Breaking

Telco Research 2015

Hello and a happy new year 2015 to everybody!

As follow up of our 2014 talk “LTE vs. Darwin” I want to inform you about our telco research in 2015. We are currently dealing with the so called IP Multimedia Subsystem (IMS), which handles the call and media logic of 4G telecommunication networks. This network part provides functions like VoIP (or VoLTE) and takes care of the interconnection to other call or media related networks.

The following figure shows a rough overview of the IMS core, including several Call Session Control Function (CSCF) systems, usually logically divided into proxy (P), interrogating (I) and services (S) functions.

IMS Architecture

We currently focus on security issues triggered by a client. In former blogposts and talks of ERNW we have already discussed quite some VoIP security issues (here and here). Remembering that IMS also uses VoIP services, those weaknesses also might be present here. In theory, that means IMS might not only be vulnerable against all types of traditional attacks as source address spoofing, sniffing, Man-In-The-Middle, Denial-of-Service, Cross-Site-Scripting or file Injection, but also newer, telco-specific vulnerabilities. We’ve built a lab with some open implementations and started working on new tools :-).

As a short teaser, please take a look below. There is something going on, right?


Content-Type: message/sipfrag
Content-Length: 1050
From: <sip:hendrik@ernw.de>
To: <sip:test@ernw.de>; <asd’; INSERT into users (user,pass) VALUES (ernw, mypass)>
Call-ID: 00000102
CSeq: 53168353 INVITE
Date: Thu, 01 Jan 2015 20:05:43 GMT+1

For the moment we wish you a happy new year 2015 and stay tuned for some new and very interesting blogposts and talks in the telco security space.

Kind regards,

Hendrik