[IP] hackers have broken into GPRS billing

To: ip@xxxxxxxxxxxxxx
Subject: [IP] hackers have broken into GPRS billing
From: Dave Farber <dave@xxxxxxxxxx>
Date: Thu, 02 Oct 2003 11:30:29 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx


Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Thu, 02 Oct 2003 07:25:53 -0700
From: Dewayne Hendricks <dewayne@xxxxxxxxxxxxx>


[Note:  This item comes from reader Claudio Gutiérrez.  DLH]

At 9:35 -0400 10/2/03, Claudio Gutiérrez wrote:
From: Claudio Gutiérrez <gutierrezclaudio@xxxxxxxx>
To: <dewayne@xxxxxxxxxxxxx>
Subject: hackers have broken into GPRS billing
Date: Thu, 2 Oct 2003 09:35:01 -0400

Some time today (October 2th), the GPRS world will reveal that it has asecurity vulnerability which has seen an undisclosed number of itscustomers ripped off. They've been trapped into connecting to maliciouscontent servers, by hackers penetrating the billing system. The firstinternational phone company to admit that they have installed a solution -one offered by Check Point - will be the German phone provider, E-Plus.

The scam is called "the over-billing attack." It works quite simply becauseof a link from the Internet world - unregulated - to the normally tightlyregulated GSM planet. "Network administrators face an exponential onslaughtof attacks that to date have traditionally been confined to the world ofwire line data," was the summary from Check Point.

There are lots of potential issues, but the one which has forced the phonenetworks to acknowledge that there is a problem, is a scam where a companyobtains IP addresses that the GPRS operators own, in the "cellular pool"and start pinging those addresses. When one of them responds, the scamoperator knows that a user has been assigned the address. And,unbelievably, there was nothing to stop them simply providing servicesdirect to that IP address - and taking the money out of the GPRS billingsystem to pay for it. The network, typically, only found out about theattack weeks later, when the angry customer queried the service provided,and insisted that they had not signed up for it.

Getting the IP address list costs the crook no more than it takes to logonto the GPRS network with a data call, and getting assigned an address bya perfectly standard DHCP server inside the operator's network.

Check Point hasn't revealed specifics of how it blocks this attack, but thesolution is based on its Firewall-1 software, which is already installed inmost cellular networks. "The problem could be fixed by changing thehardware," said a spokesman for Check Point. "But that would take a year toimplement, and would require hardware changes in virtually every networkoperator's equipment. The alternative is to use the knowledge in the GPRSfirewall to implement an action in the IP firewall."

The solution does require the operator to run Firewall-1 on its Internetequipment as well as its GPRS servers. Once that is in place, Checkpointhas a single mnagement architecture for all its firewalls. "Our preferredsolution is to write a rule that says: 'I have now closed this session onmy GPRS side, so tell the IP firewall to look for any IP sessions with thisIP address, and close them'," said a Check Point executive. Check Pointexpects several other announcements from phone network operators in thecoming weeks.

The problem isn't limited to GPRS. Any mobile network that is internallytrusted - and that includes next-level technology like UMTS 3G networks -will face similar threats when linking its internal, trusting network tothe free-for-all that is the Internet, and will have to adopt similarsolutions, says Check Point. "The vulnerability also applies between datanetworks. The GPRS Transfer Protocol, GTP, provides no security to protectthe communications between GPRS networks," says the company in its salesblurbs. "So the GPRS/UMTS network is at risk, both from its ownsubscribers, and from its partner networks." Details from Check Point itself


<http://www.newswireless.net/articles/031002-scam.html>

Archives at: <http://Wireless.Com/Dewayne-Net>
Weblog at: <http://weblog.warpspeed.com>


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] write up on my arrival at Carnegie Mellon
Next by Date: [IP] Mystery shrouds arrest of accused software pirate
Previous by thread: [IP] write up on my arrival at Carnegie Mellon
Next by thread: [IP] Mystery shrouds arrest of accused software pirate
Index(es):
- Date
- Thread