Transcription

Hacking Telco equipment: The HLR/HSS
Laurent Ghigonis, Security researcher at P1 Security
Hacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security, 2014, Hackito Ergo Sum - Security Conference

What are we talking about?
[Figures: A mobile network operator Core Network; Network passive capture showing Global Titles]

Mobile Operators
- Convey the majority of voice communications worldwide
- Convey our data
- Convey growing M2M traffic
- Emergency system notifications use them
- We now rely on them and we have some security expectations

Mobile Operators and governance: In Europe

Mobile Operators and governance: In France
Let's check the reality

The Witness: An HLR/HSS
[Diagram: Typical HLR/HSS in use in operator Core Network. Components: AuC HSM, HLR Front End, HSS Front End, Provisioning DSA, Routing DSA, Install Server, Admin, Provisioning Gateway, 3 Back Ends]

HLR/HSS in Mobile Core Network
[Figures: A mobile network operator Core Network; Network passive capture showing Global Titles]

HLR/HSS in Mobile Core Network

HLR/HSS in Mobile Core Network
- HLR is used in all 2G operator networks
- HSS is used in all 3G/4G operator networks
- Stores customer data
  – Subscriber identifier (IMSI)
  – Subscriber encryption keys
  – Subscriber approximate location
  – Subscriber SIM plan options
- Critical to the operator
  – HLR down = network down, no calls possible

HLR/HSS in Mobile Core Network
[Figure: HLR/HSS receiving subscriber location update from the operator SS7/Diameter signaling links]

Let's make it talk

Plan: HLR/HSS robustness assessment
- Virtualization
  – Virtualization and instrumentation
- System analysis
  – Local root, framework complexity
- Network fuzzing
  – SS7 protocols
- Binaries reverse
  – More vulns

HLR/HSS Virtualization
No, it's not ATCA / NFV

An HLR/HSS is an ecosystem

An HLR/HSS is an ecosystem
- HLR / HSS Front-end
- HLR Administration server
- Application/Database routing servers
- HLR Backend/Database (multiple)
- HSM (Hardware Security Module) for keys

HLR/HSS is never alone

Where to start
- Most exposed from the outside: the HLR/HSS Front-end
  – Receives SS7/Diameter traffic: Telecom network stacks
  – Receives provisioning requests
  – Connected to the HSM

Where to start
[Diagram: Typical HLR/HSS in use in operator Core Network. Components: AuC HSM, HLR Front End, HSS Front End, Provisioning DSA, Routing DSA, Install Server, Admin, Provisioning Gateway, 3 Back Ends]

Virtualization of HLR/HSS Front-end

Original Equipment Manufacturer
- Specs of the real equipment
  – i386 / x64 / SPARC
  – Solaris / CentOS
  – 32 GB of RAM
  – CPU: 16 cores
  – TB hard drive, external SAN

Qemu/KVM
- Faster than VirtualBox
- More flexible
- Tweak the code to add more network interfaces
- VDE switch for networking

Qemu/KVM
Launch command (one VDE-backed NIC per VLAN, each with its own MAC address):

    qemu-system-x86_64 -machine type=pc,accel=kvm:tcg -pidfile ./myhlr.pid \
      -m 7.2g -smp 4 -drive file=/dev/mapper/lvm-vm--myhlr,cache=none \
      -vnc 127.0.0.1:2,password,tls,lossy -display curses \
      -rtc base=localtime,driftfix=slew \
      -net vde,vlan=1,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=1,macaddr=52:54:00:00:10:01 \
      -net vde,vlan=2,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=2,macaddr=52:54:00:00:10:02 \
      -net vde,vlan=3,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=3,macaddr=52:54:00:00:10:03 \
      -net vde,vlan=4,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=4,macaddr=52:54:00:00:10:04 \
      -net vde,vlan=5,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=5,macaddr=52:54:00:00:10:05 \
      -net vde,vlan=6,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=6,macaddr=52:54:00:00:10:06 \
      -net vde,vlan=7,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=7,macaddr=52:54:00:00:10:07 \
      -net vde,vlan=8,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=8,macaddr=52:54:00:00:10:08 \
      -net vde,vlan=9,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=9,macaddr=52:54:00:00:10:09 \
      -net vde,vlan=10,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=10,macaddr=52:54:00:00:10:0a \
      -net vde,vlan=11,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=11,macaddr=52:54:00:00:10:0b \
      -net vde,vlan=12,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=12,macaddr=52:54:00:00:10:0c

- Physical partition for the disk
  – Do not use a disk file on the host: btrfs is super slow, ext4 is ok
  – http://www.linux-kvm.org/page/Tuning_KVM
- Curses output
- Improvements: serial terminal

Qemu/KVM
- Solaris 10
  – Qemu/KVM ok for x64
  – Fails for SPARC
- Stock kernel
  – /kernel
  – /usr/kernel
- Custom kernel modules
  – For Telecom signaling (Signalware)
- Uses grub
- Failsafe mode

Inside the machine
- ZFS filesystem
- Solaris 10
- Everything is installed via packages
- Multiple Oracle databases
  – Even on an HLR/HSS Front-end only
- A lot of middleware framework to start the actual network stacks / applications
- Telco stacks: based on Ulticom Signalware
- The OS expects its precious network cards

System Analysis

The filesystem
- ZFS filesystem / volume manager
- ZFS pool (often mirrored)
  – ZFS root pool: 100-200 GB usually enough
- Prepare free space for system/process dumps
  – ZFS dump pool: should be larger than your RAM
  – ZFS swap pool: should be larger than your RAM

The filesystem
- ZFS offers good resilience against data corruption, and is very picky when there is too much corruption
  – You can't recover when the filesystem is too badly broken
  – You can try:

        zdb -e -p /dev/dsk/c0t3d0p0 -F -X -AAA -dd rpool 1
        zpool import -f -F -X 19485729304958623456 mypool
        zpool import -o readonly=on -o autoreplace=on -o failmode=continue -m -N -f -F -X 19485729304958623456 mypool

- If it fails
  – Code your own tool by modifying ZOL: http://zfsonlinux.org/

Filesystem layout (table on the slide, only partly recoverable)
- Entries listed: advdata/, autoinst/, mnt/, cust/, platform/, root/, rpool/, rtp_environ.txt, sbin/, tftpboot/, usr/, var/, vol/
- Annotations: Filesystem /, Grub/platform failsafe, Home, Applications data, Telco specific apps, Kernel, Crashdumps from Telco specific apps

Some packages installed
- application SMAWrtp: Telecommunication Service Platform (TSP) Base Package
- application OMNI: Signalware System
- application S6U-4: Signalware System
- application OMNI-C7X: Signalware C7 Extensions
- application INTPahacuAC: Utimaco HSM

Low hanging fruits
- SUID executables
  – SUID Total: 162 (155 binaries, 7 scripts)
  – SUID Root: 142 (137 binaries, 5 scripts)
- Signalware boot process "becoming root" by design
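The SUID counts above are the kind of baseline an operator should be able to reproduce on every front-end and diff after each vendor update. As an added example (not code from the talk or from any vendor platform), the following Python script walks a tree, keeps only regular files with the setuid bit, splits them into binaries and scripts by shebang, and counts those owned by the privileged account. The function names, the `privileged_uid` parameter and the self-check helper are this example's own; the self-check builds a constructed tree in a temporary directory and treats the current user as the privileged account so it works without root.

```python
"""Baseline the setuid executables of a host, in the shape of the
"SUID Total / SUID Root" counts on the slide (added example, not code
from the talk; helper names are this example's own)."""
import os
import stat
import sys
import tempfile


def is_script(path):
    """Treat a file as a script when it starts with a shebang line."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def suid_inventory(root, privileged_uid=0):
    """Walk `root` (symlinked directories are not followed) and collect every
    regular file with the setuid bit. Returns (summary, entries); each entry
    is (path, owner_uid, "binary" | "script")."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the file itself, not a link target
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            kind = "script" if is_script(path) else "binary"
            entries.append((path, st.st_uid, kind))

    def count(kind=None, privileged=None):
        return sum(
            1 for _path, uid, k in entries
            if (kind is None or k == kind)
            and (privileged is None or (uid == privileged_uid) == privileged)
        )

    summary = {
        "total": count(),
        "total_binaries": count("binary"),
        "total_scripts": count("script"),
        "root": count(privileged=True),
        "root_binaries": count("binary", True),
        "root_scripts": count("script", True),
    }
    return summary, sorted(entries)


def format_report(summary):
    """Render the summary in the same shape as the slide."""
    return ("SUID Total: {total} ({total_binaries} binaries, {total_scripts} scripts)\n"
            "SUID Root: {root} ({root_binaries} binaries, {root_scripts} scripts)"
            ).format(**summary)


def demo_on_sample_tree():
    """Constructed sample: one setuid binary, one setuid script and one plain
    script in a temporary directory. Returns the summary dict."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    samples = [("suid_bin", b"\x7fELF", 0o4755),
               ("suid_script", b"#!/bin/sh\n", 0o4755),
               ("plain_script", b"#!/bin/sh\n", 0o755)]
    for name, content, mode in samples:
        path = os.path.join(base, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    summary, _entries = suid_inventory(base, privileged_uid=os.getuid())
    return summary


if __name__ == "__main__":
    summary, entries = suid_inventory(sys.argv[1] if len(sys.argv) > 1 else "/usr")
    print(format_report(summary))
    for path, uid, kind in entries:
        print("%-7s uid=%-6d %s" % (kind, uid, path))
```

Run it once on a freshly installed front-end, keep the entry list, and re-run after every package update: a new root-owned setuid script is exactly the kind of "one command" local root the next slide refers to.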

Local roots
- Of course, we often find multiple local roots
- Some are really too easy (one command):

Example of Telco network stack: NSN TSP / RTP, Ulticom Signalware
- The TSP/RTP framework is found on the NSN NTHLR
  – Found in many European and worldwide operators
  – Very similar to Apertio OneHLR
- TSP: Telco Server Platform (Ericsson) / Telco Service Platform (NSN, others, generic name)
- RTP: Resilient Telco Platform (NSN)

Example of Telco network stack: NSN TSP / RTP, Ulticom Signalware
- SS7 protocol handling
- Reminder: SS7 stack

Network Fuzzing

Fuzzing SS7: M3UA
- Example: flooding badly handled
  – Leads to alert flooding in the OSS
  – Leads to loss of previous alerts!
  – P1VID#799

Fuzzing SS7: SCCP
- Example result: 1 specific MSU repeated 2 times causes DoS of all signaling interconnections
  – HLR is down for 2 minutes
  – Total Denial of Service of the network
  – Nobody can receive calls in the whole country

        core 'core.xxx' of 15477:
        01 msu_processing()
        02 msg_distribution()
        03 main()
        04 _start()
        /export/home/xxx

  – If the attack is repeated, the DoS is permanent for the duration of the attack
  – P1VID#773
So long for the critical infrastructure

Fuzzing SS7: SCCP

Fuzzing SS7: MAP
- Example results: 1 specific MSU causes MAP process crashes
  – 5 MSU/second makes the HLR totally unresponsive to any other MAP query
    - Total Denial of Service of the network
    - Nobody can receive calls in the whole country
  – 1 MSU/second makes the HLR drop 50% of other MAP queries
    - Network is highly perturbed
    - 50% of the calls in the whole country are failing
  – P1VID#772
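The SCCP and MAP results above share one shape: a single MSU, repeated a few times per second, is enough to take the front-end down, and the OSS learns about it from the outage rather than from the signaling. Until the vendor fix is deployed, the practical early warning is a rate check on the wire. As an added example (not the talk's fuzzing code and not any vendor stack), the following Python parses the M3UA common header and Protocol Data parameter (RFC 4666 layout) from a SIGTRAN capture and raises an alert when the same MTP3 user payload from the same origin point code reappears `threshold` times inside a sliding window; malformed messages are reported rather than silently skipped. The message builder exists only to construct the sample stream; point codes, payload bytes, window and threshold are constructed values to be tuned on real traffic.

```python
"""Detect one MSU replayed at a high rate on an M3UA link (added example,
not the talk's code; field layout follows RFC 4666; all traffic below is
constructed)."""
import hashlib
import struct
from collections import defaultdict, deque

M3UA_VERSION = 1
MSG_CLASS_TRANSFER = 1        # class 1 = Transfer messages
MSG_TYPE_DATA = 1             # type 1 = Payload Data (DATA)
PARAM_PROTOCOL_DATA = 0x0210  # Protocol Data parameter tag


def parse_m3ua(raw):
    """Split an M3UA message into (msg_class, msg_type, {tag: value}).
    Raises ValueError on any length inconsistency instead of guessing."""
    if len(raw) < 8:
        raise ValueError("M3UA common header truncated")
    version, _reserved, msg_class, msg_type, length = struct.unpack("!BBBBI", raw[:8])
    if version != M3UA_VERSION:
        raise ValueError("unsupported M3UA version %d" % version)
    if length != len(raw):
        raise ValueError("length field %d != %d bytes on the wire" % (length, len(raw)))
    params, off = {}, 8
    while off + 4 <= len(raw):
        tag, plen = struct.unpack("!HH", raw[off:off + 4])
        if plen < 4 or off + plen > len(raw):
            raise ValueError("bad parameter length at offset %d" % off)
        params[tag] = raw[off + 4:off + plen]
        off += (plen + 3) & ~3  # parameter values are padded to a 4-byte boundary
    return msg_class, msg_type, params


def parse_protocol_data(value):
    """Decode Protocol Data: OPC, DPC, SI, NI, MP, SLS, then the MTP3 user
    part payload (SCCP carrying TCAP/MAP in the HLR case)."""
    if len(value) < 12:
        raise ValueError("Protocol Data parameter truncated")
    opc, dpc, si, ni, mp, sls = struct.unpack("!IIBBBB", value[:12])
    return {"opc": opc, "dpc": dpc, "si": si, "ni": ni, "mp": mp, "sls": sls,
            "user_data": value[12:]}


class RepeatedMsuDetector:
    """Sliding-window counter keyed on (OPC, digest of the user data)."""

    def __init__(self, window=1.0, threshold=5):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)

    def observe(self, ts, raw):
        """Feed one message with its capture timestamp in seconds. Returns an
        alert dict when a payload reaches `threshold` hits inside `window`
        or when the message is malformed, else None."""
        try:
            msg_class, msg_type, params = parse_m3ua(raw)
            if (msg_class, msg_type) != (MSG_CLASS_TRANSFER, MSG_TYPE_DATA):
                return None  # ASP/SSNM management traffic is not rated here
            if PARAM_PROTOCOL_DATA not in params:
                raise ValueError("DATA message without Protocol Data")
            pd = parse_protocol_data(params[PARAM_PROTOCOL_DATA])
        except ValueError as err:
            return {"kind": "malformed", "reason": str(err)}
        key = (pd["opc"], hashlib.sha256(pd["user_data"]).hexdigest()[:16])
        stamps = self.seen[key]
        stamps.append(ts)
        while stamps and ts - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) >= self.threshold:
            return {"kind": "repeated_msu", "opc": pd["opc"], "dpc": pd["dpc"],
                    "si": pd["si"], "digest": key[1], "count": len(stamps)}
        return None


def build_m3ua_data(opc, dpc, si, user_data, ni=2, mp=0, sls=0):
    """Encode a DATA message; used only to construct the sample capture."""
    pd = struct.pack("!IIBBBB", opc, dpc, si, ni, mp, sls) + user_data
    plen = 4 + len(pd)
    param = struct.pack("!HH", PARAM_PROTOCOL_DATA, plen) + pd + b"\x00" * (-plen % 4)
    header = struct.pack("!BBBBI", M3UA_VERSION, 0, MSG_CLASS_TRANSFER, MSG_TYPE_DATA,
                         8 + len(param))
    return header + param


def demo_stream():
    """Constructed capture: ten distinct MSUs at 20/s (normal), then one MSU
    replayed six times within a second. Returns the alerts raised."""
    det = RepeatedMsuDetector(window=1.0, threshold=5)
    alerts = []
    for i in range(10):  # point codes and the SCCP-like bytes are made up
        msu = build_m3ua_data(0x1001, 0x2002, 3, b"\x09\x80\x03\x0e\x19" + bytes([i]))
        alert = det.observe(0.05 * i, msu)
        if alert:
            alerts.append(alert)
    replayed = build_m3ua_data(0x1001, 0x2002, 3, b"\x09\x80\x03\x0e\x19\xff")
    for i in range(6):
        alert = det.observe(1.0 + 0.1 * i, replayed)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in demo_stream():
        print(alert)
```

Identical MSUs inside one second are rare in legitimate traffic because TCAP transaction and invoke identifiers change from one dialogue to the next, so the threshold can sit low; the digest and OPC in the alert are what the STP or SCCP-provider filter from the recommendations later in the talk would act on.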

Fuzzing Diameter
- Process crash with 1 specific manually crafted MSU
- Logs do not even report the process crash. Neither do the OSS alerts.
- Application logs:

        Services Esm Log Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM:Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type:S6a-xxxxxxxxx
        Services Esm Log Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM:Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type:S6a-xxxxxxxxx
        UTC Tue Sep 3 01:20:44 2013 Services Esm Log Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type:S6a-xxxxxxxxx
        Services Esm Log Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM:Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type:S6a-xxxxxxxxx

- Behind that, process core dumps are created
- P1VID#718
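The Diameter finding above is an observability gap as much as a parsing bug: the ESM log records only a generic "could not be processed" error per request, the OSS stays silent, and the only hard evidence is the core file that appears afterwards. As an added example (not the vendor's or the talk's code), the following Python turns that pattern into a detector. It parses ESM records in the shape of the slide's excerpt (field separators restored; the exact vendor format, the `S6a-PLACEHOLDER` message type and the core file path are assumptions), finds per-message-type bursts of LOG_ERR records inside a time window, and escalates a burst to CRITICAL when a core file was written shortly after it, so the crash reaches the OSS even though the element never logged one.

```python
"""Correlate bursts of ESM "could not be processed" errors with core dumps
so a silent Diameter front-end crash still raises an alert (added example,
not vendor or talk code; log format reconstructed from the slide excerpt)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One ESM record per line; separators restored from the slide (assumed format).
ESM_RE = re.compile(
    r"^UTC (?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"Services Esm Log Message: vc_Priority=(?P<prio>\w+), "
    r"vc_MessageInformation=(?P<info>[^,]*), "
    r"vc_AdditionalInformation=Reason: (?P<reason>[^,]*), "
    r"Message Type: ?(?P<mtype>\S+)$"
)


def parse_esm_line(line):
    """Return the fields of an ESM log line, or None for any other line."""
    m = ESM_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "prio": m.group("prio"), "reason": m.group("reason"),
            "mtype": m.group("mtype")}


def error_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Per Diameter message type, find the densest run of LOG_ERR records
    that fit inside `window`; keep it if it has at least `threshold` records.
    A few failed lookups are normal, the same type failing repeatedly within
    a minute is what precedes the core dump."""
    stamps_by_type = defaultdict(list)
    for line in lines:
        rec = parse_esm_line(line)
        if rec and rec["prio"] == "LOG_ERR":
            stamps_by_type[rec["mtype"]].append(rec["ts"])
    bursts = []
    for mtype, stamps in stamps_by_type.items():
        stamps.sort()
        best, start = None, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold and (best is None or size > best["count"]):
                best = {"mtype": mtype, "count": size,
                        "first": stamps[start], "last": ts}
        if best:
            bursts.append(best)
    return bursts


def correlate_cores(bursts, core_files, grace=timedelta(seconds=120)):
    """Attach core dumps written between the start of a burst and `grace`
    after its end. With a core the burst is CRITICAL (the process died even
    though nothing logged a crash); without one it stays a WARNING."""
    findings = []
    for burst in bursts:
        cores = [path for path, mtime in core_files
                 if burst["first"] <= mtime <= burst["last"] + grace]
        findings.append(dict(burst, cores=cores,
                             severity="CRITICAL" if cores else "WARNING"))
    return findings


def esm_line(stamp, prio, reason, mtype):
    """Build one constructed ESM record in the slide's shape."""
    return ("UTC %s Services Esm Log Message: vc_Priority=%s, "
            "vc_MessageInformation=ESM:Service could not be processed correctly, "
            "vc_AdditionalInformation=Reason: %s, Message Type: %s"
            % (stamp, prio, reason, mtype))


# Constructed sample: four failures of one S6a message type in three seconds,
# one unrelated info record, one non-ESM line, and a core file that appeared
# 24 s after the last error.
SAMPLE_LOG = [
    esm_line("Tue Sep 3 01:20:44 2013", "LOG_ERR", "subscriber data unavailable", "S6a-PLACEHOLDER"),
    esm_line("Tue Sep 3 01:20:44 2013", "LOG_ERR", "subscriber data unavailable", "S6a-PLACEHOLDER"),
    esm_line("Tue Sep 3 01:20:45 2013", "LOG_INFO", "none", "S6a-OTHER"),
    esm_line("Tue Sep 3 01:20:45 2013", "LOG_ERR", "subscriber data unavailable", "S6a-PLACEHOLDER"),
    esm_line("Tue Sep 3 01:20:46 2013", "LOG_ERR", "subscriber data unavailable", "S6a-PLACEHOLDER"),
    "Sep 3 01:20:47 hss-fe1 sshd[123]: Accepted publickey for oper",
]
SAMPLE_CORES = [("/var/cores/core.esm.PLACEHOLDER", datetime(2013, 9, 3, 1, 21, 10))]


def demo():
    """Run the detector over the constructed sample."""
    return correlate_cores(error_bursts(SAMPLE_LOG), SAMPLE_CORES)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the core file list comes from a directory watch on the dump location and the findings go to the OSS as synthetic alarms; the grace period should cover however long the platform takes to write a core for a process of this size.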

Does redundancy save you?
- No! Same N front-ends, same crashes
- Messages just need to be sent N times

Binaries reverse

Often, too much help
- Binaries not stripped
  – Debug symbols / function names available
- No anti-debug mechanism
- Library headers on production machines
  – Great help in understanding the internals
- Large documentation about internals on production machines
  – Great help in understanding the internals
- Updated binaries and previous binaries both on production machines
  – Binary diff to track issues fixed

Signalware kernel modules
- Example: parsing of the SCCP header

Signalware kernel modules
- Kernel module signaling parsing is robust
- IPC to communicate with userland binaries
- Complexity leads to other types of errors
  – Logic errors
  – Race conditions
  – Slow handling of some types of MSUs

Signalware userland binaries
- Parsing less robust (less tested)
- Example logic error due to IPC / framework complexity:
  – Null pointer dereference
  – Can be triggered from the international SS7 network

So verdict?

So verdict?
- Misconceptions!
  – No crashes on a Critical Core Network Element: FAIL
  – Robustness against network attacks: FAIL
  – Redundancy! Robust: an attack kills the front-ends one by one
  – Modern: depends, but from what we see there is much room for improvement

Mobile Operators and governance
- Reality on threat analysis: Maybe
- Reality of Telco equipment security: Very bad
- Public information: Very bad
- Telco private sector information: Didn't see impact

Consequences
- Mobile network crashes for unknown publicly available reason
- Spying on phone calls / customer activities from a single point (Core Network) is relatively easy
- Fraud

Recommendations
- Secure SDLC (Secure Software Development Life Cycle)
  – Design
  – Implementation
  – Testing
- Especially for vendors' custom stacks/services: TCAP/MAP parsing bugs leading to overflows
- Vendor security audits (HLR isolated)
  – System audit
  – Network audit
- Testbed audits (HLR in environment)
  – System audit
  – Network audit
  – Before deploying to production

Recommendations: securing the OS
- Use Solaris Zones to split services: P1VID#764
- Use the Solaris Audit mechanism: P1VID#765
- Authenticate the hardware
  – To prevent emulation
- Use the latest OS protections against exploitation
  – Solaris 11 has ASLR
  – Use a custom Linux kernel
- Use a firewall by default on the machine itself

Recommendations: OSS
- Make it faster!
  – People should be able to use it to react when under attack
  – E.g. NSN @vantage commander
- Need access to all low-level network traffic for forensics

Recommendations: for the operators
- Push the vendors to fix the bugs
- Some of the attacks we discovered can be filtered
  – Operators do not have to wait for bugs to be fixed
  – Filter at perimeter boundaries (typically STP / Router)
  – Depends on STP / Router models and security "features": sometimes filtering options are charged for by the vendor
- It is also possible to filter at the SCCP provider level

To be continued
- Telecom Network Element security is low
  – We tested multiple Network Element types/models, from different vendors
- Vendors, governments and security researchers have work to do
- Vulnerability disclosure in security-critical infrastructure is scarce
  – Dangerous?
  – Not if there is collaboration

Other aspects of Telecom Security
- We talked here about equipment security
  – It's a work in progress, and only HLR/HSS
  – Mainly Network Equipment Vendor responsibility
- Also consider
  – Other Network Elements security
  – GRX / IPX / SCCP provider security
  – Deployment security (password policies, filtering, ...): operator responsibility
  – Telecom network fraud (SS7 spoofing, Call/SMS spoofing, ...): operator responsibility

References
Governance literature on critical infrastructure:
- European level
  – 2007: http://www.nato-pa.int/default.asp?COM=1165&LNG=0
  – 2012: http://www.nato.int/cps/en/natolive/news_88054.htm?selectedLocale=en
  – [URL truncated in the source] ...ture/index ... ucture/docs/swd_2013_318_on_epcip_en.pdf
- France
  – [URL truncated in the source] ...idTexte=JORFTEXT000026638421&dateTexte=&categorieLien=id
  – [URL truncated in the source] ...e

That's it, please react.
Thank you.
[email protected]
http://www.p1sec.com