{"id":10570,"date":"2014-05-30T15:13:22","date_gmt":"2014-05-30T13:13:22","guid":{"rendered":"https:\/\/www.corelan.be\/?p=10570"},"modified":"2014-05-30T15:13:22","modified_gmt":"2014-05-30T13:13:22","slug":"hitb2014ams-day-2-on-her-majestys-secret-service-grx-a-spy-agency","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2014\/05\/30\/hitb2014ams-day-2-on-her-majestys-secret-service-grx-a-spy-agency\/","title":{"rendered":"HITB2014AMS - Day 2 - On Her Majesty's Secret Service: GRX & A Spy Agency"},"content":{"rendered":"

Last year, Belgacom got hacked by an intelligence service (GCHQ?), Rob says. \"What is so interesting about this hack, why did they hack into Belgacom, what would or could be the purpose of a similar hack?\" \u00a0Before answering those questions, we need to take a quick look on how mobile networks work and how mobile data travels the network.\u00a0<\/p>\n

\"DSC<\/p>\n

Mobile data<\/h4>\n

In a mobile data network, it's necessary to know where you are. \u00a0KPN has about 5000 cells throughout the country, and each site has a Cell Identifier (CI). To group them together, an RAC (Route Area Code) is used. \u00a0Every country has its own unique number. \u00a0MCC 204, for example, corresponds with The Netherlands. \u00a0Additionally, each provider has a unique number. \u00a0<\/p>\n

To access the network, you need an APN (Access Point Name), an IMSI (International Mobile Subscriber Identify) and an UICC (Universal Integrated Circuit Card), which is stored on the SIM card. From a network perspective, Rob explains, even more components are needed and used. \u00a0Radio (BTS\/nodeB), a Home Location Register, a Service GPRS Support Node (SGSN), a Gateway GPRS Support Node and DNS servers are needed to provide connectivity. \u00a0<\/p>\n

When the phone sends a data packet, it will hit the data network first. \u00a0The packet reaches the SGSN\/S-GW and gets authenticated (HLR\/HSS). \u00a0After successful authentication, the device will resolve the APN name (using DNS). \u00a0Traffic is then sent to a gateway, and everything behind the gateway is plain TCP\/IP. \u00a0<\/p>\n

To make sure all devices can use their own tunnel, GPRS Tunneling protocol was created, Rob explains, to allow devices to have their own GPRS tunnel. \u00a0The protocol (GTPv0 GPRS, GTPv1 GPRS\/UMTS, GTPv2 LTE) is based on UDP. \u00a0The GTP specification can be found at http:\/\/www.3gpp.org\/DynaReport\/29060.htm<\/p>\n

When a telco gets hacked, there are a number of fields in the GPRS protocol that may be interesting for hackers. \u00a0The IMSI may be interesting, the APN (if it's hidden) and some other information such as MCC, MNC, LAC, CI and IMEI.<\/p>\n

Roaming Mobile data<\/h4>\n

The setup for Mobile roaming is quite similar to a domestic setup. \u00a0A device first connects to a local network and the local SGSN will connect to the HLR of the home country to authenticate the device. After authentication, traffic is sent to the gateway in the home country.... \u00a0and to make that happen, the operators use GRX (GPRS Roaming Exchange). \u00a0 GRX is a concept based on GSMA, but *should* be segmented\/isolated from the rest of the network. \u00a0To understand why access to GRX traffic could be interesting to spy agencies, Stephen continues, we need to look at what the GTP traffic looks like and what is inside the packets.<\/p>\n

\"DSC<\/p>\n

Most of the current network analyzers don't really understand GTP (except for Telco specific ones), so Wesley (one of the people in the KPN Cert team) wrote a script to strip the GTP headers and dissect the traffic. \u00a0The script identifies the link layer header, detects the VLAN tag, checks for the IP\/UDP Header etc... \u00a0basically allowing the researchers to load the stripped PCAP file into NetworkMiner (http:\/\/www.netresec.com\/?page=NetworkMiner) and examine the actual GTP traffic contents. \u00a0 This also means that you can see all cleartext traffic (including credentials etc). \u00a0Being able to get access to GRX traffic can clearly be very valuable to spy agencies.<\/p>\n

Additionally, since the GTP headers contain location information, spies can use the traffic to gather information on where somebody is. www.numberingplans.com is a website that allows you to perform analysis of an IMEI number, including displaying information about the device. http:\/\/unwiredlabs.com\/api<\/a> can be used to get location information.<\/p>\n

\"DSC<\/p>\n

Long story short, getting access to GRX traffic is a big deal and an obvious goal for spies and attackers in general.<\/p>\n

Getting access to the GRX network ?<\/h4>\n

How easy would it be to get GRX access, providing that you are not an operator\/telco, Stephen wonders. \u00a0To determine how easy it would be, they used the \"kill-chain\" methodology, which is a typical penetration testing approach. \u00a0 They started the audit by looking at the GRX BGP Routing table (MNO's) and identified 4,8K subnets (320K IP addresses). \u00a0Next, they performed a \"masscan\" against all of the IPs (limited port scan) and performed a GTP ping (UDP 2152, 2123) using zmap, allowing them to discover all GTP enabled devices. \u00a0Going forward, they used SGSNEMU (part of OpenGGSN) to attempt to connect to GGSN, perform ping requests, create PDP context, and forward packets to connections on Gn\/Gp interfaces.<\/p>\n

Next, they attempted to discover the DNS servers used by the various telcos, which is used by GRX to resolve the APN in order to set up the GTP tunnel. Most operators seem to be running (mostly) Bind and Microsoff DNS, with some of the discovered Bind versions appeared to be quite old and vulnerable to DoS attacks. \u00a0<\/p>\n

\"DSC<\/p>\n

Additionally, they performed a scan for SMTP servers inside the network and discovered a wide variety of servers (Exim, Microsoft, Sendmail, qmail, etc). \u00a0It is unclear why these SMTP servers are present on the network. \u00a0 Next, they performed an FTP scan, Telnet scan, SMB scan, SNMP probing etc... \u00a0and they detected old & vulnerable versions of all kinds of servers and daemons. \u00a0In other words, the GRX network does not only contain GRX related devices. \u00a0In short, it doesn't seem to be a dedicated\/isolated network at all. \u00a0 \u00a0<\/p>\n

Even worse, out of the 42K GRX live hosts, 5.5K hosts from 15 operators were reachable from the internet. So, if one of the vulnerable machines, connected to the internet, gets compromised, it could be used to get inside the GRX network. \u00a0None of the found devices should have been reachable from the internet in the first place.<\/p>\n

Going back to the Belgacom hack, it appears that the breach was based on a direct attack against administrators, instead of compromising external machines. This either means that Belgacom didn't have any exposed systems, the exposed Belgacom systems (if any) were protected well, or perhaps the type of access that could be gained by hacking a vulnerable servers was too limited. \u00a0By attacking an administrator, hackers would get access to a lot more internal systems right away.<\/p>\n

GRX traffic is definitely interesting. It has information on who you are and where you are and what you do. \u00a0It should have been isolated from other networks but that is not the case. \u00a0GRX traffic can definitely be interesting to attackers and spy agencies. \u00a0To prevent issues, operators could:<\/p>\n