How to Intercept a Conversation Held on the Other Side of the Planet
Who we are
Sergey Puzankov
Dmitry Kurbatov
Information Security Specialists
Positive Technologies
Denial of Service on Mobile Switching Center
Fraud in SS7 network
Short Message Interception
USSD Money Transfer
Subscribe...
All of us are subscribers
Service Availability
Quality of Service
Security
Mobile Services Dynamics
Voice
Mobile Data Traffic
Yesterday: Closed Ecosystems
Today: Unified Technologies
Today: Common Interfaces
Today: IP Connectivity
Today: Widen Borders
Get your own femtocell
• Hack it
• Upload modified firmware
• Make a call/SMS interception
• Get into...
Tomorrow: virtualization
SIGTRAN
Time Machine
Through SIGTRAN back to 1970’s
SS7 Network
[Diagram, repeated on each of the following slides: SS7 network connecting HLR, MSC/VLR, Gateway MSC, Billing and SMS-C; subscribers A and B]
Radio Part: Cell Phone, Base Transceiver Station, Base Station Controller
MSC/VLR: Mobile Switching Center, Visitor Location Register
Gateway MSC: Gateway Mobile Switching Center
SMS-C: Short Message Service Center
HLR: Home Location Register
Billing
SS7 IDs
[Diagram, repeated on each slide: HLR, MSC/VLR, Gateway MSC, Billing, SMS-C; subscribers A and B]
GT – Global Title 0 123 4567890
MSISDN – A or B mobile numbers 0 123 456...
SS7
How to get in?
[Diagram, built up over the following slides around the SS7 network of HLR, MSC/VLR, Gateway MSC, Billing and SMS-C; subscribers A and B]
Core Networks: CS Core, PS Core, IMS
Access Networks: UTRAN, LTE, Wi-Fi, WiMAX, PON, DSL, Femto
GRX/IPX
Exchange Poin...
OAM
Remote
su...
Mobile Switching Center DoS
Just like DHCP Starvation
SS7
Collect info
[Diagram, repeated across animation frames: Attacker as SMSC, HLR, Gateway MSC, MSC/VLR, subscriber B; message steps 1 and 2]
We know
B-Number 0 123 4567802
SRI4SM sendRoutingInfoForSM
I ...
sendRoutingInfoFor...
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4...
SS7
Make it starve
[Diagram, repeated across animation frames: Attacker as HLR, HLR, Gateway MSC, MSC/VLR, subscriber B]
We know
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
3PR...
MSRN 0 123 4560001...
SS7
DoS
[Diagram, repeated across animation frames: Attacker as HLR, Real HLR, Gateway MSC, MSC/VLR, subscriber B; message steps 3 and 4]
10k – 500k
PRN
provideRoamingNumber
I am HLR.
My GT 1 321 456...
noRoamingNumberAvailable
No incoming calls
Sad calling party
Fraud in SS7
SS7
SS7 interconnection
[Diagram: several operator networks, each with HLR, MSC/VLR, Gateway MSC, Billing and SMS-C]
Leadership team
[Diagram, repeated on two slides: HLR, MSC/VLR, Gateway MSC, Billing, SMS-C]
CEO
CSO CMO CCO
CLO
Really?!
Trust them?
Uncharged calls
1) Spoof MSC
2) Initiate «home network» call
3) Forward call anywhere
SS7
Collect info
[Diagram, repeated across animation frames: Attacker as SMSC, HLR, Gateway MSC, MSC/VLR, subscribers A and B; message steps 1 and 2]
We know
B-Number 0 123 4567802
SRI4SM sendRoutingInfoForSM
I ...
sendRoutingInfoFor...
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4...
SS7
Spoof MSC
[Diagram, repeated across animation frames: Attacker as MSC, HLR, Gateway MSC, MSC/VLR, subscribers A and B; message step 3]
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
I serve Subsc...
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
HLR store...
SS7
Forward a call
[Diagram, repeated across animation frames: Attacker as MSC, HLR, Gateway MSC, MSC/VLR, subscribers A and B; message steps 5, 6 and 9]
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
...
SS7
Forward a call to…
Cuba
provideRoamingNumber
MSRN 53 12345678
HLR stores
Sub...
Who pays?
Call from A to B while at “home” = $ 0.05
Call from A to Cuba = $ 1.00
$ 1.00 - $ 0.05 = $ 0.95 – Attacker profit
Call from to = $ 0.30
SMS Interception
1) Collect info
2) Spoof MSC
3) Receive incoming SMSs
SS7
Collect info
[Diagram, repeated across animation frames: Attacker as SMSC, HLR, Gateway MSC, MSC/VLR, SMS-C, subscribers A and B; message steps 1 and 2]
We know
B-Number 0 123 4567802
SRI4SM sendRoutingI...
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4...
SS7
Spoof MSC
[Diagram, repeated across animation frames: Attacker as MSC, HLR, Gateway MSC, MSC/VLR, subscribers A and B; message step 3]
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
I serve Subsc...
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
HLR store...
SS7
SMS interception
[Diagram, repeated across animation frames: Attacker as MSC, HLR, Gateway MSC, MSC/VLR, SMS-C, subscribers A and B; message steps 5 to 8]
“Hi, meet at 8pm at Baker Street”
sendRoutingInfoForSM
I am SMSC.
My GT 0 123 4567804.
...
SMS interception
1. SMS chats
2. One time passwords
3. Confirmation codes
4. Password recovery
Money Transfer
Using USSD
1) Collect info
2) Request account status
3) Transfer money
SS7
Collect info
[Diagram, repeated across animation frames: Attacker as SMSC, HLR, Gateway MSC, MSC/VLR, subscribers A and B; message steps 1 and 2]
We know
B-Number 0 123 4567802
SRI4SM sendRoutingI...
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4...
SS7
Send USSD 1
[Diagram, repeated across animation frames: Attacker as MSC/VLR, HLR, Gateway MSC, MSC/VLR, subscribers A and B]
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
*100#...
processUnstructuredSS-Request
I am MSC/VLR.
Request how muc...
Accou...
SS7
Send USSD 2
[Diagram, repeated across animation frames: Attacker as MSC/VLR, HLR, Gateway MSC, MSC/VLR, subscribers A and B]
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
Accou...
Real ...
Subscriber Location Discovery
1) Collect info
2) Receive Cell ID
3) Get point on the map
SS7
Collect info
[Diagram, repeated across animation frames: Attacker as SMSC, HLR, Gateway MSC, MSC/VLR, subscribers A and B; message steps 1 and 2]
We know
B-Number 0 123 4567802
SRI4SM sendRoutingI...
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4...
SS7
Get Cell ID
[Diagram, repeated across animation frames: Attacker as HLR, HLR, Gateway MSC, MSC/VLR, subscriber B]
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4...
SS7
Get location
[Diagram: Attacker as HLR, HLR, Gateway MSC, MSC/VLR, subscriber B]
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 ...
Voice Call Interception
1) Collect info
2) Change subscriber profile
3) Add third party into mobile call
SS7
Collect info
[Diagram, repeated across animation frames: Attacker as SMSC, then as MSC; HLR, Gateway MSC, MSC/VLR, Billing, subscribers A and B; message steps 1, 2, 3 and 5]
We know
A-Number 0 123 4567802
SRI4SM
sendRouting...
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4...
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
I serve Su...
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 1...
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
Subscriber-A IMSI 15 digits is served by
0 123 4567803
SS7
Collect info
...
SS7
Change profile
[Diagram, repeated across animation frames: Attacker as HLR, HLR, Gateway MSC, MSC/VLR, subscribers A and B]
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567...
SS7
Call interception
[Diagram, repeated across animation frames: Attacker as Billing, then as MSC; HLR, Gateway MSC, MSC/VLR, subscribers A and B]
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR ...
Conclusion
SS7 rules
Just the tip of the iceberg
The End.
Sergey Puzankov
Dmitry Kurbatov
spuzankov@ptsecurity.com
dkurbatov@ptsecurity.com
Questions?
Published in: Technology, Business
How to Intercept a Conversation Held on the Other Side of the Planet

  1. 1. How to Intercept a Conversation Held on the Other Side of the Planet
  2. 2. Who we are Sergey Puzankov Dmitry Kurbatov Information Security Specialists Positive Technologies
  3. 3. Denial of Service on Mobile Switching Center Fraud in SS7 network Short Message Interception USSD Money Transfer Subscriber’s Location Voice Call Interception Hot for Mobile network operators Hot for everyone Topics
  4. 4. All of us are subscribers Service Availability Quality of Service Security
  5. 5. Mobile Services Dynamics Voice Mobile Data Traffic
  6. 6. Yesterday: Closed Ecosystems
  7. 7. Today: Unified Technologies
  8. 8. Today: Common Interfaces
  9. 9. Today: IP Connectivity
  10. 10. Today: Widen Borders Get your own femtocell • Hack it • Upload modified firmware • Make a call/SMS interception • Get into IPsec • Get into Core network
  11. 11. Tomorrow: virtualization
  12. 12. SIGTRAN Time Machine Through SIGTRAN back to 1970’s
  13. 13. SS7 SS7 Network HLR A B MSC VLR Gateway MSC Billing SMS-C
  14. 14. SS7 HLRMSC VLR Gateway MSC Billing SMS-C Radio Part A B Cell Phone Base Transceiver Station Base Station Controller
  15. 15. SS7 MSC/VLR HLR A B Gateway MSC Billing SMS-C MSC VLR Mobile Switching Center Visitor Location Register
  16. 16. SS7 Gateway MSC HLR A B MSC VLR Billing SMS-C Gateway MSC Gateway Mobile Switching Center
  17. 17. SS7 SMS-C HLR A B MSC VLR Gateway MSC Billing SMS-C Short Message Service Center
  18. 18. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C Home Location Register HLR
  19. 19. SS7 Billing A B MSC VLR Gateway MSC SMS-C HLR Billing
  20. 20. SS7 IDs HLR A B MSC VLR Gateway MSC Billing SMS-C GT – Global Title 0 123 4567890
  21. 21. SS7 IDs HLR A B MSC VLR Gateway MSC Billing SMS-C GT – Global Title 0 123 4567890 MSISDN – A or B mobile numbers 0 123 4567890
  22. 22. SS7 IDs HLR A B MSC VLR Gateway MSC Billing SMS-C GT – Global Title 0 123 4567890 MSISDN – A or B mobile numbers 0 123 4567890 MSRN – Mobile Subscriber Roaming Number 0 123 4567890
  23. 23. SS7 IDs HLR A B MSC VLR Gateway MSC Billing SMS-C GT – Global Title 0 123 4567890 MSISDN – A or B mobile numbers 0 123 4567890 MSRN – Mobile Subscriber Roaming Number 0 123 4567890 IMSI – International Mobile Subscriber Identity 15 digits
  24. 24. SS7 How to get in? HLR A B MSC VLR Gateway MSC Billing SMS-C
  25. 25. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS Core PS Core IMS Core Networks
  26. 26. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto Access Networks
  27. 27. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX Exchange Points
  28. 28. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support Support
  29. 29. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support IT IT network
  30. 30. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support Internet Internet IT network
  31. 31. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support Internet IT networkTraffic
  32. 32. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support Internet IT networkThreats Attacker Attacker Attacker Attacker AttackerAttacker
  33. 33. SS7 HLR A B MSC VLR Gateway MSC Billing SMS-C CS CoreUTRAN PS Core IMS LTE Wi-Fi WiMAX PON DSL Femto GRX/IPX OAM Remote support Internet IT networkThreat Attacker Attacker Attacker Attacker AttackerAttacker
  34. 34. Mobile Switching Center DoS Just like DHCP Starvation
  35. 35. SS7 Collect info HLR Attacker B Gateway MSC We know B-Number 0 123 4567802 MSC VLR
  36. 36. SS7 Collect info HLR Attacker as SMSC B MSC VLR Gateway MSC 1 We know B-Number 0 123 4567802 SRI4SMsendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
  37. 37. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC
  38. 38. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits
  39. 39. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits
  40. 40. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Attacker as SMSC
  41. 41. SS7 Make it starve HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits 3PRNprovideRoamingNumber I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits.
  42. 42. SS7 Make it starve HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 3PRN 4 provideRoamingNumber MSRN 0 123 4560001
  43. 43. SS7 Make it starve HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 3PRN 4 Default timeouts for MSRN: • Ericsson – 30 sec • Huawei – 45 sec provideRoamingNumber MSRN 0 123 4560001
  44. 44. SS7 Make it starve HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 … MSRN 0 123 4569999 3PRN 4 provideRoamingNumber I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits. provideRoamingNumber I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits. provideRoamingNumber I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits.… provideRoamingNumber MSRN 0 123 4560001provideRoamingNumber MSRN 0 123 4560001 provideRoamingNumber MSRN 0 123 4569999…
  45. 45. SS7 Make it starve HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 … MSRN 0 123 4569999 3PRN 4 provideRoamingNumber I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits.
  46. 46. SS7 HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 … MSRN 0 123 4569999 3PRN 4 noRoamingNumberAvailable Make it starve
  47. 47. SS7 HLR Attacker as HLR B MSC VLR Gateway MSC We know MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits MSRN 0 123 4560001 … MSRN 0 123 4569999 3PRN 4 noRoamingNumberAvailable Make it starve
  48. 48. SS7 DoS HLR Attacker as HLR B Gateway MSC Real HLR 10k – 500k MSC VLR
  49. 49. SS7 DoS HLR Attacker as HLR Gateway MSC PRN Real HLR B 10k – 500k MSC VLR 3 provideRoamingNumber I am HLR. My GT 1 321 4568701. Provide MSRN for Subscriber-ANY IMSI 15 digits.
  50. 50. SS7 DoS HLR Attacker as HLR Gateway MSC PRN Real HLR B 10k – 500k MSC VLR 3 4 noRoamingNumberAvailable
  51. 51. SS7 DoS HLR Attacker as HLR Gateway MSC PRN Real HLR B 10k – 500k MSC VLR 3 4 No incoming calls Sad calling party
  52. 52. Fraud in SS7
  53. 53. SS7 SS7 interconnection HLRMSC VLR Gateway MSC Billing SMS-C HLRMSC VLR Gateway MSC Billing SMS-C HLRMSC VLR Gateway MSC Billing SMS-C Trusted environment
  54. 54. Leadership team HLRMSC VLR Gateway MSC Billing SMS-C CEO CSO CMO CCO CLO
  55. 55. Leadership team HLRMSC VLR Gateway MSC Billing SMS-C CEO CSO CMO CCO CLO Really?! Trust them?
  56. 56. Uncharged calls 1) Spoof MSC 2) Initiate «home network» call 3) Forward call anywhere
  57. 57. SS7 Collect info HLR Attacker B MSC VLR Gateway MSC We know B-Number 0 123 4567802 A
  58. 58. SS7 Collect info HLR Attacker as SMSC B MSC VLR Gateway MSC 1 We know B-Number 0 123 4567802 SRI4SMsendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802? A
  59. 59. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC A
  60. 60. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits A
  61. 61. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits A
  62. 62. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Attacker as SMSC A
  63. 63. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits. We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits
  64. 64. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits. We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits
  65. 65. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits HLR stores Subscriber-B IMSI 15 digits MSC/VLR 1 321 4567801 4
  66. 66. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits HLR stores Subscriber-B IMSI 15 digits MSC/VLR 1 321 4567801 4 We serve Subscriber-B
  67. 67. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 GatewayMSC knows nothing
  68. 68. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 5 6 sendRoutingInfo Where is Subscriber-B MSISDN 0 123 4567802 = Where is Subscriber-B located?
  69. 69. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 6 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 7 provideSubscriberInfo I am HLR. My GT 0 123 4567800. Provide location for the Subscriber-B.
  70. 70. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 6 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 7 8 provideSubscriberInfo Subscriber-B is in the Home network.
  71. 71. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 6 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 GatewayMSC knows that Subscriber-B is at home. This information will be sent to a billing platform. 7 8 8
  72. 72. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 5 9 sendRoutingInfo Where is Subscriber-B MSISDN 0 123 4567802 located = What is MSRN for Subscriber-B?
  73. 73. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 9 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 provideRoamingNumber I am HLR. My GT 0 123 4567800. Provide MSRN for Subscriber-B IMSI 15 digits. 10
  74. 74. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 9 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 provideRoamingNumber MSRN 53 12345678 10 11
  75. 75. SS7 Forward a call HLR Attacker as MSC B MSC VLR Gateway MSCA 5 9 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 GatewayMSC knows Subscriber-B MSRN 53 12345678 10 11 11
  76. 76. SS7 Forward a call to… Cuba HLR Attacker as MSC B MSC VLR Gateway MSCA 5 9 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 GatewayMSC knows Subscriber-B MSRN 53 12345678 10 11 11 12
  77. 77. SS7 Forward a call to… HLR Attacker as MSC B MSC VLR Gateway MSCA 5 9 provideRoamingNumber MSRN 53 12345678 HLR stores Subscriber-B MSISDN 0 123 4567802 IMSI 15 digits MSC/VLR 1 321 4567801 GatewayMSC knows Subscriber-B MSRN 53 12345678 10 11
  78. 78. Who pays? Call from A to B while at “home” = $ 0.05 Call from A to Cuba = $ 1.00
  79. 79. Who pays? Call from A to B while at “home” = $ 0.05 Call from A to Cuba = $ 1.00 $ 1.00 - $ 0.05 = $ 0.95 – Attacker profit
  80. 80. Call from to = $ 0.30 Who pays? Call from A to B while at “home” = $ 0.05 Call from A to Cuba = $ 1.00 $ 1.00 - $ 0.05 = $ 0.95 – Attacker profit How much Mobile operator loses? MNO Cuba
  81. 81. SMS Interception 1) Collect info 2) Spoof MSC 3) Receive incoming SMSs
  82. 82. SS7 Collect info HLR Attacker B MSC VLR Gateway MSC We know B-Number 0 123 4567802 A SMS-C
  83. 83. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC A SRI4SMsendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802? SMS-C
  84. 84. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Attacker as SMSC A SRI4SMsendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits SMS-C
  85. 85. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits. We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits SMS-C
  86. 86. SS7 Spoof MSC HLR Attacker as MSC B MSC VLR Gateway MSCA 3 We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits HLR stores Subscriber-B IMSI 15 digits MSC/VLR 1 321 4567801 4 We serve Subscriber-B SMS-C
  87. 87. SS7 SMS interception HLR B MSC VLR Gateway MSC 5 Attacker as MSC A SMS-C 5 “Hi, meet at 8pm at Baker Street”
  88. 88. SS7 SMS interception HLR B MSC VLR Gateway MSC 5 6 Attacker as MSC A sendRoutingInfoForSM I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802? SMS-C 5 “Hi, meet at 8pm at Baker Street”
  89. 89. SS7 SMS interception HLR B MSC VLR Gateway MSC 7 5 6 Attacker as MSC A sendRoutingInfoForSM I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 1 321 4567801 Subscriber-B IMSI 15 digits SMS-C 5 “Hi, meet at 8pm at Baker Street” HLR sends Attacker address instead of real MSC!
  90. 90. SS7 SMS interception HLR B MSC VLR Gateway MSC 7 5 6 8 Attacker as MSC A sendRoutingInfoForSM I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 1 321 4567801 Subscriber-B IMSI 15 digits SMS-C 5 “Hi, meet at 8pm at Baker Street” SMS-C routes this SMS to the received address.
  91. 91. SS7 SMS interception HLR B MSC VLR Gateway MSC 7 5 6 8 Attacker as MSC A sendRoutingInfoForSM I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 1 321 4567801 Subscriber-B IMSI 15 digits SMS-C 5 “Hi, meet at 8pm at Baker Street” SMS-C routes this SMS to the received address.
  92. 92. SMS interception 1. SMS chats 2. One time passwords 3. Confirmation codes 4. Password recovery
  93. 93. Money Transfer Using USSD 1) Collect info 2) Request account status 3) Transfer money
  94. 94. SS7 Collect info HLR Attacker B MSC VLR Gateway MSC We know B-Number 0 123 4567802 A
  95. 95. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC A SRI4SMsendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
  96. 96. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Attacker as SMSC A SRI4SMsendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits
  97. 97. SS7 Send USSD 1 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits *100#3 processUnstructuredSS-Request I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits?
  98. 98. SS7 Send USSD 1 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA processUnstructuredSS-Request I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits? We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Account info. 3 4 processUnstructuredSS-Request Subscriber’s account is $$$$$.
  99. 99. SS7 Send USSD 1 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Account info. 4 processUnstructuredSS-Request Subscriber’s account is $$$$$. processUnstructuredSS-Request I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits? 3
  100. 100. SS7 Send USSD 2 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Account info. *123*01238765400*100# processUnstructuredSS-Request I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account. 5
  101. 101. SS7 Send USSD 2 HLR Attacker as MSC/VLR B MSC VLR Gateway MSCA We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Account info. 6 processUnstructuredSS-Request OK. processUnstructuredSS-Request I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account. 5
  102. 102. SS7 Send USSD 2 HLR Attacker as MSC/VLR B MSC VLR Gateway MSC A We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Real account info. Subscriber B does not get SMS notification if Attacker combines this attack with the previous one. 6 processUnstructuredSS-Request OK. processUnstructuredSS-Request I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account. 5
  103. 103. SS7 Send USSD 2 HLR Attacker as MSC/VLR B MSC VLR Gateway MSC A We know HLR 0 123 4567800 Subscriber-B IMSI 15 digits Real account info. Subscriber B does not get SMS notification if Attacker combines this attack with the previous one. 6 processUnstructuredSS-Request OK. processUnstructuredSS-Request I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account. 5
  104. 104. Subscriber Location Discovery 1) Collect info 2) Receive Cell ID 3) Get point on the map
  105. 105. SS7 Collect info HLR Attacker B MSC VLR Gateway MSC We know B-Number 0 123 4567802 A
  106. 106. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know B-Number 0 123 4567802 Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
  107. 107. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802? sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits
  108. 108. SS7 Get Cell ID HLR Attacker as HLR B MSC VLR Gateway MSC We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits 3 PSI provideSubscriberInfo I am HLR. My GT 1 321 4567801. Provide location for the Subscriber-B.
  109. 109. SS7 Get Cell ID HLR Attacker as HLR B MSC VLR Gateway MSC We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Cell ID 3PRN 4 provideSubscriberInfo Cell ID. provideSubscriberInfo I am HLR. My GT 1 321 4567801. Provide location for the Subscriber-B.
  110. 110. SS7 Get Cell ID HLR Attacker as HLR B MSC VLR Gateway MSC We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Cell ID 3PRN 4 provideSubscriberInfo Cell ID. provideSubscriberInfo I am HLR. My GT 1 321 4567801. Provide location for the Subscriber-B. MCC: 250 MNC: 90 LAC: 4A67 CID: 673D
  111. 111. SS7 Get location HLR Attacker as HLR B MSC VLR Gateway MSC We know B-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-B IMSI 15 digits Cell ID 5 MCC: 250 MNC: 90 LAC: 4A67 CID: 673D Search in Internet physical location by MCC, MNC, LAC, CID
  112. 112. Get location
  113. 113. Get location
  114. 114. Voice Call Interception 1) Collect info 2) Change subscriber profile 3) Add third party into mobile call
  115. 115. SS7 Collect info HLR Attacker B MSC VLR Gateway MSC We know A-Number 0 123 4567802 A Billing
  116. 116. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 SRI4SM We know A-Number 0 123 4567802 Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-A MSISDN 0 123 4567802? Billing
  117. 117. SS7 Collect info HLR B MSC VLR Gateway MSC 1 1 2 2 SRI4SM We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Attacker as SMSC A SRI4SM sendRoutingInfoForSM I am HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Billing sendRoutingInfoForSM I am SMSC. My GT 1 321 4567801. Where is Subscriber-A MSISDN 0 123 4567802?
  118. 118. SS7 Collect info HLR Attacker as MSC B MSC VLR Gateway MSCA 3 updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-A IMSI 15 digits. We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Billing
  119. 119. SS7 Collect info HLR Attacker as MSC B MSC VLR Gateway MSCA 3 We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Billing 4 insertSubscriberData Subscriber’s profile: • Allowed/prohibited services • Forwarding settings • Billing platform address updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-A IMSI 15 digits.
  120. 120. SS7 Collect info HLR Attacker as MSC B MSC VLR Gateway MSCA 3 We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 4 updateLocation I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-A IMSI 15 digits. insertSubscriberData Subscriber’s profile: • Allowed/prohibited services • Forwarding settings • Address of billing platform
  121. 121. SS7 Collect info HLR Attacker as MSC B MSC VLR Gateway MSCA 5 We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing updateLocation I am MSC/VLR. My GT 1 321 4567801. Subscriber-A IMSI 15 digits is served by 0 123 4567803 5
  122. 122. updateLocation I am MSC/VLR. My GT 1 321 4567801. Subscriber-A IMSI 15 digits is served by 0 123 4567803 SS7 Collect info HLR Attacker as MSC B MSC VLR Gateway MSCA 5 We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 5
  123. 123. SS7 Change profile HLR Attacker as HLR B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 6 insertSubscriberData I am HLR. Change profile for Subscriber-A. Billing GT 1 321 4567801.
  124. 124. SS7 Change profile HLR Attacker as HLR B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 6 7 insertSubscriberData OK. insertSubscriberData I am HLR. Change profile for Subscriber-A. Billing GT 1 321 4567801.
  125. 125. SS7 Change profile HLR Attacker as HLR B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 6 7 insertSubscriberData OK. insertSubscriberData I am HLR. Change profile for Subscriber-A. Billing GT 1 321 4567801.
  126. 126. SS7 Change profile HLR Attacker B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 6 7 insertSubscriberData OK. insertSubscriberData I am HLR. Change profile for Subscriber-A. Billing GT 1 321 4567801.
  127. 127. SS7 Call interception HLR Attacker as Billing B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing Subscriber A calls to Subscriber B. 8
  128. 128. SS7 Call interception HLR Attacker as Billing B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing 9 9 HLR interrogation procedure: • sendRoutingInfo • provideSubscriberInfo Subscriber A calls to Subscriber B. 8
  129. 129. SS7 Call interception HLR Attacker as Billing B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 Billing InitialDP Start billing . Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805 10 Subscriber A calls to Subscriber B. 8
  130. 130. SS7 Call interception HLR Attacker as Billing B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing InitialDP Start billing . Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805 10 Subscriber A calls to Subscriber B. 8
  131. 131. SS7 Call interception HLR Attacker as Billing B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing Proceed billing. ApplyCharging RequestReportBCSMEvent Connect Reroute call to number 1 321 4567802 InitialDP Start billing . Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805 10 11 Subscriber A calls to Subscriber B. 8
  132. 132. SS7 Call interception HLR Attacker as MSC B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing IAM Continue call. Subscriber-A 0 123 4567802 calls to Subscriber-C 1 321 4567802 12 Subscriber A calls to Subscriber B. 8
  133. 133. SS7 Call interception HLR Attacker as MSC B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing 12 Subscriber A calls to Subscriber B. 8 13 IAM Continue call. Subscriber-A 0 123 4567802 calls to Subscriber-C 1 321 4567802
  134. 134. SS7 Call interception HLR Attacker as MSC B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing IAM Initiate a new call Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805 12 14 Subscriber A calls to Subscriber B. 8 13 IAM Continue call. Subscriber-A 0 123 4567802 calls to Subscriber-C 1 321 4567802
  135. 135. SS7 Call interception HLR Attacker as MSC B MSC VLR Gateway MSCA We know A-Number 0 123 4567802 HLR 0 123 4567800 MSC/VLR 0 123 4567803 Subscriber-A IMSI 15 digits Subscriber-A profile Billing 0 123 4567808 B-Number 0 123 4567805 Billing IAM Initiate a new call Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805 12 14 8 13 15 Subscriber A calls to Subscriber B. IAM Continue call. Subscriber-A 0 123 4567802 calls to Subscriber-C 1 321 4567802
  136. 136. Conclusion SS7 rules Just the tip of the iceberg
  137. 137. The End. Sergey Puzankov Dmitry Kurbatov spuzankov@ptsecurity.com dkurbatov@ptsecurity.com Questions?
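
Across the slides one external GT (1 321 4567801) presents itself in turn as SMSC, as MSC/VLR and as HLR, and sends HLR-only operations for a home subscriber. The following is an added detection sketch, not part of the original deck, that flags both patterns in a signalling log. The record format, the operation-to-role mapping and the one-role-per-GT rule are assumptions for illustration; the GT values are the illustrative ones from the slides.

```python
from collections import defaultdict

# Role a sender implicitly claims by issuing each MAP operation, as drawn in the slides.
# Assumption: each GT hosts a single role (combined nodes would need an allow-list).
ROLE_OF_OP = {
    "sendRoutingInfoForSM": "SMSC",
    "updateLocation": "MSC/VLR",
    "processUnstructuredSS-Request": "MSC/VLR",
    "provideSubscriberInfo": "HLR",
    "insertSubscriberData": "HLR",
}
HOME_HLR_GT = "01234567800"  # slide value "HLR 0 123 4567800", spaces removed


def analyze(messages):
    """messages: iterable of (calling_gt, operation, imsi_is_home).
    Returns a list of (index, calling_gt, reason) alerts."""
    roles_seen = defaultdict(set)
    alerts = []
    for i, (gt, op, imsi_is_home) in enumerate(messages):
        role = ROLE_OF_OP.get(op)
        if role is None:
            continue  # operation not covered by this sketch
        # Rule 1: HLR-role operations for a home subscriber must come from the home HLR.
        if role == "HLR" and imsi_is_home and gt != HOME_HLR_GT:
            alerts.append((i, gt, f"{op} for home IMSI from a GT that is not the home HLR"))
        # Rule 2: the same GT starts acting in a role it has not used before.
        if roles_seen[gt] and role not in roles_seen[gt]:
            earlier = ", ".join(sorted(roles_seen[gt]))
            alerts.append((i, gt, f"GT now acts as {role}, earlier as {earlier}"))
        roles_seen[gt].add(role)
    return alerts


# Constructed sample log (not captured traffic), following the slide sequence.
SAMPLE = [
    ("01234567804", "sendRoutingInfoForSM", True),   # home SMSC asks the HLR
    ("01234567800", "insertSubscriberData", True),   # home HLR updates the VLR
    ("13214567801", "sendRoutingInfoForSM", True),   # external GT as SMSC
    ("13214567801", "updateLocation", True),         # same GT as MSC/VLR
    ("13214567801", "insertSubscriberData", True),   # same GT as HLR
    ("13214567801", "provideSubscriberInfo", True),  # same GT as HLR again
]

if __name__ == "__main__":
    for idx, gt, reason in analyze(SAMPLE):
        print(idx, gt, reason)
```

The `imsi_is_home` flag keeps rule 1 from firing on inbound roamers, whose own foreign HLR legitimately sends insertSubscriberData and provideSubscriberInfo to the visited VLR.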