Attacks you can’t combat: Vulnerabilities of most robust mobile operators
Sergey Puzankov
About me
• 18+ years in telecom industry
• 7+ years in telecom security
• Research results & community contribution
• Knowledge sharing
spuzankov@ptsecurity.com
sergey_puzankov
@xigins
SS7 basics
SS7 (Signaling System No. 7) is a set of telephony protocols used to set up and tear down telephone calls, send and receive SMS messages, provide subscriber mobility, and more.
• Fixed telephony
• 2G/3G mobile networks
• Interconnection with next-generation networks
Who are potential targets?
© GSMA Intelligence 2018, Mobile connections by technology
https://www.gsmaintelligence.com/research/2018/02/infographic-mobile-connections-by-technology/656/
Now what can a Hacker do?
Easily, from anywhere, against any mobile operator, with no special skills needed:
• Get access to your email and social media
• Track location of VIPs and public figures
• Perform massive denial of service attacks
• Intercept private data, calls and SMS messages
• Steal money
• Take control of your digital identity
History of signaling security
SS7 development: trusted environment. No security mechanisms in the protocol stack.
Scope grows: SIGTRAN (SS7 over IP) introduced. Security is still missing. Growing number of SS7 connections, increasing amount of SS7 traffic. No security policies or restrictions.
Not trusted anymore: huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security.
Mobile operators and SS7 security
• Security assessment
• Signaling IDS
• SMS Home Routing
• Security configuration
• SS7 firewall
Basic nodes and identifiers
• MSISDN — Mobile Subscriber Integrated Services Digital Number
• IMSI — International Mobile Subscriber Identity
• GT — Global Title, address of a core node element
• HLR — Home Location Register
• SMS-C — SMS Centre
• STP — Signaling Transfer Point
• MSC/VLR — Mobile Switching Center and Visited Location Register
SS7 protocol stack (top to bottom)
• MAP — Mobile Application Part is the payload that contains an operation code and appropriate parameters such as IMSI, profile information, and location data.
• TCAP — Transaction Capabilities Application Part is responsible for transactions and dialogues processing.
• SCCP — Signaling Connection Control Part is responsible for the routing of a signaling message by Global Titles.
SS7 security means
• SS7 firewall is the most sophisticated signaling security tool that protects the network against a wide range of threats such as IMSI disclosure, location tracking, and traffic interception.
• SMS Home Routing is intended to prevent SMS fraud and hide IMSI identities.
• Signaling Transfer Point makes simple screening of signaling messages.
Signaling Transfer Point
• Signaling Transfer Point is a router that relays SS7 messages between signaling end-points and other signaling transfer points.
• Usually the STP is a border point in a signaling network.
• It is possible to use the STP for the screening of ineligible signaling traffic.
• Screening rules of most STPs are simple, for instance, blocking a signaling message by a source address or redirecting a signaling message by an operation code.
• The STP looks through a signaling message layer by layer and applies a rule as soon as the first appropriate pattern is triggered.
SMS delivery process
SRI4SM — SendRoutingInfoForSM
1. SRI4SM Request (MSISDN): SMS-C → STP → HLR
2. SRI4SM Response (IMSI, MSC Address): HLR → STP → SMS-C
3. MT-SMS (IMSI, SMS Text): SMS-C → STP → MSC
SRI4SM abuse by a malefactor
1. SRI4SM Request (MSISDN): malefactor → STP → HLR
2. SRI4SM Response (IMSI, MSC Address): HLR → STP → malefactor
SMS Home Routing
1. SRI4SM Request (MSISDN): SMS-C → STP → SMS Router
2. SRI4SM Response (Fake IMSI, SMS-R Address): SMS Router → STP → SMS-C
3. MT-SMS (Fake IMSI, SMS Text): SMS-C → STP → SMS Router
4. SRI4SM Request (MSISDN): SMS Router → HLR
5. SRI4SM Response (Real IMSI, MSC Address): HLR → SMS Router
6. MT-SMS (Real IMSI, SMS Text): SMS Router → MSC
SMS Home Routing against malefactors
1. SRI4SM Request (MSISDN): malefactor → STP → SMS Router
2. SRI4SM Response (Fake IMSI, SMS-R Address): SMS Router → STP → malefactor
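The six-step SMS Home Routing flow above and the "against malefactors" variant, simulated end to end. This is an added example, not the deck's or any vendor's code: the node classes, the correlation-IMSI scheme (home MCC/MNC plus random digits), and all addresses and numbers are constructed for the demo.

```python
"""SMS Home Routing simulated end to end (added example, constructed data)."""
import secrets

HOME_MCC_MNC = "46080"   # constructed: the E.212 MCC/MNC used elsewhere in the deck


class HLR:
    """Real subscriber records: MSISDN -> (IMSI, serving MSC address)."""

    def __init__(self, subscribers):
        self.subscribers = subscribers

    def sri4sm(self, msisdn):
        return self.subscribers[msisdn]


class SMSRouter:
    """Answers SRI4SM with a one-shot correlation ("fake") IMSI plus its own
    address; the real IMSI is looked up only once the MT-SMS reaches it."""

    ADDRESS = "79990000001"   # constructed SMS-R Global Title

    def __init__(self, hlr):
        self.hlr = hlr
        self.pending = {}     # fake IMSI -> MSISDN, consumed on delivery

    def sri4sm(self, msisdn):                      # steps 1-2
        fake_imsi = HOME_MCC_MNC + str(secrets.randbelow(10**10)).zfill(10)
        self.pending[fake_imsi] = msisdn
        return fake_imsi, self.ADDRESS

    def mt_sms(self, imsi, text):                  # steps 3-6
        msisdn = self.pending.pop(imsi, None)
        if msisdn is None:
            return None                            # no live correlation: nothing to deliver
        real_imsi, msc = self.hlr.sri4sm(msisdn)   # steps 4-5, inside the home network only
        return {"msc": msc, "imsi": real_imsi, "text": text}   # step 6, MT-SMS to the MSC


def foreign_smsc_delivery(router, msisdn, text):
    """What an external SMS-C sees during delivery, and what actually reaches the MSC."""
    seen_imsi, seen_address = router.sri4sm(msisdn)
    delivered = router.mt_sms(seen_imsi, text)
    return {"seen_imsi": seen_imsi, "seen_address": seen_address, "delivered": delivered}


# Constructed subscriber record: the deck's example MSISDN and IMSI, a made-up MSC GT
HLR_RECORDS = {"868541231237": ("460804564567894", "868541000010")}


if __name__ == "__main__":
    router = SMSRouter(HLR(HLR_RECORDS))
    print(foreign_smsc_delivery(router, "868541231237", "hello"))
    print(router.sri4sm("868541231237"))   # SRI4SM alone: only fake IMSI and SMS-R address come back
```

The correlation entry is consumed on delivery, so a fake IMSI cannot be replayed later, and the real IMSI never appears on the external leg of either flow.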
SS7 firewall: typical deployment scheme
1. SS7 message: arrives at the STP
2. SS7 message: STP → SS7 firewall for inspection
3. SS7 message: forwarded on to the HLR
SS7 firewall: blocking rules
Message fields used by the firewall rules:
• SCCP: Source / Destination
• TCAP: Application Context
• MAP: OpCode, IMSI, …
Category 1: block a message by an operation code.
Category 2: block a message by an operation code and correlation of a source address and subscriber identity.
Category 3: block a message by an operation code and subscriber’s real location.
SS7 attacks and vulnerabilities
• IMSI disclosure via a malformed Application Context Name (ACN) parameter
• Location tracking via Operation Code Tag substitution
• Voice call interception (MiTM) via a Double MAP vulnerability
IMSI disclosure: exploitation of malformed ACN
TCAP protocol
• TCAP Message Type — mandatory
• Transaction IDs — mandatory
• Dialogue Portion — optional
• Component Portion — optional
Changing ACN
Legitimate ACN (0.4.0.0.1.0.20.3):
0 – CCITT, 4 – Identified Organization, 0 – ETSI, 0 – Mobile Domain, 1 – GSM/UMTS Network, 0 – Application Context ID, 20 – ShortMsgGateway, 3 – Version 3
Malformed ACN (0.4.4.0.1.0.20.3):
0 – CCITT, 4 – Identified Organization, 4 – Unknown, 0 – Mobile Domain, 1 – GSM/UMTS Network, 0 – Application Context ID, 20 – ShortMsgGateway, 3 – Version 3
IMSI disclosure via malformed ACN
Message layers: SCCP Destination = HLR; TCAP = Malformed ACN; MAP = OpCode, param.
1. SRI4SM Request (MSISDN) with Malformed ACN: malefactor → STP → SMS Router → HLR. SMS Router bypassed: the request is not handled by the SMS Router and reaches the HLR.
2. SRI4SM Response (IMSI, MSC): HLR → STP → malefactor
Equal IMSIs mean the SMS Home Routing solution is absent or not involved.
Location tracking: substitution of Operation Code Tag
Numbering plans
Plan   Identifier      Country                            Mobile Network Operator           Subscriber
E.164  MSISDN and GT   86 – Country Code (China)          854 – Network Destination Code    1231237
E.212  IMSI            460 – Mobile Country Code (China)  80 – Mobile Network Code          4564567894
Blocking rule: category 2
Block a message by an operation code and correlation of a source address and subscriber identity. The rule compares:
• Source address (the country and operator behind the E.164 Global Title)
• Subscriber identity (the country and operator behind the E.212 IMSI)
• Operation code
Switzerland ≠ China: when the source address points to one country and the subscriber identity to another, the message is blocked.
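The category-2 correlation rule above, written out as a check a firewall could run on each message. This is an added example and not the deck's or any firewall vendor's code: the prefix tables are tiny constructed extracts, the Swiss Global Title is a placeholder, and the set of operations the rule covers is a hypothetical policy choice; the Chinese MSISDN, GT and IMSI are the deck's own examples.

```python
"""Category-2 correlation: does the country behind the SCCP calling-party GT
(E.164) match the country behind the IMSI (E.212)?  Added example, constructed tables."""

# Constructed partial numbering tables: E.164 country code -> country, E.212 MCC -> country.
E164_COUNTRY = {"86": "China", "41": "Switzerland"}
E212_COUNTRY = {"460": "China", "228": "Switzerland"}

# MAP local operation codes (3GPP TS 29.002) that this hypothetical policy subjects to
# category 2, i.e. operations expected only from the subscriber's home network.
CATEGORY2_OPCODES = {7: "insertSubscriberData", 70: "provideSubscriberInfo"}


def country_of_gt(gt):
    """Longest-prefix match of an E.164 Global Title against the country-code table."""
    for n in (3, 2, 1):
        if gt[:n] in E164_COUNTRY:
            return E164_COUNTRY[gt[:n]]
    return None


def country_of_imsi(imsi):
    """The first three IMSI digits are the E.212 Mobile Country Code."""
    return E212_COUNTRY.get(imsi[:3])


def category2_verdict(opcode, calling_gt, imsi):
    """Return ("pass" | "block", reason) for one MAP message."""
    if opcode not in CATEGORY2_OPCODES:
        return "pass", "operation not subject to category-2 correlation"
    gt_country = country_of_gt(calling_gt)
    imsi_country = country_of_imsi(imsi)
    if gt_country is None or imsi_country is None:
        return "block", "unknown numbering prefix, cannot correlate source and subscriber"
    if gt_country != imsi_country:
        return "block", f"{CATEGORY2_OPCODES[opcode]} from {gt_country} for a {imsi_country} subscriber"
    return "pass", f"source and subscriber both in {gt_country}"


# Constructed sample messages: (MAP opcode, SCCP calling GT, IMSI).
SAMPLES = [
    (7, "868541231237", "460804564567894"),    # ISD from the subscriber's own network
    (7, "41790000000", "460804564567894"),     # ISD from a Swiss GT for a Chinese IMSI
    (45, "41790000000", "460804564567894"),    # SRI4SM: not a category-2 operation here
    (70, "99900000000", "460804564567894"),    # PSI from a GT with no known prefix
]


def screen(samples=SAMPLES):
    """Verdicts for a batch of messages, in order."""
    return [category2_verdict(*s)[0] for s in samples]


if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", category2_verdict(*s))
```

Operator-level correlation works the same way with the Network Destination Code and MNC columns of the numbering-plan table; an unknown prefix is treated as a block rather than a pass so that a gap in the tables cannot be used to slip past the rule.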
ITU-T Q.773 Recommendation – Transaction capabilities formats and encoding
Operation Code tag: Local OpCode = 2 (INTEGER), Global OpCode = 6 (OBJECT IDENTIFIER)
Location tracking via Global OpCode
1. PSI (ProvideSubscriberInfo) with Global OpCode tag: malefactor → STP
2. PSI with Global OpCode tag: STP → SS7 FW. The SS7 FW is looking for a Local OpCode. Global OpCodes are ignored.
3. PSI with Global OpCode tag: SS7 FW → MSC/VLR
4. PSI Response (Cell ID): MSC/VLR → STP → malefactor. The VLR replies with the Local OpCode and a requested cell identity.
Equipment of four vendors replies to signaling messages with the Global OpCode.
Voice call interception (MiTM): exploitation of a Double MAP vulnerability
Voice call interception (MiTM)
Stage 1: InsertSubscriberData dialogue
1. InsertSubscriberData Request (IMSI, spoofed billing platform address): malefactor → STP → MSC/VLR
2. InsertSubscriberData Response: MSC/VLR → STP → malefactor
3. TCAP End
Stage 2: call setup
1. InitialDP (IMSI, A-Num, B-Num): MSC/VLR → STP → spoofed billing platform
2. Connect (PBX-Num): spoofed billing platform → STP → MSC/VLR
3. IAM (A-Num, B-Num): MSC/VLR → PBX
SS7 FW against MiTM attack
1. InsertSubscriberData Request (IMSI, spoofed billing platform address): malefactor → STP
2. InsertSubscriberData Request (IMSI, spoofed billing platform address): STP → SS7 FW
The SS7 FW correlates the IMSI and source address and blocks the InsertSubscriberData message. Switzerland ≠ China.
TCAP protocol
• TCAP Message Type — mandatory
• Transaction IDs — mandatory
• Dialogue Portion — optional
• Component Portion — optional
Double MAP component
The Component Portion carries two components, Component 1 and Component 2. The SS7 FW checks a subscriber’s ID in the first component, considering the other data as a long payload not meant to be inspected.
Double MAP in MiTM attack
Nodes: PBX (malefactor’s side), STP, SS7 FW, MSC/VLR.
1. TCAP Begin [DeleteSubscriberData_REQ, InsertSubscriberData_REQ]: PBX → STP. The STP sends the message to the SS7 FW for inspection; the SS7 FW inspects the first component only and forwards the message to the network (MSC/VLR).
2. TCAP Continue [ReturnError]: MSC/VLR → STP → PBX
3. TCAP Continue [InsertSubscriberData_REQ, InsertSubscriberData_REQ]: PBX → STP → SS7 FW → MSC/VLR. The SS7 FW again inspects the first component only and forwards the message to the network.
4. TCAP Continue [ReturnResultLast]: MSC/VLR → STP → PBX
5. TCAP Continue [ReturnResultLast]: MSC/VLR → STP → PBX
6. TCAP End closes the dialogue.
Main issues in SS7 security
• SS7 architecture flaws
• Configuration mistakes
• Software bugs
Conclusion
1. Check if your security tools are effective against new vulnerabilities.
2. Use an intrusion detection solution along with an SS7 firewall in order to detect threats promptly and block a hostile source.
3. Configure your STP and SS7 firewall carefully. Do not forget about malformed Application Context Name and Global OpCodes.
4. Block TCAP Begin messages with double MAP components. We observed only one legal pair: BeginSubscriberActivity + ProcessUnstructuredSS-Data.
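A TCAP Begin pre-screen covering the three structural tricks the deck describes (the malformed ACN, the Global OpCode tag, and the double MAP component), i.e. items 3 and 4 of the conclusion. This is an added example, not the deck's or any firewall product's code. BER tag values follow ITU-T Q.773 and X.690; the ACN prefix, the tolerated component pair and the MAP local opcodes (7 insertSubscriberData, 8 deleteSubscriberData, 45 sendRoutingInfoForSM, 54 beginSubscriberActivity, 19 processUnstructuredSS-Data, from 3GPP TS 29.002) are a hypothetical policy; every sample message is assembled in-line with a small encoder so the checks can be exercised offline.

```python
"""TCAP Begin pre-screen: ACN prefix, opcode tag, component count (added example)."""

# ITU-T Q.773 / X.690 single-byte tags
TCAP_BEGIN, TCAP_OTID, TCAP_DIALOGUE, TCAP_COMPONENTS = 0x62, 0x48, 0x6B, 0x6C
EXTERNAL, SINGLE_ASN1, AARQ = 0x28, 0xA0, 0x60
ACN_TAG = 0xA1               # [1] application-context-name inside an AARQ
INVOKE = 0xA1                # [1] Invoke inside the component portion
INTEGER, OID = 0x02, 0x06    # local opcode is INTEGER (2), global opcode is OBJECT IDENTIFIER (6)

# Hypothetical policy: GSM ACNs start with the arcs the deck lists, and the only tolerated
# double-component Begin is beginSubscriberActivity (54) + processUnstructuredSS-Data (19).
GSM_ACN_PREFIX = (0, 4, 0, 0, 1, 0)
ALLOWED_DOUBLE_PAIRS = {frozenset({54, 19})}


def ber_len(buf, i):
    """Decode a BER length at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def ber_children(buf):
    """Split a constructed value into (tag, contents) pairs; single-byte tags only."""
    out, i = [], 0
    while i < len(buf):
        length, start = ber_len(buf, i + 1)
        out.append((buf[i], buf[start:start + length]))
        i = start + length
    return out


def first(buf, tag):
    """Contents of the first child carrying the given tag, or None."""
    return next((v for t, v in ber_children(buf) if t == tag), None)


def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)


def extract_acn(dialogue):
    """Walk Dialogue Portion -> EXTERNAL -> single-ASN1-type -> AARQ -> [1] ACN -> OID."""
    node = dialogue
    for tag in (EXTERNAL, SINGLE_ASN1, AARQ, ACN_TAG, OID):
        node = first(node, tag) if node is not None else None
    return decode_oid(node) if node else None


def invoke_opcode(invoke):
    """('local', int) or ('global', arcs): the element after invokeID, skipping linkedID [0]."""
    kids = [(t, v) for t, v in ber_children(invoke)[1:] if t != 0x80]
    if not kids:
        return "unknown", None
    tag, value = kids[0]
    if tag == INTEGER:
        return "local", int.from_bytes(value, "big", signed=True)
    return ("global", decode_oid(value)) if tag == OID else ("unknown", None)


def screen_begin(msg):
    """Findings for one TCAP Begin; an empty list means the message passes the pre-screen."""
    if msg[0] != TCAP_BEGIN:
        return ["not a TCAP Begin"]
    length, start = ber_len(msg, 1)
    body = msg[start:start + length]
    findings = []
    dialogue = first(body, TCAP_DIALOGUE)
    acn = extract_acn(dialogue) if dialogue is not None else None
    if acn is None or acn[:len(GSM_ACN_PREFIX)] != GSM_ACN_PREFIX:
        findings.append(f"malformed or missing ACN: {acn}")
    comps = ber_children(first(body, TCAP_COMPONENTS) or b"")
    invokes = [invoke_opcode(v) for t, v in comps if t == INVOKE]
    findings += [f"operation code uses a {kind} tag: {code}" for kind, code in invokes if kind != "local"]
    if len(invokes) > 1:
        codes = frozenset(code for kind, code in invokes if kind == "local")
        if codes not in ALLOWED_DOUBLE_PAIRS:
            findings.append(f"{len(invokes)} components in one Begin: {sorted(codes)}")
    return findings


# --- constructed samples: a minimal BER encoder builds them so they match the decoder ---
def tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(arcs):
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)


def build_begin(acn_arcs, opcodes):
    """Constructed TCAP Begin: AARQ with the given ACN, one Invoke per (tag, value) opcode."""
    aarq = tlv(AARQ, tlv(0x80, b"\x07\x80") + tlv(ACN_TAG, tlv(OID, encode_oid(acn_arcs))))
    dialogue = tlv(TCAP_DIALOGUE, tlv(EXTERNAL, tlv(OID, encode_oid((0, 0, 17, 773, 1, 1, 1))) + tlv(SINGLE_ASN1, aarq)))
    comps = b"".join(tlv(INVOKE, tlv(INTEGER, bytes([n])) + tlv(tag, val) + tlv(0x30, b""))
                     for n, (tag, val) in enumerate(opcodes, 1))
    return tlv(TCAP_BEGIN, tlv(TCAP_OTID, b"\x00\x00\x00\x01") + dialogue + tlv(TCAP_COMPONENTS, comps))


SHORT_MSG_GATEWAY_V3 = (0, 4, 0, 0, 1, 0, 20, 3)   # legitimate ACN from the deck
MALFORMED_ACN = (0, 4, 4, 0, 1, 0, 20, 3)          # third arc altered, as on the deck's slide
SAMPLES = {
    "normal SRI4SM": build_begin(SHORT_MSG_GATEWAY_V3, [(INTEGER, b"\x2d")]),
    "malformed ACN": build_begin(MALFORMED_ACN, [(INTEGER, b"\x2d")]),
    "global opcode": build_begin(SHORT_MSG_GATEWAY_V3, [(OID, encode_oid((1, 2, 3, 4)))]),  # placeholder arcs
    "double MAP": build_begin(SHORT_MSG_GATEWAY_V3, [(INTEGER, b"\x08"), (INTEGER, b"\x07")]),
    "legal pair": build_begin(SHORT_MSG_GATEWAY_V3, [(INTEGER, b"\x36"), (INTEGER, b"\x13")]),
}


def screen_samples():
    return {name: screen_begin(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in screen_samples().items():
        print(f"{name:14s} -> {findings or 'pass'}")
```

The screen deliberately looks at every Invoke in the Component Portion rather than only the first one, and it resolves the ACN from the Dialogue Portion itself instead of trusting the SCCP destination, which is the gap the deck's three flows exploit; the encoder exists only so that the test fixtures are guaranteed to round-trip through the same decoder.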
Thank you!
Sergey Puzankov,
spuzankov@ptsecurity.com
