Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

DefCamp
DefCampDefCamp
Kirill Puzankov Mobile signaling threats and vulnerabilities - real cases from our experience
Signaling System 7 (SS7) is the control plane that is used for exchanging data between network devices in telecommunications networks Call control functions: establish and release Subscriber mobility management: roaming possibilities, location- based services, seamless calls for moving subscribers Short message service Supplementary service control: call forwarding, call waiting, call hold SS7 introduces: Signaling System 7
History of Signaling Security The state of signaling security has not changed for almost 40 years Trusted ecosystem SS7 network developed. Trusted environment. No security mechanisms in the protocol stack No security Scope grows SIGTRAN (SS7 over IP) introduced. Number of operators grows. Security is still missing Huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security Not trusted anymore Growing number of SS7 interconnections, increasing amount of SS7 traffic. No security policies or restrictions 1980 2018 2000 Innovations of TODAY rely on OBSOLETE technologies from YESTERDAY
Why SS7 is not secure SIGTRAN SIGTRAN IWF/DEA Diameter LTE Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world
Governments and global organizations worried by SS7 security
Mobile operators and SS7 security Security assessment SS7 firewall Security monitoringSMS Home Routing Security configuration
Research and publications 2014 – Signaling System 7 (SS7) security report 2014 – Vulnerabilities of mobile Internet (GPRS) 2016 – Primary security threats for SS7 cellular networks 2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities) 2017 – Threats to packet core security of 4G network 2018 – SS7 vulnerabilities and attack exposure report 2018 – Diameter vulnerabilities exposure report
SS7 Security Audit. Common Facts and Figures • Subscribers could be geotracked on 75% of analyzed networks • Incoming SMS messages could be intercepted in 90% of cases • Voice calls could be intercepted in 53% of cases Threat 2015 2016 2017 Subscriber information disclosure 100% 100% 100% Network information disclosure 100% 92% 63% Subscriber traffic interception 100% 100% 89% Fraud 100% 85% 78% Denial of service 100% 100% 100%
SS7 vs Diameter comparison 4G networks are nearly equally vulnerable
Signaling Monitoring. Common Facts and Figures Almost 99% of attacks are connected with disclosing confidential subscriber data
Network vulnerability statistics: SMS Home Routing 67% of installed SMS Home Routing systems have been bypassed Possibility of exploitation of some threats in networks with SMS Home Routing installed is greater than in networks without protection
Network vulnerability statistics: SS7 firewall Penetration level of SS7 firewalls on mobile networks: 2015 — 0% 2016 — 7% 2017 — 33% Filtering system alone cannot protect the network thoroughly
Basic nodes and identifiers HLR — Home Location Register MSC/VLR — Mobile Switching Center and Visited Location Register SMS-C — SMS Centre MSISDN — Mobile Subscriber Integrated Services Digital Number IMSI — International Mobile Subscriber Identity STP — Signaling Transfer Point GT — Global Title, address of a core node element
IMSI An IMSI identifier, by itself, is not valuable to an intruder But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as:  Location tracking  Service disturbance  SMS interception  Voice call eavesdropping The IMSI is considered personal data as per GDPR.
SS7 messages for IMSI retrieval SendRoutingInfo SendIMSI SendRoutingInfoForLCS SendRoutingInfoForSM Should be blocked on the network border May be blocked on the HLR – SMS Home Routing as a protection tool
SMS Home Routing bypass
SMS delivery with no SMS Home Routing in place STP MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • IMSI • MSC Address 2. SRI4SM Response • IMSI • MSC Address 3. MT-SMS • IMSI • SMS Text 3. MT-SMS • IMSI • SMS Text SRI4SM — SendRoutingInfoForSM HLR SMS-C
SRI4SM abuse by a malefactor STP MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • IMSI • MSC Address 2. SRI4SM Response • IMSI • MSC Address HLR
SMS Router SMS Home Routing STP HLR MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 3. MT-SMS • Fake IMSI • SMS Text 3. MT-SMS • Fake IMSI • SMS Text 4. SRI4SM Request • MSISDN 6. MT-SMS • Real IMSI • SMS Text SMS-C 5. SRI4SM Response • Real IMSI • MSC Address 2. SRI4SM Response • Fake IMSI • SMS-R Address 2. SRI4SM Response • Fake IMSI • SMS-R Address
SMS Router SMS Home Routing against malefactors STP HLR MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • Fake IMSI • SMS-R Address 2. SRI4SM Response • Fake IMSI • SMS-R Address
Numbering plans Country Code (Romania) Network Destination Code Mobile Country Code (Romania) Mobile Network Code Operator HLRRule of GT Translation E.164 MSISDN and GT 40 700 1231237 E.212 IMSI 226 99 4564567894 E.214 Mobile GT 40 700 4564567894
STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router
STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx SMS Router
STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
SendRoutingInfoForSM message Called Party Address = MSISDN
SMS Home Routing bypass attack STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP HLR 1 HLR 2 1. SRI4SM Request • E.214 / Random IMSI • MSISDN 2. SRI4SM Request • E.214 / Random IMSI • MSISDN 3. SRI4SM Response • IMSI • MSC address The malefactor needs to guess any IMSI from a HLR serving the target subscriber SMS Router is aside SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
Another way to bypass the Home Router
SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN STP
SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP
SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP 3. SRI4SM Response: Fake IMSI, SMS-R address
SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP 3. SRI4SM Response: Fake IMSI, SMS-R address Different IMSIs mean SMS Home Routing procedure is involved
TCAP Protocol TCAP Message Type Transaction IDs Dialogue Portion Component Portion Begin, Continue, End, Abort Source and/or Destination IDs Application Context Name (ACN) ACN Version Operation Code Payload Application Context Name corresponds to a respective Operation Code TCAP – Transaction Capabilities Application Part
Application Context 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
Application Context change 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3 0 – CCITT 4 – Identified Organization x – Unknown 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
SMS Home Routing bypass with malformed Application Context HLR1. SRI4SM Request: MSISDN Malformed ACN 1. SRI4SM Request: MSISDN Malformed ACN STP SMS Router Malformed Application Context
SMS Home Routing bypass with malformed Application Context HLR1. SRI4SM Request: MSISDN Malformed ACN 1. SRI4SM Request: MSISDN Malformed ACN STP 2. SRI4SM Response: IMSI, MSC 2. SRI4SM Response: IMSI, MSC SMS Router SMS Router is aside
SMS Home Routing bypass with malformed Application Context HLR SMS Router 1. SRI4SM Request: MSISDN Malformed ACN STP 2. SRI4SM Response: IMSI, MSC Equal IMSIs means the SMS Home Routing solution is absent or not involved 1. SRI4SM Request: MSISDN Malformed ACN 2. SRI4SM Response: IMSI, MSC
Firewall bypass
SS7 firewall: typical deployment scheme HLRSTP 1. SS7 message 3. SS7 message 2. SS7 message SS7 firewall
SS7 messages for IMSI retrieval SendRoutingInfo SendIMSI SendRoutingInfoForLCS SendRoutingInfoForSM Should be blocked on the network border May be blocked on the HLR – SMS Home Routing as a protection tool
SS7 firewall: typical deployment scheme HLRSTP 1. SRI Request: MSISDN SS7 firewall 2. SRI Request: MSISDN The message is blocked SRI – SendRoutingInfo
Application Context change 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3 0 – CCITT 4 – Identified Organization x – Unknown 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
SS7 firewall: bypass with malformed Application Context HLRSTP 1. SRI Request: MSISDN Malformed ACN SS7 firewall 2. SRI Request: MSISDN Malformed ACN Malformed Application Context
SS7 firewall bypass with malformed Application Context HLRSTP 1. SRI Request: MSISDN Malformed ACN 2. SRI Request: MSISDN Malformed ACN 3. SRI Response: IMSI, …3. SRI Response: IMSI, … SS7 firewall is aside SS7 firewall
Tricky location tracking
SMS delivery HLR MSC 2SMS-CMSC 1 1. Mo-ForwardSM: A-Num, B-Num 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast5. ReturnResultLast
SMS spam through SS7 HLR 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast5. ReturnResultLast SMS-C MSC 2MSC 1
TCAP handshake as a protection measure HLR 1. TCAP Begin: ACN = MoSMRelay 4. SRI4SM: B-Num 5. SRI4SM: IMSI, MSC2 2. TCAP Continue 3. Mo-ForwardSM: A-Num, B-Num 9. ReturnResultLast 6. TCAP Begin: ACN = MtSMRelay 7. TCAP Continue 8. Mt-ForwardSM:A-Num, IMSI 9. ReturnResultLast SMS-C MSC 2MSC 1
Location retrieval for intelligent network services HLR1. AnyTimeInterrogation: MSISDN 4. AnyTimeInterrogation: CellID 2. ProvideSubscriberInfo: IMSI 3. ProvideSubscriberInfo: CellID MSC/VLRIN AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive identity of a serving cell in order to perform a location-based service. This message is allowed for internal operations only. It should be prohibited in external connections.
Blocking an illegitimate location request HLRSTP 1. AnyTimeInterrogation: MSISDN The message is blocked SS7 firewall 2. AnyTimeInterrogation: MSISDN
TCAP handshake exploit Is it possible to encapsulate a malformed location request into the protection mechanism and receive result?
SS7 firewall: bypass within a TCAP handshake HLRSTP1. TCAP Begin: ACN = AnyTimeInfoEnquiry The AnyTimeInfoEnquiry is used in an AnyTimeInterrogation operation that responds with the serving Cell identity, which provides subscriber location to within ~100 meters SS7 firewall MSC/VLR
SS7 firewall: bypass within a TCAP handshake The incoming signaling message does not contain an operation code, so the STP does not send it to the SS7 firewall for inspection HLRSTP1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 2. TCAP Continue The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of normal TCAP Begin message. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of normal TCAP Begin message. The STP routes this message to the node that is involved into the initial transaction. 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
SS7 firewall: bypass within a TCAP handshake HLR1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue SS7 firewall MSC/VLR 4. ProvideSubscriberInfo Cell IDIMSI
SS7 firewall: bypass within a TCAP handshake SS7 firewall is aside HLR1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 5. AnyTimeinterrogation: Cell ID TCAP End 5. AnyTimeInterrogation: Cell ID TCAP End 4. ProvideSubscriberInfo Cell IDIMSI 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue SS7 firewall MSC/VLR
Main problems Architecture flaws Configuration mistakes Software bugs
Things to remember 1. Deploying security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed. 2. Test the network. Penetration testing is a good practice to discover a lot of vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them. 3. Know the perimeter. Continuous security monitoring enables a mobile operator to know which vulnerabilities are exploited and, therefore, protect the network.
Thank you! ptsecurity.com Kirill Puzankov kpuzankov@ptsecurity.com
1 of 62

Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

Download to read offline
Technology

Kirill Puzankov in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The videos and other presentations can be found on https://def.camp/archive

DefCamp
DefCampDefCamp

Recommended

Attacks you can't combat: vulnerabilities of most robust MNOs by
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
350 views51 slides
Worldwide attacks on SS7/SIGTRAN network by
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
39.9K views50 slides
Worldwide attacks on SS7 network by
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 networkAlexandre De Oliveira
1.1K views50 slides
How to Intercept a Conversation Held on the Other Side of the Planet by
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetPositive Hack Days
137.4K views140 slides
Telecom under attack: demo of fraud scenarios and countermeasures by
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresPositiveTechnologies
271 views29 slides
High-level architecture of Mobile Cellular Networks from 2G to 5G by
High-level architecture of Mobile Cellular Networks from 2G to 5GHigh-level architecture of Mobile Cellular Networks from 2G to 5G
High-level architecture of Mobile Cellular Networks from 2G to 5G3G4G
28.6K views10 slides

More Related Content

What's hot

SS7 Vulnerabilities by
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 VulnerabilitiesPositiveTechnologies
2.8K views15 slides
Complete umts call flow by
Complete umts call flowComplete umts call flow
Complete umts call flowsivakumar D
18.2K views4 slides
Core cs overview (1) by
Core cs overview (1)Core cs overview (1)
Core cs overview (1)Rashid Khan
2.5K views46 slides
IMS + VoLTE Overview by
IMS + VoLTE OverviewIMS + VoLTE Overview
IMS + VoLTE OverviewHamidreza Bolhasani
4.1K views49 slides
Introduction to Mobile Core Network by
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Networkyusufd
112.9K views35 slides
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network by
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core NetworkHamidreza Bolhasani
4.5K views104 slides

What's hot(20)

SS7 Vulnerabilities by PositiveTechnologies
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
PositiveTechnologies2.8K views
Complete umts call flow by sivakumar D
Complete umts call flowComplete umts call flow
Complete umts call flow
sivakumar D18.2K views
Core cs overview (1) by Rashid Khan
Core cs overview (1)Core cs overview (1)
Core cs overview (1)
Rashid Khan2.5K views
IMS + VoLTE Overview by Hamidreza Bolhasani
IMS + VoLTE OverviewIMS + VoLTE Overview
IMS + VoLTE Overview
Hamidreza Bolhasani4.1K views
Introduction to Mobile Core Network by yusufd
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Network
yusufd112.9K views
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network by Hamidreza Bolhasani
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
Hamidreza Bolhasani4.5K views
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or... by Alejandro Corletti Estrada
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Alejandro Corletti Estrada6.1K views
VoLTE Flows and CS network by Karel Berkovec
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS network
Karel Berkovec37.9K views
Assaulting diameter IPX network by Alexandre De Oliveira
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX network
Alexandre De Oliveira3.4K views
VoLTE flows - basics by Karel Berkovec
VoLTE flows - basicsVoLTE flows - basics
VoLTE flows - basics
Karel Berkovec26.4K views
Attacking GRX - GPRS Roaming eXchange by P1Security
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security 8.4K views
Telecom security from ss7 to all ip all-open-v3-zeronights by P1Security
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
P1Security 5.3K views
Telecom incidents investigation: daily work behind the scenes by PositiveTechnologies
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenes
PositiveTechnologies141 views
CS-Core Mobile Network (General) by Hamidreza Bolhasani
CS-Core Mobile Network (General)CS-Core Mobile Network (General)
CS-Core Mobile Network (General)
Hamidreza Bolhasani3.1K views
Signaling security essentials. Ready, steady, 5G! by PositiveTechnologies
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!
PositiveTechnologies526 views
Radio network overview by Md Mustafizur Rahman
Radio network overviewRadio network overview
Radio network overview
Md Mustafizur Rahman2.2K views
Call flows by Shweta Kumar PMP, ACC, CSM, CSPO
Call flowsCall flows
Call flows
Shweta Kumar PMP, ACC, CSM, CSPO75.9K views
Summary 2G y 3G by Axel Abraham Valdes
Summary 2G y 3GSummary 2G y 3G
Summary 2G y 3G
Axel Abraham Valdes2.4K views
Simplified Call Flow Signaling: Registration - The Attach Procedure by 3G4G
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure
3G4G7.9K views
LTE network: How it all comes together architecture technical poster by David Swift
LTE network: How it all comes together architecture technical posterLTE network: How it all comes together architecture technical poster
LTE network: How it all comes together architecture technical poster
David Swift3K views

Similar to Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

Computaris SS7 Firewall by
Computaris SS7 FirewallComputaris SS7 Firewall
Computaris SS7 FirewallComputaris
6.7K views23 slides
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf by
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSPY24
32 views2 slides
Небезопасность сотовых сетей вчера, сегодня, завтра by
Небезопасность сотовых сетей вчера, сегодня, завтраНебезопасность сотовых сетей вчера, сегодня, завтра
Небезопасность сотовых сетей вчера, сегодня, завтраPositive Hack Days
415 views45 slides
Rk 3 gsm network @guddu by
Rk 3 gsm network @gudduRk 3 gsm network @guddu
Rk 3 gsm network @guddusarojsatpathy49
320 views40 slides
Rk 3 gsm network by
Rk 3 gsm networkRk 3 gsm network
Rk 3 gsm networkAzri Randy
463 views40 slides
GSM Network by
GSM NetworkGSM Network
GSM Networknareshkingster
12.9K views28 slides

Similar to Mobile signaling threats and vulnerabilities - real cases and statistics from our experience(20)

Computaris SS7 Firewall by Computaris
Computaris SS7 FirewallComputaris SS7 Firewall
Computaris SS7 Firewall
Computaris6.7K views
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf by SPY24
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SPY2432 views
Небезопасность сотовых сетей вчера, сегодня, завтра by Positive Hack Days
Небезопасность сотовых сетей вчера, сегодня, завтраНебезопасность сотовых сетей вчера, сегодня, завтра
Небезопасность сотовых сетей вчера, сегодня, завтра
Positive Hack Days415 views
Rk 3 gsm network @guddu by sarojsatpathy49
Rk 3 gsm network @gudduRk 3 gsm network @guddu
Rk 3 gsm network @guddu
sarojsatpathy49320 views
Rk 3 gsm network by Azri Randy
Rk 3 gsm networkRk 3 gsm network
Rk 3 gsm network
Azri Randy463 views
GSM Network by nareshkingster
GSM NetworkGSM Network
GSM Network
nareshkingster12.9K views
Gsm.....ppt by balu008
Gsm.....pptGsm.....ppt
Gsm.....ppt
balu008162.2K views
Signaling network vulnerabilities exposed, protection strategies for operator... by Xura
Signaling network vulnerabilities exposed, protection strategies for operator...Signaling network vulnerabilities exposed, protection strategies for operator...
Signaling network vulnerabilities exposed, protection strategies for operator...
Xura805 views
Gsm by Nur Islam
GsmGsm
Gsm
Nur Islam2.7K views
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej by PROIDEA
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowejPLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PROIDEA27 views
Ussd call back or UCB by Rawand Jaf
Ussd call back or UCBUssd call back or UCB
Ussd call back or UCB
Rawand Jaf2K views
ppt of gsm network by manish digant
ppt of gsm networkppt of gsm network
ppt of gsm network
manish digant716 views
SS7: Locate. Track. Manipulate. by 3G4G
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.
3G4G16K views
Fighting telecom fraud. Explaining SMS SS7 fraud by Martyn Sukys
Fighting telecom fraud. Explaining SMS SS7 fraudFighting telecom fraud. Explaining SMS SS7 fraud
Fighting telecom fraud. Explaining SMS SS7 fraud
Martyn Sukys205 views
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks by Omer Coskun
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
Omer Coskun1.4K views
report by Prateek Bansal
reportreport
report
Prateek Bansal281 views
Gsm1 by Vikran Kottaisamy
Gsm1Gsm1
Gsm1
Vikran Kottaisamy1.1K views
LTE Masterclass: “Signaling network vulnerabilities and protection strategies... by Xura
LTE Masterclass: “Signaling network vulnerabilities and protection strategies...LTE Masterclass: “Signaling network vulnerabilities and protection strategies...
LTE Masterclass: “Signaling network vulnerabilities and protection strategies...
Xura528 views
Introduction to GSM by Shilpin Pvt. Ltd.
Introduction to GSMIntroduction to GSM
Introduction to GSM
Shilpin Pvt. Ltd.1.9K views
GSM by JAI MCA-STUDENT
GSMGSM
GSM
JAI MCA-STUDENT1.8K views

More from DefCamp

Remote Yacht Hacking by
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
1.7K views89 slides
Mobile, IoT, Clouds… It’s time to hire your own risk manager! by
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
974 views167 slides
The Charter of Trust by
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
558 views24 slides
Internet Balkanization: Why Are We Raising Borders Online? by
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
309 views22 slides
Bridging the gap between CyberSecurity R&D and UX by
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
260 views13 slides
Secure and privacy-preserving data transmission and processing using homomorp... by
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
470 views102 slides

More from DefCamp(20)

Remote Yacht Hacking by DefCamp
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
DefCamp1.7K views
Mobile, IoT, Clouds… It’s time to hire your own risk manager! by DefCamp
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
DefCamp974 views
The Charter of Trust by DefCamp
The Charter of TrustThe Charter of Trust
The Charter of Trust
DefCamp558 views
Internet Balkanization: Why Are We Raising Borders Online? by DefCamp
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
DefCamp309 views
Bridging the gap between CyberSecurity R&D and UX by DefCamp
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
DefCamp260 views
Secure and privacy-preserving data transmission and processing using homomorp... by DefCamp
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
DefCamp470 views
Drupalgeddon 2 – Yet Another Weapon for the Attacker by DefCamp
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
DefCamp269 views
Economical Denial of Sustainability in the Cloud (EDOS) by DefCamp
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
DefCamp254 views
Trust, but verify – Bypassing MFA by DefCamp
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
DefCamp323 views
Threat Hunting: From Platitudes to Practical Application by DefCamp
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
DefCamp218 views
Building application security with 0 money down by DefCamp
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
DefCamp179 views
Implementation of information security techniques on modern android based Kio... by DefCamp
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
DefCamp215 views
Lattice based Merkle for post-quantum epoch by DefCamp
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
DefCamp241 views
The challenge of building a secure and safe digital environment in healthcare by DefCamp
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
DefCamp323 views
Timing attacks against web applications: Are they still practical? by DefCamp
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
DefCamp258 views
Tor .onions: The Good, The Rotten and The Misconfigured by DefCamp
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
DefCamp816 views
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t... by DefCamp
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
DefCamp294 views
We will charge you. How to [b]reach vendor’s network using EV charging station. by DefCamp
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
DefCamp443 views
Connect & Inspire Cyber Security by DefCamp
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
DefCamp290 views
The lions and the watering hole by DefCamp
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
DefCamp225 views

Recently uploaded

Microsoft Power Platform.pptx by
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptxUni Systems S.M.S.A.
61 views38 slides
Scaling Knowledge Graph Architectures with AI by
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AIEnterprise Knowledge
50 views15 slides
Special_edition_innovator_2023.pdf by
Special_edition_innovator_2023.pdfSpecial_edition_innovator_2023.pdf
Special_edition_innovator_2023.pdfWillDavies22
18 views6 slides
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveNetwork Automation Forum
43 views35 slides
PRODUCT PRESENTATION.pptx by
PRODUCT PRESENTATION.pptxPRODUCT PRESENTATION.pptx
PRODUCT PRESENTATION.pptxangelicacueva6
18 views1 slide
"Running students' code in isolation. The hard way", Yurii Holiuk by
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk Fwdays
24 views34 slides

Recently uploaded(20)

Microsoft Power Platform.pptx by Uni Systems S.M.S.A.
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptx
Uni Systems S.M.S.A.61 views
Scaling Knowledge Graph Architectures with AI by Enterprise Knowledge
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AI
Enterprise Knowledge50 views
Special_edition_innovator_2023.pdf by WillDavies22
Special_edition_innovator_2023.pdfSpecial_edition_innovator_2023.pdf
Special_edition_innovator_2023.pdf
WillDavies2218 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Network Automation Forum43 views
PRODUCT PRESENTATION.pptx by angelicacueva6
PRODUCT PRESENTATION.pptxPRODUCT PRESENTATION.pptx
PRODUCT PRESENTATION.pptx
angelicacueva618 views
"Running students' code in isolation. The hard way", Yurii Holiuk by Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays24 views
SUPPLIER SOURCING.pptx by angelicacueva6
SUPPLIER SOURCING.pptxSUPPLIER SOURCING.pptx
SUPPLIER SOURCING.pptx
angelicacueva620 views
Unit 1_Lecture 2_Physical Design of IoT.pdf by StephenTec
Unit 1_Lecture 2_Physical Design of IoT.pdfUnit 1_Lecture 2_Physical Design of IoT.pdf
Unit 1_Lecture 2_Physical Design of IoT.pdf
StephenTec15 views
Democratising digital commerce in India-Report by Kapil Khandelwal (KK)
Democratising digital commerce in India-ReportDemocratising digital commerce in India-Report
Democratising digital commerce in India-Report
Kapil Khandelwal (KK)20 views
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf by Dr. Jimmy Schwarzkopf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdfSTKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
Dr. Jimmy Schwarzkopf24 views
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
Jasper Oosterveld27 views
Design Driven Network Assurance by Network Automation Forum
Design Driven Network AssuranceDesign Driven Network Assurance
Design Driven Network Assurance
Network Automation Forum19 views
Kyo - Functional Scala 2023.pdf by Flavio W. Brasil
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdf
Flavio W. Brasil418 views
virtual reality.pptx by G036GaikwadSnehal
virtual reality.pptxvirtual reality.pptx
virtual reality.pptx
G036GaikwadSnehal18 views
Info Session November 2023.pdf by AleksandraKoprivica4
Info Session November 2023.pdfInfo Session November 2023.pdf
Info Session November 2023.pdf
AleksandraKoprivica415 views
Future of AR - Facebook Presentation by Rob McCarty
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
Rob McCarty22 views
2024: A Travel Odyssey The Role of Generative AI in the Tourism Universe by Simone Puorto
2024: A Travel Odyssey The Role of Generative AI in the Tourism Universe2024: A Travel Odyssey The Role of Generative AI in the Tourism Universe
2024: A Travel Odyssey The Role of Generative AI in the Tourism Universe
Simone Puorto13 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays33 views
STPI OctaNE CoE Brochure.pdf by madhurjyapb
STPI OctaNE CoE Brochure.pdfSTPI OctaNE CoE Brochure.pdf
STPI OctaNE CoE Brochure.pdf
madhurjyapb14 views
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc72 views

Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

  • 1. Kirill Puzankov Mobile signaling threats and vulnerabilities - real cases from our experience
  • 2. Signaling System 7 (SS7) is the control plane that is used for exchanging data between network devices in telecommunications networks Call control functions: establish and release Subscriber mobility management: roaming possibilities, location- based services, seamless calls for moving subscribers Short message service Supplementary service control: call forwarding, call waiting, call hold SS7 introduces: Signaling System 7
  • 3. History of Signaling Security The state of signaling security has not changed for almost 40 years Trusted ecosystem SS7 network developed. Trusted environment. No security mechanisms in the protocol stack No security Scope grows SIGTRAN (SS7 over IP) introduced. Number of operators grows. Security is still missing Huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security Not trusted anymore Growing number of SS7 interconnections, increasing amount of SS7 traffic. No security policies or restrictions 1980 2018 2000 Innovations of TODAY rely on OBSOLETE technologies from YESTERDAY
  • 4. Why SS7 is not secure SIGTRAN SIGTRAN IWF/DEA Diameter LTE Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world
  • 5. Governments and global organizations worried by SS7 security
  • 6. Mobile operators and SS7 security Security assessment SS7 firewall Security monitoringSMS Home Routing Security configuration
  • 7. Research and publications 2014 – Signaling System 7 (SS7) security report 2014 – Vulnerabilities of mobile Internet (GPRS) 2016 – Primary security threats for SS7 cellular networks 2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities) 2017 – Threats to packet core security of 4G network 2018 – SS7 vulnerabilities and attack exposure report 2018 – Diameter vulnerabilities exposure report
  • 8. SS7 Security Audit. Common Facts and Figures • Subscribers could be geotracked on 75% of analyzed networks • Incoming SMS messages could be intercepted in 90% of cases • Voice calls could be intercepted in 53% of cases Threat 2015 2016 2017 Subscriber information disclosure 100% 100% 100% Network information disclosure 100% 92% 63% Subscriber traffic interception 100% 100% 89% Fraud 100% 85% 78% Denial of service 100% 100% 100%
  • 9. SS7 vs Diameter comparison 4G networks are nearly equally vulnerable
  • 10. Signaling Monitoring. Common Facts and Figures Almost 99% of attacks are connected with disclosing confidential subscriber data
  • 11. Network vulnerability statistics: SMS Home Routing 67% of installed SMS Home Routing systems have been bypassed Possibility of exploitation of some threats in networks with SMS Home Routing installed is greater than in networks without protection
  • 12. Network vulnerability statistics: SS7 firewall Penetration level of SS7 firewalls on mobile networks: 2015 — 0% 2016 — 7% 2017 — 33% Filtering system alone cannot protect the network thoroughly
  • 13. Basic nodes and identifiers HLR — Home Location Register MSC/VLR — Mobile Switching Center and Visited Location Register SMS-C — SMS Centre MSISDN — Mobile Subscriber Integrated Services Digital Number IMSI — International Mobile Subscriber Identity STP — Signaling Transfer Point GT — Global Title, address of a core node element
  • 14. IMSI An IMSI identifier, by itself, is not valuable to an intruder But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as:  Location tracking  Service disturbance  SMS interception  Voice call eavesdropping The IMSI is considered personal data as per GDPR.
  • 15. SS7 messages for IMSI retrieval SendRoutingInfo SendIMSI SendRoutingInfoForLCS SendRoutingInfoForSM Should be blocked on the network border May be blocked on the HLR – SMS Home Routing as a protection tool
  • 17. SMS delivery with no SMS Home Routing in place STP MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • IMSI • MSC Address 2. SRI4SM Response • IMSI • MSC Address 3. MT-SMS • IMSI • SMS Text 3. MT-SMS • IMSI • SMS Text SRI4SM — SendRoutingInfoForSM HLR SMS-C
  • 18. SRI4SM abuse by a malefactor STP MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • IMSI • MSC Address 2. SRI4SM Response • IMSI • MSC Address HLR
  • 19. SMS Router SMS Home Routing STP HLR MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 3. MT-SMS • Fake IMSI • SMS Text 3. MT-SMS • Fake IMSI • SMS Text 4. SRI4SM Request • MSISDN 6. MT-SMS • Real IMSI • SMS Text SMS-C 5. SRI4SM Response • Real IMSI • MSC Address 2. SRI4SM Response • Fake IMSI • SMS-R Address 2. SRI4SM Response • Fake IMSI • SMS-R Address
  • 20. SMS Router SMS Home Routing against malefactors STP HLR MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • Fake IMSI • SMS-R Address 2. SRI4SM Response • Fake IMSI • SMS-R Address
  • 21. Numbering plans Country Code (Romania) Network Destination Code Mobile Country Code (Romania) Mobile Network Code Operator HLRRule of GT Translation E.164 MSISDN and GT 40 700 1231237 E.212 IMSI 226 99 4564567894 E.214 Mobile GT 40 700 4564567894
  • 22. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router
  • 23. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx SMS Router
  • 24. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
  • 25. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
  • 27. SMS Home Routing bypass attack STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP HLR 1 HLR 2 1. SRI4SM Request • E.214 / Random IMSI • MSISDN 2. SRI4SM Request • E.214 / Random IMSI • MSISDN 3. SRI4SM Response • IMSI • MSC address The malefactor needs to guess any IMSI from a HLR serving the target subscriber SMS Router is aside SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
  • 28. Another way to bypass the Home Router
  • 29. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN STP
  • 30. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP
  • 31. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP 3. SRI4SM Response: Fake IMSI, SMS-R address
  • 32. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP 3. SRI4SM Response: Fake IMSI, SMS-R address Different IMSIs mean SMS Home Routing procedure is involved
  • 33. TCAP Protocol TCAP Message Type Transaction IDs Dialogue Portion Component Portion Begin, Continue, End, Abort Source and/or Destination IDs Application Context Name (ACN) ACN Version Operation Code Payload Application Context Name corresponds to a respective Operation Code TCAP – Transaction Capabilities Application Part
  • 34. Application Context 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
  • 35. Application Context change 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3 0 – CCITT 4 – Identified Organization x – Unknown 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
  • 36. SMS Home Routing bypass with malformed Application Context HLR1. SRI4SM Request: MSISDN Malformed ACN 1. SRI4SM Request: MSISDN Malformed ACN STP SMS Router Malformed Application Context
  • 37. SMS Home Routing bypass with malformed Application Context HLR1. SRI4SM Request: MSISDN Malformed ACN 1. SRI4SM Request: MSISDN Malformed ACN STP 2. SRI4SM Response: IMSI, MSC 2. SRI4SM Response: IMSI, MSC SMS Router SMS Router is aside
  • 38. SMS Home Routing bypass with malformed Application Context HLR SMS Router 1. SRI4SM Request: MSISDN Malformed ACN STP 2. SRI4SM Response: IMSI, MSC Equal IMSIs means the SMS Home Routing solution is absent or not involved 1. SRI4SM Request: MSISDN Malformed ACN 2. SRI4SM Response: IMSI, MSC
  • 40. SS7 firewall: typical deployment scheme HLRSTP 1. SS7 message 3. SS7 message 2. SS7 message SS7 firewall
  • 41. SS7 messages for IMSI retrieval SendRoutingInfo SendIMSI SendRoutingInfoForLCS SendRoutingInfoForSM Should be blocked on the network border May be blocked on the HLR – SMS Home Routing as a protection tool
  • 42. SS7 firewall: typical deployment scheme HLRSTP 1. SRI Request: MSISDN SS7 firewall 2. SRI Request: MSISDN The message is blocked SRI – SendRoutingInfo
  • 43. Application Context change 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3 0 – CCITT 4 – Identified Organization x – Unknown 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
  • 44. SS7 firewall: bypass with malformed Application Context HLRSTP 1. SRI Request: MSISDN Malformed ACN SS7 firewall 2. SRI Request: MSISDN Malformed ACN Malformed Application Context
  • 45. SS7 firewall bypass with malformed Application Context HLRSTP 1. SRI Request: MSISDN Malformed ACN 2. SRI Request: MSISDN Malformed ACN 3. SRI Response: IMSI, …3. SRI Response: IMSI, … SS7 firewall is aside SS7 firewall
  • 47. SMS delivery HLR MSC 2SMS-CMSC 1 1. Mo-ForwardSM: A-Num, B-Num 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast5. ReturnResultLast
  • 48. SMS spam through SS7 HLR 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast5. ReturnResultLast SMS-C MSC 2MSC 1
  • 49. TCAP handshake as a protection measure HLR 1. TCAP Begin: ACN = MoSMRelay 4. SRI4SM: B-Num 5. SRI4SM: IMSI, MSC2 2. TCAP Continue 3. Mo-ForwardSM: A-Num, B-Num 9. ReturnResultLast 6. TCAP Begin: ACN = MtSMRelay 7. TCAP Continue 8. Mt-ForwardSM:A-Num, IMSI 9. ReturnResultLast SMS-C MSC 2MSC 1
  • 50. Location retrieval for intelligent network services HLR1. AnyTimeInterrogation: MSISDN 4. AnyTimeInterrogation: CellID 2. ProvideSubscriberInfo: IMSI 3. ProvideSubscriberInfo: CellID MSC/VLRIN AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive identity of a serving cell in order to perform a location-based service. This message is allowed for internal operations only. It should be prohibited in external connections.
  • 51. Blocking an illegitimate location request HLRSTP 1. AnyTimeInterrogation: MSISDN The message is blocked SS7 firewall 2. AnyTimeInterrogation: MSISDN
  • 52. TCAP handshake exploit Is it possible to encapsulate a malformed location request into the protection mechanism and receive result?
  • 53. SS7 firewall: bypass within a TCAP handshake HLRSTP1. TCAP Begin: ACN = AnyTimeInfoEnquiry The AnyTimeInfoEnquiry is used in an AnyTimeInterrogation operation that responds with the serving Cell identity, which provides subscriber location to within ~100 meters SS7 firewall MSC/VLR
  • 54. SS7 firewall: bypass within a TCAP handshake The incoming signaling message does not contain an operation code, so the STP does not send it to the SS7 firewall for inspection HLRSTP1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
  • 55. SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
  • 56. SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 2. TCAP Continue The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of normal TCAP Begin message. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
  • 57. SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of normal TCAP Begin message. The STP routes this message to the node that is involved into the initial transaction. 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
  • 58. SS7 firewall: bypass within a TCAP handshake HLR1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue SS7 firewall MSC/VLR 4. ProvideSubscriberInfo Cell IDIMSI
  • 59. SS7 firewall: bypass within a TCAP handshake SS7 firewall is aside HLR1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 5. AnyTimeinterrogation: Cell ID TCAP End 5. AnyTimeInterrogation: Cell ID TCAP End 4. ProvideSubscriberInfo Cell IDIMSI 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue SS7 firewall MSC/VLR
  • 61. Things to remember 1. Deploying security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed. 2. Test the network. Penetration testing is a good practice to discover a lot of vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them. 3. Know the perimeter. Continuous security monitoring enables a mobile operator to know which vulnerabilities are exploited and, therefore, protect the network.
  • 62. Thank you! ptsecurity.com Kirill Puzankov kpuzankov@ptsecurity.com