Hacking Communication System Akib Sayyed akibsayyed@gmail.com

About Me Telecom Security Researcher Spoke at NullCon 2012 Works on SDR ,GNURADIO Certified Psycho 

About Company Payatu Technologies Pvt. Ltd. Boutique Security Testing Company Blackbox/Product/Web/Mobile Audits Security Trainings Organizers of nullcon Security Conference

What are we looking at Hacking GSM Hacking Core Telecom Network

Hacking GSM

What can we do with GSM Listen Call Impersonate some1’s Identity Track Location

Listening to Calls More like a Rocket Science Till 2006 People built own crackers and interceptors Some of them are open source Easy to build Open Source Software and Hardware available to receive data and Crack encryption.

Cost for 1 Interceptor 1500 Rs Phone 20000 Rs hard disk with rainbow tables 20000 Rs worth Computer Home Made Software + Open Source Code And your interceptor is ready

Protecting Calls Upgrade encryption Standard Allow A5/3 Randomize SI and Padding End to End Call encryption Use 3G :P

Impersonating Use some’1s identity while making request to network This allows one to impersonate identity of some1else. Can Make/ Receive Calls Send/Receive SMS Divert Calls

Protection Against Impersonating End User Cannot do anything Operator Need to work on same Authenticate Calls Authenticate SMS Authenticate USSD Request

Hacking Core Network (SS7 and SIGTRAN)

Core Network in Telco Image Credits : http://www.gl.com

Core Network 2G /3G Based on SS7/SIGTRAN and IP In simple words Either TDM(T1/E1) or IP (SCTP/TCP IP) No authentication (No User Name and Password) (on SS7)

SS7 is used for Carry Voice SMS USSD (Unstructured Supplementary Service Data ) Call Handling Operation and Maintenance Mobility Services Location Management ......

SS7 /SIGTRAN Stack Image Credit : Mobicents

Protocols in SS7/Sigtran MTP1/2/3,M3UA SCCP -> Signalling Connection Control Part TCAP -> Transaction Capability Application Part ISUP -> ISDN User Part MAP -> Mobile Application Part CAP ->Camel Application Part INAP-> Intelligent Network Application Part

MTP1/2/3 And M3UA Provides physical , data link layer and Network layer MTP1 = Message Transfer part 1 MTP2 = Message Transfer part 2 MTP3 = Message Transfer part 3 M3UA = MTP3 User Adaption Layer

SCCP /TCAP Signalling Connection Control Part Provides Extended Routing , Flow Control ,Connection Oriented /Connection less Relies on MTP for basic routing and error correction Transaction Capability Application Part Facilitate Multiple Concurrent dialog Between Same SSN More like session handler

MAP Mobile Application Part SMS USSD Call Handling , Routing Location Management

CAP Camel Application Part Intelligent Network Application Part Used when subscriber is roaming Allow home network to monitor and control calls made by subscriber Intelligent Network Application Part

Routing in SS7 Based on PC (Point Code) == LAN IP Based on GT (Global Title) == WAN IP SSN (Sub System Number) == Port Number STP(Signalling Transfer Point) == Router SSP (Service Switching Point) SCP (Service control point)

Routing based on Point Code Image Credit : Cisco

Routing Based on GTT Image Credit : Cisco

Routing based on GTT Image Credit : Cisco

Where we can attack SCCP- Signalling Connection Control Part TCAP- Transaction Capabilities Application Part ISUP – ISDN user part MAP – Mobile application part CAP - Camel Application part INAP- Intelligent network application part

Some Example of Attacks Purging MS from HLR Insert Subscriber Data Delete Subscriber Data Send Authentication info Flood Send Routing info Exposes IMSI of subscriber Hostile Location Update Cancel Location Update MAP ATI exposes Location of subscriber

How to protect network Check if network is vulnerable to such attack We have our own proprietary tool for doing same Perform filtering of non required message at point code level or STP level Use SS7 Firewall /IDS

DEMO

Thanks Questions