE DeaDirect numerical simulationImage resolutionRadical (chemistry)Set (mathematics)Constraint (mathematics)Multiplication signSynchronizationComputer animationDiagram
34:39
DiameterVertex (graph theory)Information securityRootPublic key certificateOperator (mathematics)Internet service providerFirewall (computing)Direct numerical simulationImage resolutionDigital filterComputer networkBlock (periodic table)VelocityAddress spaceFlow separationInterface (computing)RootUniform resource locatorProper mapService (economics)Interface (computing)Key (cryptography)Similarity (geometry)Public key certificateVelocityBlock (periodic table)Order (biology)Information securityGoodness of fitComputer networkLevel (video gaming)Direct numerical simulationElectric generatorMultiplication signExpert systemOperator (mathematics)Image resolutionInternetworkingIPSecDiameterHacker (term)Source codeComputer animation
36:45
Operator (mathematics)StatisticsLevel (video gaming)Message passingService (economics)BitInformation securityExecution unitArray data structureMetric systemComputer networkScheduling (computing)Rule of inferenceInformationQuicksortArithmetic meanHecke operatorMultiplication signProcedural programmingComputer networkShared memoryRoutingComputer file
38:25
Configuration spaceUniqueness quantificationComputer networkElectric currentFocus (optics)Function (mathematics)Similarity (geometry)DiameterComputing platformIndependence (probability theory)EvoluteInternetworking1 (number)GSM-Software-Management AGMereologyBitGame controllerConnected spaceType theoryDialectQuicksortInformation securityInternet service providerIntercept theoremOperator (mathematics)Computer networkMobile WebComputing platformIndependence (probability theory)Firewall (computing)Computer networkNumberTrailInternet der DingePay televisionRemote procedure callScheduling (computing)Multiplication sign2 (number)Open setCASE <Informatik>Flow separationLogicTelecommunicationDiameterService (economics)CodeWhiteboardUniform resource locatorChemical equationARPANETProcess (computing)Level (video gaming)Configuration spaceProfil (magazine)DistanceSystem callComputer configurationWeightArray data structurePoint (geometry)SatelliteDenial-of-service attackDependent and independent variablesPasswordOcean currentMachine visionDefault (computer science)Group actionPulse (signal processing)SummierbarkeitPressureForm (programming)EncryptionMathematicsElectronic mailing listMusical ensembleProduct (business)Key (cryptography)ACIDSet (mathematics)Computer animation
47:59
Computer animationJSONXMLUML
Transcript: English(auto-generated)
00:15
So, our first speaker of today is Dr. Silke Holtmans. She has an impressive amount of
00:24
publications actually. I stopped counting at the 45th and the list was going on and on and on. Pretty impressive. She also was previously a speaker at many different and other conferences including the Black Hat Conference. And today she's going to
00:41
speak about SS7 and diameter and the security aspects of both of these LTE protocols. The title of her talk is Mobile Data Interception from the Interconnection Link. Please welcome her with a lot of applause. Thanks a lot. As I said, my name is Silke Holtmans. I work
01:09
for Nokia Bell Labs. That's the research brand of Nokia. I've been doing mobile security for 17 years. So everybody of you sitting here who has an LTE-enabled phone has a piece
01:22
of something I designed in it. That's quite a nice feeling actually. But this is not only my work. It's also from my colleague Jani Ekman who works in our testing department who sets up test networks so that we don't crash accidentally operator's networks when
01:44
we make an update. And actually with our competitor, Kassel McDade from Adaptive Mobile. So we have been working together on this one. I will explain later how that has happened. So I will talk about mobile data interception from the interconnection link. And well, let's
02:04
start with the practicalities. So this is something that's not so visible in public. Some of you might have been in 2014 here or 2008 when Tobias Engel or Karsten Knoll presented their attacks. So for those who have not been there, we are here in Leipzig.
02:22
You are connected now to Vodafone, Deutsche Telekom or Telefónica. And the meeting attendees here are international. So you will also have people from UK connected from usually have a subscription from three, from France, from Orange, from Poland, maybe from
02:41
Plus or MTS when they are coming from Russia. I'm from Finland. Well, I live nowadays in Finland. So my colleagues and family, they have Eliza, Telia or DNA subscription. And there's a big difference to credit card system. In the credit card world, there's
03:04
But for telecommunication operators, these are different legal entities in different countries. And still, you can just pop up in their network, switch your phone on and you can get data or make voice calls or SMS and you're charged to your home and it works.
03:22
So that's actually something to think about because that's not happening automatically. And the reason why this is actually working is because there's something called interconnection link or IPX network. It's not the internet. It has touching points with the internet. But it's a private separate network which enables mobile data communication or in general
03:45
mobile telecommunication. So and actually why this is such an important network because we are all connected to it. Everybody here who has a switched on phone is connected to it. And not just your phones. It's also tablets which if they are cellular enabled,
04:04
for example, there's a tablet with Android, let's say, to AT&T in Anchorage. There's a connected scale, let's say, to Verizon in US. Or there we have a car which can connect to a car which may be from Telefonica in South America. In the bottom you see there
04:21
a gas meter from British Telecom which is also cellular enabled. Then we have there a fire alarm from Telstra. I heard they might need a fire alarm in case of a burning platform arrives there at their shores. I heard something like that has arrived there. Our industrial optimization sort of assembly lines which might have connectivity, cellular
04:44
connectivity and of course classical phones. So you see there are all kind of different operating system, all kind of different hardware. And they are connected to a local operator and while that they are connected to the interconnection network. So they can be reached from the interconnection network in case something arrives for them.
05:05
To understand the security of interconnection, we need to go back a bit. So 1981, the interconnection network was established between four countries, Nordic countries. And you see there a beautiful picture of the Nordic mobile telephony of the Nordic dogman, as we Finns used to say.
05:24
So it's sort of this size and we weighed about 5 kilograms so I didn't bring it. Very beautiful piece of hardware. And it was a closed and private network. So that was the main security feature of that network. It was closed and private and nobody could get in, only the people that know each other. It was running the signaling system
05:44
number 7 protocol. And that was a huge success and they extended and extended it and more and more operators joined Latvia and so on, Estonia. And nowadays we have all kinds of applications using it. You get your SMS reminder for your dentist or
06:01
whatever, sort of your banking times, whatever. And now we move towards the LTE diaries protocols. And so just to give you an idea, sort of that's how it started. Probably Finland, Sweden, Norway, Denmark and that's how they started. They probably went together in a sauna having some good beer and say, hey, let's do it. And they managed to do it.
06:27
That's how it nowadays looks like. Sort of more, it has grown a bit. So we have, that's 2G and 2.5G. Then we had 3G, bit of 4G. And now we have also 5G. So it has
06:43
gotten a bit more complex. And it's a sort of organically grown structures. And the thing is everything is connected with everything else. So you see GSM networks, really old networks connect to LTE networks and the other way around. So sometimes there are nodes in the middle, sometimes not. So it's very, very sort of inhomogeneous
07:07
to call it that way. So back to security. I mean the main security feature of this jungle was that it's closed in private. Now let's revisit this assumption sort of 35 years
07:23
later and see what has happened. Is it still closed in private? I'm afraid to say no. There are different angles to close in private. On the top you see there are three. I could have chosen any European operator. That's not particular to three. It's just
07:44
in the European Union, the European Union wanted to encourage competition so that mobile virtual network operator have very easy to establish their business. So for example, supermarkets chains are now selling here subscriptions, for example, in Germany. So they rent their
08:02
services from a traditional operator. And all operators in the European Union are forced to rent out the services that they have themselves, which includes roaming, to anybody who has basically come and asked and has a proper business model. That makes it also
08:24
very, or it makes it easier for nasty guys to buy the interconnection access. In the middle there are cell phone reports, cell phone interception. These are from the dark net from a company called interceptor, but they have a horrible service, so I wouldn't
08:44
recommend that company. They are not answering to emails or anything, but they are claiming to rent out these kind of services. So the access can also gain from the dark net by just buying it. Here on the bottom we see a screen shot from Shoden. You see here
09:03
this GGSN. You might not know which node this is, but I can tell you a GGSN has no reason to be on the internet. It shouldn't be there. I don't know why it is there. Maybe it's a honey pot, so I don't suggest to hack that, so you never know what comes back. Then we have on the right-hand side here a GPRS air cell. Air cell is a big
09:29
operator in India, and they seem to have their GPRS nodes on the internet. The protocol here is SMMP. That's a simple network management protocol, and it's used, and above that
09:45
there's a telnet lock-in. My personal assumption is that somebody was on call duty to fix the network and didn't want to go into office, so he just set himself up this telnet access so he could easily configure the stuff from home. But these things happen. That's life.
10:02
But of course, telnet lock-in, you throw on a sort of password cracker and see what you have. Admin, admin is always worth a try. Then there this map is a bit older. That's from the WikiLeaks, from the Snowden leaks, and it's showing the countries which the NSA says they have access to the phone network. It's probably no longer up to date.
10:27
I think the situation, particularly in Europe, has improved substantially since then. On the top, there's an article from The Intercept where the GCHQ, basically a British spy, hacked BelgaCom, but that was the GPRS transport protocol.
10:46
So I think it's fair to say that there are points where the network is no longer that closed and private, so hackers, they may just rent a service, they hack their way in. Having power, in some countries the line between government and telecommunication
11:05
providers, not so strict, let's call it that way. And if the government wants to have access, they just get access. Of course, there's a classical bribing of an employee that always works, just amount of money. You can become an operator, or you can do social engineering that has also
11:25
been seen, but that's a quite rare case, actually. Social engineering is not so common. But the other ones are sort of more likely. So, let's do a brief recap. SS7, that's the old protocol. And there were attacks, these
11:44
are the attacks that exist for the old signal system number 7, which is still most commonly used on the interconnection link. We have the location tracking that was published I think in 2008, very coarse granularity by Tobias. Then we have eavesdropping, fraud, denial of service on the user network. Credentials theft that are the cryptographic keys that
12:07
are stored also on your SIM card that are used for confidentiality and authentication. Data session hijacking, but that's not SS7, that's actually GTP protocol. Unblocking of stolen phones, that is an implementation specific attack not from our notes, I'm
12:24
happy to say. SMS interception, basically that's pretty risky because of all the one-time passwords theft, because nowadays many password reset systems send you one-time code, and
12:41
the attacker can actually trigger the sending of the one-time code. So, depending on the system used, it's more or less vulnerable to it. And there are even on YouTube videos how that works, so this is basically a situation for SS7. Those attacks were sort of done
13:03
by P1, positive technologies, cast null, Tobias Engel, and these are sort of some, I'm focusing more on diameter security. So that's basically the SS7, the old protocol.
13:21
And that's the status of the security for the IPX network. The SS7 is still most commonly used, but things slowly move forward. The communication is sometimes direct, sometimes intermediate notes involved, depending, for example, we are here now in Germany. I don't
13:42
think there exists a specific cable from Germany, let's say to Tuvalu, that's a Pacific island, I think of 2,000 people living there, something like that, but they have their own operator. So I don't think there exists an explicit cable from here to there, so there
14:03
are probably some intermediate notes involved if you make a phone call to Tuvalu. But some operators also have direct personal pipes with their most common partners, for example in Frankfurt, such a big hub. Also nowadays some deploy SS7 firewalls, I think that was
14:21
a big achievement of the presentation done here in 2014, that really something happened afterwards. The first firewall products came up and also operators started to deploy it, so not all have them, but it's better now. But there's no form of transport security, no IPsec, no TLS, no DTLS, no map security, no source authentication or confidentiality
14:45
protection and no integrity. That's how it is. No fun, but that's it. So, diameter, new rule, new protocol, new game, everything is better, let's see. All will be better
15:06
with LTE and diameter, I've heard that from one company, I'm not going to say which company that was. Well, all will be different. We have a different protocol, but it's doing roughly the same things. As the user, you still move from A to place B, you move
15:26
from one antenna to the next antenna. So the logic for handover and subscriber profile management and things like that, they're pretty similar, they're not exactly the same, but they're pretty similar. So it's possible that some things are just sort of converted,
15:42
let's call it that way. Attacks, they are reality. I've seen myself some attacks, quite many actually. I've been doing traces analysis, looking at the traces and trying to figure out what the heck is that. And there's one important question one needs to
16:01
ask, why should attackers stop just because we have a different protocol? Come on. They make money with it, or they are governments, intelligence communities. This is all you can eat data, give me all your data. They track VIPs, I don't know. And there are these kind of service companies, basically you have to know that some governments have
16:25
their own agencies which do stuff, and other governments, they just hire service companies, because it's cheaper. Because the service companies sell to several governments, that means they can offer per government the things cheaper. Also governments have budgets.
16:41
So there are these kind of service companies, also they are just entities which make money from it, fraud. And also military uses mobile network data for target localization. For example, in The Intercept it was published that, I think they called it drones paper,
17:03
that about 70% of the data for target localization for the drones, where they use their drone strikes, comes from mobile telephone networks. Which I find pretty, coming from the telco industry, sort of pretty, makes me a bit upset, because they weren't designed
17:24
for it, they were designed for user mobility and making phone calls. They are not a military weapon, but they are used for it. Yeah, even the German Bundeswehr was observed
17:40
doing something with the Afghan phone network. So, attacks are moving forward. Let's see how the status is with diameter. I'm from research, and when I started looking into interconnection attacks, my manager said, SS7 is old stuff, don't look at it,
18:05
look forward. Okay, I'm research, I look forward. I studied first, how does SS7 work, and then I looked forward. In particularly, I looked at the diameter protocol as a successor of SS7, and then we looked at sort of where are similarities for attacks, and we started
18:25
basically with location tracking. It's sort of relatively easily done. Then you have downgrading attacks that basically, because as I said, they are old networks and new networks, and they have to talk to each other. So basically, the attacker comes to
18:40
say, hey, I'm an old network, I only speak SS7, can you please translate this stuff for me? And actually, then there are translation boxes which translate the whole attack into the new protocol, very convenient for an attacker. So the attacker doesn't even have to learn the new protocol. It's very nice if you have a translator. I hope I don't
19:00
speak too fast for the translators. Then we have denial of service attacks and fraud. Denial of service attacks are also, in that sense, very easy, because denial of service attack, the attacker can just push the attack towards networks, and he doesn't care if the answer message is correctly routed. So he can spoof the origin. He can
19:25
use the origin of a partner, because he can just push the message and doesn't care, and just sees, okay, things go down, worked. So denial of service attacks are very easy in that sense that you can spoof the sources. SMS and one-time password interception is
19:43
very sound because of this kind of password usage. SMS was just a few bits of space in the protocol. Somebody said, okay, let's use it for texting. And it was never designed for security, and yeah, well, there we go. And then we have subscriber profile modification.
20:02
So the subscriber profile is basically an entry in the database, in the main database of the operator, which says if you have prepaid, postpaid, if you are GPRS, if you are allowed to roam, what's your phone number, what's your identity, and so on. So if you meddle with that, you can imagine that it can cause quite some hiccup. Then there was by positive
20:27
technology on denial of service and IMSI retrieval, and also at the black hat, Hendrik and Daniel presented, denial of service, I think Daniel presented, because Hendrik had
20:40
a car accident. But he's okay. And now we are presenting basically data interception for GPRS and LTE. Just as a reminder, there are usually some restrictions when things work and when they not work. So that's important. Not all networks are vulnerable. That's very important to understand. So to the talk now to data interception, and I'm afraid
21:07
I have to give you a very tiny crash course for LTE networks, but I keep it really to a sort of acceptable level. Let's go that way. So the background, as I said, this was done together with one of our competitors, Adaptive Mobile, and the GSMA is the operator
21:26
organization which enables basically roaming, where we also have a security group and then we discuss the security and what can we do to improve it and so on. And Adaptive Mobile reported on a GPRS traffic interception attack that they saw in live network. And
21:44
then at the same time I was working with some colleagues on subscriber profile modification using the diameter protocol. And then we discussed it. I was thinking, hey, we could combine those attacks, the ideas of those attacks, and get a potential data interception for
22:01
LTE. But we weren't 100% sure about the constraints. It was clear for us from the beginning that there are probably some constraints and it only works in some configuration. So what I did then, I called my colleague, Jani, because we have a test network. As a big network company, we roll out updates for the operators. And as updates have the
22:28
tendency sometimes to screw up things, we have a test network where we basically copy the exact network of the operator where we go to roll out the software. And we also copy the configurations. So Jani knew the configurations, so what are typical configurations
22:45
and so on. And there we also tested those attacks. And there we sort of figured out what are the constraints so that these attacks could work. So GPRS, basically how
23:03
it worked, that the attacker was modifying in the SGSN, saying sort of to the home network, please check if there's a new access point network. And when the user then requests a session, what then happens that this gray cloud there connects to the attacker and
23:23
asks for the access point. It gets us back and then the user connects to the access point provided. So that's the basic idea. You don't need to understand all the detailed command codes, but that was the idea. So now a crash course in mobile networks.
23:40
So that's you. Well, you're behind that phone, but somewhere there. You connect to an operator, antenna, radio access network. Okay, you have friends and you have gadgets. These are your friends and gadgets. Okay. You move from, let's say, from one antenna
24:02
area to another antenna area. So you need somebody to take care of your mobility. You don't need to remember the whole abbreviation. Just remember M like mobility. So this guy is basically taking care of tracking your mobility, where you move, and so on. So it's a mobility management entity. Then we have a database where it's stored, prepaid, postpaid,
24:30
all the little details. And the application server. The application server you need when you want to make voice over LTE calls. And here's the database where your subscriber.
24:44
The HSS. I put there the HSS because if that thing is down, then the whole network is down. That's the most important box in an operator network. The MME, there are several of them and they are sort of for regional level. So if an MME goes down, some region is affected. But if the HSS goes down, the whole network is dead. Meaning
25:06
that the operator has no income and he's pretty upset. The network has an edge. That's diameter edge node. So we have the E in the middle. And then there are other operators
25:21
that look basically the same. So we make this assumption that we have two LTE networks talking to each other. We are not going on all the interworking cases with GSMN or whatever. So let's keep it easy. That's the easy version, believe me. So as explained with the Tuvalu example, those two networks might have a direct cable. Let's say if they
25:43
are sort of sitting very close to each other. But there might also be one or more of the interconnection providers sitting in between. So now we have all the hardware together and then there are interfaces, as they are called. So we have the most important
26:01
and most busy interface is the S6A interface. That's between the mobility and the database. Because the mobility node needs to know what's allowed to grant to you, what kind of network connectivity you are allowed, are you allowed to use LTE, are you not allowed to use LTE, what are your constraints, what are your credentials, and so on. So that's
26:26
a lot of data traffic on that one. And then there's the S8 interface, which is usually internal, but I come to that. And of course you also have that enrollment case. So when you are, let's say, here now and have a subscription from, if you have a subscription,
26:45
let's say, from Germany, and you are then connected to an MME, let's say, in France, then the S6A will be used, for example, to fetch your cryptographic credentials to provide your confidentiality also while you are traveling in France. Somewhere the French network
27:01
needs to get your cryptographic keys so that they can protect your communication on the interface. The S8 interface, in some scenarios, some configuration scenarios, it might also go over the interconnection link, and I will come back to that. So, configuration vulnerabilities. Settings that are not uncommon and have been observed.
27:26
The price pressure on the mobile network market, it's pretty tough. And so what they do, operators, which make, they use equipment for different purposes, and they're opening up interface and so on. And one typical scenario is if you have a big operator which
27:43
has subsidiaries in many countries, they buy first one box, they place it in one country, and then they use it from all countries just to see if the service flies, if the user likes it, and so on. And then if it's running well, it's also deployed in
28:03
other networks. Makes sense. Business-wise, that makes perfect sense. If it doesn't fly, it can just swap one server and the investment was not so big. But that also means that they open up the link to the server over the interconnection link. And that has
28:21
been seen for application servers. And similarly, there's the problem of the DNS resolution. Of course, it's cheaper to have one box instead of two boxes. So we have internal traffic which is for the core network internal, and then we have external traffic like internet traffic DNS resolution. And some operators just put it on the same node because it's
28:45
cheaper. Also actually that's not the configuration vulnerability, but I thought I mentioned that anyway. There's the assumption that the attacker is able to set up an EPC APN,
29:00
so that's more an assumption on the attacker. The attack that I'm going to present has several steps. Step one, classical data acquisition. This can be quite sort of done well before, it can be done half a year before, you don't need to do it directly beforehand. So you can do it just before, you can do it now and then do it in the attack
29:23
half a year later. The EMZ, you know each other by phone numbers, but the EMZ is the subscriber identity that's used by the telephone network. So the phone network usually doesn't use the MSISDN, your phone number, it uses EMZ for all the messages. So the
29:43
attacker needs EMZ to get things running. So we focus on the SIH interface. There's something called user data request. It just gives you a profile back. And the profile contains the EMZ, the EMP, the whole subscriber profile, all the details the attacker needs.
30:03
Easy. It's a standard feature, it just requires that the attacker impersonates an application. And that's actually how it looks like on Wireshark. So just for your information. I'm not going through the details of the Wireshark, I don't do it.
30:23
In case the SIH interface is not open, we can also use the S6C interface, but not many operators actually using that one either. So the attacker has a choice of attack possibilities
30:41
and actually this attack works the same way for SS7. So the attacker might also do basically the same stuff in SS7. So I presented the details of that in Paris in May. And also the attacker can do other things, S6A, but they also really need the EMZ. It can make
31:04
an update location request. This is the most common message over the interconnection. For synchronization purposes, you impersonate an MME and say please send me a subscriber profile, I need an update. Well, the network is so nice. And this is all possible because
31:22
there is no source authentication. Other way to get the EMZ than this SMS attack is, for example, that you set up a fault base station or a wireless LAN access point and I need to speed up a bit, sorry. So, APN placing. The attack works that you place
31:44
in the subscriber profile your fake bad APN and then the user connects to it. That's the basic idea. So how to get the APN there? One way is, again, using the SIH interface, profile update requests. The network nodes synchronize with each other and there is
32:04
a message called profile update request and with that you can update the APN in that case. So because you know from the previous step how the subscriber profile looks like, then you can update it because you know how it looks like. You just change some values, tiny bit value. APN details. Let me say you can change the APNs for GPRS or for
32:31
packet core EPC. That's how this kind of update looks like in Wireshark.
32:41
And also you can use the S6A interface which is a bit bothersome because you cannot stop the SIH interface. There is a sort of little trick. If the HSS has reset, then to avoid that somebody needs to manually update all access points network after HSS reset, it
33:06
basically the MMEs can update the APN data. But they should only do that after reset. So there is a logic behind that how you could detect this kind of attack. So this
33:23
is also possible. So the attacker is actually a set of possibilities. And also you can update the subscriber profile in the MME, that's the mobility node. So there are several points where you can update the profile. And then the user connects. So how does
33:43
that happen? So user connects at the UE, that's the user equipment, that's the GP terminal. It attaches to the HSS, update location, and then with or without synchronization. That has the attacker basically try an error. You don't know. And then if he has updated
34:04
basically in the HSS and the MME, what happens then that the MME connects the user to the fake APN. And this only works for under the constraints I explained before.
34:21
And actually you say, hey, I have an APN setting in my phone. Why is that not used? Well, that comes from the old times when you still had to configure your APN settings manually. So the MME just assumes you made the typo and you are wrong. These are the legacy stuff. So it sometimes pops up. So as industrial research, I cannot just
34:42
complain this is bad. I also have to fix it. You're from the IT community, most of you. Hey, it's easy. Let's use IPsec and we have source authentication. Everybody is happy. Well, I wish it would be so easy. IPsec is even standardized for diameter. But it's not all IP. Who remembers the third transport protocol, SCCP? Yeah,
35:10
we still have it living there. And there's the political question. We talk about an international network all across the world. Who would be trustworthy enough to host the
35:21
root certificate and the key generation worldwide? I know who. Banco Vaticano. Seriously. I mean, you name one country, I name you another country that says no, no, no, no, no. So no way we are going to have a, maybe we get something on a regional level one day that's possible. And then there are operators that just don't have the money
35:43
or expertise. In Tuvalu, which I mentioned before, they have something 47 employees. They don't have a security expert, I'm pretty sure. Maybe they have one. I don't know. Also still, it's no protection against some governments or renting out to service companies or hack notes or things like that. But IPsec would still be a good idea
36:04
if there's not already a secure pipe in place. But it's also important that the partners have a similar understanding on hardening and so on. So that's also. For this specific attack, the SH interface, it's an internal network interface. You
36:22
shouldn't open it up on the interconnection. At the nodes in between, you can also filter out SH traffic if you really need to do it secured properly. DNS, proper internal resolution and for the update location stuff, the S6A potentially block or velocity check,
36:43
so how fast the user can travel. I'm nearly done. Countermeasures on general level. Monitor what's going on. Pentest the network. It's not very common that mobile phone networks are pentested. Tenant monitoring. What are those mobile virtual operators really doing in your network?
37:01
Do you really know? Do they stick to the service? It's like this I accept. And then you just hope they do what they're supposed to do. Share your experiences. That's a bit critical because network operators are always afraid that they might get into trouble with their license. So when they disclose, they have been somehow hacked. They're always a bit afraid, sort of okay, what does that
37:24
mean for my license next year and so on. Some things can already be done with business rules. So if you have partners which send you a lot of bad messages, you might want to increase the fees for those partners. So some stuff can be done with business rules.
37:41
Filter, filter, filter on the network side. Signaling file on SMS home routing. Not everybody is doing that. I hope the operator knows which one I mean. A very specific one there in mind. Then we have the TSMA documents which describe explicitly what you can do and lay out security
38:00
from user level. So don't necessarily assume that the pipe is secure. If you can add some security on top of it, do it. I mean, if you have app-based security, even if it's not good, it might help somewhat. And note-hardening procedures. They exist, so let's use them.
38:26
Summary. All networks are attacked if I ever saw, but not all are equally vulnerable. Some are a bit more, some are a bit less. The attacks are reality, but still mostly SS7, but diameter is sort of popping up slowly. It's independent of phone or platform.
38:43
The interception attacks that are presented depends strongly on what actually is really configured in the network and how it works. But there are networks that are vulnerable. On the general question, sort of if diameter is better or worse than SS7, if nothing is done, well, it's bad. But I think we have now a unique opportunity to do things better,
39:03
and I think now it's actually on the right track. So I know that last week several operators called the IPX provider and asking, do you filter SH traffic? So this conference here really did some improvement to the security. So to all of you and also to the people here and to all these guys working here,
39:24
so thank you a lot. This really sort of kicked off something in the operator tech community. And basically it's questions. Open floor.
39:46
Thank you for the very nice talk. I think we can actually give a thank you back for some more applause. Thanks a lot.
40:02
All right. We have lots of time for questions. Please lie upon the microphones if you have a question. Microphone number one. Hi. Are there any other legitimate uses of remote arrays or HSS profiles? I guess it's like setting code bearing and code weighting options.
40:21
Are there legitimate options? What updates are used for them? From hearing partners? In the subscriber profiles, everything relates to your subscription. There is also, there is call bearing, there is special services which you are allowed to use.
40:43
If you have postpaid, if you have prepaid, your phone number is there. If you have proximity security, which bearers you are allowed to use. So it's all kind of technical details in there. But basically you can do easy denial of service, you can do fraud with meddling there. So the subscriber profile offers a lot of opportunities, let's call it that way, for attackers.
41:06
So basically the question is, is there legitimate uses for visiting networks to update your profile at home? Yes, of course. I mean, if you, for example, are in the foreign network and want to change your subscription
41:22
or your location update, it also changes your subscriber profile. But actually the visited network doesn't need your whole subscriber profile, that's the point. At least you shouldn't change your APN, for example. Yeah, it might be that you want to have local connectivity because that might be better.
41:42
So there might be a good reason for giving you this new APN so that your traffic doesn't need to be routed over the ocean and back. So there are good reasons for doing it. But you might want to keep a control of who is doing what on your network. Alright, thank you. Microphone number two, your question.
42:03
Hey, there's a bit of a gap in public knowledge about SS7 attacks in the wild. Can you just talk about how frequently you see these attacks and in what parts of the world? They are everywhere in the world, so we are doing as a company,
42:23
we also do sort of assessments of network and we see operates all the world under attack. It's not bound to a geographical region. Some regions have this type of attack a bit more, some others have a bit other types of attack a bit more, but they all, the most commonly observed attack is usually location tracking
42:46
followed by credential theft. So these are everywhere in the world, but not as said, we see them at the board of the network and they are filtered then out, so not all of those attacks. When people monitor it, they also filter in the same go.
43:04
So you see them all over the world. And every operator has some chunk of attack traffic. We noted that actually that operators that deploy signaling firewalls have much less malicious traffic, for example,
43:22
than operators that just look the first time into that traffic, let's call it that way. So also attackers seem to sort of more or less, I wouldn't say give up, but well. So filtering really helps in several levels.
43:40
And there is one question from the IRC. Yes, thank you. The IRC wants to know how many years do you expect will be needed to prevent these attacks? Well, the internet is not safe today. I think mobile networks are going through the same evolution process as the internet went. So beginning with the internet was the ARPANET
44:02
where you have username, password, and then you were in. And I think this network is basically rushing through the same steps. So how to say? I mean, I just do what I can. And it's also an investment question. I mean, security costs money.
44:22
And obviously everybody expects security to come for free, also users. So there has to be a balance somewhere. So I don't think, for example, that these 2,000 people in Tuvalu are willing to pay, let's say, 50 bucks more for their subscription per month.
44:41
That's just not feasible. And still, people there want to be able to call out. So we must find solution also for these kind of cases. So it's been pretty hard. So if you face reality in that sense, you also have to think about budgets and so on. So I don't think we will ever have 100% secure networks.
45:01
As we don't have 100% secure internet, even with HTTPS and whatever, we have IP second. Microphone number six, what's your question? I see that there's a big problem of backward compatibility. Do you have a schedule when you will turn off old GSM infrastructure, like 2G?
45:23
Or doesn't it exist? Well, mobile network nodes, for example, from countries which are more progressive, which roll out newest technologies, these nodes are sometimes not scrapped, those radio towers that you see on the roofs.
45:40
They are sometimes sold, for example, to Africa, second-hand equipment. There's a big second-hand equipment market. And because there, look at how much an African subscriber can pay for their subscription per month. So the infrastructure is just not allowed to cost much money. So the GSM will live for a while.
46:01
It will continue for a while. Also, there are operators which see GSM as a very cheap way to offer IoT connectivity. Because if you have to pay as much for a subscription for, let's say, your tablet, your scale, your car, and so on, you don't want to pay for everything of that,
46:20
let's say, 30 bucks per month. So these should have a cheaper subscription. But how can you offer as an operator a cheaper subscription, which basically means you reuse your old stuff? Especially if it's not time-critical communication. So you recycle your GSM return of investment as much as possible.
46:40
That's just business logic on both sides. So I suppose we will live with GSM for a while. Microphone number 4, what's your question? Are there practical documentation and configuration examples for smaller providers
47:02
who might not have the resources you have, and which are publicly accessible? We discussed in GSM how to do things for them, and one that the IPX providers might take more responsibility, because very often those very tiny islands are connected to one satellite operator,
47:21
and then it basically goes into the IPX network. And basically, if you just have this link then from this IPX provider, the IPX provider then takes care of the security. Security as a service, basically. Thank you.
47:41
Okay, I'm seeing no one else lined up anymore. So thanks a lot for answering all the questions. And thanks a lot for your talk.