Troopers TelcoSecDay – Next Talks (II)


in addition to those recently announced and these, we’ve identified three more suitable talks for the TelcoSecDay ;-).

These are:

Hendrik Schmidt: Security Aspects of VoLTE

Synopsis: VoLTE is on its rise in mobile telecommunications. The service is provided by the IP Multimedia Subsystem (IMS) which consists of a couple of components. All those components offer new and, from an attacker’s perspective, interesting interfaces. This talk evaluates the most interesting interfaces and demonstrates attack vectors an attacker could abuse. This covers attacks from customer access, Internet VoIP services and roaming exchange.

Bio: Hendrik Schmidt is a security researcher with particular interest in telecommunication networks. Over the years he focused on evaluating and reviewing all kinds of network protocols and applications. He loves to play with packets and to “use them for his own purposes”. He has been involved in writing fuzzers and spoofing tools for testing protocol implementations and security architectures. Hendrik works as a pentester and consultant at ERNW and will happily share his knowledge with the audience.

“Watching the Watchers”

Synopsis: The Snowden revelations about the five-eyes interception capabilities confirmed what many have suspected for years. The NSA and their goons are compromising telco networks of Western countries. The recent Belgacom debacle is just an example of the overreach of this cabal of intelligence services. This presentation will disclose a live session that was discovered during a security audit mission on a GSM network. It presents the methodologies used by the adversary, some of its tools, the protocols used with their C&C, and other interesting tidbits gathered from forensic analysis.

Bio: The speaker is passionate both about information security and mobile telecommunications.


Shahar Tal: I hunt TR-069 admins – CWMP Insecurity

Synopsis: We shine a bright light on TR-069/CWMP, the previously under-researched, de-facto CPE device management protocol, and specifically target ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical amounts of users. These servers are, by design, in complete control of entire fleets of consumer premises devices, intended for use by ISPs and Telco providers. or nation-state adversaries, of course. We investigate several TR-069 ACS platforms, and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices. We conclude with Misfortune Cookie – a TR-069 client-side vulnerability that still compromises millions of devices across the globe.

Bio: Shahar Tal leads a team of vulnerability researchers at Check Point Software Technologies. Prior to joining Check Point, Shahar held leadership roles in the Israel Defense Force (IDF), where he was trained and served as an officer in elite technology R&D units. Shahar (that’s Major Tal, for you) brings over ten years of experience in his game. Shahar is a proud father, husband and a security geek who still can’t believe he’s getting paid to travel to awesome infosec cons. When you meet him, ask him to show you his hexdump tattoo.



We look forward to an interesting research workshop,


Leave a Reply

Your email address will not be published. Required fields are marked *