hacking telco equipment
play

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security - PowerPoint PPT Presentation

Jul 12, 2023 •124 likes •724 views

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS Laurent Ghigonis P1 Security 2014, Hackito Ergo Sum - Security Conference What are we talking about ? A mobile

  1. Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  2. What are we talking about ? A mobile network operator Core Network Network passive capture showing Global Titles Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  3. Mobile Operators • Conveys the majority of voice communications worldwide • Conveys our data • Conveys growing M2M traffic • Emergency systems notifications uses it => We now rely on it and we have some security expectations Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  4. Mobile Operators and governance • In Europe Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  5. Mobile Operators and governance • In France Lets check the reality … Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  6. The Witness : An HLR/HSS AuC HSM HLR Front End HSS Front End Provisioning DSA Routing DSA Install Server Admin Provisioning Gateway 3 Back Ends Typical HLR/HSS in use in operator Core Network Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  7. HLR/HSS in Mobile Core Network A mobile network operator Core Network Network passive capture showing Global Titles Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  8. HLR/HSS in Mobile Core Network Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  9. HLR/HSS in Mobile Core Network Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  10. HLR/HSS in Mobile Core Network • HLR is used in all 2G Operator Network • HSS is used in all 3G/4G Operator Network • Stores customer data – Subscriber identifier (IMSI) – Subscriber encryption keys – Subscriber approximate location – Subscriber SIM plan options • Critical to the operator – HLR down == Network down, no calls possible Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  11. HLR/HSS in Mobile Core Network HLR/HSS receiving subscriber location update from the operator SS7/Diameter signaling links Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  12. Lets make it talk … Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  13. Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  14. Plan HLR/HSS Robustness assessment • Virtualization – Virtualization and instrumentation • System Analysis – Localroot, Framework complexity • Network Fuzzing – SS7 Protocols • Binaries Reverse – More vulns Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  15. HLR/HSS Virtualization No, it’s not ATCA / NFV Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  16. An HLR/HSS is an ecosystem Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  17. An HLR/HSS is an ecosystem • HLR + HSS Front-end • HLR Administration server • Application/Database routing servers • HLR Backend/Database (multiple) • HSM (Hardware Security Module) for keys Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  18. HLR/HSS is never alone Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  19. Where to start • Most exposed from the outside => HLR/HSS Front-end – Receives SS7/Diameter traffic • Telecom network stacks – Receives provisioning requests – Connected to the HSM Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  20. Where to start AuC HSM HLR Front End HSS Front End Provisioning DSA Routing DSA Install Server Admin Provisioning Gateway 3 Back Ends Typical HLR/HSS in use in operator Core Network Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  21. Virtualization of HLR/HSS Frontend Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  22. Original Equipment Manufacturer • Specs of the real equipment – i386 / x64 / Sparc – Solaris / CentOS – 32 GB of RAM – CPU 16 Cores – TB hard drive + External SAN Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  23. Qemu/KVM • Faster than VirtualBox • More flexible • Tweak code to add more network interfaces • VDE Switch for networking Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  24. Qemu/KVM qemu-system-x86_64 \ -machine type=pc,accel=kvm:tcg -pidfile ./myhlr.pid \ -m 7.2g -smp 4 -drive file=/dev/mapper/lvm-vm--myhlr,cache=none \ -vnc 127.0.0.1:2,password,tls,lossy -display curses -rtc base=localtime,driftfix=slew \ -net vde,vlan=1,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=1,macaddr=52:54:00:00:10:01 \ -net vde,vlan=2,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=2,macaddr=52:54:00:00:10:02 \ -net vde,vlan=3,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=3,macaddr=52:54:00:00:10:02 \ -net vde,vlan=4, sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=4,macaddr=52:54:00:00:10:02 \ -net vde,vlan=5,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=5,macaddr=52:54:00:00:10:02 \ -net vde,vlan=6,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=6,macaddr=52:54:00:00:10:02 \ -net vde,vlan=7,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=7,macaddr=52:54:00:00:10:02 \ -net vde,vlan=8,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=8,macaddr=52:54:00:00:10:02 \ -net vde,vlan=9,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=9,macaddr=52:54:00:00:10:02 \ -net vde,vlan=10,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=10,macaddr=52:54:00:00:10:02 \ -net vde,vlan=11,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=11,macaddr=52:54:00:00:10:02 \ -net vde,vlan=12,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=12,macaddr=52:54:00:00:10:02 • Physical partition for disk – Do not use disk file on host btrfs • super slow • ext4 is ok – http://www.linux-kvm.org/page/Tuning_KVM • Curses output • Improvements: serial terminal Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  25. Qemu/KVM • Solaris 10 – Qemu/KVM ok for x64 – Fails for SPARC • Stock kernel – /kernel – /usr/kernel • Custom kernel modules – For Telecom Signaling [Signalware] • Uses grub • Failsafe mode Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  26. Inside the machine • ZFS filesystem • Solaris 10 • Everything is installed via packages • Multiple Oracle databases – Even on HLR/HSS Front-end only • A lot of Middleware framework to start the actual network stacks / applications • Telco stacks: based on Ulticom Signalware • The OS expects its precious network cards Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  27. System Analysis Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  28. The filesystem • ZFS = Filesystem + Volume manager • ZFS pool (often mirrored) – ZFS root pool • 100-200GB usually enough • Prepare free space for system/processes dump – ZFS Dump pool • Should be more than size of your RAM – ZFS SWAP pool • Should be more that size of your RAM Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

  29. The filesystem • ZFS offers good resilience against data corruption, and is very picky when there is too much corruption – You can’t recover when filesystem is too much broken – You can try $ zdb -e -p /dev/dsk/c0t3d0p0 -F -X -AAA -dd rpool 1 $ zpool import -f -F -X 19485729304958623456 mypool $ zpool import -o readonly=on -o autoreplace=on -o failmode-continue -m -N -f -F -X 19485729304958623456 mypool • If it fails – Code your own tool by modifying ZOL http://zfsonlinux.org/ Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security 2014, Hackito Ergo Sum - Security Conference

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Towards an Economic Valuation of Telco-based Valuation of Telco based Identity

Towards an Economic Valuation of Telco-based Valuation of Telco based Identity

Towards an Economic Valuation of Telco-based Valuation of Telco based Identity Management Enablers Enablers PrimeLife/IFIP Summer School 2010 Helsingborg, 2010-08-04 Kai Rannenberg, S ascha Koschinat, Andreas Albers, Gkhan

1.07k views • 60 slides
VAS Management Platform. Solution from TELCO to TELCO Powered by 1Click The fastest payment

VAS Management Platform. Solution from TELCO to TELCO Powered by 1Click The fastest payment

VAS Management Platform. Solution from TELCO to TELCO Powered by 1Click The fastest payment tool mVAS services can 4 Times 1Click payment conversion rate is higher generate than the standard flow credit card payment up to 5% of total

1.07k views • 18 slides
Agenda Telco and 5G Network Functions Virtualization OPNFV and Software Defined

Agenda Telco and 5G Network Functions Virtualization OPNFV and Software Defined

Agenda Telco and 5G Network Functions Virtualization OPNFV and Software Defined Everything with SUSE Realizing NFVI requirements Performance Demo Telco and 5G LTE Network Architecture Telco functions The infrastructure

748 views • 39 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
OPEN PLATFORM BaSED 5g On the road to THE Software telco Alex Jinsung Choi, Deutsche Telekom

OPEN PLATFORM BaSED 5g On the road to THE Software telco Alex Jinsung Choi, Deutsche Telekom

OPEN PLATFORM BaSED 5g On the road to THE Software telco Alex Jinsung Choi, Deutsche Telekom ONF Spotlight, Sept 2020 internal We observe accelerating market dynamics Altogether having the potential to disrupt the telco sector

277 views • 11 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
PREPARE FOR EDGE SERVICES BY VIRTUALIZING YOUR CENTRAL OFFICE Ian Hood Hanen Garcia Chief

PREPARE FOR EDGE SERVICES BY VIRTUALIZING YOUR CENTRAL OFFICE Ian Hood Hanen Garcia Chief

PREPARE FOR EDGE SERVICES BY VIRTUALIZING YOUR CENTRAL OFFICE Ian Hood Hanen Garcia Chief Technologist Telco Solutions Manager Global Service Providers Red Hat Red Hat TELCO TRANSFORMATION IN THE ERA OF DIGITAL DISRUPTION Telco

312 views • 29 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

486 views • 27 slides
Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack

Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack

Hacking Online Games Matt Ward & Paul Jennas II April 22, 2012 Agenda Importance Attack Tree for Cheating On-line Poker Bots Denial of Service Collusion Software Exploits Conclusion Importance Out-of-band market for virtual equipment

1.07k views • 63 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
How to build a telco in the cloud Why are we here? Currently, telcos... are seen merely as a

How to build a telco in the cloud Why are we here? Currently, telcos... are seen merely as a

How to build a telco in the cloud Why are we here? Currently, telcos... are seen merely as a wire-provider . o offer a few products, tightly coupled to their infrastructure. o aren't seen as tech-leaders in the cloud/software world.

316 views • 17 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
The Challenge: Telco-grade Dependability with Extreme Agility Telecommunications Business

The Challenge: Telco-grade Dependability with Extreme Agility Telecommunications Business

ModelTalk : A Framework for Developing Domain Specific Executable Models Atzmon Hen-tov and Lior Schachter Pontis Ltd., Israel Joint Work With: David H. Lorenz The Open University of Israel The Challenge: Telco-grade Dependability with

431 views • 21 slides
Rui A. Costa Quality / Recognition Team 90% with a Master's degree ORGANOGRAM Organogram

Rui A. Costa Quality / Recognition Team 90% with a Master's degree ORGANOGRAM Organogram

Rui A. Costa Quality / Recognition Team 90% with a Master's degree ORGANOGRAM Organogram SECTORS & R&I TOPICS Sectors TELCO SOLUTIONS umeter.ubiwhere.com www.ubiwhere.com TELCO R&I TELCO R&I QoS/QoE EU PROJECTS |

496 views • 45 slides
ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING TOOLKIT FREE, OPEN-SOURCE WHAT IS ZIGDIGGITY??? + = RaspBee radio + Raspberry Pi ZigDiggity - GitHub Code http://zigdiggity.com BISHOPFOX

617 views • 23 slides
Laboratory Equipment & Safety Symbols CHEMISTRY GRADE 10 Laboratory Equipment Beaker

Laboratory Equipment & Safety Symbols CHEMISTRY GRADE 10 Laboratory Equipment Beaker

Laboratory Equipment & Safety Symbols CHEMISTRY GRADE 10 Laboratory Equipment Beaker Mortar and Pestle Laboratory Equipment Watch Glass Evaporating Dish Laboratory Equipment Florence (Volumetric) Plastic Wash Bottle Flask (Washing

409 views • 21 slides
Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET

481 views • 37 slides
MTTR and spare parts policy for BT equipment for BT equipment BT equipment with long MTTR

MTTR and spare parts policy for BT equipment for BT equipment BT equipment with long MTTR

MTTR and spare parts policy for BT equipment for BT equipment BT equipment with long MTTR PSB ISOLDE ISOLDE LEIR PS SPS SPS Stand-by service and expert call-out lists Conclusions With input from: B Balhan E

309 views • 27 slides
R-CAP Process Equipment, Inc. Equipment Solutions for Wet & Dry Processing 1 R-CAP

R-CAP Process Equipment, Inc. Equipment Solutions for Wet & Dry Processing 1 R-CAP

R-CAP Process Equipment, Inc. Equipment Solutions for Wet & Dry Processing 1 R-CAP Background Founded in 1990 in Barrington, IL Started as a representative for stainless steel tank & kettle manufacturers Strong growth &

446 views • 11 slides
Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi From Myself Associate Professor at UiO Teaching Ethical Hacking since 2012 Lecturer of the IN5290 Ethical Hacking at UiO Leader

878 views • 66 slides
Telco Reforms From De-monopolisation to Gigabit Economy ITU Regional Economic Dialogue on

Telco Reforms From De-monopolisation to Gigabit Economy ITU Regional Economic Dialogue on

Telco Reforms From De-monopolisation to Gigabit Economy ITU Regional Economic Dialogue on Information and Telecommunication Technologies for Europe and CIS Odessa, 30-31 October 2019 Christoph Legutko Director Broadband Connectivity Policy

207 views • 5 slides

More recommend