Starting from scratch – Mobile Core Network Honeypot
Duration: 50 min + 10 min Q&A
Presenters: Silke Holtmanns, Flavia Sebeni
Silke has been hanging around in mobile security for 18 years. She had fun with mobile payments, the air interface, SIM cards, phones and now with the core of the mobile networks. After designing 3GPP security for over 10 years, she decided to get into the dark area between the networks... She has a sweet spot for telco protocols, Taekwondo, cakes, portrait painting and pen testing.
Flavia has a background in software development and telco data analysis. She enjoys digging into the security aspects of (mobile) networks, travelling and good food.
Abstract: How do mobile networks actually work when you connect? What happens if somebody calls you from another network? How does security work there? What are the attacks there?
We will introduce mobile core network security and explain how attackers exploit the system. Mobile networks do not have the IT security "history", so we have to start from scratch to protect them (some do not even have IP!). Machine learning is a good tool, but one needs the "right data". We describe how we are tackling nation state attacks with machine learning on telco networks. It is a journey... and we will give an outline for 5G.
Minimize the "telco speak / abbreviations" and get across the message of how we need to build up protection for mobile networks.
Note: If the conference has another mobile core network security talk, then the intro can be shortened and we can spend more time on the details and the machine learning.
Introduction to mobile connectivity (mobile IPX explained for the rest of us...) - Silke
- What actually happens when your device connects to a cellular network
- Explanation of the background messages that are exchanged when a user roams (link to the audience)
- Explanation of the relationship between operators
Interconnection - IPX - the hidden private Internet
- What is it?
  - A network developed to enable roaming
- Where does it come from?
  - Developed over 35 years ago
  - Designed as a closed private network by 5 operators
- Evolution of mobile networks
  - Now roughly 2000 operators + many service providers
  - Mix and match of technologies and protocols
  - Opens up more and more (examples given)
- How does this relate to the audience?
  - Does this concern me if I don't travel? -> yes, you are still reachable via IPX
  - IoT connectivity (e.g. car) -> everything is connected
Attacks on IPX
- Attackers: nation states, criminals, military (known attacks)
  - NSA Auroragold, GCHQ Belgacom
  - Banking TAN attack
  - Drone program - data acquisition from cellular networks for targeted attacks
  - Crypto vault hack using one-time password hijacking
- What did they do?
  - Location tracking, DoS, exploits, password phishing, data interception, eavesdropping
- Attacks will be sorted by the technology used to perform them (i.e. 2G, 3G/4G)
- How do attackers get in? - Example screenshots will be shown, maybe I show some of it live
  - Service companies
  - Hack your way in
  - Trick a local operator
- What is the world doing?
  - Mobile industry (red pill, blue pill, both pills...)
  - How to change a dinosaur
  - Large variety between operators and countries! Not all networks are equally vulnerable
  - Regulators (Fin, US, EU, Canada, China)
- What is the next perfect storm?
  - Malware in networks
  - Kill switches in networks
- Can we not just put antivirus and a nice FW there?
  - Telco protocols are different and have their own logic (an example flow will be shown)
  - We are talking about a lot of data; we cannot do it by hand
  - No labelled data set for attacks there: who has a fully labelled data set for telco attacks?
Our honeypot (Flavia)
- IPX network technology (I'm afraid we will not be able to avoid some abbreviations in that section of the talk)
  - Which nodes connect to each other
  - How do they connect and why?
- Architecture used in our honeypot
  - Brief introduction to the set-up and software used
  - How does it look from the outside and why do we make it look like that?
  - Which ports are open and why those
  - Normal stuff (scanning, OS-specific probes, etc.)
  - The interesting attacks
- Applying machine learning
  - Some labelled attacks are now there
  - Feature extraction for real traffic (it comes over IPX and not the Internet, so some adaptation is needed)
  - Take real traffic data and cluster around the labelled attacks found
Risks for 5G IPX traffic