Attacking NextGen Roaming Networks

Presented at Black Hat Europe 2017, Dec. 6, 2017, 10:15 a.m. (60 minutes)

The weaknesses of SS7 roaming networks are well known, but what about the Diameter interfaces that are coming up at the moment? Diameter is, and will be, used for the roaming connections of LTE/LTE-A mobile networks: a new architecture and a new implementation. Still, one thing remains the same: it is an AAA protocol designed for trusted environments, namely the roaming interconnection interfaces between providers.

As we know from the past, it is possible to get access to such networks: you can simply buy access if you spend enough money, and since the typical attackers in such environments are fraudsters or agencies, they definitely will. Therefore, securing these interfaces and assessing the infrastructure components and their configuration is very important.

In our talk, we will explain not only how Diameter-based networks work and which messages and functions exist, but also which of them can be abused by attackers. Typical attacks are information leaks about the environment, but also attacks against the authentication and encryption of customers. This information can be used for the interception of mobile data and calls, but also to establish new business models of fraud.

To demonstrate such attacks, we developed a testing framework covering information gathering, mobile phone tracking, denial-of-service attacks, payment fraud, and interception of data. The framework will be released during our talk and will enable providers and security companies to assess a telco's Diameter network configuration and demonstrate what can happen if no proper security measures are applied. We will also give an outlook on how a provider can protect against such attacks.


Presenters:

  • Hendrik Schmidt - Security Researcher, ERNW GmbH
    Hendrik Schmidt is a seasoned security researcher with a focus on telecommunication networks. He works at the Germany-based ERNW GmbH and has vast experience in large and complex enterprise networks. Over the years he has evaluated and reviewed all kinds of network protocols and applications. He loves to play with complex technologies and networks and has demonstrated several implementation and design flaws. In this context he learned how to play around with core and backhaul networks, and wrote protocol fuzzers and spoofers for testing implementations and security architectures. In his profession as a pentester, security researcher, and consultant, he will happily share his knowledge with the audience.
  • Daniel Mende - Security Researcher, ERNW GmbH
    Daniel Mende is a German security researcher with ERNW GmbH who specializes in network protocols and technologies. He is well known for his Layer 2 extensions of the SPIKE and Sulley fuzzing frameworks. He has also discussed new ways of building botnets and has presented on protocol security on many occasions, including Troopers, ShmooCon and Black Hat. He has written several tools for the assessment of telecommunication networks, such as ss7MAPer, Pytacle, GTP-Scan, Dizzy and APNBF.
