www.iansresearch.com ©2014 IANS
Cellular Network Attacks: What the latest vulnerabilities mean for businesses and individuals
Aaron Turner – CEO, IntegriCell; IANS Research Faculty
At a Glance
Every network humans have constructed has vulnerabilities
Why should cellular networks be any different?
The base station problem
Localized attacks with significant impacts
The SS7 problem
Global attacks with enormous consequences
How MDM/EMM/MAM are essentially useless playthings when it comes to these vulnerabilities
We’ve got a lot of work to do
Cellular network architecture overview
[Diagram: Operator 1, Operator 2 and Operator 3 connected through the SS7 Network]
A quick cellular network lesson
BTS – Base Transceiver Station
A ‘cell tower’, the point where the cellular network moves from fiber to RF
HLR – Home Location Register
The ‘billing database’ for non-roaming users – what services you’re entitled to
VLR – Visitor Location Register
The ‘billing database’ for roaming users – what services the home operator tells the roaming operator it can offer
SS7 – Signaling System #7
Packet-like network, relies on SIGTRAN (IETF protocol) to transmit messages between Operators
MSC – Mobile Switching Center
Handles the functions of cell-handoff, SS7 interchange (for cell-to-landline calls), SMS services, voice conferencing and billing/charging
Remember when…
We used to create passive network sniffers?
Just a matter of double-connecting the TX and RX pairs
In the OSI Model – a ‘Physical’ layer attack
Back to the Future
Imagine cellular RF signals as the new physical attack layer
As copper was to Cat 5 cable, RF is to cellular
Unfortunately…
Cell phones do not have the integrity controls to assure connection to authorized BTSs
Most cellular subscribers have no idea what the state of their network connection is
What does this mean?
Your cell phone will gladly connect to any BTS that says it wants to talk to it
The BTS instructs the phone what level of protection the communications must have
Weak or no encryption? Sure thing!
The BTS can terminate, capture, replay or otherwise manipulate anything flowing through the BTS
Yes, even if the BTS is not owned by the authorized operator, an attacker can capture all of the traffic
Voice, SMS & Data
False BTS Scenario
Theory: Attackers would put their BTS in a cargo van, drive around the attack target and stay mobile
Reality: Attackers are placing their BTS inside of the building, and conducting persistent attacks
What data can be stolen?
London: Media company’s offices targeted for pre-market access to financial information
Earnings report ‘heads up’ SMS sent to financial reporter
Financial reporter’s service intercepted
Attacker able to gain an advantage in commodities or equities
US: Engineering facilities targeted for product development information
Rapid prototyping teams rely more on their mobile devices than IT infrastructure
Attackers able to gather product development details & scheduling information
Washington DC Findings
15 total areas of interest in DC
Over 40 alerts in those areas
4 research devices
Bay Area Findings
5 total areas of interest
Over 30 firewall alerts
3 research devices
2 networks
2 locations where full intercept capabilities were underway
BTS Vulnerabilities Bottom Line
Cellular network communications can be easily intercepted
Intercept is a localized attack
Limited to a particular area, based on the strength of the false BTS’s signal
Not necessarily scalable for large-scale attacks
Intercept can be universal or targeted
All devices in a particular area, or interceptors can ‘shed’ non-targeted devices and only focus on those of interest
What controls exist?
Baseband firewalls are the best option for false BTS awareness
Beware of software-only offerings: true promiscuous-mode monitoring requires kernel- and driver-level modification of cellular radios
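What the ‘false BTS awareness’ of a baseband firewall can look like as logic, as an added example that is not from this deck or from any vendor’s product: a few heuristics applied to the radio parameters a kernel-level monitor could expose for the serving cell. The allow-list of known cells, the sample observations and the indicators chosen (unknown cell identity, a signal far stronger than the cell’s baseline, cipher downgraded to A5/0, no neighbour list advertised) are assumptions made for illustration, not measurements from the research described above.

```python
"""Heuristics for flagging suspicious base stations from a phone's own
radio observations. Added illustration; not IntegriCell's or IANS's code.

Each observation is what a baseband-level monitor could report for the
serving cell: operator codes, cell identity, cipher in use, signal
strength and the neighbour list. The known-cell table and the
observations below are constructed sample data, not real network values."""

from dataclasses import dataclass

# Constructed allow-list: cells the operator is known to run at this site,
# keyed by (MCC, MNC, LAC, CID) with the typical RSSI (dBm) seen there.
# A baseband firewall would build this from prior benign observations or an
# operator-supplied list.
KNOWN_CELLS = {
    ("310", "410", 1001, 42001): -75,
    ("310", "410", 1001, 42002): -82,
}

# Ciphers that give no confidentiality on the air interface.
WEAK_CIPHERS = {"A5/0", "none"}

# How much louder than its baseline a known cell may be before we worry.
RSSI_MARGIN_DB = 20


@dataclass
class CellObservation:
    mcc: str
    mnc: str
    lac: int
    cid: int
    cipher: str            # e.g. "A5/1", "A5/3", "A5/0"
    rssi_dbm: int
    neighbour_count: int   # neighbour cells advertised by the serving cell


def assess_cell(obs, known=KNOWN_CELLS):
    """Return the reasons this serving cell looks like a false BTS.
    An empty list means nothing suspicious was seen."""
    reasons = []
    key = (obs.mcc, obs.mnc, obs.lac, obs.cid)
    if key not in known:
        reasons.append("unknown cell identity for this operator/location")
    elif obs.rssi_dbm > known[key] + RSSI_MARGIN_DB:
        # A transmitter close by tends to be far stronger than the real
        # cell ever was at this spot.
        reasons.append("signal much stronger than the cell's baseline")
    if obs.cipher in WEAK_CIPHERS:
        reasons.append(f"encryption downgraded to {obs.cipher}")
    if obs.neighbour_count == 0:
        # Real cells advertise neighbours for handoff; a lone cell with no
        # neighbour list keeps the phone from leaving it.
        reasons.append("serving cell advertises no neighbours")
    return reasons


def scan(observations, known=KNOWN_CELLS):
    """Return {index: reasons} for every observation that tripped a rule."""
    alerts = {}
    for i, obs in enumerate(observations):
        reasons = assess_cell(obs, known)
        if reasons:
            alerts[i] = reasons
    return alerts


# Constructed observations: two readings of a normal cell, then a much
# stronger unknown cell that also switches the cipher off and offers no
# neighbours.
SAMPLE = [
    CellObservation("310", "410", 1001, 42001, "A5/3", -76, 6),
    CellObservation("310", "410", 1001, 42001, "A5/3", -74, 6),
    CellObservation("310", "410", 1001, 58888, "A5/0", -41, 0),
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE).items():
        print(f"observation {idx}: " + "; ".join(why))
```

None of these indicators is conclusive on its own (a new legitimate cell is also ‘unknown’ the first time it is seen), which is why the function returns every reason it found rather than a single verdict; the combination of an unknown identity, a cipher downgrade and an empty neighbour list is what an operator would want raised for a look.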
What’s this SS7 thing?
SS7 is like DNS and SMTP rolled into one system
Allows carriers to perform lookups on subscribers’ status AND
Allows carriers to deliver content to each other on subscriber activity
What could possibly go wrong?
SS7 high-profile examples:
Number portability
SMS one-time-use codes
Subscriber geolocation (criminal investigation, etc.)
SS7 – Vulnerabilities Overview
Every network operator has SS7 nodes which they have configured as Service Control Points (SCP) and Signaling Gateways (SG)
Perimeter-based protections & controls
Have security perimeters failed in the past?
What attacks can be run today?
International Roaming Fraud
SIM vendor in country X sells an ‘unlimited roaming’ SIM for country Y
SIM vendor colludes with attackers to toggle the SIM from post-paid to pre-paid and back again
Essentially allows for a free month of roaming
SIM vendor profits, operator in country loses revenues
Bad news for operators… what about for enterprises?
Subscriber Tracking & Information Disclosure
What if I wanted to track your company’s executives in real time?
Use the information for potential deal-making intelligence
M&A opportunities, etc.
Operators say, “Can’t happen!”
[Diagram: a request arriving over the SS7 interconnect is blocked (X) before it reaches the HLR and VLR/MSC]
But, the perimeter fails…
Just like with perimeters of the past, they can be bypassed
[Diagram: the same request passes over the SS7 interconnect through to the HLR and VLR/MSC]
VLR Query Example
Even if the HLR filters requests, most of the time the VLR is vulnerable
Operators have hardened their SGs and HLRs but not their VLRs
IMEI and subscriber state (currently in a phone call or not?) can be requested
SMS Intercept
Electronic banking & SMS MFA fraud, made possible by forced re-routing of authentication SMS messages and/or calls to the attacker
[Diagram: attacker on the SS7 interconnect, HLR, VLR/MSC, SMSC and subscriber A; steps 1–4 as below]
1. Attacker tells HLR that subscriber A is now logged on to his “network” (updateLocation)
2. Bank sends text message with mTAN to subscriber A
3. SMSC gets referred to attacker’s “VLR” as destination by HLR (sendRoutingInfoForSM)
4. SMS is delivered to attacker (mt-ForwardSM)
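The four-step exchange above, seen from the home operator’s side, is a sequence a signalling monitor can correlate: an updateLocation for one of its own subscribers from a network it has no roaming relationship with, followed shortly by an mt-ForwardSM delivery to that same network. The following is an added detection example, not IANS or IntegriCell code; the log line format, the trusted partner list, the global titles and the sample lines are all constructed for illustration.

```python
"""Correlation rule for the SMS-intercept sequence on this slide:
updateLocation from an unexpected network, the HLR's sendRoutingInfoForSM
referral, then mt-ForwardSM delivery to that network. Added example, not
IANS or IntegriCell code; the log format, the trusted partner list and the
sample lines are all constructed."""

import re
from datetime import datetime, timedelta

# Global titles (signalling addresses) of roaming partners from which an
# updateLocation for our own subscribers is expected. Constructed values.
TRUSTED_PARTNER_GTS = {"4479000001", "4917000002"}

# Constructed log line shape, one MAP transaction per line:
#   <iso timestamp> map=<operation> imsi=<imsi> peer_gt=<remote GT> dir=in|out
# peer_gt is the remote signalling address: the sender for incoming requests,
# the destination for outgoing deliveries.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) map=(?P<op>[\w-]+) imsi=(?P<imsi>\d+) "
    r"peer_gt=(?P<gt>\d+) dir=(?P<dir>in|out)$"
)

WINDOW = timedelta(minutes=10)   # how long after the registration we watch


def parse(line):
    """Turn one constructed log line into a dict with a datetime timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable signalling line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_sms_intercept(lines, trusted=TRUSTED_PARTNER_GTS, window=WINDOW):
    """Return one alert per subscriber whose location was updated from an
    untrusted GT and who then had an SMS delivered (mt-ForwardSM) to that
    same GT within `window`. The routing referral is recorded when seen."""
    pending = {}   # imsi -> {"ul": registration record, "referred": bool}
    alerts = []
    for rec in map(parse, lines):
        imsi, op = rec["imsi"], rec["op"]
        if op == "updateLocation" and rec["dir"] == "in":
            if rec["gt"] in trusted:
                pending.pop(imsi, None)      # legitimate roaming registration
            else:
                pending[imsi] = {"ul": rec, "referred": False}
            continue
        p = pending.get(imsi)
        if p is None or rec["ts"] - p["ul"]["ts"] > window:
            continue
        if op == "sendRoutingInfoForSM":
            p["referred"] = True             # the SMSC asked the HLR where A is
        elif (op == "mt-ForwardSM" and rec["dir"] == "out"
              and rec["gt"] == p["ul"]["gt"]):
            alerts.append({
                "imsi": imsi,
                "rogue_gt": p["ul"]["gt"],
                "registered_at": p["ul"]["ts"].isoformat(),
                "routing_query_seen": p["referred"],
                "sms_delivered_at": rec["ts"].isoformat(),
            })
            pending.pop(imsi)
    return alerts


# Constructed sample: subscriber ...001 roams normally with a trusted partner;
# subscriber ...002 is registered by an unknown GT and then has its SMS
# delivered there.
SAMPLE_LINES = [
    "2014-09-01T09:00:00 map=updateLocation imsi=310410000000001 peer_gt=4479000001 dir=in",
    "2014-09-01T09:05:00 map=mt-ForwardSM imsi=310410000000001 peer_gt=4479000001 dir=out",
    "2014-09-01T10:12:00 map=updateLocation imsi=310410000000002 peer_gt=9990000099 dir=in",
    "2014-09-01T10:12:40 map=sendRoutingInfoForSM imsi=310410000000002 peer_gt=3105550000 dir=in",
    "2014-09-01T10:12:41 map=mt-ForwardSM imsi=310410000000002 peer_gt=9990000099 dir=out",
]

if __name__ == "__main__":
    for alert in detect_sms_intercept(SAMPLE_LINES):
        print(alert)
```

The rule keys on the pairing of registration source and delivery destination rather than on sendRoutingInfoForSM alone, because that query is also how every legitimate SMS finds the subscriber; the referral is kept in the alert only as supporting evidence.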
Root cause analysis
Attackers are likely exploiting common cybersecurity vulnerabilities to gain access to SS7 interconnects
As long as the attacker does not get too greedy or send too many commands through the roaming partner’s SS7 interconnect, it is very difficult to detect these types of attacks
Attack surface is surprisingly large: 800 operators in 220 countries (http://www.gsma.com/membership/who-are-our-gsma-members/full-membership/)
1. Attacker identifies vulnerable international roaming partner and runs APT-style operation
2. Exploited SS7 interconnect then used to send commands to target
3. Attacker exploits target SS7 network for fraud or information gathering
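An added example for the detection problem this slide raises (not IANS or IntegriCell code): an attacker who keeps command volume low never trips a per-interconnect threshold, but each updateLocation can still be judged on its own by asking whether the subscriber could plausibly have reached the claimed network since their previous registration. The GT-to-country mapping, the minimum transit times and the registration events are constructed for illustration.

```python
"""Low-volume SS7 abuse detection by implausible travel. Added example, not
IANS or IntegriCell code; the GT-to-country map, the transit times and the
events below are constructed."""

from datetime import datetime, timedelta

# Which country a visited-network global title belongs to (constructed).
GT_COUNTRY = {
    "3104100001": "US",   # home network VLR
    "4479000001": "GB",
    "4917000002": "DE",
}

# Minimum plausible time (hours) to show up registered in a second country
# after being registered in the first. Constructed figures; pairs not listed
# (including any unmapped GT) fall back to DEFAULT_MIN_TRANSIT.
MIN_TRANSIT_HOURS = {
    frozenset({"US", "GB"}): 6,
    frozenset({"US", "DE"}): 7,
    frozenset({"GB", "DE"}): 1,
}
DEFAULT_MIN_TRANSIT = timedelta(hours=3)


def country_of(gt):
    """Country for a global title; unmapped GTs get a marker of their own."""
    return GT_COUNTRY.get(gt, "unmapped:" + gt)


def plausible(prev, new):
    """True if a registration `new` (ts, gt) could follow `prev` (ts, gt)."""
    c_prev, c_new = country_of(prev[1]), country_of(new[1])
    if c_prev == c_new:
        return True
    hours = MIN_TRANSIT_HOURS.get(frozenset({c_prev, c_new}))
    needed = timedelta(hours=hours) if hours is not None else DEFAULT_MIN_TRANSIT
    return new[0] - prev[0] >= needed


def audit_registrations(events):
    """events: (iso_ts, imsi, vlr_gt) updateLocation records, in time order
    for each subscriber. Returns (imsi, gt, reason) for every registration
    that implies impossible travel since the subscriber's previous one."""
    last = {}
    alerts = []
    for iso, imsi, gt in events:
        cur = (datetime.fromisoformat(iso), gt)
        if imsi in last and not plausible(last[imsi], cur):
            elapsed = cur[0] - last[imsi][0]
            alerts.append((imsi, gt,
                           f"impossible travel from {country_of(last[imsi][1])} "
                           f"to {country_of(gt)} in {elapsed}"))
        last[imsi] = cur
    return alerts


# Constructed registration events.
SAMPLE_EVENTS = [
    ("2014-09-01T08:00:00", "310410000000001", "3104100001"),  # at home
    ("2014-09-01T16:00:00", "310410000000001", "4479000001"),  # US->GB, 8 h: fine
    ("2014-09-01T17:30:00", "310410000000001", "4917000002"),  # GB->DE, 1.5 h: fine
    ("2014-09-01T10:00:00", "310410000000002", "3104100001"),  # at home
    ("2014-09-01T10:30:00", "310410000000002", "4479000001"),  # US->GB in 30 min: alert
    ("2014-09-01T11:00:00", "310410000000003", "3104100001"),  # at home
    ("2014-09-01T11:30:00", "310410000000003", "5550000005"),  # unmapped GT, 30 min: alert
]

if __name__ == "__main__":
    for imsi, gt, reason in audit_registrations(SAMPLE_EVENTS):
        print(imsi, gt, reason)
```

A single alert of this kind is enough to start looking at the interconnect it came from, which is the point: the check is per registration, so an attacker who sends one command a day is as visible as one who sends a thousand.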
Cellular Network Vulnerabilities: The Bottom Line
BTS Vulns:
Enterprises are left with very little control
Deploy baseband firewalls and monitor
SS7 Vulns:
Shift away from SMS-driven authentication
Train executives to leave primary phones behind on sensitive trips
Vendors like Payfone are going to be in a rough situation
Questions & Comments?
Aaron Turner
Or – connect with me on LinkedIn
https://www.linkedin.com/in/aaronrturner