Posted on 14-Dec-2015

Hacking Communication System

Akib Sayyed

[email protected]

About Me

• Telecom Security Researcher
• Spoke at NullCon 2012
• Works on SDR, GNU Radio
• Certified Psycho

About Company

• Payatu Technologies Pvt. Ltd.
• Boutique security testing company
• Blackbox / product / web / mobile audits
• Security trainings
• Organizers of the nullcon security conference

What are we looking at

• Hacking GSM
• Hacking the core telecom network

Hacking GSM

What can we do with GSM

• Listen to calls
• Impersonate someone's identity
• Track location

Listening to Calls

• Treated as rocket science until 2006
• Since then people have built their own crackers and interceptors
– Some of them are open source
– Easy to build
• Open source software and hardware are available to receive the air-interface data and crack the encryption

Cost for 1 Interceptor

• 1500 Rs phone
• 20000 Rs hard disk with rainbow tables
• 20000 Rs worth of computer
• Home-made software + open source code
• And your interceptor is ready

Protecting Calls

• Upgrade the encryption standard
– Allow A5/3
– Randomize SI messages and padding (removes the predictable plaintext that rainbow-table attacks on A5/1 depend on)
• End-to-end call encryption
• Use 3G :P
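Why "randomize SI and padding" helps, as an added worked example that is not part of the talk: GSM fills unused octets of a LAPDm frame with the fixed value 0x2B, and System Information messages are largely predictable, so an eavesdropper who captures a ciphered frame already knows much of its plaintext and can XOR it out to obtain keystream, which is exactly what the rainbow tables in the interceptor bill of materials above are indexed by. The script models the cipher as a keystream XOR (the keystream is random bytes standing in for A5/1 output, and the frame header and payload are constructed, not real signalling) and counts how many keystream bytes an attacker recovers with fixed fill versus random fill.

```python
import os

LAPDM_FILL = 0x2B   # fixed fill octet for unused LAPDm frame octets (3GPP TS 44.006)
FRAME_LEN = 23      # octets in one LAPDm frame on a full-rate signalling channel


def build_frame(payload: bytes, random_fill: bool = False) -> bytes:
    """Return a 23-octet LAPDm-style frame: constructed 3-octet header, payload, fill.

    Fixed 0x2B fill is the default GSM behaviour; random_fill=True models the
    'randomize padding' countermeasure from the slide.
    """
    if len(payload) > FRAME_LEN - 3:
        raise ValueError("payload too long for one frame")
    # Header values are constructed for the example (address, control, length
    # indicator) and are not a real GSM message.
    header = bytes([0x03, 0x03, (len(payload) << 2) | 0x01])
    n_fill = FRAME_LEN - 3 - len(payload)
    fill = os.urandom(n_fill) if random_fill else bytes([LAPDM_FILL]) * n_fill
    return header + payload + fill


def xor_stream(data: bytes, keystream: bytes) -> bytes:
    """Stream-cipher model: A5/x output is a keystream XORed onto the frame."""
    return bytes(d ^ k for d, k in zip(data, keystream))


def fill_positions(payload_len: int) -> range:
    """Octet positions an eavesdropper can predict from the frame length alone."""
    return range(3 + payload_len, FRAME_LEN)


def recover_keystream(ciphertext: bytes, payload_len: int) -> dict:
    """Attacker side: XOR the ciphertext with the fill octet it expects at the
    padding positions. Every correct guess yields 8 bits of keystream."""
    return {i: ciphertext[i] ^ LAPDM_FILL for i in fill_positions(payload_len)}


def correct_keystream_bytes(payload: bytes, random_fill: bool, keystream: bytes) -> int:
    """Encrypt one frame, run the attacker's recovery, and count how many of the
    recovered keystream bytes are actually right."""
    frame = build_frame(payload, random_fill)
    ct = xor_stream(frame, keystream)
    guess = recover_keystream(ct, len(payload))
    return sum(1 for i, k in guess.items() if k == keystream[i])


if __name__ == "__main__":
    payload = bytes(range(0x10, 0x1A))   # constructed 10-octet payload
    ks = os.urandom(FRAME_LEN)           # stand-in for A5/1 output, not a real cipher
    n = len(fill_positions(len(payload)))
    print("fixed fill :", correct_keystream_bytes(payload, False, ks), "of", n, "keystream bytes")
    print("random fill:", correct_keystream_bytes(payload, True, ks), "of", n, "keystream bytes")
```

With fixed fill the attacker gets every padding octet of keystream (80 bits here) from a single captured frame; with random fill each guess is right only by chance, so the known-plaintext window that the rainbow tables need disappears. The same reasoning applies to predictable SI message content, which is why the slide lists both.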

Impersonating

• Use someone else's identity while making requests to the network
• This allows one to impersonate the identity of someone else
• Can:
– Make/receive calls
– Send/receive SMS
– Divert calls

Protection Against Impersonating

• The end user cannot do anything
• The operator needs to work on this:
– Authenticate calls
– Authenticate SMS
– Authenticate USSD requests

Hacking Core Network (SS7 and SIGTRAN)

Core Network in Telco

Image Credits : http://www.gl.com

Core Network 2G /3G

• Based on SS7/SIGTRAN and IP
• In simple words: either TDM (T1/E1) or IP (SIGTRAN over SCTP/IP)
• No authentication (no username and password) on SS7

SS7 is used for

• Call control for voice (the voice itself travels on the bearer, SS7 carries the signalling)
• SMS
• USSD (Unstructured Supplementary Service Data)
• Call handling
• Operation and maintenance
• Mobility services
• Location management
• ...

SS7 /SIGTRAN Stack

Image Credit : Mobicents

Protocols in SS7/Sigtran

• MTP1/2/3, M3UA
• SCCP -> Signalling Connection Control Part
• TCAP -> Transaction Capabilities Application Part
• ISUP -> ISDN User Part
• MAP -> Mobile Application Part
• CAP -> CAMEL Application Part
• INAP -> Intelligent Network Application Part

MTP1/2/3 And M3UA

• Provide the physical, data link and network layers
• MTP1 = Message Transfer Part 1 (physical)
• MTP2 = Message Transfer Part 2 (data link)
• MTP3 = Message Transfer Part 3 (network)
• M3UA = MTP3 User Adaptation Layer (carries MTP3 users over SCTP/IP in SIGTRAN)

SCCP /TCAP

• Signalling Connection Control Part
– Provides extended routing (Global Title translation), flow control, connection-oriented and connectionless service
– Relies on MTP for basic routing and error correction
• Transaction Capabilities Application Part
– Facilitates multiple concurrent dialogues between the same SSNs
– More like a session handler

MAP

• Mobile Application Part
– SMS
– USSD
– Call handling, routing
– Location management

CAP

• CAMEL Application Part
– Used when the subscriber is roaming
– Allows the home network to monitor and control calls made by the subscriber
• INAP, Intelligent Network Application Part
– The IN protocol CAP is derived from; used for IN services in fixed networks

Routing in SS7

• PC (Point Code) == LAN IP
• GT (Global Title) == WAN IP
• SSN (Subsystem Number) == port number
• STP (Signalling Transfer Point) == router
• SSP (Service Switching Point)
• SCP (Service Control Point)

Routing based on Point Code

Image Credit : Cisco

Routing Based on GTT

Image Credit : Cisco

Routing based on GTT

Image Credit : Cisco
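To make the PC / GT / SSN analogy concrete, here is an added example (not from the talk) that encodes and decodes an SCCP Called Party Address as laid out in ITU-T Q.713: the address indicator octet says whether the message is routed on Global Title or on point code plus SSN, then come the optional 14-bit point code, the SSN and, for GT indicator 4, translation type, numbering plan, encoding scheme, nature of address and the BCD digits. Only GT indicator 0 and 4 are handled; the sample addresses and the HLR/VLR/MSC subsystem numbers are the standard values, everything else is constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Subsystem numbers (3GPP TS 23.003): the "port number" in the slide's analogy.
SSN_HLR, SSN_VLR, SSN_MSC = 6, 7, 8
# Numbering plans (Q.713): E.164 telephony, E.212 mobile (IMSI), E.214 mobile global title.
NP_E164, NP_E212, NP_E214 = 1, 6, 7
NAI_NATIONAL, NAI_INTERNATIONAL = 3, 4


@dataclass
class SccpAddress:
    route_on_gt: bool                 # False = route on point code + SSN
    ssn: Optional[int] = None
    pc: Optional[int] = None          # 14-bit ITU point code ("LAN IP")
    gt_digits: Optional[str] = None   # global title digits ("WAN IP")
    tt: int = 0                       # translation type
    np: int = NP_E164
    nai: int = NAI_INTERNATIONAL


def encode(addr: SccpAddress) -> bytes:
    """Serialise to the Q.713 Called/Calling Party Address parameter value."""
    gti = 4 if addr.gt_digits is not None else 0
    ai = ((0x00 if addr.route_on_gt else 0x40)      # bit 7: routing indicator
          | (gti << 2)                               # bits 3-6: GT indicator
          | (0x02 if addr.ssn is not None else 0)    # bit 2: SSN present
          | (0x01 if addr.pc is not None else 0))    # bit 1: point code present
    out = bytearray([ai])
    if addr.pc is not None:
        out += (addr.pc & 0x3FFF).to_bytes(2, "little")
    if addr.ssn is not None:
        out.append(addr.ssn)
    if gti == 4:
        digits = addr.gt_digits
        es = 1 if len(digits) % 2 else 2             # encoding scheme: BCD odd / BCD even
        out += bytes([addr.tt, (addr.np << 4) | es, addr.nai & 0x7F])
        padded = digits + "0" if es == 1 else digits  # filler nibble for odd digit counts
        for i in range(0, len(padded), 2):            # first digit in the low nibble
            out.append((int(padded[i + 1]) << 4) | int(padded[i]))
    return bytes(out)


def decode(data: bytes) -> SccpAddress:
    """Parse a Q.713 address parameter value (GT indicator 0 or 4 only)."""
    ai = data[0]
    route_on_gt = not (ai & 0x40)
    gti = (ai >> 2) & 0x0F
    pos = 1
    pc = ssn = gt = None
    tt, np, nai = 0, NP_E164, NAI_INTERNATIONAL
    if ai & 0x01:
        pc = int.from_bytes(data[pos:pos + 2], "little") & 0x3FFF
        pos += 2
    if ai & 0x02:
        ssn = data[pos]
        pos += 1
    if gti == 4:
        tt, np_es, nai = data[pos], data[pos + 1], data[pos + 2] & 0x7F
        np, es = np_es >> 4, np_es & 0x0F
        pos += 3
        digits = "".join(str(b & 0x0F) + str(b >> 4) for b in data[pos:])
        gt = digits[:-1] if es == 1 else digits
    elif gti != 0:
        raise ValueError(f"GT indicator {gti} not handled in this example")
    return SccpAddress(route_on_gt, ssn, pc, gt, tt, np, nai)


def routing_key(addr: SccpAddress) -> tuple:
    """What an STP actually looks at: the GT (translated via GTT) or PC + SSN."""
    if addr.route_on_gt:
        return ("GT", addr.gt_digits, addr.ssn)
    return ("PC", addr.pc, addr.ssn)


if __name__ == "__main__":
    # Constructed sample: a MAP message addressed to an HLR by global title.
    hlr = SccpAddress(route_on_gt=True, ssn=SSN_HLR, gt_digits="1234567890")
    raw = encode(hlr)
    print(raw.hex(), routing_key(decode(raw)))
    # Same idea inside one network: route on point code + SSN, no GT at all.
    msc = SccpAddress(route_on_gt=False, ssn=SSN_MSC, pc=0x1234)
    print(encode(msc).hex(), routing_key(decode(encode(msc))))
```

The point for the attack slides that follow: once a party has SS7 interconnect access, addressing another operator's HLR is nothing more than filling in its GT and SSN 6 in this structure, which is why the protection section talks about filtering by message type rather than expecting authentication at this layer.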

Where we can attack

• SCCP - Signalling Connection Control Part
• TCAP - Transaction Capabilities Application Part
• ISUP - ISDN User Part
• MAP - Mobile Application Part
• CAP - CAMEL Application Part
• INAP - Intelligent Network Application Part

Some Example of Attacks

• Purging the MS from the HLR (MAP purgeMS)
• Insert Subscriber Data
• Delete Subscriber Data
• Send Authentication Info flood
• Send Routing Info exposes the subscriber's IMSI
• Hostile Location Update
• Cancel Location (detaches the subscriber from its VLR)
• MAP ATI (Any Time Interrogation) exposes the subscriber's location

How to protect network

• Check whether the network is vulnerable to such attacks
– We have our own proprietary tool for doing the same
• Filter the messages that are not required, at point code level or at the STP
• Use an SS7 firewall / IDS
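An added example of the STP-level filtering the slide asks for (this is not the author's proprietary tool, which the talk does not show): a small rule engine over decoded MAP operations, keyed on the operation code and the SCCP calling party GT. The three groups follow the spirit of the GSMA FS.11 interconnect guidance, but the sets here are a subset chosen to cover the attacks listed above, not the full GSMA lists; the operator names, GT prefixes, IMSI prefixes and the one-hour plausibility window are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# MAP operation codes (3GPP TS 29.002) for the operations the attack slide mentions.
UPDATE_LOCATION = 2
CANCEL_LOCATION = 3
INSERT_SUBSCRIBER_DATA = 7
DELETE_SUBSCRIBER_DATA = 8
SEND_PARAMETERS = 9
SEND_ROUTING_INFO_FOR_SM = 45
SEND_AUTHENTICATION_INFO = 56
SEND_IMSI = 58
PURGE_MS = 67
PROVIDE_SUBSCRIBER_INFO = 70
ANY_TIME_INTERROGATION = 71

# Illustrative grouping (subset, chosen for this example):
#  - never legitimate from an interconnect partner, decidable from the opcode alone
#  - only legitimate from the home network of the subscriber (inbound roamer) it concerns
#  - legitimate from abroad, but only from a plausible location for that subscriber
CAT1_NEVER_FROM_INTERCONNECT = {ANY_TIME_INTERROGATION, SEND_IMSI, SEND_PARAMETERS}
CAT2_ONLY_FROM_ROAMER_HOME = {CANCEL_LOCATION, INSERT_SUBSCRIBER_DATA,
                              DELETE_SUBSCRIBER_DATA, PROVIDE_SUBSCRIBER_INFO}
CAT3_LOCATION_PLAUSIBILITY = {UPDATE_LOCATION, SEND_AUTHENTICATION_INFO}


@dataclass
class MapMessage:
    opcode: int
    calling_gt: str   # SCCP calling party GT: who claims to be sending it
    imsi: str         # subscriber the operation concerns
    ts: int           # arrival time in seconds


@dataclass
class RoamingState:
    network: str      # operator the last accepted location update came from
    ts: int


class Ss7Firewall:
    def __init__(self, home_network: str, gt_prefixes: Dict[str, str],
                 imsi_prefixes: Dict[str, str], min_hop_seconds: int = 3600):
        self.home = home_network
        self.gt_prefixes = gt_prefixes      # GT prefix -> operator (constructed table)
        self.imsi_prefixes = imsi_prefixes  # MCC+MNC -> operator (constructed table)
        self.min_hop = min_hop_seconds
        self.state: Dict[str, RoamingState] = {}

    @staticmethod
    def _longest(table: Dict[str, str], value: str) -> Optional[str]:
        best = max((p for p in table if value.startswith(p)), key=len, default=None)
        return table[best] if best else None

    def check(self, m: MapMessage) -> str:
        """Return ALLOW, BLOCK or ALERT for one inbound MAP operation."""
        sender = self._longest(self.gt_prefixes, m.calling_gt)
        if sender == self.home:
            return "ALLOW"          # internal traffic; this filter is about the interconnect
        if m.opcode in CAT1_NEVER_FROM_INTERCONNECT:
            return "BLOCK"          # ATI / sendIMSI style location and identity leaks
        if m.opcode in CAT2_ONLY_FROM_ROAMER_HOME:
            home = self._longest(self.imsi_prefixes, m.imsi)
            # ISD/DSD/cancelLocation against our own subscriber from abroad fails here
            return "ALLOW" if sender is not None and sender == home else "BLOCK"
        if m.opcode == PURGE_MS:
            prev = self.state.get(m.imsi)
            # only the VLR the subscriber is actually registered in may purge it
            return "ALLOW" if prev and prev.network == sender else "BLOCK"
        if m.opcode in CAT3_LOCATION_PLAUSIBILITY:
            if sender is None:
                return "BLOCK"      # unknown GT range, no roaming agreement
            prev = self.state.get(m.imsi)
            if prev and prev.network != sender and m.ts - prev.ts < self.min_hop:
                return "ALERT"      # hostile location update: moved operators too fast
            self.state[m.imsi] = RoamingState(sender, m.ts)
            return "ALLOW"
        return "ALLOW"              # everything else is a policy decision, default allow


if __name__ == "__main__":
    fw = Ss7Firewall("HomeTel",
                     {"91980": "HomeTel", "4917": "RoamDE", "3361": "RoamFR"},
                     {"40499": "HomeTel", "26201": "RoamDE", "20801": "RoamFR"})
    own = "404990001234567"          # constructed IMSI of one of our subscribers
    for msg in [MapMessage(ANY_TIME_INTERROGATION, "491700001", own, 0),
                MapMessage(INSERT_SUBSCRIBER_DATA, "491700001", own, 1),
                MapMessage(UPDATE_LOCATION, "491700001", own, 100),
                MapMessage(UPDATE_LOCATION, "336100001", own, 700)]:
        print(msg.opcode, msg.calling_gt, fw.check(msg))
```

The design choice worth noting is that the three groups need progressively more context: the first needs only the opcode, the second needs the IMSI to operator mapping, and the third needs per-subscriber state kept across messages, which is the part a plain message filter at the point code level cannot do and an SS7 firewall or IDS is for. Operations such as sendRoutingInfo that the slide lists as IMSI leaks are deliberately left on the default-allow path here; whether to block them at the interconnect is an operator policy question, not something the opcode alone decides.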

DEMO

Thanks

• Questions