day1_Hacking-telco-equipment-The-HLR-HSS-Laurent-Ghigonis-p1sec

More documents

Recommendations

Info

Fuzzing SS7: MAP • Example results: 1 specific MSU causes MAP process crashes – 5 MSU/second makes <strong>HLR</strong> totally unresponsive to any other MAP Query • Total Denial of Service of the network • Nobody can receive calls in the whole country – 1 MSU/second makes <strong>HLR</strong> totally drop 50% of other MAP Queries • Network is highly perturbed • 50% of the called in the whole country are failing 2014, Hackito Ergo Sum - Security Conference
Fuzzing Diameter • Process Crash with 1 specific manually crafted MSU Logs do not even report process crash. Neither the OSS Alerts. Application logs: Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx UTC Tue Sep 3 01:20:44 2013 Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx Behind that, process core dumps are created… 2014, Hackito Ergo Sum - Security Conference
Page 1 and 2: Hacking Telco equipment The HLR/HSS
Page 3 and 4: Mobile Operators • Conveys the ma
Page 5 and 6: Mobile Operators and governance •
Page 7 and 8: HLR/HSS in Mobile Core Network 2014
Page 9 and 10: HLR/HSS in Mobile Core Network 2014
Page 11 and 12: HLR/HSS in Mobile Core Network HLR/
Page 13 and 14: 2014, Hackito Ergo Sum - Security C
Page 15 and 16: HLR/HSS Virtualization No, it’s n
Page 17 and 18: An HLR/HSS is an ecosystem • HLR
Page 19 and 20: Where to start • Most exposed fro
Page 21 and 22: Virtualization of HLR/HSS Frontend
Page 23 and 24: Qemu/KVM • Faster than VirtualBox
Page 25 and 26: Qemu/KVM • Solaris 10 - Qemu/KVM
Page 27 and 28: System Analysis 2014, Hackito Ergo
Page 29 and 30: The filesystem • ZFS offers good
Page 31 and 32: Some packages installed application
Page 33 and 34: Local roots • Of course, we often
Page 35 and 36: Example of Telco network stack: NSN
Page 37 and 38: Fuzzing SS7: M3UA • Example: Floo
Page 39: Fuzzing SS7: SCCP 2014, Hackito Erg
Page 43 and 44: Binaries reverse 2014, Hackito Ergo
Page 45 and 46: Signalware Kernel modules • Examp
Page 47 and 48: Signalware userland binaries • Pa
Page 49 and 50: • Misconceptions! So verdict ? -
Page 51 and 52: Consequences • Mobile Network cra
Page 53 and 54: Recommendations: securing the OS
Page 55 and 56: To be continued • Telecom Network
Page 57 and 58: References Governance literature on

day1_Hacking-telco-equipment-The-HLR-HSS-Laurent-Ghigonis-p1sec

Create successful ePaper yourself

Delete template?

Save as template?