December 13, 2011

How to Hack a Telecommunications Company and Stay Alive

Sergey Gordeychik, Deputy CEO at Positive Technologies

Penetration testing of telecommunications companies' networks is one of the most complex, and yet most interesting, tasks. Millions of IP addresses, tens of thousands of hosts, hundreds of web servers — and just a month for all of it. What challenges await an auditor during telecom network testing, and what should be kept in mind?

What is so peculiar about telecoms?
Present-day telecommunications companies serve tens or sometimes hundreds of subscribers, which obliges them to build and support huge networks. Most companies in the field are going through a convergence process that merges different services (broadband and wireless access, hosting, mobile communication, VoIP and PSTN) across regions and countries into one company, one network and one set of convergent technology platforms.

Stranger in a Strange Land
It is important to realize that many hosts and networks you will work with do not belong to the client. You can spend hours or even days finding the owner of a host, so establish contact with the client early to avoid disappointment and unnecessary work.

Another peculiarity of a telecommunications company is its great number of security perimeters. However, these perimeters interact closely. The network you got onto may seem harmless, but the next moment you find yourself one step from the holy of holies — the technology network core.


Telecom's perimeter (right — possible; left — ideal)

Attacks against subscribers
Your client's profit consists almost entirely of the money paid by subscribers. If the operator fails to provide its services (for example, because of DoS), it loses the money the subscriber would have spent and also suffers reputational damage. Remember, too, that the operator handles large quantities of confidential information, the disclosure of which may lead to penalties and other sanctions imposed by a regulator.

Let us consider services provided by the present-day operators with a view to the possible attacks against subscribers.

Broadband access services (BAS)
In most cases, BAS are based on a sparsely segmented IP network. Subscribers' devices connect to this IP network, as do the gateways (BRAS) that control the devices' access to outside networks. The BAS access layer of many telecommunications companies is a kind of manual on network device insecurity, and it serves as a training ground for schoolchildren and first-year students.

The main types of vulnerabilities in subscriber access devices are: management protocols (SNMP, Telnet, HTTP, UPnP, TFTP) reachable from the Internet or from the operator's access networks; insecure (or blank) passwords; and no protection from client-side web attacks (anti-DNS pinning, CSRF etc.).

Besides, the sheer number of users makes automated attacks worthwhile. Even if only 1 user out of 1,000 has the password "password1", with 10,000,000 subscribers that is 10,000 potential incidents.
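The two points above (management services reachable from untrusted networks, and the arithmetic of weak passwords at operator scale) can be turned into a simple triage step over the operator's own scan results. The following is an added example, not code from the article or from Positive Technologies; the CSV layout, the `origin` column and all addresses are constructed, and the scan itself is assumed to have been run against the operator's access range with the client's agreement.

```python
"""Triage constructed scan output for subscriber devices (CPE) whose
management services are reachable from outside the subscriber's LAN.
Added example; the input format, addresses and origins are constructed."""
import csv
import io
from collections import defaultdict

# Management services named in the article, keyed by (protocol, port).
MANAGEMENT_SERVICES = {
    ("tcp", 23): "Telnet",
    ("tcp", 80): "HTTP",
    ("udp", 69): "TFTP",
    ("udp", 161): "SNMP",
    ("udp", 1900): "UPnP",
}

# Constructed sample: one open port per line, as if exported from a scan of
# the access range.  `origin` says from where the port was reachable:
# internet | access_net (other subscribers' segment) | lan (device's own LAN).
SAMPLE_SCAN = """ip,proto,port,origin
10.200.1.10,tcp,23,internet
10.200.1.10,udp,161,internet
10.200.1.11,tcp,443,internet
10.200.1.12,udp,1900,access_net
10.200.1.13,tcp,80,lan
10.200.1.14,udp,69,access_net
10.200.1.14,tcp,22,internet
"""


def exposed_management(scan_csv: str, untrusted=("internet", "access_net")):
    """Return {ip: sorted service names} for every device that exposes a
    management service towards an untrusted origin.  Ports that are not
    management services (443, 22) and services only visible from the
    device's own LAN are deliberately left out."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(scan_csv)):
        key = (row["proto"].lower(), int(row["port"]))
        if row["origin"] in untrusted and key in MANAGEMENT_SERVICES:
            findings[row["ip"]].add(MANAGEMENT_SERVICES[key])
    return {ip: sorted(services) for ip, services in findings.items()}


def expected_incidents(subscribers: int, one_in: int) -> int:
    """The article's arithmetic: one weak password in `one_in` accounts,
    multiplied out to the operator's subscriber base."""
    return subscribers // one_in


if __name__ == "__main__":
    for ip, services in sorted(exposed_management(SAMPLE_SCAN).items()):
        print(f"{ip}: {', '.join(services)}")
    print("expected incidents:", expected_incidents(10_000_000, 1000))
```

The `origin` distinction matters in practice: a management interface that answers on the device's LAN side is the subscriber's problem, one that answers from the shared access segment or the Internet is the operator's, and the latter is what the auditor reports.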

Show me the money!
A router password usually matches the password the subscriber uses for the self-service portal, or it is stored in the device's configuration file, since the router uses it to authenticate to the BRAS and gain access to the Internet. If you know the password for Internet or self-service portal access, it is easy to demonstrate one of the following threats to the client:

  • changing subscriber details and withdrawing money via mobile payment services (integration with payment systems);
  • account fund depletion and, as a result, access lock-out through changing the tariff plan or buying additional services (such as parental control);
  • access lock-out through changing passwords or configurations of subscribers' devices;
  • leakage of subscribers' financial and personal information.

Father is away on business
A common defect of mobile networks is the lack of Caller ID filtering on the interconnect with roaming partners, together with a significant billing delay for roaming calls. Knowing these defects, an attacker can use his or her own VoIP gateway to fake a subscriber's Caller ID and perform various attacks against mobile network subscribers.

Depending on configuration, many services (such as voice mail, location tracking, guaranteed payment, or sending money to a mobile account) may require no authorization beyond Caller ID. Where additional authorization does exist, it is sometimes implemented in an unusual way that lets the attacker go further still; the consequences range from tapping subscribers' messages to stealing mobile money.
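On the operator's side, the defect described above is detectable: a Caller ID belonging to a home subscriber should only arrive over a roaming partner's interconnect while that subscriber is actually registered with that partner. The following is an added example, not code from the article; the call records are constructed, and `REGISTRATION` is a simplified stand-in for the network's location register rather than any real interface.

```python
"""Flag ingress calls whose presented Caller ID contradicts the
subscriber's current registration.  Added example with constructed data;
the registration table is a toy model of a location register."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    calling_number: str   # Caller ID presented on the ingress trunk
    trunk: str            # "home" or the name of the roaming partner trunk
    called_service: str   # service short code dialled (constructed names)


# Constructed: where each home subscriber is currently registered.
# "home" means attached to our own network; otherwise the partner network.
REGISTRATION = {
    "+15550100001": "home",
    "+15550100002": "partner_A",
    "+15550100003": "partner_B",
}
HOME_PREFIX = "+155501"   # constructed number range of the home operator

# Constructed sample of ingress call records.
SAMPLE_CALLS = [
    Call("+15550100001", "home", "*VOICEMAIL"),       # consistent
    Call("+15550100001", "partner_A", "*VOICEMAIL"),  # at home, yet arrives via a partner
    Call("+15550100002", "partner_A", "*TOPUP"),      # roaming with partner_A: consistent
    Call("+15550100003", "partner_A", "*LOCATE"),     # registered with B, arrives via A
    Call("+44200000000", "partner_A", "*VOICEMAIL"),  # another operator's subscriber
]


def is_home_subscriber(number: str) -> bool:
    return number.startswith(HOME_PREFIX)


def suspicious_calls(calls, registration):
    """Return (call, reason) for every call whose Caller ID is a home
    subscriber but whose ingress trunk does not match where that
    subscriber is registered.  Foreign numbers are out of scope: their
    home operator, not us, can judge where they should be."""
    flagged = []
    for call in calls:
        if not is_home_subscriber(call.calling_number):
            continue
        location = registration.get(call.calling_number)
        if location is None:
            flagged.append((call, "number in home range but not registered"))
        elif call.trunk != location:
            flagged.append((call, f"registered in {location}, call arrived via {call.trunk}"))
    return flagged


if __name__ == "__main__":
    for call, reason in suspicious_calls(SAMPLE_CALLS, REGISTRATION):
        print(f"{call.calling_number} -> {call.called_service}: {reason}")
```

A mismatch is a signal, not proof: a subscriber may have just moved between networks and the register may lag. The useful policy consequence is that services such as voice mail, location or money transfer should not treat Caller ID alone as authorization for a call that fails this check.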

Mobile malware
The unification of smartphone platforms and the resulting drop in development costs have led to an explosion of malware for mobile devices. Various ways of monetization (e.g. making money via premium-rate services, PRS) can cause substantial damage to subscribers and operators alike. This kind of attack against subscribers should therefore not be ignored: it is enough to check how well the operator's malware filtering works on the different delivery channels (MMS, WAP etc.), and to test how the anti-fraud system reacts to the common behavior patterns of fraudulent programs.

Hosting
Virtual hosting is one of the more vulnerable types of service. In most cases it runs on large, sparsely segmented networks without additional protection systems, which allows an intruder to perform attacks within a segment (such as ARP spoofing, IP spoofing or DNS spoofing).
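The segment-level attacks just named leave a trace a hosting operator can watch for: with ARP spoofing, one MAC address starts answering for the gateway (or for a neighbour) and the IP-to-MAC mapping flaps. The following is an added example, not code from the article; the observation lines are constructed and in practice would come from the segment's switch or a passive sniffer.

```python
"""Detect ARP spoofing in a shared hosting segment by tracking which MAC
claims each IP over time.  Added example; the gateway address and the
observation log are constructed."""
from collections import defaultdict

GATEWAY_IP = "192.0.2.1"   # constructed default gateway of the segment

# Constructed ARP observations: "<unix time> <ip> <mac>", one per ARP reply.
SAMPLE_ARP_LOG = """\
1000 192.0.2.1 00:00:5e:00:53:01
1001 192.0.2.10 00:00:5e:00:53:10
1002 192.0.2.11 00:00:5e:00:53:11
1060 192.0.2.1 00:00:5e:00:53:11
1061 192.0.2.1 00:00:5e:00:53:01
1062 192.0.2.1 00:00:5e:00:53:11
1070 192.0.2.10 00:00:5e:00:53:11
1100 192.0.2.12 00:00:5e:00:53:12
"""


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        yield int(ts), ip, mac.lower()


def analyse_arp(observations, gateway_ip=GATEWAY_IP):
    """Return (alerts, suspects).

    alerts:   one entry per change of the MAC claiming an IP; a change on
              the gateway IP is 'critical' because it puts the claimant in
              the middle of all outbound traffic of the segment.
    suspects: {mac: sorted ips} for every MAC seen claiming more than one
              IP, the usual footprint of a host answering for its neighbours.
    """
    last_mac = {}                   # ip -> MAC most recently observed
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in observations:
        ips_by_mac[mac].add(ip)
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({
                "time": ts, "ip": ip, "old_mac": prev, "new_mac": mac,
                "severity": "critical" if ip == gateway_ip else "warning",
            })
        last_mac[ip] = mac
    suspects = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return alerts, suspects


if __name__ == "__main__":
    found_alerts, found_suspects = analyse_arp(parse_arp_log(SAMPLE_ARP_LOG))
    for alert in found_alerts:
        print(alert)
    print("suspect MACs:", found_suspects)
```

Legitimate events also change a mapping (a VRRP failover, a VM migrated to another hypervisor), so the check is best read together with the `suspects` view: a host that claims the gateway and a neighbour's address within a minute is a different thing from a single planned change.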

It is important to realize that an auditor has no right to search for or exploit vulnerabilities in other companies' sites just because they happen to be hosted on the same server as the client.

Attacks by subscribers
The fact that subscribers can perform attacks is rarely taken into account: most companies do not consider them potential intruders. For telecommunications companies it is different. Their customers are inside the telecom's network and actually have more privileges than ordinary Internet users, so many attacks are easier to perform.

Rule of rest
The rule an auditor needs when working with a telecom's networks is simple: subscribers' resources belong to the subscribers, not to the operator you entered into an agreement with. The client's employees may have another opinion, but believe me, they are mistaken. To avoid any problems during the penetration test, you need to remember three things:

  • When working with subscribers' systems, the auditor searches for vulnerabilities but does not exploit them.
  • Exploitation is demonstrated on the auditor's own mobile terminals, terminal equipment and accounts, or with the subscriber's written consent.
  • Actions that involve obtaining access to information protected by law are performed by the client's employees or with the subscriber's written consent.
