5G Network Slicing and Network Neutrality: my point of view

Let there be no mistake about this: from a technical point of view, 5G Network Slicing is totally awesome!

However, some aspects seems to disagree with Network Neutrality principles.

Continue reading “5G Network Slicing and Network Neutrality: my point of view”

Security flaws in VoLTE protocol allow an attacker to spoof numbers and track users

The research paper by P1 Security was presented last week in a security conference in France

A team of researchers from security firm P1 Security has detailed a list of flaws in the VoLTE protocol that allows an attacker to spoof anyone’s phone number and place phone calls under new identities, and extract IMSI and geo-location data from pre-call message exchanges.

These issues can be exploited by both altering some VoLTE packets and actively interacting with targets, but also by passively listening to VoLTE traffic on an Android device.

Voice over LTE (VoLTE)

VoLTE is a standard for high-speed wireless communication for mobile phones and data terminals, based on the IP Multimedia Subsystem network.

With VoLTE the voice service being delivered as data flows within the LTE data bearer, without dependency on the legacy circuit-switched voice network to be maintained.

The vulnerabilities

Researchers divide vulnerabilities into “active”, that require modifying special SIP packets, and “passive” that expose data via passive network monitoring or do not require any SIP packet modification.

Below a brief list of the flaws discovered (for extended information please refers to links in ‘Reference’ section, at the end of the post):

User enumeration

SIP INVITE messages are exchanged when phone calls via VoLTE are initiated and passes through all the mobile networking equipment that supports the call: an attacker on the same network can send modified SIP INVITE messages to brute-force the mobile provider and get a list of all users on its network.

Free data channel over SDP

This flaw allows a VoLTE customer to exchange data (phone calls, SMS, mobile data) via VoLTE networks without initiating the CDR module, responsible for billing.

P1 team discovers a method that using SIP and SDP messages to create unmonitored data tunnels in VoLTE networks: it allows possible crime suspects a way to create covert data communications channels.

User identity spoofing

Mobile networking equipment does not verify if the SIP INVITE header information is correct, taking the caller’s identity at face value, so an attacker can modify certain headers in SIP INVITE messages and place calls using another user’s MSISDN (phone number).

VoLTE equipment fingerprinting and topology discovery

This vulnerability allows an attacker to fingerprint network equipment of a target operator just by listening to VoLTE telephony traffic reaching an Android smartphone.

Leak of the victim’s IMEI

Watching VoLTE traffic on an Android that’s initiating a call, researchers discovered that intermediary messages exchanged before establishing a connection reveal information about the caller IMEI number.

Leak of the victim’s personal information

Similarly to the attack above, researchers also discovered that the same SIP messages can also leak more detailed information about victims: attackers could initiate shadow calls, detect the victim’s approximate location, and hang up before the phone call is established.


The paper


How to use the ip command instead of ifconfig

Did you know that in 2009 it was announced that the ifconfig Linux command would be deprecated?

On mostly Linux distribution the ifconfig command has been deprecated and will be definitely replaced by ip command.
What are de differences between ifconfig and ip?

Let’s try to summarize them:

Show network devices

ip addr show
ip link show

Enable a network interface

ifconfig eth0 up
ip link set eth0 up

A network interface can be disabled with:

ifconfig eth0 down
ip link set eth0 down

Setting IP address

The simple version:

ifconfig eth0
ip address add dev eth0

The complete version with network mask or the broadcast address:

ifconfig eth0 netmask broadcast
ip addr add broadcast dev eth0

Delete an IP address

This feature is available only with ip:

ip addr del dev eth0

Add alias interface

ifconfig eth0:1
ip addr add dev eth0 label eth0:1

Add an entry in the ARP table.

arp -i eth0 -s 00:11:22:33:44:55
ip neigh add lladdr 00:11:22:33:44:55 nud permanent dev eth0

Set ARP resolution off on one device

ifconfig -arp eth0
ip link set dev eth0 arp off

Show the routing table

ip route show

With ip you can query on which interface a packet to a given IP address would be routed to:

ip route get

Changing the routing table

Add a route:

route add -net dev eth3
ip route add dev eth3

Removing entries from a routing table:

route del -net dev eth3
ip route del dev eth3

Add a gateway:

route add -net gw
ip route add via

A most complete list of deprecated commands and them replacement is available on this post of Doug Vitale:

Deprecated Linux networking commands and their replacements


Deprecated Linux networking commands and their replacements
Deprecated Linux networking commands and their replacements
Deprecated Linux networking commands and their replacements

The Internet is still broken

BGP Hijacking is an actual problem that we need to solve

Yesterday i have read a brief but interesting article about BGP Hijacking written by Johannes B. Ullrich, published on SANS ISC InfoSec Forum.

About BGP Hijacking i have already written something about, you can read on https://www.andreafortuna.org/bgp-hijacking-current-state-and-future-developments-d4077c215d12.

Essentially, BGP Hijacking is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables:

The Internet is a network of networks.

Each “Autonomous system” (AS) connects to the internet using a router that “speaks” the Border Gateway Protocol (BGP) to disseminate and receive routing information.

The problem is that there is no authoritative way to figure out who is supposed to receive which IP address space.

If I got a new IP address range assigned, or if I agree to route it as part of an agreement with another network, then I will use BGP to advertise this to the Internet.

Sadly, nobody has figured out yet how to validate these advertisements. As a result, it is somewhat common for BGP abused to advertise IP addresses that an organization doesn’t actually own. This can lead to a denial of service, or miscreants can start using it for a man-in-the-middle attack.

The article also refers to the recent event of BGP abuse that has allowed the hijack of a large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies that were briefly routed through a Russian government-controlled telecom:


“Quite suspicious”

“I would classify this as quite suspicious,” Doug Madory, director of Internet analysis at network management firm Dyn, told Ars. “Typically accidental leaks appear more voluminous and indiscriminate. This would appear to be targeted to financial institutions. A typical cause of these errors [is] in some sort of internal traffic engineering, but it would seem strange that someone would limit their traffic engineering to mostly financial networks.”

Ullrich also suggest some mitigations for this kind of attacks:

So in short, what can you do about it?

1 — The internet is an untrusted network. Deal with it. Assume people are rerouting, eavesdropping and manipulating your traffic. Technologies like TLS will help you detect these issues if properly implemented. VPNs can help to secure trusted connections within an organization or between trusted partners. But this is exactly why you have to audit these configurations and make sure they are configured based on current best practices.

2 — Monitor if someone is trying to hijack IP address space you are using.

3 — If you do own IP address space, and if you do manage BGP yourself, then make sure you implement the few security features that are available.

For more information, please refers to original article on SANS Forum:


More references about BPJ Hijacking