DeepSec 2018 Talk: Attacks on Mobile Operators – Aleksandr Kolchanov
I’d like to talk about telecom security. My research contains information about security of mobile operators: classic and new (or very rare) attack vectors and vulnerabilities. This presentation will consist of three main parts:
First, I will share information on the security of mobile operators in general. I’ll tell you a little bit about why it is important (usually, phone numbers are used as a key to social networks, messengers, bank accounts, etc). So, if an attacker can hack a mobile operator, he can gain access to a big amount of user data and money. Also, in this part, I will tell you about typical SS7 attacks (how to intercept SMS or send fake ones).
During the second part, I will tell you about different vulnerabilities and security issues. All of the problems I will refer to were found in systems of mobile operators from Russia and the Ukraine. I will speak about the classical vulnerabilities I found (XXS, CSRF and HTTPS issues) that allow attackers to gain access to subscribe accounts through a mobile operators site or an application.
Also, I will talk about authorisation issues (SMS codes, bruteforce, etc). Then I will tell you about new attack vectors (or very rare ones): attacks via IVR (at call centers), problems in operator services, that allow to send SMS from user numbers, and problems in operator applications (which allow attackers to intercept calls and SMS). I also will speak about attacks on SIM-card change systems (how I can gain access to information that I can use to change SIM-cards and gain access to calls and SMS). Of course, I will show demos and PoC (images, video or real-time demonstration) of some attacks.
In the final part of the talk I will talk about post-exploitation. The main idea of this part is to show how I can use the vulnerabilities, addressed in the second part of my talk, to gain access to private data (including SMS-content), intercept calls and SMS, send fake SMS, gain access to email, messenger, and social networks accounts (using restore via SMS), to steal money from bank accounts (using account restore or SMS banking) and for some other ideas.
We asked Aleksandr a few more questions about his talk.
Please tell us the top 5 facts about your talk.
I think, that these facts are most interesting:
- Mobile operators are interesting targets for hackers. If somebody hacks them, he will be able to easily hack many other services.
- I will tell you about simple attacks. Any hacker can use these attacks without special equipment and knowledge.
- I researched mobile operators from Russia and Ukraine and discovered that they are not protected against simple attacks.
- In some cases, a simple call will be enough for an attacker to hack victims accounts. Do you want to know more? Just come and listen.
- Some simple attacks are effective against IoT devices and devices for children.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Usually you read about cutting edge researches and attacks (like attacks on modern networks, 5G and LTE), but it is necessary to realize that for most people these researches are not very relevant (these attacks require special equipment and knowledge). Of course, these studies are extremely important, and the attacks they’re examine are dangerous. But I became interested in attacks that do not require special devices or special knowledge. And I realized that these attacks are also dangerous, and, what’s more, almost anyone can carry them out.
Why do you think this is an important topic?
Nowadays mobile operators are not protected enough, so even simple attacks are very effective. I want to draw the attention of the community and mobile operators to this problem to improve the situation.
Is there something you want everybody to know – some good advice for our readers maybe?
If you are interested in the security of the mobile operator that you use, I would advise you to look for information about the available services. Mostly I will talk about the security of IVR systems, personal accounts, SMS and call forwarding.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I think, that in the future hackers will still attack mobile operators and customers. Different services, like email, messengers and social networks become more and more secure, but mobile operators are not so protected. Usually it is more easy to hack an operator and use intercepted code to restore an e-mail account than to directly hack the e-mail account.
Aleksandr Kolchanov is an independent security researcher and consultant. Ex penetration tester of a bank in Russia. He takes part in different bug bounty programs – PayPal, Facebook, Yahoo, Coinbase, Protonmail, Telegram, etc., and holds the first place the Privatbank bug bounty program (one of biggest banks in the Ukraine). Aleksandr also won the “Hack Internet-Bank” competition of PromSvazBank, Russia.
He’s interested in uncommon security issues, telecom problems, airline security and social engineering.