root canal
play

Root Canal A new class of SS7 vulnerabilities Agenda SS7 - PowerPoint PPT Presentation

Dec 05, 2023 •238 likes •787 views

Outstanding Communications Solutions Root Canal A new class of SS7 vulnerabilities Agenda SS7 Vulnerable by design Acknowledged signalling vulnerabilities The root problem Mitigation The signaling band-aid A new class

  1. Outstanding Communications Solutions Root Canal A new class of SS7 vulnerabilities

  2. Agenda • SS7 – Vulnerable by design • Acknowledged signalling vulnerabilities • The root problem • Mitigation – The signaling band-aid • A new class of SS7 vulnerabilities • Malformed Packets • Prerequisites • Attacking and Tunneling • Multi stage exploit • Proposed mitigation and limits 2

  3. Introduction • Presenter – Fredrik Söderlund • Symsoft – Software and Systems Security Advisor • Background in • Reverse engineering • Debug tools development • Telecom security • Security researcher and contributor to the GSMA CVD program • Worked on multiple SS7 firewall designs both for SMS and full spectrum SS7 3

  4. Introduction • Symsoft – CLX Communications • Communications Solutions for Operators • 75+ Mobile Operator Customers • 1000+ Enterprise Customers • IoT and MVNO Platforms • Fraud & Security • Real-Time BSS • Value Added Services 4

  5. SS7 – Vulnerable by design Signaling Vulnerabilities 5

  6. Acknowledged vulnerabilities • Signaling based attacks • Location tracking – ATI, PSI • Spying on subscribers or VIPs • Profile manipulation – ISD, registerSS • Fraud, call redirection or denial of service • Subscriber hijacking, DoS – UL, DSD • Eavesdropping, fraud or denial of service 6

  7. Acknowledged vulnerabilities • Yes they are dangerous, costly and indicates the network is vulnerable • But they are also perfectly normal and the expected functionality of an SS7 network • The network is doing exactly what is intended • Attacks or misuse? These attacks have been known for a long time and were easy to predict. 7

  8. Acknowledged vulnerabilities • The root problem is always the same… • Subscriber tracking • Lack of authentication (who is reading?) • Profile manipulation • Lack of authentication (who is writing?) • Location update • Lack of authentication (who is moving?) 8

  9. The root problem • Everyone trusts everyone • If you’re on the network you’re a friend • Anyone can impersonate anyone • If you’re on the network we assume you are who you say you are 9

  10. Mitigation - The signaling band-aid • The obvious answer to signaling problems: • Introduce authentication! • Let’s not do that… • Instead we will: • Cat 1 - Filter network edge for unexpected or unwanted operations • Cat 2 - Verify fields across stack layers without 1:1 match of components (CC+NNGT : MCC+MNC) • Cat 3 - Verify subscriber location by last known location or plausibility of movement 10

  11. Mitigation - The signaling band-aid • In addition to filtering we can also configure our networks better • Whitelist roaming partners, known nodes/peers • Introduce home routing • Whitelist exceptions based on origin and opcode • The result is a reasonably secure network • The Signaling band-aid works pretty good 11

  12. Mitigation - The signaling band-aid • So what is the problem? 12

  13. A new class of SS7 vulnerabilities Malformed Packets 13

  14. Well formed Packet 14

  15. Malformed Packet 15

  16. Malformed Packets Non signaling based attacks in malformed packets • Routable attacks using malformed ASN.1 or SCCP layer data • Crafted payloads targeting known firmware vulnerable to encoding based attacks • Sophisticated attacks most likely using hijacked infrastructure • Potential attackers include APTs such as nation states or criminal networks 16

  17. Malformed Packets ▪ Denial of Service Aim is to crash the targeted network element either to influence network performance or steer traffic to alternative links where attacker may have better visibility • Methods include for example: buffer overflows, null pointers, stack depletion, memory corruption, infinite nesting ▪ Remote Code Execution Aims to take control of the targeted network element in order to exfiltrate data, scan network, generate traffic, commit fraud or eavesdrop on network traffic or subscribers • Methods include the same as Denial of Service attacks but with the goal of executing code via controllable crash. • Once code execution has been achieved the attacker is likely to proceed with privilege escalation and full compromise of the network element 17

  18. Malformed Packets • Compare a normal packet to a letter • A letter flows by country, city, street and finally reaches a person • In a malformed packet the attacker attempts to interrupt this flow or even trap it in an infinite loop & ultimately crash the application 18

  19. Malformed Packets • Malformed data can also point to sections of code or data outside the actual packet • Such pointers can redirect the flow and introduce a predictable and reproduceable crash of the application 19

  20. Malformed Packets • Most dangerous is Remote Code Execution • The predictable crash is exploited to run code • The code installs a Command & Control server • Attacker can scan and control the network • Worst case - The attack is totally transparent 20

  21. A new class of SS7 vulnerabilities Prerequisites 21

  22. Prerequisites • What we need to launch this attack • A vulnerable ASN.1 parser in the target node • Some type of UE registered in the target network • To act as a known recipient in the target network • The ability to send a routable SCCP packet carrying a 500 byte payload 22

  23. Prerequisites • A vulnerable ASN.1 parser, does it exist? 23

  24. Prerequisites • Get a handset into the target network should be doable 24

  25. Prerequisites • Sending a 500 byte payload over SS7 • Over M3UA it seems that most nodes accept payloads above 500 byte size without question • Over MTP3 there is a physical limit of 272 bytes • This limitation may carry over to M2PA • This could be a bottleneck... 25

  26. Prerequisites • Full length or concatenated SMS are larger than 272 bytes • They usually consist of an empty TCAP Begin followed by the payload in a TCAP Continue • Payloads larger than 272 bytes can be sent divided into multiple parts • This means that also SS7 has ways of passing larger packets to the application layer 26

  27. Prerequisites • SCCP UDT (Unitdata) has a size limitation (still however well above what an attacker needs) • If a packet however exceeds the size limit of 272 bytes it may be transported over XUDT to accommodate the legacy size limit • SCCP XUDT (Extended Unitdata) offers fragmentation and can therefore encapsulate larger packets also over MTP3 and M2PA • Fragmented packets are reassembled on arrival and passed in original form to the application 27

  28. Prerequisites • We have a method of delivery • Regular SCCP UDT over M3UA appears to be widely accepted with larger packets sizes • XUDT over MTP3/M2PA offers a fragmented alternative to overcome physical barrier of legacy technology 28

  29. A new class of SS7 vulnerabilities Attacking and Tunneling 29

  30. Attacking and Tunneling • Crafting the attack • We are still subject to some limits with regards to size of the attacks. No hard cap, but an attacker needs to limit size of initial infection for better chance of success • This means crafting a multi stage attack • Characteristics of the ideal MAP operation for initial infection: • Spoofable (we don’t need the returnResult) • Variable size • Optional parameters 30

  31. Attacking and Tunneling • MAP reset – Fits the description • Spoofable and contains a variable size hlr-List of IMSI:s as optional parameter… 31

  32. Multi stage exploit • Primary infection: 500 bytes carried in the optional list parameter of MAP reset • Trigger vulnerability, start execution • Allocate space for hook procedures • Adjust memory protection of 1 page of code • Patch recv function and install hook 1 • Hook 1 filters all incoming SMS traffic towards the attacker UE registered in the target network • Chunks of executable code are delivered and assembled into second stage of infection • When all chunks have been delivered, hook 1 is replaced by hook 2 32

  33. Multi stage exploit • Secondary infection: 2000 bytes of PoC code • Does not need to connect back to original attacker GT - The Primary infection may be spoofed • Offers the ability to execute commands on target • Has the ability to report back to attacker • Data is tunneled to target using MT SMS • Data is tunneled from target using MO SMS • Infection is transparent to target node and leaves no stains on the file system. 33

  34. Call Flow • Multiple stage attack using MAP reset and MT SMS • Delivers exploit, installs Command & Control (C2) • Attacker can proceed to control network remotely • Scan, cross infect, commit fraud, deny service 34

  35. Call Flow • First stage attacks encoding at ASN.1 or SCCP • Crashes the MSC in a predictable way • Installs hook procedure to filter incoming MT SMS • Returns control to application and starts filtering 35

  36. Call Flow • Second Stage is built using MT SMS • MT SMS contain code for C2 in TPDU User-Data • Hook detects incoming MT SMS by known UE IMSI • Reassembles MT SMS chunks to build C2 server 36

  37. Call Flow • C2 server acts as attacker inside network • Attacker send commands using MT SMS • C2 executes attacker commands • C2 functionality can be extended if required • 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Whats In Store For ROOT I/O Philippe Canal March 22nd, 2012 Whats new in ROOT

Whats In Store For ROOT I/O Philippe Canal March 22nd, 2012 Whats new in ROOT

Whats In Store For ROOT I/O Philippe Canal March 22nd, 2012 Whats new in ROOT I/O Automatic support for more than one TTreeCache per file (Thanks to Peter) TTree::SetCacheSize(Long64_t) no longer override/delete

960 views • 33 slides
TIP Modification Highland - Canal Blvd | SLIDE Highland-Canal Blvd Canal Blvd (Murdock

TIP Modification Highland - Canal Blvd | SLIDE Highland-Canal Blvd Canal Blvd (Murdock

TIP Modification Highland - Canal Blvd | SLIDE Highland-Canal Blvd Canal Blvd (Murdock Connector) added to the TIP 2008 $4,170,000 County Trans Tax Delayed by several issues Ready to go to bid. | SLIDE 2 Highland-Canal

324 views • 14 slides
Navigation Dredging in the Navigation Dredging in the Champlain Canal Champlain Canal Canal

Navigation Dredging in the Navigation Dredging in the Champlain Canal Champlain Canal Canal

Navigation Dredging in the Navigation Dredging in the Champlain Canal Champlain Canal Canal System Overview The Canal System is comprised of four waterways: The Erie Canal 338 miles long The Champlain Canal 60 miles long

536 views • 17 slides
I Want To Do Root Canals! Better! Faster! Safer! Endodontics and The Other Face of

I Want To Do Root Canals! Better! Faster! Safer! Endodontics and The Other Face of

I Want To Do Root Canals! Better! Faster! Safer! Endodontics and The Other Face of the Moon Buccal clinical view often leads one to believe that the canal is round in cross section throughout its length CLINICAL

817 views • 44 slides
LANDMARKS PRESERVATION COMMISSION 343 CANAL STREET NEW YORK, NY JULY 24 TH , 2018 343 CANAL

LANDMARKS PRESERVATION COMMISSION 343 CANAL STREET NEW YORK, NY JULY 24 TH , 2018 343 CANAL

LANDMARKS PRESERVATION COMMISSION 343 CANAL STREET NEW YORK, NY JULY 24 TH , 2018 343 CANAL STREET AREA OF WORK NEW CONSTRUCTION Aerial View The 5-story building is located on a 2,275 sf lot along Canal Street in the SoHo Cast Iron

846 views • 36 slides
Canal Corridor: whats wrong wi the current scheme and how cou it be done better? Tim

Canal Corridor: whats wrong wi the current scheme and how cou it be done better? Tim

Canal Corridor: whats wrong wi the current scheme and how cou it be done better? Tim Hamilton-Cox and Nick Wilkinson (Green Party city councillors) 17/03/18 Overview of the Canal Corridor Site Sugar House Canal Corridor boundary St

476 views • 31 slides
2018 The High Line Canal History The 71-mile High Line Canal was a commercial idea to bring

2018 The High Line Canal History The 71-mile High Line Canal was a commercial idea to bring

2018 The High Line Canal History The 71-mile High Line Canal was a commercial idea to bring water to settlers and farmers near the confluence of the South Platte and Cherry Creek following a gold rush in 1859. 1883: Canal construction

169 views • 12 slides
The Canal Steward Program is designed to engage groups and individuals in a long-term volunteer

The Canal Steward Program is designed to engage groups and individuals in a long-term volunteer

National Park Service Park Resources Canal Steward U.S. Department of the Interior Chesapeake and Ohio Canal Program National Historical Park What is the Canal Steward Program? The Canal Steward Program is designed to engage groups

388 views • 16 slides
PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO

PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO

Mario Vuksan & Tomislav PericinBlackHat USA 2013, Las Vegas PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO CONTINUE: CONTINUE: CONTINUE: CONTINUE:

690 views • 45 slides
Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key Infrastructure (WebPKI) Root certificates of trusted Certificate Authorities e.g. GlobalSign Root CA, Amazon Root CA, GoDaddy Root CA Root 1 Root 2

347 views • 19 slides
Bloomfield Morris Canal Greenway Goals Preserve the right-of-way of the historic canal

Bloomfield Morris Canal Greenway Goals Preserve the right-of-way of the historic canal

Bloomfield Morris Canal Greenway Goals Preserve the right-of-way of the historic canal Bloomfields project should compliment the statewide project Connect BMCG to 7 existing municipal/county parks, BOEs fields, and nearby

576 views • 24 slides
St. Mary Siphon Tubes North of Babb, MT Halls Coulee Siphon St. Mary Canal St. Mary Canal

St. Mary Siphon Tubes North of Babb, MT Halls Coulee Siphon St. Mary Canal St. Mary Canal

St. Mary Siphon Tubes North of Babb, MT Halls Coulee Siphon St. Mary Canal St. Mary Canal Slide Area St. Mary Canal Slide Area St Mary Canal Typical Drop Structure Stilling Basin (one of 5 Drop structures) St. Mary Canal Drop

332 views • 8 slides
Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and volatility of the root zone Jaap Akkerhuis Lyman Chapin Patrik Fltstrm Glenn Kowack Bill Manning Lars-Johan Liman Summary of Findings Root Scaling

558 views • 20 slides
Conten ents 1 Canal 2 PCCP pipe 3 Tunnel 1 Canal The middle route runs from Danjiangkou

Conten ents 1 Canal 2 PCCP pipe 3 Tunnel 1 Canal The middle route runs from Danjiangkou

South South-to to-No North rth Water Dive ivers rsion ion mid iddle dle r rout oute e China Institute of Water Resources and Hydropower Research IWHR Conten ents 1 Canal 2 PCCP pipe 3 Tunnel 1 Canal The middle route

503 views • 27 slides
Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to address a problem or non-conformance, in order to get to the root cause of the problem. It is used so we can correct or eliminate the cause,

389 views • 28 slides
PUBLIC HEARING US 69 WIDENING Phase 1 (IH-10 to LNVA Canal) Phase 2 (LNVA Canal to Tram Road)

PUBLIC HEARING US 69 WIDENING Phase 1 (IH-10 to LNVA Canal) Phase 2 (LNVA Canal to Tram Road)

PUBLIC HEARING US 69 WIDENING Phase 1 (IH-10 to LNVA Canal) Phase 2 (LNVA Canal to Tram Road) Jefferson County, Texas CSJs: 0065-07-062 and 0200-11-095 Thurs rsday, A Apri ril 26, 26, 20 2018 Date Footer Text ELEC LECTED & PUBLIC

374 views • 25 slides
Class invariants by the CRT method Andreas Enge Andrew V. Sutherland INRIA Bordeaux-Sud-Ouest

Class invariants by the CRT method Andreas Enge Andrew V. Sutherland INRIA Bordeaux-Sud-Ouest

Class invariants by the CRT method Andreas Enge Andrew V. Sutherland INRIA Bordeaux-Sud-Ouest Massachusetts Institute of Technology ANTS IX Andreas Enge and Andrew Sutherland Class invariants by the CRT method 1 of 17 Constructing an

308 views • 18 slides
Lecture 15: Dependency Parsing Kai-Wei Chang CS @ University of Virginia kw@kwchang.net Couse

Lecture 15: Dependency Parsing Kai-Wei Chang CS @ University of Virginia kw@kwchang.net Couse

Lecture 15: Dependency Parsing Kai-Wei Chang CS @ University of Virginia kw@kwchang.net Couse webpage: http://kwchang.net/teaching/NLP16 CS6501: NLP 1 How to represent the structure CS6501: NLP 2 Dependency trees v Dependency grammar

703 views • 51 slides
mLSM : Making Authenticated Storage Faster in Ethereum Pandian Raju 1 , Soujanya Ponnapalli 1 ,

mLSM : Making Authenticated Storage Faster in Ethereum Pandian Raju 1 , Soujanya Ponnapalli 1 ,

mLSM mLSM : Making Authenticated Storage Faster in Ethereum Pandian Raju 1 , Soujanya Ponnapalli 1 , Evan Kaminsky 1 , Gilad Oved 1 , Zachary Keener 1 Vijay Chidambaram 1,2 , Ittai Abraham 2 1 The University of Texas at Austin; 2 VMware Research 1

1.34k views • 92 slides
Moderator: Brienne J. Meyer bmeyer@cid-inc.com Application Scientist Also Joining Us from CID

Moderator: Brienne J. Meyer bmeyer@cid-inc.com Application Scientist Also Joining Us from CID

Moderator: Brienne J. Meyer bmeyer@cid-inc.com Application Scientist Also Joining Us from CID Bio-Science: Andrea Melnychenko amelnychenko@cid-inc.com Application Scientist Root Imaging with the CI-600 CID Bio-Science, Inc. Image Credit:

882 views • 32 slides
Tree-StructuredIndexes Chapter9

Tree-StructuredIndexes Chapter9

Tree-StructuredIndexes Chapter9 DatabaseManagementSystems3ed,R.RamakrishnanandJ.Gehrke 1 Introduction

336 views • 9 slides
A Generative Model for Punctuation in Dependency Parsing Xiang Lisa Li*, Dingquan Wang*, and

A Generative Model for Punctuation in Dependency Parsing Xiang Lisa Li*, Dingquan Wang*, and

A Generative Model for Punctuation in Dependency Parsing Xiang Lisa Li*, Dingquan Wang*, and Jason Eisner * Equal Contribution 1 NLP has neglected punctuation T reebanks treat punctuation marks as ordinary tokens, but ARE THEY? The

896 views • 41 slides
Dont forget your roots: constant-time root finding over F 2 m Douglas Martins 1 Gustavo Banegas

Dont forget your roots: constant-time root finding over F 2 m Douglas Martins 1 Gustavo Banegas

Dont forget your roots: constant-time root finding over F 2 m Douglas Martins 1 Gustavo Banegas 2 , 3 Ricardo Custdio 1 1 Departamento de Informtica e Estatstica, Universidade Federal de Santa Catarina 2 Department of Mathematics and

401 views • 22 slides
Relational Graph Processing on GPUs Haicheng Wu 1 , Daniel Zinn 2 , Molham Aref 2 , Sudhakar

Relational Graph Processing on GPUs Haicheng Wu 1 , Daniel Zinn 2 , Molham Aref 2 , Sudhakar

Multipredicate Join Algorithms for Accelerating Relational Graph Processing on GPUs Haicheng Wu 1 , Daniel Zinn 2 , Molham Aref 2 , Sudhakar Yalamanchili 1 1. Georgia Institute of Technology 2. LogicBlox Inc. SCHOOL OF ELECTRICAL AND COMPUTER

796 views • 44 slides

More recommend