Upload File

attacking nextgen roaming networks · 2018. 5. 11. · roaming network provider a provider c...

  • Home
  • Documents
  • Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction
45
1 Attacking NextGen Roaming Networks

Upload: others

Post on 20-Aug-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

1

Attacking NextGen Roaming Networks

Page 2: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

22

Agenda

o

o

o

Page 3: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

3

What is SS7?

o

o

o

o

o

o

Page 4: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

4

Roaming Network

Provider A Provider C

Provider B

BobAlice

The Most Simple Situation:

Alice has a contract with Provider A

Bob has a contract with Provider B

Page 5: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

5

The roaming situation:

Alice has a contract with Provider A

Bob has a contract with Provider B

Alice is connected to Network of Provider C

Roaming Network

Provider A Provider C

Provider B

Bob

Alice

Page 6: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

6

The roaming situation:

Alice has a contract with Provider A

Bob has a contract with Provider B

Alice is connected to Network of Provider C

Roaming Network

Provider A Provider C

Provider B

Bob

Alice

Interaction with Provider of Alice

Page 7: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

7

Typical Roaming Interaction

o

o

o

o

Page 8: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

8

SS7 Weaknesses

o

o

o

o

o

Page 9: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

9

Vulnerability Classification

o

o

o

o

Source: SANS Institute - The Fall of SS7 How Can the Critical Security Controls Help?

Page 10: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

10

SS7-MAP Message Classification

Page 11: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

11

Tool

o

o

o

o

o

o

Page 12: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

12

Page 13: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

13

Roaming in 4G/LTE Networks

o

o

o

o

o

Page 14: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

14

Diameter Networks

o

o

o

o

Page 15: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

15

LTE Roaming

Provider A Provider B

Diameter

SIP & RTP

IPX

Page 16: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

16

DRA DRA

Provider A

MME

HSS

PCRF

OCS

Provider C

DRAMME

Alice

IPX

SGW

DEA DEADRA

IMSPGW

Method 1: Home Routed IMS

Page 17: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

17

Method 2: Local Breakout

DRA DRA

Provider A

MME

HSS

PCRF

OCS

Provider C

MME

Alice

IPX

DEA DEADRA

IMSSGW/PGW

DRA

IMS

Page 18: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

18

Some Diameter Interfaces

o

o

o

o

o

o

o

o

Page 19: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

19

Diameter – The Base Protocol

Source: RFC 6733

Page 20: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

20

Used to match answer with response

Which application is used? (S6a, Sh, …)

Host which is initiating the request

Realm which is initiating the request

Page 21: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

21

Diameter Messages (S6a)

o

o

o

o

o

o

o

o

Page 22: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

22

Page 23: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

23

Let‘s do some Attacker Modeling

o

o

o

o

o

o

o

o

o

o

Page 24: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

24

Tracking

o

o

Page 25: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

25

Interception Attacks

o

o

o

Page 26: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

26

Message/Call Interception

o

o

o

o

o

o

o

Page 27: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

27

Fraud

o

o

o

Page 28: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

28

Denial of Service

o

o

Page 29: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

29

Limitations

o

o

Page 30: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

30

Summary (aka. let there be attacks)

Page 31: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

31

Topology & Topology Hiding

o

o

o

o

Page 32: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

32

Spoofing? Yes!

o

o

Page 33: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

33

Cross-Checking of PLMNs and Identities

o

o

o

o

Page 34: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

34

Tool!

o

o

o

o

o

Page 35: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

35

Tool (cont.)

o

o

o

Page 36: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

36

Tool (cont.)

o

o

Page 37: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

37

diameter_enum config file[DEFAULT]

origin-host: vanir

origin-realm: vanir

destination-host: fd.ernw.net

destination-realm: fd.ernw.net

host-ip-address: 10.11.12.1

vendor-id: 0

product-name: denum

inband-security-id: 0

mnc: 001

mcc: 001

imsi: 0010012345678

plmnid: 12f345

msisdn: 12345678

imei: 9876543210

Page 38: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

3838

LIVE DEMO!

o

Page 39: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

39

Penetration Testing of Interconnect Technologies

o

o

o

o

o

Page 40: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

40

What’s in There / Recommendations

o

o

o

o

o

o

o

o

o

o

o

Page 41: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

41

Controls from Our Perspective

o

o

o

o

o

Page 42: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

42

Summary & Outlook

o

o

o

o

o

Page 43: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

43

There’s never enough time…

THANK YOU… ...for yours!

@Enno_Insinuator

[email protected]

https://www.ernw.de/
https://www.insinuator.net/
Page 44: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

44

Thank you!

Page 45: Attacking NextGen Roaming Networks · 2018. 5. 11. · Roaming Network Provider A Provider C Provider B Bob Interaction with Alice Provider of Alice. 7 Typical Roaming Interaction

45

Sources

o

http://www.freepik.com/
http://www.flaticon.com/

Roaming Market Dynamics: Dr. Tayfun Çataltepe · Corporate Roaming GPRS Revenue Consumer Roaming GPRS Revenue ... •Roaming market dynamics: o Consumers’ increasing need to use

Permanent Roaming

Roaming Analytics - ayscom.com · roaming revenue streams, manage roaming partner relations and quickly resolve QoS issues. TARGET GROUPS With the Roaming Analytics solution, the

Roaming Hubs for CDMA: Rapid Roaming Expansion Made Possiblecdg.org/resources/files/white_papers/CDMA Roaming Hub... · 2017-12-08 · 5 Learning from GSM Roaming Experiences GSM

Can one e-Invoicing provider really serve you? Ever consider Roaming?

VoLTE Roaming Service Using New VoLTE Roaming Architecture

Global Roaming Guide - ソフトバンクbroadband.mb.softbank.jp/mb/en/global_service/roaming/roaming... · Global Roaming Service is a service that allows you to use your SoftBank

Winning in the Service Provider Market - RainFocus · BTS/eNodeB TSCF Radio Access Communication Service Provider Network Interconnect IPX Partner IP Peer Roaming 3G/4G SS7 I-BCF

Peering Taskforce Update Financial Clearing House (FCH) Peering Roaming Service Provider (RSP)Peering Ted Bolerjack – Sprint Sara Schleutker – Qualcomm

Regulation of International Roaming - cost605.org · Regulation of International Roaming in EU In 2008 EU adopted a legislation on International Roaming: ... Roaming costs per scenario

The SIM and International Roaming - Decoupling of Roaming

User Plane Roaming DNS Solution Page 1 DNS Solution User Plane Roaming LBS Roaming Meeting, San Francisco November 28, 2006 DNS Solution User Plane Roaming

IMS Roaming and Interworking Guidelines Version 18.0 … · 2.3.1 Operational Requirements for IMS Voice and Video 10 ... Inter-Service Provider IP Backbone ... IMS Roaming and Interworking

international Roaming Explained - GSMA · International roaming explained Africa. 3 1 Contents 1. Mobile roaming explained 1. Mobile roaming explained..... 1 2. Mobile roaming in

RAID Roaming · RAID Roaming RAID Roaming is a single Central Roaming Management Solution, enabling mobile operators to manage the entire life cycle of roaming agreements from signing,

GPRS Roaming

Page 1 Non-Trusted User Plane Roaming LBS Roaming Meeting, San Francisco November 28, 2006 Non-Trusted User Plane Roaming LBS Roaming Meeting, San Francisco

Page 1 Settlement for LBS User Plane Roaming LBS Roaming Meeting, Denver January 18, 2007 Settlement for LBS User Plane Roaming LBS Roaming Meeting, Denver

Global Roaming From Sprint - CDGcdg.org/news/events/CDMASeminar/031211/4-SprintGlobalRoaming_1… · Global Roaming From Sprint. Domestic Roaming ... International Roaming with a

data roaming

International roaming explained - GSMA · PDF fileMobile roaming explained. Figure 1.1 Overview of international roaming technology and operations ... Roaming services Traffic flow

Roaming Awards – Inbound Roaming Service · – first loyalty management provider in telecoms with global scope • Its ‘Inbound Roaming Service’ is now being used by more than

Client Roaming - Cisco...Client Roaming • AssistedRoaming,page1 • 802.11v,page4 • 802.11Bands,page7 • OptimizedRoaming,page11 • CCXLayer2ClientRoaming,page13 Assisted Roaming

802.11 WLAN Roaming and Fast-Secure Roaming on CUWN · 802.11 WLAN Roaming and Fast-Secure Roaming on CUWN Contents Introduction Prerequisites Requirements Components Used Background

Beeline roaming-partners...Beeline roaming-partners Enjoy your trip in more than 170 countries with Beeline roaming! The following types of roaming are available depending on a roaming-partner

Study ‘Roaming data services’ - European Commissionec.europa.eu/information_society/activities/roaming/docs/study... · Study ‘Roaming data services ... new technologies were

Alice De E-marketing van een premium brand Internet service provider

Control Plane Roaming LBS Roaming Meeting, Denver January 18, 2007

OPPORTUNITIES MNO REQUIREMENTS & 5G ROAMING · leading market intelligence and publications on Wholesale Roaming, IoT Roaming, 5G Roaming, IPX and Analytics & Fraud in Roaming. Research

SIP and VoIP - TU Berlin · 4 7 Example: simple SIP call (2.) Alice uses VoIP provider 1 (VP1) as proxy Bob uses VoIP provider 2 (VP2) as proxy Alice sends SIP URI to VP1 via TCP

International Roaming and Roaming Partnerships · How to apply to Roaming Revenue leakage Steering of Roaming What is steering Different steering solutions: SS Steering Sim Steering

ROAMING IS EXPENSIVE James 1:16.……..Warned of Roaming Mat.22:29……….Roaming from Bible James 5:19-20...Roaming from Truth Luke 15……………Roaming from Home

International Roaming

Alice Springs Town Council - Amazon Web Services · 2019-11-28 · • Alice Springs is strengthened as a regional service provider • A high standard of physical infrastructure

Page 1 Control Plane Roaming LBS Roaming Meeting, Denver January 18, 2007 Control Plane Roaming LBS Roaming Meeting, Denver January 18, 2007