Reversing HLR, HSS and SPR: rooting the heart of the Network and Mobile cores from Huawei to Ericsson

Presented at REcon 2013, June 21, 2013, 4 p.m. (60 minutes)

The HLR was the holy grail. We've shown previously how we could crash it (SCCP and MAP fuzzing) or root it (OAM and proprietary protocol vulnerabilities). This critical infrastructure component has mutated into the HSS and then into the Subscriber Profile Registry (SPR). It is now an all-encompassing database, accessed from LTE as well as from 2G and 3G legacy networks, and now also serving as a fixed-network database. We will see how all these databases can be reversed and which kinds of vulnerabilities can be found and exploited in this software. The same approach also applies to many other critical equipment such as the GGSN, (e)NodeB, STP, DRA, etc. We will also see how the concentration of network software at these manufacturers means that one single reverse-engineering effort or vulnerability can target many different pieces of equipment, such as the WASN, LTE SAE PDN GW and GGSN.

Presenters:

  • Philippe Langlois
  • Philippe Langlois
    Philippe Langlois is an entrepreneur and leading security researcher, expert in the domain of telecom and network security. He has founded internationally recognized security companies (Qualys, WaveSecurity, INTRINsec, P1 Security) as well as led technical, development and research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company, Intrinsec, in 1995 in France. His first business, Worldnet, France's first public Internet service provider, was founded in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB, Hack.lu). He was previously a professor at Ecole de Guerre Economique and various universities in France (Amiens, Marne La Vallée) and internationally (FUSR-U, EERCI, ANRSI). He is a FUSR-U collaborator and founding member. Philippe advises industry associations (GSM Association Security Group, several national organizations) and governmental officials, and contributes to Critical Infrastructure advisory committees and conferences in telecom and network security. Today, through P1 Security, Philippe provides the first Core Network Telecom Signaling security scanner and auditor, which helps telecom companies, operators and governments analyze where and how their critical telecom network infrastructure can be attacked.
He can be reached through his website at: p1security. Philippe has previously presented at the following security/hacking conferences: Hack.lu, Hack in the Box (HITB, Amsterdam, Dubai, Kuala Lumpur), Blackhat, Hackito Ergo Sum (Paris, France), SOURCE, Chaos Communication Congress (Berlin, Germany), ekoparty (Buenos Aires, Argentina), H2HC (Sao Paulo, Brazil), SYSCAN (Hong Kong; Thailand), Bellua (Jakarta, Indonesia), INT (Mauritius), Interop (France), Rubicon (USA)...
