AusCERT 2018 - Hunting fraud in telecom networks

We don't often think about how our mobile phone calls are rated between countries. But understanding how that happens is something carriers and telecommunications services think about constantly. And it turns out criminals also think about this. 

Vladimir Wolstencroft, the head of security research at Twilio, has looked at this closely and has found a new type of crime, called "interconnect bypass" is being used to defraud telecommunications providers of funds and to potentially capture our personal call and SMS data. 

This happens using a device called a SIM box. This is a GSM gateway that can hold SIM cards and has a HTTP interface as well as antennae. It can be used to defraud telecom providers by capturing calls and redirecting them over the public internet rather than carrier networks, to capture data from mobile phone users or to compromise PBX systems.

Wolstencroft spent a significant portion of his presentation on the second day of the AusCERT 2018 conference talking about interconnect bypass fraud.

One of the ways telecommunications networks derive profit is through termination fees they charge each other. When a call goes from one country to another, the country receiving the call, charges the sender a fee. Interconnect bypass fraud uses SIM boxes to traverse private cloud networks to bridge the calls between countries rather than the carrier network where the fees are charged. Wolstencroft said this fraud, sometimes called "grey routes" is the second biggest type of telecommunications fraud and costs the industry about $6B per year.

Here's how it works. When a person uses their mobile phone to make a call, it connects to a cell tower. Instead of the cell tower, they connect to a SIM box that the criminals have installed somewhere. When they make the call, the SIM box directs that to another SIM box in the country where the call receiver is. The connection between the two SIM boxes, which may be thousands of kilometres apart, is made across a private cloud. The SIM box at the receiver's end then calls the receiver of the call and the connection is completed. 

This works where the call rates between the origin and destination are different so there is profit for criminals.

However, Wolstencroft said there's no guarantee that the calls are secure.

Network operators are aware of this and have employed techniques to detect when a SIM box is being used. As mobile callers are usually moving around and SIM boxes are static, carriers use geolocation services to determine if the SIM cards involved in the calls are moving. If not, they block the SIM cards in the SIM boxes from operating. But SIM box makers are upping their game and have ways to rotate the SIMs in use as well as using software to obfuscate their presence.

In order to make the SIM boxes appear as if they are humans making the calls, the software in the boxes carry out "Human Behaviour Simulation" (HBS). A cottage industry has evolved alongside the SIM boxes where HBS is provided as a service to SIM box operators.

Adding to the complexity is that some carriers actually purchase these grey route call minutes at trade shows as they are less expensive than the traditional carrier networks.

Aside from calls and SMS data being captured on the devices, potentially giving criminals access to your actual calls and text messages, most of the SIM boxes available on the market are packed with their own vulnerabilities. Analysis by Wolstencroft and his team found that, among the six most popular SIM boxes available, there are between 100 and 3000 vulnerabilities on each device.

And with some of the gangs employing hundreds of SIM boxes, cloud services have been created for for managing networks of the devices. And those cloud-based management services have also found to be vulnerable.

We tend to think that our mobile calls and text messages are secure. But there's a nasty underbelly in the telco business that is used by criminals to conduct fraud and steal data. Wolstencroft's presentation highlighted that services we take for granted are actually quite complex and are being exploited by criminals. 

Tags TelecommunicationsTwilio#AusCERT18

Show Comments