attacking nextgen roaming networks · 2018. 5. 11. · roaming network provider a provider c...
TRANSCRIPT
![Page 1: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/1.jpg)
1
Attacking NextGen Roaming Networks
![Page 2: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/2.jpg)
22
Agenda
o
o
o
![Page 3: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/3.jpg)
3
What is SS7?
o
o
o
o
o
o
![Page 4: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/4.jpg)
4
Roaming Network
Provider A Provider C
Provider B
BobAlice
The Most Simple Situation:
Alice has a contract with Provider A
Bob has a contract with Provider B
![Page 5: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/5.jpg)
5
The roaming situation:
Alice has a contract with Provider A
Bob has a contract with Provider B
Alice is connected to Network of Provider C
Roaming Network
Provider A Provider C
Provider B
Bob
Alice
![Page 6: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/6.jpg)
6
The roaming situation:
Alice has a contract with Provider A
Bob has a contract with Provider B
Alice is connected to Network of Provider C
Roaming Network
Provider A Provider C
Provider B
Bob
Alice
Interaction with Provider of Alice
![Page 7: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/7.jpg)
7
Typical Roaming Interaction
o
o
o
o
![Page 8: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/8.jpg)
8
SS7 Weaknesses
o
o
o
o
o
![Page 9: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/9.jpg)
9
Vulnerability Classification
o
o
o
o
Source: SANS Institute - The Fall of SS7 How Can the Critical Security Controls Help?
![Page 10: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/10.jpg)
10
SS7-MAP Message Classification
![Page 11: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/11.jpg)
11
Tool
o
o
o
o
o
o
![Page 12: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/12.jpg)
12
![Page 13: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/13.jpg)
13
Roaming in 4G/LTE Networks
o
o
o
o
o
![Page 14: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/14.jpg)
14
Diameter Networks
o
o
o
o
![Page 15: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/15.jpg)
15
LTE Roaming
Provider A Provider B
Diameter
SIP & RTP
IPX
![Page 16: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/16.jpg)
16
DRA DRA
Provider A
MME
HSS
PCRF
OCS
Provider C
DRAMME
Alice
IPX
SGW
DEA DEADRA
IMSPGW
Method 1: Home Routed IMS
![Page 17: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/17.jpg)
17
Method 2: Local Breakout
DRA DRA
Provider A
MME
HSS
PCRF
OCS
Provider C
MME
Alice
IPX
DEA DEADRA
IMSSGW/PGW
DRA
IMS
![Page 18: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/18.jpg)
18
Some Diameter Interfaces
o
o
o
o
o
o
o
o
![Page 19: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/19.jpg)
19
Diameter – The Base Protocol
Source: RFC 6733
![Page 20: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/20.jpg)
20
Used to match answer with response
Which application is used? (S6a, Sh, …)
Host which is initiating the request
Realm which is initiating the request
![Page 21: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/21.jpg)
21
Diameter Messages (S6a)
o
o
o
o
o
o
o
o
![Page 22: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/22.jpg)
22
![Page 23: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/23.jpg)
23
Let‘s do some Attacker Modeling
o
o
o
o
o
o
o
o
o
o
![Page 24: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/24.jpg)
24
Tracking
o
o
![Page 25: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/25.jpg)
25
Interception Attacks
o
o
o
![Page 26: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/26.jpg)
26
Message/Call Interception
o
o
o
o
o
o
o
![Page 27: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/27.jpg)
27
Fraud
o
o
o
![Page 28: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/28.jpg)
28
Denial of Service
o
o
![Page 29: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/29.jpg)
29
Limitations
o
o
![Page 30: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/30.jpg)
30
Summary (aka. let there be attacks)
![Page 31: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/31.jpg)
31
Topology & Topology Hiding
o
o
o
o
![Page 32: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/32.jpg)
32
Spoofing? Yes!
o
o
![Page 33: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/33.jpg)
33
Cross-Checking of PLMNs and Identities
o
o
o
o
![Page 34: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/34.jpg)
34
Tool!
o
o
o
o
o
![Page 35: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/35.jpg)
35
Tool (cont.)
o
o
o
![Page 36: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/36.jpg)
36
Tool (cont.)
o
o
![Page 37: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/37.jpg)
37
diameter_enum config file[DEFAULT]
origin-host: vanir
origin-realm: vanir
destination-host: fd.ernw.net
destination-realm: fd.ernw.net
host-ip-address: 10.11.12.1
vendor-id: 0
product-name: denum
inband-security-id: 0
mnc: 001
mcc: 001
imsi: 0010012345678
plmnid: 12f345
msisdn: 12345678
imei: 9876543210
![Page 38: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/38.jpg)
3838
LIVE DEMO!
o
![Page 39: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/39.jpg)
39
Penetration Testing of Interconnect Technologies
o
o
o
o
o
![Page 40: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/40.jpg)
40
What’s in There / Recommendations
o
o
o
o
o
o
o
o
o
o
o
![Page 41: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/41.jpg)
41
Controls from Our Perspective
o
o
o
o
o
![Page 42: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/42.jpg)
42
Summary & Outlook
o
o
o
o
o
![Page 43: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/43.jpg)
43
There’s never enough time…
THANK YOU… ...for yours!
@Enno_Insinuator
![Page 44: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction](https://reader036.vdocument.in/reader036/viewer/2022071010/5fc8ae4f00cc2d33f1029157/html5/thumbnails/44.jpg)
44
Thank you!