Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

DefCamp
Kirill Puzankov
Mobile signaling threats and vulnerabilities - real cases from our experience
Signaling System 7
Signaling System 7 (SS7) is the control plane used for exchanging data between network devices in telecommunications networks.
SS7 provides:
• Call control functions: establish and release
• Subscriber mobility management: roaming possibilities, location-based services, seamless calls for moving subscribers
• Short message service
• Supplementary service control: call forwarding, call waiting, call hold
History of Signaling Security
The state of signaling security has not changed for almost 40 years.
• 1980 – Trusted ecosystem: SS7 network developed. Trusted environment. No security mechanisms in the protocol stack.
• No security: growing number of SS7 interconnections, increasing amount of SS7 traffic. No security policies or restrictions.
• 2000 – Scope grows: SIGTRAN (SS7 over IP) introduced. Number of operators grows. Security is still missing.
• 2018 – Not trusted anymore: huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security.
Innovations of TODAY rely on OBSOLETE technologies from YESTERDAY.
Why SS7 is not secure
[Diagram: operator networks interconnected over SIGTRAN, with IWF/DEA gateways bridging SS7 to Diameter and LTE]
Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world.
Governments and global organizations worried by SS7 security
Mobile operators and SS7 security
• Security assessment
• SS7 firewall
• Security monitoring
• SMS Home Routing
• Security configuration
Research and publications
2014 – Signaling System 7 (SS7) security report
2014 – Vulnerabilities of mobile Internet (GPRS)
2016 – Primary security threats for SS7 cellular networks
2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities)
2017 – Threats to packet core security of 4G network
2018 – SS7 vulnerabilities and attack exposure report
2018 – Diameter vulnerabilities exposure report
SS7 Security Audit. Common Facts and Figures
• Subscribers could be geotracked on 75% of analyzed networks
• Incoming SMS messages could be intercepted in 90% of cases
• Voice calls could be intercepted in 53% of cases

Share of analyzed networks exposed to each threat, by year:
Threat                              2015   2016   2017
Subscriber information disclosure   100%   100%   100%
Network information disclosure      100%    92%    63%
Subscriber traffic interception     100%   100%    89%
Fraud                               100%    85%    78%
Denial of service                   100%   100%   100%
SS7 vs Diameter comparison
4G networks are nearly equally vulnerable.
Signaling Monitoring. Common Facts and Figures
Almost 99% of attacks are connected with disclosing confidential subscriber data.
Network vulnerability statistics: SMS Home Routing
67% of installed SMS Home Routing systems have been bypassed.
The possibility of exploiting some threats in networks with SMS Home Routing installed is greater than in networks without protection.
Network vulnerability statistics: SS7 firewall
Penetration level of SS7 firewalls on mobile networks:
• 2015 — 0%
• 2016 — 7%
• 2017 — 33%
A filtering system alone cannot protect the network thoroughly.
Basic nodes and identifiers
• HLR — Home Location Register
• MSC/VLR — Mobile Switching Center and Visited Location Register
• SMS-C — SMS Centre
• STP — Signaling Transfer Point
• MSISDN — Mobile Subscriber Integrated Services Digital Number
• IMSI — International Mobile Subscriber Identity
• GT — Global Title, address of a core node element
IMSI
An IMSI identifier, by itself, is not valuable to an intruder. But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as:
• Location tracking
• Service disturbance
• SMS interception
• Voice call eavesdropping
The IMSI is considered personal data as per GDPR.
SS7 messages for IMSI retrieval
• SendRoutingInfo, SendIMSI, SendRoutingInfoForLCS: should be blocked on the network border
• SendRoutingInfoForSM: may be blocked on the HLR instead, with SMS Home Routing as the protection tool, since SMS-Cs of other networks legitimately send it to deliver SMS
SMS Home Routing bypass

SMS delivery with no SMS Home Routing in place (SRI4SM: SendRoutingInfoForSM)
1. SMS-C → STP → HLR: SRI4SM Request (MSISDN)
2. HLR → SMS-C: SRI4SM Response (IMSI, MSC address)
3. SMS-C → MSC: MT-SMS (IMSI, SMS text)

SRI4SM abuse by a malefactor
1. Malefactor → STP → HLR: SRI4SM Request (MSISDN)
2. HLR → malefactor: SRI4SM Response (IMSI, MSC address)
The malefactor obtains the subscriber's IMSI and serving MSC address without sending any SMS.

SMS delivery with SMS Home Routing in place
1. SMS-C → STP → SMS Router: SRI4SM Request (MSISDN)
2. SMS Router → SMS-C: SRI4SM Response (fake IMSI, SMS-R address)
3. SMS-C → SMS Router: MT-SMS (fake IMSI, SMS text)
4. SMS Router → HLR: SRI4SM Request (MSISDN)
5. HLR → SMS Router: SRI4SM Response (real IMSI, MSC address)
6. SMS Router → MSC: MT-SMS (real IMSI, SMS text)

SMS Home Routing against malefactors
1. Malefactor → STP → SMS Router: SRI4SM Request (MSISDN)
2. SMS Router → malefactor: SRI4SM Response (fake IMSI, SMS-R address)
The real IMSI and the MSC address stay inside the home network.
Numbering plans
• E.164 – MSISDN and GT: Country Code 40 (Romania) + Network Destination Code 700 + subscriber number, e.g. 40 700 1231237
• E.212 – IMSI: Mobile Country Code 226 (Romania) + Mobile Network Code 99 + subscriber identity, e.g. 226 99 4564567894
• E.214 – Mobile GT: Country Code 40 + Network Destination Code 700 + the subscriber part of the IMSI, e.g. 40 700 4564567894
Rule of GT translation (operator HLR): the E.214 Mobile GT is derived from the IMSI by replacing MCC+MNC with the operator's CC+NDC; the STP translates this GT to the HLR that serves the IMSI.
STP routing table
STP Routing Table (extract, rules evaluated in order):
…
Numbering Plan = E.214 → route by the E.214 Global Title Translation Table: 40 + 700 + 0xxxxxxxxx → HLR 1, 40 + 700 + 4xxxxxxxxx → HLR 2
…
OpCode = SRI4SM → SMS Router
…
An incoming SS7 message is matched against these rules by the STP and forwarded to HLR 1, HLR 2 or the SMS Router.
SendRoutingInfoForSM message
A regular SRI4SM carries the target MSISDN in the SCCP Called Party Address (numbering plan E.164), so it matches the "OpCode = SRI4SM" rule and goes to the SMS Router.

SMS Home Routing bypass attack
1. Malefactor → STP: SRI4SM Request with the SCCP Called Party Address set to an E.214 Mobile GT built from a random IMSI, and the target MSISDN in the MAP parameter
2. STP → HLR 1 or HLR 2: the "Numbering Plan = E.214" rule matches first, so the STP translates the GT through the E.214 Global Title Translation Table (40 + 700 + 0xxxxxxxxx → HLR 1, 40 + 700 + 4xxxxxxxxx → HLR 2) and forwards the request straight to the HLR. The SMS Router is aside.
3. HLR → malefactor: SRI4SM Response (real IMSI, MSC address)
The malefactor needs to guess any IMSI from the HLR serving the target subscriber.
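The numbering-plan rule and the bypass above, as an added example that is not part of the talk and not code from any STP product: a small Python model of the STP routing table from the slide, of the E.212 to E.214 rule of GT translation, and of the rule-ordering fix. The SCCP numbering-plan indicator values (1 = E.164, 7 = E.214) and the MAP operation code 45 for sendRoutingInfoForSM come from ITU-T Q.713 and 3GPP TS 29.002; the MNC 99, the HLR split, the victim's numbers and the message fields are assumptions for illustration.

```python
"""Model of the STP routing table on the slide and the E.214 home-routing bypass.

Added example, not code from the talk or from any STP product. The HLR split,
MNC 99, the victim's numbers and the message representation are assumptions.
"""
from dataclasses import dataclass

SRI4SM = 45                 # MAP operation code sendRoutingInfoForSM (3GPP TS 29.002)
NP_E164, NP_E214 = 1, 7     # SCCP numbering-plan indicator values (ITU-T Q.713)

# E.214 Global Title Translation Table from the slide:
# 40 + 700 + 0xxxxxxxxx -> HLR 1, 40 + 700 + 4xxxxxxxxx -> HLR 2
E214_GTT = (("407000", "HLR1"), ("407004", "HLR2"))


def e212_to_e214(imsi, mcc="226", mnc="99", cc="40", ndc="700"):
    """Operator rule of GT translation: replace MCC+MNC with CC+NDC (ITU-T E.214)."""
    if not imsi.startswith(mcc + mnc):
        raise ValueError("IMSI does not belong to this operator")
    return cc + ndc + imsi[len(mcc + mnc):]


@dataclass(frozen=True)
class Sri4sm:
    called_gt: str    # SCCP Called Party Address digits
    called_np: int    # numbering plan of the called party address
    msisdn: str       # MAP parameter: the subscriber being looked up
    external: bool    # True when the message arrives over an interconnect link
    opcode: int = SRI4SM


def normal_sri4sm(msisdn, external=True):
    """What an SMS-C sends: the MSISDN itself is the SCCP called party (E.164)."""
    return Sri4sm(called_gt=msisdn, called_np=NP_E164, msisdn=msisdn, external=external)


def bypass_sri4sm(msisdn, guessed_imsi):
    """The attack: address the message to the HLR by an E.214 GT built from a guessed
    IMSI, while still asking about the victim's MSISDN in the MAP layer."""
    return Sri4sm(called_gt=e212_to_e214(guessed_imsi), called_np=NP_E214,
                  msisdn=msisdn, external=True)


def route_as_on_slide(msg):
    """Routing table in slide order: the E.214 rule is evaluated before the OpCode rule."""
    if msg.called_np == NP_E214:
        for prefix, hlr in E214_GTT:
            if msg.called_gt.startswith(prefix):
                return hlr
        return "DROP"                       # no translation entry for this GT
    if msg.opcode == SRI4SM:
        return "SMS_ROUTER"
    return "HLR1"                           # assumed default for other traffic


def route_hardened(msg):
    """Fix: an SRI4SM from the interconnect goes to the SMS Router no matter how its
    SCCP called party address is encoded. The SMS Router's own SRI4SM towards the HLR
    is internal, so it still reaches the HLR through the E.214 rule."""
    if msg.external and msg.opcode == SRI4SM:
        return "SMS_ROUTER"
    return route_as_on_slide(msg)


def demo():
    """Victim IMSI 226 99 4564567894 is held by HLR 2; the attacker only needs some IMSI
    whose E.214 form translates to the same HLR."""
    victim_msisdn = "407001231237"
    guessed_imsi = "226994000000000"        # any 226 99 4... IMSI lands on HLR 2
    legit = normal_sri4sm(victim_msisdn)
    attack = bypass_sri4sm(victim_msisdn, guessed_imsi)
    internal = Sri4sm(called_gt=e212_to_e214("226994564567894"), called_np=NP_E214,
                      msisdn=victim_msisdn, external=False)   # SMS Router -> HLR
    return {
        "legit_on_slide": route_as_on_slide(legit),
        "attack_on_slide": route_as_on_slide(attack),
        "attack_hardened": route_hardened(attack),
        "internal_hardened": route_hardened(internal),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:18s} -> {target}")
```

The point of `route_hardened` is that the routing decision for an inbound SRI4SM is taken on the operation code and the origin of the link, never on how the attacker chose to encode the SCCP called party address; any rule that lets a numbering-plan match win over the SMS Router rule recreates the bypass.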
Another way to bypass the Home Router

SMS Home Routing detection (determining whether it is in place)
1. Malefactor → STP: SRI4SM Request (MSISDN)
2. STP → SMS Router: SRI4SM Request (MSISDN)
3. SMS Router → malefactor: SRI4SM Response (fake IMSI, SMS-R address)
Different IMSIs returned for the same MSISDN mean the SMS Home Routing procedure is involved.
TCAP – Transaction Capabilities Application Part
• TCAP Message Type: Begin, Continue, End, Abort
• Transaction IDs: Source and/or Destination IDs
• Dialogue Portion: Application Context Name (ACN), ACN Version
• Component Portion: Operation Code, Payload
The Application Context Name corresponds to a respective Operation Code.

Application Context (shortMsgGatewayContext-v3, OID 0.4.0.0.1.0.20.3)
0 – CCITT
4 – Identified Organization
0 – ETSI
0 – Mobile Domain
1 – GSM/UMTS Network
0 – Application Context ID
20 – ShortMsgGateway
3 – Version 3
Application Context change
The ETSI arc of the OID is replaced with an unknown value, 0.4.0.0.1.0.20.3 → 0.4.x.0.1.0.20.3:
0 – CCITT
4 – Identified Organization
x – Unknown (was 0 – ETSI)
0 – Mobile Domain
1 – GSM/UMTS Network
0 – Application Context ID
20 – ShortMsgGateway
3 – Version 3
SMS Home Routing bypass with malformed Application Context
1. Malefactor → STP → HLR: SRI4SM Request (MSISDN) with the malformed ACN. The request is not diverted to the SMS Router (the SMS Router is aside) and reaches the HLR directly.
2. HLR → malefactor: SRI4SM Response (real IMSI, MSC address). The HLR processes the operation despite the unknown application context.
Equal IMSIs returned for the same MSISDN mean the SMS Home Routing solution is absent or not involved.
Firewall bypass

SS7 firewall: typical deployment scheme
1. SS7 message → STP
2. STP → SS7 firewall: the message is handed over for inspection
3. STP → HLR: the message is forwarded if the firewall allows it
SS7 firewall blocking SendRoutingInfo (SRI)
1. Malefactor → STP: SRI Request (MSISDN)
2. STP → SS7 firewall: SRI Request (MSISDN). The message is blocked.
SS7 firewall bypass with malformed Application Context
1. Malefactor → STP: SRI Request (MSISDN) with the malformed ACN (the ETSI arc replaced by an unknown value, the same Application Context change as above)
2. STP → HLR: SRI Request (MSISDN) with the malformed ACN. The STP does not pass the request through the SS7 firewall; the SS7 firewall is aside.
3. HLR → malefactor: SRI Response (IMSI, …)
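Both malformed-ACN bypasses, the one against SMS Home Routing and the one against the SS7 firewall above, rely on a filter that keys its decision on an Application Context Name it recognises and lets an OID it does not recognise take the default path. The following is an added example, not code from the talk or from any firewall product: it decodes the BER-encoded OBJECT IDENTIFIER of a MAP ACN and places a rule that matches only the exact shortMsgGateway OID beside a check that rejects anything outside the GSM-MAP arc, any unknown context, and any operation code that does not belong to the declared context. The OID 0.4.0.0.1.0.20.3 and ac-Id 20 are from the slide; ac-Ids 5 (locationInfoRetrieval) and 29 (anyTimeInfoEnquiry) and the operation codes 22, 45 and 71 are from 3GPP TS 29.002 as recalled by the author of this example, so verify them against the spec before using them in a rule set. The sample ACN byte strings are constructed.

```python
"""Decode a MAP Application Context Name (BER OBJECT IDENTIFIER) and check it.

Added example, not code from the talk or from any SS7 firewall. The context table is
a partial extract of 3GPP TS 29.002 as recalled by the author of this example.
"""

# ccitt(0) identified-organization(4) etsi(0) mobileDomain(0) gsm-Network(1) ac-Id(0)
GSM_MAP_ARC = (0, 4, 0, 0, 1, 0)

# application-context-id -> (name, operation codes that may appear under it)
MAP_CONTEXTS = {
    5:  ("locationInfoRetrievalContext", {22}),   # sendRoutingInfo
    20: ("shortMsgGatewayContext", {45}),         # sendRoutingInfoForSM
    29: ("anyTimeInfoEnquiryContext", {71}),      # anyTimeInterrogation
}

SHORT_MSG_GATEWAY_V3 = "0.4.0.0.1.0.20.3"


def decode_oid(der):
    """Decode a short-form BER/DER OBJECT IDENTIFIER into dotted notation."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated last arc")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:                 # continuation bit: more base-128 digits follow
            continue
        if not arcs:                    # first byte packs the first two arcs
            first = 0 if value < 40 else 1 if value < 80 else 2
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))


def acn_match_rule(acn_der):
    """Rule that recognises a message by the exact shortMsgGateway OID, the way a
    home-routing diversion or a firewall block rule keyed on the ACN would. An unknown
    or undecodable ACN does not match, so the message takes the default path."""
    try:
        return "MATCH" if decode_oid(acn_der) == SHORT_MSG_GATEWAY_V3 else "NO_MATCH"
    except ValueError:
        return "NO_MATCH"


def check_acn(acn_der, opcode):
    """Hardened check: the ACN must sit in the GSM-MAP arc, be a known context, and
    agree with the operation code in the component portion (None = no component)."""
    try:
        arcs = tuple(int(a) for a in decode_oid(acn_der).split("."))
    except ValueError as exc:
        return f"BLOCK: undecodable ACN ({exc})"
    if len(arcs) != 8 or arcs[:6] != GSM_MAP_ARC:
        return "BLOCK: ACN outside the GSM-MAP arc"
    ac_id, version = arcs[6], arcs[7]
    if ac_id not in MAP_CONTEXTS:
        return f"BLOCK: unknown application-context-id {ac_id}"
    name, allowed = MAP_CONTEXTS[ac_id]
    if opcode is not None and opcode not in allowed:
        return f"BLOCK: opcode {opcode} is not valid under {name}-v{version}"
    return f"ALLOW: {name}-v{version}"


# Constructed samples: a genuine shortMsgGatewayContext-v3 and the slide's variant
# with the ETSI arc replaced by 1 (0.4.1.0.1.0.20.3).
GOOD_ACN = bytes.fromhex("060704000001001403")
MALFORMED_ACN = bytes.fromhex("060704010001001403")

if __name__ == "__main__":
    for label, acn in (("good", GOOD_ACN), ("malformed", MALFORMED_ACN)):
        print(label, decode_oid(acn), "| ACN-only rule:", acn_match_rule(acn),
              "| hardened:", check_acn(acn, 45))
```

Run stand-alone, the script shows the malformed ACN falling through `acn_match_rule` with NO_MATCH while `check_acn` blocks it, and the genuine ACN passing `check_acn` only when the operation code is the one the context defines. The decoder deliberately refuses long-form lengths and a trailing continuation byte; a filter that silently accepted either would give the attacker another way to produce an OID that the HLR decodes but the rule engine does not.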
Tricky location tracking

SMS delivery
1. MSC 1 → SMS-C: MO-ForwardSM (A-Num, B-Num)
2. SMS-C → HLR: SRI4SM (B-Num)
3. HLR → SMS-C: SRI4SM response (IMSI, MSC 2)
4. SMS-C → MSC 2: MT-ForwardSM (A-Num, IMSI)
5. MSC 2 → SMS-C → MSC 1: ReturnResultLast

SMS spam through SS7
The spammer needs neither MSC 1 nor a real SMS-C: acting as an SMS-C, it sends SRI4SM (B-Num) to the HLR, receives the IMSI and the MSC 2 address, sends MT-ForwardSM (A-Num, IMSI) to MSC 2 and receives ReturnResultLast.

TCAP handshake as a protection measure
1. MSC 1 → SMS-C: TCAP Begin, ACN = MoSMRelay, no component
2. SMS-C → MSC 1: TCAP Continue
3. MSC 1 → SMS-C: MO-ForwardSM (A-Num, B-Num)
4. SMS-C → HLR: SRI4SM (B-Num)
5. HLR → SMS-C: SRI4SM response (IMSI, MSC 2)
6. SMS-C → MSC 2: TCAP Begin, ACN = MtSMRelay, no component
7. MSC 2 → SMS-C: TCAP Continue
8. SMS-C → MSC 2: MT-ForwardSM (A-Num, IMSI)
9. MSC 2 → SMS-C → MSC 1: ReturnResultLast
The operation is sent only after the peer has answered the empty TCAP Begin, so a sender that spoofs another node's address never receives the Continue and cannot deliver the message.
Location retrieval for intelligent network services
1. IN → HLR: AnyTimeInterrogation (MSISDN)
2. HLR → MSC/VLR: ProvideSubscriberInfo (IMSI)
3. MSC/VLR → HLR: ProvideSubscriberInfo response (Cell ID)
4. HLR → IN: AnyTimeInterrogation response (Cell ID)
The AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive the identity of the serving cell in order to perform a location-based service. This message is allowed for internal operations only. It should be prohibited in external connections.

Blocking an illegitimate location request
1. Malefactor → STP: AnyTimeInterrogation (MSISDN)
2. STP → SS7 firewall: AnyTimeInterrogation (MSISDN). The message is blocked.
TCAP handshake exploit
Is it possible to encapsulate a malformed location request into the protection mechanism and receive the result?

SS7 firewall: bypass within a TCAP handshake
1. Malefactor → STP → HLR: TCAP Begin, ACN = AnyTimeInfoEnquiry, with an empty component portion. The AnyTimeInfoEnquiry context is the one used by the AnyTimeInterrogation operation, which responds with the serving Cell identity and so gives the subscriber's location to within ~100 meters. Because the incoming message does not contain an operation code, the STP does not send it to the SS7 firewall for inspection.
2. HLR → malefactor: TCAP Continue
3. Malefactor → STP → HLR: AnyTimeInterrogation (MSISDN) encapsulated in a TCAP Continue instead of the normal TCAP Begin. The STP routes this message to the node involved in the initial transaction, so the SS7 firewall is aside.
4. HLR → MSC/VLR: ProvideSubscriberInfo (IMSI); MSC/VLR → HLR: Cell ID
5. HLR → malefactor: AnyTimeInterrogation result (Cell ID) in a TCAP End
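The flow above turns on two details: the STP hands the firewall only a TCAP Begin that carries a component, and the firewall rule keys on the operation code alone. Below is an added example, not code from the talk or from any STP or firewall vendor, that replays the exchange against a model of that deployment and against a dialogue-tracking filter that sees every inbound message, refuses to open an inbound dialogue under a context reserved for internal use, and applies the operation-code rule to Continue and End as well as to Begin. The OIDs and operation codes follow 3GPP TS 29.002 as recalled by the author of this example (anyTimeInfoEnquiryContext-v3 = 0.4.0.0.1.0.29.3, shortMsgGatewayContext-v3 = 0.4.0.0.1.0.20.3, anyTimeInterrogation = 71, sendRoutingInfoForSM = 45); the transaction IDs and the message traces are constructed.

```python
"""Replay the TCAP-handshake firewall bypass against two inspection models.

Added example, not code from the talk or from any STP/firewall product. Transaction
IDs and message traces are constructed; OIDs and opcodes follow 3GPP TS 29.002.
"""
from __future__ import annotations
from dataclasses import dataclass

ATI, SRI4SM = 71, 45
ANY_TIME_INFO_ENQUIRY_V3 = "0.4.0.0.1.0.29.3"
SHORT_MSG_GATEWAY_V3 = "0.4.0.0.1.0.20.3"

# Operations and dialogue contexts that must never be accepted from an interconnect
BLOCKED_INBOUND_OPCODES = {ATI}
BLOCKED_INBOUND_ACNS = {ANY_TIME_INFO_ENQUIRY_V3}


@dataclass(frozen=True)
class Tcap:
    msg_type: str               # "Begin", "Continue", "End" or "Abort"
    otid: str | None            # originating transaction ID (Begin, Continue)
    dtid: str | None            # destination transaction ID (Continue, End, Abort)
    acn: str | None             # dialogue portion: Application Context Name
    opcodes: tuple              # operation codes in the component portion
    inbound: bool               # True when entering the home network from outside


class OpcodeFirewall:
    """Rule as deployed on the slide: block anyTimeInterrogation from the interconnect."""

    def verdict(self, m):
        if m.inbound and BLOCKED_INBOUND_OPCODES & set(m.opcodes):
            return "BLOCK: anyTimeInterrogation from interconnect"
        return "ALLOW"


class DialogueFirewall:
    """Tracks inbound dialogues by transaction ID so the rule applies to every message."""

    def __init__(self):
        self.inbound = {}        # external party's TID -> ACN declared in its Begin
        self.home_tid = {}       # home node's TID -> external party's TID

    def verdict(self, m):
        if not m.inbound:
            # Learn the home node's TID from its reply so an inbound End/Abort, which
            # carries only our TID, can still be tied to the dialogue.
            if m.otid and m.dtid in self.inbound:
                self.home_tid[m.otid] = m.dtid
            return "ALLOW: outbound"
        ext_tid = m.otid if m.msg_type in ("Begin", "Continue") else self.home_tid.get(m.dtid)
        if m.msg_type == "Begin":
            self.inbound[ext_tid] = m.acn
        acn = self.inbound.get(ext_tid)
        if acn in BLOCKED_INBOUND_ACNS:
            return f"BLOCK: TCAP {m.msg_type} in a dialogue opened with {acn}"
        hit = BLOCKED_INBOUND_OPCODES & set(m.opcodes)
        if hit:
            return f"BLOCK: opcode {min(hit)} carried in TCAP {m.msg_type}"
        if m.msg_type in ("End", "Abort"):
            self.inbound.pop(ext_tid, None)
        return "ALLOW"


def run(messages, firewall, inspect_all):
    """Verdict per message. With inspect_all=False the STP hands the firewall only a
    TCAP Begin that carries a component, as in the deployment on the slide."""
    out = []
    for m in messages:
        if not inspect_all and not (m.msg_type == "Begin" and m.opcodes):
            out.append("ALLOW: not inspected")
        else:
            out.append(firewall.verdict(m))
    return out


# Constructed trace of the bypass: empty Begin, HLR's Continue, then ATI inside Continue
ATTACK = (
    Tcap("Begin", "a1", None, ANY_TIME_INFO_ENQUIRY_V3, (), inbound=True),
    Tcap("Continue", "h7", "a1", ANY_TIME_INFO_ENQUIRY_V3, (), inbound=False),
    Tcap("Continue", "a1", "h7", None, (ATI,), inbound=True),
    Tcap("End", None, "a1", None, (ATI,), inbound=False),     # result with Cell ID
)

# Constructed legitimate inbound traffic: an SMS-C querying routing info for an MT-SMS
LEGIT = (
    Tcap("Begin", "b2", None, SHORT_MSG_GATEWAY_V3, (SRI4SM,), inbound=True),
    Tcap("End", None, "b2", None, (SRI4SM,), inbound=False),
)


def attack_reaches_hlr(verdicts):
    """The bypass succeeds if no message of the trace was blocked."""
    return not any(v.startswith("BLOCK") for v in verdicts)


if __name__ == "__main__":
    print("slide deployment :", run(ATTACK, OpcodeFirewall(), inspect_all=False))
    print("inline, stateless:", run(ATTACK, OpcodeFirewall(), inspect_all=True))
    print("inline, dialogue :", run(ATTACK, DialogueFirewall(), inspect_all=True))
    print("legit, dialogue  :", run(LEGIT, DialogueFirewall(), inspect_all=True))
```

Two independent fixes fall out of the replay: placing the firewall so it sees every inbound TCAP message (`inspect_all=True`) already lets the original opcode rule catch the AnyTimeInterrogation in the Continue, and tracking dialogues by transaction ID lets the filter refuse the empty Begin itself, since an interconnect peer has no legitimate reason to open an anyTimeInfoEnquiry dialogue at all.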
Main problems
• Architecture flaws
• Configuration mistakes
• Software bugs

Things to remember
1. Deploying a security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed.
2. Test the network. Penetration testing is a good practice for discovering many vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them.
3. Know the perimeter. Continuous security monitoring enables a mobile operator to know which vulnerabilities are being exploited and, therefore, to protect the network.
Thank you!
ptsecurity.com
Kirill Puzankov kpuzankov@ptsecurity.com
1 of 62

Recommended

Attacks you can't combat: vulnerabilities of most robust MNOs by
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
350 views51 slides
Worldwide attacks on SS7/SIGTRAN network by
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
39.9K views50 slides
Worldwide attacks on SS7 network by
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 networkAlexandre De Oliveira
1.1K views50 slides
How to Intercept a Conversation Held on the Other Side of the Planet by
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetPositive Hack Days
137.4K views140 slides
Telecom under attack: demo of fraud scenarios and countermeasures by
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresPositiveTechnologies
271 views29 slides
High-level architecture of Mobile Cellular Networks from 2G to 5G by
High-level architecture of Mobile Cellular Networks from 2G to 5GHigh-level architecture of Mobile Cellular Networks from 2G to 5G
High-level architecture of Mobile Cellular Networks from 2G to 5G3G4G
28.6K views10 slides

More Related Content

What's hot

SS7 Vulnerabilities by
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 VulnerabilitiesPositiveTechnologies
2.8K views15 slides
Complete umts call flow by
Complete umts call flowComplete umts call flow
Complete umts call flowsivakumar D
18.2K views4 slides
Core cs overview (1) by
Core cs overview (1)Core cs overview (1)
Core cs overview (1)Rashid Khan
2.5K views46 slides
IMS + VoLTE Overview by
IMS + VoLTE OverviewIMS + VoLTE Overview
IMS + VoLTE OverviewHamidreza Bolhasani
4.1K views49 slides
Introduction to Mobile Core Network by
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Networkyusufd
112.9K views35 slides
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network by
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core NetworkHamidreza Bolhasani
4.5K views104 slides

What's hot(20)

Complete umts call flow by sivakumar D
Complete umts call flowComplete umts call flow
Complete umts call flow
sivakumar D18.2K views
Core cs overview (1) by Rashid Khan
Core cs overview (1)Core cs overview (1)
Core cs overview (1)
Rashid Khan2.5K views
Introduction to Mobile Core Network by yusufd
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Network
yusufd112.9K views
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network by Hamidreza Bolhasani
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
Hamidreza Bolhasani4.5K views
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or... by Alejandro Corletti Estrada
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
VoLTE Flows and CS network by Karel Berkovec
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS network
Karel Berkovec37.9K views
Attacking GRX - GPRS Roaming eXchange by P1Security
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security 8.4K views
Telecom security from ss7 to all ip all-open-v3-zeronights by P1Security
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
P1Security 5.3K views
Telecom incidents investigation: daily work behind the scenes by PositiveTechnologies
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenes
Simplified Call Flow Signaling: Registration - The Attach Procedure by 3G4G
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure
3G4G7.9K views
LTE network: How it all comes together architecture technical poster by David Swift
LTE network: How it all comes together architecture technical posterLTE network: How it all comes together architecture technical poster
LTE network: How it all comes together architecture technical poster
David Swift3K views

Similar to Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

Computaris SS7 Firewall by
Computaris SS7 FirewallComputaris SS7 Firewall
Computaris SS7 FirewallComputaris
6.7K views23 slides
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf by
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSPY24
32 views2 slides
Небезопасность сотовых сетей вчера, сегодня, завтра by
Небезопасность сотовых сетей вчера, сегодня, завтраНебезопасность сотовых сетей вчера, сегодня, завтра
Небезопасность сотовых сетей вчера, сегодня, завтраPositive Hack Days
415 views45 slides
Rk 3 gsm network @guddu by
Rk 3 gsm network @gudduRk 3 gsm network @guddu
Rk 3 gsm network @guddusarojsatpathy49
320 views40 slides
Rk 3 gsm network by
Rk 3 gsm networkRk 3 gsm network
Rk 3 gsm networkAzri Randy
463 views40 slides
GSM Network by
GSM NetworkGSM Network
GSM Networknareshkingster
12.9K views28 slides

Similar to Mobile signaling threats and vulnerabilities - real cases and statistics from our experience(20)

Computaris SS7 Firewall by Computaris
Computaris SS7 FirewallComputaris SS7 Firewall
Computaris SS7 Firewall
Computaris6.7K views
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf by SPY24
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SPY2432 views
Небезопасность сотовых сетей вчера, сегодня, завтра by Positive Hack Days
Небезопасность сотовых сетей вчера, сегодня, завтраНебезопасность сотовых сетей вчера, сегодня, завтра
Небезопасность сотовых сетей вчера, сегодня, завтра
Positive Hack Days415 views
Rk 3 gsm network by Azri Randy
Rk 3 gsm networkRk 3 gsm network
Rk 3 gsm network
Azri Randy463 views
Gsm.....ppt by balu008
Gsm.....pptGsm.....ppt
Gsm.....ppt
balu008162.2K views
Signaling network vulnerabilities exposed, protection strategies for operator... by Xura
Signaling network vulnerabilities exposed, protection strategies for operator...Signaling network vulnerabilities exposed, protection strategies for operator...
Signaling network vulnerabilities exposed, protection strategies for operator...
Xura805 views
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej by PROIDEA
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowejPLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PROIDEA27 views
Ussd call back or UCB by Rawand Jaf
Ussd call back or UCBUssd call back or UCB
Ussd call back or UCB
Rawand Jaf2K views
SS7: Locate. Track. Manipulate. by 3G4G
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.
3G4G16K views
Fighting telecom fraud. Explaining SMS SS7 fraud by Martyn Sukys
Fighting telecom fraud. Explaining SMS SS7 fraudFighting telecom fraud. Explaining SMS SS7 fraud
Fighting telecom fraud. Explaining SMS SS7 fraud
Martyn Sukys205 views
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks by Omer Coskun
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
Omer Coskun1.4K views
LTE Masterclass: “Signaling network vulnerabilities and protection strategies... by Xura
LTE Masterclass: “Signaling network vulnerabilities and protection strategies...LTE Masterclass: “Signaling network vulnerabilities and protection strategies...
LTE Masterclass: “Signaling network vulnerabilities and protection strategies...
Xura528 views

More from DefCamp

Remote Yacht Hacking by
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
1.7K views89 slides
Mobile, IoT, Clouds… It’s time to hire your own risk manager! by
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
974 views167 slides
The Charter of Trust by
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
558 views24 slides
Internet Balkanization: Why Are We Raising Borders Online? by
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
309 views22 slides
Bridging the gap between CyberSecurity R&D and UX by
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
260 views13 slides
Secure and privacy-preserving data transmission and processing using homomorp... by
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
470 views102 slides

More from DefCamp(20)

Remote Yacht Hacking by DefCamp
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
DefCamp1.7K views
Mobile, IoT, Clouds… It’s time to hire your own risk manager! by DefCamp
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
DefCamp974 views
The Charter of Trust by DefCamp
The Charter of TrustThe Charter of Trust
The Charter of Trust
DefCamp558 views
Internet Balkanization: Why Are We Raising Borders Online? by DefCamp
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
DefCamp309 views
Bridging the gap between CyberSecurity R&D and UX by DefCamp
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
DefCamp260 views
Secure and privacy-preserving data transmission and processing using homomorp... by DefCamp
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
DefCamp470 views
Drupalgeddon 2 – Yet Another Weapon for the Attacker by DefCamp
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
DefCamp269 views
Economical Denial of Sustainability in the Cloud (EDOS) by DefCamp
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
DefCamp254 views
Trust, but verify – Bypassing MFA by DefCamp
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
DefCamp323 views
Threat Hunting: From Platitudes to Practical Application by DefCamp
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
DefCamp218 views
Building application security with 0 money down by DefCamp
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
DefCamp179 views
Implementation of information security techniques on modern android based Kio... by DefCamp
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
DefCamp215 views
Lattice based Merkle for post-quantum epoch by DefCamp
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
DefCamp241 views
The challenge of building a secure and safe digital environment in healthcare by DefCamp
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
DefCamp323 views
Timing attacks against web applications: Are they still practical? by DefCamp
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
DefCamp258 views
Tor .onions: The Good, The Rotten and The Misconfigured by DefCamp
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
DefCamp816 views
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t... by DefCamp
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
DefCamp294 views
We will charge you. How to [b]reach vendor’s network using EV charging station. by DefCamp
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
DefCamp443 views
Connect & Inspire Cyber Security by DefCamp
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
DefCamp290 views
The lions and the watering hole by DefCamp
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
DefCamp225 views

Recently uploaded

Microsoft Power Platform.pptx by
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptxUni Systems S.M.S.A.
61 views38 slides
Scaling Knowledge Graph Architectures with AI by
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AIEnterprise Knowledge
50 views15 slides
Special_edition_innovator_2023.pdf by
Special_edition_innovator_2023.pdfSpecial_edition_innovator_2023.pdf
Special_edition_innovator_2023.pdfWillDavies22
18 views6 slides
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by
Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

  • 1. Kirill Puzankov. Mobile signaling threats and vulnerabilities - real cases from our experience
  • 2. Signaling System 7. Signaling System 7 (SS7) is the control plane that is used for exchanging data between network devices in telecommunications networks. SS7 introduces:
    • Call control functions: establish and release
    • Subscriber mobility management: roaming possibilities, location-based services, seamless calls for moving subscribers
    • Short message service
    • Supplementary service control: call forwarding, call waiting, call hold
  • 3. History of Signaling Security. The state of signaling security has not changed for almost 40 years (timeline from 1980 through 2000 to 2018, captioned "Trusted ecosystem", "No security", "Scope grows", "Not trusted anymore"):
    • SS7 network developed. Trusted environment. No security mechanisms in the protocol stack.
    • SIGTRAN (SS7 over IP) introduced. Number of operators grows. Security is still missing.
    • Huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security.
    • Growing number of SS7 interconnections, increasing amount of SS7 traffic. No security policies or restrictions.
    Innovations of TODAY rely on OBSOLETE technologies from YESTERDAY.
  • 4. Why SS7 is not secure (diagram: SIGTRAN, IWF/DEA, Diameter, LTE interconnections). Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world.
  • 5. Governments and global organizations worried by SS7 security
  • 6. Mobile operators and SS7 security: security assessment, SS7 firewall, security monitoring, SMS Home Routing, security configuration.
  • 7. Research and publications
    • 2014 – Signaling System 7 (SS7) security report
    • 2014 – Vulnerabilities of mobile Internet (GPRS)
    • 2016 – Primary security threats for SS7 cellular networks
    • 2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities)
    • 2017 – Threats to packet core security of 4G network
    • 2018 – SS7 vulnerabilities and attack exposure report
    • 2018 – Diameter vulnerabilities exposure report
  • 8. SS7 Security Audit. Common Facts and Figures
    • Subscribers could be geotracked on 75% of analyzed networks
    • Incoming SMS messages could be intercepted in 90% of cases
    • Voice calls could be intercepted in 53% of cases
    Threat                              2015    2016    2017
    Subscriber information disclosure   100%    100%    100%
    Network information disclosure      100%     92%     63%
    Subscriber traffic interception     100%    100%     89%
    Fraud                               100%     85%     78%
    Denial of service                   100%    100%    100%
  • 9. SS7 vs Diameter comparison: 4G networks are nearly equally vulnerable.
  • 10. Signaling Monitoring. Common Facts and Figures: almost 99% of attacks are connected with disclosing confidential subscriber data.
  • 11. Network vulnerability statistics: SMS Home Routing. 67% of installed SMS Home Routing systems have been bypassed. The possibility of exploitation of some threats in networks with SMS Home Routing installed is greater than in networks without protection.
  • 12. Network vulnerability statistics: SS7 firewall. Penetration level of SS7 firewalls on mobile networks: 2015 — 0%, 2016 — 7%, 2017 — 33%. A filtering system alone cannot protect the network thoroughly.
  • 13. Basic nodes and identifiers
    • HLR — Home Location Register
    • MSC/VLR — Mobile Switching Center and Visited Location Register
    • SMS-C — SMS Centre
    • MSISDN — Mobile Subscriber Integrated Services Digital Number
    • IMSI — International Mobile Subscriber Identity
    • STP — Signaling Transfer Point
    • GT — Global Title, address of a core node element
  • 14. IMSI. An IMSI identifier, by itself, is not valuable to an intruder. But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as:
    • Location tracking
    • Service disturbance
    • SMS interception
    • Voice call eavesdropping
    The IMSI is considered personal data as per GDPR.
  • 15. SS7 messages for IMSI retrieval
    • SendRoutingInfo, SendIMSI, SendRoutingInfoForLCS — should be blocked on the network border
    • SendRoutingInfoForSM — may be blocked on the HLR; SMS Home Routing as a protection tool
  • 17. SMS delivery with no SMS Home Routing in place (nodes: SMS-C, STP, HLR, MSC; SRI4SM — SendRoutingInfoForSM)
    1. SRI4SM Request: MSISDN (SMS-C to HLR via STP)
    2. SRI4SM Response: IMSI, MSC Address (HLR to SMS-C via STP)
    3. MT-SMS: IMSI, SMS Text (SMS-C to MSC via STP)
  • 18. SRI4SM abuse by a malefactor (nodes: STP, HLR, MSC)
    1. SRI4SM Request: MSISDN (external sender to HLR via STP)
    2. SRI4SM Response: IMSI, MSC Address (HLR back to the sender via STP)
  • 19. SMS Home Routing (nodes: SMS-C, STP, SMS Router, HLR, MSC)
    1. SRI4SM Request: MSISDN (SMS-C to SMS Router via STP)
    2. SRI4SM Response: Fake IMSI, SMS-R Address (SMS Router to SMS-C via STP)
    3. MT-SMS: Fake IMSI, SMS Text (SMS-C to SMS Router via STP)
    4. SRI4SM Request: MSISDN (SMS Router to HLR)
    5. SRI4SM Response: Real IMSI, MSC Address (HLR to SMS Router)
    6. MT-SMS: Real IMSI, SMS Text (SMS Router to MSC)
  • 20. SMS Home Routing against malefactors (nodes: STP, SMS Router, HLR, MSC)
    1. SRI4SM Request: MSISDN (external sender to SMS Router via STP)
    2. SRI4SM Response: Fake IMSI, SMS-R Address (SMS Router back to the sender via STP)
  • 21. Numbering plans (rule of GT translation: E.212 IMSI to E.214 mobile GT, the operator HLR address)
    E.164 MSISDN     Country Code (Romania) 40 + Network Destination Code 700 + 1231237
    E.212 IMSI       Mobile Country Code (Romania) 226 + Mobile Network Code 99 + 4564567894
    E.214 Mobile GT  Country Code 40 + Network Destination Code 700 + 4564567894
  • 22. STP routing table. STP Routing Table entries: "… Numbering Plan = E.214 …" and "… OpCode = SRI4SM …". An incoming SS7 message is routed by the STP to HLR 1, HLR 2 or the SMS Router.
  • 23.–25. STP routing table (build-up of the same slide). E.214 Global Title Translation Table: 40 + 700 + 0xxxxxxxxx (HLR 1), 40 + 700 + 4xxxxxxxxx (HLR 2); SRI4SM matched by opcode goes to the SMS Router.
  • 27. SMS Home Routing bypass attack. STP Routing Table: "… Numbering Plan = E.214 …", "… OpCode = SRI4SM …"; E.214 Global Title Translation Table: 40 + 700 + 0xxxxxxxxx (HLR 1), 40 + 700 + 4xxxxxxxxx (HLR 2).
    1. SRI4SM Request: E.214 called address / random IMSI, MSISDN (to STP)
    2. SRI4SM Request: E.214 / random IMSI, MSISDN (STP to HLR by GT translation)
    3. SRI4SM Response: IMSI, MSC address
    The malefactor needs to guess any IMSI from an HLR serving the target subscriber. SMS Router is aside.
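The E.212 to E.214 translation of slide 21 and the STP routing decision of slides 22-27 as an added Python model (not code from the slides or from Positive Technologies). It assumes the two E.214 ranges map to HLR 1 and HLR 2 in the order shown, and the "hardened" routing rule is an assumed mitigation, not something the deck describes.

```python
# Added example, not from the slides: the E.212 -> E.214 translation of slide 21 and the
# STP routing table of slides 22-27 as a toy model, with an assumed hardened rule alongside.
# Digits (CC 40, NDC 700, MCC 226, MNC 99) are the slide's; the E.214 ranges
# 40+700+0xxxxxxxxx and 40+700+4xxxxxxxxx are assumed to map to HLR 1 and HLR 2 in that order.

HOME_E164_PREFIX = "40" + "700"                        # Country Code + Network Destination Code
E212_TO_E214 = {"226" + "99": HOME_E164_PREFIX}        # MCC + MNC -> CC + NDC
HLR_BY_FIRST_DIGIT = {"0": "HLR 1", "4": "HLR 2"}      # E.214 Global Title Translation Table

def imsi_to_mobile_gt(imsi):
    """E.212 IMSI -> E.214 mobile GT: replace MCC+MNC with CC+NDC, keep the subscriber part."""
    for e212_prefix, e214_prefix in E212_TO_E214.items():
        if imsi.startswith(e212_prefix):
            return e214_prefix + imsi[len(e212_prefix):]
    raise ValueError("IMSI does not belong to a known MCC/MNC")

def route_sri4sm(called_gt, numbering_plan, hardened=False):
    """Node the STP hands an SRI4SM to, given the called party GT and its numbering plan.

    Weak table (slides 22-27): an E.164-addressed SRI4SM is routed by opcode to the SMS
    Router, but an E.214-addressed one is translated straight to an HLR ("SMS Router is aside").
    Hardened rule (assumption, not from the slides): SRI4SM goes to the SMS Router whatever the
    numbering plan, so only the router ever queries the HLR for a subscriber's real IMSI.
    """
    if hardened or numbering_plan == "E.164":
        return "SMS Router"
    if numbering_plan == "E.214" and called_gt.startswith(HOME_E164_PREFIX) \
            and len(called_gt) > len(HOME_E164_PREFIX):
        first_digit = called_gt[len(HOME_E164_PREFIX)]
        return HLR_BY_FIRST_DIGIT.get(first_digit, "DROP: no GTT entry")
    return "DROP: unroutable address"
```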
  • 28. Another way to bypass the Home Router
  • 29.–32. SMS Home Routing definition (build-up of one diagram; nodes: STP, SMS Router, HLR)
    1. SRI4SM Request: MSISDN (to STP)
    2. SRI4SM Request: MSISDN (STP to SMS Router)
    3. SRI4SM Response: Fake IMSI, SMS-R address
    Different IMSIs mean the SMS Home Routing procedure is involved.
  • 33. TCAP Protocol (TCAP – Transaction Capabilities Application Part). TCAP message structure:
    • Message Type: Begin, Continue, End, Abort
    • Transaction IDs: Source and/or Destination IDs
    • Dialogue Portion: Application Context Name (ACN), ACN Version
    • Component Portion: Operation Code, Payload
    The Application Context Name corresponds to a respective Operation Code.
  • 34. Application Context: 0 – CCITT, 4 – Identified Organization, 0 – ETSI, 0 – Mobile Domain, 1 – GSM/UMTS Network, 0 – Application Context ID, 20 – ShortMsgGateway, 3 – Version 3
  • 35. Application Context change. Original: 0 – CCITT, 4 – Identified Organization, 0 – ETSI, 0 – Mobile Domain, 1 – GSM/UMTS Network, 0 – Application Context ID, 20 – ShortMsgGateway, 3 – Version 3. Malformed: 0 – CCITT, 4 – Identified Organization, x – Unknown, 0 – Mobile Domain, 1 – GSM/UMTS Network, 0 – Application Context ID, 20 – ShortMsgGateway, 3 – Version 3.
  • 36.–38. SMS Home Routing bypass with malformed Application Context (nodes: STP, SMS Router, HLR)
    1. SRI4SM Request: MSISDN, malformed ACN (to STP, forwarded to HLR)
    2. SRI4SM Response: IMSI, MSC (HLR back to the sender via STP)
    SMS Router is aside. Equal IMSIs mean the SMS Home Routing solution is absent or not involved.
  • 40. SS7 firewall: typical deployment scheme (nodes: STP, SS7 firewall, HLR)
    1. SS7 message (to STP)
    2. SS7 message (STP to SS7 firewall for inspection)
    3. SS7 message (on to HLR)
  • 41. SS7 messages for IMSI retrieval
    • SendRoutingInfo, SendIMSI, SendRoutingInfoForLCS — should be blocked on the network border
    • SendRoutingInfoForSM — may be blocked on the HLR; SMS Home Routing as a protection tool
  • 42. SS7 firewall: typical deployment scheme (SRI – SendRoutingInfo)
    1. SRI Request: MSISDN (to STP)
    2. SRI Request: MSISDN (STP to SS7 firewall). The message is blocked.
  • 43. Application Context change. Original: 0 – CCITT, 4 – Identified Organization, 0 – ETSI, 0 – Mobile Domain, 1 – GSM/UMTS Network, 0 – Application Context ID, 20 – ShortMsgGateway, 3 – Version 3. Malformed: 0 – CCITT, 4 – Identified Organization, x – Unknown, 0 – Mobile Domain, 1 – GSM/UMTS Network, 0 – Application Context ID, 20 – ShortMsgGateway, 3 – Version 3.
  • 44.–45. SS7 firewall bypass with malformed Application Context (nodes: STP, SS7 firewall, HLR)
    1. SRI Request: MSISDN, malformed ACN (to STP)
    2. SRI Request: MSISDN, malformed ACN (STP to HLR)
    3. SRI Response: IMSI, … (HLR back to the sender via STP)
    SS7 firewall is aside.
  • 47. SMS delivery (nodes: MSC 1, SMS-C, HLR, MSC 2)
    1. Mo-ForwardSM: A-Num, B-Num (MSC 1 to SMS-C)
    2. SRI4SM: B-Num (SMS-C to HLR)
    3. SRI4SM: IMSI, MSC2 (HLR to SMS-C)
    4. Mt-ForwardSM: A-Num, IMSI (SMS-C to MSC 2)
    5. ReturnResultLast (MSC 2 to SMS-C, SMS-C to MSC 1)
  • 48. SMS spam through SS7: the same flow without step 1 (no Mo-ForwardSM from MSC 1)
    2. SRI4SM: B-Num
    3. SRI4SM: IMSI, MSC2
    4. Mt-ForwardSM: A-Num, IMSI
    5. ReturnResultLast
  • 49. TCAP handshake as a protection measure (nodes: MSC 1, SMS-C, HLR, MSC 2)
    1. TCAP Begin: ACN = MoSMRelay (MSC 1 to SMS-C)
    2. TCAP Continue (SMS-C to MSC 1)
    3. Mo-ForwardSM: A-Num, B-Num
    4. SRI4SM: B-Num
    5. SRI4SM: IMSI, MSC2
    6. TCAP Begin: ACN = MtSMRelay (SMS-C to MSC 2)
    7. TCAP Continue (MSC 2 to SMS-C)
    8. Mt-ForwardSM: A-Num, IMSI
    9. ReturnResultLast
  • 50. Location retrieval for intelligent network services (nodes: IN, HLR, MSC/VLR)
    1. AnyTimeInterrogation: MSISDN (IN to HLR)
    2. ProvideSubscriberInfo: IMSI (HLR to MSC/VLR)
    3. ProvideSubscriberInfo: CellID (MSC/VLR to HLR)
    4. AnyTimeInterrogation: CellID (HLR to IN)
    The AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive the identity of the serving cell in order to perform a location-based service. This message is allowed for internal operations only. It should be prohibited in external connections.
  • 51. Blocking an illegitimate location request (nodes: STP, SS7 firewall, HLR)
    1. AnyTimeInterrogation: MSISDN (to STP)
    2. AnyTimeInterrogation: MSISDN (STP to SS7 firewall). The message is blocked.
  • 52. TCAP handshake exploit. Is it possible to encapsulate a malformed location request into the protection mechanism and receive a result?
  • 53.–59. SS7 firewall: bypass within a TCAP handshake (build-up of one diagram; nodes: STP, SS7 firewall, HLR, MSC/VLR)
    1. TCAP Begin: ACN = AnyTimeInfoEnquiry (to STP, forwarded to HLR). The AnyTimeInfoEnquiry context is used in an AnyTimeInterrogation operation that responds with the serving cell identity, which provides the subscriber location to within ~100 meters. The incoming signaling message does not contain an operation code, so the STP does not send it to the SS7 firewall for inspection.
    2. TCAP Continue (HLR to STP, back to the sender)
    3. AnyTimeInterrogation: MSISDN in TCAP Continue (sender to STP, STP to HLR). The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of the normal TCAP Begin message. The STP routes this message to the node that is involved in the initial transaction.
    4. ProvideSubscriberInfo: IMSI (HLR to MSC/VLR), answered with Cell ID
    5. AnyTimeInterrogation: Cell ID in TCAP End (HLR to STP, back to the sender)
    SS7 firewall is aside.
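An added example, not code from the slides or from Positive Technologies: a toy stateful inspector that applies the two checks the malformed-ACN bypass (slides 35-38, 43-45) and the TCAP-handshake bypass (slides 53-59) rely on being absent. The message format is a constructed dict, the ACN ids other than 20 are taken from 3GPP TS 29.002, and the inspector logic is an assumed mitigation, not any vendor's firewall.

```python
# Added example, not from the slides: a toy stateful inspector for MAP over TCAP with
# the two checks whose absence the bypasses on slides 35-38 and 53-59 rely on: fail-closed
# ACN validation and inspection of components carried in TCAP Continue, not only in Begin.

# ACN id 20 (shortMsgGateway) is from slide 34; 29 (anyTimeInfoEnquiry) and
# 5 (locationInfoRetrieval) are the application-context ids of 3GPP TS 29.002.
KNOWN_ACNS = {
    (0, 4, 0, 0, 1, 0, 20, 3): {"SendRoutingInfoForSM"},
    (0, 4, 0, 0, 1, 0, 29, 3): {"AnyTimeInterrogation"},
    (0, 4, 0, 0, 1, 0, 5, 3): {"SendRoutingInfo"},
}
# Operations the slides say must be blocked on the network border (slides 41 and 50).
BORDER_BLOCKED_OPS = {"SendRoutingInfo", "SendIMSI", "SendRoutingInfoForLCS", "AnyTimeInterrogation"}

def stateless_stp_forwards_to_firewall(msg):
    """Weak behaviour from slide 54: only a Begin that carries an opcode is inspected."""
    return msg["type"] == "Begin" and msg.get("opcode") is not None

class StatefulInspector:
    """Assumed mitigation: keep the ACN of each dialogue opened across the border
    and apply the opcode policy to every TCAP message of that dialogue."""

    def __init__(self):
        self.dialogues = {}  # transaction id -> ACN tuple

    def inspect(self, msg):
        if msg["type"] == "Begin":
            acn = msg.get("acn")
            if acn not in KNOWN_ACNS:
                return "BLOCK: unknown application context"  # fail closed, not fail open
            self.dialogues[msg["otid"]] = acn
        else:  # Continue / End inherit the ACN of the opening Begin
            acn = self.dialogues.get(msg.get("dtid")) or self.dialogues.get(msg.get("otid"))
            if acn is None:
                return "BLOCK: no open transaction"
            if "otid" in msg:
                self.dialogues[msg["otid"]] = acn  # learn the peer's transaction id
        opcode = msg.get("opcode")
        if opcode is None:
            return "PASS: handshake message without component"
        if opcode not in KNOWN_ACNS[acn]:
            return "BLOCK: opcode does not belong to this application context"
        if msg["from_external"] and opcode in BORDER_BLOCKED_OPS:
            return "BLOCK: " + opcode + " prohibited from interconnect"
        return "PASS"

def replay_handshake_bypass():
    """Slide 53-59 sequence on constructed messages: (stateful verdicts, stateless forwards)."""
    begin = {"type": "Begin", "otid": "x1", "acn": (0, 4, 0, 0, 1, 0, 29, 3), "from_external": True}
    hlr_continue = {"type": "Continue", "otid": "h7", "dtid": "x1", "from_external": False}
    ati_continue = {"type": "Continue", "otid": "x1", "dtid": "h7",
                    "opcode": "AnyTimeInterrogation", "from_external": True}
    inspector, msgs = StatefulInspector(), (begin, hlr_continue, ati_continue)
    return [inspector.inspect(m) for m in msgs], [stateless_stp_forwards_to_firewall(m) for m in msgs]
```

The stateless list shows the slide 54 weakness (none of the three messages is ever handed to the firewall), while the stateful verdicts let the empty handshake messages through and stop the encapsulated AnyTimeInterrogation.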
  • 61. Things to remember
    1. Deploying a security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed.
    2. Test the network. Penetration testing is a good practice to discover a lot of vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them.
    3. Know the perimeter. Continuous security monitoring enables a mobile operator to know which vulnerabilities are exploited and, therefore, protect the network.
  • 62. Thank you! ptsecurity.com Kirill Puzankov kpuzankov@ptsecurity.com