P1 Labs » Conferences

[31C3] SS7map : mapping vulnerability of the international mobile roaming infrastructure at #31C3

Alexandre De Oliveira — Fri, 05 Dec 2014 13:38:41 +0000

Laurent Ghigonis and Alexandre De Oliveira from P1 Security team will be presenting the work done on the global SS7 network at Chaos Computer Conference in Hambourg the 27th Dec 2014.

The conference “SS7map : mapping vulnerability of the international mobile roaming infrastructure” will focus on the method used to map the global SS7 network, what have been map the network and more in depth statistics and analysis.

Details of the conference schedule:
Start time: 2014-12-27 23:00:00 +0100
Room: Saal 6

CCC is one of the main security event in Europe, it will take place from 27th Dec to 30th Dec 2014.

See you at #31C3 !

[Hackito Ergo Sum 2014] Hacking Telco Equipment: The HLR/HSS

Laurent Ghigonis — Wed, 07 May 2014 18:11:57 +0000

P1 Security presented at the Hackito Ergo Sum 2014 conference in Paris (http://2014.hackitoergosum.org/) the weaknesses of Telecom Infrastructure systems, and particularly HLR/HSS equipment.

Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis from P1Security

Download slides here.

Abstract:

HLR and HSS are the most important Telecom Equipment in an Operator Core Network.
We are going to see that this so-called “Critical Infrastructure” is not as robust as you could think, by exploring the some weaknesses of the HLR/HSS equipment.

Plan:
* Virtualization of HLR/HSS, for instrumentation purposes
* HLR/HSS system analysis
* SS7/Diameter network fuzzing
* HLR/HSS binaries reverse

We also did another presentation on Worldwide attacks on SS7/SIGTRAN network at HES.

[Hackito Ergo Sum 2014] Worldwide attacks on SS7/SIGTRAN network

Pierre-Olivier Vauboin — Fri, 02 May 2014 13:59:34 +0000

We are pleased to announce that P1 Security was present at the Hackito Ergo Sum 2014 conference in Paris (http://2014.hackitoergosum.org/).

Worldwide attacks on SS7/SIGTRAN network from P1Security

Download slides here.

Abstract:

Mobile telecommunication networks are complex and provide a wide range of services, making them a tempting target for fraudsters and for intelligence agencies. Moreover, the architecture, equipment and protocols used on these networks were never designed with security in mind, availability being the first concern. Today, even though some telecom operators are investing money into securing their network, events confirm that for most of them maturity in term of security is yet to come, as recently shown with the example of massive traffic interception on compromised SCCP and GRX providers like Belgacom’s BICS. Here we present the most typical and legitimate telecom callflows from making a mobile phone call to sending a SMS. Then we describe the protocol layers involved and how to abuse them, which fields can be manipulated in order to attack both the operator infrastructure and its subscribers. Finally, we show a real life example of scan performed from an international SS7 interconnection and practical attacks on subscribers such as spam, spoofed SMS and user location tracking.