1. Five Nightmares for a Telecom
Dmitry Kurbatov
Information security specialist
Positive Technologies
Positive Hack Days III
2. Agenda
― Physical access to a base station network
― OSS vulnerabilities
― Attacks on GGSN, something about GRX
― How to lose 1,5 million with VoIP in a DAY
― VAS vulnerabilities
20. Operation support subsystem
― As vulnerable as any other software
― Is there patch management?
[Figure: timeline with the stages "Vulnerability detected", "Fixes developed", "Vulnerability and fixes issued", and two "?" marks]
Vulnerabilities by type (chart)
Values shown: 137, 114, 46, 3 6, 28, 12, 22 26, 13, 5
Categories:
Denial of Service
Code Execution
Buffer Overflow
Memory Errors
SQL Injection
Cross-Site Scripting
Directory Traversal
Restriction Bypass
Information Disclosure
Privilege Escalation
Cross-Site Request Forgery
25. GRX. Basics
• Open for all providers
• High quality (QoS)
• All in IP – easy support for SIP, RTP, GTP, SMTP, SIGTRAN
• … something more
• Secure, meaning fully separated from the Internet, both physically and logically.
37. Investigation goes further
― Software was updated
― There were deb packages on the server
Script to LOAD “some” DATA INTO Auth_table
Here is the default administrator
39. Questions still remain
― Who created this deb package?
― Who was able to understand the routing table?
― How many providers suffer?
IS audit required?
48. Summary
― Telecom provider is a huge and complex system
― Only 5 hack incidents
― How many more options?
49. Optimistically
― Open Source solutions and research capabilities
― More audits
― Vulnerability databases
― Scanners and compliance management systems
50. Thank you for your attention!
Dmitry Kurbatov
dkurbatov@ptsecurity.ru
Information security specialist
Positive Technologies