SlideShare a Scribd company logo

Attacking GRX - GPRS Roaming eXchange

P
P1Security

GRX is the global private network where telecom network operators exchange GPRS roaming traffic of their users. It’s also used for all M2M networks where roaming is used, and that is the case from some company’s truck fleet management system down to intelligence GPS location spybug tracking system. GPRS has been there from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now quite widespread technology, along with its attacks. GRX has had a structuring role in the global telecom world at a time where IP dominance was beginning to be acknowledged. Now it has expanded to a lightweight structure using both IP technologies and ITU-originated protocols. In this presentation, we’ll see how this infrastructure is protected and how it can be attacked. We’ll discover the issues with specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see the implications of this with GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our engagements with vulnerability analysis, we’ve seen several vulnerabilities that we will be showing in this speech. We will demo some of the attacks on a simulated “PS Domain” network, that it the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also seem how automation enable us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.

Technology
1 of 46
Download to read offline
Attacking GRX Attacking The GPRS Roaming eXchange (GRX) Philippe.Langlois@p1sec.com V1.5
GPRS architecture •  “PS” Domain in context •  Successor to GSM 9600 baud modem (CSD or HSCSD) •  PDP context = GPRS session •  2G/3G: SGSN, GGSN •  4G: MGW, PDGW/PGW •  But also many more machines (LI, DNS, Billing…) •  GPRS backbone = GRX
Example: UPS management •  M2M example •  management of UPS •  Access the devices… •  And the management console too (Java, vulnerable) •  Usually on corporate network •  IP bastion or router
2G •  IP was new in telco •  Billing is a big issue in GPRS •  Many GGSNs •  SGSN & GGSN to CGF not shown •  Proxies, security filters not shown •  Typical of telco
GPRS Radio security in 2G •  Many GPRS implementations in clear text (Italy, Denmark) ! •  OsmocomBB with 4 receptors (and HW mod) http://bb.osmocom.org •  Radio encryption algorithm GEA1 and GEA2 broken •  By Karsten Nohl, Mate Soos, Sylvain Munaut •  At CCC Camp 2011 (August) •  Big state (1500 byte MTU), many known point in the equation system •  Linearization, gaussian solving, not even SAT solving
3G •  UMTS •  No open source hw receptor for 3G •  Only “client” access through USB dongles or 3G phones. •  GEA3 (Kasumi KLEN=64 bits) and GEA4 (Kasumi KLEN=128 bits)
GPRS uses cases •  APN •  internet •  mms •  *.corp APNs •  M2M APNs •  special APNs (OAM, billing, ...) •  Telco internal APNs !
Getting access: " The SIM card! •  Obtaining an anonymous SIM card for GPRS hacking •  Varying level of ID checking depending on the country •  Malaysia checks a lot (mandatory passport or ID) •  Thailand MNOs give them out for free at airport •  France doesn't check well anymore (MVNOs arrival) •  MVNOs check less •  Prepaid SIMs with no credit •  SIM roaming gives interesting results (billing, routing errors)
Buy second-hand ! •  Second hand hardware •  Guess what's still in it? •  SIM card! •  Old BB, Cheap PCMCIA cards •  Sometime in laptops •  Company gets rid of previous “mobility” fleet •  CUG access to network •  1 out of 3 equipment !
Typical GPRS hacking methods •  Now you’ve got your SIM then… •  APN bruteforcing (modem perspective) •  “In GPRS network” attack of peers / other client devices •  X25 GPRS network hunting •  Covert channels / unaccounted IP use •  “In GPRS network” attack of server devices •  GPS tracker M2M gives access to LEA management server !
In the beginning there was the APN •  Know parameters •  GPRS APN •  username + password •  Dial number •  More difficult parameters •  MSISDN / IMSI (hard), IN profile •  USSD setup (for example *136# on Maxis) •  These pipes are clean!
GPRS hacking from the air •  RFC1918 network, reach your peers •  Paris “Velib” M2M network •  Win based •  Worm ! •  Contaminated Velib stations over the air •  Enter GPRSdroid (automate!) •  It gets worse with MNOs…
Telco GPRS hacking •  A tale from Indonesia •  GPRS normal connection •  Lack of network segmentation from “Internet” •  Seize control of NSS / OAM and Routers (MPLS CE and PE) •  APN “mms” or “wap” •  Access to MMSC and other Core Network infrastructure •  Ports not firewalled •  Telecom Operators (MNO) lack proper automated tools to check network segmentation
But GPRS current " (recognized) major issue is... •  iodine ! •  Bills (CDR) generated on proxy •  Traffic possibly not billed (SGSN or GGSN CDR?) •  Why Telecom operators (MNO) are lagging so bad? •  Telecom Culture •  If it does not create costs, it’s not detected by Fraud Management Systems •  Contrast with previous, more severe problems
Toward IMS / 4G: Full IP Hint: a) SBC is not far away b) RTP is rarely inspected
Here comes GRX •  Your national network, from abroad. •  GPRS roaming •  Tunnels (GTP) •  One to one vs. one to many •  From SGSNs to GGSNs
What do Amsterdam and " Singapore share? •  NOPE! Not what you’re thinking! ? •  Inter GRX exchanges •  AMS-IX & Singapore Equinix •  No need to go there to access GRX •  Many companies operating on GRX (Comfone, Aicent, Synniverse, …)
GRX technologies •  GTP – GPRS Tunnelling Protocol •  DNS •  <APN>.mncYYY.mccZZZ.gprs! •  SFR in France : internet.010.208.gprs •  “Segmented” from the internet… right.
DNS - Do Not Share? •  Internet technology MADE FOR sharing •  Hard to split
GPRS Dialogue
A story of split DNS •  Of course it’s not a valid IANA TLD $ host -t ANY gprs.! Host gprs. not found: 3(NXDOMAIN)! •  “.gprs” is considered crown jewel, to be protected •  Direct connectivity to all SGSN and GGSN •  Big machines, one crash == thousands of disconnected •  Well… let’s try from inside a GPRS session?
And from inside? •  From a GPRS session, most of the time, same thing: $ host -t ANY gprs.! Host gprs. not found: 3(NXDOMAIN)! •  Some problem happens sometime (APN, IMSI, user/pw, ..) $ host -t ANY gprs.! gprs has SOA record dns1.GRXOPERATOR.com. info.GRXOPERATOR.com. 2 gprs has address 10.XX.20.1! gprs name server dns5.GRXOPERATOR.com.! •  W00t! •  Then the whole hierarchy is accessible •  Because you’re a SGSN!
Triple play, four way •  Access Networks •  GPRS APNs •  VoIP network (VLAN and MPLS plane) •  ADSL / FTTH network / IPTV •  WLANs ! (recent case, GAN) •  Customer traffic •  VLANs / MPLS planes everywhere, connecting to so many services •  DNS resolution •  Everything for the application, Network is considered "necessary evil, make it just work” •  Management cares only about new services roll out
Enter GRXdroid •  Bruteforce resolving of GPRS DNS (and more) •  Horrible UI for now (want to help? :-) But does the Job •  Soon on the Android market •  Send me an email, I’ll send you the APK •  Future •  APN automation? •  USSD?
When, not if •  Wait, wait, wait, win! •  Here comes the sentinel, a tale of an old finger trick •  Pentest from the 90s in Thailand •  DNSsentinel •  Keep trying till it succeeds •  Organization hack – one day, the service will suck •  And we’ll be there
Inside the GRX •  From DNS leaks to " route/packets leaks •  Firewalling issues •  You're a SGSN ! GTP to all " GGSNs •  SGSN should contact GGSN… filter? Anyone? •  Way too many services exposed •  From Solaris RPC down to SIGTRAN services (SS7! Wow!) •  MNO says: “Protect? Well, it’s restricted to operators right?”
Evolution of GRX: 3gppnetwork.org •  A bit like ENUM (cf. e164.arpa zone) but for Core Network •  Many different subdomains •  APN !<APN name>.apn.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org.! •  IMS !ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org.! •  SGSN !sgsnXXXX.mnc<MNC>.mcc<MCC>.3gppnetwork.org.! •  LTE EPC !epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org.! •  LTE MME !mmegiXXX.mme.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org.! •  Used for identities, many RAN / RAT User-Name = "1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org" ! •  Diameter enabled servers (scan for port 3868)
Getting the map ! $ORIGIN epc.mnc111.mcc222.3gppnetwork.org.! $TTL 1800! @ IN SOA ns root (! 1 ; Serial! 3600 ; Refresh! 30 ; Retry! 3600 ; Expire! 600 ) ; Negative Cache TTL! ! @ IN NS ns! ns IN A 4.4.4.4! ! Zone transfer powahh
Detailed… per protocol testapn1.apn IN NAPTR 10 10 "a" "x-3gpp-pgw:x-s5-gtp" "" serv.s5.pgw.north! testapn2.apn IN NAPTR 10 10 "a" "x-3gpp-pgw:x-s5-gtp" "" serv.s5.pgw.south! testapn3.apn IN NAPTR 10 10 "a" "x-3gpp-pgw:x-s5-gtp" "" serv.s5.pgw.east! testapn4.apn IN NAPTR 10 10 "a" "x-3gpp-pgw:x-s5-gtp" "" serv.s5.pgw.west! testapn.apn IN NAPTR 10 10 "s" "x-3gpp-pgw:x-s5-gtp" "" _nodes._pgw! tac-lb01.tac-hb00.tac IN NAPTR 10 10 "s" "x-3gpp-sgw:x-s5-gtp" "" _sgw._north! tac-lb02.tac-hb00.tac IN NAPTR 10 10 "s" "x-3gpp-sgw:x-s5-gtp" "" _sgw._south! tac-lb03.tac-hb00.tac IN NAPTR 10 10 "s" "x-3gpp-sgw:x-s5-gtp" "" _sgw._east! tac-lb04.tac-hb00.tac IN NAPTR 10 10 "s" "x-3gpp-sgw:x-s5-gtp" "" _sgw._west! _nodes._pgw 1800 IN SRV 10 10 2123 serv.s5.pgw.north! [...]! _nodes._pgw 1800 IN SRV 10 10 2123 serv.s5.pgw.west! _sgw._north 1800 IN SRV 10 10 2123 serv.s5.sgw.north! [...]! _sgw._south 1800 IN SRV 20 10 2123 serv.s5.sgw.north! [...]! _sgw._south 1800 IN SRV 20 10 2123 serv.s5.sgw.west! _sgw._east 1800 IN SRV 20 10 2123 serv.s5.sgw.south! _sgw._west 1800 IN SRV 20 10 2123 serv.s5.sgw.north! [...]! _sgw._west 1800 IN SRV 10 10 2123 serv.s5.sgw.west!
NOW WE HAVE THE MAP, WHAT CAN WE DO?
First, GTP basics •  From SGSN (client) •  To GGSN (server) •  Many “commands” " possible in Message Type •  Extended a lot •  GTP v0 •  GTP v1 •  GTP v2
GTP scanning in GRX •  Daniel Mende did it on the Internet, here is GRX MNO •  Way too many open GTP service on the Internet •  Higher ratio on GRX of course •  Easily scanned with GTP Echo Request •  UDP ports 2123, 2152, 3386, Super fast positive scanning
GTP in GTP attack GRX MNO •  Free Internet surfing •  Access directly the GGSN from another GGSN •  Not supposed to happen… but happens! •  Just use sgsnemu / OpenGGSN to create new interface and route your traffic through it •  Sometime, GTP in GTP is not supported by GGSN… at all •  Crash and unavailability •  Super fast scanning on GRX: covers the whole planet!
GPRS CUG accesses attacks GRX MNO •  CUG = Closed User Group •  At GTP level, you’re either a SGSN or GGSN •  Since you are a SGSN (client), you control •  APN you’re going to use for the tunnel and •  MSISDN / IMSI you are impersonating. •  CUG are based on these parameters •  Bank networks, Operator networks, Administration, etc… •  Straight from the Net or from an existing PDP with unfiltered GGSN GTP ports.
GTP Tunnel disconnection " DoS attack GRX MNO •  TEID bruteforce •  Disconnect Message Type (Delete Session Request. Delete PDP, …) + spoof SGSN (really?) •  2^32 would be a problem… if TEID were not sequential :-) [...]! 00 00 17 04 Delete PDP Context: Request Accepted! 00 00 17 44 Delete PDP Context: Request Accepted! 00 00 17 A1 Delete PDP Context: Request Accepted! 00 00 17 BF Delete PDP Context: Request Accepted! 00 00 17 D8 Delete PDP Context: Request Accepted! 00 00 17 E8 Delete PDP Context: Request Accepted! [...]!
Fake charging attacks •  Normal GTP 2 traffic GRX MNO •  But with Charging ID and Charging GW (CGF) address specified •  Creates fake CDRs (Call Detail Records or Charging Data Records) for any customer •  Not necessary to get free connection anyway :-)
GRX Subscriber Information Leak GRX MNO •  SGSN and GGSN need to communicate with many Network Elements in 3G and 4G networks •  GTP v2 enables many requests to these equipment directly over GTP. •  Think “HLR Request” over UDP •  No authentication •  Much more available than an SS7 interconnection :-) •  And you’re GLOBAL ! Thanks GRX. That is, any operator in the world that is connected to any GRX.
Relocation Cancel attack •  Basically tell one SGSN that the user it is serving should come back to you •  User is effectively disconnected (or hangs), no more packets. •  Targer user by IMSI •  But you already got that by the Info leak of previous attack GRX MNO •  Shoule be Intra-operator, but does work over GRX!
GGSN DoS attack GRX MNO •  Another magic packet •  “Oh, I’m a bit congested and about to crash, it would be good for you to relocate to another GGSN to continue your service” •  Result: GGSN deserted, users don’t get any other GGSN, users loose service. •  Per APN impact (i.e. “internet” or “*.corp”) •  Exercise to the ****er
SGSN DoS attack - Ouch GRX MNO •  More rare because by their nature (client), SGSN are " rarely reachable through IP •  Same attack as previous (Hey, you should really switch to another node, this one is going down) •  Much more impact: •  Targets a region rather than a network, •  Repeat on GRX == Disconnect many countries •  Both these are caused by “evolved GTP” i.e. GTP on LTE Advanced networks.
A tube in a tube in a tube •  Air -> GTP -> SIGTRAN M3UA SCTP -> SS7 GRX MNO •  Oh My Goat, SS7 from the GPRS network •  Script: 1) Connect to APN 2) Scan for SCTP M3UA (port 2905) 3) Establish M3UA connection to say 10.27.1.30 4) Send SS7 over GPRS ;-) for example, SSP (SubSystem Prohibited) or MSC Reset !!! (disconnect all users from MSC) •  It’s Core Network access from GRX !
As an operator: Protecting " your GRX connection •  Filter smartly your GGSN •  Beware of spaghetti tunnel (i.e. tunnel in a tunnel, tunnel chainings, ...) •  Hard, even impossible to predict routing and filtering results (GTP + GRE + MPLS + VLAN + Filtering + Routing + Load Balancing + HA + Multihoming) •  You need to TEST ! •  You are responsible of all entries on GRX through your GRX interconnection!
Go massive •  “A tube in a tube in a tube” •  With many access network technologies •  Very difficult to get right •  To test •  To protect •  Automation is key! •  10 000 hosts to scan, reliably, without causing crash •  LTE fuzzing story and size/breadth of network
GRX: In the end, the customer •  Banks, Transportation, Smart grid, smart meters •  Worm on the CUG? •  Bills of the other side of the planet •  Nice little global network •  Globally accessible with the right APN and GTP tunneling •  Consequences •  Operators security maturity, security is not for Internet only •  India DoT leading the way in telecom regulation: $11M fine, license kill
Questions? Or join us for the workshop Send email for the APKs Hackito Ergo Sum, Paris, 12-14 April 2012.
THANK YOU! Philippe.Langlois@p1sec.com

Recommended

Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsP1Security
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Alejandro Corletti Estrada
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 networkAlexandre De Oliveira
 
Initial LTE call Setup Flow
Initial LTE call Setup FlowInitial LTE call Setup Flow
Initial LTE call Setup Flowassinha
 
Evolution of Core Networks
Evolution of Core NetworksEvolution of Core Networks
Evolution of Core NetworksSarp Köksal
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
IMS + VoLTE Overview
IMS + VoLTE OverviewIMS + VoLTE Overview
IMS + VoLTE OverviewHamidreza Bolhasani
 
VoLTE flows - basics
VoLTE flows - basicsVoLTE flows - basics
VoLTE flows - basicsKarel Berkovec
 

Recommended

Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsP1Security
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Alejandro Corletti Estrada
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 networkAlexandre De Oliveira
 
Initial LTE call Setup Flow
Initial LTE call Setup FlowInitial LTE call Setup Flow
Initial LTE call Setup Flowassinha
 
Evolution of Core Networks
Evolution of Core NetworksEvolution of Core Networks
Evolution of Core NetworksSarp Köksal
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
IMS + VoLTE Overview
IMS + VoLTE OverviewIMS + VoLTE Overview
IMS + VoLTE OverviewHamidreza Bolhasani
 
VoLTE flows - basics
VoLTE flows - basicsVoLTE flows - basics
VoLTE flows - basicsKarel Berkovec
 
VoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVikas Shokeen
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
 
volte ims network architecture
volte ims network architecturevolte ims network architecture
volte ims network architectureVikas Shokeen
 
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...Vikas Shokeen
 
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core NetworkHamidreza Bolhasani
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityP1Security
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisP1Security
 
VoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack ExplainedVoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack ExplainedVikas Shokeen
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
 
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...Vikas Shokeen
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetPositive Hack Days
 
Csfb (circuit switch fall back)
Csfb (circuit switch fall back)Csfb (circuit switch fall back)
Csfb (circuit switch fall back)Rishi Mahajan
 
volte ims network architecture tutorial - Explained
volte ims network architecture tutorial - Explained volte ims network architecture tutorial - Explained
volte ims network architecture tutorial - Explained Vikas Shokeen
 
ims registration call flow procedure volte sip
ims registration call flow procedure volte sipims registration call flow procedure volte sip
ims registration call flow procedure volte sipVikas Shokeen
 
IMS Core Elements
IMS Core ElementsIMS Core Elements
IMS Core ElementsKent Loh
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS networkKarel Berkovec
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...DefCamp
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondPositiveTechnologies
 
Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)Hamidreza Bolhasani
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li Inmhaviv
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksOmer Coskun
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikPositive Hack Days
 

More Related Content

What's hot

VoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVikas Shokeen
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
 
volte ims network architecture
volte ims network architecturevolte ims network architecture
volte ims network architectureVikas Shokeen
 
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...Vikas Shokeen
 
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core NetworkHamidreza Bolhasani
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityP1Security
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisP1Security
 
VoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack ExplainedVoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack ExplainedVikas Shokeen
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
 
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...Vikas Shokeen
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetPositive Hack Days
 
Csfb (circuit switch fall back)
Csfb (circuit switch fall back)Csfb (circuit switch fall back)
Csfb (circuit switch fall back)Rishi Mahajan
 
volte ims network architecture tutorial - Explained
volte ims network architecture tutorial - Explained volte ims network architecture tutorial - Explained
volte ims network architecture tutorial - Explained Vikas Shokeen
 
ims registration call flow procedure volte sip
ims registration call flow procedure volte sipims registration call flow procedure volte sip
ims registration call flow procedure volte sipVikas Shokeen
 
IMS Core Elements
IMS Core ElementsIMS Core Elements
IMS Core ElementsKent Loh
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS networkKarel Berkovec
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...DefCamp
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondPositiveTechnologies
 
Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)Hamidreza Bolhasani
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li Inmhaviv
 

What's hot (20)

VoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS Stack
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
 
volte ims network architecture
volte ims network architecturevolte ims network architecture
volte ims network architecture
 
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
 
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
 
VoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack ExplainedVoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack Explained
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOs
 
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
 
Csfb (circuit switch fall back)
Csfb (circuit switch fall back)Csfb (circuit switch fall back)
Csfb (circuit switch fall back)
 
volte ims network architecture tutorial - Explained
volte ims network architecture tutorial - Explained volte ims network architecture tutorial - Explained
volte ims network architecture tutorial - Explained
 
ims registration call flow procedure volte sip
ims registration call flow procedure volte sipims registration call flow procedure volte sip
ims registration call flow procedure volte sip
 
IMS Core Elements
IMS Core ElementsIMS Core Elements
IMS Core Elements
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS network
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
 
Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)Mobile Networks Architecture and Security (2G to 5G)
Mobile Networks Architecture and Security (2G to 5G)
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li In
 

Viewers also liked

InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksOmer Coskun
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikPositive Hack Days
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Positive Hack Days
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksJim Geovedi
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?Stephen Kho
 

Viewers also liked (6)

InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?
 

Similar to Attacking GRX - GPRS Roaming eXchange

Don Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesSource Conference
 
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...DefconRussia
 
Data Packet Evolution - Mobinil
Data Packet Evolution - MobinilData Packet Evolution - Mobinil
Data Packet Evolution - MobinilMohamed Sahl
 
A million little tracking devices - Don Bailey
A million little tracking devices - Don BaileyA million little tracking devices - Don Bailey
A million little tracking devices - Don Baileyidsecconf
 
Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AlivePositive Hack Days
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveDefconRussia
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay aliveqqlan
 
Multimax HSPA+ Dual Port M2M Router - Maxon Solutions
Multimax HSPA+ Dual Port M2M Router - Maxon SolutionsMultimax HSPA+ Dual Port M2M Router - Maxon Solutions
Multimax HSPA+ Dual Port M2M Router - Maxon SolutionsMaxon Data Communications
 
Internet 101
Internet 101Internet 101
Internet 101lzeltzer
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & TroubleshootingAPNIC
 
100G Networking Berlin.pdf
100G Networking Berlin.pdf100G Networking Berlin.pdf
100G Networking Berlin.pdfJunZhao68
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesDon Anto
 
High performace network of Cloud Native Taiwan User Group
High performace network of Cloud Native Taiwan User GroupHigh performace network of Cloud Native Taiwan User Group
High performace network of Cloud Native Taiwan User GroupHungWei Chiu
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 

Similar to Attacking GRX - GPRS Roaming eXchange (20)

Don Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking Devices
 
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
 
Data Packet Evolution - Mobinil
Data Packet Evolution - MobinilData Packet Evolution - Mobinil
Data Packet Evolution - Mobinil
 
A million little tracking devices - Don Bailey
A million little tracking devices - Don BaileyA million little tracking devices - Don Bailey
A million little tracking devices - Don Bailey
 
Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
100 M pps on PC.
100 M pps on PC.100 M pps on PC.
100 M pps on PC.
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay alive
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
 
Multimax HSPA+ Dual Port M2M Router - Maxon Solutions
Multimax HSPA+ Dual Port M2M Router - Maxon SolutionsMultimax HSPA+ Dual Port M2M Router - Maxon Solutions
Multimax HSPA+ Dual Port M2M Router - Maxon Solutions
 
Internet 101
Internet 101Internet 101
Internet 101
 
Telecom seminar
Telecom seminarTelecom seminar
Telecom seminar
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
4G Introduction
4G Introduction4G Introduction
4G Introduction
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
 
100G Networking Berlin.pdf
100G Networking Berlin.pdf100G Networking Berlin.pdf
100G Networking Berlin.pdf
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & Securities
 
High performace network of Cloud Native Taiwan User Group
High performace network of Cloud Native Taiwan User GroupHigh performace network of Cloud Native Taiwan User Group
High performace network of Cloud Native Taiwan User Group
 
LTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GPLTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GP
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 

Recently uploaded

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

Attacking GRX - GPRS Roaming eXchange

  • 1. Attacking GRX Attacking The GPRS Roaming eXchange (GRX) Philippe.Langlois@p1sec.com V1.5
  • 2. GPRS architecture •  “PS” Domain in context •  Successor to GSM 9600 baud modem (CSD or HSCSD) •  PDP context = GPRS session •  2G/3G: SGSN, GGSN •  4G: MGW, PDGW/PGW •  But also many more machines (LI, DNS, Billing…) •  GPRS backbone = GRX
  • 3. Example: UPS management •  M2M example •  management of UPS •  Access the devices… •  And the management console too (Java, vulnerable) •  Usually on corporate network •  IP bastion or router
  • 4. 2G •  IP was new in telco •  Billing is a big issue in GPRS •  Many GGSNs •  SGSN & GGSN to CGF not shown •  Proxies, security filters not shown •  Typical of telco
  • 5. GPRS Radio security in 2G •  Many GPRS implementations in clear text (Italy, Denmark) ! •  OsmocomBB with 4 receptors (and HW mod) http://bb.osmocom.org •  Radio encryption algorithm GEA1 and GEA2 broken •  By Karsten Nohl, Mate Soos, Sylvain Munaut •  At CCC Camp 2011 (August) •  Big state (1500 byte MTU), many known point in the equation system •  Linearization, gaussian solving, not even SAT solving
  • 6. 3G •  UMTS •  No open source hw receptor for 3G •  Only “client” access through USB dongles or 3G phones. •  GEA3 (Kasumi KLEN=64 bits) and GEA4 (Kasumi KLEN=128 bits)
  • 7. GPRS uses cases •  APN •  internet •  mms •  *.corp APNs •  M2M APNs •  special APNs (OAM, billing, ...) •  Telco internal APNs !
  • 8. Getting access: " The SIM card! •  Obtaining an anonymous SIM card for GPRS hacking •  Varying level of ID checking depending on the country •  Malaysia checks a lot (mandatory passport or ID) •  Thailand MNOs give them out for free at airport •  France doesn't check well anymore (MVNOs arrival) •  MVNOs check less •  Prepaid SIMs with no credit •  SIM roaming gives interesting results (billing, routing errors)
  • 9. Buy second-hand ! •  Second hand hardware •  Guess what's still in it? •  SIM card! •  Old BB, Cheap PCMCIA cards •  Sometime in laptops •  Company gets rid of previous “mobility” fleet •  CUG access to network •  1 out of 3 equipment !
  • 10. Typical GPRS hacking methods •  Now you’ve got your SIM then… •  APN bruteforcing (modem perspective) •  “In GPRS network” attack of peers / other client devices •  X25 GPRS network hunting •  Covert channels / unaccounted IP use •  “In GPRS network” attack of server devices •  GPS tracker M2M gives access to LEA management server !
  • 11. In the beginning there was the APN •  Know parameters •  GPRS APN •  username + password •  Dial number •  More difficult parameters •  MSISDN / IMSI (hard), IN profile •  USSD setup (for example *136# on Maxis) •  These pipes are clean!
  • 12. GPRS hacking from the air •  RFC1918 network, reach your peers •  Paris “Velib” M2M network •  Win based •  Worm ! •  Contaminated Velib stations over the air •  Enter GPRSdroid (automate!) •  It gets worse with MNOs…
  • 13. Telco GPRS hacking •  A tale from Indonesia •  GPRS normal connection •  Lack of network segmentation from “Internet” •  Seize control of NSS / OAM and Routers (MPLS CE and PE) •  APN “mms” or “wap” •  Access to MMSC and other Core Network infrastructure •  Ports not firewalled •  Telecom Operators (MNO) lack proper automated tools to check network segmentation
  • 14. But GPRS current " (recognized) major issue is... •  iodine ! •  Bills (CDR) generated on proxy •  Traffic possibly not billed (SGSN or GGSN CDR?) •  Why Telecom operators (MNO) are lagging so bad? •  Telecom Culture •  If it does not create costs, it’s not detected by Fraud Management Systems •  Contrast with previous, more severe problems
  • 15. Toward IMS / 4G: Full IP Hint: a) SBC is not far away b) RTP is rarely inspected
  • 16. Here comes GRX •  Your national network, from abroad. •  GPRS roaming •  Tunnels (GTP) •  One to one vs. one to many •  From SGSNs to GGSNs
  • 17. What do Amsterdam and " Singapore share? •  NOPE! Not what you’re thinking! ? •  Inter GRX exchanges •  AMS-IX & Singapore Equinix •  No need to go there to access GRX •  Many companies operating on GRX (Comfone, Aicent, Synniverse, …)
  • 18. GRX technologies •  GTP – GPRS Tunnelling Protocol •  DNS •  <APN>.mncYYY.mccZZZ.gprs! •  SFR in France : internet.010.208.gprs •  “Segmented” from the internet… right.
  • 19. DNS - Do Not Share? •  Internet technology MADE FOR sharing •  Hard to split
  • 21. A story of split DNS •  Of course it’s not a valid IANA TLD $ host -t ANY gprs.! Host gprs. not found: 3(NXDOMAIN)! •  “.gprs” is considered crown jewel, to be protected •  Direct connectivity to all SGSN and GGSN •  Big machines, one crash == thousands of disconnected •  Well… let’s try from inside a GPRS session?
  • 22. And from inside? •  From a GPRS session, most of the time, same thing: $ host -t ANY gprs.! Host gprs. not found: 3(NXDOMAIN)! •  Some problem happens sometime (APN, IMSI, user/pw, ..) $ host -t ANY gprs.! gprs has SOA record dns1.GRXOPERATOR.com. info.GRXOPERATOR.com. 2 gprs has address 10.XX.20.1! gprs name server dns5.GRXOPERATOR.com.! •  W00t! •  Then the whole hierarchy is accessible •  Because you’re a SGSN!
  • 23. Triple play, four way •  Access Networks •  GPRS APNs •  VoIP network (VLAN and MPLS plane) •  ADSL / FTTH network / IPTV •  WLANs ! (recent case, GAN) •  Customer traffic •  VLANs / MPLS planes everywhere, connecting to so many services •  DNS resolution •  Everything for the application, Network is considered "necessary evil, make it just work” •  Management cares only about new services roll out
  • 24. Enter GRXdroid •  Bruteforce resolving of GPRS DNS (and more) •  Horrible UI for now (want to help? :-) But does the Job •  Soon on the Android market •  Send me an email, I’ll send you the APK •  Future •  APN automation? •  USSD?
  • 25. When, not if •  Wait, wait, wait, win! •  Here comes the sentinel, a tale of an old finger trick •  Pentest from the 90s in Thailand •  DNSsentinel •  Keep trying till it succeeds •  Organization hack – one day, the service will suck •  And we’ll be there
  • 26. Inside the GRX •  From DNS leaks to " route/packets leaks •  Firewalling issues •  You're a SGSN ! GTP to all " GGSNs •  SGSN should contact GGSN… filter? Anyone? •  Way too many services exposed •  From Solaris RPC down to SIGTRAN services (SS7! Wow!) •  MNO says: “Protect? Well, it’s restricted to operators right?”
  • 27. Evolution of GRX: 3gppnetwork.org •  A bit like ENUM (cf. e164.arpa zone) but for Core Network •  Many different subdomains •  APN !<APN name>.apn.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org.! •  IMS !ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org.! •  SGSN !sgsnXXXX.mnc<MNC>.mcc<MCC>.3gppnetwork.org.! •  LTE EPC !epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org.! •  LTE MME !mmegiXXX.mme.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org.! •  Used for identities, many RAN / RAT User-Name = "1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org" ! •  Diameter enabled servers (scan for port 3868)
  • 28. Getting the map ! $ORIGIN epc.mnc111.mcc222.3gppnetwork.org.! $TTL 1800! @ IN SOA ns root (! 1 ; Serial! 3600 ; Refresh! 30 ; Retry! 3600 ; Expire! 600 ) ; Negative Cache TTL! ! @ IN NS ns! ns IN A 4.4.4.4! ! Zone transfer powahh
  • 29. Detailed… per protocol testapn1.apn IN NAPTR 10 10 "a" "x-3gpp-pgw:x-s5-gtp" "" serv.s5.pgw.north! testapn2.apn IN NAPTR 10 10 "a" "x-3gpp-pgw:x-s5-gtp" "" serv.s5.pgw.south! testapn3.apn IN NAPTR 10 10 "a" "x-3gpp-pgw:x-s5-gtp" "" serv.s5.pgw.east! testapn4.apn IN NAPTR 10 10 "a" "x-3gpp-pgw:x-s5-gtp" "" serv.s5.pgw.west! testapn.apn IN NAPTR 10 10 "s" "x-3gpp-pgw:x-s5-gtp" "" _nodes._pgw! tac-lb01.tac-hb00.tac IN NAPTR 10 10 "s" "x-3gpp-sgw:x-s5-gtp" "" _sgw._north! tac-lb02.tac-hb00.tac IN NAPTR 10 10 "s" "x-3gpp-sgw:x-s5-gtp" "" _sgw._south! tac-lb03.tac-hb00.tac IN NAPTR 10 10 "s" "x-3gpp-sgw:x-s5-gtp" "" _sgw._east! tac-lb04.tac-hb00.tac IN NAPTR 10 10 "s" "x-3gpp-sgw:x-s5-gtp" "" _sgw._west! _nodes._pgw 1800 IN SRV 10 10 2123 serv.s5.pgw.north! [...]! _nodes._pgw 1800 IN SRV 10 10 2123 serv.s5.pgw.west! _sgw._north 1800 IN SRV 10 10 2123 serv.s5.sgw.north! [...]! _sgw._south 1800 IN SRV 20 10 2123 serv.s5.sgw.north! [...]! _sgw._south 1800 IN SRV 20 10 2123 serv.s5.sgw.west! _sgw._east 1800 IN SRV 20 10 2123 serv.s5.sgw.south! _sgw._west 1800 IN SRV 20 10 2123 serv.s5.sgw.north! [...]! _sgw._west 1800 IN SRV 10 10 2123 serv.s5.sgw.west!
  • 30. NOW WE HAVE THE MAP, WHAT CAN WE DO?
  • 31. First, GTP basics •  From SGSN (client) •  To GGSN (server) •  Many “commands” " possible in Message Type •  Extended a lot •  GTP v0 •  GTP v1 •  GTP v2
  • 32. GTP scanning in GRX •  Daniel Mende did it on the Internet, here is GRX MNO •  Way too many open GTP service on the Internet •  Higher ratio on GRX of course •  Easily scanned with GTP Echo Request •  UDP ports 2123, 2152, 3386, Super fast positive scanning
  • 33. GTP in GTP attack GRX MNO •  Free Internet surfing •  Access directly the GGSN from another GGSN •  Not supposed to happen… but happens! •  Just use sgsnemu / OpenGGSN to create new interface and route your traffic through it •  Sometime, GTP in GTP is not supported by GGSN… at all •  Crash and unavailability •  Super fast scanning on GRX: covers the whole planet!
  • 34. GPRS CUG accesses attacks GRX MNO •  CUG = Closed User Group •  At GTP level, you’re either a SGSN or GGSN •  Since you are a SGSN (client), you control •  APN you’re going to use for the tunnel and •  MSISDN / IMSI you are impersonating. •  CUG are based on these parameters •  Bank networks, Operator networks, Administration, etc… •  Straight from the Net or from an existing PDP with unfiltered GGSN GTP ports.
  • 35. GTP Tunnel disconnection " DoS attack GRX MNO •  TEID bruteforce •  Disconnect Message Type (Delete Session Request. Delete PDP, …) + spoof SGSN (really?) •  2^32 would be a problem… if TEID were not sequential :-) [...]! 00 00 17 04 Delete PDP Context: Request Accepted! 00 00 17 44 Delete PDP Context: Request Accepted! 00 00 17 A1 Delete PDP Context: Request Accepted! 00 00 17 BF Delete PDP Context: Request Accepted! 00 00 17 D8 Delete PDP Context: Request Accepted! 00 00 17 E8 Delete PDP Context: Request Accepted! [...]!
  • 36. Fake charging attacks •  Normal GTP 2 traffic GRX MNO •  But with Charging ID and Charging GW (CGF) address specified •  Creates fake CDRs (Call Detail Records or Charging Data Records) for any customer •  Not necessary to get free connection anyway :-)
  • 37. GRX Subscriber Information Leak GRX MNO •  SGSN and GGSN need to communicate with many Network Elements in 3G and 4G networks •  GTP v2 enables many requests to these equipment directly over GTP. •  Think “HLR Request” over UDP •  No authentication •  Much more available than an SS7 interconnection :-) •  And you’re GLOBAL ! Thanks GRX. That is, any operator in the world that is connected to any GRX.
  • 38. Relocation Cancel attack •  Basically tell one SGSN that the user it is serving should come back to you •  User is effectively disconnected (or hangs), no more packets. •  Targer user by IMSI •  But you already got that by the Info leak of previous attack GRX MNO •  Shoule be Intra-operator, but does work over GRX!
  • 39. GGSN DoS attack GRX MNO •  Another magic packet •  “Oh, I’m a bit congested and about to crash, it would be good for you to relocate to another GGSN to continue your service” •  Result: GGSN deserted, users don’t get any other GGSN, users loose service. •  Per APN impact (i.e. “internet” or “*.corp”) •  Exercise to the ****er
  • 40. SGSN DoS attack - Ouch GRX MNO •  More rare because by their nature (client), SGSN are " rarely reachable through IP •  Same attack as previous (Hey, you should really switch to another node, this one is going down) •  Much more impact: •  Targets a region rather than a network, •  Repeat on GRX == Disconnect many countries •  Both these are caused by “evolved GTP” i.e. GTP on LTE Advanced networks.
  • 41. A tube in a tube in a tube •  Air -> GTP -> SIGTRAN M3UA SCTP -> SS7 GRX MNO •  Oh My Goat, SS7 from the GPRS network •  Script: 1) Connect to APN 2) Scan for SCTP M3UA (port 2905) 3) Establish M3UA connection to say 10.27.1.30 4) Send SS7 over GPRS ;-) for example, SSP (SubSystem Prohibited) or MSC Reset !!! (disconnect all users from MSC) •  It’s Core Network access from GRX !
  • 42. As an operator: Protecting " your GRX connection •  Filter smartly your GGSN •  Beware of spaghetti tunnel (i.e. tunnel in a tunnel, tunnel chainings, ...) •  Hard, even impossible to predict routing and filtering results (GTP + GRE + MPLS + VLAN + Filtering + Routing + Load Balancing + HA + Multihoming) •  You need to TEST ! •  You are responsible of all entries on GRX through your GRX interconnection!
  • 43. Go massive •  “A tube in a tube in a tube” •  With many access network technologies •  Very difficult to get right •  To test •  To protect •  Automation is key! •  10 000 hosts to scan, reliably, without causing crash •  LTE fuzzing story and size/breadth of network
  • 44. GRX: In the end, the customer •  Banks, Transportation, Smart grid, smart meters •  Worm on the CUG? •  Bills of the other side of the planet •  Nice little global network •  Globally accessible with the right APN and GTP tunneling •  Consequences •  Operators security maturity, security is not for Internet only •  India DoT leading the way in telecom regulation: $11M fine, license kill
  • 45. Questions? Or join us for the workshop Send email for the APKs Hackito Ergo Sum, Paris, 12-14 April 2012.