TelcoSecDay – First Round of Talks

Dear all,
This year the TelcoSecDay will take place on March 15th. For those of you who do not know about it: the TelcoSecDay is a sub-event of Troopers bringing together researchers, vendors and practitioners from the telecommunication / mobile security field.

The event is celebrating its 5th anniversary now, that’s why I’d like to say “thank you” to everybody taking part in this great discussion round over the last few years. We always had a lot of very good feedback and interesting discussions, and the growing list of participating operators from year to year says (almost) everything!

Anyhow, now let’s dive into this year’s agenda and take a look at the first talks (more will follow):

Alexandre de Oliveira – Assaulting IPX Diameter roaming network
The Diameter protocol has been introduced to replace SS7/SIGTRAN in many aspects in LTE and VoLTE networks and, like these 2G/3G networks, Diameter also has its own dedicated global roaming network named IPX (IP eXchange), which allows international roaming for LTE users.
Back in the day Diameter was already used by the PCRF in 2G/3G networks for charging purposes, but its usage has been extended to completely replace the signalling role of SS7/SIGTRAN in LTE networks.
SS7/SIGTRAN security flaws are now public after several publications, but what about Diameter security? By replacing old and insecure protocols, does Diameter come with built-in security?
During the presentation, we will study how the IPX infrastructure operates and how security is taken into account nowadays regarding the newest 4G telecom technologies. Taking a different point of view allowed us to find major Diameter vulnerabilities via the IPX, which affect almost all the network elements (HSS, MME, GMLC, PCRF, PDN GW), including the DNS serving telecom TLDs. Understanding the mistakes that left a former generation of telecom networks with insecure protocols may help us push security by design in the future.
As a telecom provider, we will also provide recommendations to secure LTE infrastructures and share technical countermeasures we have implemented against different Diameter attacks and fraud scenarios to protect our network and customers. Along with the recommendations, we will present some ways to self-audit and self-monitor your network, as we consider that telecom providers need to take back control of their networks!

David Batanero – New Age Phreacking: Magic tricks for wholesale fraud.
Every day we make millions of calls routed through a number of wholesale providers, which can be taken advantage of. We will discuss how the wholesale world operates, analyzing diverse types of fraud which can be performed through intermediate carriers to obtain a monetary benefit, some of them legally.

Andreas Petker + Joao Collier de Mendonca – “rucki zucki” scanning tool
The assessment of new vulnerabilities and weaknesses is a constant issue for Cyber Emergency Response Teams (CERTs). In order to be able to quickly assess how many devices are affected by an arising issue, DT CERT has developed a simple yet generic tool for scanning a large number of IP addresses. Heartbleed, Shellshock, open $SERVICE resolvers, House-of-Keys and the Juniper telnet/ssh backdoor (CVE-2015-7755) are examples of recent problems which demanded the capability of scanning a large number of IP addresses for those weaknesses, so that the situation can be assessed quickly and handled accordingly. The developed tool has basically two main components, one responsible for the management of parallel tasks, the other being the weakness-specific part. With this tool, DT CERT was able to scan its main AS (AS3320) for $PROBLEM within $TIME.
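The two-component split described in the abstract (a generic parallel task manager plus a pluggable, weakness-specific check) is sketched below as an added illustration; it is not the DT CERT tool and nothing here is taken from it. The network probe is replaced by a constructed in-memory banner fixture so the script runs offline, and the check itself is hypothetical: it simply flags hosts that still report a constructed "version of interest". The design point a CERT cares about is that a probe error or a silent host is recorded as a result rather than dropped, so the final counts always add up to the number of addresses handed in.

```python
"""Skeleton of a mass-assessment scanner in two parts: a generic parallel
task manager and a pluggable, weakness-specific check.  Added example, not
DT CERT's tool.  The probe below is a constructed offline fixture."""
from concurrent.futures import ThreadPoolExecutor, as_completed
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

# Constructed fixture: what a banner grab against each host would return.
FAKE_BANNERS: Dict[str, str] = {
    "192.0.2.10": "ExampleSvc/1.0",
    "192.0.2.11": "ExampleSvc/2.3",
    "192.0.2.12": "ExampleSvc/1.0",
}


def fake_probe(target: str) -> str:
    """Stand-in for the per-host network probe (constructed, offline).
    An unknown host answers with an empty banner; one address models a
    probe error so the manager's error handling is exercised."""
    if target == "192.0.2.99":
        raise TimeoutError("no answer")
    return FAKE_BANNERS.get(target, "")


@dataclass(frozen=True)
class Finding:
    target: str
    status: str  # "affected", "clean", "no_data" or "error"
    detail: str = ""


# --- component 1: the weakness-specific part ------------------------------
def version_of_interest_check(target: str, probe: Callable[[str], str]) -> Finding:
    """Hypothetical check: flag hosts whose banner reports the constructed
    version 'ExampleSvc/1.0'.  Only this function knows what 'affected'
    means; the task manager never inspects banners."""
    banner = probe(target)
    if not banner:
        return Finding(target, "no_data")
    if "ExampleSvc/1.0" in banner:
        return Finding(target, "affected", banner)
    return Finding(target, "clean", banner)


# --- component 2: the generic parallel task manager -----------------------
def run_scan(targets: Iterable[str],
             check: Callable[[str, Callable[[str], str]], Finding],
             probe: Callable[[str], str] = fake_probe,
             workers: int = 8) -> Dict[str, Finding]:
    """Run `check` over every target concurrently.  A failing probe becomes
    an 'error' finding instead of an exception, so no address is lost."""
    results: Dict[str, Finding] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(check, t, probe): t for t in targets}
        for fut in as_completed(futures):
            t = futures[fut]
            try:
                results[t] = fut.result()
            except Exception as exc:  # a probe failure is data, not a crash
                results[t] = Finding(t, "error", repr(exc))
    return results


def summarize(results: Dict[str, Finding]) -> Dict[str, int]:
    """Count findings per status; the totals equal the number of targets."""
    counts: Dict[str, int] = {}
    for f in results.values():
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    targets = list(FAKE_BANNERS) + ["192.0.2.50", "192.0.2.99"]
    res = run_scan(targets, version_of_interest_check)
    for f in sorted(res.values(), key=lambda f: f.target):
        print(f"{f.target:<12} {f.status:<8} {f.detail}")
    print(summarize(res))
```

Swapping in a real probe means replacing `fake_probe` with a function that performs the network request under a timeout; the manager and the summary stay unchanged, which is the point of separating the two components.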

Siddharth Rao – The known unknowns of SS7 and beyond
2014 turned out to be “the year of SS7 vulnerabilities” as telco researchers showcased several successful attacks using the Signaling System No 7 (SS7) interconnection network, such as subscriber profile modification, eavesdropping, tracking of users, SMS spoofing and call/SMS redirect. These attacks are serious because SS7 and its IP version SIGTRAN, despite their age, remain a key signaling protocol in mobile networks and will long be required for interoperability and backward compatibility in international roaming. Understandably, the telecommunications industry is taking countermeasures against the vulnerabilities that were exposed through the aforementioned attacks. Are all risks now mitigated? Definitely not!
The complexity of network layers and the diversity of underlying protocols in SS7 make it more difficult to find all loopholes in the systems. There exist a lot of ‘known functionalities’ which are indeed ‘unknown vulnerabilities’. In this talk, we first begin with one such vulnerability in detail, where we discuss how to exploit the relationship between IMEI and IMSI to unblock stolen mobile devices. Here, we also discuss the existing attacks on modification of subscriber profiles using SS7 to recap the contents of the subscriber profile. Secondly, we will outline extending the previously known SS7-based attacks to Diameter/LTE. Furthermore, we will also present an intuitive attack vector to emphasize the fact that telecommunication systems are being misused for surveillance.

Because the TelcoSecDay is invitation only and limited to people working or performing research in the telecommunication area, it is not possible to register for the workshop from the Troopers web page. If you are interested in joining and you’re willing to actively contribute to the discussion, please contact me via mail (

Have a great weekend and see you in Heidelberg!