“Telecom Security Issues”
An overview of Key Threats & Actors, Case 
           Studies and Possible Scenarios
                    Raoul Chiesa, UNICRI
             Club Hack Conference, Pune
                     December 4th, 2010
Disclaimer
●   The information contained within this presentation does not infringe on any intellectual property nor does it contain tools or recipes that could be in breach of known Indian laws (is there any lawyer in the room btw? ;)

●   Quoted trademarks belong to their registered owners.

●   The views expressed are those of the author and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group).
The speaker – Raoul “nobody” Chiesa
• On the underground scene since 1986
• Senior Advisor on cybercrime at the United Nations (UNICRI)
• ENISA PSG Member (2010‐2012)
• Founder, @ Mediaservice.net – Independent Security Advisory Company and @ PSS – a Digital Forensics Company
• Founder, Board of Directors at: CLUSIT (Italian Information Security Association), ISECOM, OWASP Italian Chapter
• TSTF.net Associated Member
• Member: ICANN, OPSI/AIP, EAST
About UNICRI
                        What is UNICRI?

United Nations Interregional Crime & Justice Research Institute

A United Nations entity established in 1968 to support countries worldwide
in crime prevention and criminal justice

UNICRI carries out applied research, training, technical cooperation and
documentation / information activities

UNICRI disseminates information and maintains contacts with professionals
and experts worldwide

Counter Human Trafficking and Emerging Crimes Unit: cyber crimes,
counterfeiting, environmental crimes, trafficking in stolen works of art…
About ENISA
                                 What is ENISA?
• European Network & Information Security Agency
• ENISA is the EU’s response to security issues of the European Union
• “Securing Europe's Information Society” is our motto (27 Member States)
• In order to accomplish our mission, we work with EU Institutions and Member States
• ENISA came into being following the adoption of Regulation (EC) No 460/2004 of the European Parliament and of the Council on 10 March 2004. Operations started in September 2005, after moving from Brussels to Crete, and with the arrival of staff that were recruited through EU25‐wide competitions with candidates coming from all over Europe.
• ENISA is helping the European Commission, the Member States and the business
community to address, respond and especially to prevent Network and Information Security
problems.
• The Agency also assists the European Commission in the technical preparatory work for
updating and developing Community legislation in the field of Network and Information
Security.
• I’m a Member of ENISA’s PSG – Permanent Stakeholders Group.
About TSTF.net
• We are a think‐tank established more than 10 years ago.
• We (the team members) have all known each other since the 80’s.
• Some names: Emmanuel Gadaix, Philippe Langlois, Stavroula “Venix” Ventouri, Fyodor Yarochkin (xprobe2), ….
• All of us have pentested/audited more than 120 phone operators all over the world.
• Huge experience, no sales pitches: we know our stuff.
• Built the very first open‐source SS7 Scanner (SCTP).
• Doing R&D every day, every hour, every single minute ;)
More on TSTF.net
Who’s who
  35 years combined GSM telecommunications experience;
  50 years combined information security experience;
  A unique view on telco security – nobody else does it;
  Active research (papers, tools, forums);
  Experience in Europe, Asia, USA;
  Self‐funded, no business cunts running it, no VCs.
Networked structure
  Structure similar to the Global Business Network 
  (http://www.gbn.org/);
  No central office, global coverage;
  Leverage on each individual's skills and services;
  Leverage on network effect.
Our experiences (excerpt, 1999‐2004)
 (obviously, we’ve got much MORE ☺)
 1999: GSM Internet Data Access Penetration Tests
 2000: GPRS Internet Data Access Penetration Tests
 2000/2004: L.I.S./L.I.G. Security Audits on a +15 MLN subscribers
 2000: SMS Spoofing PoC & Security Consulting
 2001: Dealers’ shops Abuse Security Testing;
 2001: SMSC Ethical Hacking Test
 2001: SAP environments Security Audit
 2001‐2004: VAS Security Audits and Pen‐testings
 2001‐2004: xIDS and Firewall tuning and configurations review
 2002/2003: Wireless Penetration Tests on HQ and main branches (+10 MLN subscribers; +15 MLN subscribers)
 2002: Wireless Security Policy (private and public hot‐spots)
 2003: Portals Web Applications Security Testing (various tests on the applications developed for the subscribers)
 2003: Billing gateway process Full Security Audit & Pentests
 2003: MMS environment Ethical Hacking tests
 2004: Black Berry FE/BE Penetration Testing
 2004: X.25 Security Audit Full Process (9 months)
 2004: New mobile threats R&D process (3 months)
 2004: DoS incident handling policy (referred to the private WAN)
Topics for this session
•   Introduction
•   MSC hacking / the Vodafone Greece Affair
•   Data Network Elements hacking (i.e. GPRS)
•   Billing, Mediation, LIS/LIG hacking
•   SS7 hacking
•   Web Applications’ suppliers standard issues
THE PROBLEM


Telecommunications vendors (Nokia, Ericsson, Alcatel, etc.) are 
selling insecure software and systems to telcos.

Telecommunications operators have a very poor understanding of 
security issues.

Based on 10 years of penetration testing experience, telco operators 
are the most vulnerable of all industry groups.

Sophisticated hackers have an increased interest in telco security 
and phone hacking.
THE VENDORS


   Some vendors have decided to take an active stance in security (e.g. Nokia), 
   however such initiatives are isolated and do not address most telcos’ security 
   problems.
   Most vendors sell antiquated software full of bugs, running on old and 
   unpatched versions of operating systems and daemons.
   Operators cannot fix the identified security weaknesses because it would 
   void their warranty.

⌧ The result of this ‘head in the sand’ approach is an increase in the threat: 
   national and international critical infrastructures are at risk.
THE OPERATORS


   Operators rely on vendors for secure solutions.
   Operators are primarily focused on network operations, software upgrades, 
   network performance and other time‐consuming routine tasks.
   Operators lack in‐house expertise on telco security.
   Operators are usually divided between the IT and Engineering 
   departments, creating two separate security domains.

⌧ Most telcos’ networks are open to attackers (I don’t say “hackers”!).
NETWORK OPS.

I.T.

GSM operators typically split their network between IT (the incompetent team
running the mail, the domains, the printers and the proxy/firewall) and Engineering
(the telco side).
Usually there is distrust between the two entities, poor communications and
certainly no common policy towards security.
IT of course believe they are important, but in fact they just have a support role. If
all IT systems stop working, you can still make phone calls.
                        (Emmanuel Gadaix, TSTF – Black Hat Asia Security Conference, 2001)
THE OPERATORS


Based on a +10‐year study encompassing 24 network operators in four
different continents (EU, Asia, USA, Australia):

 ⌧ 100% could be hacked from the Internet via Web Apps
 ⌧ 90% could be hacked through PSTN, X.25, ISDN or Wi‐Fi
 ⌧ 72% had a security incident in the last 2 years
 ⌧ 23% had appropriate perimeter security control
 ⌧ 0% had all their mission‐critical hosts (really) secured
 ⌧ 0% had comprehensive database security in place
 ⌧ 0% had integrity measures protecting billing data, nor encryption
THE ENEMY
   Telco fraud is still an attractive target:
   Bypassing toll, getting services without fees, setting up premium numbers, etc;
   Privacy invasions: interception of call‐related data (e.g. CDRs, SMS contents, 
   signalling data, billing data; etc)
   Eavesdropping and cloning: illegal interception and cloning of mobile phones.

⌧ Recently one underground group announced it was reverse engineering Nokia 
 and Symbian software;
⌧ A group of sophisticated hackers is working on abusing the SS7 protocol;
⌧ Another group of international security researchers is working on VoIP attacks 
 in telcos environments (Mobile, PSTN/ISDN, SS7, I.N.)
THE COMPETITION

⌧ Traditional security shops: no knowledge of telcos, poor  
   understanding of telcos procedures.

⌧ Traditional telcos consultancies: very poor knowledge of 
   security issues.

⌧ “Big 4” audit firms: focused on policies, no real expertise 
   (they outsource their jobs to us).

⌧ In‐house resources: very dangerous. Internal fraud is 
   overlooked; interdepartmental ego problems; good security 
   and bad security look the same.
DOING NOTHING…



  … with your telco infrastructures today is like doing 
  nothing with the RAS accesses in the 80’s…

  …with the X.25 networks in the 90’s…

  ….and with your Internet hosts during the Y2K:


⌧ it’s an open invitation for disaster.
“BUT..WHY SH0ULD WE C@4E ‘BOUT TH3S3
L33T ATTACK3RS ?!?”




 ….BECAUSE YOU LOSE YOUR MONEY.
AND, because….
• Hackers have been speaking about, investigating, 
  discussing, hacking telco‐related stuff
  (everything!) for a long time now (it began
  in the 70’s, became a trend in the 80’s and 
  90’s, a standard from 2000 up to today).
• ..Wanna see some examples??
2008
DEFCON 16 - Taking Back your Cellphone - Alexander Lash
BH DC / BH Europe - Intercepting Mobile Phone/GSM Traffic - David Hulton, Steve
BH Europe - Mobile Phone Spying Tools - Jarno Niemelä
BH USA - Mobile Phone Messaging Anti‐Forensics - Zane Lackey, Luis Miras
Ekoparty - Smartphones (in)security - Nicolas Economou, Alfredo Ortega
BH Japan - Exploiting Symbian OS in mobile devices - Collin Mulliner
GTS‐12 - iPhone and iPod Touch Forensics - Ivo Peixinho
25C3 - Hacking the iPhone - MuscleNerd, pytey, planetbeing
25C3 - Locating Mobile Phones using SS7 - Tobias Engel
Anatomy of smartphone hardware - Harald Welte
25C3 - Running your own GSM network - H. Welte, Dieter Spaar
25C3 - Attacking NFC mobile phones - Collin Mulliner
2009/1
ShmooCon - Building an All-Channel Bluetooth Monitor - Michael Ossmann and Dominic Spill
ShmooCon - Pulling a John Connor: Defeating Android - Charlie Miller
BH USA - Attacking SMS - Zane Lackey, Luis Miras
BH USA Premiere at YSTS 3.0 (BR)
BH USA - Fuzzing the Phone in your Phone - Charlie Miller, Collin Mulliner
BH USA - Is Your Phone Pwned? - Kevin Mahaffey, Anthony Lineberry & John Hering
BH USA - Post Exploitation Bliss
BH USA - Loading Meterpreter on a Factory iPhone - Vincenzo Iozzo & Charlie Miller
BH USA - Exploratory Android Surgery - Jesse Burns
DEFCON 17 - Jailbreaking and the Law of Reversing - Fred Von Lohmann, Jennifer Granick
DEFCON 17 - Hacking WITH the iPod Touch - Thomas Wilhelm
DEFCON 17 - Attacking SMS. It's No Longer Your BFF - Brandon Dixon
DEFCON 17 - Bluetooth, Smells Like Chicken - Dominic Spill, Michael Ossmann, Mark Steward
2009/2
BH Europe - Fun and Games with Mac OS X and iPhone Payloads - Charlie Miller and Vincenzo Iozzo
BH Europe - Hijacking Mobile Data Connections - Roberto Gassirà and Roberto Piccirillo
BH Europe - Passports Reloaded Goes Mobile - Jeroen van Beek
CanSecWest - The Smart-Phones Nightmare - Sergio 'shadown' Alvarez
CanSecWest - A Look at a Modern Mobile Security Model: Google's Android - Jon Oberheide
CanSecWest - Multiplatform iPhone/Android Shellcode, and other smart phone insecurities - Alfredo Ortega and Nico Economou
EuSecWest - Pwning your grandmother's iPhone - Charlie Miller
HITB Malaysia - Bugs and Kisses: Spying on Blackberry Users for Fun - Sheran Gunasekera
YSTS 3.0 / HITB Malaysia - Hacking from the Restroom - Bruno Gonçalves de Oliveira
PacSec - The Android Security Story: Challenges and Solutions for Secure Open Systems - Rich Cannings & Alex Stamos
DeepSec - Security on the GSM Air Interface - David Burgess, Harald Welte
DeepSec - Cracking GSM Encryption - Karsten Nohl
DeepSec - Hijacking Mobile Data Connections 2.0: Automated and Improved - Roberto Piccirillo, Roberto Gassirà
DeepSec - A practical DOS attack to the GSM network - Dieter Spaar
Overview on attacks

(then we’ll jump straight
  to a few, single topics)
ATTACKS & FRAUDS
IN MOBILE ENVIRONMENTS
A MORE COMPLICATED WORLD…
[Figure: cloud of telecom standards and technology areas: EMC, Virtual Networks, Video on demand, SES, Public safety, PTS, B-ISDN, TFTS, BRAN, DECT, VSAT, GSM, Intelligent Networks, SEC, ISO/BSI, ATM, UMTS, STQ, Teleworking, DTV, ERM, CTM, Testing Methods, Voice over Internet Protocol]
...WITH DIFFERENT STANDARDS, BUT A UNIQUE MARKET
...BUT THE THREAT IS GLOBAL
PHREAKING TELCOS
     Phreaking is a slang term for the action of
  making a telephone system do something that
  it normally should not allow.
      Why would anyone do this??
“  I do it for one reason and one reason only. I'm learning about a 
     system. The phone company is a System. A computer is a System, 
     do you understand? If I do what I do, it is only to explore a system. 
     Computers, systems, that's my bag. The phone company is 
     nothing but a computer.  ” 

                          Captain Crunch
                          From Secrets of the Little Blue Box
                  Esquire Magazine, October 1971
(pause) LOL!!
A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/1


The “Phreaking” concept can be explained as “Hacking the phone line”;
Since the 60’s, phreaking exploded all around the world;
From those times, intrusion stories in telcos environments became very 
common;
In the following slides we will give you a summary of the various types of 
attacks that can be applied in Mobile Networks; 
Many of these attacks have been practically tested and demonstrated by our 
Tiger Team over the years.
A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/2
Attacks have been classified into the following areas:
RAN Attacks (Radio Access Network)
TN Attacks (Transmission Network)
NSS Attacks (Network Switched Network)
IN Attacks (Intelligent Network)
SMS/Messaging Attacks (SMS, VMS)
MMS Attacks
NMS/OSS Attacks (Network Management System/Operations)
ME & Billing GW Attacks (Mediation and Billing)
LIS/LIG Attacks (Legal Interception System/Gateway)
SS7 Attacks (Signalling System # 7)
..not forgetting the “old school” PSTN, ISDN and X.25 attacks
THE NETWORK ELEMENTS

Radio Access Network (BSS/RAN)
Mobile Switching Center (MSC/NSS)
Home Location Register (HLR/VLR)
Intelligent Network (IN)
Messaging (SMSC, MMSC, USSD, VMS)
Packet data (GPRS, EDGE, 3G/UMTS)
Network Management (NMS, OMC, OSS)
Mediation, Billing, Customer Care, LIG
MSC
• Mobile Switching Center
• Is probably the most important asset in a 
  Mobile Operator
• We will speak about the Vodafone Greece
  case shortly…
GGSN
• Ollie Whitehouse around 2002/2003
  successfully exploited Nokia GPRS‐related
  elements (GGSN, SGSN).
• Result? DoS on all of your Data connections
  (Operator Level) if you run GPRS on Nokia’s 
  HW (at that time, obviously).
• Is it only Nokia? NO! ALL of them may be
  vulnerable.
Web Applications Security
• I’ve moved this to the last section, along with
  the “evidence”.
• Basically, the problem here is that the “standard 
  players” (big 4, Accenture, etc.) are often
  releasing insecure Web Applications.
• Exposed to:
  – XSS/CSRF/etc.
  – SQL Injection(s)
  – …whatever! 
The “Vodafone Greece Affair”
In one shot ‐ Greece
•   Basically, what the hell happened?
  – More than one hundred “VIP” mobile subscribers were eavesdropped on: 
    Government members, Defense officials mainly, including the Greek Prime 
    Minister, Foreign, Defence, Public Order officials, etc.
  – Calls from and to +100 SIMs were diverted to 14 “pay‐as‐you‐go” mobile 
    phones. 
  – Four BTS covered the area where these receiving SIMs were
    located. 
  – “Incidentally”, the US Embassy in Athens is right in the middle of them ☺
  – This was done via a high‐level hack of the Ericsson AXE GSM MSC, building 
    a rootkit “parked” in the RAM area, since obviously the MSC was in 
    “production” (!!!).
  – “The Hack” was discovered on March 7th, 2005, by Ericsson technical staff. One
    year later at least. Maybe longer….nobody knows
  – On March 9th, a Vodafone “top technician” (KT) committed suicide. (Kostas
    Tsalikidis, 39 y.o., Head of Network Design).
  – EYP (Hellas National Intelligence Agency) began investigating at once.

     × Right now, no‐one has any idea about who did it and why.
Profiling: Actors involved
• Some elite hacker.
  – Retired Ericsson technical guy(s) ? 
• Some seriously‐intentioned IA (CIA?).
• Some historical and geo‐political situation 
  (Carpe Diem).
• Local politicians and National Secret Service
• The Olympic Games ?
• The “best hack of 2005” prize. For sure.
Targeted people (Vodafone Hellas/1)
•   GOVERNMENT TARGETS:
    Karamanlis, Kostas Prime Minister of Greece (two phones of 20) Elef. 3Feb
    Molyviatis, Petros then Foreign Minister, a private phone Elef. 3Feb
    Spiliotopoulos, Spilios then Minister of Defense Elef. 3Feb
    Voulgarakis, Giorgos then Minister of Public Order Elef. 3Feb
    Papaligouras, Anastasios Minister of Justice Elef. 3Feb
    Valinakis, Giannis Alternate Foreign Minister Elef. 3Feb
    Dimas, Stavros EU Commissioner Elef. 3Feb
    Bakoyianni, Dora then Mayor of Athens Elef. 3Feb
    Vallindas, Giorgos Ambassador, Foreign Ministry Mideast Division Director Elef. 3Feb
    Choreftaki, Glykeria Foreign Ministry employee Elef. 3Feb
    Papantoniou, Giannis PASOK MP, ex Minister of Defense Elef
    Apostolidis, Pavlos then Head of Greek Intelligence Service (EYP), his car phone Nea
    Karamanli, Natasha wife of Prime Minister Nea
    eight unidentified foreign ministry officials Nea
    unnamed intelligence officials EYP operations officers Nea
    Korandis, Giannis current EYP director, then Ambassador to Turkey, his private car phone Nea 3‐16
    Molyviati, Lora daughter of former Foreign Minister Nea 3‐16
Targeted people (Vodafone Hellas/2)
•   POLICE/SECURITY TARGETS:
    Maravelis, Dimitris Police officer in Olympic Security Elef. 3Feb
    Maris, Giorgos lawyer, legal advisor to Public Order Ministry Elef. 3Feb
    Angelakis, Dimitris Police in Olympic Security or EYP unionist Elef. 3Feb
    Sontis, Theodore U.S. Embassy Greek‐American, gave to security detail Elef
    Kyriakakis, Evstratios Former Director, Criminological Service, Greek Police Ta Nea
    Galiatsos, G. Director of Exercises, Athens Olympic Security Ta Nea
    Mitropoulos, G. Chief of Staff, Ministry of Public Order Ta Nea
    Konstantinidis, V Olympic Games Security Director Ta Nea
    Nasiakos, Fotis Former Chief, Greek Police (phone given to another) Ta Nea
    Dimoschakis, An. Chief of Staff, Greek Police Ta Nea
    Syrros, St. Former director of Counterterrorism division, Greek Police Ta Nea
    Galikas, D. Director of Counterterrorism Division, Greek Police Ta Nea
    Angelakos, Giorgos Chief of Greek Police Ta Nea
    seven senior military Senior officers in general staff Ta Nea
    General Staff Communications Dir Communications Director, chief of General Staff
    Defense Ministry staffer Defense Ministry staff company Eleft 2/5
Targeted people (Vodafone Hellas/3)

• FOREIGN CITIZENS TARGETS:
  Meim, Mohamad Pakistani Elef
  Moktar, Ramzi Sudanese Elef
  Maloum, Udin Elef
  Jamal, Abdullah Lebanon radio reporter or Syrian journalist, now fast food operator Elef
  Sadik, Hussein Moh. Pakistani store owner Elef
  Tarek, Ibrahim Ahmet Iraqi Elef
  Kadir, Aris Kurd Elef
  Thair, Hermiz Iraqi Elef
  Ayoubi, Chadi Lebanese al Jazeera reporter, Gr resident Elef
  Basari, Mohamed Iraqi immigrant Igoumenitsa, 3 years, furniture factory worker Nea 3‐16
  Unnamed Syrian Unnamed Syrian, 3 years Nea 3‐16
  Unnamed Iraqi Unnamed Iraqi, 2 years Nea 3‐16
Targeted people (Vodafone Hellas/4)

• UNEXPLAINED TARGETS:
  Fergadis, Theodoros businessman Elef. 3Feb
  Kakotaritis, Giorgos blanket factory? Elef. 3Feb
  Linardos, Nikolaos Pegasus financial co, underwear firm Nea 3‐16
  Cretan businessman shipper of remote control airplanes, including Souda Bay Vima 3/25
  Cretan refrigeration tech Refrigeration tech from Ag. Nikolaos Crete Vima 3/25
  Koika, Katerina journalist Elef. 3Feb
  Psychogios, Giorgos criminal lawyer, Thebes mayor candidate Elef. 3Feb
  Makris, Kostas Elef. 3Feb
  Barbarousi, Dimitra Elef. 3Feb
  Notas, Anastasios Elef
  Pavlidis, Pavlos Elef
  Pnevmatikakis, Angelos Elef
  unknown card phone 6942 5447.. Activated 2/28/05 Vima 2/25
Conclusions

• A “suicided” dead man here too…
  – Telecom Italia scandal (2005)
  – KGB/CCC (1989)
• Only a very light negative image for Vodafone 
  Hellas: the media didn’t hit the subject that much
  in their news coverage.
• Obscure CIA links ?
• Rootkit Ericsson AXE MSC.
5 years later…. (2010)
• What’s going on?!?
• It happened that organized cybercrime gangs
  began realizing, since 2005, that it’s all about
  money…..
• And that the end‐user is an easier hack
  than a Corporate Telco (depends on the 
  Telco, though! ;)
Upcoming issues: targeting the 
 end‐user with mobile dialers
Uh? How did this happen??
“Playing games”, do ya??
Let’s pick up one…
..and its “hidden” code
The numbers

• +882346077 Antarctica

• +17675033611 Dominican Republic

• +88213213214 EMSAT satellite prefix

• +25240221601 Somalia

• +2392283261 São Tomé and Príncipe

• +881842011123 Globalstar satellite prefix
So…we’re talking about Billing, right? 

That, to me, goes straight along with
         Mediation ☺
MEDIATION AND BILLING




Mediation is the process that converts and transports raw CDR data
It can also be used to translate provisioning commands to the NE
It is a critical part of the provisioning and billing cycles
Most convenient place to commit fraud
THE BILLING PROCESS
[Figure: billing process diagram. Recoverable labels: Not WCS; Multiple Fulfilment Vendors; Information access, supply for Internet information (APIs) and Interactive TV; Security: certification and encryption; BANK; BANK I/F; DD payments, DD returns; Card payments & authorisation; CARD AUTHORISATION; CARD PAYMENTS (EFT); Reporting; E-Wallet; Small Purchases; TAP CLEARING HOUSE; Roaming call data; ISCP; IN Platform; IVR; SGSN; GGSN; WAP; VMS; To WAP, SMSC, IN]
   etc.                                        Portal.                                                                                                                                                                           Cu criptio
                                        Information access                                                                                                                                                                       su bs
                                                                                                          DD payments
                                         device for Internet                                               DD Returns
                                                                            External Billing for                                                        Card payments
                                         information (APIs)
                                                                             content supply                                                                                                                                                                                                                                    SMC
        WWW

                                                                               Customer and
                                                                                                                                                                                                                           Mediation                                                 SOG                                       AuC
                                                                                                                                                                                                                                                        service requests,
                                                                             subscription data,
                                                                                                                     Billing Sys e & Go de Database
                                                                                                                           g System Golden a abase
                                                                                                                                                                                                  Service requests          System                               p
                                                                                                                                                                                                                                                         and responses         Service activation
                                                                            and real time billing                                                                                                  and responses            Collection d
                                                                                                                                                                                                                            C ll ti and                                            gateway
                                              CRM Tool
                                                                                                        Customer and service administration, personalisation, content management,                                        normalisation of call                                                                                 HLR
                                                                                                          tariffing, SIM and number management, provisioning requests, call data
 ID & Address                                                                                           collection, rating and billing (roaming, retail and interconnect), and payment
                                                                                                                                                                                                                         data, and transfer of
                                                                                                                                                                                                    Normalised           service requests to
   Validation                                                                    Customer details,                                          collection                                               call data                                                                       BGW
                          Customer details                                       Credit score result
                                                                                                                                                                                                                            GSM network                    Call data
                                                                                                                                                                                                                                                                                  Billing gateway
                                                                                                                                                                                                                                                                                                                               MSC
                         Normalised address         Credit Scoring
                                                    manages integration
                              Customer              of billing system and
                            Result of check          external validation                                                                                                                  SIM orders, dispatched SIMS,
CREDIT CHECK                                               agencies.                                                                                                                        Dealer codes, activation       Dispatch SIM                           Commissions                         BANK I/F
                                                                                                                                                                                            information, money back        SIM orders, dealers codes                Sales and Dealer
                              Customer                                                                                                                                                            deactivations,           GL updates & Roaming                                                                                 Data
                            Result of check                                                                                                                                                  general ledger updates
                                                                                                                       Subscriber data                                                                                                                                                                                        Warehouse
                                                                                                    Bad Debt            Rated CDRs
                                                                                                                       Pre-pay CDRs
                                                                                                    Database           Unrated CDRs
                                                                                                                                            Ernie               PRINTING
 BLACKLIST ?
                                                                                                                                                                                          SIM                                                                      SAP
                                                       SAP
                                                                                                                                                                                   Manufacturer                  Sales support, logistics and finance processing, Human Resource, and Materials Management
                                                                                                          Customer and
                                                                                                       subscription changes
                                                                            Document                                                                                Dealer information
                                                                             Imaging
                                                                                g g                                                                   S                                                      Financial/Inve ntory                                    -Outbound
                                                                                                                                                                                                                                                                      Outbound
         Electronic Queue                                                                                                                          inc IM
                                                                                                                                                      lud + M                                                  Material master                                  -Goods mvt inbound
             Manager                              POS                                                                         FRAUD                      ing S I                                                                                               -Picking conf. inbound
                                                                                                                                                            b l a SD N
           Service Centre Queue                 Activation                                                                                                       ck n                                     WCS Shops
                                                                                                                                                                                                                                                                -Change serial# kits
                                                                                                                                                                                                                                                               -Physical inv. inbound
            measurement tool                                                                                                                                       lis um
                                                                                                                                                                      tin b                                                                                                                              Site rental Assets
                                                                                                                                                                         g e rs
                                                                                                                                                                          IM
                                                                                                                                                                             EI               Retail Outlets                                Logistics                   Shops &
  Multi                                                                                                                                                                                                                                     Company                     Dealers
  Media                                                                                                                                                                             Screen Navigation

                                                                                                                                        Query
                                                                                                                                         type                           Isaac                                                                                                                                   IMS
                    Call (CLI)            ACD                                Caller ID,                   CRM Tool                                            Case Based Reasoning
                                                                                                                                                                                                                                                                                   Sites,
                                                                                                                                                                                                                                                                                                    Sites administration, BTS build
Customer call
                     Per call       Distribute customer                    Service Level,                Manage customer                                              Tool                                                                              GIS                        faults
                                                                                                                                                                                                                                                                                                     provision and transmission,
                                                                        Preferred Language              tasks to completion                                                                                                                 (Geographical Information                               operations and network faults
                                    calls in call centre                                                                                                      Diagnose problems and                                                                                               & Links
                                                                                                                                  Recommendation                                                                                                     System)                                                   logging
                                                                                                                                                               recommend solutions
                                                                                                                                                                                                                                             Site, Dealer & Shops info

   IVR                                 Caller ID and
                                                                                                                                       Screen
                                        Preference
                                                                                                                                      navigation                                                                                          Signal strength and coverage


                                              IVR                                                             O/S                                                 Scholar
                                                                            Predictive                                                                       Knowledge System
                                     Identify customer,                                                 Operator services
                                   preference and satisfy                    Dialler                    Directory inquiries
                                                                                                                                                             On-line call centre
                                                                                                                                                                                                                                              Radio planning
                                                                                                                                                                 reference
                                       simple queries
                                                                                                                                                                                                                                                   tool


                                                                                                                                                                                                                                                                                                                          57
ATTACKS ON MEDIATION / BILLING

Raw database edit. Conveniently deletes selected records containing billing data.
Modification of the charging tables in the billing system
Patching of the rater application to eliminate certain CDR e.g. belonging to a given MSISDN
Backdoors in mediation gateways to remove CDR data
Confidential information on subscribers activities (numbers called, received, SMS, data, etc.)
Modification of CDR processing rules
Modification of “test numbers” whitelist
Live patching of CDR data while in mediation queue
Patching of mediation application (e.g. loading scripts)
GPRS packet aggregation rules modification
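Several of the attacks above (removed CDRs, records patched in the queue, a widened test-number whitelist) can be caught by reconciling switch output against rater input from outside the mediation platform. The sketch below is an added example, not part of the original slides; the record layout, numbers and function names are constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed sample data. Real CDRs are binary files; these tuples stand for
# records already decoded by a collector that taps the switch output before it
# reaches mediation. Assumed layout: (switch_id, sequence_no, msisdn, seconds).
SWITCH_CDRS = [
    ("MSC1", 1001, "99900000001", 62),
    ("MSC1", 1002, "99900000002", 340),
    ("MSC1", 1003, "99900000003", 15),
    ("MSC1", 1004, "99900000002", 1250),
    ("MSC1", 1005, "99900000099", 30),    # approved test number
    ("MSC1", 1006, "99900000004", 600),
    ("MSC1", 1007, "99900000002", 75),
]

# What the rater actually received from mediation (constructed).
RATED_CDRS = [
    ("MSC1", 1001, "99900000001", 62),
    ("MSC1", 1003, "99900000003", 15),
    ("MSC1", 1006, "99900000004", 60),    # duration changed on the way
]

APPROVED_TEST_NUMBERS = {"99900000099"}              # signed-off baseline
LIVE_TEST_NUMBERS = {"99900000099", "99900000005"}   # read from mediation config


def whitelist_digest(numbers):
    """Order-independent SHA-256 of a test-number whitelist."""
    joined = "\n".join(sorted(numbers)).encode()
    return hashlib.sha256(joined).hexdigest()


def whitelist_drift(approved, live):
    """Numbers added to or removed from the whitelist since sign-off."""
    approved, live = set(approved), set(live)
    return {"added": sorted(live - approved), "removed": sorted(approved - live)}


def reconcile(switch_cdrs, rated_cdrs, approved_test_numbers):
    """Compare switch output with rater input, keyed on (switch, sequence)."""
    rated = {(sw, seq): (msisdn, secs) for sw, seq, msisdn, secs in rated_cdrs}
    seen, missing, altered = set(), [], []
    for sw, seq, msisdn, secs in switch_cdrs:
        key = (sw, seq)
        seen.add(key)
        if key not in rated:
            # Only numbers on the approved baseline may legitimately vanish.
            if msisdn not in approved_test_numbers:
                missing.append((sw, seq, msisdn, secs))
        elif rated[key] != (msisdn, secs):
            altered.append({"key": key, "switch": (msisdn, secs), "rated": rated[key]})
    # Records the rater holds that no switch produced.
    injected = sorted(k for k in rated if k not in seen)
    return {"missing": missing, "altered": altered, "injected": injected}


def fully_suppressed(switch_cdrs, missing, min_records=2):
    """MSISDNs whose every record disappeared: the pattern left by a filter
    keyed on one subscriber rather than by random loss."""
    total = Counter(m for _, _, m, _ in switch_cdrs)
    lost = Counter(m for _, _, m, _ in missing)
    return sorted(m for m, n in lost.items() if n == total[m] and n >= min_records)


if __name__ == "__main__":
    report = reconcile(SWITCH_CDRS, RATED_CDRS, APPROVED_TEST_NUMBERS)
    print("missing  :", report["missing"])
    print("altered  :", report["altered"])
    print("targeted :", fully_suppressed(SWITCH_CDRS, report["missing"]))
    print("whitelist:", whitelist_drift(APPROVED_TEST_NUMBERS, LIVE_TEST_NUMBERS))
```

The comparison is only as trustworthy as the collector: it has to read the switch feed and the approved whitelist from a place the mediation and billing administrators cannot write to.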



                                                                  58
L.I.G./L.I.S. ATTACKS

Legal Interception Gateway is used by police and intelligence agencies.
Connected to MSC through special interface. Very user‐friendly.
Based on standard UNIX and TCP/IP so potentially open to common attacks
Compromise of a LIG would allow real‐time interception and call eavesdropping.
Could compromise the agencies’ own facilities.
RAOUL, don’t forget to tell ‘em about the “911 Pentest”…. ;)




                                                                   59
SS7: the next nightmare
• A Signalling & Billing (inter‐operators) protocol built in the 70’s and developed in the 80’s.
• Why? LOL
• …….‘cause Captain Crunch invented blue‐boxing, that was running in‐band.
• So SS7 went “out‐of‐band”.
• Simple (KISS)!
SS7 SIGNALLING

Mobile networks primarily use Signalling System No. 7 (SS7) for communication between networks for such activities as authentication, location update, and supplementary services and call control. The messages unique to mobile communications are MAP messages.

The security of the global SS7 network as a transport system for signalling messages, e.g. authentication and supplementary services such as call forwarding, is open to major compromise.

The problem with the current SS7 system is that messages can be altered, injected into or deleted from the global SS7 networks in an uncontrolled manner.

                                                                       61
EXAMPLES OF SS7 ATTACKS

Theft of service, interception of calling card numbers, privacy concerns
Introduce harmful packets into the national and global SS7 networks
Get control of call processing, get control of accounting reports
Obtain credit card numbers, non‐listed numbers, etc.
Messages can be read, altered, injected or deleted
Denial of service, security triplet replay to compromise authentication
Annoyance calls, free calls, disruption of emergency services
Capture of gateways, rerouting of call traffic
Disruption of service to large parts of the network
Call processing exposed through Signaling Control Protocol
Announcement service exposed to IP through RTP
Disclosure of bearer channel traffic




                                                                            62
SS7 ENTRY POINTS




              63
SS7: A CLOSED NETWORK



With a limited number of carriers and limited points of interconnection, the operators could assume with fair certainty that all of the elements passing data were trusted sources.
Unlike IP protocols, security features like authentication and encryption were not built into the SS7 protocol. Instead, the focus has been placed on creating secure physical environments for the network equipment rather than secure protocols.
STPs, the routers of the SS7 network, perform gateway screening to prohibit inbound and outbound messages from unauthorized nodes. The addresses of individual nodes within a network are isolated.
Global title translation (GTT) enables a network to receive messages from other networks without disclosing the unique addresses, called point codes, of its own nodes.
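The gateway screening and global title translation described above can be modelled in a few lines. This is an added example, not from the original slides and not any vendor's configuration syntax; the linkset name, point codes, global title ranges and rule layout are all constructed assumptions.

```python
from dataclasses import dataclass

SI_SCCP, SI_ISUP = 3, 5            # MTP3 service indicator values


@dataclass(frozen=True)
class Msu:
    linkset: str                   # linkset the message arrived on
    opc: str                       # originating point code claimed by the sender
    dpc: str                       # destination point code
    si: int                        # service indicator
    calling_gt: str = ""           # SCCP calling party global title digits
    called_gt: str = ""            # SCCP called party global title digits


# Everything below is constructed for the example.
STP_PC = "2-010-1"                 # the gateway STP's own point code
GATEWAY_MSC_PC = "2-010-2"         # the only node a peer may address by point code

SCREENING = {
    "ls-carrier-a": {
        "opc": {"4-120-3"},
        "dpc_by_si": {SI_SCCP: {STP_PC}, SI_ISUP: {GATEWAY_MSC_PC}},
        "calling_gt_prefixes": ("99901",),
    },
}

# Called GT prefix -> internal point code. Peers only ever see the GT.
GTT = {"99955": "2-010-7", "999551": "2-010-9"}


def translate(called_gt, table=GTT):
    """Longest-prefix match of the called GT; None when nothing matches."""
    best = max((p for p in table if called_gt.startswith(p)), key=len, default=None)
    return table[best] if best is not None else None


def screen(msu, rules=SCREENING):
    """Return ("forward", point_code) or ("discard", reason)."""
    rule = rules.get(msu.linkset)
    if rule is None:
        return ("discard", "unknown linkset")
    if msu.opc not in rule["opc"]:
        return ("discard", "OPC not allowed on this linkset")
    allowed_dpcs = rule["dpc_by_si"].get(msu.si)
    if allowed_dpcs is None:
        return ("discard", "service indicator not allowed")
    if msu.dpc not in allowed_dpcs:
        return ("discard", "destination not exposed to this peer")
    if msu.si != SI_SCCP:
        return ("forward", msu.dpc)
    if not msu.calling_gt.startswith(rule["calling_gt_prefixes"]):
        return ("discard", "calling GT outside peer's range")
    target = translate(msu.called_gt)
    if target is None:
        return ("discard", "no translation for called GT")
    return ("forward", target)


# Constructed messages: one legitimate, the rest violating one rule each.
SAMPLES = {
    "legit_sccp": Msu("ls-carrier-a", "4-120-3", STP_PC, SI_SCCP, "9990123456", "99955100200"),
    "legit_isup": Msu("ls-carrier-a", "4-120-3", GATEWAY_MSC_PC, SI_ISUP),
    "foreign_opc": Msu("ls-carrier-a", "4-999-9", STP_PC, SI_SCCP, "9990123456", "99955100200"),
    "internal_dpc": Msu("ls-carrier-a", "4-120-3", "2-010-9", SI_SCCP, "9990123456", "99955100200"),
    "foreign_gt": Msu("ls-carrier-a", "4-120-3", STP_PC, SI_SCCP, "9997700000", "99955100200"),
    "unknown_link": Msu("ls-unknown", "4-120-3", STP_PC, SI_SCCP, "9990123456", "99955100200"),
}

if __name__ == "__main__":
    for name, msu in SAMPLES.items():
        print(f"{name:13s} -> {screen(msu)}")
```

Screening of this kind checks that the claimed origin is permitted on the linkset; it does not authenticate the sender, so a permitted peer can still place any value from its allowed range in a message.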


                                                                            64
SS7: ATTACK TAXONOMY




                 65
SOME REAL-LIFE EVIDENCES




                           66
WI-FI: HW TOOLS FOR PROACTIVE SECURITY




                                    67
CDR FILES FROM MEDIATION AREA

XXX8557710<X81>^F<X81>3<X83>Uw^A<C/>^U<X80>^A^@<X81>^A^A<X82>^A^
@<X83>
XXX2199557<X83>^F<X81>3#<PU1>Yu<IND>^C^C^F
<NEL>^C^O$<ESC><SSA>^A^A<ESA>^C^C^F<VT><HTS>^C^O$<ESC><HTJ>^B^@<PL
U><VTS>^A^@<<<>^F<X80>^A^X<X81>^A^@<PLU>^A^@
<SS2>^A^@<PU1>^B^A<o^><PU2>^A^B<3^>^U<X80>^A^@<X81>^A^A<X82>^A^@
<X83>




                                                             68
SMS-C UNAUTHORIZED ACCESS




                            69
SMS TRAFFIC LOG FROM SMSC




    (c) 2004, @ Mediaservice.net Srl, DSDLAB   70
PROCESSED SMS: “FROM” & “TO”




                                                  71
SMS PROCESSING QUEUE




                                             72
SNIFFING ON “IN PROGRESS” SMSs




                                                  73
OBTAINING CUSTOMERS INFORMATION




                                  74
75
76
This can be scripted!




              77
78
Contacts
• Raoul Chiesa
Senior Advisor, Strategic Alliances & Cybercrime Issues
UNICRI – United Nations Interregional Crime & Justice Research Institute
@ Mediaservice.net, Founder
Email: chiesa@UNICRI.it (UN)
       raoul@mediaservice.net (business)
QUESTIONS?



THANKS FOR YOUR ATTENTION GUYS!!!!

 
The sociological value of transactional data?
The sociological value of transactional data?The sociological value of transactional data?
The sociological value of transactional data?Ben Anderson
 
Sun Tzu For Business Nine Key Components
Sun Tzu For Business Nine Key ComponentsSun Tzu For Business Nine Key Components
Sun Tzu For Business Nine Key ComponentsAllan Elder
 
5. telecomm & network security
5. telecomm & network security5. telecomm & network security
5. telecomm & network security7wounders
 
Enterprise architecture for telecom sector
Enterprise architecture for telecom sectorEnterprise architecture for telecom sector
Enterprise architecture for telecom sectorSoham Pablo
 
37756129 gsm-call-flow
37756129 gsm-call-flow37756129 gsm-call-flow
37756129 gsm-call-flowtyagi4u
 
Gsm architecture and call flow
Gsm architecture and call flowGsm architecture and call flow
Gsm architecture and call flowMohd Nazir Shakeel
 
Basic GSM Call Flows
Basic GSM Call FlowsBasic GSM Call Flows
Basic GSM Call Flowsemyl97
 
Telco 4.0 Business Operating Model Value Proposition Overview
Telco 4.0 Business Operating Model Value Proposition   OverviewTelco 4.0 Business Operating Model Value Proposition   Overview
Telco 4.0 Business Operating Model Value Proposition OverviewNigel Tebbutt
 
Telecommunication Business Process - eTOM Flows
Telecommunication Business Process - eTOM FlowsTelecommunication Business Process - eTOM Flows
Telecommunication Business Process - eTOM FlowsRobert Bratulic
 

Andere mochten auch (16)

Market Intellegence Solution - Mobile Technology
Market Intellegence Solution - Mobile TechnologyMarket Intellegence Solution - Mobile Technology
Market Intellegence Solution - Mobile Technology
 
Week 2 network configurartion
Week 2 network configurartionWeek 2 network configurartion
Week 2 network configurartion
 
Btretail cs
Btretail csBtretail cs
Btretail cs
 
The sociological value of transactional data?
The sociological value of transactional data?The sociological value of transactional data?
The sociological value of transactional data?
 
Sun Tzu For Business Nine Key Components
Sun Tzu For Business Nine Key ComponentsSun Tzu For Business Nine Key Components
Sun Tzu For Business Nine Key Components
 
5. telecomm & network security
5. telecomm & network security5. telecomm & network security
5. telecomm & network security
 
Enterprise architecture for telecom sector
Enterprise architecture for telecom sectorEnterprise architecture for telecom sector
Enterprise architecture for telecom sector
 
37756129 gsm-call-flow
37756129 gsm-call-flow37756129 gsm-call-flow
37756129 gsm-call-flow
 
5[1]
5[1]5[1]
5[1]
 
Gsm architecture and call flow
Gsm architecture and call flowGsm architecture and call flow
Gsm architecture and call flow
 
Basic GSM Call Flows
Basic GSM Call FlowsBasic GSM Call Flows
Basic GSM Call Flows
 
Telco 4.0 Business Operating Model Value Proposition Overview
Telco 4.0 Business Operating Model Value Proposition   OverviewTelco 4.0 Business Operating Model Value Proposition   Overview
Telco 4.0 Business Operating Model Value Proposition Overview
 
Bt cotton
Bt cottonBt cotton
Bt cotton
 
Network security
Network securityNetwork security
Network security
 
Telecommunications and networks
Telecommunications and networksTelecommunications and networks
Telecommunications and networks
 
Telecommunication Business Process - eTOM Flows
Telecommunication Business Process - eTOM FlowsTelecommunication Business Process - eTOM Flows
Telecommunication Business Process - eTOM Flows
 

Ähnlich wie Telecom security issues (Raoul Chiesa, day 1 )

Telefónica security io_t_final
Telefónica security io_t_finalTelefónica security io_t_final
Telefónica security io_t_finalChristopher Wang
 
Trustless Computing Initiative
Trustless Computing InitiativeTrustless Computing Initiative
Trustless Computing InitiativeTRUSTLESS.AI
 
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...Cyber Security Alliance
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Hamisi Kibonde
 
Network Security Is Important For Protecting Your Computer
Network Security Is Important For Protecting Your ComputerNetwork Security Is Important For Protecting Your Computer
Network Security Is Important For Protecting Your ComputerAngie Willis
 
Unit 1 Introducation
Unit 1 IntroducationUnit 1 Introducation
Unit 1 IntroducationTushar Rajput
 
ITU-T Perspectives on the Standards-Based Security Landscape (SG 17 Main Focus)
ITU-T Perspectives on the Standards-Based Security Landscape  (SG 17 Main Focus)ITU-T Perspectives on the Standards-Based Security Landscape  (SG 17 Main Focus)
ITU-T Perspectives on the Standards-Based Security Landscape (SG 17 Main Focus)Abbie Barbir
 
Cybersecurity and Internet Governance
Cybersecurity and Internet GovernanceCybersecurity and Internet Governance
Cybersecurity and Internet GovernanceKenny Huang Ph.D.
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approachesvngundi
 
Selex ES at Le Bourget 2013 Cyber Security Seminar-Alessandro Menna
Selex ES at Le Bourget 2013 Cyber Security Seminar-Alessandro Menna Selex ES at Le Bourget 2013 Cyber Security Seminar-Alessandro Menna
Selex ES at Le Bourget 2013 Cyber Security Seminar-Alessandro Menna Leonardo
 
Internet & iot security
Internet & iot securityInternet & iot security
Internet & iot securityUsman Anjum
 
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defender
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defenderUsing a VPN or and TOR by remmy nweke, fellow, cyber security policy defender
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defenderRemmy Nweke, mNGE, mNUJ, mGOCOP
 
SIM Portland IOT - Sandhi Bhide - (09-14-2016)
SIM Portland IOT - Sandhi Bhide - (09-14-2016)SIM Portland IOT - Sandhi Bhide - (09-14-2016)
SIM Portland IOT - Sandhi Bhide - (09-14-2016)sandhibhide
 
J_McConnell_LabReconnaissance
J_McConnell_LabReconnaissanceJ_McConnell_LabReconnaissance
J_McConnell_LabReconnaissanceJuanita McConnell
 
ITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information TechnologyITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information TechnologyITU
 
THE GOOD SEED DROP-IN, Website - (goodseedcdc.org) MISSION.docx
THE GOOD SEED DROP-IN, Website - (goodseedcdc.org) MISSION.docxTHE GOOD SEED DROP-IN, Website - (goodseedcdc.org) MISSION.docx
THE GOOD SEED DROP-IN, Website - (goodseedcdc.org) MISSION.docxrtodd33
 
Cybersecurity and continuous intelligence
Cybersecurity and continuous intelligenceCybersecurity and continuous intelligence
Cybersecurity and continuous intelligenceNISIInstituut
 
Indian perspective of cyber security
Indian perspective of cyber securityIndian perspective of cyber security
Indian perspective of cyber securityAurobindo Nayak
 

Ähnlich wie Telecom security issues (Raoul Chiesa, day 1 ) (20)

Telefónica security io_t_final
Telefónica security io_t_finalTelefónica security io_t_final
Telefónica security io_t_final
 
Trustless Computing Initiative
Trustless Computing InitiativeTrustless Computing Initiative
Trustless Computing Initiative
 
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
 
Network Security Is Important For Protecting Your Computer
Network Security Is Important For Protecting Your ComputerNetwork Security Is Important For Protecting Your Computer
Network Security Is Important For Protecting Your Computer
 
Unit 1 Introducation
Unit 1 IntroducationUnit 1 Introducation
Unit 1 Introducation
 
ITU-T Perspectives on the Standards-Based Security Landscape (SG 17 Main Focus)
ITU-T Perspectives on the Standards-Based Security Landscape  (SG 17 Main Focus)ITU-T Perspectives on the Standards-Based Security Landscape  (SG 17 Main Focus)
ITU-T Perspectives on the Standards-Based Security Landscape (SG 17 Main Focus)
 
Cybersecurity and Internet Governance
Cybersecurity and Internet GovernanceCybersecurity and Internet Governance
Cybersecurity and Internet Governance
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approaches
 
Selex ES at Le Bourget 2013 Cyber Security Seminar-Alessandro Menna
Selex ES at Le Bourget 2013 Cyber Security Seminar-Alessandro Menna Selex ES at Le Bourget 2013 Cyber Security Seminar-Alessandro Menna
Selex ES at Le Bourget 2013 Cyber Security Seminar-Alessandro Menna
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
 
Internet & iot security
Internet & iot securityInternet & iot security
Internet & iot security
 
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defender
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defenderUsing a VPN or and TOR by remmy nweke, fellow, cyber security policy defender
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defender
 
SIM Portland IOT - Sandhi Bhide - (09-14-2016)
SIM Portland IOT - Sandhi Bhide - (09-14-2016)SIM Portland IOT - Sandhi Bhide - (09-14-2016)
SIM Portland IOT - Sandhi Bhide - (09-14-2016)
 
J_McConnell_LabReconnaissance
J_McConnell_LabReconnaissanceJ_McConnell_LabReconnaissance
J_McConnell_LabReconnaissance
 
ITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information TechnologyITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information Technology
 
THE GOOD SEED DROP-IN, Website - (goodseedcdc.org) MISSION.docx
THE GOOD SEED DROP-IN, Website - (goodseedcdc.org) MISSION.docxTHE GOOD SEED DROP-IN, Website - (goodseedcdc.org) MISSION.docx
THE GOOD SEED DROP-IN, Website - (goodseedcdc.org) MISSION.docx
 
Cybersecurity and continuous intelligence
Cybersecurity and continuous intelligenceCybersecurity and continuous intelligence
Cybersecurity and continuous intelligence
 
The red book
The red book  The red book
The red book
 
Indian perspective of cyber security
Indian perspective of cyber securityIndian perspective of cyber security
Indian perspective of cyber security
 

Mehr von ClubHack

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014ClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreClubHack
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber InsuranceClubHack
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...ClubHack
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalClubHack
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiClubHack
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue  February 2012Clubhack Magazine Issue  February 2012
Clubhack Magazine Issue February 2012ClubHack
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack
 

Mehr von ClubHack (20)

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber Insurance
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threat
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep Kamble
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan Joshi
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue  February 2012Clubhack Magazine Issue  February 2012
Clubhack Magazine Issue February 2012
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
 

Telecom security issues (Raoul Chiesa, day 1 )

  • 1. “Telecom Security Issues” An overview of Key Threats & Actors, Case  Studies and Possible Scenarios Raoul Chiesa, UNICRI Club Hack Conference, Pune December 4th, 2010
  • 2. Disclaimer ● The information contained within this presentation does not infringe on any intellectual property nor does it contain tools or recipes that could be in breach of known Indian laws (is there any lawyer in the room btw? ;) ● Quoted trademarks belong to their registered owners. ● The views expressed are those of the author and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the views of ENISA and its PSG (Permanent Stakeholders Group).
  • 3. The speaker – Raoul “nobody” Chiesa ● On the underground scene since 1986 ● Senior Advisor on cybercrime at the United Nations (UNICRI) ● ENISA PSG Member (2010‐2012) ● Founder, @ Mediaservice.net – Independent Security Advisory Company and @ PSS – a Digital Forensics Company ● Founder, Board of Directors at: CLUSIT (Italian Information Security Association), ISECOM, OWASP Italian Chapter ● TSTF.net Associated Member ● Member: ICANN, OPSI/AIP, EAST
  • 4. About UNICRI What is UNICRI? ● United Nations Interregional Crime & Justice Research Institute ● A United Nations entity established in 1968 to support countries worldwide in crime prevention and criminal justice ● UNICRI carries out applied research, training, technical cooperation and documentation / information activities ● UNICRI disseminates information and maintains contacts with professionals and experts worldwide ● Counter Human Trafficking and Emerging Crimes Unit: cyber crimes, counterfeiting, environmental crimes, trafficking in stolen works of art…
  • 5. About ENISA What is ENISA? • European Network & Information Security Agency • ENISA is the EU’s response to security issues of the European Union • “Securing Europe's Information Society” is our motto (27 Member States) • In order to accomplish our mission, we work with EU Institutions and Member States • ENISA came into being following the adoption of Regulation (EC) No 460/2004 of the European Parliament and of the Council on 10 March 2004. Operations started in September 2005, after moving from Brussels to Crete, and with the arrival of staff who were recruited through EU25‐wide competitions with candidates coming from all over Europe. • ENISA is helping the European Commission, the Member States and the business community to address, respond to and especially to prevent Network and Information Security problems. • The Agency also assists the European Commission in the technical preparatory work for updating and developing Community legislation in the field of Network and Information Security. • I’m a Member of ENISA’s PSG – Permanent Stakeholders Group.
  • 6. About TSTF.net • We are a think‐tank established more than 10 years ago. • We have all known each other (team members) since the 80’s. • Some names: Emmanuel Gadaix, Philippe Langlois, Stavroula “Venix” Ventouri, Fyodor Yarochkin (xprobe2), … • All of us have pentested/audited more than 120 phone operators all over the world. • Huge experience, no sales pitches: we know our stuff. • Built the very first open‐source SS7 Scanner (SCTP). • Doing R&D every day, every hour, every single minute ;)
  • 7. More on TSTF.net Who’s who ● 35 years combined GSM telecommunications experience; ● 50 years combined information security experience; ● A unique view on telco security – nobody else does it; ● Active research (papers, tools, forums); ● Experience in Europe, Asia, USA; ● Self‐funded, no business cunts running it, no VCs. Networked structure ● Structure similar to the Global Business Network (http://www.gbn.org/); ● No central office, global coverage; ● Leverage on each individual's skills and services; ● Leverage on network effect.
  • 8. Our experiences (excerpt, 1999‐2004) (obviously, we’ve got much MORE ☺) ● 1999: GSM Internet Data Access Penetration Tests ● 2000: GPRS Internet Data Access Penetration Tests ● 2000/2004: L.I.S./L.I.G. Security Audits on a +15 MLN subscribers ● 2000: SMS Spoofing PoC & Security Consulting ● 2001: Dealers’ shops Abuse Security Testing ● 2001: SMSC Ethical Hacking Test ● 2001: SAP environments Security Audit ● 2001‐2004: VAS Security Audits and Pen‐testing ● 2001‐2004: xIDS and Firewall tuning and configuration review ● 2002/2003: Wireless Penetration Tests on HQ and main branches (+10 MLN subscribers; +15 MLN subscribers) ● 2002: Wireless Security Policy (private and public hot‐spots) ● 2003: Portals Web Applications Security Testing (various tests on the applications developed for the subscribers) ● 2003: Billing gateway process Full Security Audit & Pentests ● 2003: MMS environment Ethical Hacking tests ● 2004: BlackBerry FE/BE Penetration Testing ● 2004: X.25 Security Audit Full Process (9 months) ● 2004: New mobile threats R&D process (3 months) ● 2004: DoS incident handling policy (referred to the private WAN)
  • 9. Topics for this session • Introduction • MSC hacking / the Vodafone Greece Affair • Data Network Elements hacking (i.e. GPRS) • Billing, Mediation, LIS/LIG hacking • SS7 hacking • Web Applications’ suppliers standard issues
  • 10. THE PROBLEM ● Telecommunications vendors (Nokia, Ericsson, Alcatel, etc.) are selling insecure software and systems to telcos. ● Telecommunications operators have a very poor understanding of security issues. ● Based on 10 years of penetration testing experience, telco operators are the most vulnerable of all industry groups. ● Sophisticated hackers have an increased interest in telco security and phone hacking.
  • 11. THE VENDORS ● Some vendors have decided to take an active stance in security (e.g. Nokia), however such initiatives are isolated and do not address most telcos’ security problems. ● Most vendors sell antiquated software full of bugs, running on old and unpatched versions of operating systems and daemons. ● Operators cannot fix the identified security weaknesses because it would void their warranty. ⌧ The result of this ‘head in the sand’ approach is an increase in the threat: national and international critical infrastructures are at risk.
  • 12. THE OPERATORS ● Operators rely on vendors for secure solutions. ● Operators are primarily focused on network operations, software upgrades, network performance and other time‐consuming routine tasks. ● Operators lack in‐house expertise on telco security. ● Operators are usually divided between the IT and Engineering departments, creating two separate security domains. ⌧ Most telco networks are open to attackers (I don’t say “hackers”!).
  • 13. NETWORK OPS. I.T. GSM operators typically split their network between IT (the incompetent team running the mail, the domains, the printers and the proxy/firewall) and Engineering (the telco side). Usually there is distrust between the two entities, poor communications and certainly no common policy towards security. IT of course believe they are important, but in fact they just have a support role. If all IT systems stop working, you can still make phone calls. (Emmanuel Gadaix, TSTF – Black Hat Asia Security Conference, 2001)
  • 14. THE OPERATORS Based on a +10 years study encompassing 24 network operators in four different continents (EU, Asia, USA, Australia): ⌧ 100% could be hacked from the Internet via Web Apps ⌧ 90% could be hacked through PSTN, X.25, ISDN or Wi‐Fi ⌧ 72% had a security incident in the last 2 years ⌧ 23% had appropriate perimeter security control ⌧ 0% had all their mission‐critical hosts (really) secured ⌧ 0% had comprehensive database security in place ⌧ 0% had integrity measures protecting billing data, nor encryption
  • 15. THE ENEMY ● Telco fraud is still an attractive target: bypassing toll, getting services without fees, setting up premium numbers, etc.; ● Privacy invasions: interception of call‐related data (e.g. CDRs, SMS contents, signalling data, billing data, etc.) ● Eavesdropping and cloning: illegal interception and cloning of mobile phones. ⌧ Recently one underground group announced it was reverse engineering Nokia and Symbian software; ⌧ A group of sophisticated hackers is working on abusing the SS7 protocol; ⌧ Another group of international security researchers is working on VoIP attacks in telcos environments (Mobile, PSTN/ISDN, SS7, I.N.)
  • 16. THE COMPETITION ⌧ Traditional security shops: no knowledge of telcos, poor understanding of telcos’ procedures. ⌧ Traditional telco consultancies: very poor knowledge of security issues. ⌧ “Big 4” audit firms: focused on policies, no real expertise (they outsource their jobs to us). ⌧ In‐house resources: very dangerous. Internal fraud is overlooked; interdepartmental ego problems; good security and bad security look the same.
  • 17. DOING NOTHING… … with your telco infrastructures today is like doing nothing with the RAS accesses in the 80’s… …with the X.25 networks in the 90’s… …and with your Internet hosts during the Y2K: ⌧ it’s an open invitation for disaster.
  • 18. “BUT..WHY SH0ULD WE C@4E ‘BOUT TH3S3 L33T ATTACK3RS ?!?” ….BECAUSE YOU LOSE YOUR MONEY.
  • 19. AND, because…. • Hackers have been speaking about, investigating, discussing, hacking telco‐related stuff (everything!) for a long time now (began in the 70’s, became a trend in the 80’s and 90’s, a standard from 2000 up to today). • ..Wanna see some examples??
  • 20. 2008 ● DEFCON 16 ‐ Taking Back your Cellphone, Alexander Lash ● BH DC / BH Europe – Intercepting Mobile Phone/GSM Traffic, David Hulton, Steve ● BH Europe ‐ Mobile Phone Spying Tools, Jarno Niemelä ● BH USA ‐ Mobile Phone Messaging Anti‐Forensics, Zane Lackey, Luis Miras ● Ekoparty ‐ Smartphones (in)security, Nicolas Economou, Alfredo Ortega ● BH Japan ‐ Exploiting Symbian OS in mobile devices, Collin Mulliner ● GTS‐12 ‐ iPhone and iPod Touch Forensics, Ivo Peixinho ● 25C3 – Hacking the iPhone ‐ MuscleNerd, pytey, planetbeing ● 25C3 Locating Mobile Phones using SS7 – Tobias Engel ● Anatomy of smartphone hardware, Harald Welte ● 25C3 Running your own GSM network – H. Welte, Dieter Spaar ● 25C3 Attacking NFC mobile phones – Collin Mulliner
  • 21. 2009/1 ShmooCon Building an All Channel Bluetooth Monitor Michael All-Channel Ossmann and Dominic Spill ShmooCon Pulling a John Connor: Defeating Android Charlie Miller BH USA– Attacking SMS - Zane Lackey, Luis Miras – BH USA P Premiere at YSTS 3.0 (BR) i t 30 BH USA Fuzzing the Phone in your Phone - Charlie Miller, Collin Mulliner BH USA Is Your Phone Pwned? - Kevin Mahaffey, Anthony Lineberry & y, y y John Hering– BH USA Post Exploitation Bliss – BH USA Loading Meterpreter on a Factory iPhone - Vincenzo Iozzo & C a e Charlie Miller– e BH USA Exploratory Android Surgery - Jesse Burns DEFCON 17– Jailbreaking and the Law of Reversing - Fred Von Lohmann, Jennifer Granick– DEFCON 17 Hacking WITH the iPod Touch - Thomas Wilhelm DEFCON 17 Attacking SMS. It's No Longer Your BFF - Brandon Dixon DEFCON 17 Bluetooth, Smells Like Chicken - Dominic Spill, Michael Ossmann, Mark Steward
  • 22. 2009/2 BH Europe Fun and Games with Mac OS X and iPhone Payloads - Charlie Miller and Europe– Vincenzo Iozzo– BH Europe Hijacking Mobile Data Connections - Roberto Gassirà and Roberto Piccirillo– BH Europe Passports Reloaded Goes Mobile - Jeroen van Beek CanSecWest– The Smart-Phones Nightmare Sergio 'shadown' Alvarez CanSecWest - A Look at a Modern Mobile Security Model: Google's Android Jon Oberheide– CanSecWest - Multiplatform iPhone/Android Shellcode and other smart phone Shellcode, insecurities Alfredo Ortega and Nico Economou EuSecWest - Pwning your grandmother's iPhone Charlie Miller– HITB Malaysia - Bugs and Kisses: Spying on Blackberry Users for FunSheran Gunasekera Gunasekera– YSTS 3.0 / HITB Malaysia - Hacking from the Restroom Bruno Gonçalves de Oliveira PacSec - The Android Security Story: Challenges and Solutions for Secure Open Systems Rich Cannings & Alex Stamos DeepSec - Security on the GSM Air Interface David Burgess Harald Welte Burgess, DeepSec - Cracking GSM Encryption Karsten Nohl– DeepSec - Hijacking Mobile Data Connections 2.0: Automated and Improved Roberto Piccirillo, Roberto Gassirà– DeepSec - A practical DOS attack to the GSM network Dieter Spaar
  • 23. Overview on attacks (then we’ll jump straight to a few, single topics)
  • 24. ATTACKS & FRAUDS IN MOBILE ENVIRONMENTS
  • 25. A MORE COMPLICATED WORLD… [Diagram of technologies and standards: EMC, Virtual Networks, Video on demand, SES, Public safety, PTS, B-ISDN, TFTS, BRAN, DECT, VSAT, GSM, Intelligent Networks, SEC, ISO/BSI, ATM, UMTS, STQ, Teleworking, DTV, ERM, CTM, Testing Methods, Voice over Internet Protocol]
  • 26. ...WITH DIFFERENT STANDARDS, BUT A UNIQUE MARKET
  • 27. ...BUT THE THREAT IS GLOBAL
  • 28. PHREAKING TELCOS Phreaking is a slang term for the action of making a telephone system do something that it normally should not allow. Why would anyone do this?? “I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer.” Captain Crunch, from Secrets of the Little Blue Box, Esquire Magazine, October 1971
  • 30. A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/1 The “Phreaking” concept can be explained as “Hacking the phone line”; Since the 60’s, phreaking exploded all around the world; From those times, intrusion stories in telco environments became very common; In the following slides we will give you a summary of the various types of attacks that can be applied in Mobile Networks; Many of these attacks have been practically tested and demonstrated by our Tiger Team over the years.
  • 31. A QUICK OVERVIEW: ATTACKS ON MOBILE OPERATORS/2 Attacks have been classified into the following areas: RAN Attacks (Radio Access Network); TN Attacks (Transmission Network); NSS Attacks (Network Switched Network); IN Attacks (Intelligent Network); SMS/Messaging Attacks (SMS, VMS); MMS Attacks; NMS/OSS Attacks (Network Management System/Operations); ME & Billing GW Attacks (Mediation and Billing); LIS/LIG Attacks (Legal Interception System/Gateway); SS7 Attacks (Signalling System # 7); ..not forgetting the “old school” PSTN, ISDN and X.25 attacks
  • 32. THE NETWORK ELEMENTS Radio Access Network (BSS/RAN); Mobile Switching Center (MSC/NSS); Home Location Register (HLR/VLR); Intelligent Network (IN); Messaging (SMSC, MMSC, USSD, VMS); Packet data (GPRS, EDGE, 3G/UMTS); Network Management (NMS, OMC, OSS); Mediation, Billing, Customer Care, LIG
  • 33. MSC • Mobile Switching Center • Is probably the most important asset in a Mobile Operator • We will speak about the Vodafone Greece case shortly…
  • 34. GGSN • Ollie Whitehouse, around 2002/2003, successfully exploited Nokia GPRS‐related elements (GGSN, SGSN). • Result? DoS on all of your Data connections (Operator Level) if you run GPRS on Nokia’s HW (at that time, obviously). • Is it only Nokia? NO! ALL of them may be vulnerable.
  • 35. Web Applications Security • I’ve moved this to the last section, along with “evidences”. • Basically, the problem here is that the “standard players” (big 4, Accenture, etc etc) are often releasing insecure Web Applications. • Exposed to: – XSS/CSRF/etc – SQL Injection(s) – …whatever!
  • 37. In one shot ‐ Greece • Basically, what the hell happened? More than one hundred “VIP” mobile subscribers have been eavesdropped: Government members, Defense officials mainly, including the Greek Prime Minister, Foreign, Defence, Public Order officials, etc. Calls from and to +100 SIMs were diverted to 14 “pay‐as‐you‐go” mobile phones. Four BTS were “involved” in the area where these receiving SIMs were located. “Incidentally”, Athens US Embassy is right in the middle of them ☺ This was done via a high‐level hack of the Ericsson AXE GSM MSC: building a rootkit “parked” in the RAM area, since obviously the MSC was in “production” (!!!). “The Hack” was discovered on March 7th, 2005, by Ericsson technical staff. One year later at least. Maybe longer….nobody knows. On March 9th, a Vodafone “top technician” (KT) committed suicide. (Kostas Tsalikidis, 39 y.o., Head of Network Design). EYP (Hellas National Intelligence Agency) began investigating at once. Right now, no one has any idea about who did it and why.
  • 38. Profiling: Actors involved • Some elite hacker. – Retired Ericsson technical guy(s)? • Some seriously‐intentioned IA (CIA?). • Some historical and geo‐political situation (Carpe Diem). • Local politicians and National Secret Service • The Olympic Games? • The “best hack of 2005” prize. For sure.
  • 39. Targeted people (Vodafone Hellas/1) • GOVERNMENT TARGETS: Karamanlis, Kostas: Prime Minister of Greece (two phones of 20) [Elef. 3Feb]; Molyviatis, Petros: then Foreign Minister, a private phone [Elef. 3Feb]; Spiliotopoulos, Spilios: then Minister of Defense [Elef. 3Feb]; Voulgarakis, Giorgos: then Minister of Public Order [Elef. 3Feb]; Papaligouras, Anastasios: Minister of Justice [Elef. 3Feb]; Valinakis, Giannis: Alternate Foreign Minister [Elef. 3Feb]; Dimas, Stavros: EU Commissioner [Elef. 3Feb]; Bakoyianni, Dora: then Mayor of Athens [Elef. 3Feb]; Vallindas, Giorgos: Ambassador, Foreign Ministry Mideast Division Director [Elef. 3Feb]; Choreftaki, Glykeria: Foreign Ministry employee [Elef. 3Feb]; Papantoniou, Giannis: PASOK MP, ex Minister of Defense [Elef]; Apostolidis, Pavlos: then Head of Greek Intelligence Service (EYP), his car phone [Nea]; Karamanli, Natasha: wife of Prime Minister [Nea]; eight unidentified foreign ministry officials [Nea]; unnamed intelligence officials: EYP operations officers [Nea]; Korandis, Giannis: current EYP director, then Ambassador to Turkey, his private car phone [Nea 3‐16]; Molyviati, Lora: daughter of former Foreign Minister [Nea 3‐16]
  • 40. Targeted people (Vodafone Hellas/2) • POLICE/SECURITY TARGETS: Maravelis, Dimitris: Police officer in Olympic Security [Elef. 3Feb]; Maris, Giorgos: lawyer, legal advisor to Public Order Ministry [Elef. 3Feb]; Angelakis, Dimitris: Police in Olympic Security or EYP unionist [Elef. 3Feb]; Sontis, Theodore: U.S. Embassy Greek‐American, gave to security detail [Elef]; Kyriakakis, Evstratios: Former Director, Criminological Service, Greek Police [Ta Nea]; Galiatsos, G.: Director of Exercises, Athens Olympic Security [Ta Nea]; Mitropoulos, G.: Chief of Staff, Ministry of Public Order [Ta Nea]; Konstantinidis, V: Olympic Games Security Director [Ta Nea]; Nasiakos, Fotis: Former Chief, Greek Police (phone given to another) [Ta Nea]; Dimoschakis, An.: Chief of Staff, Greek Police [Ta Nea]; Syrros, St.: Former director of Counterterrorism division, Greek Police [Ta Nea]; Galikas, D.: Director of Counterterrorism Division, Greek Police [Ta Nea]; Angelakos, Giorgos: Chief of Greek Police [Ta Nea]; seven senior military: Senior officers in general staff [Ta Nea]; General Staff Communications Dir: Communications Director, chief of General Staff; Defense Ministry staffer: Defense Ministry staff company [Eleft 2/5]
  • 41. Targeted people (Vodafone Hellas/3) • FOREIGN CITIZEN TARGETS: Meim, Mohamad: Pakistani [Elef]; Moktar, Ramzi: Sudanese [Elef]; Maloum, Udin: Sudanese [Elef]; Jamal, Abdullah: Lebanon radio reporter or Syrian journalist, now fast food operator [Elef]; Sadik, Hussein Moh.: Pakistani store owner [Elef]; Tarek, Ibrahim Ahmet: Iraqi [Elef]; Kadir, Aris: Kurd [Elef]; Thair, Hermiz: Iraqi [Elef]; Ayoubi, Chadi: Lebanese al Jazeera reporter, Gr resident [Elef]; Basari, Mohamed: Iraqi immigrant Igoumenitsa, 3 years, furniture factory worker [Nea 3‐16]; Unnamed Syrian, 3 years [Nea 3‐16]; Unnamed Iraqi, 2 years [Nea 3‐16]
  • 42. Targeted people (Vodafone Hellas/4) • UNEXPLAINED TARGETS: Fergadis, Theodoros: businessman [Elef. 3Feb]; Kakotaritis, Giorgos: blanket factory? [Elef. 3Feb]; Linardos, Nikolaos: Pegasus financial co, underwear firm [Nea 3‐16]; Cretan businessman: shipper of remote control airplanes, including Souda Bay [Vima 3/25]; Cretan refrigeration tech: Refrigeration tech from Ag. Nikolaos Crete [Vima 3/25]; Koika, Katerina: journalist [Elef. 3Feb]; Psychogios, Giorgos: criminal lawyer, Thebes mayor candidate [Elef. 3Feb]; Makris, Kostas [Elef. 3Feb]; Barbarousi, Dimitra [Elef. 3Feb]; Notas, Anastasios [Elef]; Pavlidis, Pavlos [Elef]; Pnevmatikakis, Angelos [Elef]; unknown card phone 6942 5447.. Activated 2/28/05 [Vima 2/25]
  • 43. Conclusions • A “suicided” dead man here too… – Telecom Italia scandal (2005) – KGB/CCC (1989) • A very light negative image of Vodafone Hellas: the media didn’t hit the subject that much in the news coverage. • Obscure CIA links? • Rootkit Ericsson AXE MSC.
  • 44. 5 years later…. (2010) • What’s going on?!? • It happened that organized cybercrime gangs began realizing, since 2005, that it’s all about money….. • And, that the end‐user is an easier hack than a Corporate Telco (depends on the Telco, though! ;)
  • 45. Upcoming issues: targeting the end‐user with mobile dialers
  • 46. Uh? How did this happen??
  • 48. Let’s pick up one…
  • 55. So…we’re talking about Billing, right? That, to me, goes straight along with Mediation ☺
  • 56. MEDIATION AND BILLING Mediation is the process that converts and transports raw CDR data. It can also be used to translate provisioning commands to the NE. It is a critical part of the provisioning and billing cycles. Most convenient place to commit fraud.
  • 57. THE BILLING PROCESS [Architecture diagram of the billing process. Recoverable elements: network elements (MSC, HLR, AuC, SGSN, GGSN, SMSC, IN, VMS), Mediation System, Billing Gateway (BGW), Billing System & Golden Database, CRM Tool, bank and card payment interfaces, clearing house (TAP), credit check and credit scoring, Data Warehouse, bad debt database, SAP, POS, retail outlets and dealers, IVR/ACD call centre, printing, fraud and blacklist functions.]
  • 58. ATTACKS ON MEDIATION / BILLING Raw database edit: conveniently deletes selected records containing billing data; Modification of the charging tables in the billing system; Patching of the rater application to eliminate certain CDR, e.g. belonging to a given MSISDN; Backdoors in mediation gateways to remove CDR data; Confidential information on subscribers’ activities (numbers called, received, SMS, data, etc.); Modification of CDR processing rules; Modification of “test numbers” whitelist; Live patching of CDR data while in mediation queue; Patching of mediation application (e.g. loading scripts); GPRS packet aggregation rules modification.
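Several of the attacks on slide 58 (deleted records, a patched rater, edits in the mediation queue) leave the same trace: the CDRs that reach rating no longer match what the switch produced. The following reconciliation check is an added example, not part of the original slides. It assumes each CDR carries a per-switch sequence number and that an independent copy of the stream is taken at the switch interface; the field names and sample records are constructed.

```python
import hashlib
from collections import Counter

# Fields that determine the charge; changing any of them changes the digest.
CHARGED_FIELDS = ("switch", "seq", "msisdn", "called", "start", "duration")

def digest(cdr):
    """SHA-256 over the charging-relevant fields of one CDR (a dict)."""
    canonical = "|".join(str(cdr[f]) for f in CHARGED_FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()

def sequence_gaps(cdrs):
    """Holes in the per-switch sequence numbers: records deleted before
    or at the point where this copy of the CDR stream was taken."""
    seqs = {}
    for c in cdrs:
        seqs.setdefault(c["switch"], set()).add(c["seq"])
    gaps = {}
    for switch, seen in seqs.items():
        holes = sorted(set(range(min(seen), max(seen) + 1)) - seen)
        if holes:
            gaps[switch] = holes
    return gaps

def reconcile(collected, rated):
    """Compare CDRs collected from the switch with those that reached rating."""
    src = {(c["switch"], c["seq"]): c for c in collected}
    dst = {(c["switch"], c["seq"]): c for c in rated}
    missing = sorted(src.keys() - dst.keys())
    return {
        "missing": missing,                            # dropped in mediation
        "injected": sorted(dst.keys() - src.keys()),   # never produced by switch
        "altered": sorted(k for k in src.keys() & dst.keys()
                          if digest(src[k]) != digest(dst[k])),
        "missing_by_msisdn": Counter(src[k]["msisdn"] for k in missing),
    }

def cdr(seq, msisdn, duration, switch="MSC1"):
    """Build one constructed sample record (all values are made up)."""
    return {"switch": switch, "seq": seq, "msisdn": msisdn,
            "called": "000000000099", "start": "2010-12-04T10:00:00",
            "duration": duration}

# Constructed sample: copy taken at the switch interface (1004 already absent)
COLLECTED = [cdr(1001, "000000000001", 60), cdr(1002, "000000000002", 300),
             cdr(1003, "000000000002", 900), cdr(1005, "000000000003", 600),
             cdr(1006, "000000000001", 45)]
# ... and what arrived at the rating engine after mediation.
RATED = [cdr(1001, "000000000001", 60), cdr(1005, "000000000003", 6),
         cdr(1006, "000000000001", 45)]

if __name__ == "__main__":
    print("gaps at collection:", sequence_gaps(COLLECTED))
    for key, value in reconcile(COLLECTED, RATED).items():
        print(key, value)
```

A subscriber who dominates `missing_by_msisdn` is the pattern a rater patched to drop one MSISDN would produce; the check only has value if the collection-side copy is stored where mediation and billing administrators cannot edit it.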
  • 59. L.I.G./L.I.S. ATTACKS Legal Interception Gateway is used by police and intelligence agencies. Connected to MSC through a special interface. Very user‐friendly. Based on standard UNIX and TCP/IP, so potentially open to common attacks. Compromise of a LIG would allow real‐time interception and call eavesdropping. Could compromise the agencies’ own facilities. RAOUL, don’t forget to tell ‘em about the “911 Pentest”…. ;)
  • 60. SS7: the next nightmare • A Signalling & Billing (inter‐operators) protocol built in the 70’s and developed in the 80’s. • Why? LOL • …….‘cause Captain Crunch invented blue‐boxing, that was running in‐band. • So SS7 went “out‐of‐band”. • Simple (KISS)!
  • 61. SS7 SIGNALLING Mobile networks primarily use Signalling System no. 7 (SS7) for communication between networks for such activities as authentication, location update, and supplementary services and call control. The messages unique to mobile communications are MAP messages. The security of the global SS7 network as a transport system for signalling messages e.g. authentication and supplementary services such as call forwarding is open to major compromise. The problem with the current SS7 system is that messages can be altered, injected or deleted into the global SS7 networks in an uncontrolled manner.
  • 62. EXAMPLES OF SS7 ATTACKS Theft of service, interception of calling cards numbers, privacy concerns; Introduce harmful packets into the national and global SS7 networks; Get control of call processing, get control of accounting reports; Obtain credit card numbers, non‐listed numbers, etc.; Messages can be read, altered, injected or deleted; Denial of service, security triplet replay to compromise authentication; Annoyance calls, free calls, disruption of emergency services; Capture of gateways, rerouting of call traffic; Disruption of service to large parts of the network; Call processing exposed through Signaling Control Protocol; Announcement service exposed to IP through RTP; Disclosure of bearer channel traffic.
  • 64. SS7: A CLOSED NETWORK With a limited number of carriers and limited points of interconnection, the operators could assume with fair certainty that all of the elements passing data were trusted sources. Unlike IP protocols, security features like authentication and encryption were not built into the SS7 protocol. Rather, the focus has been placed on creating secure physical environments for the network equipment rather than secure protocols. STPs, the routers of the SS7 network, perform gateway screening to prohibit inbound and outbound messages from unauthorized nodes. The addresses of individual nodes within a network are isolated. Global title translation (GTT) enables a network to receive messages from other networks without disclosing the unique addresses, called point codes, of its own nodes.
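The gateway screening described on slide 64 can be modelled as a rule table applied to each message arriving on an interconnect linkset. This is an added example, not part of the original slides, and it covers the inbound direction only; the linkset names, point codes and policy are constructed assumptions for a hypothetical operator.

```python
from collections import Counter
from dataclasses import dataclass

SI_SCCP, SI_ISUP = 3, 5   # MTP3 service indicator values

@dataclass(frozen=True)
class MSU:
    linkset: str   # interconnect linkset the message arrived on
    opc: str       # originating point code
    dpc: str       # destination point code
    si: int        # service indicator (which user part the message carries)

# Constructed policy for a hypothetical operator (all values are assumptions).
OWN_POINT_CODES = {"2-010-1", "2-010-2", "2-010-3"}
GATEWAY_DPCS = {"2-010-1"}   # the only node other networks may address directly
ALLOWED = {
    "ls-partner-a": {"opc": {"3-020-1"}, "si": {SI_SCCP, SI_ISUP}},
    "ls-partner-b": {"opc": {"4-030-5", "4-030-6"}, "si": {SI_SCCP}},
}

R_LINKSET = "unknown linkset"
R_SPOOF = "internal OPC on external linkset"
R_OPC = "OPC not authorised on this linkset"
R_DPC = "DPC is an internal node, not the gateway"
R_SI = "service indicator not agreed for this linkset"

def screen(msu):
    """Return (allowed, reason) for one inbound message."""
    rule = ALLOWED.get(msu.linkset)
    if rule is None:
        return False, R_LINKSET
    if msu.opc in OWN_POINT_CODES:
        return False, R_SPOOF       # nobody outside may claim to be one of our nodes
    if msu.opc not in rule["opc"]:
        return False, R_OPC
    if msu.dpc not in GATEWAY_DPCS:
        return False, R_DPC         # internal point codes stay hidden behind GTT
    if msu.si not in rule["si"]:
        return False, R_SI
    return True, "ok"

def screen_all(msus):
    """Screen a batch; return (passed messages, Counter of reject reasons)."""
    passed, reasons = [], Counter()
    for msu in msus:
        ok, reason = screen(msu)
        if ok:
            passed.append(msu)
        else:
            reasons[reason] += 1
    return passed, reasons

# Constructed sample traffic.
SAMPLE = [
    MSU("ls-partner-a", "3-020-1", "2-010-1", SI_ISUP),  # legitimate
    MSU("ls-partner-a", "2-010-2", "2-010-1", SI_SCCP),  # claims an internal OPC
    MSU("ls-partner-b", "3-020-1", "2-010-1", SI_SCCP),  # partner A's code on B's linkset
    MSU("ls-partner-b", "4-030-5", "2-010-3", SI_SCCP),  # addresses an internal node
    MSU("ls-partner-b", "4-030-6", "2-010-1", SI_ISUP),  # user part not agreed
    MSU("ls-unknown", "4-030-5", "2-010-1", SI_SCCP),    # linkset without a rule
]

if __name__ == "__main__":
    passed, reasons = screen_all(SAMPLE)
    print(len(passed), "passed;", dict(reasons))
```

Screening of this kind checks only where a message claims to come from and where it is going; it does not authenticate the sender or inspect what the message asks for, which is the gap slides 61 and 62 describe.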
  • 67. WI-FI: HW TOOLS FOR PROACTIVE SECURITY
  • 68. CDR FILES FROM MEDIATION AREA XXX8557710<X81>^F<X81>3<X83>Uw^A<C/>^U<X80>^A^@<X81>^A^A<X82>^A^ @<X83> XXX2199557<X83>^F<X81>3#<PU1>Yu<IND>^C^C^F <NEL>^C^O$<ESC><SSA>^A^A<ESA>^C^C^F<VT><HTS>^C^O$<ESC><HTJ>^B^@<PL U><VTS>^A^@<<<>^F<X80>^A^X<X81>^A^@<PLU>^A^@ <SS2>^A^@<PU1>^B^A<o^><PU2>^A^B<3^>^U<X80>^A^@<X81>^A^A<X82>^A^@ <X83> 68
  • 70. SMS TRAFFIC LOG FROM SMSC (c) 2004, @ Mediaservice.net Srl, DSDLAB
  • 71. PROCESSED SMS: “FROM” & “TO”
  • 72. SMS PROCESSING QUEUE
  • 73. SNIFFING ON “IN PROGRESS” SMSs
  • 79. Contacts • Raoul Chiesa, Senior Advisor, Strategic Alliances & Cybercrime Issues, UNICRI – United Nations Interregional Crime & Justice Research Institute; @ Mediaservice.net, Founder. Email: chiesa@UNICRI.it (UN), raoul@mediaservice.net (business)