hacking telco equipment
play

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security - PowerPoint PPT Presentation

Jul 12, 2023 •124 likes •724 views

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS Laurent Ghigonis P1 Security 2014, Hackito Ergo Sum - Security Conference What are we talking about ? A mobile

  1. Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  2. What are we talking about ? A mobile network operator Core Network Network passive capture showing Global Titles Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  3. Mobile Operators • Conveys the majority of voice communications worldwide • Conveys our data • Conveys growing M2M traffic • Emergency systems notifications uses it => We now rely on it and we have some security expectations Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  4. Mobile Operators and governance • In Europe Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  5. Mobile Operators and governance • In France Lets check the reality … Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  6. The Witness : An HLR/HSS AuC HSM HLR Front End HSS Front End Provisioning DSA Routing DSA Install Server Admin Provisioning Gateway 3 Back Ends Typical HLR/HSS in use in operator Core Network Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  7. HLR/HSS in Mobile Core Network A mobile network operator Core Network Network passive capture showing Global Titles Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  8. HLR/HSS in Mobile Core Network Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  9. HLR/HSS in Mobile Core Network Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  10. HLR/HSS in Mobile Core Network • HLR is used in all 2G Operator Network • HSS is used in all 3G/4G Operator Network • Stores customer data – Subscriber identifier (IMSI) – Subscriber encryption keys – Subscriber approximate location – Subscriber SIM plan options • Critical to the operator – HLR down == Network down, no calls possible Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  11. HLR/HSS in Mobile Core Network HLR/HSS receiving subscriber location update from the operator SS7/Diameter signaling links Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  12. Lets make it talk … Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  13. Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  14. Plan HLR/HSS Robustness assessment • Virtualization – Virtualization and instrumentation • System Analysis – Localroot, Framework complexity • Network Fuzzing – SS7 Protocols • Binaries Reverse – More vulns Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  15. HLR/HSS Virtualization No, it’s not ATCA / NFV Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  16. An HLR/HSS is an ecosystem Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  17. An HLR/HSS is an ecosystem • HLR + HSS Front-end • HLR Administration server • Application/Database routing servers • HLR Backend/Database (multiple) • HSM (Hardware Security Module) for keys Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  18. HLR/HSS is never alone Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  19. Where to start • Most exposed from the outside => HLR/HSS Front-end – Receives SS7/Diameter traffic • Telecom network stacks – Receives provisioning requests – Connected to the HSM Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  20. Where to start AuC HSM HLR Front End HSS Front End Provisioning DSA Routing DSA Install Server Admin Provisioning Gateway 3 Back Ends Typical HLR/HSS in use in operator Core Network Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  21. Virtualization of HLR/HSS Frontend Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  22. Original Equipment Manufacturer • Specs of the real equipment – i386 / x64 / Sparc – Solaris / CentOS – 32 GB of RAM – CPU 16 Cores – TB hard drive + External SAN Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  23. Qemu/KVM • Faster than VirtualBox • More flexible • Tweak code to add more network interfaces • VDE Switch for networking Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  24. Qemu/KVM qemu-system-x86_64 \ -machine type=pc,accel=kvm:tcg -pidfile ./myhlr.pid \ -m 7.2g -smp 4 -drive file=/dev/mapper/lvm-vm--myhlr,cache=none \ -vnc 127.0.0.1:2,password,tls,lossy -display curses -rtc base=localtime,driftfix=slew \ -net vde,vlan=1,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=1,macaddr=52:54:00:00:10:01 \ -net vde,vlan=2,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=2,macaddr=52:54:00:00:10:02 \ -net vde,vlan=3,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=3,macaddr=52:54:00:00:10:02 \ -net vde,vlan=4, sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=4,macaddr=52:54:00:00:10:02 \ -net vde,vlan=5,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=5,macaddr=52:54:00:00:10:02 \ -net vde,vlan=6,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=6,macaddr=52:54:00:00:10:02 \ -net vde,vlan=7,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=7,macaddr=52:54:00:00:10:02 \ -net vde,vlan=8,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=8,macaddr=52:54:00:00:10:02 \ -net vde,vlan=9,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=9,macaddr=52:54:00:00:10:02 \ -net vde,vlan=10,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=10,macaddr=52:54:00:00:10:02 \ -net vde,vlan=11,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=11,macaddr=52:54:00:00:10:02 \ -net vde,vlan=12,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=12,macaddr=52:54:00:00:10:02 • Physical partition for disk – Do not use disk file on host btrfs • super slow • ext4 is ok – http://www.linux-kvm.org/page/Tuning_KVM • Curses output • Improvements: serial terminal Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  25. Qemu/KVM • Solaris 10 – Qemu/KVM ok for x64 – Fails for SPARC • Stock kernel – /kernel – /usr/kernel • Custom kernel modules – For Telecom Signaling [Signalware] • Uses grub • Failsafe mode Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  26. Inside the machine • ZFS filesystem • Solaris 10 • Everything is installed via packages • Multiple Oracle databases – Even on HLR/HSS Front-end only • A lot of Middleware framework to start the actual network stacks / applications • Telco stacks: based on Ulticom Signalware • The OS expects its precious network cards Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  27. System Analysis Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  28. The filesystem • ZFS = Filesystem + Volume manager • ZFS pool (often mirrored) – ZFS root pool • 100-200GB usually enough • Prepare free space for system/processes dump – ZFS Dump pool • Should be more than size of your RAM – ZFS SWAP pool • Should be more that size of your RAM Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  29. The filesystem • ZFS offers good resilience against data corruption, and is very picky when there is too much corruption – You can’t recover when filesystem is too much broken – You can try $ zdb -e -p /dev/dsk/c0t3d0p0 -F -X -AAA -dd rpool 1 $ zpool import -f -F -X 19485729304958623456 mypool $ zpool import -o readonly=on -o autoreplace=on -o failmode-continue -m -N -f -F -X 19485729304958623456 mypool • If it fails – Code your own tool by modifying ZOL http://zfsonlinux.org/ Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Towards an Economic Valuation of Telco-based Valuation of Telco based Identity

Towards an Economic Valuation of Telco-based Valuation of Telco based Identity

Towards an Economic Valuation of Telco-based Valuation of Telco based Identity Management Enablers Enablers PrimeLife/IFIP Summer School 2010 Helsingborg, 2010-08-04 Kai Rannenberg, S ascha Koschinat, Andreas Albers, Gkhan

1.07k views • 60 slides
VAS Management Platform. Solution from TELCO to TELCO Powered by 1Click The fastest payment

VAS Management Platform. Solution from TELCO to TELCO Powered by 1Click The fastest payment

VAS Management Platform. Solution from TELCO to TELCO Powered by 1Click The fastest payment tool mVAS services can 4 Times 1Click payment conversion rate is higher generate than the standard flow credit card payment up to 5% of total

1.07k views • 18 slides
Agenda Telco and 5G Network Functions Virtualization OPNFV and Software Defined

Agenda Telco and 5G Network Functions Virtualization OPNFV and Software Defined

Agenda Telco and 5G Network Functions Virtualization OPNFV and Software Defined Everything with SUSE Realizing NFVI requirements Performance Demo Telco and 5G LTE Network Architecture Telco functions The infrastructure

748 views • 39 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
OPEN PLATFORM BaSED 5g On the road to THE Software telco Alex Jinsung Choi, Deutsche Telekom

OPEN PLATFORM BaSED 5g On the road to THE Software telco Alex Jinsung Choi, Deutsche Telekom

OPEN PLATFORM BaSED 5g On the road to THE Software telco Alex Jinsung Choi, Deutsche Telekom ONF Spotlight, Sept 2020 internal We observe accelerating market dynamics Altogether having the potential to disrupt the telco sector

277 views • 11 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
PREPARE FOR EDGE SERVICES BY VIRTUALIZING YOUR CENTRAL OFFICE Ian Hood Hanen Garcia Chief

PREPARE FOR EDGE SERVICES BY VIRTUALIZING YOUR CENTRAL OFFICE Ian Hood Hanen Garcia Chief

PREPARE FOR EDGE SERVICES BY VIRTUALIZING YOUR CENTRAL OFFICE Ian Hood Hanen Garcia Chief Technologist Telco Solutions Manager Global Service Providers Red Hat Red Hat TELCO TRANSFORMATION IN THE ERA OF DIGITAL DISRUPTION Telco

312 views • 29 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

485 views • 27 slides
Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack

Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack

Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack Tree for Cheating On-line Poker Bots Denial of Service Collusion Software Exploits Conclusion Importance Out-of-band market for virtual equipment

1.07k views • 63 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
How to build a telco in the cloud Why are we here? Currently, telcos... are seen merely as a

How to build a telco in the cloud Why are we here? Currently, telcos... are seen merely as a

How to build a telco in the cloud Why are we here? Currently, telcos... are seen merely as a wire-provider . o offer a few products, tightly coupled to their infrastructure. o aren't seen as tech-leaders in the cloud/software world.

316 views • 17 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
The Challenge: Telco-grade Dependability with Extreme Agility Telecommunications Business

The Challenge: Telco-grade Dependability with Extreme Agility Telecommunications Business

ModelTalk : A Framework for Developing Domain Specific Executable Models Atzmon Hen-tov and Lior Schachter Pontis Ltd., Israel Joint Work With: David H. Lorenz The Open University of Israel The Challenge: Telco-grade Dependability with

431 views • 21 slides
Formal Methods for Database Application Evolution I l Dillig University of Texas at Austin

Formal Methods for Database Application Evolution I l Dillig University of Texas at Austin

Formal Methods for Database Application Evolution I l Dillig University of Texas at Austin VSTTE 2020 1 Database Applications DB application: program that interacts with underlying database Database applications are ubiquitous

1.07k views • 49 slides
9-month 2011 results 15 November 2011 Q3 2011 results 15 November 2011 2 This presentation

9-month 2011 results 15 November 2011 Q3 2011 results 15 November 2011 2 This presentation

15/11/2011 1 9-month 2011 results 15 November 2011 Q3 2011 results 15 November 2011 2 This presentation contains projections and forecasts. They express objectives based on the current assessments and estimates of the Groups senior

345 views • 17 slides
Thurs. Mar. 29 University of Houston Law Center D. C. Toedt III Z&B Chapter 5D Legal

Thurs. Mar. 29 University of Houston Law Center D. C. Toedt III Z&B Chapter 5D Legal

Contract Drafting Class 20 Thurs. Mar. 29 University of Houston Law Center D. C. Toedt III Z&B Chapter 5D Legal opinions Legal opinions takeaways: 1. Third parties might rely on it sue the lawyer if things go wrong 2. Limitations

628 views • 29 slides
of benefits (DOB) What is a DOB? A duplication occurs when a beneficiary receives assistance

of benefits (DOB) What is a DOB? A duplication occurs when a beneficiary receives assistance

Procedures & Tools for Reviewing and Preventing Duplication of Benefits Overview of duplication of benefits (DOB) What is a DOB? A duplication occurs when a beneficiary receives assistance from multiple sources for a cumulative amount

708 views • 31 slides
IM-5 Drilling Update 22 nd February 2013 1 22 ND FEBRUARY 2013 IM-5 Drilling Update Disclaimer

IM-5 Drilling Update 22 nd February 2013 1 22 ND FEBRUARY 2013 IM-5 Drilling Update Disclaimer

IM-5 Drilling Update 22 nd February 2013 1 22 ND FEBRUARY 2013 IM-5 Drilling Update Disclaimer Important Notice Nothing in this presentation or in any accompanying management discussion of this presentation (the " Presentation ")

394 views • 5 slides
A Quantitative Analysis of Subsidy Competition in the U.S. Ralph Ossa University of Zurich and

A Quantitative Analysis of Subsidy Competition in the U.S. Ralph Ossa University of Zurich and

A Quantitative Analysis of Subsidy Competition in the U.S. Ralph Ossa University of Zurich and CEPR January 2019 Ralph Ossa (UZH) Subsidy Competition January 2019 1 / 29 Motivation and objectives Motivation US cities, counties, and states

629 views • 52 slides
New England Colonies

New England Colonies

10/1/2013 New England Colonies

159 views • 5 slides
1 Christianity Not all Hoodoo Voodoo ! Employed divinity in pest control up until 15th !

1 Christianity Not all Hoodoo Voodoo ! Employed divinity in pest control up until 15th !

History of Pesticide Use History of Pest Control ! Many pests plague humans: Rats, mice, cockroaches, termites, beetles, moths/caterpillars, ants, lice, fleas, mosquitoes, spiders, mites, ticks, pigeons, raccoons, coyotes, deer, woodchucks,

372 views • 6 slides

More recommend