Mobile and Telecom Applied Hacking and Reverse Engineering

Learn about contemporary telecom and mobile system reverse engineering within the context of Telecom and Mobile Network operators and how to attack core telecom infrastructure (Core Network, Services, Mobile Apps, Handset platforms, IoT platforms).

We will see from the mobile handset (Android, apps, platform) to the operator Core Network how these technologies meshed together and how to make sense of their protocols and applications.

CLASS OUTLINE

Part 1: Operator Infrastructure attack surface, Vulnerabilities, Core Network protocols & network element binary reversing

• We will dig into Core Network protocols, reverse engineer some specified and some proprietary telecom Core Network protocols.
• Access network protocols analysis. We will look into the network protocols that are used by the mobile handsets toward the mobile network.
• The training will show the various attack surfaces for these networks and show the impact of vulnerabilities for each network element.
• Huawei MGW8900 Core Network Element (legacy, monolithic, VxWorks + FPGA) description, analysis and reverse engineering.
• Legacy Core Network element analysis Nokia DX200 Core Network Element (legacy, monolithic) description and analysis.
• Huawei HSS / MSC Core Network Element (ATCA, recent, Linux + FPGA) description, analysis and reverse engineering.
• ZTE Core Network Element (ATCA, recent, Linux) description, analysis and reverse engineering.

Part 2: IoT (in)security, Handsets & subscriber applications reverse engineering and bug hunting

• IoT security & M2M connection reverse engineering
• Mobile phone usage of the network and applications (CS, USSD, SMS, Packet Switched/Data, VAS). We will look into the protocols used by the mobile, analyzing them and detailing where security problems can appear.
• Proprietary apps and their interface to the telecom systems. We will see by reversing some proprietary apps how these apps use non-standard interfaces within the mobile network. We will use frameworks for static analysis (dead code, binary form) and dynamic analysis (live running apps, within existing phone/handset).
• Samsung Android platform (Android + Proprietary extensions). We will look into Samsung Android platform specifics and security,
• Corporate data/Packet Switched mobile broadband connection analysis. We will analyze and reverse common access setups and protocols to look for the vulnerabilities within these networks. We will look into multiple solution for corporate access to the network. If time permits, we will look in existing 3G/4G access kits and their vulnerabilities.
• Mobility applications insecurity (automotive vulnerabilities, geographical information system vulnerabilities, car hacking through mobile connection, …)
• Commercial VoIP / SIP implementation reverse engineering and vulnerability analysis.
• Femtocell security vulnerabilities and reverse engineering.

Attendees Will Receive

• Training material: Protected copy of the slides used by the presenter.

CLASS REQUIREMENTS

Prerequisites

• Basic knowledge of telecom & network principles: what is 2G, 3G, 4G; OSI network layers.
• Good knowledge and usage of Wireshark.
• Basic skills and usage of Linux for reverse engineering (knowledge of tools in a Backtrack/Kali for reverse engineering is a plus).
• Know how to to tethering for your laptop through your mobile phone

Hardware

• Laptop with Linux installed either in a VM or native, Backtrack/Kali recommended.
• Mobile phone (Android recommended) and working SIM card with sufficient credit for voice, SMS and data (roaming working and tested is a plus).
• Additional SIM cards optional, but recommended.

Minimum Software to Install

• Pptional: Disassembler such as Hopper/Radare2/IDA Pro

BIO

Philippe Langlois is an entrepreneur and leading security researcher, expert in the domain of telecom and network security. He has founded internationally recognized security companies (Qualys, WaveSecurity, INTRINsec, P1 Security) as well as led technical, development and research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company Intrinsec in 1995 in France. His first business, Worldnet, France’s first public Internet service provider, was founded in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB, Hack.lu). Previously a professor at Ecole de Guerre Economique and various universities in France (Amiens, Marne La Vallée) and internationally (FUSR-U, EERCI, ANRSI). He is a FUSR-U collaborator and founding member. Philippe advises industry associations (GSM Association Security Group, several national organizations) and governmental officials and contributes to Critical Infrastructure advisory committees and conferences in Telecom and Network security. Now, Philippe is providing with P1 Security the first Core Network Telecom Signaling security scanner & auditor which help telecom companies, operators and government analyze where and how their critical telecom network infrastructure can be attacked. He can be reached through his website at: p1security.

Philippe has previously presented at the following security/hacking conferences: Hack.lu, Hack in the Box (HITB, Amsterdam, Dubai, Kuala Lumpur), Blackhat, Hackito Ergo Sum (paris,france), SOURCE, Chaos Communication Congress (Berlin, Germany), ekoparty (bueos aires, argentina), H2HC (sao paulo, brazil), SYSCAN (Hong Kong; Thailand), Bellua (Jakarta, Indonesia), INT (Mauritius), Interop (France), Rubicon (USA)… (You can find some of the events listed here).