NGHLR SS7 stack software is not robust and suffers from Remote Denial of Service.
Impact: enables any person sending malicious SCCP traffic to the HLR to crash it. This exposes the whole international SS7 network, as HLRs always need to be globally reachable.
P1vid#148 - https://saas.p1sec.com/vulns/148

Reliability for telco
- Means the ability to cope with x million requests
- Not the ability to cope with malformed traffic
- NSN NGHLR remote Denial of Service caused by a fragile SS7 stack

GSM MAP primitive MAP_FORWARD_ACCESS_SIGNALLING enables RAN signaling injection
Severity: Medium
Description:
This GSM MAP MSU "MAP_FORWARD_ACCESS_SIGNALLING" forwards any content to the Radio Access Network (RAN).
Impact: external entities may send or spoof MAP_FORWARD_ACCESS_SIGNALLING MSUs to target MSC GTs and have the vulnerable MSCs inject this signaling into the radio network (typically RANAP).
P1vid#145 - https://saas.p1sec.com/vulns/145

Normal vs. spoofed: spoof and inject radio signaling as if it was coming from the radio network.
Fun: anti-forensics
- Same attack as VID#187
- Also crashes Ericsson traffic monitoring / log analysis / forensic tools (P1 VKB VID#213)
- Code sharing between enforcement and forensic tools
P1vid#213 - https://saas.p1sec.com/vulns/213

3G and LTE together

RAN EPC peer to peer
- Radio Access Network X2AP: eNodeBs peer to peer
- Translation: every base station can talk to every other
- Network attack surface increase: total spread into the RAN network
- Operator-wide L2 network: L2 attacks, less defense in depth, scanning only blocked by the size of the network
- Did GTP disappear? No. User data between eNBs: the LTE user plane

LTE RAN overview
[Figure: LTE RAN / EPC diagram. eNodeBs connected to each other over X2, to OSS-RC over Mul, and over S1 through a SeGW to the Evolved Packet Core (MME on S1 CP, SGW on S1 UP); X2, Mul and S1 typically share a common physical IP/Ethernet transport connection.]
Pwning OSS: L2 network mistakes always happen
- Can't catch it with multiple overlapping /8 networks: automate!
- From any eNodeB to the NMS
- From any eNodeB to any eNodeB
- You can bet on insecure provisioning
- American example & remote misconfiguration

eNodeB hardware attacks
- DUS (2G+3G+4G) & DUL (4G)
- Radio
- Local Ethernet ports (not TDM anymore)
- Uplink to DWDM / optical net
- Ericsson RBS 6602 hardware (in)security system

LTE: equipment attack surface increase
- Diameter (new): added surface, new code, maturity in question. Very few commercial fuzzers support it, and even fewer really trigger bugs in Diameter (depth problem).
- S1/X2AP (new): GTP + MAP functionality within two completely new protocols, with encapsulation of user traffic (Non-Access Stratum protocol). What could possibly go wrong?

Diameter audit/fuzzing problem

Auditor bias #1: open standards doesn't mean vision
- Diameter: nearly every parameter is optional
- Result: nobody knows what a valid combination is
- To test / fuzz / inject, a combinatorial explosion: sequence / dialogue / flow, AVP combination, AVP values, fuzzed parameter
- Even manufacturers don't know how to successfully instrument the Device Under Test
- Fuzzer support is not fuzzer successful triggering

Auditor bias #2: fuzzing is only as deep as the fuzzer goes
- And fuzzers never go deep enough
- Commercial fuzzer: 0 triggers / 1000 iterations
- Standard own fuzzer: 13 triggers / 1000 iterations
- Need target-specific development
- Customized own fuzzer: 85 triggers / 1000 iterations

LTE: new risk with Diameter
- Diameter information network dissemination
- Diameter awesomeness, distribution/centralization: its own evil side
- Present in many databases: HSS, SDM/SDR, CUDB
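The "nearly every parameter is optional" problem and the gap between fuzzer support and fuzzer triggering (auditor bias #1 and #2 above) are easier to see with a small harness. The following is an added example written for this page, not P1 Security's fuzzer or any vendor code: it encodes RFC 6733 messages and AVPs, enumerates every presence/M-bit state of the optional AVPs of a hypothetical S6a Update-Location-Request, and then applies AVP Length mutations to each variant against a strict decoder. Command code 316, application id 16777251 and the AVP codes are the real RFC 6733 / TS 29.272 values; AVP 9999 and all AVP contents are constructed for the example.

```python
"""Diameter AVP-combination fuzzing harness (added example, not P1 Security's tooling)."""
import itertools
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

MSG_HDR = 20   # version(1) length(3) flags(1) command(3) app-id(4) hop-by-hop(4) end-to-end(4)
AVP_HDR = 8    # code(4) flags(1) length(3); four more bytes of Vendor-Id when the V bit is set


@dataclass
class AVP:
    code: int
    data: bytes
    mandatory: bool = True           # M bit (0x40)
    vendor_id: Optional[int] = None  # sets the V bit (0x80) and adds the Vendor-Id field

    def encode(self) -> bytes:
        flags, vendor = (0x40 if self.mandatory else 0x00), b""
        if self.vendor_id is not None:
            flags, vendor = flags | 0x80, struct.pack("!I", self.vendor_id)
        length = AVP_HDR + len(vendor) + len(self.data)   # AVP Length excludes padding
        pad = b"\x00" * ((-len(self.data)) % 4)           # data padded to a 32-bit boundary
        return struct.pack("!IB", self.code, flags) + length.to_bytes(3, "big") + vendor + self.data + pad


def encode_message(command: int, app_id: int, avps: List[AVP], request: bool = True,
                   hop_by_hop: int = 0x1000, end_to_end: int = 0x2000) -> bytes:
    body = b"".join(a.encode() for a in avps)
    return (b"\x01" + (MSG_HDR + len(body)).to_bytes(3, "big") + bytes([0x80 if request else 0x00])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)


def decode_message(buf: bytes, known_avps: Dict[int, str]) -> Tuple[int, List[Tuple[int, int, bytes]]]:
    """Strict decoder: every length is checked against the buffer before use, and an
    unknown AVP carrying the M bit is rejected (RFC 6733 section 4.1)."""
    if len(buf) < MSG_HDR or buf[0] != 1:
        raise ValueError("bad Diameter header")
    msg_len = int.from_bytes(buf[1:4], "big")
    if msg_len != len(buf) or msg_len % 4:
        raise ValueError("message length mismatch")
    command, avps, pos = int.from_bytes(buf[5:8], "big"), [], MSG_HDR
    while pos < msg_len:
        if msg_len - pos < AVP_HDR:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[pos:pos + 5])
        avp_len = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = AVP_HDR + (4 if flags & 0x80 else 0)
        end = pos + avp_len + ((-avp_len) % 4)             # next AVP starts after the padding
        if avp_len < hdr or end > msg_len:
            raise ValueError(f"AVP {code}: bad length {avp_len}")
        if flags & 0x40 and code not in known_avps:
            raise ValueError(f"AVP {code}: unsupported mandatory AVP")
        avps.append((code, flags, buf[pos + hdr:pos + avp_len]))
        pos = end
    return command, avps


def avp_variants(mandatory: List[AVP], optional: List[AVP]) -> Iterator[List[AVP]]:
    """Every optional AVP is absent, present with M=0, or present with M=1:
    3**len(optional) messages for a single command, before any value fuzzing."""
    for states in itertools.product((None, False, True), repeat=len(optional)):
        avps = list(mandatory)
        for avp, state in zip(optional, states):
            if state is not None:
                avps.append(AVP(avp.code, avp.data, mandatory=state, vendor_id=avp.vendor_id))
        yield avps


def mutate_lengths(msg: bytes) -> List[bytes]:
    """The deeper mutations a target-specific fuzzer adds: each AVP Length field is
    overwritten with 0, a value shorter than the header, and the 24-bit maximum, while
    the message length stays consistent so the mutant reaches the AVP parser."""
    mutants, pos = [], MSG_HDR
    while pos + AVP_HDR <= len(msg):
        avp_len = int.from_bytes(msg[pos + 5:pos + 8], "big")
        if avp_len < AVP_HDR:
            break
        for bad in (0, AVP_HDR - 1, 0xFFFFFF):
            m = bytearray(msg)
            m[pos + 5:pos + 8] = bad.to_bytes(3, "big")
            mutants.append(bytes(m))
        pos += avp_len + ((-avp_len) % 4)
    return mutants


KNOWN_AVPS = {263: "Session-Id", 264: "Origin-Host", 296: "Origin-Realm",
              277: "Auth-Session-State", 258: "Auth-Application-Id", 282: "Route-Record"}


def run_campaign(known: Dict[int, str] = KNOWN_AVPS) -> Dict[str, int]:
    """Enumerate the ULR variants, then decode each one and each of its length mutants."""
    mandatory = [AVP(263, b"mme.example;1;1"), AVP(264, b"mme.example"), AVP(296, b"example")]
    optional = [AVP(277, struct.pack("!I", 1)),          # Auth-Session-State = NO_STATE_MAINTAINED
                AVP(258, struct.pack("!I", 16777251)),   # Auth-Application-Id = S6a
                AVP(282, b"dra.example"),                # Route-Record
                AVP(9999, b"\x01", vendor_id=10415)]     # hypothetical vendor AVP the decoder does not know
    stats = {"variants": 0, "rejected_variants": 0, "mutants": 0, "rejected_mutants": 0}
    for avps in avp_variants(mandatory, optional):
        msg = encode_message(316, 16777251, avps)         # 316 = Update-Location-Request
        stats["variants"] += 1
        try:
            decode_message(msg, known)
        except ValueError:
            stats["rejected_variants"] += 1              # only AVP 9999 with M=1 lands here
        for mutant in mutate_lengths(msg):
            stats["mutants"] += 1
            try:
                decode_message(mutant, known)
            except ValueError:
                stats["rejected_mutants"] += 1
    return stats


if __name__ == "__main__":
    print(run_campaign())
```

Four optional AVPs already give 81 structurally valid messages for one command, 27 of which a conforming peer must reject only because an unrecognised AVP carries the M bit, which is exactly the "which combination is valid?" ambiguity the slides describe. The length mutants are the kind of input that separates a fuzzer which merely supports Diameter from one that triggers parser bugs; a decoder that trusts the AVP Length field instead of checking it against the buffer is where the 0 vs. 85 triggers difference comes from.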
- The goal was to centralize; the result is one more database

LTE Huawei specific
- USN = SGSN + MME
- UGW = SeGW + SGW + PDN GW / PGW

Pwning LTE HSS: C++ SQL injection everywhere

Pwning LTE HSS methodology
- OSS is considered Core
- It is accessible by eNodeBs: sometimes through network filtering mistakes, often because it is allowed for provisioning
- OSS can connect to HSS
- HSS exports too many services
- Mux/tunnel kind of thinking: one port == many services

LTE EPC functional plane, no OAM
Add OAM: complexity explosion

Auditor bias #3: manual vision is always incomplete
- Need some automation: 200 APNs * 16 million IPs == need to have a dedicated scanner
- Each valid GTP tunnel is a new 16 million IPs to scan
- Address space explosion: you CANNOT do it manually, you CANNOT do it without specific scanners

Pwning MME: hardcoded encryption keys
- P1 VKB CVID#485: DES hardcoded keys everywhere
- Demo

Legacy PS interfaces of interest to LTE
- Gi: interface from GGSN to Internet
- Gn: interface between SGSN and other SGSN and (internal) GGSN
- Gp: interface between internal SGSN and external GGSN (GRX used here)

eDNS vs iDNS
- Leaks to Internet
- Passive DNSmon
- Leaks to GPRS, leaks to 3G data, leaks to LTE EPC

Legacy GPRS / UMTS GRX TLD / domain .gprs
- Quite monolithic: APN, RAI
- rai<RAI>.mnc08.mcc204.gprs
- Only APNs and some network elements

IMS DNS 3gppnetwork.org
- Supports and lists all network elements, LAC, RAC
- Examples: rac<RAC>.lac<LAC>.mnc08.mcc204.gprs

LTE EPC DNS
- Same as IMS DNS but extended
- Supports and lists most SAE EPC network elements: MME, SGW
- Examples: mmec<MMEC>.mmegi<MMEGI>.mme.epc.mnc99.mcc208.3gppnetwork.org
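The eDNS vs iDNS point above (operator-internal names leaking to the Internet) and the naming schemes of the three DNS generations are easier to work with in code. The following is an added example written for this page, not P1 Security's passive-DNS tooling: it builds the RAI, MME and TAI names from the templates quoted above, classifies observed query names back into PLMN and identifiers, and flags 3GPP names seen from an external vantage point. Templates follow TS 23.003 as quoted on the page; the identifier encoding (MNC zero-padded to three digits, 8-bit RAC/MMEC/TAC bytes as two hex digits, 16-bit LAC/MMEGI as four hex digits) is this example's reading of TS 23.003, and the log lines, vantage names and PLMN values are constructed.

```python
"""3GPP DNS naming: build, classify and spot leaked operator FQDNs (added example)."""
import re
from typing import Dict, List, Optional


def _plmn(mcc: int, mnc: int, domain: str) -> str:
    # Assumption from TS 23.003: MNC zero-padded to three digits (the page's
    # examples show the older two-digit form, which classify() also accepts).
    return f"mnc{mnc:03d}.mcc{mcc:03d}.{domain}"


def rai_fqdn(mcc: int, mnc: int, lac: int, rac: int) -> str:
    """Legacy GPRS/UMTS routing-area name under the GRX .gprs TLD."""
    return f"rac{rac:02x}.lac{lac:04x}." + _plmn(mcc, mnc, "gprs")


def mme_fqdn(mcc: int, mnc: int, mmegi: int, mmec: int) -> str:
    """EPC MME node name: mmec<MMEC>.mmegi<MMEGI>.mme.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"""
    return f"mmec{mmec:02x}.mmegi{mmegi:04x}.mme.epc." + _plmn(mcc, mnc, "3gppnetwork.org")


def tai_fqdn(mcc: int, mnc: int, tac: int) -> str:
    """Tracking-area name resolved to find the MMEs/SGWs serving a TAC."""
    return f"tac-lb{tac & 0xFF:02x}.tac-hb{tac >> 8:02x}.tac.epc." + _plmn(mcc, mnc, "3gppnetwork.org")


def enumerate_mme_names(mcc: int, mnc: int, mmegis: range, mmecs: range) -> List[str]:
    """Candidate names for an MME pool sweep: one lookup per (MMEGI, MMEC) pair."""
    return [mme_fqdn(mcc, mnc, gi, ec) for gi in mmegis for ec in mmecs]


_PLMN_EPC = r"mnc(?P<mnc>\d{2,3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org"
_PLMN_GPRS = r"mnc(?P<mnc>\d{2,3})\.mcc(?P<mcc>\d{3})\.gprs"
_PATTERNS = [  # order matters: the generic APN patterns come last
    ("rai", re.compile(rf"^rac(?P<rac>[0-9a-f]+)\.lac(?P<lac>[0-9a-f]+)\.{_PLMN_GPRS}$")),
    ("mme", re.compile(rf"^mmec(?P<mmec>[0-9a-f]+)\.mmegi(?P<mmegi>[0-9a-f]+)\.mme\.epc\.{_PLMN_EPC}$")),
    ("tai", re.compile(rf"^tac-lb(?P<lb>[0-9a-f]+)\.tac-hb(?P<hb>[0-9a-f]+)\.tac\.epc\.{_PLMN_EPC}$")),
    ("apn", re.compile(rf"^(?P<apn>[a-z0-9.-]+)\.apn\.epc\.{_PLMN_EPC}$")),
    ("apn-gprs", re.compile(rf"^(?P<apn>[a-z0-9.-]+)\.{_PLMN_GPRS}$")),
]


def classify(fqdn: str) -> Optional[Dict[str, str]]:
    """Return the name's kind, PLMN and identifiers, or None for a non-3GPP name."""
    name = fqdn.lower().rstrip(".")
    for kind, pattern in _PATTERNS:
        m = pattern.match(name)
        if m:
            info = dict(m.groupdict())
            info["mnc"] = info["mnc"].zfill(3)   # two-digit legacy MNCs normalised to three digits
            info["kind"] = kind
            return info
    return None


# Constructed passive-DNS observations: "<vantage> <qname>". 3GPP-internal names are
# served by the GRX/IPX DNS; the same names seen at a public resolver are a leak.
SAMPLE_LOG = """
grx-dns         mmec01.mmegi8001.mme.epc.mnc099.mcc208.3gppnetwork.org
public-resolver tac-lb2a.tac-hb01.tac.epc.mnc099.mcc208.3gppnetwork.org
public-resolver www.example.org
public-resolver rac01.lac1f40.mnc08.mcc204.gprs
public-resolver internet.mnc08.mcc204.gprs
"""


def leaked_names(log: str, external_vantage: str = "public-resolver") -> List[Dict[str, str]]:
    """3GPP names that were queried from the external vantage point."""
    leaks = []
    for line in log.strip().splitlines():
        vantage, qname = line.split()
        info = classify(qname)
        if info and vantage == external_vantage:
            info["qname"] = qname
            leaks.append(info)
    return leaks


if __name__ == "__main__":
    for leak in leaked_names(SAMPLE_LOG):
        print(leak["kind"], leak["mcc"], leak["mnc"], leak["qname"])
```

Running it on the constructed log flags the tracking-area, routing-area and legacy APN names queried at the public resolver and ignores the MME name that only ever appeared on the GRX DNS. The same classifier, fed the names produced by enumerate_mme_names() for an operator's MCC/MNC, is the dedicated-scanner side of the argument: the MME and TAI namespaces are small enough to sweep exhaustively once the template is known.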
Pwning from LTE mobile infrastructure
- Reverse path protection
- LTE mobile data access
- RFC1918 leaks (sometimes)
- Datacom IP infrastructure access (now more often)
- NAT / CGNAT

Pwning from external: direct MME access from Internet
- Pwning from external without any reverse path trick
- Shodan doesn't work on these
- MME attack surface exposed
- NAT / CGNAT

Auditor bias #4: testbed is always more secure
- Testbed is more secure than production: legacy impact, scalability impact
- There's always something more on the prod network
- Audit is often only permitted in the testbed: liability, potential for Denial of Service
- Result: attacker's advantage, production goes untested

Technical capacity & knowledge issue
- Who can audit all new LTE protocols and legacy protocols?
- Has expertise on the architectures & vendors' equipment
- Guarantee scanning quality: coverage on all protocols & architectures (CSFB, IMS, Hybrid, SCharge)
- Cover all perimeters and accesses: APNs, GRX & IPX accesses
- Split DNS, user plane and control plane

Conclusion
- LTE is supposed to be built with security
- Difference between standardization and real security
- Network Equipment vendors are still lagging
- Opening up of the technology. Good: deeper independent security research
- Operators still disinformed by vendors
- Security through obscurity in 2013! Unbelievable!
- Some are getting proactive