Feeds

Official: crackers have broken into GPRS billing

The over-billing attack

  • alert
  • submit to reddit

High performance access to file storage

Some time today, the GPRS world will reveal that it has a security vulnerability which has seen an undisclosed number of its customers ripped off. They've been trapped into connecting to malicious content servers, by hackers penetrating the billing system.

The first international phone company to admit that they have installed a solution - one offered by Check Point - will be the German phone provider, E-Plus.

The scam is called "the over-billing attack." It works quite simply because of a link from the Internet world - unregulated - to the normally tightly regulated GSM planet. "Network administrators face an exponential onslaught of attacks that to date have traditionally been confined to the world of wire line data," was the summary from Check Point.

There are lots of potential issues, but the one which has forced the phone networks to acknowledge that there is a problem, is a scam where a company obtains IP addresses that the GPRS operators own, in the "cellular pool" and start pinging those addresses.

When one of them responds, the scam operator knows that a user has been assigned the address. And, unbelievably, there was nothing to stop them simply providing services direct to that IP address - and taking the money out of the GPRS billing system to pay for it.

The network, typically, only found out about the attack weeks later, when the angry customer queried the service provided, and insisted that they had not signed up for it.

Getting the IP address list costs the crook no more than it takes to log onto the GPRS network with a data call, and getting assigned an address by a perfectly standard DHCP server inside the operator's network.

Check Point hasn't revealed specifics of how it blocks this attack, but the solution is based on its Firewall-1 software, which is already installed in most cellular networks.

"The problem could be fixed by changing the hardware," said a spokesman for Check Point. "But that would take a year to implement, and would require hardware changes in virtually every network operator's equipment. The alternative is to use the knowledge in the GPRS firewall to implement an action in the IP firewall."

The solution does require the operator to run Firewall-1 on its Internet equipment as well as its GPRS servers.

Once that is in place, Checkpoint has a single mnagement architecture for all its firewalls. "Our preferred solution is to write a rule that says: 'I have now closed this session on my GPRS side, so tell the IP firewall to look for any IP sessions with this IP address, and close them'," said a Check Point executive.

Check Point expects several other announcements from phone network operators in the coming weeks.

The problem isn't limited to GPRS. Any mobile network that is internally trusted - and that includes next-level technology like UMTS 3G networks - will face similar threats when linking its internal, trusting network to the free-for-all that is the Internet, and will have to adopt similar solutions, says Check Point.

"The vulnerability also applies between data networks. The GPRS Transfer Protocol, GTP, provides no security to protect the communications between GPRS networks," says the company in its sales blurbs. "So the GPRS/UMTS network is at risk, both from its own subscribers, and from its partner networks." Details from Check Point itself.

© NewsWireless.Net

High performance access to file storage

More from The Register

next story
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
Broadband Secretary of SHEEP sensationally quits Cabinet
Maria Miller finally resigns over expenses row
Skype pimps pro-level broadcast service
Playing Cat and Mouse with the media
Beat it, freetards! Dyn to shut down no-cost dynamic DNS next month
... but don't worry, charter members, you're still in 'for life'
EE dismisses DATA-BURNING glitch with Orange Mail app
Bug quietly slurps PAYG credit - yet EE denies it exists
Like Google, Comcast might roll its own mobile voice network
Says anything's possible if regulators approve merger with Time Warner
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.