Turner.issa la.mobile vulns.150604

www.iansresearch.com ©2014 IANS

Cellular Network Attacks – What the latest vulnerabilities mean for businesses and individuals

Aaron Turner – CEO, IntegriCell; IANS Research Faculty



At a Glance

- Every network humans have constructed has vulnerabilities
  - Why should cellular networks be any different?
- The base station problem
  - Localized attacks with significant impacts
- The SS7 problem
  - Global attacks with enormous consequences
- How MDM/EMM/MAM are essentially useless playthings when it comes to these vulnerabilities
- We’ve got a lot of work to do


Cellular network architecture overview

(Diagram: Operator 1, Operator 2 and Operator 3 interconnected through the SS7 Network.)


A quick cellular network lesson

- BTS – Base Transceiver Station: a ‘cell tower’, the point where the cellular network moves from fiber to RF
- HLR – Home Location Register: the ‘billing database’ for non-roaming users – what services you’re entitled to
- VLR – Visitor Location Register: the ‘billing database’ for roaming users – what services the home operator tells the roaming operator it can offer
- SS7 – Signaling System #7: packet-like network; relies on SIGTRAN (an IETF protocol suite) to transmit messages between operators
- MSC – Mobile Switching Center: handles the functions of cell handoff, SS7 interchange (for cell-to-landline calls), SMS services, voice conferencing and billing/charging


Remember when…

- We used to create passive network sniffers?
- Just a matter of double-connecting the TX and RX pairs
- In the OSI Model – a ‘Physical’ layer attack


Back to the Future

- Imagine cellular RF signals as the new physical attack layer
  - As copper was to CAT V cable, RF is to cellular
- Unfortunately…
  - Cell phones do not have the integrity controls to assure connection to authorized BTSs
  - Most cellular subscribers have no idea what the state of their network connection is


What does this mean?

- Your cell phone will gladly connect to any BTS that says it wants to talk to it
- The BTS instructs the phone what level of protection the communications must have
  - Weak or no encryption? Sure thing!
- The BTS can terminate, capture, replay or otherwise manipulate anything flowing through it
  - Yes, even if the BTS is not owned by the authorized operator, an attacker can capture all of the traffic: voice, SMS & data


False BTS Scenario

- Theory: attackers would put their BTS in a cargo van, drive around the attack target and stay mobile
- Reality: attackers are placing their BTS inside of the building and conducting persistent attacks


What data can be stolen?

- London: media company’s offices targeted for pre-market access to financial information
  - Earnings report ‘heads up’ SMS sent to financial reporter
  - Financial reporter’s service intercepted
  - Attacker able to gain an advantage in commodities or equities
- US: engineering facilities targeted for product development information
  - Rapid prototyping teams rely more on their mobile devices than IT infrastructure
  - Attackers able to gather product development details & scheduling information


Washington DC Findings

- 15 total areas of interest in DC
- Over 40 alerts in those areas
- 4 research devices


Bay Area Findings

- 5 total areas of interest
- Over 30 firewall alerts
- 3 research devices
- 2 networks
- 2 locations where full intercept capabilities were underway


BTS Vulnerabilities Bottom Line

- Cellular network communications can be easily intercepted
- Intercept is a localized attack
  - Limited to a particular area, based on the strength of the false BTS’s signal
  - Not necessarily scalable for large-scale attacks
- Intercept can be universal or targeted
  - All devices in a particular area, or interceptors can ‘shed’ non-targeted devices and focus only on those of interest
- What controls exist?
  - Baseband firewalls are the best option for false BTS awareness
  - Beware of software-only offerings; true promiscuous-mode monitoring requires kernel- and driver-level modification of cellular radios
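Added example, not from the slides and not any vendor’s product logic: a minimal false-BTS heuristic of the kind a baseband firewall applies to what the radio reports, run over a constructed observation log. The field names, thresholds and known-cell list are assumptions; collecting these fields for real needs the radio-level access the slide mentions.

```python
from dataclasses import dataclass

@dataclass
class CellObservation:
    """One serving-cell snapshot as a baseband could report it (constructed fields)."""
    mcc: str          # mobile country code
    mnc: str          # mobile network code
    lac: int          # location area code
    cell_id: int
    cipher: str       # cipher the BTS instructed the phone to use ("A5/0" = none)
    rx_dbm: int       # received signal strength in dBm
    neighbours: int   # neighbour cells the BTS advertises for handoff

# Constructed list of cells the operator legitimately runs in this area.
KNOWN_CELLS = {("310", "410", 1201, 5503), ("310", "410", 1201, 5504)}

def check_cell(obs, known_cells=KNOWN_CELLS):
    """Return the indicators that make one observation look like a false BTS."""
    alerts = []
    if obs.cipher == "A5/0":
        alerts.append("no-encryption")             # BTS told the phone to use no cipher
    elif obs.cipher == "A5/2":
        alerts.append("weak-cipher")               # long-broken export cipher
    if (obs.mcc, obs.mnc, obs.lac, obs.cell_id) not in known_cells:
        alerts.append("unknown-cell")              # not in the operator's cell plan
    if obs.neighbours == 0:
        alerts.append("no-neighbour-list")         # lone cell that never hands off
    if obs.rx_dbm > -50:
        alerts.append("abnormally-strong-signal")  # transmitter very close by
    return alerts

def classify(obs, threshold=2):
    """'suspect' when at least `threshold` independent indicators fire, else 'ok'."""
    return "suspect" if len(check_cell(obs)) >= threshold else "ok"

def scan(observations):
    """Indices of the observations flagged as suspect."""
    return [i for i, o in enumerate(observations) if classify(o) == "suspect"]

# Constructed log: normal cells around one showing the markers the slides describe.
SAMPLE_LOG = [
    CellObservation("310", "410", 1201, 5503, "A5/3", -75, 6),
    CellObservation("310", "410", 1201, 9999, "A5/0", -42, 0),
    CellObservation("310", "410", 1201, 5504, "A5/1", -80, 5),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print(i, check_cell(SAMPLE_LOG[i]))
```

A single indicator (an unknown cell after a network build-out, say) is not flagged on its own; the threshold is what keeps the heuristic from alerting on every new tower.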


What’s this SS7 thing?

- SS7 is like DNS and SMTP rolled into one system
  - Allows carriers to perform lookups on subscribers’ status AND
  - Allows carriers to deliver content to each other on subscriber activity
- What could possibly go wrong?
- SS7 high-profile examples:
  - Number portability
  - SMS one-time-use codes
  - Subscriber geolocation (criminal investigation, etc.)


SS7 – Vulnerabilities Overview

- Every network operator has SS7 nodes which they have configured as Service Control Points (SCP) and Signaling Gateways (SG)
- Perimeter-based protections & controls
- Have security perimeters failed in the past?


What attacks can be run today?

- International Roaming Fraud
  - SIM vendor in country X sells an ‘unlimited roaming’ SIM for country Y
  - SIM vendor colludes with attackers to toggle the SIM from post-paid to pre-paid and back again
  - Essentially allows for a free month of roaming
  - SIM vendor profits, the in-country operator loses revenues
- Bad news for operators… what about for enterprises?


Subscriber Tracking & Information Disclosure

- What if I wanted to track your company’s executives in real time?
  - Use the information for potential deal-making intelligence
  - M&A opportunities, etc.
- Operators say, “Can’t happen!”

(Diagram: a query arriving over the SS7 interconnect toward the HLR and VLR/MSC is blocked at the perimeter, marked X.)


But, the perimeter fails…

- Just like with perimeters of the past, they can be bypassed

(Diagram: the same query over the SS7 interconnect now reaching the HLR and VLR/MSC unblocked.)


VLR Query Example

- Even if the HLR filters requests, most of the time the VLR is vulnerable
- Operators have hardened their SGs and HLRs but not their VLRs
- IMEI and subscriber state (currently in a phone call or not?) can be requested


SMS Intercept

Electronic banking & SMS MFA fraud, made possible by forced re-routing of authentication SMS messages and/or calls to the attacker

(Diagram: the SS7 interconnect, the HLR, subscriber A’s VLR/MSC and the SMSC, with the numbered message steps below.)

1. Attacker tells HLR that subscriber A is now logged on to his “network” (updateLocation)
2. Bank sends text message with mTAN to subscriber A
3. SMSC gets referred to attacker’s “VLR” as destination by HLR (sendRoutingInfoForSM)
4. SMS is delivered to attacker (mt-ForwardSM)


Root cause analysis

- Attackers are likely exploiting common cybersecurity vulnerabilities to gain access to SS7 interconnects
- As long as the attacker does not get too greedy or send too many commands through the roaming partner’s SS7 interconnect, it is very difficult to detect these types of attacks
- Attack surface is surprisingly large: 800 operators in 220 countries (http://www.gsma.com/membership/who-are-our-gsma-members/full-membership/)

1. Attacker identifies vulnerable international roaming partner and runs APT-style operation
2. Exploited SS7 interconnect then used to send commands to target
3. Attacker exploits target SS7 network for fraud or information gathering
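Added example, not from the slides: home-network screening for the updateLocation / sendRoutingInfoForSM sequence of the SMS intercept slide, together with the per-interconnect rate check that the “too greedy” remark above implies. Operation names follow the slides; the Global Titles, IMSIs, GT-to-country table and thresholds are constructed assumptions.

```python
from collections import defaultdict

GT_COUNTRY = {"1555": "US", "4478": "GB", "7495": "RU"}  # constructed GT prefix -> country
MIN_SECONDS_BETWEEN_COUNTRIES = 3 * 3600  # assumed: no genuine trip between countries is faster
MAX_UPDATES_PER_GT_PER_HOUR = 20          # assumed ceiling for one partner VLR

def country_of(gt):
    """Country a calling Global Title belongs to, per the constructed table."""
    return next((cc for p, cc in GT_COUNTRY.items() if gt.startswith(p)), "??")

class HlrScreen:
    """Stateful checks the home HLR applies before honouring roaming signaling."""
    def __init__(self):
        self.last_loc = {}                 # imsi -> (country, time of last updateLocation)
        self.suspect_until = {}            # imsi -> time until SRI-SM is treated as intercept risk
        self.updates = defaultdict(list)   # calling GT -> timestamps of its updateLocations

    def screen(self, ev):
        """ev = dict(op, gt, imsi, t in seconds). Returns the alerts raised for this event."""
        alerts, op, gt, imsi, t = [], ev["op"], ev["gt"], ev["imsi"], ev["t"]
        if op == "updateLocation":
            cc, prev = country_of(gt), self.last_loc.get(imsi)
            if prev and prev[0] != cc and t - prev[1] < MIN_SECONDS_BETWEEN_COUNTRIES:
                alerts.append("implausible-velocity")    # subscriber "moved" countries too fast
            self.updates[gt] = [x for x in self.updates[gt] if t - x < 3600] + [t]
            if len(self.updates[gt]) > MAX_UPDATES_PER_GT_PER_HOUR:
                alerts.append("interconnect-rate")       # one partner sending too many updates
            if alerts:
                self.suspect_until[imsi] = t + 3600      # remember the doubtful VLR for an hour
            self.last_loc[imsi] = (cc, t)
        elif op == "sendRoutingInfoForSM" and t < self.suspect_until.get(imsi, -1):
            alerts.append("possible-sms-intercept")      # delivery would route to the doubtful VLR
        return alerts

# Constructed signaling events reproducing steps 1 and 3 of the intercept slide.
SAMPLE_EVENTS = [
    {"op": "updateLocation", "gt": "15551000001", "imsi": "310410000000001", "t": 0},    # home VLR (US)
    {"op": "updateLocation", "gt": "74951000009", "imsi": "310410000000001", "t": 600},  # step 1
    {"op": "sendRoutingInfoForSM", "gt": "15559000002", "imsi": "310410000000001", "t": 700},  # step 3
]

def run(events):
    """Return (index, alerts) for every event that raised something."""
    s, out = HlrScreen(), []
    for i, ev in enumerate(events):
        alerts = s.screen(ev)
        if alerts:
            out.append((i, alerts))
    return out
```

An attacker who spaces updates out and stays under the rate ceiling still trips the velocity check, which is why both checks are kept; a hardened HLR would reject the flagged updateLocation rather than only log it.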


Cellular Network Vulnerabilities – The Bottom Line

- BTS Vulns:
  - Enterprises are left with very little control
  - Deploy baseband firewalls and monitor
- SS7 Vulns:
  - Shift away from SMS-driven authentication
  - Train executives to leave primary phones behind on sensitive trips
  - Vendors like Payfone are going to be in a rough situation


Questions & Comments?

Aaron Turner

[email protected]

Or – connect with me on LinkedIn

https://www.linkedin.com/in/aaronrturner