Rob Kuiters: On her majesty’s secret service – GRX and a Spy Agency
Synopsis: In 2013 the GPRS Roaming eXchange (GRX) was in mainstream media as part of the high-profile Edward Snowden revelations. The leaked documents indicated that the UK government’s intelligence organisation, Government Communications Headquarters (GCHQ), hacked the Belgian GRX provider, Belgacom International Carrier Services (BICS). They did this by targeting the GRX provider’s employees with the ultimate aim of gaining access to Belgacom’s core GRX routers. Allegedly, GCHQ hacked the GRX routers in order to carry out man-in-the-middle “traffic sniffing” attacks against mobile users who are roaming with smartphones or other devices capable of handling data.
This presentation explores the architecture of GRX networks and the protocols they use, and gives an understanding of the functionality they provide to roaming mobile users on 2G, 3G and, in the future, 4G networks. The talk will explain why GRX routers are interesting, particularly to spy agencies and other actors, and what an attacker who has access to a GRX network can do and gain access to.
GRX networks are typically isolated networks that are not reachable from the Internet. There are only about 25 of them in existence and the general perception is that they are restricted-access networks, which only established telecommunication operators can join. This raises several questions: what does a typical GRX network look like? What sort of devices are connected to it, and how securely are they generally configured? These questions will be answered using the results of extended network scanning activities carried out over a period of several months. The presentation will show details of the GRX network discovery, service enumeration and vulnerability assessment. From the type and number of devices found to the details of security misconfigurations, you will get a glimpse of the attack vectors and attack surface that are available to an attacker who has access to a GRX network.
How easy would it actually be to gain unauthorised access and carry out “traffic sniffing” attacks? What tools, techniques and network protocols are involved when performing these types of attacks? These questions will be addressed during the talk. Lastly, views are shared on best practices and on the risk mitigation steps network operators can take to secure and protect their GRX network devices from attackers (state-backed or otherwise).
Bio: Rob Kuiters works as an incident response handler in the CISO team at KPN, the largest telecoms provider in the Netherlands. He has been involved in mobile networks from the very early start of GSM in the Netherlands. In 2007 he joined KPN-CERT as a technical mobile security specialist. The main focus of Rob’s work is currently still mobile networking. His research on the new 4G mobile network contributed to the talk “4G LTE security – what a hacker knows and doesn’t want you to know?” at the OHM 2013 Security Conference, of which he was a co-author and presenter. The main areas of his current research are GRX/IPX (GPRS Roaming eXchange / IP eXchange) and signalling network security.
Everybody have a great weekend,