Slide1
Hacking Communication System
Akib Sayyed
akibsayyed@gmail.com
Slide2
About Me
Telecom Security Researcher
Spoke at NullCon 2012
Works on SDR, GNU Radio
Certified Psycho
Slide3
About Company
Payatu Technologies Pvt. Ltd.
Boutique Security Testing Company
Blackbox/Product/Web/Mobile Audits
Security Trainings
Organizers of nullcon Security Conference
Slide4
What are we looking at
Hacking GSM
Hacking Core Telecom Network
Slide5
Hacking GSM
Slide6
What can we do with GSM
Listen to calls
Impersonate someone's identity
Track location
Slide7
Listening to Calls
More like rocket science until 2006
People built their own crackers and interceptors
Some of them are open source
Easy to build
Open source software and hardware are available to receive data and crack encryption.
Slide8
Cost for 1 Interceptor
1500 Rs Phone
20000 Rs hard disk with rainbow tables
20000 Rs worth Computer
Home Made Software + Open Source Code
And your interceptor is ready
Slide9
Protecting Calls
Upgrade encryption Standard
Allow A5/3
Randomize SI and Padding
End to End Call encryption
Use 3G :P
Slide10
Impersonating
Use someone's identity while making a request to the network
This allows one to impersonate the identity of someone else.
Can:
Make/Receive Calls
Send/Receive SMS
Divert Calls
Slide11
Protection Against Impersonating
The end user cannot do anything
The operator needs to work on this
Authenticate Calls
Authenticate SMS
Authenticate USSD Request
Slide12
Hacking Core Network
(SS7 and SIGTRAN)
Slide13
Core Network in Telco
Image Credits: http://www.gl.com
Slide14
Core Network 2G /3G
Based on SS7/SIGTRAN and IP
In simple words: either TDM (T1/E1) or IP (SCTP / TCP/IP)
No authentication (no user name and password) on SS7
Slide15
SS7 is used for
Carry Voice
SMS
USSD (Unstructured Supplementary Service Data)
Call Handling
Operation and Maintenance
Mobility Services
Location Management
...
Slide16
SS7 /SIGTRAN Stack
Image Credit: Mobicents
Slide17
Protocols in SS7/Sigtran
MTP1/2/3, M3UA
SCCP -> Signalling Connection Control Part
TCAP -> Transaction Capabilities Application Part
ISUP -> ISDN User Part
MAP -> Mobile Application Part
CAP -> CAMEL Application Part
INAP -> Intelligent Network Application Part
Slide18
MTP1/2/3 And M3UA
Provide the physical, data link and network layers
MTP1 = Message Transfer Part 1
MTP2 = Message Transfer Part 2
MTP3 = Message Transfer Part 3
M3UA = MTP3 User Adaptation Layer
Slide19
SCCP /TCAP
Signalling Connection Control Part
Provides extended routing, flow control, and connection-oriented / connectionless service
Relies on MTP for basic routing and error correction
Transaction Capabilities Application Part
Facilitates multiple concurrent dialogs between the same SSN
More like a session handler
Slide20
MAP
Mobile Application Part
SMS
USSD
Call Handling, Routing
Location Management
Slide21
CAP
CAMEL Application Part
Used when the subscriber is roaming
Allows the home network to monitor and control calls made by the subscriber
Intelligent Network Application Part
Slide22
Routing in SS7
Based on PC (Point Code) == LAN IP
Based on GT (Global Title) == WAN IP
SSN (Subsystem Number) == Port Number
STP (Signalling Transfer Point) == Router
SSP (Service Switching Point)
SCP (Service Control Point)
Slide23
Routing based on Point Code
Image Credit: Cisco
Slide24
Routing based on GTT
Image Credit: Cisco
Slide25
Routing based on GTT
Image Credit: Cisco
Slide26
Where we can attack
SCCP - Signalling Connection Control Part
TCAP - Transaction Capabilities Application Part
ISUP - ISDN User Part
MAP - Mobile Application Part
CAP - CAMEL Application Part
INAP - Intelligent Network Application Part
Slide27
Some Example of Attacks
Purging MS from HLR
Insert Subscriber Data
Delete Subscriber Data
Send Authentication Info flood
Send Routing Info exposes IMSI of subscriber
Hostile Location Update
Cancel Location Update
MAP ATI exposes location of subscriber
Slide28
How to protect network
Check whether the network is vulnerable to such attacks
We have our own proprietary tool for doing the same
Filter non-required messages at point code level or STP level
Use an SS7 firewall / IDS
Slide29
DEMO
Slide30
Thanks
Questions
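
One way to express the message filtering recommended on the "How to protect network" slide, added here as an example and not taken from the original deck or from the presenter's tool: it screens MAP operations arriving on an interconnect link against the attack list above. The policy sets, GT prefixes, IMSIs and sample traffic are constructed assumptions; the operation codes are those of 3GPP TS 29.002.

```python
from collections import Counter

# MAP operation codes (3GPP TS 29.002) for the operations named on the attack slide.
MAP_OPS = {2: "updateLocation", 3: "cancelLocation", 7: "insertSubscriberData",
           8: "deleteSubscriberData", 22: "sendRoutingInfo",
           56: "sendAuthenticationInfo", 67: "purgeMS", 71: "anyTimeInterrogation"}
# Assumed screening policy (not from the slides); a real one follows roaming agreements.
INTERNAL_ONLY = {22, 71}       # no partner network needs to send these to us
HOME_HLR_ONLY = {3, 7, 8}      # only the subscriber's home network may send these
SAI_LIMIT = 3                  # sendAuthenticationInfo allowed per calling GT per batch
OWN_GT_PREFIX = "99901"        # constructed numbering for "our" network
HOME_GT_BY_IMSI = {"00101": "99901", "00102": "99902"}  # IMSI MCC+MNC -> home GT prefix

def screen(msg, sai_seen, current_vlr):
    """Return (verdict, reason) for one interconnect MAP message (calling GT, opcode, IMSI)."""
    gt, op, imsi = msg
    if gt.startswith(OWN_GT_PREFIX):
        return "drop", "own GT presented on interconnect link"
    if op not in MAP_OPS:
        return "drop", "operation not on the interconnect allow-list"
    if op in INTERNAL_ONLY:
        return "drop", MAP_OPS[op] + " is internal-only"
    if op in HOME_HLR_ONLY and not gt.startswith(HOME_GT_BY_IMSI.get(imsi[:5], "?")):
        return "drop", MAP_OPS[op] + " not from the subscriber's home network"
    if op == 67 and current_vlr.get(imsi) != gt:
        return "drop", "purgeMS from a VLR that is not serving the subscriber"
    if op == 56:
        sai_seen[gt] += 1
        if sai_seen[gt] > SAI_LIMIT:
            return "drop", "sendAuthenticationInfo rate limit exceeded"
    return "pass", "allowed"

def run(messages, current_vlr):
    """Screen a batch in order, sharing one per-GT counter for the rate limit."""
    sai_seen = Counter()
    return [screen(m, sai_seen, current_vlr) for m in messages]

# Constructed sample traffic: OURS is a home subscriber roaming abroad, GUEST an inbound roamer.
OURS, GUEST = "001010000000001", "001020000000007"
SERVING_VLR = {OURS: "99902000001"}
SAMPLE = [("99902000001", 71, OURS),    # location query from another network
          ("99902000001", 7, GUEST),    # home HLR updating its own roamer
          ("99903000009", 8, GUEST),    # third network deleting subscriber data
          ("99902000001", 67, OURS),    # purge sent by the serving VLR
          ("99903000009", 67, OURS),    # purge sent by an unrelated GT
          ("99901000005", 2, OURS),     # our own GT arriving from outside
          *([("99903000009", 56, OURS)] * 4)]  # burst of authentication requests

for msg, (verdict, reason) in zip(SAMPLE, run(SAMPLE, SERVING_VLR)):
    print(verdict.upper(), MAP_OPS.get(msg[1], msg[1]), "from", msg[0], "-", reason)
```

A hostile updateLocation from a partner GT still passes this filter, because judging it needs location plausibility state that this example does not keep.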