Cyber Security Threats To Telecom Networks
Rosalia D’Alessandro
Hardik Mehta
Loay Abdelrazek
Press Release: some highlights
Cyber Security Threats to Telecom Networks - Rosalia D’Alessandro, Hardik Mehta and Loay Abdelrazek 2
Telecom Architecture Overview
[Figure: telecom architecture diagram. Access network: ENodeB (4G), OLT (FTTH). Core network: MME, HSS, PCRF, SGW, PGW, IMS, SBC, CDN, Transcoder, Streaming Server, Content DRM, CRBT. External connections: Internet, other data networks, MVNO, IPX, GRX, OLO.]
Possible Entry Points
[Figure: telecom architecture diagram marking possible entry points. Access network: ENodeB (4G), NodeB and RNC (3G), OLT (FTTH). Core network: MME, HSS, PCRF, SGW, PGW, SGSN, GGSN, HLR, MSC/VLR, IMS, SBC, CDN, Transcoder, Streaming Server, Content DRM, CRBT. External connections: Internet, other data networks, MVNO, IPX, GRX, OLO.]
Attack Vectors
Mobile Stations (3G/4G):
• Enumeration and exploitation of internal core network nodes
• Sending crafted SIP messages to perform tasks like Caller ID spoofing
• Identifying nodes running signaling stacks (e.g. SIGTRAN stack) and sending malicious signaling traffic using Sigploit

Internet:
• Compromise web applications deployed in DMZ
• Exploitation of internal network components possible if there is lack of segregation between DMZ and core network
• Possible to connect with network nodes (e.g. PGW/GGSN or SGSN) exposed on the public domain
• Sending crafted SIP messages to SBCs exposed on the public domain

Fiber to The Home (FTTH):
• Enumeration and exploitation of internal core network nodes
• VLAN hopping possible between VoIP, IPTV and Data
• Using VoIP, crafted SIP messages can be sent to perform SIP attacks like DoS
• Using IPTV, send crafted IGMP messages to subscribe unbilled channels

Roaming interfaces:
• Using SS7, perform HLR lookup to get subscriber information like IMSI and serving MSC
• Using GTP, identify active tunnel session and hijack the session
• Using SS7/Diameter, perform attacks leading to fraud like over-billing
• Using SS7/Diameter, perform interception attacks like SMS and Call
Attack Vectors
[Figure: telecom architecture diagram (access network and core network, 3G and 4G nodes, IMS, FTTH, IPX, GRX, MVNO, OLO) with the annotation "Roaming in Pakistan".]
Attack Vectors
[Figure: telecom architecture diagram showing ENodeB (4G), SGW, PGW, PCRF, IMS, OLT (FTTH), SBC, CDN, Transcoder, Streaming Server, Content DRM, with connections to other data networks, MVNO, IPX, GRX, OLO.]
Attack Scenario
‐ Internal network enumeration resulted in the identification of a node that is part of the VAS networks: the CRBT.
‐ The Caller Ring Back Tone (CRBT) node connects to the HLR and MSC; it enables customers to subscribe to personalized audio in place of the regular tone.
‐ Due to a lack of basic security controls, it was possible to gain root access to the node from the subscriber network segment.
Attack Scenario
‐ The compromised node is connected to the core.
‐ It is then possible to use the node to initiate other core-related attacks (i.e. using protocol vulnerabilities like SS7, Diameter or GTP).
‐ Using a global title scanner, we can gather more info about the SS7 core.
Attack Scenario
‐ HLR(s) are identified.
‐ Query the HLR(s) to retrieve the IMSI.
‐ IMSI is the key to any mobile operation.
[Figure: message flow with participants Attacker, HLR and MSC. Request: SendRoutingInfoForSM Req. (MSISDN, HLR GT). Response: SendRoutingInfoForSM Resp. (IMSI, VMSC GT).]
Attack Scenario
‐ Internet at the expense of others.
Attack Demonstration
Basic Best Practices to Reduce Attack Exposure
• Implement network traffic segregation
  • Bind services to correct network interfaces
  • Limit the reachability of internal nodes from UEs
  • Limit the reachability of network nodes from Internet by correctly configuring routing protocols
• Deploy secure configuration of network nodes
  • Secure configuration of all network services;
  • Disabling of insecure and unneeded network services;
  • Changing of default passwords;
  • Hardening;
  • Configuration and enabling of authentication and access control;
  • Logging of all access attempts and other security-relevant events;
  • Configuration of the network node to not disclose unnecessary information;
  • Continuous deployment of the latest security patches;
  • Security testing and regular vulnerability scanning.
• Implement traffic filtering policies at the boundaries
  • Basic IP Filtering
  • Signaling FW
• Monitor network traffic to discover anomalies
  • Deploy a Security Signaling Monitoring (Intrusion Detection System / IDS)
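
One way to apply the "Signaling FW" and "Monitor network traffic to discover anomalies" practices to the attack scenario above, as an added example that is not part of the original slides: it flags SendRoutingInfoForSM requests from sources that are not known SMSCs, and sources that probe many global titles in a short time. The event tuple layout, all GT values, the allowlist and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed policy (hypothetical values, not from the slides).
ALLOWED_SRI_SM_SOURCES = {"99900010", "88800030"}  # home and partner SMSC GTs
SCAN_THRESHOLD = 5      # distinct called GTs from one source ...
WINDOW_SECONDS = 60     # ... within this many seconds counts as a GT scan

# Constructed events: (epoch seconds, MAP operation, calling GT, called GT).
SAMPLE_EVENTS = [
    (0, "SendRoutingInfoForSM", "99900010", "99900001"),    # home SMSC -> HLR
    (5, "UpdateLocation", "88800020", "99900001"),          # partner VLR -> HLR
    (200, "SendRoutingInfoForSM", "77700099", "99900001"),  # unknown source
] + [
    # A VAS node GT walking through consecutive GTs, one per second.
    (10 + i, "SendRoutingInfoForSM", "99900077", f"9990000{i}")
    for i in range(1, 7)
]


def detect(events):
    """Return {calling GT: set of finding names} for suspicious sources."""
    findings = defaultdict(set)
    recent = defaultdict(list)  # calling GT -> [(timestamp, called GT)]
    for ts, op, calling, called in sorted(events):
        # Only known SMSCs have a reason to ask an HLR for SMS routing info;
        # the response discloses the IMSI and the serving MSC GT.
        if op == "SendRoutingInfoForSM" and calling not in ALLOWED_SRI_SM_SOURCES:
            findings[calling].add("unauthorised-sri-sm")
        # Sliding window of destinations contacted by this source.
        window = [(t, c) for t, c in recent[calling] if ts - t <= WINDOW_SECONDS]
        window.append((ts, called))
        recent[calling] = window
        if len({c for _, c in window}) >= SCAN_THRESHOLD:
            findings[calling].add("gt-scan")
    return dict(findings)


if __name__ == "__main__":
    for gt, reasons in sorted(detect(SAMPLE_EVENTS).items()):
        print(gt, sorted(reasons))
```

The same allowlist check applies to internal sources: the compromised VAS node in the scenario is inside the operator's network, so filtering only at the roaming boundary would not catch it.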
Thank You