Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis

2014, Hackito Ergo Sum - Security ConferenceHacking Telco equipment: The HLR/HSS – Laurent Ghigonis – P1 Security
Hacking Telco equipment
The HLR/HSS
Laurent Ghigonis
Security researcher at P1 Security

What are we talking about ?
A mobile network operator Core Network
Network passive capture showing Global Titles

Mobile Operators
• Conveys the majority of voice communications
worldwide
• Conveys our data
• Conveys growing M2M traffic
• Emergency systems notifications uses it
=> We now rely on it and we have some security
expectations

Mobile Operators and governance
• In Europe

• In France
Lets check the reality …

HSS Front End
HLR Front End
AuC HSM
Provisioning DSA
3 Back Ends
Provisioning Gateway
Install Server
Admin
Routing DSA
The Witness : An HLR/HSS
Typical HLR/HSS in use in operator Core Network

HLR/HSS in Mobile Core Network
A mobile network operator Core Network
Network passive capture showing Global Titles

• HLR is used in all 2G Operator Network
• HSS is used in all 3G/4G Operator Network
• Stores customer data
– Subscriber identifier (IMSI)
– Subscriber encryption keys
– Subscriber approximate location
– Subscriber SIM plan options
• Critical to the operator
– HLR down == Network down, no calls possible

HLR/HSS receiving subscriber location update
from the operator SS7/Diameter signaling links

Lets make it talk …

Plan
HLR/HSS Robustness assessment
• Virtualization
– Virtualization and instrumentation
• System Analysis
– Localroot, Framework complexity
• Network Fuzzing
– SS7 Protocols
• Binaries Reverse
– More vulns

HLR/HSS Virtualization
No, it’s not ATCA / NFV

An HLR/HSS is an ecosystem

An HLR/HSS is an ecosystem
• HLR + HSS Front-end
• HLR Administration server
• Application/Database routing servers
• HLR Backend/Database (multiple)
• HSM (Hardware Security Module) for keys

HLR/HSS is never alone

Where to start
• Most exposed from the outside
=> HLR/HSS Front-end
– Receives SS7/Diameter traffic
• Telecom network stacks
– Receives provisioning requests
– Connected to the HSM

HSS Front End
HLR Front End
AuC HSM
Provisioning DSA
3 Back Ends
Provisioning Gateway
Install Server
Admin
Routing DSA
Where to start
Typical HLR/HSS in use in operator Core Network

Virtualization of HLR/HSS
Frontend

Original Equipment Manufacturer
• Specs of the real equipment
– i386 / x64 / Sparc
– Solaris / CentOS
– 32 GB of RAM
– CPU 16 Cores
– TB hard drive + External SAN

Qemu/KVM
• Faster than VirtualBox
• More flexible
• Tweak code to add more network interfaces
• VDE Switch for networking

Qemu/KVM
qemu-system-x86_64
-machine type=pc,accel=kvm:tcg -pidfile ./myhlr.pid
-m 7.2g -smp 4 -drive file=/dev/mapper/lvm-vm--myhlr,cache=none
-vnc 127.0.0.1:2,password,tls,lossy -display curses -rtc base=localtime,driftfix=slew
-net vde,vlan=1,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=1,macaddr=52:54:00:00:10:01
-net vde,vlan=4, sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=4,macaddr=52:54:00:00:10:02
• Physical partition for disk
– Do not use disk file on host btrfs
• super slow
• ext4 is ok
– http://www.linux-kvm.org/page/Tuning_KVM
• Curses output
• Improvements: serial terminal

Qemu/KVM
• Solaris 10
– Qemu/KVM ok for x64
– Fails for SPARC
• Stock kernel
– /kernel
– /usr/kernel
• Custom kernel modules
– For Telecom Signaling [Signalware]
• Uses grub
• Failsafe mode

Inside the machine
• ZFS filesystem
• Solaris 10
• Everything is installed via packages
• Multiple Oracle databases
– Even on HLR/HSS Front-end only
• A lot of Middleware framework to start the
actual network stacks / applications
• Telco stacks: based on Ulticom Signalware
• The OS expects its precious network cards

System Analysis

The filesystem
• ZFS = Filesystem + Volume manager
• ZFS pool (often mirrored)
– ZFS root pool
• 100-200GB usually enough
• Prepare free space for system/processes dump
– ZFS Dump pool
• Should be more than size of your RAM
– ZFS SWAP pool
• Should be more that size of your RAM

The filesystem
• ZFS offers good resilience against data corruption,
and is very picky when there is too much
corruption
– You can’t recover when filesystem is too much broken
– You can try
$ zdb -e -p /dev/dsk/c0t3d0p0 -F -X -AAA -dd rpool 1
$ zpool import -f -F -X 19485729304958623456 mypool
$ zpool import -o readonly=on -o autoreplace=on -o
failmode-continue -m -N -f -F -X 19485729304958623456
mypool
• If it fails
– Code your own tool by modifying ZOL
http://zfsonlinux.org/

Filesystem /advdata/
autoinstmnt/
bin@
boot/
cust_data/
dump@
environment.txt*
etc/
export/
false/
global@
home/
installmnt/
kernel/
lib/
mnt/
net/
nsr/
opt/
patchmnt/
platform/
root/
rpool/
rtp_environ.txt
sbin/
tftpboot/
ti_var/
tmp/
TspAcc@
TspAccBackup@
TspCore@
tspinst/
TspTickets@
updateSW/
usr/
var/
vol/
Grub/platform + failsafe
Applications data
Kernel
Telco specific apps
Home + Applications data + Telco specific apps
Crashdumps from Telco specific apps

Some packages installed
application SMAWrtp
Telecommunication Service Platform (TSP) Base Package
application OMNI
Signalware System
application S6U-4
Signalware System
application OMNI-C7X
Signalware C7 Extensions
application INTPahacu
AC Utimaco HSM

Low hanging fruits
• SUID executables
– SUID Total: 162 (155 binaries, 7 scripts)
– SUID Root: 142 (137 binaries, 5 scripts)
• Signalware
Boot process
“becoming root”
by Design

Local roots
• Of course, we often find multiple local roots
• Some are really too easy (one command):

Example of Telco network stack:
NSN TSP / RTP + Ulticom Signalware
• TSP + RTP framework are found on NSN NT-
HLR
– Found in many European and Worldwide
operators
– Very similar to Apertio OneHLR
• TSP: Telco Server Platform (Ericsson) / Telco
Service Platform (NSN, others, generic name)
• RTP: Resilient Telco Platform (NSN)

Example of Telco network stack:
NSN TSP / RTP + Ulticom Signalware
• SS7 Protocol handling
Reminder: SS7 stack

Network Fuzzing

Fuzzing SS7: M3UA
• Example: Flooding badly handled
– Leads to alerts flooding in OSS
– Leads to loss of previous alerts !
– P1VID#799

Fuzzing SS7: SCCP
• Example result: 1 specific MSU repeated 2 times
causes DoS of all Signaling Interconnections
– HLR is down during 2 minutes
– Total Denial of Service of the network
– Nobody can receive calls in the whole country
core 'core.xxx' of 15477: /export/home/xxx
01 msu_processing ()
02 msg_distribution ()
03 main ()
04 _start ()
– If the attack is repeated, the DoS is permanent during
the attack
– P1VID#773
So long for the critical infrastructure …

Fuzzing SS7: SCCP

Fuzzing SS7: MAP
• Example results: 1 specific MSU causes MAP
process crashes
– 5 MSU/second makes HLR totally unresponsive to
any other MAP Query
• Total Denial of Service of the network
• Nobody can receive calls in the whole country
– 1 MSU/second makes HLR totally drop 50% of
other MAP Queries
• Network is highly perturbed
• 50% of the called in the whole country are failing
– P1VID#772

Fuzzing Diameter
• Process Crash with 1 specific manually crafted MSU
Logs do not even report process crash.
Neither the OSS Alerts.
Application logs:
Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM:
Service could not be processed correctly,
vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type:
S6a-xxxxxxxxx
S6a-xxxxxxxxx
UTC Tue Sep 3 01:20:44 2013 Services_Esm_Log_Message: vc_Priority=LOG_ERR,
vc_MessageInformation=ESM: Service could not be processed correctly,
S6a-xxxxxxxxx
S6a-xxxxxxxxx
Behind that, process core dumps are created…
P1VID#718

Does redundancy saves you ?
• No !
• Same N front-ends == same crashes
• Messages just needs to be sent N times

Binaries reverse

Often, too much help…
• Binaries not stripped
– Debug symbols / function names / … available
• No anti-debug mechanism
• Libraries headers on production machines
– Great help in understanding the internals
• Large documentation about internals on
production machines
– Great help in understanding the internals
• Updated binaries and previous binaries both on
production machines
– Binary diff to track issues fixed

Signalware Kernel modules
• Example: Parsing of SCCP header

Signalware Kernel modules
• Kernel modules signaling parsing is robust
• IPC to communicate with userland binaries
• Complexity leads to other type of errors
– Logic errors
– Race conditions
– Slow handling of some types of MSUs

Signalware userland binaries
• Parsing less robust (less tested)
• Example logic error due to IPC / Framework
complexity:
Can be triggered from the International SS7 network
Null pointer dereference

So verdict ?

So verdict ?
• Misconceptions!
– No crashes on a Critical Core Network Element
• FAIL
– Robustness against network attacks
• FAIL
• Redundancy != Robust, attack kills Front-end one by one
– Modern
• Depends, but from what we see there is much room for
improvement

• Reality on Threats analysis: Maybe
• Reality of Telco equipment security: Very bad
• Public information: Very bad
• Telco private sector information: Didn’t see impact

Consequences
• Mobile Network crashes for unknown publicly
available reason
• Spying on phone calls / customer activities from a
single point (Core Network) is relatively easy
• Fraud

Recommendations
• Secure SDLC (Secure Software Development Life Cycle)
– Design
– Implementation
– Testing
• Especially for vendors custom stacks/services
TCAP/MAP parsing bugs leading to overflows, …
• Vendors security audits (HLR isolated)
– System audit
– Network audit
• Testbed audits (HLR in environment)
– System audit
– Network audit
– Before deploying to production

Recommendations: securing the OS
• Use Solaris Zones to split services: P1VID#764
• Use Solaris Audit mechanism: P1VID#765
• Authenticate the hardware
– To prevent emulation
• Use the latest OS protections against exploitation
– Solaris 11 has ASLR
– Use custom Linux kernel
• Use a firewall by default on the machine itself
• …

Recommendations: OSS
• Make it faster !
– People should be able to use it to react when
under attack
– E.g. NSN @vantage commander
• Need access to all low-level network traffic for
forensics

Recommendations: For the operators
• Push the vendors to fix the bugs
• Some of the attacks we discovered can be filtered
– Operators do not have to wait for bugs to be fixed
– Filter at perimeter boundaries
(typically STP / Router)
– Depends on STP / Router models and security
“features”
• Sometime filtering options are charged by vendor
• It is possible to filter also at the SCCP provider
level

To be continued
• Telecom Network Elements security is low
– We tested multiple Network Element
types/models, from different vendors
• Vendors, Governments and security
researchers have work to do
• Vulnerability disclosure in security critical
infrastructure is scarce
– Dangerous ?
– Not if there is collaboration

Other aspects of Telecom Security
• We talked here about equipment security
– It’s a work in progress, and only HLR/HSS
– Mainly Network Equipment Vendor responsibility
• Also consider
– Other Network Elements security
– GRX / IPX / SCCP Providers security
– Deployment security (passwords policies,
filtering…), Operator responsability
– Telecom Network Fraud (SS7 spoofing, Call/SMS
Spoofing, …), Operator responsability

References
Governance literature on critical infrastructure:
• European level
– 2007:
http://www.nato-pa.int/default.asp?COM=1165&LNG=0
– 2012
http://www.nato.int/cps/en/natolive/news_88054.htm?selectedLocale=en
– 2013
http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/crisis-and-
terrorism/critical-infrastructure/index_en.htm
http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/crisis-and-
terrorism/critical-infrastructure/docs/swd_2013_318_on_epcip_en.pdf
• France
– 2012
http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000026638421
&dateTexte=&categorieLien=id
– 2013
http://www.gouvernement.fr/gouvernement/livre-blanc-2013-de-la-defense-et-
de-la-securite-nationale

That’s it, please react.
Thank you
laurent@p1sec.com
http://www.p1sec.com

Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis (20)

Recently uploaded (20)

Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis