TAG | 3G
Greetings from Heidelberg to Paris,
and thanks for a great time at HES14! A nice venue (a museum), sweet talks and stacks of spirit carried us through the three day con. It all set off with a keynote byTROOPERs veteran Edmond ‘bigezy’ Rogers, who stuck to a quite simple principle: “People do stupid things” and I guess every single one of you has quite a few examples for that on offer. Next to every speaker referenced that statement at some point during her/his talk. Furthermore we presented an updated version of our talk LTE vs. Darwin, covering our research of security in LTE networks and potential upcoming problems.
For those who missed HES2014, we prepared a short summary of some of the talks that inspired us.
as some of you may have noticed, just recently at ShmooCon we gave our talk “LTE vs. Darwin” (Slides here). There we presented some results of our research in 4G telco network security. Some of those originate from our research contribution to ASMONIA, but we expanded the scope and also took a look at the air interface. Both the air interface and the backend links & protocols must be secured appropriately; otherwise communication may be eavesdropped or sensitive information may be compromised. In the following we want to provide an overview of LTE main components and potential attack vectors.
As there has been some public demand for that, here we go with the final agenda for the Troopers “TelcoSecDay“. The workshop is meant to provide a platform for research exchange between operators, vendors and researchers. The slides of the talks will potentially be made available as well.
- 8:30: Opening Remarks & Introduction
- 9:00: Sebastian Schrittwieser (SBA Research): Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.
- 10:00: Peter Schneider (NSN): How to secure an LTE-Network: Just applying the 3GPP security standards and that’s it?
- 10:45: Break
- 11:00: Kevin Redon (T-Labs): Weaponizing Femtocells – The Effect of Rogue Devices on Mobile Telecommunications
- 11:45: Christian Kagerhuber (Group IT Security, Deutsche Telekom AG): Security Compliance Audit Automation (SCA, TeleManagementForum TMF528)
- 12:30: Lunch
- 13:45: Philipp Langlois (P1 Security): Assault on the GRX (GPRS Roaming eXchange) from the Telecom Core Network perspective, from 2.5G to LTE Advanced.
- 15:00: Break
- 15:15: Harald Welte (sysmocom): Structural deficits in telecom security
- 16:30: Closing Remarks
- 17:00: End of workshop
- 19:00: Joint dinner (hosted by ERNW) in Heidelberg Altstadt for those interested and/or staying for the main conference
Synopses & Bios
Sebastian Schrittwieser: Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.
Synopsis: Recently, a new generation of Internet-based messaging applications for smartphones was introduced. While user numbers are estimated in the millions, little attention has so far been paid to the security of these applications. In this talk, we present our experimental results, which revealed major security flaws, allowing attackers to hijack accounts, spoof sender-IDs, and enumerate subscribers.
Bio: Sebastian Schrittwieser is a PhD candidate at the Vienna University of Technology and a researcher at SBA Research. His research interests include, among others, digital forensics, software protection, code obfuscation, and digital fingerprinting. Sebastian received a Dipl.-Ing. (equivalent to MSc) degree in Business Informatics with focus on IT security from the Vienna University of Technology in 2010.
Peter Schneider: How to secure an LTE-Network: Just applying the 3GPP security standards and that’s it?
Synopsis: This talk briefly introduces the security architecture of an LTE mobile network as specified by 3GPP and shows which threats it mitigates and which not. It discusses additional, not-standardized security measures and how they can contribute to making mobile networks as secure as they need to be.
Bio: After many years of research, prototyping and systems engineering in the area of communication technologies, Peter works currently as a senior expert for mobile network security in the Security Technologies Team at Nokia Siemens Networks Research. He is author of various mobile network related security concepts. He is also active in the 3GPP security standardization and in several security research projects.
Kevin Redon: Weaponizing Femtocells – The Effect of Rogue Devices on Mobile Telecommunications
Synopsis: Mobile phones and carriers trust the traditional base stations which serve as the interface between the mobile devices and the fixed-line communication network. Femtocells, miniature cellular base stations installed in homes and businesses, are equally trusted yet are placed in possibly untrustworthy hands. By making several modifications to a commercially available femtocell, we evaluate the impact of attacks originating from a compromised device. We show that such a rogue device can violate all the important aspects of security for mobile subscribers, including tracking phones, intercepting communication and even modifying and impersonating traffic. The specification also enables femtocells to directly communicate with other femtocells over a VPN and the carrier we examined had no filtering on such communication, enabling a single rogue femtocell to directly communicate with (and thus potentially attack) all other femtocells within the carrier’s network.
Bio: Kevin Redon does his master of computing at the Technische Universitaet Berlin. He also works for “Security in Telecommunication” (SecT), a research group of the university.
Christian Kagerhuber: Security Compliance Audit Automation (SCA, TeleManagementForum TMF528)
Synopsis: Today, Service Providers are in need of comprehensive information relevant to effective security management. Service Providers have to evaluate and verify the compliance of their infrastructure and services to corporate security directives and legal guidelines. This includes being able to retrace OSS Operators’ behavior on OSS systems via standardized log messages. But to answer all necessary security compliance questions, log data alone appears not to be sufficient.
Service Providers need configuration data and telemetry data centralized at hand without manual, time-consuming OSS Operator activity. Even interactive polling of their devices is not sufficient because Service Providers must track down changes in the environment and the effective date/period. The talk is about what to solve this problem.
Bio: Christian is a Senior Security Expert at Deutsche Telekom (DT), responsible for the security of DT’s NGOSS system (called NGSSM) and BNG/SCRAT project. He build up T-Online’s Identity Management and CERT and is the author of various Deutsche Telekom security standards, e.g. on platform virtualisation and SSH.
Philippe Langlois: Assault on the GRX (GPRS Roaming eXchange) from the Telecom Core Network perspective, from 2.5G to LTE Advanced.
Synopsis: GRX is the global private network where Telecom network operators exchange GPRS roaming traffic of their users. It’s also used for all M2M networks where roaming is used, and that is the case from some company’s truck fleet management system down to intelligence GPS location spybug tracking system. GPRS has been there from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now quite widespread technology, along with its attacks. GRX has had a structuring role in the global telecom world at a time where IP dominance was being to be acknowledged. Now it has expanded to a lightweight structure using both IP technologies and ITU-originated protocols.
We’ll see how this infrastructure is protected and can be attacked, and we’ll discover the issues with the specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see its implication with GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our engagements with vulnerability analysis, we’ve seen several typical vulnerabilities that we will be showed in this speech. We will demo some of the attacks on a simulated “PS Domain” network, that it the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also seem how automation enable us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.
Bio: Philippe Langlois is a leading security researcher and expert in the domain of telecom and network security. He founded internationally recognized security companies (Qualys, WaveSecurity, INTRINsec, P1 Security) as well as led technical, development and research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company Intrinsec in 1995 in France. His founded his first business, Worldnet, France’s first public Internet service provider, in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB, Hack.lu). Previously professor at Ecole de Guerre Economique and various universities in France (Amiens, Marne La Vallée) and internationally (FUSR-U, EERCI). He is a FUSR-U (Free University for Security Research) collaborator and founding member. Philippe is providing industry associations (GSM Association Security Group, several national organizations) and governmental officials with Critical Infrastructure advisory conferences in Telecom and Network security. Now Philippe is providing with P1 Security the first Core Network Telecom Signaling security scanner & auditor which help telecom companies, operator and government analyze where and how their critical telecom network infrastructure can be attacked. He can be reached through his website at: http://www.p1security.com
He has presented previously at these security/hacking conferences: Hack.lu, Hack in the Box (HITB), Blackhat, Hackito Ergo Sum (paris, France), SOURCE, Chaos Communication Congress (Berlin, Germany), ekoparty (bueos aires, argentina), H2HC (sao paulo, brazil), SYSCAN (Hong Kong; Thailand), Bellua (Jakarta, Indonesia), INT (Mauritius), Interop… (some events listed there http://www.p1sec.com/corp/about/events/ )
Harald Welte: Structural deficits in telecom security
Synopsis: Especially in recent years, numerous practical attacks and tools have been developed and released. The attack patterns and methods from the dynamic Internet world have finally caught up with the dinosaur of the Telecom world. So far, the industry has failed to demonstrate sufficient interest in developing proper responses. The changes so far have been superficial. Are they a sufficient response for what is to come? Has the telecom industry realized the true implications of having left the “walled garden”? The talk will leave the field of actual attacks behind in order to talk about what at least the author perceives as structural deficits in terms of IT security at operators and equipment vendors.
Bio: Harald Welte is communications security consultalt for more than a decade. He was co-author of tne netfilter/iptables packet filter in the Linux kernel and has since then been involved in a variety of Free Software based implementations of protocol stacks for RFID, GSM, GPRS, and TETRA. His main interest is to look at security of communication systems beyond the IP-centric mainstream. Besides his consulting work, he is the general manager of Sysmocom GmbH, providing custom tailored communications solutions to customers world-wide.
Have a great Sunday everybody, see you soon at Troopers
Another day, another tool
Today I’m proudly releasing the first version of apnbf, a small python script designed for enumerating valid APNs (Access Point Name) on a GTP-C speaking device. It tries to establish a new PDP session with the endpoint via sending a createPDPContextRequest. This request needs to include a valid APN, so one can easily distinguish from a valid APN (which will be answered with a createPDPContextResponse) and an invalid APN (which will be answered with an error indication message). In addition the tool also parses the error indication and displays the reason (which should be “Missing or unknown APN” in case of an invalid APN).
Don’t waste time, get the source here (5a122f198ea35b1501bc3859fd7e87aa57ef853a)
So, after having a completely new release yesterday, we will stay with already known but updated software today. You might have heard of gtp_scan before, which is a small python script for scanning mainly 3G and 4G devices and detecting GTP (GPRS Tunneling Protocol) enabled ports. As GTP is transported via UDP and we all know, UDP scanning is a pain, the tool uses the GTP build-in echo mechanism to detect GTP speaking ports. Since the last version I’ve implemented some new features:
- Support of complete GTP spectrum (GTP-C, GTP-U, GTP’)
- Support for scanning on SCTP
- Improved result output, including validity check of response packages
Find the sources here (bbdcc8888ebb4739025395f8c1c253fa5fd2bb15).
have a nice one.
gtp_scan is a small python script that scans for GTP (GPRS tunneling protocol) speaking hosts. To discover those hosts it uses the GTP build in PING mechanism, it sends a GTP packet of the type ECHO_REQUEST and listens for an incoming GTP ECHO_REPLY. Its capable of generating ECHO_REQUESTS for GTP version 1 and GTP version 2. Also the script can scan for both, GTP-C and GTP-U (the control channel and the user data channel), only the port differs here.
In the output the received packet is displayed and the basic GTP header is dissected so one can see a GTP version 1 host answering a GTP version 2 ECHO_REQUEST with the ‘version not supported’ message.
Tests have shown that there are some strange services around, which answer to an GTP ECHO_REQUEST with a lot of weird data, which leads to ‘kind of’ false positive results but they can easily be discovered by checking the output data with your brain (eg. there is no GTP version 12)
download it here gtp_scan-0.5.tar.gz