
Monday, February 16, 2015

The research: Mobile Internet traffic hijacking via GTP and GRX

Most users assume that mobile network access is much safer because a big mobile-telecoms provider will protect subscribers. Unfortunately, as practice shows, mobile Internet is a great opportunity for the attacker.


Positive Technologies experts have detected vulnerabilities in the infrastructure of mobile networks, allowing an attacker to intercept unencrypted GPRS traffic, spoof the data, block the Internet access, and determine the subscriber's location. Not only cell phones are exposed to threats, but also special devices connected to 2G/3G/4G networks via modems: ATM machines and payment terminals, remote transport and industrial equipment control systems, telemetry and monitoring tools, etc.

Operators of mobile services usually encrypt GPRS traffic between the mobile terminal (smartphone, modem) and the Serving GPRS Support Node (SGSN) using the GEA-1/2/3 encryption algorithms, making it difficult to intercept and decrypt information. To bypass this restriction, an attacker can access the operator's core network, where the data is not protected by authentication mechanisms. Routing nodes (or gateway nodes) called GGSN are a weak point. We can easily find the required nodes using Shodan.io, a search engine for Internet-connected systems controlling industrial equipment. Vulnerable nodes have open GTP ports, which allow attackers to set up a connection and then encapsulate GTP control packets into the created tunnel. If the parameters are selected properly, the GGSN will take them as packets from legitimate devices within the operator's network.

The GTP protocol described above should never be visible from the Internet. In practice, however, things are often quite different: there are more than 207,000 devices with open GTP ports all over the global Internet. More than five hundred of them are components of cellular network architecture and respond to the request for a connection.



Another benefit for attackers is that GTP is not the only protocol used to manage the detected hosts. FTP, SSH, Web, etc. are also used for management purposes. An attacker can connect to the node of a mobile network operator by exploiting vulnerabilities (for example, default passwords) in these interfaces.

An experimental search through the Shodan site reveals some vulnerable devices, including ones with open Telnet and password authentication turned off. An attacker can perform an intrusion into the network of the operator in the Central African Republic by connecting to this device and implementing the required settings.


Having access to the network of any operator, the attacker will automatically get access to the GRX network and other operators of mobile services. One single mistake made by one single operator in the world opens this avenue of attack against many other mobile networks.

Among the various ways of using the compromised boundary host we should note the following: disconnecting subscribers from the Internet or blocking their access to the Internet; connecting to the Internet with the credentials of a legitimate user and at the expense of others; listening to the traffic of the victim and phishing attacks. An attacker can also get the subscriber's ID (IMSI) and monitor the subscriber's location worldwide until the SIM card is changed.

Let us describe some of the security threats in more detail.

Internet at the expense of others

Goal. The exhaustion of the subscriber's account and use of the connection for illegal purposes.

Attack vector: An attacker conducts attacks from the GRX network or the operator's network.

Description. The attack is based on sending “Create PDP context request” packets with the IMSI of a subscriber known in advance. Thus, the subscriber's credentials are used to establish the connection. The unsuspecting subscriber will get a huge bill.

It is possible to establish a connection via the IMSI of a non-existent subscriber, as subscriber authorization is performed at the stage of connecting to the SGSN, and the GGSN receives already verified connections. Since the SGSN is compromised, no verification is carried out.


Result. An attacker can connect to the Internet with the credentials of a legitimate user.

Data interception

Goal. To listen to the traffic of the victim and conduct a phishing attack.

Attack vector: An attacker conducts attacks from the GRX network or the operator's network.

Description. An attacker can intercept data sent between the subscriber's device and the Internet by sending an “Update PDP Context Request” message with spoofed GSN addresses to SGSN and GGSN. This attack is an analogue of the ARP Spoofing attack at the GTP level.



Result. Listening to traffic or spoofing traffic from the victim and disclosure of sensitive data.
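
A monitoring check for the two messages described above, as an added example that is not from the original article or from Positive Technologies: it parses GTPv1-C payloads seen at the GRX edge and alerts when a Create or Update PDP Context Request comes from a non-peer source or names a GSN address outside the known peer ranges. The peer range, the sample message and all function names are assumptions made for the illustration.

```python
import ipaddress
import struct

# GTPv1-C message types (3GPP TS 29.060) named in this article.
WATCHED = {16: "Create PDP Context Request", 18: "Update PDP Context Request"}
# Fixed-length (TV) IEs: type -> value length. Subset only; an unknown TV type
# ends the walk because its length cannot be inferred from the packet.
TV_LEN = {1: 1, 2: 8, 3: 6, 14: 1, 15: 1, 16: 4, 17: 4, 20: 1, 26: 2, 127: 4}
IE_IMSI, IE_GSN_ADDRESS = 2, 133
# Assumption: address ranges of the operator's own GSNs and roaming partners.
PEERS = [ipaddress.ip_network("10.10.0.0/16")]


def parse_gtpc(pkt):
    """Return (message type, TEID, [(IE type, value)], walk_complete)."""
    if len(pkt) < 8:
        raise ValueError("shorter than a GTP header")
    flags, mtype, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTP version 1")
    if length != len(pkt) - 8:
        raise ValueError("length field does not match payload")
    off = 12 if flags & 0x07 else 8  # E, S or PN set: 4 more header bytes
    if off > len(pkt):
        raise ValueError("truncated optional header")
    ies = []
    while off < len(pkt):
        ie_type = pkt[off]
        if ie_type & 0x80:  # TLV: two-byte length follows the type
            if off + 3 > len(pkt):
                raise ValueError("truncated IE header")
            size, start = struct.unpack("!H", pkt[off + 1:off + 3])[0], off + 3
        elif ie_type in TV_LEN:
            size, start = TV_LEN[ie_type], off + 1
        else:
            return mtype, teid, ies, False
        if start + size > len(pkt):
            raise ValueError("truncated IE value")
        ies.append((ie_type, pkt[start:start + size]))
        off = start + size
    return mtype, teid, ies, True


def decode_imsi(value):
    """IMSI is TBCD-encoded: low nibble first, 0xF as filler."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in value).rstrip("f")


def is_peer(addr, peers):
    return any(addr in net for net in peers)


def inspect(src_ip, pkt, peers=PEERS):
    """Return alert strings for one UDP/2123 payload (empty list: no alert)."""
    try:
        mtype, _, ies, complete = parse_gtpc(pkt)
    except ValueError as err:
        return [f"malformed GTP-C from {src_ip}: {err}"]
    if mtype not in WATCHED:
        return []
    imsi = next((decode_imsi(v) for t, v in ies if t == IE_IMSI), "unknown")
    what = f"{WATCHED[mtype]} (IMSI {imsi})"
    alerts = []
    if not is_peer(ipaddress.ip_address(src_ip), peers):
        alerts.append(f"{what} from non-peer source {src_ip}")
    gsn_values = {v for t, v in ies if t == IE_GSN_ADDRESS and len(v) in (4, 16)}
    for addr in sorted(ipaddress.ip_address(v) for v in gsn_values):
        if not is_peer(addr, peers):
            alerts.append(f"{what} names non-peer GSN address {addr}")
    if not complete:
        alerts.append(f"{what}: IE walk stopped at an unknown type")
    return alerts


def sample_update(gsn_hex):
    """Constructed test message: header, IMSI, TEIDs, NSAPI, two GSN Address IEs."""
    return bytes.fromhex("32120027" "0000002a" "00010000" "0200010121436587f9"
                         "1000000001" "1100000002" "1405" + ("850004" + gsn_hex) * 2)
```

The same allowlist belongs in the GRX-edge firewall policy; this check is for messages that are still observed, for example from a compromised peer inside an allowed range.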

DNS tunneling

Goal. To get non-paid access to the Internet from the subscriber's mobile station.

Attack vector: The attacker is the subscriber of a mobile phone network and acts through a mobile phone.

Description. This is a well-known attack vector, rooted in the days of dial-up, but the arrival of low-priced and fast dedicated Internet access made it less viable. However, this attack can be used in mobile networks, for example, in roaming, when prices for mobile Internet are unreasonably high and the data transfer speed is not that important (for example, for checking email).

The point of this attack is that some operators do not rate (bill) DNS traffic, usually in order to redirect the subscriber to the operator's webpage for topping up the balance. An attacker can use this vulnerability by sending specially crafted requests to the DNS server; to get access, one needs a specialized host on the Internet.


Result. Getting non-paid access to the Internet at the expense of the mobile operator.
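
One way an operator could spot this abuse of the unrated DNS path, as an added example that is not part of the original article: group the queries each subscriber sends by base domain and flag domains that receive many distinct, long, high-entropy names. The portal domain, thresholds, subscriber labels and sample queries are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Assumption: domains the unrated DNS path exists to resolve (operator portal).
EXPECTED_BASES = {"operator.example"}
BASE32 = "abcdefghijklmnopqrstuvwxyz234567"


def entropy(text):
    """Shannon entropy of a string, in bits per character."""
    total = len(text)
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def split_name(qname, base_labels=2):
    """Split a query name into (prefix, base domain).
    Simplification: a production version would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])


def find_dns_tunnels(records, min_unique=5, min_len=30, min_entropy=3.5):
    """records: (subscriber, qname) pairs seen on the unrated DNS path.
    Returns sorted (subscriber, base domain, unique names, payload chars)."""
    prefixes = defaultdict(set)
    for subscriber, qname in records:
        prefix, base = split_name(qname)
        if base not in EXPECTED_BASES:
            prefixes[(subscriber, base)].add(prefix.replace(".", ""))
    hits = []
    for (subscriber, base), names in prefixes.items():
        chars = sum(len(n) for n in names)
        mean_entropy = sum(entropy(n) for n in names) / len(names)
        if (len(names) >= min_unique and chars / len(names) >= min_len
                and mean_entropy >= min_entropy):
            hits.append((subscriber, base, len(names), chars))
    return sorted(hits)


def constructed_label(i, length=40):
    """Deterministic stand-in for an encoded payload label (constructed data)."""
    return "".join(BASE32[(i * 7 + j * 11) % 32] for j in range(length))


# Constructed sample: sub-A only resolves the portal and two ordinary names,
# sub-B sends eight distinct 40-character labels to a single domain.
SAMPLE = (
    [("sub-A", "portal.operator.example")] * 6
    + [("sub-A", "www.example.org"), ("sub-A", "mail.example.org")]
    + [("sub-B", constructed_label(i) + ".tunnel.example") for i in range(8)]
)

if __name__ == "__main__":
    for hit in find_dns_tunnels(SAMPLE):
        print(hit)
```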

Substitution of DNS for GGSN

Goal. To listen to the traffic of the victim and conduct a phishing attack.

Attack vector: An attacker acts through the Internet.

Description. If an attacker gets access to GGSN (which is quite possible as we could see), the DNS address can be spoofed with the attacker's address and all the subscriber's traffic will be redirected through the attacker's host. Thus, listening to all the mobile traffic of the subscriber is possible.


Result. An ability to listen to traffic or spoof traffic from all subscribers and then gather confidential data to use it in phishing attacks.

Some of the attacks cannot be performed if the equipment is configured properly. Still, the results of the research made by Positive Technologies suggest that misconfiguration is a common problem in the telecommunications sphere. Vendors often leave some services enabled that should be disabled on this equipment, which gives additional opportunities to attackers. Due to the large number of nodes, it is recommended to automate the control process using specific tools such as MaxPatrol.



How to Protect Yourself

Security measures required to protect against such attacks include proper configuration of equipment, utilizing firewalls at the GRX network edge, using the 3GPP TS 33.210 recommendations to configure the security settings within the PS Core network, security monitoring of the perimeter, as well as developing security compliance standards for the equipment and performing regular compliance management tasks.

Many people rely on new communication standards that include new safety technologies. However, despite the development of such standards (3G, 4G) we cannot completely abandon the use of old generation networks (2G). The reason is the specifics of the implementation of mobile networks and the fact that the 2G base stations have better coverage as well as the fact that 3G networks use their infrastructure. LTE still uses the GTP protocol and therefore the necessary protection measures will be relevant in the foreseeable future.

The results of this research were gathered by Positive Technologies experts in 2013 and 2014 during consulting on security analysis for several large mobile operators. For the detailed report on Vulnerabilities of mobile Internet (GPRS), please visit the Positive Technologies official site: www.ptsecurity.com/download/Vulnerabilities_of_Mobile_Internet.pdf
