
Turner.issa vulns.150604

320 views


Published in: Technology

  1. Cellular Network Attacks: What the latest vulnerabilities mean for businesses and individuals. Aaron Turner – CEO, IntegriCell; IANS Research Faculty. ©2014 IANS
  2. At a Glance
    • Every network humans have constructed has vulnerabilities
    • Why should cellular networks be any different?
    • The base station problem
      • Localized attacks with significant impacts
    • The SS7 problem
      • Global attacks with enormous consequences
    • How MDM/EMM/MAM are essentially useless playthings when it comes to these vulnerabilities
    • We’ve got a lot of work to do
  3. Cellular network architecture overview
    (Diagram: Operator 1, Operator 2 and Operator 3, interconnected through the SS7 network)
  4. A quick cellular network lesson
    • BTS – Base Transceiver Station: a ‘cell tower’, the point where the cellular network moves from fiber to RF
    • HLR – Home Location Register: the ‘billing database’ for non-roaming users – what services you’re entitled to
    • VLR – Visitor Location Register: the ‘billing database’ for roaming users – what services the home operator tells the roaming operator it can offer
    • SS7 – Signaling System #7: a packet-like network that relies on SIGTRAN (an IETF protocol) to transmit messages between operators
    • MSC – Mobile Switching Center: handles cell handoff, SS7 interchange (for cell-to-landline calls), SMS services, voice conferencing and billing/charging
  5. Remember when…
    • We used to create passive network sniffers?
    • Just a matter of double-connecting the TX and RX pairs
    • In the OSI model – a ‘Physical’ layer attack
  6. Back to the Future
    • Imagine cellular RF signals as the new physical attack layer
    • As copper was to CAT V cable, RF is to cellular
    • Unfortunately…
      • Cell phones do not have the integrity controls to assure connection to authorized BTSs
      • Most cellular subscribers have no idea what the state of their network connection is
  7. What does this mean?
    • Your cell phone will gladly connect to any BTS that says it wants to talk to it
    • The BTS instructs the phone what level of protection the communications must have
      • Weak or no encryption? Sure thing!
    • The BTS can terminate, capture, replay or otherwise manipulate anything flowing through it
      • Yes, even if the BTS is not owned by the authorized operator, an attacker can capture all of the traffic: voice, SMS & data
  8. False BTS Scenario
    • Theory: attackers would put their BTS in a cargo van, drive around the attack target and stay mobile
    • Reality: attackers are placing their BTS inside the building and conducting persistent attacks
  9. What data can be stolen?
    • London: a media company’s offices targeted for pre-market access to financial information
      • Earnings report ‘heads up’ SMS sent to a financial reporter
      • Financial reporter’s service intercepted
      • Attacker able to gain an advantage in commodities or equities
    • US: engineering facilities targeted for product development information
      • Rapid prototyping teams rely more on their mobile devices than on IT infrastructure
      • Attackers able to gather product development details & scheduling information
  10. Washington DC Findings
    • 15 total areas of interest in DC
    • Over 40 alerts in those areas
    • 4 research devices
  11. Bay Area Findings
    • 5 total areas of interest
    • Over 30 firewall alerts
    • 3 research devices
    • 2 networks
    • 2 locations where full intercept capabilities were underway
  12. BTS Vulnerabilities Bottom Line
    • Cellular network communications can be easily intercepted
    • Intercept is a localized attack
      • Limited to a particular area, based on the strength of the false BTS’ signal
      • Not necessarily scalable for large-scale attacks
    • Intercept can be universal or targeted
      • All devices in a particular area, or interceptors can ‘shed’ non-targeted devices and focus only on those of interest
    • What controls exist?
      • Baseband firewalls are the best option for false BTS awareness
      • Beware of software-only offerings: true promiscuous-mode monitoring requires kernel- and driver-level modification of cellular radios
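To make the "baseband firewall" control on this slide concrete, here is an added example (not code from the deck or from any baseband-firewall product) of the kind of heuristics such a tool runs over the cell observations it collects. The cell log, the known-cell baseline, the PLMN identifiers and the thresholds are all constructed assumptions; a real product gets this data through the driver-level radio access the slide says is required, which a plain app cannot obtain.

```python
"""Heuristic false-BTS checks over a constructed cell-observation log.

Added illustration, not code from the deck or any product. Every record,
the known-cell baseline and the thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CellKey = Tuple[str, str, int, int]  # (MCC, MNC, LAC, cell id)


@dataclass(frozen=True)
class CellObs:
    t: int            # seconds since capture start
    mcc: str          # mobile country code
    mnc: str          # mobile network code
    lac: int          # location area code
    cell_id: int
    cipher: str       # ciphering the BTS selected: 'A5/0' (none), 'A5/1', 'A5/3'
    neighbours: int   # neighbour cells advertised in system information
    rssi_dbm: int     # received signal strength


# Constructed baseline: cells seen at this site during a quiet period.
KNOWN_CELLS: Set[CellKey] = {
    ("310", "410", 2010, 5001),
    ("310", "410", 2010, 5002),
    ("310", "410", 2011, 5107),
}

# Constructed log: two genuine cells, then an unknown cell that shows several
# false-BTS traits at once (no ciphering, no neighbours, very strong signal,
# a LAC never seen here), then a genuine cell again.
OBSERVATIONS: List[CellObs] = [
    CellObs(0,   "310", "410", 2010, 5001,  "A5/3", 6, -75),
    CellObs(60,  "310", "410", 2010, 5002,  "A5/1", 5, -80),
    CellObs(120, "310", "410", 9999, 60001, "A5/0", 0, -35),
    CellObs(180, "310", "410", 2010, 5001,  "A5/3", 6, -76),
]

STRONG_SIGNAL_DBM = -40  # assumption: stronger than this is abnormal for a macro cell


def analyze(obs: List[CellObs], known: Set[CellKey]) -> List[Tuple[int, int, str]]:
    """Return (time, cell_id, reason) for every heuristic that fires.

    Each rule alone is weak (a newly installed legitimate cell also trips the
    'unknown cell' rule); the signal is several rules firing for one cell.
    """
    known_lacs = {k[2] for k in known}
    alerts: List[Tuple[int, int, str]] = []
    for o in obs:
        key = (o.mcc, o.mnc, o.lac, o.cell_id)
        if key not in known:
            alerts.append((o.t, o.cell_id, "unknown cell for this site"))
        if o.lac not in known_lacs:
            alerts.append((o.t, o.cell_id, "LAC never seen at this site"))
        if o.cipher == "A5/0":
            alerts.append((o.t, o.cell_id, "no ciphering (A5/0) selected"))
        if o.neighbours == 0:
            alerts.append((o.t, o.cell_id, "no neighbour cells advertised"))
        if o.rssi_dbm > STRONG_SIGNAL_DBM:
            alerts.append((o.t, o.cell_id, "implausibly strong signal"))
    return alerts


def suspicious_cells(obs: List[CellObs], known: Set[CellKey], min_hits: int = 3) -> Set[int]:
    """Cell ids for which at least min_hits distinct heuristics fired."""
    hits: Dict[int, Set[str]] = {}
    for _, cell_id, reason in analyze(obs, known):
        hits.setdefault(cell_id, set()).add(reason)
    return {c for c, reasons in hits.items() if len(reasons) >= min_hits}


if __name__ == "__main__":
    for t, cell, reason in analyze(OBSERVATIONS, KNOWN_CELLS):
        print(f"t={t:4d}s cell {cell}: {reason}")
    print("suspicious cells:", suspicious_cells(OBSERVATIONS, KNOWN_CELLS))
```

The point of `suspicious_cells` is the slide's "awareness" goal: a single rule produces noise (new cells get deployed, signal is strong next to a tower), so an alert is raised only when several independent traits line up for the same cell. The ciphering check is the one a user cannot see on a phone's status bar, which is why the slide insists on radio-level access.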
  13. What’s this SS7 thing?
    • SS7 is like DNS and SMTP rolled into one system
      • Allows carriers to perform lookups on subscribers’ status AND
      • Allows carriers to deliver content to each other on subscriber activity
    • What could possibly go wrong?
    • SS7 high-profile examples:
      • Number portability
      • SMS one-time-use codes
      • Subscriber geolocation (criminal investigation, etc.)
  14. SS7 – Vulnerabilities Overview
    • Every network operator has SS7 nodes which they have configured as Service Control Points (SCP) and Signaling Gateways (SG)
    • Perimeter-based protections & controls
      • Have security perimeters failed in the past?
  15. What attacks can be run today?
    • International roaming fraud
      • SIM vendor in country X sells an ‘unlimited roaming’ SIM for country Y
      • SIM vendor colludes with attackers to toggle the SIM from post-paid to pre-paid and back again
      • Essentially allows for a free month of roaming
      • SIM vendor profits, the roaming operator loses revenues
    • Bad news for operators… what about for enterprises?
  16. Subscriber Tracking & Information Disclosure
    • What if I wanted to track your company’s executives in real time?
      • Use the information for potential deal-making intelligence
      • M&A opportunities, etc.
    • Operators say, “Can’t happen!”
    (Diagram: a request from the SS7 interconnect towards the VLR/MSC and HLR, shown blocked with an X)
  17. But, the perimeter fails…
    • Just like with perimeters of the past, they can be bypassed
    (Diagram: the same path from the SS7 interconnect to the VLR/MSC and HLR, now without the block)
  18. VLR Query Example
    • Even if the HLR filters requests, most of the time the VLR is vulnerable
    • Operators have hardened their SGs and HLRs but not their VLRs
    • IMEI and subscriber state (currently in a phone call or not?) can be requested
  19. SMS Intercept
    • Electronic banking & SMS MFA fraud, made possible by forced re-routing of authentication SMS messages and/or calls to the attacker
    (Diagram: attacker on the SS7 interconnect, the HLR, the SMSC and subscriber A’s VLR/MSC)
      1. Attacker tells HLR that subscriber A is now logged on to his “network” (updateLocation)
      2. Bank sends text message with mTAN to subscriber A
      3. SMSC gets referred to attacker’s “VLR” as destination by HLR (sendRoutingInfoForSM)
      4. SMS is delivered to attacker (mt-ForwardSM)
  20. Root cause analysis
    • Attackers are likely exploiting common cybersecurity vulnerabilities to gain access to SS7 interconnects
    • As long as the attacker does not get too greedy or send too many commands through the roaming partner’s SS7 interconnect, it is very difficult to detect these types of attacks
    • Attack surface is surprisingly large: 800 operators in 220 countries
    • Attack chain:
      1. Attacker identifies a vulnerable international roaming partner and runs an APT-style operation
      2. Exploited SS7 interconnect is then used to send commands to the target
      3. Attacker exploits the target SS7 network for fraud or information gathering
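The slide's detection claim (hard to notice unless the attacker is "greedy") is worth testing against the SMS-intercept flow on slide 19. The following is an added example, not code from the deck or from any SS7 signaling-firewall product, of two checks an operator can run on MAP operations arriving over its interconnects: a velocity check, which flags a single forged updateLocation if the subscriber was seen on the home network too recently to have travelled abroad, and a volume check, which flags a partner's interconnect sending location updates in bulk. The global titles, country tags, IMSIs, the roaming-partner list, the home country and the thresholds are constructed assumptions.

```python
"""Anomaly checks over a constructed log of MAP operations seen at an
operator's SS7 interconnect.

Added illustration, not code from the deck or any product. Global titles,
country tags, IMSIs, partner list and thresholds are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

HOME_COUNTRY = "US"  # assumption: the monitored operator's country


@dataclass(frozen=True)
class MapEvent:
    t: int               # seconds
    op: str              # 'homeAttach' (internal), 'updateLocation', 'sendRoutingInfoForSM'
    origin_gt: str       # global title of the sending node (constructed)
    origin_country: str  # country the sending GT belongs to
    imsi: str


@dataclass(frozen=True)
class Alert:
    t: int
    rule: str
    imsi: str
    origin_gt: str


# Constructed roaming partners: GT prefixes with which agreements exist.
PARTNERS: Set[str] = {"7999", "4479"}

# Constructed event log (IMSIs are made up).
EVENTS: List[MapEvent] = [
    MapEvent(0, "homeAttach", "home-vlr", "US", "310410000000001"),  # A seen at home
    MapEvent(0, "homeAttach", "home-vlr", "US", "310410000000002"),  # B seen at home
    # A is claimed by a partner network 15 minutes after being at home
    MapEvent(900, "updateLocation", "79990000001", "RU", "310410000000001"),
    # B genuinely roams 10 hours later
    MapEvent(36000, "updateLocation", "44790000001", "GB", "310410000000002"),
    # one partner GT claims six different subscribers within six seconds
    *[MapEvent(50000 + i, "updateLocation", "79990000001", "RU", f"31041000000010{i}")
      for i in range(6)],
    # a GT with no roaming agreement asks for SMS routing information
    MapEvent(60000, "sendRoutingInfoForSM", "99900000001", "XX", "310410000000002"),
]


def detect(events: List[MapEvent], partners: Set[str] = PARTNERS,
           min_travel_s: int = 7200, max_ul_per_gt: int = 5,
           window_s: int = 60) -> List[Alert]:
    """Run the unknown-partner, velocity and volume checks in time order."""
    last_seen: Dict[str, Tuple[int, str]] = {}   # imsi -> (time, country)
    ul_times: Dict[str, Deque[int]] = {}          # origin GT -> recent updateLocation times
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.op == "homeAttach":
            last_seen[ev.imsi] = (ev.t, HOME_COUNTRY)
            continue
        # Messages from a GT that is not a roaming partner should not be here at all.
        if not any(ev.origin_gt.startswith(p) for p in partners):
            alerts.append(Alert(ev.t, "unknown-partner", ev.imsi, ev.origin_gt))
        if ev.op == "updateLocation":
            # Velocity: a country change faster than any plausible trip.
            prev = last_seen.get(ev.imsi)
            if prev and prev[1] != ev.origin_country and ev.t - prev[0] < min_travel_s:
                alerts.append(Alert(ev.t, "velocity", ev.imsi, ev.origin_gt))
            last_seen[ev.imsi] = (ev.t, ev.origin_country)
            # Volume: too many location updates from one partner GT in a window.
            dq = ul_times.setdefault(ev.origin_gt, deque())
            dq.append(ev.t)
            while dq and dq[0] < ev.t - window_s:
                dq.popleft()
            if len(dq) > max_ul_per_gt:
                alerts.append(Alert(ev.t, "volume", ev.imsi, ev.origin_gt))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"t={a.t:6d}s {a.rule:16s} imsi={a.imsi} from GT {a.origin_gt}")
```

Note what each check does and does not catch. The velocity rule needs a recent home-network sighting to compare against, so a forged updateLocation for a subscriber who has been idle for hours passes it; that is the slide's "not too greedy" case. The volume rule only fires on bulk use of one partner's interconnect, which is exactly the behaviour the slide says a careful attacker avoids. The checks are still worth running, because the deck's recommended mitigation (moving away from SMS-based authentication) removes the payoff rather than the intrusion, and an operator still wants to see when a partner's interconnect starts behaving oddly.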
  21. Cellular Network Vulnerabilities: The Bottom Line
    • BTS vulns:
      • Enterprises are left with very little control
      • Deploy baseband firewalls and monitor
    • SS7 vulns:
      • Shift away from SMS-driven authentication
      • Train executives to leave primary phones behind on sensitive trips
      • Vendors like Payfone are going to be in a rough situation
  22. Questions & Comments? Aaron Turner. Or, connect with me on LinkedIn.