RE: Questions on GSM Penetration test

From: Emmanuel Gadaix (emmanuel@relaygroup.com)
Date: 01/26/02


Date: Sat, 26 Jan 2002 09:59:50 +0700
To: <pen-test@securityfocus.com>
From: Emmanuel Gadaix <emmanuel@relaygroup.com>


GSM security is generally not very well understood by your average
"pentest" company.

There is one company that is specializing in this domain. Check out
http://www.globerelay.com

The pentest of a GSM network does involve "normal" security work (e.g.
firewall assessment, host hardening, application review, routers security,
etc.)
It mostly involves testing GSM Network Elements (NE) such as MSC, HLR, BSC,
BTS, VMS, OTA, SMSC, IN, etc. Such NEs sometimes run obscure operating
systems and are very proprietary. Most of them assume knowledge of digital
signalling protocols such as SS7 (MTP, SCCP, TCAP, MAP, ISUP, BSSAP, INAP,
CAMEL).

The most important part of a GSM network is actually not the NEs
themselves but the OSS network that manages them. As such, platforms such
as the NMS (Network Management system), the mediation device and the
billing system environment are very critical to the security of the GSM
infrastructure.

For anybody who's interested, I wrote a paper last year (that was
presented at Blackhat Hong Kong and Singapore) on GSM security, so feel
free to ask and I'll send you a copy.

Regards
Emmanuel

At 04:32 PM 1/25/2002, Lubomir.Nistor@star-21.de wrote:
>I really doubt that there is any company like this.. as not many people on
>this planet know how exactly GSM network works, and those people are
>building it..
>
>Penetration test of GSM net should be done as a normal pen-test, but I
>suppose insider attack is where a lot can be done.
>Outside attacks have something to do with radio engineering and
>basestation-phone communication (DoS, wiretapping, ..)
>
>inside attacks are more interesting, as you can access devices via IP :)
>no radio :)
>and do some serious (mis)configuration.
>
>
>Although I haven't done any GSM pentests, I know some radio networks
>basics...
>
>Lubo
>
>PS: if anybody got some docs about how GSM radio communication works pls
>send me a copy (not general descr, but specific protocol descr, fields
>descr, timing etc..)
>PS2: sources of firmware helps as well..
>
>-----Original Message-----
>From: ricci_ieong [mailto:ricci_ieong@yahoo.com]
>Sent: Donnerstag, 24. Januar 2002 04:10
>To: pen-test@securityfocus.com
>Subject: Questions on GSM Penetration test
>
>
>Hello All,
>
>I would like to know if there is any company offering penetration test
>services onto GSM network not the IP network. How to perform that type of
>test? Which company can offer that service?
>
> Thanks.
>
>Ricci
>
>
>
>
>
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/
>
>


