hackers have broken into GPRS billing

Steve Schear s.schear at comcast.net
Fri Oct 3 11:22:30 EDT 2003 

Some time today (October 2th), the GPRS world will reveal that it has a 
security vulnerability which has seen an undisclosed number of its 
customers ripped off. They've been trapped into connecting to malicious 
content servers, by hackers penetrating the billing system. The first 
international phone company to admit that they have installed a solution - 
one offered by Check Point - will be the German phone provider, E-Plus.

The scam is called "the over-billing attack." It works quite simply because 
of a link from the Internet world - unregulated - to the normally tightly 
regulated GSM planet. "Network administrators face an exponential onslaught 
of attacks that to date have traditionally been confined to the world of 
wire line data," was the summary from Check Point.

There are lots of potential issues, but the one which has forced the phone 
networks to acknowledge that there is a problem, is a scam where a company 
obtains IP addresses that the GPRS operators own, in the "cellular pool" 
and start pinging those addresses. When one of them responds, the scam 
operator knows that a user has been assigned the address. And, 
unbelievably, there was nothing to stop them simply providing services 
direct to that IP address - and taking the money out of the GPRS billing 
system to pay for it. The network, typically, only found out about the 
attack weeks later, when the angry customer queried the service provided, 
and insisted that they had not signed up for it.

Getting the IP address list costs the crook no more than it takes to log 
onto the GPRS network with a data call, and getting assigned an address by 
a perfectly standard DHCP server inside the operator's network.

Check Point hasn't revealed specifics of how it blocks this attack, but the 
solution is based on its Firewall-1 software, which is already installed in 
most cellular networks. "The problem could be fixed by changing the 
hardware," said a spokesman for Check Point. "But that would take a year to 
implement, and would require hardware changes in virtually every network 
operator's equipment. The alternative is to use the knowledge in the GPRS 
firewall to implement an action in the IP firewall."

The solution does require the operator to run Firewall-1 on its Internet 
equipment as well as its GPRS servers. Once that is in place, Checkpoint 
has a single mnagement architecture for all its firewalls. "Our preferred 
solution is to write a rule that says: 'I have now closed this session on 
my GPRS side, so tell the IP firewall to look for any IP sessions with this 
IP address, and close them'," said a Check Point executive. Check Point 
expects several other announcements from phone network operators in the 
coming weeks.

The problem isn't limited to GPRS. Any mobile network that is internally 
trusted - and that includes next-level technology like UMTS 3G networks - 
will face similar threats when linking its internal, trusting network to 
the free-for-all that is the Internet, and will have to adopt similar 
solutions, says Check Point. "The vulnerability also applies between data 
networks. The GPRS Transfer Protocol, GTP, provides no security to protect 
the communications between GPRS networks," says the company in its sales 
blurbs. "So the GPRS/UMTS network is at risk, both from its own 
subscribers, and from its partner networks." Details from Check Point itself

<http://www.newswireless.net/articles/031002-scam.html>

steve

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list