LTE Pwnage Hacking HLR HSS and MME Core Network Elements
DESCRIPTION
Hacking HLR/HSS and MME Core Network Elements
TRANSCRIPT
-
5/26/2018 LTE Pwnage Hacking HLR HSS and MME Core Network Elements
1/119
LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements[...]urity
-
LTE ENVIRONMENT
-
LTE Network Overview
-
Corporate & Mobile Data ris[...]ulnerable?
Spear-Phis Very familiar architecture for attacker
-
2G 3G to LTE: Reality and Legacy
2G 3G LTE
BTS Node B eNode B
BSC merged into Node B merged into eNode B
MSC / VLR RNC MME, MSC Proxy
HLR HLR, IMS HSS, HE LTE SAE HSS, SDR/SDM
STP STP, SG Legacy STP
GGSN GGSN PDN GW
SGSN SGSN MME/SGW
IN IN/PCRF PCRF
RAN Firewall RAN Firewall SeGWC
-
LTE Network Attack Surface
Full IP only? No: full IP double exposure
Packets (PS Domain) 2x attack surface
GTP
-
3G and LTE together
RAN EPC
-
CSFB v
-
ISUP injection in SIP through VOLTE
Yet[...]Internet SIP + SS7 ISUP == SIP-I and SIP-T == ISUP Injection
Remote Core Network DoS
SS7 compromise
External signaling injection
Spoofing of ISUP messages
Fake billing
Ouch!
-
CSFB Attack surface through MSC Proxy
and SS7 + SIGTRAN
All SIGTRAN attack surface expo
-
Severity: Critical
Description: NGHLR SS7 stack software is not robust and suffers from Remote Denial of Service.
Impact: Enables any person sending malicious SCCP traffic to the HLR to crash it. This includes the whole international SS7 network as HLRs need always to be globally reachable.
P1vid#148 - https://saas.p1sec.com/vulns/148
Reliability for telco Ability to cope with X million of reque
-
GSM MAP primitive MAP_FORWARD_ACCESS_SIGNALLING
enables RAN
-
Fun Anti-foren
-
3G and LTE together
RAN EPC
-
Peer to Peer Radio Acce
-
LTE RAN Overview
[Figure: LTE RAN architecture diagram. Labels: LTE RAN, IP/Ethernet transport, X2, S1, S1 UP, S1 CP, Mul, SeGW, Evolved Packet Network (EPC), MME, SGW, OSS-RC, "Typically a common physical connection"]
-
Pwning OSS:
L2 network mis[...]ultiple overlapping /[...]
networks[...]utomate
From any eNodeB to the NMS
From any eNodeB to any eNodeB
You can bet on insecure provis[...]uration
-
eNodeB Hardware Attacks[...]unctional plane, no OAM
-
Add OAM: complexity explo
-
Auditor bias [...]3:
Manual vis[...]ually You CANNOT do it without
-
Pwning MME: Hardcoded encryption keys[...]upports and li
-
LTE EPC DNS
Same as IMS DNS but extended Supports and li
-
Pwning from LTE mobile
Infrastructure Revers[...]ure acce
-
Pwning from external:
Direct MML acce
-
Auditor bias [...]:
Te
-
Auditor bias [...]:
Tente
-
Technical Capacity & Knowledge i
-
Conclus[...]uipment Vendors are
-
THANKS!
SEE YOU AT:
HACKITO ERGO SUM - MAY 2-4 2013
-
BACKUP SLIDES
-
Interfaces[...]udit
Huawei LTE EPC Core Network audit & vulnerability re
-
LTE audit miles[...]udit MME S-GW & PDN GW HSS PCRF
[...] MBSS [...] Minimum Ba
-
INTERFACES
-
Interfaces[...]ue MME ID
GUMMEI = MNC + MCC + MMEI
MMEI = MMEGI + MMEC
MMEGI = MME Group ID
MMEC = MME Code
M-TMSI == MME TMSI
GPRS/UMTS P-TMSI -> LTE M-TMSI
S-TMSI = MMEC + M-TMSI
-
GUTI in Pictures[...]ut extended Supports[...]uter
-
Security implication
SCTP filtering to be generalized Benefit
SCTP is [...]config fir
-
Diameter Roaming
-
Security routing and filtering in Diameter
DSR Define routing & filtering rules[...]uture Diameter Routing & Filtering
-
Security & Vulnerability of EPC Roaming
Filtering even more important DSR filtering is not mature
GRX problems amplified Impact of the GRX/IPX/IMS/SAE EPC DNS infrastructure in Information Gathering
Unique Identifier leaks much ea
-
TESTING
-
Te
-
LTE Tes[...]urity tection te
-
Relations[...]ually prevent audit By limiting information By limiting acce
-
AUDITS
GTP
-
GTP
Endpoint di
-
X2AP Audit
Endpoint di
-
S1AP Audit
Endpoint di
-
LTE EPC DNS Audit
EPC DNS is important EPC DNS
-
ATTACKS
-
Us[...]uteforcing IP Segmentation acce
-
TOOLS
-
Bas[...]udit tools[...]ualization
-
Huawei ATCA v
-
Hard problem