In a case of criminal cash theft of a subscriber of a Swiss Mobile Network Operator (MNO), a suspect hacked into the Core Network and increased the credit on his own prepaid account by a 3-digit amount monthly for the past 2 years.
We are stuck in the area of the Gx Diameter protocol between the Packet Data Network Gateway (PDN-GW, P-GW) and the Policy and Charging Rules Function (PCRF), at the Credit Control Request (CCR). All indicators point to a Diameter protocol vulnerability that is currently unknown.
Who has investigated a similar case? As this is commercially highly sensitive, please answer here carefully. As I support collaboration-based open learning, I do not wish for a PM, as there is a lack of MNO forensics investigators who may learn from this case.
Hi Rolf,
I am new to the area of Digital Forensics, but Telecom protocols have been my daily job for the past 8 years. The Gx protocol is merely used to control the PCC rules, which are basically more or less QoS rules.
So I would say the benefit that can be gained through hacking via Gx is not related to the prepaid account balance. The Gy protocol is the one that relates directly to the prepaid balance. But if you could elaborate more, I would be happy to help.
IP spoofing of Diameter peers might be possible, depending on the settings of each peer. So it's more like injecting a Diameter packet as if it was sent from the PCRF to the PCEF to push new PCC rules. Some Diameter peers allow an unknown 'ghost' host to establish peer communication, which allows them to send a CCR. But in this case, the identity of this 'ghost' peer should somehow appear in the PCRF's log, and this could become one of your IoCs.
I would say the suspect needs to have experience in this area, or he/she needs to do some research on how it works by taking tcpdumps and getting hold of them for some time.
Regards,
Lintang
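As an added illustration of the "ghost peer" indicator Lintang describes (this is example code, not something posted in the thread), the following constructed Python snippet encodes two Gx CCRs and flags the one whose Origin-Host is not a provisioned PCEF; the host names and the allowlist are made up, while the command code, application id and AVP code are the standard Diameter/Gx values.

```python
import struct

# Standard identifiers from the Diameter base protocol and 3GPP Gx
GX_APP_ID = 16777238        # 3GPP Gx application id
CC_CMD_CODE = 272           # Credit-Control (a CCR when the R flag is set)
AVP_ORIGIN_HOST = 264       # DiameterIdentity of the sending peer

def avp(code, data, flags=0x40):
    """Encode one AVP (M flag set, no vendor id) with 4-byte padding."""
    length = 8 + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\0" * ((-length) % 4)

def diameter_request(cmd, app, avps, hbh=0x1000, e2e=0x2000):
    """Encode a Diameter request (R flag set) carrying the given AVPs."""
    body = b"".join(avps)
    hdr = b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80" + cmd.to_bytes(3, "big")
    return hdr + struct.pack("!III", app, hbh, e2e) + body

def parse_diameter(raw):
    """Parse the header and top-level AVPs; reject truncated or mis-sized input."""
    if len(raw) < 20 or raw[0] != 1 or int.from_bytes(raw[1:4], "big") != len(raw):
        raise ValueError("not a well-formed Diameter v1 message")
    cmd, app = int.from_bytes(raw[5:8], "big"), struct.unpack("!I", raw[8:12])[0]
    avps, pos = {}, 20
    while pos < len(raw):
        code, aflags = struct.unpack("!IB", raw[pos:pos + 5])
        alen = int.from_bytes(raw[pos + 5:pos + 8], "big")
        hlen = 12 if aflags & 0x80 else 8          # V flag adds a 4-byte vendor id
        if alen < hlen or pos + alen > len(raw):
            raise ValueError("malformed AVP at offset %d" % pos)
        avps[code] = raw[pos + hlen:pos + alen]
        pos += alen + ((-alen) % 4)                # AVPs are padded to 32-bit boundaries
    return {"request": bool(raw[4] & 0x80), "cmd": cmd, "app": app, "avps": avps}

def audit_gx_ccr(raw, known_pcef_hosts):
    """Return alerts for a Gx CCR whose Origin-Host is not a provisioned PCEF (P-GW)."""
    msg = parse_diameter(raw)
    if not (msg["request"] and msg["cmd"] == CC_CMD_CODE and msg["app"] == GX_APP_ID):
        return []                                   # only Gx CCRs are in scope here
    host = msg["avps"].get(AVP_ORIGIN_HOST, b"").decode("ascii", "replace")
    if host not in known_pcef_hosts:
        return ["Gx CCR from unknown Origin-Host %r: possible ghost peer" % host]
    return []

# Constructed sample traffic: one CCR from a provisioned P-GW, one from a ghost peer.
KNOWN_PCEF = {"pgw1.mno.example"}
LEGIT_CCR = diameter_request(CC_CMD_CODE, GX_APP_ID, [avp(AVP_ORIGIN_HOST, b"pgw1.mno.example")])
GHOST_CCR = diameter_request(CC_CMD_CODE, GX_APP_ID, [avp(AVP_ORIGIN_HOST, b"ghost.mno.example")])
```

Running `audit_gx_ccr` over captured Gx traffic (or over the PCRF's peer log, which carries the same Origin-Host) turns the unknown-peer observation into a repeatable check.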
Any protocol can have unknown vulnerabilities, but what if you are looking for the wrong thing?! )
@onty - Thank you! I will study your advice before replying (homework first -)
Hopefully you won't receive a response like "This is where the bad guy messed up", only to help them build a better mousetrap the next time around.