Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
3 likes2,823 views
This document discusses attacks on telecommunication networks using vulnerabilities in the Signaling System 7 (SS7) protocol. It describes how stolen mobile devices can be unblocked by exploiting the relationship between the device's IMEI and user's IMSI during the normal IMEI check procedure. The attack involves sending a fake CHECK_IMEI request containing a blacklisted IMEI along with the correct associated IMSI to override the blacklist status. This allows stolen devices to be reactivated without authorization.
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
- 1. 1 © Nokia Solutions and Networks 2015 Check_IMEI Misusage Siddharth Rao / Silke Holtmanns / Ian Oliver / Tuomas Aura 21-08-2015 Public
- 2. 2 © Nokia Solutions and Networks 2015 Agenda Public • Background of SS7 attacks • Normal Check_IMEI procedure • Assumptions • Attack scenario description • Summary
- 3. 3 © Nokia Solutions and Networks 2015 • Telecommunication systems are vulnerable. • Recent attacks • Locate • Trace/intercept • Manipulate Frauds Illegitimate activities • Core network Protocol • Signaling System #7 Public Motivation
- 4. 4 © Nokia Solutions and Networks 2015 • Protocol foundation to enable roaming. • Call establishment , management and release. • Short Message Services (SMS). • Supplementary services. • Toll free numbers. • Tele-voting. • Enhanced Message Services (EMS). • Local Number Portability (LNP). Signaling System #7 Public
- 5. 5 © Nokia Solutions and Networks 2015 Public SS7 Attacks timeline
- 6. 6 © Nokia Solutions and Networks 2015 Public SS7 Attacks impact
- 7. 7 © Nokia Solutions and Networks 2015 Public Unblocking stolen mobile devices using SS7-MAP vulnerabilities Exploiting the relationship between IMEI and IMSI for EIR access - Siddharth Rao, Dr. Silke Holtmanns, Dr. Ian Oliver, Dr Tuomas Aura
- 8. 8 © Nokia Solutions and Networks 2015 Public Normal IMEI (device ID) Check procedure
- 9. 9 © Nokia Solutions and Networks 2015 Public CheckIMEI ASN Structure Contains only IMEI.
- 10. 10 © Nokia Solutions and Networks 2015 • Attacker has a stolen phone which is blacklisted and he knows the IMSI (Subsriber id) which was associated with it while blocking or last use by the victim. The attacker does not need to have the original SIM as it is sufficient to have just the IMSI. • Attacker has access to SS7 network. • The Global Title (GT, “SS7 name of a node”) of the Equipment Identity Register (EIR) is required. • Mobile Switching Center (MSC) GT might be needed (depending on operator configuration). • Feature and IMSI check options are enabled. Public Assumptions
- 11. 11 © Nokia Solutions and Networks 2015 Users loose their phones and find it again, easy ”recovery” in EIR wanted MSC sends IMEI (device id) along with IMSI (subscriber id) during MAP_CHECK_IMEI. Initially the IMEI is checked to know the list it belongs to. If it is found on the black list, an additional check of IMSI is made. If there is a match between IMSI provisioned with IMEI in the EIR database (This is the IMSI-IMEI pair in the EIR before the victim blocks his stolen device.) with the IMSI found in MAP_CHECK_IMEI message then this overrides the blacklist condition. Phone no longer blacklisted. Public Feature
- 12. 12 © Nokia Solutions and Networks 2015 Public Attack Scenario
- 13. 13 © Nokia Solutions and Networks 2015 Public CheckIMEI ASN Structure Contains IMEI and IMSI !!!!
- 14. 14 © Nokia Solutions and Networks 2015 1. A CHECK_IMEI* is received with IMEI = 12345678901234, and IMSI = 495867256894125. 2. An individual IMEI match is found indicating that the IMEI is on the Black List. 3. Normally required response would be Black Listed, however; because an IMSI is present in the message, and the IMEI is on the Black List, the IMSI is compared to the IMSI entry in the database for this IMEI. 4. In this case, the IMSI in the RTDB matches the IMSI in the query, thus the Black Listed condition is cancelled/overridden. 5. EIR formulates a CHECK_IMEI* response with Equipment Status = 0 whiteListed. Public Example
- 15. 15 © Nokia Solutions and Networks 2015 • Stolen phones would have much higher value, if they are not blacklisted and can be sold via ebay or simlar means. Why should somebody do this? Public Source: http://www.wired.com/2014/12/where-stolen-smart-phones-go/ • 1 in 10 smart-phone owners are the victims of phone theft. • In United States, 113 phones per minute are stolen or lost. $7 million worth of smart phones on a daily basis.
- 16. 16 © Nokia Solutions and Networks 2015 Public EIR Coverage Source: Farrell, G. (2015). Preventing phone theft and robbery: the need for government action and international coordination. Crime Science, 4(1), 1-11.
- 17. 17 © Nokia Solutions and Networks 2015 • Attack has not been observed in real networks. • Research was done on protocol level and publicly available information. • Not all EIRs affected. • Business case exist for the attack. • Easy to add ”Check_IMEI*” to the filter list of network internal messages to stop this kind of attack before it appears in real. Public Summary
- 18. 18 © Nokia Solutions and Networks 2015 THANK YOU Public Contact: siddharth.rao@aalto.fi
- 19. 19 © Nokia Solutions and Networks 2015 Public
- 20. 20 © Nokia Solutions and Networks 2015 Public Copyright and confidentiality The contents of this document are proprietary and confidential property of Nokia Solutions and Networks. This document is provided subject to confidentiality obligations of the applicable agreement(s). This document is intended for use of Nokia Solutions and Networks customers and collaborators only for the purpose for which this document is submitted by Nokia Solution and Networks. No part of this document may be reproduced or made available to the public or to any third party in any form or means without the prior written permission of Nokia Solutions and Networks. This document is to be used by properly trained professional personnel. Any use of the contents in this document is limited strictly to the use(s) specifically created in the applicable agreement(s) under which the document is submitted. The user of this document may voluntarily provide suggestions, comments or other feedback to Nokia Solutions and Networks in respect of the contents of this document ("Feedback"). Such Feedback may be used in Nokia Solutions and Networks products and related specifications or other documentation. Accordingly, if the user of this document gives Nokia Solutions and Networks Feedback on the contents of this document, Nokia Solutions and Networks may freely use, disclose, reproduce, license, distribute and otherwise commercialize the feedback in any Nokia Solutions and Networks product, technology, service, specification or other documentation. Nokia Solutions and Networks operates a policy of ongoing development. Nokia Solutions and Networks reserves the right to make changes and improvements to any of the products and/or services described in this document or withdraw this document at any time without prior notice. The contents of this document are provided "as is". Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation to the accuracy, reliability or contents of this document. NOKIA SOLUTIONS AND NETWORKS SHALL NOT BE RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS DOCUMENT or for any loss of data or income or any special, incidental, consequential, indirect or direct damages howsoever caused, that might arise from the use of this document or any contents of this document. This document and the product(s) it describes are protected by copyright according to the applicable laws. Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their respective owners. © Nokia Solutions and Networks 2015