Five Nightmares for a Telecom
Dmitry Kurbatov
Information security specialist
Positive Technologies
Positive Hack Days III
Agenda
― Physical access to a base station network
― OSS vulnerabilities
― Attacks on GGSN, something about GRX
― How to lose 1.5 million with VoIP in a DAY
― VAS vulnerabilities
Physical access to a base station network
Access networks for base stations
― Before: from ATM to SDH/SONET, DSL
Access network
Access networks for base stations
― Now: IP/MPLS, metro Ethernet
In the same wire
― Voice and data
― Device management channel
HTTP/HTTPS, Telnet/SSH, MML
Device management protocols
― Insecure HTTP, Telnet
― MML (man-machine language) ~ Telnet
Clear text: logins/passwords
Physical access
― How to get access and what to do next?
Attacks in Ethernet networks
― ARP spoofing
― No protection against gratuitous ARP
Results
Clear text: login/password
Command execution
Go further
A single IP subnet
BSC/RNC
― Radio resources management
― Mobility
― User data encryption
OS
Windows
Linux
Services
RDP
SSH
MML/telnet
No patches
With Defaults
Real life
― Too many devices
― Equal/weak passwords
― Default accounts
OSS vulnerabilities
Operation support subsystem
Web interface
Client application
XML External Entity Injection
― “XML Data retrieval” by Yunusov and Osipov on
― Data retrieval
“All like it”
Example
Request for OSS
/etc/shadow
in response
Go further
― Bruteforce hashes from /etc/shadow
― OSS access with administrative privileges
Operation support subsystem
― Are as vulnerable as any other software
― Is there patch management?
Timeline diagram: vulnerability detected, fixes developed, vulnerability and fixes issued (? ?)
Chart values as extracted (category mapping not recoverable from the text): 137, 114, 46, 3, 6, 28, 12, 22, 26, 13, 5
Vulnerabilities by type
Denial of Service
Code Execution
Buffer Overflow
Memory Errors
SQL Injection
Cross-Site Scripting
Directory Traversal
Restriction Bypass
Information Disclosure
Privilege Escalation
Cross-Site Request Forgery
Attacks on GGSN, something about GRX
Theory
Service delivery
Mobility
Firewalling
VPN for a corporate client
ACL
inspect
???
GRX
GRX. Basics
• Open for all providers
• High quality (QoS)
• All in IP: easy support for SIP, RTP, GTP, SMTP, SIGTRAN
• ... something more
• Secure, meaning fully separated from the Internet, both physically and logically
Real life
Arguments
GTP
― No embedded security functions
― No integrity
― No data encryption
Diagram: spoofed GTP PDP Context Activate/Delete
What is to be done?
― Monitor perimeter
― Configure GGSN correctly
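As an added example (not from the talk), a small GTPv1-C header parser that implements the "monitor perimeter" point: it flags Create/Delete PDP Context requests arriving from sources outside a hypothetical GRX peer allowlist. Message type values and the header layout follow 3GPP TS 29.060; the allowlist range and the sample packets are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# GTPv1-C message types (3GPP TS 29.060) that set up or tear down a PDP context.
WATCHED = {16: "Create PDP Context Request", 20: "Delete PDP Context Request"}

# Hypothetical allowlist of roaming-partner GRX ranges (constructed for this example).
GRX_PEERS = [ip_network("198.51.100.0/24")]

@dataclass
class GtpHeader:
    msg_type: int
    length: int   # bytes following the mandatory 8-byte header
    teid: int
    seq: Optional[int]

def parse_gtpv1_header(data: bytes) -> GtpHeader:
    """Parse the mandatory 8-byte GTPv1 header and the optional sequence number."""
    if len(data) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:                      # top three bits carry the version
        raise ValueError(f"unsupported GTP version {flags >> 5}")
    seq = None
    if flags & 0x07:                         # E, S or PN set: 4 optional bytes follow
        if len(data) < 12:
            raise ValueError("truncated optional header fields")
        seq = struct.unpack("!H", data[8:10])[0]
    return GtpHeader(msg_type, length, teid, seq)

def check_gtpc(src_ip: str, data: bytes) -> Optional[str]:
    """Alert on PDP-context signalling that does not come from an allowlisted GRX peer."""
    hdr = parse_gtpv1_header(data)
    if hdr.msg_type not in WATCHED:
        return None
    if any(ip_address(src_ip) in net for net in GRX_PEERS):
        return None
    return f"{WATCHED[hdr.msg_type]} (TEID 0x{hdr.teid:08x}, seq {hdr.seq}) from {src_ip}"

def sample_gtpc(msg_type: int, teid: int = 0, seq: int = 1) -> bytes:
    """Constructed GTPv1-C packet: flags 0x32 = version 1, PT=1, S=1 (sequence present)."""
    optional = struct.pack("!HBB", seq, 0, 0)   # sequence, N-PDU number, next ext type
    return struct.pack("!BBHI", 0x32, msg_type, len(optional), teid) + optional

if __name__ == "__main__":
    print(check_gtpc("203.0.113.9", sample_gtpc(16)))   # outside GRX: alert
    print(check_gtpc("198.51.100.7", sample_gtpc(16)))  # GRX peer: None
```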
Results
― No time for “usual” security?
― Useful functions are often ignored
How to lose 1.5 million with VoIP in a DAY
True story: SoftSwitch
• call service management
• signalling
• etc.
VoIP
Anywhere
Fraud
Diagram: VoIP calls routed to Cuba ($$$)
Investigation
Diagram: VoIP to Cuba; an additional IP in the client profile
Investigation
― Company’s engineer?
Web interface
Account: admin
Pass: default
Web access
Investigation goes further
― Software was updated
― There were deb packages on the server
Script to LOAD “some” DATA INTO Auth_table
Here is default administrator
Scheme
1) Information
2) Experience
3) Business ability
4) $$$
Diagram: vulnerability after updating, configuration modification, VoIP to Cuba
Questions still remain
― Who created this deb package?
― Who was able to understand the routing table?
― How many providers suffer?
IS audit required?
VAS vulnerabilities
Additional services
― Good ideas
― Joy for clients
― Low quality
― Vulnerabilities
― Possibility to steal money
Incident
― Attack against self-service portal
― Account bruteforce
― Service installation
Investigation
― Analysis of a web server event log
Attacker’s IP address
Investigation
― Source and used scripts are found
Service installation
Service confirmation
Log in to the portal with the account
CAPTCHA Bypass
― The self-service portal incorrectly uses CAPTCHA
― CAPTCHA is not implemented in similar mobile applications
Scheme
Insufficient Authentication
Summary
― A telecom provider is a huge and complex system
― Only 5 hack incidents
― How many more options?
Optimistically
― Open Source solutions and research capabilities
― More audits
― Vulnerability databases
― Scanners and compliance management systems
Thank you for your attention!
Dmitry Kurbatov
dkurbatov@ptsecurity.ru
Information security specialist
Positive Technologies