Session
Fahrplan 34C3
Security

Mobile Data Interception from the Interconnection Link

Saal Adams
Dr. Silke Holtmanns
Many mobile network operators rush to upgrade their networks to 4G/LTE from 2G and 3G, not only to improve the service, but also the security. The Diameter protocol, the successor of SS7 in Long Term Evolution (LTE) networks, is believed to offer more protection to the network itself and to the end-users. However, Diameter also offers a rich functionality set, which can also be exploited and misused if the network is not properly protected. We will show in this lecture how data interception (MiM) can be done via the Diameter-based interconnection link.

Ever since the public revelation of global surveillance and the exploits targeting the mobile communication backend, and in particular the interconnection network that links operators to each other, the general awareness of security and privacy in the telecommunication industry has increased. Misusing the technical features of mobile core network technology, specifically the Signaling System 7 (SS7), has disclosed numerous ways to locate, track and manipulate the routine cellular activities of cellphone users, e.g. as shown by Karsten Nohl and Tobias Engel in 2008 and 2014. In fact, SMS-based key recovery mechanisms became vulnerable because of the SS7 vulnerabilities, as we saw in the recent mTAN attack in spring 2017 in Germany. Many mobile network operators rush to upgrade their networks to 4G/LTE from 2G and 3G, not only to improve the service, but also the security. The Diameter protocol, the successor of SS7 in Long Term Evolution (LTE) networks, is believed to offer more protection to the network itself and to the end-users. However, Diameter inherits many functionalities and traits of the SS7 network. Therefore, some attacks are also possible there, e.g. location tracking, DoS or SMS interception in LTE by abusing the Diameter-based interconnection.
In this talk, we dig deeper into the Diameter interconnection to uncover how data connections can be intercepted from the interconnection link using the Diameter-based interfaces that are open to the interconnection network. We will show how a subscriber profile can be manipulated to allow resetting of the access point configuration and thereby allow a classical man-in-the-middle attack on data communications. We first discuss the current status of interconnection or mobile telephony core network security and explain the basic interfaces. This will then be followed by outlining the data collection attacks and the interception attacks, which exploit and combine information from several interfaces.
Both authors have a realistic insight into the actual deployment reality and security status of the interconnection network. We discuss the practicalities of such attacks with the help of screenshots, network logs and Wireshark traces during this talk. We will conclude the talk with solutions for countermeasures in the interconnection edge nodes, proper security configurations in LTE networks, GSMA protection standards for monitoring and strategies for improving the filtering policies of firewalls that defend the system from roaming abuses.

Additional information

Type lecture
Language English

More sessions

12/27/17
Security
oranav
Saal Dijkstra
How I hacked Samsung eMMC chips: from an indication that they have a firmware - up until code execution ability on the chip itself, relevant to a countless number of devices. It all started when Samsung Galaxy S3 devices started dying due to a bug in their eMMC firmware. I will cover how I figured out there's a firmware inside the chip, how I obtained it, and my journey to gaining code execution on the chip itself — up until the point in which I could grab a bricked Galaxy S3, and fix it ...
12/27/17
Security
Mathias Dalheimer
Saal Adams
We are saving the climate with electric cars and massively expanding the charging infrastructure. Unfortunately, vulnerabilities are becoming visible at every level in the process: from charging stations that lack tamper protection to inherently insecure payment protocols and payment cards that can be copied. Charging station manufacturers and charging network operators are leaving their customers out in the rain. Is the rapid growth in market share coming at the expense of customer security?
12/27/17
Security
Filippo Valsorda
Saal Dijkstra
The Go implementation of the P-256 elliptic curve had a small bug due to a misplaced carry bit affecting less than 0.00000003% of field subtraction operations. We show how to build a full practical key recovery attack on top of it, capable of targeting JSON Web Encryption.
12/27/17
Security
Artem Kondratenko
Saal Clarke
Year 2017 was rich in vulnerabilities discovered for Cisco networking devices. At least 3 vulnerabilities leading to a remote code execution were disclosed. This talk will give an insight on exploit development process for Cisco IOS for two of the mentioned critical vulnerabilities. Both lead to a full takeover of the target device. Both PowerPC and MIPS architectures will be covered. The presentation will feature an SNMP server exploitation demo.
12/27/17
Security
Saal Borg
Positive Technologies researchers Maxim Goryachy and Mark Ermolov have discovered a vulnerability that allows running unsigned code. The vulnerability can be used to activate JTAG debugging for the Intel Management Engine processor core. When combined with DCI, this allows debugging ME via USB.
12/27/17
Security
argp
Saal Clarke
This talk presents the technical details and the process of reverse engineering and re-implementation of the evasi0n7 jailbreak's main kernel exploit. This work was done in late 2013, early 2014 (hence the "archaeology" in the title), however, it will provide insight into the kernel debugging setup for iOS devices (iDevices), the encountered difficulties and how they were overcome, all of which can be useful for current iOS kernel vulnerability research.
12/27/17
Security
Saal Dijkstra
Do you want to learn how modern binary code obfuscation and deobfuscation work? Did you ever encounter road-blocks where well-known deobfuscation techniques do not work? Do you want to see a novel deobfuscation method that learns the code's behavior without analyzing the code itself? Then come to our talk and we will give you a step-by-step guide.