Upload
positive-hack-days
View
514
Download
2
Embed Size (px)
Citation preview
Mobile Telephony is Unsafe ptsecurity.com
Arguments backed up
by facts
Mobile Telephony is Unsafe
Sergey Puzankov
Dmitry Kurbatov
Telecommunications security [email protected]@ptsecurity.com
Argumentsbacked up
by facts
Contents
ptsecurity.com
• Main Problems
• Heritage of the SS7 Design
• Unsafe Protocols
• Deployment Errors
• Demo
ptsecurity.com
Heritage of the SS7 Design
ptsecurity.com
SS7 Design: 20th Century
ptsecurity.com
Trusted environment
PSTN
STP STP
STPSTP
SSP
SCP
SSP
SSP
SCP
SS7 Evolution
ptsecurity.com
• SS7 network was developed in 1980s and was meant for a trusted environment, so no security mechanisms were provided in the protocol stack.
• SIGTRAN – SS7 over IP – was introduced in 2000. Security mechanisms are still missing.
• Growing number of operators with SS7 connection: MNO, MVNO, VAS-providers, etc.
SS7 Design: Nowadays
ptsecurity.com
PSTN
Enterprise Network
PSTN
BTS
NodeB
AuCGMSC
HLRVLRSGSNRNC
BSC
WDM
WDMWDM
MSC
SCP
SoftSwitch
WDM
GGSN
Router
PBX
MGW
STP
STP
SigGW
STP
STP
SCP
SSP
International SS7
STP
STP
SS7
SS7SS7
SS7
SS7
SS7
SS7SS7SS7
SS7
SS7SS7 SS7
SS7
IP Domain
Wireless Domain
Fixed Domain
SS7 Design Outcome
ptsecurity.com
• Growing number of participants: more than 1,000 large operators
• Growing number of SS7 interconnections: a few dozens per operator
• Growing amount of SS7 traffic: billions of messages daily
• Growing number of technical specialists
• No security policies or restrictions
No more trusted environment
Unsafe Protocols
ptsecurity.com
SS7 Protocols
ptsecurity.com
• No encryption
• No node authentication
• No strict filtering rules
SS7 Security Audits. Statistics
ptsecurity.com
• During 2015, we performed 16 SS7 security audits
• Mobile operators in EMEA and APAC regions
• Different operator size: from less than 10M to more than 50M
Conclusion: No Invulnerable Networks
SS7 Statistics. Threats
ptsecurity.com
Service Disruption
Data Leakage
Fraud
SS7 Statistics. Fraud
ptsecurity.com
Terminating Call Redirection
Money Transfer via USSD
Subscriber Profile Change
Originating Call Redirection
SS7 Statistics. Data Leakage: IMSI Disclosure
ptsecurity.com
SS7 Statistics. Data Leakage
ptsecurity.com
Subscriber’s Balance Disclosure
Terminating SMS Interception
Subscriber Location Discovery
Voice Call Interception
Subscriber’s Data Leakage
SS7 Statistics. Data Leakage
ptsecurity.com
Subscriber’s Balance Disclosure
Terminating SMS Interception
Subscriber Location Discovery
Voice Call Interception
Subscriber’s Data Leakage
Deployment Errors
ptsecurity.com
Deployment Features: RJ-45 in the BS
ptsecurity.com
Deployment Features: No Password Policy
ptsecurity.com
• Too many devices
• Equal/weak passwords
• Default accounts
Deployment Features: Subscriber Location Discovery
ptsecurity.com
Deployment Features: Subscriber Location Discovery
ptsecurity.com
…of Mobile Operator Employees only!
SMS Interception and Its Consequences
ptsecurity.com
SMS Interception and Its Consequences
ptsecurity.com
SMS Interception and Its Consequences
ptsecurity.com
• OTP for online banking
• Access to the subscriber account
• Password recovery for e-mail and social networks
• A new device registering for messengers
SMS Interception and Its Consequences
ptsecurity.com
Demo
Questions?
Sergey Puzankov
Dmitry Kurbatov
Telecommunications security [email protected]@ptsecurity.com
Mobile Telephony is Unsafe
Argumentsbacked up
by facts
ptsecurity.com
Thank you!
Mobile Telephony is UnsafeArguments backed up
by facts