How to Intercept a Conversation Held on the Other Side of the Planet


  1. 1. How to Intercept a Conversation Held on the Other Side of the Planet
  2. 2. Who we are Sergey Puzankov Dmitry Kurbatov Information Security Specialists Positive Technologies
  3. 3. Denial of Service on Mobile Switching Center Fraud in SS7 network Short Message Interception USSD Money Transfer Subscriber’s Location Voice Call Interception Hot for Mobile network operators Hot for everyone Topics
  4. 4. All of us are subscribers Service Availability Quality of Service Security
  5. 5. Mobile Services Dynamics Voice Mobile Data Traffic
  6. 6. Yesterday: Closed Ecosystems
  7. 7. Today: Unified Technologies
  8. 8. Today: Common Interfaces
  9. 9. Today: IP Connectivity
  10. 10. Today: Widen Borders Get your own femtocell • Hack it • Upload modified firmware • Make a call/SMS interception • Get into IPsec • Get into Core network
  11. 11. Tomorrow: virtualization
  12. 12. SIGTRAN Time Machine Through SIGTRAN back to 1970’s
  13. 13. SS7 SS7 Network HLR A B MSC VLR Gateway MSC Billing SMS-C
  14. 14. SS7 HLRMSC VLR Gateway MSC Billing SMS-C Radio Part A B Cell Phone Base Transceiver Station Base Station Controller
  15. 15. SS7 MSC/VLR HLR A B Gateway MSC Billing SMS-C MSC VLR Mobile Switching Center Visitor Location Register
  16. 16. SS7 Gateway MSC HLR A B MSC VLR Billing SMS-C Gateway MSC Gateway Mobile Switching Center
  17. 17. SS7 SMS-C HLR A B MSC VLR Gateway MSC Billing SMS-C Short Message Service Center
  18. 18. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C Home Location Register HLR
  19. 19. SS7 Billing A B MSC VLR Gateway MSC SMS-C HLR Billing
  20. 20. SS7 IDs HLR A B MSC VLR Gateway MSC Billing SMS-C GT – Global Title 0 123 4567890
  21. 21. SS7 IDs HLR A B MSC VLR Gateway MSC Billing SMS-C GT – Global Title 0 123 4567890 MSISDN – A or B mobile numbers 0 123 4567890
  22. 22. SS7 IDs HLR A B MSC VLR Gateway MSC Billing SMS-C GT – Global Title 0 123 4567890 MSISDN – A or B mobile numbers 0 123 4567890 MSRN – Mobile Subscriber Roaming Number 0 123 4567890
  23. 23. SS7 IDs HLR A B MSC VLR Gateway MSC Billing SMS-C GT – Global Title 0 123 4567890 MSISDN – A or B mobile numbers 0 123 4567890 MSRN – Mobile Subscriber Roaming Number 0 123 4567890 IMSI – International Mobile Subscriber Identity 15 digits
  24. 24. SS7 How to get in? HLR A B MSC VLR Gateway MSC Billing SMS-C
  25. 25. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS Core PS Core IMS Core Networks
  26. 26. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto Access Networks
  27. 27. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX Exchange Points
  28. 28. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support Support
  29. 29. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support IT IT network
  30. 30. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support Internet Internet IT network
  31. 31. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support Internet IT networkTraffic
  32. 32. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support Internet IT networkThreats Attacker Attacker Attacker Attacker AttackerAttacker
  33. 33. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support Internet IT networkThreat Attacker Attacker Attacker Attacker AttackerAttacker
  34. 34. Mobile Switching Center DoS Just like DHCP Starvation
  35. 35. SS7 Collect info HLR Attacker B Gateway MSC We know B-Number 0 123 4567802 MSC VLR
  36. 36. SS7 Collect info HLR Attacker as SMSC B MSC VLR Gateway MSC 1 We know B-Number 0 123 4567802 SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
  37. 37. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC
  38. 38. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits
  39. 39. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits
  40. 40. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Attacker as SMSC
  41. 41. SS7 Make it starve HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits 3 PRN provideRoamingNumber I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits.
  42. 42. SS7 Make it starve HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 3 PRN 4 provideRoamingNumber MSRN 0 123 4560001
  43. 43. SS7 Make it starve HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 3 PRN 4 Default timeouts for MSRN: • Ericsson – 30 sec • Huawei – 45 sec provideRoamingNumber MSRN 0 123 4560001
  44. 44. SS7 Make it starve HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 … MSRN 0 123 4569999 3 PRN 4 provideRoamingNumber I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits. provideRoamingNumber I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits. provideRoamingNumber I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits. … provideRoamingNumber MSRN 0 123 4560001 provideRoamingNumber MSRN 0 123 4560001 provideRoamingNumber MSRN 0 123 4569999 …
  45. 45. SS7 Make it starve HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 … MSRN 0 123 4569999 3 PRN 4 provideRoamingNumber I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits.
  46. 46. SS7 HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 … MSRN 0 123 4569999 3 PRN 4 noRoamingNumberAvailable Make it starve
  47. 47. SS7 HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 … MSRN 0 123 4569999 3 PRN 4 noRoamingNumberAvailable Make it starve
  48. 48. SS7 DoS HLR Attacker as HLR B Gateway MSC Real HLR 10k – 500k MSC VLR
  49. 49. SS7 DoS HLR Attacker as HLR Gateway MSC PRN Real HLR B 10k – 500k MSC VLR 3 provideRoamingNumber I am HLR. My GT 1 321 4568701. Provide MSRN for Subscriber-ANY IMSI 15 digits.
  50. 50. SS7 DoS HLR Attacker as HLR Gateway MSC PRN Real HLR B 10k – 500k MSC VLR 3 4 noRoamingNumberAvailable
  51. 51. SS7 DoS HLR Attacker as HLR Gateway MSC PRN Real HLR B 10k – 500k MSC VLR 3 4 No incoming calls Sad calling party
  52. 52. Fraud in SS7
  53. 53. SS7 SS7 interconnection HLRMSC VLR Gateway MSC Billing SMS-C HLRMSC VLR Gateway MSC Billing SMS-C HLRMSC VLR Gateway MSC Billing SMS-C Trusted environment
  54. 54. Leadership team HLRMSC VLR Gateway MSC Billing SMS-C CEO CSO CMO CCO CLO
  55. 55. Leadership team HLRMSC VLR Gateway MSC Billing SMS-C CEO CSO CMO CCO CLO Really?! Trust them?
  56. 56. Uncharged calls 1) Spoof MSC 2) Initiate «home network» call 3) Forward call anywhere
  57. 57. SS7 Collect info HLR Attacker B MSC VLR Gateway MSC We know B-Number 0 123 4567802 A
  58. 58. SS7 Collect info HLR Attacker as SMSC B MSC VLR Gateway MSC 1 We know B-Number 0 123 4567802 SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802? A
  59. 59. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC A
  60. 60. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits A
  61. 61. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits A
  62. 62. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Attacker as SMSC A
  63. 63. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits. We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits
  64. 64. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits. We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits
  65. 65. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits HLR stores Subscriber-B IMSI 15 digits MSC/VLR 1 321 4567801 4
  66. 66. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits HLR stores Subscriber-B IMSI 15 digits MSC/VLR 1 321 4567801 4 We serve Subscriber-B
  67. 67. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 GatewayMSC knows nothing
  68. 68. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 5 6 sendRoutingInfo Where is Subscriber-B MSISDN 0 123 4567802 = Where is Subscriber-B located?
  69. 69. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 6 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 7 provideSubscriberInfo I am HLR. My GT 0 123 4567800. Provide location for the Subscriber-B.
  70. 70. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 6 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 7 8 provideSubscriberInfo Subscriber-B is in the Home network.
  71. 71. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 6 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 GatewayMSC knows that Subscriber-B is at home. This information will be sent to a billing platform. 7 8 8
  72. 72. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 5 9 sendRoutingInfo Where is Subscriber-B MSISDN 0 123 4567802 located = What is MSRN for Subscriber-B?
  73. 73. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 9 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 provideRoamingNumber I am HLR. My GT 0 123 4567800. Provide MSRN for Subscriber-B IMSI 15 digits. 10
  74. 74. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 9 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 provideRoamingNumber MSRN 53 12345678 10 11
  75. 75. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 9 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 GatewayMSC knows Subscriber-B MSRN 53 12345678 10 11 11
  76. 76. SS7 Forward a call to… Cuba HLR Attacker as MSC B MSC VLR Gateway MSCA 5 9 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 GatewayMSC knows Subscriber-B MSRN 53 12345678 10 11 11 12
  77. 77. SS7 Forward a call to… HLR Attacker as MSC B MSC VLR Gateway MSCA 5 9 provideRoamingNumber MSRN 53 12345678 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 GatewayMSC knows Subscriber-B MSRN 53 12345678 10 11
  78. 78. Who pays? Call from A to B while at “home” = $ 0.05; Call from A to Cuba = $ 1.00
  79. 79. Who pays? Call from A to B while at “home” = $ 0.05; Call from A to Cuba = $ 1.00; $ 1.00 - $ 0.05 = $ 0.95 – Attacker profit
  80. 80. Who pays? Call from A to B while at “home” = $ 0.05; Call from A to Cuba = $ 1.00; $ 1.00 - $ 0.05 = $ 0.95 – Attacker profit. How much Mobile operator loses? Call from MNO to Cuba = $ 0.30
  81. 81. SMS Interception 1) Collect info 2) Spoof MSC 3) Receive incoming SMSs
  82. 82. SS7 Collect info HLR Attacker B MSC VLR Gateway MSC We know B-Number 0 123 4567802 A SMS-C
  83. 83. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802? SMS-C
  84. 84. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits SMS-C
  85. 85. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits. We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits SMS-C
  86. 86. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits HLR stores Subscriber-B IMSI 15 digits MSC/VLR 1 321 4567801 4 We serve Subscriber-B SMS-C
  87. 87. SS7 SMS interception HLR B MSC VLR Gateway MSC 5 Attacker as MSC A SMS-C 5 “Hi, meet at 8pm at Baker Street”
  88. 88. SS7 SMS interception HLR B MSC VLR Gateway MSC 5 6 Attacker as MSC A sendRoutingInfoForSM I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802? SMS-C 5 “Hi, meet at 8pm at Baker Street”
  89. 89. SS7 SMS interception HLR B MSC VLR Gateway MSC 7 5 6 Attacker as MSC A sendRoutingInfoForSM I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 1 321 4567801 Subscriber-B IMSI 15 digits SMS-C 5 “Hi, meet at 8pm at Baker Street” HLR sends Attacker address instead of real MSC!
  90. 90. SS7 SMS interception HLR B MSC VLR Gateway MSC 7 5 6 8 Attacker as MSC A sendRoutingInfoForSM I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 1 321 4567801 Subscriber-B IMSI 15 digits SMS-C 5 “Hi, meet at 8pm at Baker Street” SMS-C routes this SMS to the received address.
  91. 91. SS7 SMS interception HLR B MSC VLR Gateway MSC 7 5 6 8 Attacker as MSC A sendRoutingInfoForSM I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 1 321 4567801 Subscriber-B IMSI 15 digits SMS-C 5 “Hi, meet at 8pm at Baker Street” SMS-C routes this SMS to the received address.
  92. 92. SMS interception 1. SMS chats 2. One time passwords 3. Confirmation codes 4. Password recovery
  93. 93. Money Transfer Using USSD 1) Collect info 2) Request account status 3) Transfer money
  94. 94. SS7 Collect info HLR Attacker B MSC VLR Gateway MSC We know B-Number 0 123 4567802 A
  95. 95. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
  96. 96. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits
  97. 97. SS7 Send USSD 1 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits *100# 3 processUnstructuredSS-Request I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits?
  98. 98. SS7 Send USSD 1 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA processUnstructuredSS-Request I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits? We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Account info. 3 4 processUnstructuredSS-Request Subscriber’s account is $$$$$.
  99. 99. SS7 Send USSD 1 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Account info. 4 processUnstructuredSS-Request Subscriber’s account is $$$$$. processUnstructuredSS-Request I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits? 3
  100. 100. SS7 Send USSD 2 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Account info. *123*01238765400*100# processUnstructuredSS-Request I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account. 5
  101. 101. SS7 Send USSD 2 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Account info. 6 processUnstructuredSS-Request OK. processUnstructuredSS-Request I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account. 5
  102. 102. SS7 Send USSD 2 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Real account info. Subscriber B does not get SMS notification if Attacker combines this attack with the previous one. 6 processUnstructuredSS-Request OK. processUnstructuredSS-Request I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account. 5
  103. 103. SS7 Send USSD 2 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Real account info. Subscriber B does not get SMS notification if Attacker combines this attack with the previous one. 6 processUnstructuredSS-Request OK. processUnstructuredSS-Request I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account. 5
  104. 104. Subscriber Location Discovery 1) Collect info 2) Receive Cell ID 3) Get point on the map
  105. 105. SS7 Collect info HLR Attacker B MSC VLR Gateway MSC We know B-Number 0 123 4567802 A
  106. 106. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
  107. 107. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits
  108. 108. SS7 Get Cell ID HLR Attacker as HLR B MSC VLR Gateway MSC We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits 3 PSI provideSubscriberInfo I am HLR. My GT 1 321 4567801. Provide location for the Subscriber-B.
  109. 109. SS7 Get Cell ID HLR Attacker as HLR B MSC VLR Gateway MSC We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Cell ID 3 PRN 4 provideSubscriberInfo Cell ID. provideSubscriberInfo I am HLR. My GT 1 321 4567801. Provide location for the Subscriber-B.
  110. 110. SS7 Get Cell ID HLR Attacker as HLR B MSC VLR Gateway MSC We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Cell ID 3 PRN 4 provideSubscriberInfo Cell ID. provideSubscriberInfo I am HLR. My GT 1 321 4567801. Provide location for the Subscriber-B. MCC: 250 MNC: 90 LAC: 4A67 CID: 673D
  111. 111. SS7 Get location HLR Attacker as HLR B MSC VLR Gateway MSC We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Cell ID 5 MCC: 250 MNC: 90 LAC: 4A67 CID: 673D Search in Internet physical location by MCC, MNC, LAC, CID
  112. 112. Get location
  113. 113. Get location
  114. 114. Voice Call Interception 1) Collect info 2) Change subscriber profile 3) Add third party into mobile call
  115. 115. SS7 Collect info HLR Attacker B MSC VLR Gateway MSC We know A-Number 0 123 4567802 A Billing
  116. 116. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know A-Number 0 123 4567802 Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-A MSISDN 0 123 4567802? Billing
  117. 117. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Billing sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-A MSISDN 0 123 4567802?
  118. 118. SS7 Collect info HLR Attacker as MSC B MSC VLR Gateway MSCA 3 updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-A IMSI 15 digits. We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Billing
  119. 119. SS7 Collect info HLR Attacker as MSC B MSC VLR Gateway MSCA 3 We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Billing 4 insertSubscriberData Subscriber’s profile: • Allowed/prohibited services • Forwarding settings • Billing platform address updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-A IMSI 15 digits.
  120. 120. SS7 Collect info HLR Attacker as MSC B MSC VLR Gateway MSCA 3 We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 4 updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-A IMSI 15 digits. insertSubscriberData Subscriber’s profile: • Allowed/prohibited services • Forwarding settings • Address of billing platform
  121. 121. SS7 Collect info HLR Attacker as MSC B MSC VLR Gateway MSCA 5 We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing updateLocation I am MSC/VLR. My GT 1 321 4567801. Subscriber-A IMSI 15 digits is served by 0 123 4567803 5
  122. 122. updateLocation I am MSC/VLR. My GT 1 321 4567801. Subscriber-A IMSI 15 digits is served by 0 123 4567803 SS7 Collect info HLR Attacker as MSC B MSC VLR Gateway MSCA 5 We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 5
  123. 123. SS7 Change profile HLR Attacker as HLR B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 6 insertSubscriberData I am HLR. Change profile for Subscriber-A. Billing GT 1 321 4567801.
  124. 124. SS7 Change profile HLR Attacker as HLR B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 6 7 insertSubscriberData OK. insertSubscriberData I am HLR. Change profile for Subscriber-A. Billing GT 1 321 4567801.
  125. 125. SS7 Change profile HLR Attacker as HLR B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 6 7 insertSubscriberData OK. insertSubscriberData I am HLR. Change profile for Subscriber-A. Billing GT 1 321 4567801.
  126. 126. SS7 Change profile HLR Attacker B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 6 7 insertSubscriberData OK. insertSubscriberData I am HLR. Change profile for Subscriber-A. Billing GT 1 321 4567801.
  127. 127. SS7 Call interception HLR Attacker as Billing B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing Subscriber A calls to Subscriber B. 8
  128. 128. SS7 Call interception HLR Attacker as Billing B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 9 9 HLR interrogation procedure: • sendRoutingInfo • provideSubscriberInfo Subscriber A calls to Subscriber B. 8
  129. 129. SS7 Call interception HLR Attacker as Billing B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing InitialDP Start billing . Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805 10 Subscriber A calls to Subscriber B. 8
  130. 130. SS7 Call interception HLR Attacker as Billing B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing InitialDP Start billing . Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805 10 Subscriber A calls to Subscriber B. 8
  131. 131. SS7 Call interception HLR Attacker as Billing B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing Proceed billing. ApplyCharging RequestReportBCSMEvent Connect Reroute call to number 1 321 4567802 InitialDP Start billing . Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805 10 11 Subscriber A calls to Subscriber B. 8
  132. 132. SS7 Call interception HLR Attacker as MSC B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing IAM Continue call. Subscriber-A 0 123 4567802 calls to Subscriber-C 1 321 4567802 12 Subscriber A calls to Subscriber B. 8
  133. 133. SS7 Call interception HLR Attacker as MSC B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing 12 Subscriber A calls to Subscriber B. 8 13 IAM Continue call. Subscriber-A 0 123 4567802 calls to Subscriber-C 1 321 4567802
  134. 134. SS7 Call interception HLR Attacker as MSC B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing IAM Initiate a new call Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805 12 14 Subscriber A calls to Subscriber B. 8 13 IAM Continue call. Subscriber-A 0 123 4567802 calls to Subscriber-C 1 321 4567802
  135. 135. SS7 Call interception HLR Attacker as MSC B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing IAM Initiate a new call Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805 12 14 8 13 15 Subscriber A calls to Subscriber B. IAM Continue call. Subscriber-A 0 123 4567802 calls to Subscriber-C 1 321 4567802
  136. 136. Conclusion SS7 rules Just the tip of the iceberg
  137. 137. The End. Sergey Puzankov Dmitry Kurbatov spuzankov@ptsecurity.com dkurbatov@ptsecurity.com Questions?
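
Seen from the receiving network, the spoofed requests on the slides share one trait: an operation that only the home HLR or a plausible serving MSC/VLR should send arrives from a foreign Global Title. The following Python check is an added example, not part of the presentation; it flags HLR-only operations from a non-home GT, bursts of provideRoamingNumber from one GT, and an updateLocation from abroad shortly after home registration. The event format, IMSI prefix and thresholds are assumptions, and the GTs reuse the slides' placeholder numbers.

```python
from collections import defaultdict, deque

HOME_GT_PREFIX = "01234567"   # home GTs on the slides are 0 123 45678xx
HOME_IMSI_PREFIX = "00101"    # constructed test PLMN; the slides only say "IMSI 15 digits"
# Operations the slides show being sent by an "Attacker as HLR"
HLR_ONLY_OPS = {"provideRoamingNumber", "provideSubscriberInfo", "insertSubscriberData"}
PRN_WINDOW_S = 30             # shortest default MSRN timeout quoted on slide 43
PRN_BURST = 5                 # assumed threshold, tune per network
UL_MIN_GAP_S = 600            # assumed: faster home-to-abroad moves are implausible


def is_home_gt(gt):
    """True when the calling GT belongs to the home network's number range."""
    return gt.replace(" ", "").startswith(HOME_GT_PREFIX)


def analyse(events):
    """Return (ts, rule, calling_gt) alerts for MAP events given as dicts."""
    alerts = []
    prn_times = defaultdict(deque)   # calling GT -> recent PRN request times
    last_home_seen = {}              # IMSI -> last updateLocation from a home VLR
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, op, gt, imsi = ev["ts"], ev["op"], ev["calling_gt"], ev["imsi"]
        foreign = not is_home_gt(gt)
        home_sub = imsi.startswith(HOME_IMSI_PREFIX)

        # A home subscriber's HLR is in the home network, so these operations
        # should never arrive for that subscriber from a foreign GT.
        if op in HLR_ONLY_OPS and foreign and home_sub:
            alerts.append((ts, "hlr-op-from-foreign-gt", gt))

        # Each PRN reserves an MSRN until its timeout; a burst from one GT is
        # the pattern that ends in noRoamingNumberAvailable.
        if op == "provideRoamingNumber":
            window = prn_times[gt]
            window.append(ts)
            while ts - window[0] > PRN_WINDOW_S:
                window.popleft()
            if len(window) == PRN_BURST:
                alerts.append((ts, "prn-burst", gt))

        # Registration abroad minutes after registration at home.
        if op == "updateLocation" and home_sub:
            if foreign:
                seen = last_home_seen.get(imsi)
                if seen is not None and ts - seen < UL_MIN_GAP_S:
                    alerts.append((ts, "implausible-updateLocation", gt))
            else:
                last_home_seen[imsi] = ts
    return alerts


# Constructed sample events (not captured traffic).
IMSI_B = "001010000000001"
FOREIGN_GT = "1 321 4567801"


def _ev(ts, op, gt):
    return {"ts": ts, "op": op, "calling_gt": gt, "imsi": IMSI_B}


SAMPLE_EVENTS = [
    _ev(0, "updateLocation", "0 123 4567803"),        # real home MSC/VLR
    _ev(100, "sendRoutingInfoForSM", FOREIGN_GT),     # not covered by these rules
    _ev(120, "updateLocation", FOREIGN_GT),
    _ev(200, "provideSubscriberInfo", FOREIGN_GT),
    _ev(205, "provideSubscriberInfo", "0 123 4567800"),  # real HLR, no alert
    *[_ev(300 + i, "provideRoamingNumber", FOREIGN_GT) for i in range(5)],
    _ev(400, "provideRoamingNumber", "0 123 4567800"),   # real HLR, no alert
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

The same comparison of calling GT against subscriber home network is what a signalling firewall applies at the interconnect; here it runs over already-decoded records.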
