TS-310

Reversing telecom
platforms for security

Security Training
Course Reference: TS-310

P1 Security. All rights reserved.

Contact:
Philippe Langlois
phil@p1sec.com
+33 98045 0447

TS-310 Reversing telecom platforms

for security
Applied hacking on legacy monolithic MSC and HLR to modular ATCA's
reversing and mobile platforms

Description of Training Class

Learn about contemporary telecom and mobile system reverse engineering

within the context of Telecom and Mobile Network operators and how core
telecom infrastructure operate, down to the usage of these service by operators
mobile apps and handset manufacturers platforms.
We will see from the mobile handset (Android, apps, platform) to the enterprise
applications (iPBX) up to the Core Network how are all these technologies
meshed together and how to make sense of their protocols and applications.

Duration

Short version: 2 days

Long version: 5 days

Attendees will receive

Evaluation access to P1 Securitys vulnerability scanner for Telecom

infrastructure (PTA - P1 Telecom Auditor)
Developer account for Immunapp mobile security platform.
Training material: Slides copy of the presenter.

Pre-requisites of training class

Basic knowledge of telecom & network principles; what is 2G, 3G, 4G; OSI
network layers; basic knowledge of telecom technologies.
Laptop with Linux installed either in a VM or native, Backtrack or Ubuntu
with reverse engineering and hacking tools recommended.
Good knowledge and usage of Wireshark.
Basic skills and usage of Linux for reverse engineering (strings,
knowledge of tools in a Backtrack for reverse engineering).
Mobile phone (Android recommended) and working SIM card with
sufficient credit for voice, SMS and data.
Additional SIM cards optional, but recommended.
Legal IDA Pro license optional, but recommended.

P1 Security. All rights reserved.

Covered in this training

Part 1: Handsets & subscriber applications

Mobile phone usage of the network and applications (CS, USSD, SMS,
Packet Switched/Data, VAS). We will look into the protocols used by the
mobile, analyzing them and detailing where security problems can
appear. We will use OsmocomBB and try to analyze the live networks
around the conference.
Proprietary apps and their interface to the telecom systems. We will see
by reversing some proprietary apps how these apps use non-standard
interfaces within the mobile network. We will use frameworks for static
analysis (dead code, binary form) and dynamic analysis (live running
apps, within existing phone/handset).
Samsung Android platform (Android + Proprietary extensions). We will
look into Samsung Android platform specifics and security,
Access network protocols analysis. We will look into the network
protocols that are used by the mobile handsets toward the mobile
network.

Part 2: PBX, Femtocell and enterprise access methods

M2M connection reverse engineering

Corporate data/Packet Switched mobile broadband connection analysis.
We will analyze and reverse common access setups and protocols to look
for the vulnerabilities within these networks. We will look into multiple
solution for corporate access to the network. If time permits, we will look
in existing 3G/4G access kits and their vulnerabilities.
Alcatel Lucent OmniPCX iPBX: we will look in the typical setup and
vulnerabilities of modern PBX for enterprise accesses. We will look into
the embedded operating system of these PBX by extracting it from the
hardware.
Commercial SIP implementation reverse engineering and vulnerability
analysis.
Hardware embedded SIP TA audit and reverse engineering.
Femtocell security vulnerabilities and reverse engineering.

Part 3: Core Network protocols & network element

We will dig into Core Network protocols, reverse engineer some specified
and some proprietary telecom Core Network protocols.
The training will show the various attack surface for these networks and
show the impact of vulnerabilities for each network element.
Legacy Core Network element analysis Nokia DX200 Core Network
Element (legacy, monolithic) description and analysis
Huawei MGW8900 Core Network Element (legacy, monolithic, VxWorks +
FPGA) description, analysis and reverse engineering
Huawei HSS / MSC Core Network Element (ATCA, recent, Linux + FPGA)
description, analysis and reverse engineering
ZTE Core Network Element (ATCA, recent, Linux) description, analysis
and reverse engineering

P1 Security. All rights reserved.

About P1 Security Inc.

P1 Security is a vendor independent, technology pioneer and leader in Telecom

Security Audit products with patent pending technology and top research and
development recognized by the GSM Association.

Experts from P1 Security give conferences and training on SIGTRAN and SS7
security worldwide.

Visit our website at www.p1sec.com or contact us for further information.

Contact
Email: sales@p1sec.com
Web: http://www.p1security.com
Address: P1 Security, 231 rue Saint Honor, 75001 Paris, France

P1 Security. All rights reserved.