Applied hacking on legacy monolithic MSC and HLR to modular ATCA reversing and mobile platforms by Philippe Langlois

Instructors: Philippe Langlois
Dates: 25-26 June 2014
Capacity: 15 Seats

Learn about contemporary telecom and mobile system reverse engineering in the context of telecom and mobile network operators: how core telecom infrastructure operates, down to the usage of these services by operators, mobile apps and handset manufacturers' platforms.

We will see, from the mobile handset (Android, apps, platform) to the enterprise applications (iPBX) up to the Core Network, how these technologies mesh together and how to make sense of their protocols and applications.

Part 1: Handsets & subscriber applications

* Mobile phone usage of the network and applications (CS, USSD, SMS, Packet Switched/Data, VAS). We will look into the protocols used by the mobile, analyzing them and detailing where security problems can appear. We will use OsmocomBB and try to analyze the simulated networks.

* Proprietary apps and their interface to the telecom systems. We will see by reversing some proprietary apps how these apps use non-standard interfaces within the mobile network. We will use frameworks for static analysis (dead code, binary form) and dynamic analysis (live running apps, within existing phone/handset).

* Samsung Android platform (Android + proprietary extensions). We will look into Samsung Android platform specifics and security.

* Access network protocols analysis. We will look into the network protocols that are used by the mobile handsets toward the mobile network.

Part 2: PBX, Femtocell and enterprise access methods

* M2M connection reverse engineering

* Corporate data/Packet Switched mobile broadband connection analysis. We will analyze and reverse common access setups and protocols to look for the vulnerabilities within these networks. We will look into multiple solutions for corporate access to the network. If time permits, we will look into existing 3G/4G access kits and their vulnerabilities.

* Alcatel Lucent OmniPCX iPBX: We will look into the typical setup and vulnerabilities of modern PBX for enterprise access. We will look into the embedded operating system of these PBX by extracting it from the hardware.

* Commercial SIP implementation reverse engineering and vulnerability analysis.

* Hardware embedded SIP TA audit and reverse engineering.

* Femtocell security vulnerabilities and reverse engineering.

Part 3: Core Network protocols & network element

* We will dig into Core Network protocols, reverse engineer some specified and some proprietary telecom Core Network protocols.

* The training will show the various attack surfaces for these networks and show the impact of vulnerabilities for each network element.

* Legacy Core Network element analysis: Nokia DX200 Core Network Element (legacy, monolithic) description and analysis

* Huawei MGW8900 Core Network Element (legacy, monolithic, VxWorks + FPGA) description, analysis and reverse engineering

* Huawei HSS / MSC Core Network Element (ATCA, recent, Linux + FPGA) description, analysis and reverse engineering

* ZTE Core Network Element (ATCA, recent, Linux) description, analysis and reverse engineering

Attendees will receive

* Evaluation access to P1 Security's vulnerability scanner for Telecom infrastructure (PTA - P1 Telecom Auditor)

* Developer account for Immunapp mobile security platform.

* Training material: copy of the slides used by the presenter.

Class Requirements
* Basic knowledge of telecom & network principles: what is 2G, 3G, 4G; OSI network layers.

* Good knowledge and usage of Wireshark.

* Basic skills and usage of Linux for reverse engineering (strings, knowledge of tools in a Backtrack for reverse engineering).

Minimum Software to install:

* Laptop with Linux installed either in a VM or native, Backtrack recommended.

* Legal IDA Pro license optional, but recommended.

* Mobile phone (Android recommended) and working SIM card with sufficient credit for voice, SMS and data.

* Additional SIM cards optional, but recommended.

* Note: we will have some pre-paid cards available.
Philippe Langlois is an entrepreneur and leading security researcher, expert in the domain of telecom and network security. He has founded internationally recognized security companies (Qualys, WaveSecurity, INTRINsec, P1 Security) as well as led technical, development and research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company, Intrinsec, in 1995 in France. His first business, Worldnet, France's first public Internet service provider, was founded in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB, ...). Previously a professor at Ecole de Guerre Economique and various universities in France (Amiens, Marne La Vallée) and internationally (FUSR-U, EERCI, ANRSI). He is a FUSR-U collaborator and founding member. Philippe advises industry associations (GSM Association Security Group, several national organizations) and governmental officials and contributes to Critical Infrastructure advisory committees and conferences in telecom and network security. Now, with P1 Security, Philippe is providing the first Core Network Telecom Signaling security scanner and auditor, which helps telecom companies, operators and governments analyze where and how their critical telecom network infrastructure can be attacked. He can be reached through his website, p1security.

Philippe has previously presented at the following security/hacking conferences: Hack in the Box (HITB, Amsterdam, Dubai, Kuala Lumpur), Blackhat, Hackito Ergo Sum (Paris, France), SOURCE, Chaos Communication Congress (Berlin, Germany), ekoparty (Buenos Aires, Argentina), H2HC (São Paulo, Brazil), SYSCAN (Hong Kong; Thailand), Bellua (Jakarta, Indonesia), INT (Mauritius), Interop (France), Rubicon (USA)...
