4G—Who is paying your cellular phone bill?

The presentation discusses the importance of implementing security measures in mobile networks to prevent attacks and fraud.

• Routing should be by origin realm and origin host to make attackers' lives harder
• Telco-specific MZ range can be used to verify if a message is really from a particular operator
• Logical separation in the nodes of visited incoming Roma's and home subscribers can prevent unauthorized requests
• Location distance check can be used to verify if a message is physically feasible
• Fingerprinting partners can be used to identify flows and raise alerts if there are anomalies
• Security should be treated as a quality indicator and part of business contracts
• Various methods can be used to gain unauthorized access to mobile networks, including bribery and social engineering

The speaker found a scanner that crawled through the internet looking for nodes that talked GTP, a telco protocol that is only spoken in the telco industry. This raised concerns about why these nodes were on the internet and the potential for unauthorized access.

Cellular networks are connected with each other through a worldwide private, but not unaccessible network, called IPX network. Through this network user related information is exchanged for roaming purposes or for cross-network communication. This private network has been breached by criminals and nation states. Cellular networks are extremely complex and many attacks have been already been found e.g. DoS, location tracking, SMS interception, data interception. Many attacks have been seen in practice, but not all attack are understood and not all attack avenues using the IPX network have been explored. This presentation shows how a S9 interface in 4G networks, which is used for charging related user information exchange between operators can be exploited to perform fraud attacks. A demonstration with technical details will be given and guidance on practical countermeasures.