SIM Runner: Hunting, Detecting and Retiring GSM Bypass Fraud

Slides for this contribution are not available. Sorry.

TSD talks are not recorded

GSM bypass fraud costs operators billions of dollars a year. Tracking and disabling the devices used by fraudsters is itself an industry, in which operators invest huge resources. We will show how, through the evolution of human behavior simulators (HBS), the current state of the art in detection is being evaded. This talk will demonstrate new techniques for detecting and disabling the use of these gateways, regardless of HBS.

Welcome back to hunting and detecting GSM bypass fraud and GSM gateways in IP and telecom networks. GSM bypass fraud costs operators billions of dollars a year; in 2015 alone, for example, it cost $6 billion. Tracking and disabling the devices used by fraudsters is itself an industry, in which operators invest huge resources. We will show how, through the evolution of human behavior simulators (HBS), the current state of the art in detection is being evaded. This talk will demonstrate new techniques for detecting and disabling the use of these gateways, regardless of HBS.

This talk builds on research previously conducted and presented at Troopers 2017, and at the GSMA FSAG meeting where the research received the GSMA Hall of Fame award.

The vulnerabilities that exist within GSM gateway devices from various vendors, as well as the hidden functionality that is built into them, will be discussed and demonstrated. Then the cloud deployment management tools that vendors have developed to allow centralized remote administration of thousands of these devices will be examined. Of course, with centralized architectures come single points of failure, and we will demonstrate how unknowing users and the organizations who have signed up to use these SIM clouds are exposed to detection and compromise of their voice, SMS, and SIP data through vulnerabilities in the cloud-based management systems.

From backdoors to hidden protocols, privilege escalation, interception, detection, magic kill packets and hidden SMS commands, we use this offensive research to demonstrate a multitude of weaknesses that can be combined to put all of these devices in the hands of attackers, or of the telecom companies that are actively looking to remove them from their networks.

Building on these techniques we have developed a tool: GSM BypassMap. GSM BypassMap will be publicly released at the talk and is a free-to-use mapping project that actively detects and accurately fingerprints these devices globally across 5 different major vendors. The map shows affected areas, deployment strategies, vendors, serial numbers and, in specific cases, even the IMSIs of the SIM cards attached to GSM gateways used for fraud. This project will be freely available online as an active GSM Bypass Map for MNOs to monitor and for us to continue coordinating research into these devices.

We hope that this project will spark a conversation and demonstrate that offensive-based research and active detection strategies, which have been adopted in the IT infosec world, can be effectively deployed to help reduce GSM bypass fraud globally.

About the Speakers