Presentation Material
Abstract
There are ongoing attacks on telecom operators and on other major organizations that use telecom networks. Such attacks abuse signaling protocols and take advantage of nodes exposed on the Internet or of core nodes reachable from the user side.
Attackers not only use the well-known signaling protocol vulnerabilities to attack organizations; it is even possible to gain access to the operator's core network by violating traffic policies and exploiting signaling protocols. Telecom operators need to step up their implementation of end-to-end security by design.
In this talk, we will go through a high-level telecom network architecture and the critical nodes with their respective functions. We will discuss various ways to access telecom networks and explain the methodology for gaining an initial foothold inside the telecom network.
We will present examples of what a complex attack on a telco would look like, including mapping the core network components and exploiting protocol-level vulnerabilities in SS7 and GTPv2.
We will also include live demonstrations of attacks using SigPloit, a signaling exploitation framework authored by us, and will discuss best practices for reducing the attack surface.
AI Generated Summary (may contain errors)
The speaker discusses a potential attack scenario on mobile networks using GTP (GPRS Tunneling Protocol) version 2, which is used in 4G/LTE networks. The attacker can generate a fake GTP request to send traffic to the PGW (PDN Gateway), leading to an overbilling attack. The speaker highlights that mobile operators often neglect to implement basic security measures, such as segregating network traffic, hardening nodes, and implementing basic filtering.
To mitigate these attacks, the speaker recommends several best practices:
- Network traffic segregation: Separate subscriber traffic from core network traffic.
- Segregate management interfaces: Limit access to management interfaces to authorized personnel only.
- Configuration reviews: Regularly review configurations to ensure security.
- Node hardening: Implement strong password policies and limit access to nodes.
- Basic filtering: Implement filtering on core routers to prevent unauthorized traffic.
- Monitoring: Monitor network traffic for anomalies and suspicious behavior.
- Threat modeling: Consider potential threats when designing and integrating new solutions.
The speaker also answers a question about establishing a GTP session, explaining that tunnel endpoint identifiers (TEIDs) are assigned by the receiving node, in this case, the PGW.
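The TEID answer above and the earlier point about fake GTP requests reaching the PGW are easier to see in a concrete exchange. The following is an added example, not code from the talk or from SigPloit: a simplified GTPv2-C Create Session Request/Response between an SGW and a PGW, encoded with the real header layout, message types, F-TEID IE type and interface-type values from 3GPP TS 29.274. The addresses, TEIDs, sequence numbers and the tiny PGW model (which refuses any message whose header TEID it never issued) are constructed for illustration.

```python
"""GTPv2-C Create Session exchange between an SGW and a PGW (simplified).

Constructed example; not SigPloit or 3GPP reference code. Header layout, message
types, IE type 87 and interface-type values follow 3GPP TS 29.274; the addresses,
TEIDs and sequence numbers are made up.
"""
import socket
import struct

GTPV2_VERSION = 2
FLAG_TEID_PRESENT = 0x08          # T bit in octet 1 of the header
CREATE_SESSION_REQUEST = 32
CREATE_SESSION_RESPONSE = 33
IE_FTEID = 87                     # Fully Qualified TEID IE
IFACE_S5S8_SGW_GTPC = 6           # F-TEID interface type: S5/S8 SGW GTP-C
IFACE_S5S8_PGW_GTPC = 7           # F-TEID interface type: S5/S8 PGW GTP-C


def build_fteid_ie(iface_type, teid, ipv4, instance=0):
    """Encode an F-TEID IE with an IPv4 address (V4 bit set, V6 clear)."""
    value = bytes([0x80 | iface_type]) + struct.pack("!I", teid) + socket.inet_aton(ipv4)
    return struct.pack("!BHB", IE_FTEID, len(value), instance & 0x0F) + value


def build_message(msg_type, teid, seq, ies):
    """GTPv2-C header with T=1: flags, type, length, TEID, 3-byte sequence, spare."""
    body = struct.pack("!I", teid) + struct.pack("!I", seq)[1:] + b"\x00" + b"".join(ies)
    flags = (GTPV2_VERSION << 5) | FLAG_TEID_PRESENT
    return struct.pack("!BBH", flags, msg_type, len(body)) + body


def parse_message(pkt):
    """Decode the header and any F-TEID IEs; raise ValueError on malformed input."""
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != GTPV2_VERSION or not flags & FLAG_TEID_PRESENT:
        raise ValueError("not a GTPv2-C message carrying a TEID")
    if len(pkt) != 4 + length:
        raise ValueError("length field does not match packet size")
    teid = struct.unpack("!I", pkt[4:8])[0]
    seq = int.from_bytes(pkt[8:11], "big")
    fteids, pos = [], 12
    while pos < len(pkt):
        ie_type, ie_len, inst = struct.unpack("!BHB", pkt[pos:pos + 4])
        value = pkt[pos + 4:pos + 4 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated IE")
        if ie_type == IE_FTEID:
            if not value[0] & 0x80:
                raise ValueError("only IPv4 F-TEIDs handled in this example")
            fteids.append({"instance": inst & 0x0F, "iface": value[0] & 0x3F,
                           "teid": struct.unpack("!I", value[1:5])[0],
                           "ipv4": socket.inet_ntoa(value[5:9])})
        pos += 4 + ie_len
    return {"type": msg_type, "teid": teid, "seq": seq, "fteids": fteids}


class PGW:
    """Minimal PGW control plane: hands out its own TEID per session and drops
    any later message whose header TEID it never allocated (a basic filter)."""

    def __init__(self, ipv4):
        self.ipv4 = ipv4
        self.sessions = {}                 # PGW-assigned TEID -> (SGW TEID, SGW IP)
        self._next_teid = 0x70000001       # made-up allocation scheme

    def handle(self, pkt):
        msg = parse_message(pkt)
        if msg["type"] == CREATE_SESSION_REQUEST:
            # The SGW cannot know a PGW TEID yet, so the initial request carries 0.
            if msg["teid"] != 0:
                raise ValueError("Create Session Request must use header TEID 0")
            sender = next((f for f in msg["fteids"] if f["iface"] == IFACE_S5S8_SGW_GTPC), None)
            if sender is None:
                raise ValueError("missing Sender F-TEID for Control Plane")
            pgw_teid, self._next_teid = self._next_teid, self._next_teid + 1
            self.sessions[pgw_teid] = (sender["teid"], sender["ipv4"])
            # Reply to the SGW's TEID; the PGW F-TEID IE (instance 1) is the TEID the
            # SGW must put in the header of every later message for this session.
            return build_message(CREATE_SESSION_RESPONSE, sender["teid"], msg["seq"],
                                 [build_fteid_ie(IFACE_S5S8_PGW_GTPC, pgw_teid, self.ipv4, 1)])
        if msg["teid"] not in self.sessions:
            raise ValueError("unknown TEID 0x%08x: dropped" % msg["teid"])
        return None


def is_accepted(pgw, pkt):
    """True if the PGW processes the message, False if it rejects it."""
    try:
        pgw.handle(pkt)
        return True
    except ValueError:
        return False


def run_exchange():
    """Constructed S5/S8 exchange: SGW 10.1.1.2 sets up a session on PGW 10.1.1.1."""
    pgw = PGW("10.1.1.1")
    sgw_teid = 0x1A2B3C4D
    request = build_message(CREATE_SESSION_REQUEST, 0, 1,
                            [build_fteid_ie(IFACE_S5S8_SGW_GTPC, sgw_teid, "10.1.1.2")])
    response = parse_message(pgw.handle(request))
    pgw_teid = next(f["teid"] for f in response["fteids"] if f["iface"] == IFACE_S5S8_PGW_GTPC)
    return {"sgw_teid": sgw_teid, "response_header_teid": response["teid"],
            "pgw_assigned_teid": pgw_teid, "pgw": pgw}


if __name__ == "__main__":
    print(run_exchange())
```

Each side assigns the TEID it wants to receive on: the request carries the SGW's TEID in the Sender F-TEID IE and 0 in the header, and the response carries the SGW's TEID in the header and the PGW's newly assigned TEID in its F-TEID IE. A node that already has a session table can cheaply drop messages whose header TEID it never issued, which is one piece of the "basic filtering" the speaker recommends.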