TAG | 4G
Hello Everybody and greetings from Sao Paulo,
We’re currently enjoying the Brazilian sunshine, waiting for H2H2 11’s closing remarks and decided to give you a few details on the past three days. The conference was opened by a short welcome by our fellow Trooper Rodrigo Rubira Branco and stuffed with loads of great talks. This year’s keynotes came from Daniel J. Bernstein and Halvar Flake and gave yet another insight into the ever changing world of InfoSec. The international lineup also included Travis Goodspeed, Sergej Bratus and Fernando Gont. H2HC was a great chance for us to talk to various Hackers from around the world and share our opinions and knowledge. (more…)
As we continue our research in the 3GPP protocol world, there is a new tool for you to play with. It is called s1ap_enum and thats also what it does
The tool itself is written in erlang, as i found no other free ASN.1 parser that is able to parse those fancy 3GPP protocol specs. It connects to an MME on sctp/36412 and tries to initiate a S1AP session by sending an S1SetupRequest PDU. To establish a S1AP session with an MME the right MCC and MNC are needed in the PLMNIdentity. The tool tries to guess the right MCC/MNC combinations. It comes with a preset of known MCC/MNC pairs from mcc-mnc.com, but can try all other combinations as well.
Greetings from Heidelberg to Paris,
and thanks for a great time at HES14! A nice venue (a museum), sweet talks and stacks of spirit carried us through the three day con. It all set off with a keynote byTROOPERs veteran Edmond ‘bigezy’ Rogers, who stuck to a quite simple principle: “People do stupid things” and I guess every single one of you has quite a few examples for that on offer. Next to every speaker referenced that statement at some point during her/his talk. Furthermore we presented an updated version of our talk LTE vs. Darwin, covering our research of security in LTE networks and potential upcoming problems.
For those who missed HES2014, we prepared a short summary of some of the talks that inspired us.
as some of you may have noticed, just recently at ShmooCon we gave our talk “LTE vs. Darwin” (Slides here). There we presented some results of our research in 4G telco network security. Some of those originate from our research contribution to ASMONIA, but we expanded the scope and also took a look at the air interface. Both the air interface and the backend links & protocols must be secured appropriately; otherwise communication may be eavesdropped or sensitive information may be compromised. In the following we want to provide an overview of LTE main components and potential attack vectors.
As there has been some public demand for that, here we go with the final agenda for the Troopers “TelcoSecDay“. The workshop is meant to provide a platform for research exchange between operators, vendors and researchers. The slides of the talks will potentially be made available as well.
- 8:30: Opening Remarks & Introduction
- 9:00: Sebastian Schrittwieser (SBA Research): Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.
- 10:00: Peter Schneider (NSN): How to secure an LTE-Network: Just applying the 3GPP security standards and that’s it?
- 10:45: Break
- 11:00: Kevin Redon (T-Labs): Weaponizing Femtocells – The Effect of Rogue Devices on Mobile Telecommunications
- 11:45: Christian Kagerhuber (Group IT Security, Deutsche Telekom AG): Security Compliance Audit Automation (SCA, TeleManagementForum TMF528)
- 12:30: Lunch
- 13:45: Philipp Langlois (P1 Security): Assault on the GRX (GPRS Roaming eXchange) from the Telecom Core Network perspective, from 2.5G to LTE Advanced.
- 15:00: Break
- 15:15: Harald Welte (sysmocom): Structural deficits in telecom security
- 16:30: Closing Remarks
- 17:00: End of workshop
- 19:00: Joint dinner (hosted by ERNW) in Heidelberg Altstadt for those interested and/or staying for the main conference
Synopses & Bios
Sebastian Schrittwieser: Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.
Synopsis: Recently, a new generation of Internet-based messaging applications for smartphones was introduced. While user numbers are estimated in the millions, little attention has so far been paid to the security of these applications. In this talk, we present our experimental results, which revealed major security flaws, allowing attackers to hijack accounts, spoof sender-IDs, and enumerate subscribers.
Bio: Sebastian Schrittwieser is a PhD candidate at the Vienna University of Technology and a researcher at SBA Research. His research interests include, among others, digital forensics, software protection, code obfuscation, and digital fingerprinting. Sebastian received a Dipl.-Ing. (equivalent to MSc) degree in Business Informatics with focus on IT security from the Vienna University of Technology in 2010.
Peter Schneider: How to secure an LTE-Network: Just applying the 3GPP security standards and that’s it?
Synopsis: This talk briefly introduces the security architecture of an LTE mobile network as specified by 3GPP and shows which threats it mitigates and which not. It discusses additional, not-standardized security measures and how they can contribute to making mobile networks as secure as they need to be.
Bio: After many years of research, prototyping and systems engineering in the area of communication technologies, Peter works currently as a senior expert for mobile network security in the Security Technologies Team at Nokia Siemens Networks Research. He is author of various mobile network related security concepts. He is also active in the 3GPP security standardization and in several security research projects.
Kevin Redon: Weaponizing Femtocells – The Effect of Rogue Devices on Mobile Telecommunications
Synopsis: Mobile phones and carriers trust the traditional base stations which serve as the interface between the mobile devices and the fixed-line communication network. Femtocells, miniature cellular base stations installed in homes and businesses, are equally trusted yet are placed in possibly untrustworthy hands. By making several modifications to a commercially available femtocell, we evaluate the impact of attacks originating from a compromised device. We show that such a rogue device can violate all the important aspects of security for mobile subscribers, including tracking phones, intercepting communication and even modifying and impersonating traffic. The specification also enables femtocells to directly communicate with other femtocells over a VPN and the carrier we examined had no filtering on such communication, enabling a single rogue femtocell to directly communicate with (and thus potentially attack) all other femtocells within the carrier’s network.
Bio: Kevin Redon does his master of computing at the Technische Universitaet Berlin. He also works for “Security in Telecommunication” (SecT), a research group of the university.
Christian Kagerhuber: Security Compliance Audit Automation (SCA, TeleManagementForum TMF528)
Synopsis: Today, Service Providers are in need of comprehensive information relevant to effective security management. Service Providers have to evaluate and verify the compliance of their infrastructure and services to corporate security directives and legal guidelines. This includes being able to retrace OSS Operators’ behavior on OSS systems via standardized log messages. But to answer all necessary security compliance questions, log data alone appears not to be sufficient.
Service Providers need configuration data and telemetry data centralized at hand without manual, time-consuming OSS Operator activity. Even interactive polling of their devices is not sufficient because Service Providers must track down changes in the environment and the effective date/period. The talk is about what to solve this problem.
Bio: Christian is a Senior Security Expert at Deutsche Telekom (DT), responsible for the security of DT’s NGOSS system (called NGSSM) and BNG/SCRAT project. He build up T-Online’s Identity Management and CERT and is the author of various Deutsche Telekom security standards, e.g. on platform virtualisation and SSH.
Philippe Langlois: Assault on the GRX (GPRS Roaming eXchange) from the Telecom Core Network perspective, from 2.5G to LTE Advanced.
Synopsis: GRX is the global private network where Telecom network operators exchange GPRS roaming traffic of their users. It’s also used for all M2M networks where roaming is used, and that is the case from some company’s truck fleet management system down to intelligence GPS location spybug tracking system. GPRS has been there from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now quite widespread technology, along with its attacks. GRX has had a structuring role in the global telecom world at a time where IP dominance was being to be acknowledged. Now it has expanded to a lightweight structure using both IP technologies and ITU-originated protocols.
We’ll see how this infrastructure is protected and can be attacked, and we’ll discover the issues with the specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see its implication with GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our engagements with vulnerability analysis, we’ve seen several typical vulnerabilities that we will be showed in this speech. We will demo some of the attacks on a simulated “PS Domain” network, that it the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also seem how automation enable us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.
Bio: Philippe Langlois is a leading security researcher and expert in the domain of telecom and network security. He founded internationally recognized security companies (Qualys, WaveSecurity, INTRINsec, P1 Security) as well as led technical, development and research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company Intrinsec in 1995 in France. His founded his first business, Worldnet, France’s first public Internet service provider, in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB, Hack.lu). Previously professor at Ecole de Guerre Economique and various universities in France (Amiens, Marne La Vallée) and internationally (FUSR-U, EERCI). He is a FUSR-U (Free University for Security Research) collaborator and founding member. Philippe is providing industry associations (GSM Association Security Group, several national organizations) and governmental officials with Critical Infrastructure advisory conferences in Telecom and Network security. Now Philippe is providing with P1 Security the first Core Network Telecom Signaling security scanner & auditor which help telecom companies, operator and government analyze where and how their critical telecom network infrastructure can be attacked. He can be reached through his website at: http://www.p1security.com
He has presented previously at these security/hacking conferences: Hack.lu, Hack in the Box (HITB), Blackhat, Hackito Ergo Sum (paris, France), SOURCE, Chaos Communication Congress (Berlin, Germany), ekoparty (bueos aires, argentina), H2HC (sao paulo, brazil), SYSCAN (Hong Kong; Thailand), Bellua (Jakarta, Indonesia), INT (Mauritius), Interop… (some events listed there http://www.p1sec.com/corp/about/events/ )
Harald Welte: Structural deficits in telecom security
Synopsis: Especially in recent years, numerous practical attacks and tools have been developed and released. The attack patterns and methods from the dynamic Internet world have finally caught up with the dinosaur of the Telecom world. So far, the industry has failed to demonstrate sufficient interest in developing proper responses. The changes so far have been superficial. Are they a sufficient response for what is to come? Has the telecom industry realized the true implications of having left the “walled garden”? The talk will leave the field of actual attacks behind in order to talk about what at least the author perceives as structural deficits in terms of IT security at operators and equipment vendors.
Bio: Harald Welte is communications security consultalt for more than a decade. He was co-author of tne netfilter/iptables packet filter in the Linux kernel and has since then been involved in a variety of Free Software based implementations of protocol stacks for RFID, GSM, GPRS, and TETRA. His main interest is to look at security of communication systems beyond the IP-centric mainstream. Besides his consulting work, he is the general manager of Sysmocom GmbH, providing custom tailored communications solutions to customers world-wide.
Have a great Sunday everybody, see you soon at Troopers
So, after having a completely new release yesterday, we will stay with already known but updated software today. You might have heard of gtp_scan before, which is a small python script for scanning mainly 3G and 4G devices and detecting GTP (GPRS Tunneling Protocol) enabled ports. As GTP is transported via UDP and we all know, UDP scanning is a pain, the tool uses the GTP build-in echo mechanism to detect GTP speaking ports. Since the last version I’ve implemented some new features:
- Support of complete GTP spectrum (GTP-C, GTP-U, GTP’)
- Support for scanning on SCTP
- Improved result output, including validity check of response packages
Find the sources here (bbdcc8888ebb4739025395f8c1c253fa5fd2bb15).
have a nice one.
gtp_scan is a small python script that scans for GTP (GPRS tunneling protocol) speaking hosts. To discover those hosts it uses the GTP build in PING mechanism, it sends a GTP packet of the type ECHO_REQUEST and listens for an incoming GTP ECHO_REPLY. Its capable of generating ECHO_REQUESTS for GTP version 1 and GTP version 2. Also the script can scan for both, GTP-C and GTP-U (the control channel and the user data channel), only the port differs here.
In the output the received packet is displayed and the basic GTP header is dissected so one can see a GTP version 1 host answering a GTP version 2 ECHO_REQUEST with the ‘version not supported’ message.
Tests have shown that there are some strange services around, which answer to an GTP ECHO_REQUEST with a lot of weird data, which leads to ‘kind of’ false positive results but they can easily be discovered by checking the output data with your brain (eg. there is no GTP version 12)
download it here gtp_scan-0.5.tar.gz