I hope you are doing great and safe. First of all, before starting my presentation, I would like to thank the organizers, sponsors, Omar Santos and Yet Another Security Community (YAS) for their support. It is my honor to speak at the DEF CON Red Team Village and I'm really excited about this. So this talk, I think, is really interesting because we are going to take a look at the mobile networks used by mobile operators and many other entities all around the world. This area of testing contains a lot of valuable information like user location, unique user information and phone-number-related data. The important thing in this talk is that we are going to review all possible bypassing methods, because I think you may have heard a lot about telecom and SS7 vulnerabilities and hacking. So the purpose of this talk is to address all those bypassing techniques from a red teamer's perspective. If you're ready, let's get started. So first I want to introduce myself. I'm Ali Abdollahi, a cybersecurity enthusiast with over eight years of experience in a variety of fields, trying to make the world a safer place. I'm an instructor at Hakin9 and an active researcher and bug hunter. I'm a regular speaker and trainer at well-known global cybersecurity and hacking conferences like c0c0n, TyphoonCon, Texas Cyber Summit, OWASP AppSec Days and CONFidence, and this year I'm proud to announce that I was accepted at the Red Team Village as a speaker, and as a speaker and trainer at the Aerospace and AppSec Villages. As you can see, there are many security incidents and news about vulnerabilities and hacking of mobile infrastructure, including protocols, communications and interconnections. In the top left corner, there is news about attacking financial organizations and ATM infection by exploiting the SS7 protocol. In this case, hackers tried to intercept payment authorization SMS messages to exploit them.
So because one of the most usable attacks is SMS interception and spoofing, in the lower left corner you can see news about using telecom protocols to target UK Metro Bank in 2019. In this scenario, hackers tracked and intercepted text messages to gain unauthorized access to banking accounts. In the top right corner, you can find another news item about fixing SS7 and telecom vulnerabilities in the US, which would be very helpful to secure communications and subscribers' private info. The last one is news about sending tweets via SMS, which was paused by Twitter to avoid unwanted and harmful tweets and to combat malicious actors. So now the question is what types of attacks and well-known threats exist against mobile networks and subscribers, and why they are important to red teamers. The first possible category is subscriber data leakage. Actually, subscriber data leakage is a vital part for red teamers to set up their next steps and scenarios. In this part of the scenario, they will retrieve the subscriber's IMSI number and other stuff. The next one is network data leakage, which is very important for a red teamer to understand what's happening inside the mobile core network and what kind of devices are in place there. Finding a mobile subscriber's location is one of the most critical issues. Based on this attack, a criminal can retrieve the subscriber's CGI, or Cell Global Identifier, and convert it to MCC (mobile country code), MNC (mobile network code), LAC (location area code) and cell ID (CID) to find the actual sector the subscriber is connected to. Sniffing is the next scenario, which points to voice and SMS interception. Spoofing is another case which is very interesting, because if you want to take advantage of it as a red teamer, you may perform a call with a fake caller ID or send an SMS with a fake number. The last attack category is fraud. Red teamers can perform malicious USSD requests, call redirection, SIM or profile swapping, etc. to carry out fraud attacks.
Now we are starting our bypassing journey, one by one. First of all we are going to talk about the radio segment, which is the most accessible part of a mobile network. As you can see here, we have a big picture of the radio access network, or RAN, in different technologies: BTS in 2G or GSM, NodeB in 3G or UMTS, and eNodeB in 4G or LTE networks. So there is a connection between the cell towers and the core networks, and based on your traffic type, meaning voice or data, the traffic passes through to the CS core (circuit-switched network) or the packet-switched network. In this picture we have the 5G architecture. Most of the elements are different, but from a red teamer's point of view, the security flaws and opportunities of traditional technologies are still available here. Please note that 5G has its own vulnerabilities, and because of the IP backbone and software usage in this generation, many other doors open to hackers. Now we are going to review all possible vectors for a red teamer when facing a mobile network. First is the mobile RAN, the radio access network. The red teamer needs to be in the radio field and needs to have some sort of tools, hardware and software. Second is the signaling network, or CS. To do this the red teamer needs to have access to the signaling network. A red teamer can buy the access even from the dark web, or officially from telco providers all around the world, or get it based on a contract from the network owner. The data network is easier because most attacks can be performed from the internet, and some of them from a signaling point. Okay, now we are going to review the security mechanisms in the radio access network, or radio security. The first one is mobile device registration using IMEI. Second is enabling ciphering algorithms to fight against interception and man-in-the-middle. Third is using only LTE, LTE Advanced or other advanced mobile technologies instead of the traditional mobile core networks in 2G and UMTS.
So as you can see here, this is the big picture of a radio access network, and you can see it is in LTE, the fourth generation. The radio access network in this technology is called E-UTRAN, or Evolved UTRAN, and the eNodeBs are here; they are connected to each other using X2 interfaces and connected to the core network using S1 interfaces. Okay, why use IMEI policies? Actually, fighting against phone smuggling, lawful and security monitoring, and tracking stolen devices and criminals are the main usages of mobile device registration or IMEI-based policies. Now, with the help of Motorola C115 and C118 phones and the OsmocomBB software, we can set an invalid, fake or even duplicate IMEI and set up a call to test the network's reaction. So this is the first bypass in the radio access network. According to this screenshot, the network sent an identity request to my phone and the type of identity was IMEI. So I replied to it using an invalid IMEI set to all zeros. The network accepted my invalid IMEI because the ciphering procedure was completed. So there are some types of ciphering keys like Kc, SRES and the random number (RAND) in the radio access network which harden the radio network to avoid active sniffing, and they are always stored in the HLR or HSS in the core network. The HLR or HSS, as the subscriber database, has a component called the AuC, or authentication center, which is responsible for ciphering and authentication procedures. To bypass and get this information we are going to target the AuC in the HLR or HSS by abusing SS7 and signaling access as a relevant partner. As you can see, I sent a malicious SS7 MAP SAI (sendAuthenticationInfo) to the targeted core network from the SS7 network to retrieve ciphering information, and the network responded to me with the RAND, SRES and Kc values in clear text. Another security mechanism is using advanced technologies to bring the highest quality and performance, having more security and privacy in the core and radio segments, and other factors like Voice over LTE (VoLTE), flexibility, etc.
Okay, so let's review the first round of bypassing methods. In total there is one general way, and it is downgrading subscribers to traditional technologies like 3G and 2G, which are vulnerable. To perform downgrading we need to use a signal jammer. Security in the circuit-switched network. There are two main security solutions in this segment of the network: the first is using SMS home routing and the second one is a signaling firewall. Home routing acts as a proxy, and the purpose of home routing is to hide the subscriber's IMSI number, which is very valuable information for performing other hacking scenarios from a red teamer's perspective. As you can see, a red teamer requests to receive the IMSI number from the HLR/HSS and the HSS responds with the real value; however, the home router changes the value to a fake one. So the main issue is how we can detect if home routing is enabled or not. We just need to send two or more malicious SS7 messages like send routing info for SM, or SRI-for-SM. If we receive different responses, it means that SMS home routing is in place. As you can see here, the red teamer, or our tester, sends two different messages, or the same message two times, and the responses are different, and the main element here is the SMS router, because in both cases the HLR/HSS responds with the real number; however, the SMS router changes the actual values. In telecommunications we have three types of GTs, or global titles, which act like IP addresses. MSISDN consists of MCC (mobile country code), NDC and SN. IMSI consists of MCC, MNC (mobile network code) and MSIN. MGT consists of MCC, NDC and MSIN. As you can see, a red teamer can use an MGT number and a valid random IMSI number to request other information regarding the targeted mobile number and its real IMSI. Signaling firewall. Mobile operators use a signaling firewall to protect their signaling infrastructure: signaling packet inspection, filtering, whitelisting and blacklisting. Bypassing the signaling firewall. So to bypass these kinds of firewalls we just need to play with TCAP.
What is TCAP? TCAP is an SS7 sub-protocol and it's like TCP. TCAP enables the deployment of advanced intelligent network services by supporting non-circuit-related information exchange between signaling points using the SCCP connectionless service. TCAP provides the framework to retrieve information or invoke remote operations; that offers the means for end users in the SS7 network to query another end office, and it acts as the software interface between an SS7 point and database services in order to obtain data from the SS7 network. To perform bypassing we need to remove the application context name from TCAP, or send a double-operation message. The application context name, or ACN, is used for all supported ITU TCAP messages except the abort message. No attempt to retrieve the ACN is made for abort messages. All other supported messages may have a dialogue portion containing a dialogue request, unidirectional dialogue or dialogue response PDU from which the ACN is retrieved. If no dialogue portion is detected, then the ACN is assumed to be none. The TCAP opcode-based routing feature attempts to find the opcode in all supported TCAP messages except abort. These messages must contain invoke or return result (last or not last) as the first component. If not, the opcode is assumed to be none. So, removing the application context name from the TCAP message: to start the procedure we need to remove the dialogue request section from our malicious SS7 message. Then there will not be an application context name pointing to the malicious SS7 MAP (mobile application part) message. So this is the second bypassing method: sending a double-operation message. Actually, most signaling firewalls block or accept a message based on message type. Each signaling message has its own opcode, and it's a vital number.
According to the picture, the red teamer tries to put a legitimate SS7 MAP message opcode in the first step, so it seems a legitimate one, and then puts a malicious SS7 MAP message. So the signaling firewall checks just the first operation code, which points to a legitimate operation. After that, the component inside the core network replies to the signaling firewall, or actually the red teamer in this scenario, trying to keep the session, which is legitimate and valid, and asks to send the message again. So the red teamer says thanks, this is what he wants, and the whole session is still available and legitimate as well. So the HLR/HSS or signaling point inside the core network will respond with the real subscriber IMSI number and network information, and this is what the red teamer actually wants. As I mentioned, in the past several years mobile network operators and telecom providers have turned against telecom and especially SS7 attacks and enabled many security mechanisms. In this talk I tried to explain all possible bypassing techniques in all network segments of telecom infrastructures. We must consider that red teaming is very important because in these networks we are dealing with millions of users' private data. Be careful with blind hardening and buying security appliances or software, because they are not enough. We must have behavior analysis and continuous monitoring as complementary solutions. Thank you very much for your attention. I'm still available for any questions. I hope you enjoyed this talk, and please get in touch with me.
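The two TCAP bypasses described above, seen from the signaling firewall's side, as an added example that is not from the talk or any vendor product: a minimal BER walker over a TCAP Begin that flags a missing dialogue portion (no ACN) and evaluates every Invoke opcode rather than only the first. The message bytes are constructed here, the dialogue portion is an empty stand-in, and MAP local opcodes 45 (sendRoutingInfoForSM) and 56 (sendAuthenticationInfo) are the only real identifiers used.

```python
# Added example: TCAP Begin inspector for a signaling firewall (constructed data).
from typing import Iterator, Tuple

MAP_SRI_FOR_SM = 45       # sendRoutingInfoForSM, typically allowed from partners
MAP_SEND_AUTH_INFO = 56   # sendAuthenticationInfo, returns RAND/SRES/Kc

def tlv(tag: int, body: bytes) -> bytes:
    """BER TLV with short-form length (enough for these small messages)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def iter_tlv(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a run of short-form BER TLVs and yield (tag, value) pairs."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        yield tag, buf[i + 2 : i + 2 + length]
        i += 2 + length

def invoke(invoke_id: int, opcode: int) -> bytes:
    """Invoke component [1]: invokeID INTEGER, then local opCode INTEGER."""
    return tlv(0xA1, tlv(0x02, bytes([invoke_id])) + tlv(0x02, bytes([opcode])))

def begin(components: bytes, with_dialogue: bool) -> bytes:
    """TCAP Begin [APPLICATION 2]: otid, optional dialoguePortion, components."""
    otid = tlv(0x48, b"\x00\x00\x00\x01")
    # Stand-in dialogue portion: a real one is an EXTERNAL carrying the ACN OID.
    dialogue = tlv(0x6B, tlv(0x28, b"")) if with_dialogue else b""
    return tlv(0x62, otid + dialogue + tlv(0x6C, components))

def inspect(msg: bytes, blocked: set, naive: bool = False) -> dict:
    """Firewall verdict; naive=True mimics a first-opcode-only check."""
    fields = dict(iter_tlv(next(v for t, v in iter_tlv(msg) if t == 0x62)))
    opcodes = []
    for tag, comp in iter_tlv(fields.get(0x6C, b"")):
        if tag == 0xA1:  # Invoke: the second INTEGER is the local opcode
            ints = [v for t, v in iter_tlv(comp) if t == 0x02]
            opcodes.append(ints[1][0])
    checked = opcodes[:1] if naive else opcodes  # the double-operation gap
    reasons = [f"blocked opcode {op}" for op in checked if op in blocked]
    if not naive and 0x6B not in fields:  # the missing-ACN gap
        reasons.append("no dialogue portion, ACN missing")
    return {"acn": 0x6B in fields, "opcodes": opcodes,
            "verdict": "block" if reasons else "allow", "reasons": reasons}
```

Running `inspect` on the same double-operation Begin with and without `naive=True` shows the first-opcode-only check letting the second Invoke through.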