
Mobile signaling threats and vulnerabilities - real cases and statistics from our experience


Presented by Kirill Puzankov in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive



  1. Kirill Puzankov. Mobile signaling threats and vulnerabilities - real cases from our experience
  2. Signaling System 7. Signaling System 7 (SS7) is the control plane used for exchanging data between network devices in telecommunications networks. SS7 introduces:
     • Call control functions: establish and release
     • Subscriber mobility management: roaming possibilities, location-based services, seamless calls for moving subscribers
     • Short message service
     • Supplementary service control: call forwarding, call waiting, call hold
  3. History of Signaling Security. The state of signaling security has not changed for almost 40 years. Timeline from 1980 to 2018:
     • Trusted ecosystem: the SS7 network was developed in a trusted environment, with no security mechanisms in the protocol stack
     • No security: SIGTRAN (SS7 over IP) introduced, the number of operators grows, security is still missing
     • Scope grows: huge number of MNOs, MVNOs and VAS providers; SS7 widely used, Diameter added and spreading; still not enough security
     • Not trusted anymore: growing number of SS7 interconnections and increasing amount of SS7 traffic, with no security policies or restrictions
     Innovations of TODAY rely on OBSOLETE technologies from YESTERDAY.
  4. Why SS7 is not secure. Diagram of interconnected networks: SIGTRAN links, IWF/DEA, Diameter, LTE. Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world.
  5. Governments and global organizations are worried by SS7 security.
  6. Mobile operators and SS7 security: security assessment, SS7 firewall, security monitoring, SMS Home Routing, security configuration.
  7. Research and publications:
     • 2014 – Signaling System 7 (SS7) security report
     • 2014 – Vulnerabilities of mobile Internet (GPRS)
     • 2016 – Primary security threats for SS7 cellular networks
     • 2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities)
     • 2017 – Threats to packet core security of 4G network
     • 2018 – SS7 vulnerabilities and attack exposure report
     • 2018 – Diameter vulnerabilities exposure report
  8. SS7 Security Audit. Common Facts and Figures
     • Subscribers could be geotracked on 75% of analyzed networks
     • Incoming SMS messages could be intercepted in 90% of cases
     • Voice calls could be intercepted in 53% of cases

     | Threat (share of networks exposed) | 2015 | 2016 | 2017 |
     |---|---|---|---|
     | Subscriber information disclosure | 100% | 100% | 100% |
     | Network information disclosure | 100% | 92% | 63% |
     | Subscriber traffic interception | 100% | 100% | 89% |
     | Fraud | 100% | 85% | 78% |
     | Denial of service | 100% | 100% | 100% |
  9. SS7 vs Diameter comparison: 4G networks are nearly equally vulnerable.
  10. Signaling Monitoring. Common Facts and Figures: almost 99% of attacks are connected with disclosing confidential subscriber data.
  11. Network vulnerability statistics: SMS Home Routing. 67% of installed SMS Home Routing systems have been bypassed. The possibility of exploiting some threats in networks with SMS Home Routing installed is greater than in networks without protection.
  12. Network vulnerability statistics: SS7 firewall. Penetration level of SS7 firewalls on mobile networks: 2015 — 0%, 2016 — 7%, 2017 — 33%. A filtering system alone cannot protect the network thoroughly.
  13. Basic nodes and identifiers:
     • HLR — Home Location Register
     • MSC/VLR — Mobile Switching Center and Visited Location Register
     • SMS-C — SMS Centre
     • MSISDN — Mobile Subscriber Integrated Services Digital Number
     • IMSI — International Mobile Subscriber Identity
     • STP — Signaling Transfer Point
     • GT — Global Title, address of a core node element
  14. IMSI. An IMSI identifier, by itself, is not valuable to an intruder. But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as:
     • Location tracking
     • Service disturbance
     • SMS interception
     • Voice call eavesdropping
     The IMSI is considered personal data as per GDPR.
  15. SS7 messages for IMSI retrieval:
     • SendRoutingInfo, SendIMSI, SendRoutingInfoForLCS: should be blocked on the network border
     • SendRoutingInfoForSM: may be blocked on the HLR – SMS Home Routing as a protection tool
  16. SMS Home Routing bypass
  17. SMS delivery with no SMS Home Routing in place (SMS-C, STP, HLR, MSC; SRI4SM — SendRoutingInfoForSM):
     • 1. SRI4SM Request (MSISDN): SMS-C → STP → HLR
     • 2. SRI4SM Response (IMSI, MSC address): HLR → STP → SMS-C
     • 3. MT-SMS (IMSI, SMS text): SMS-C → MSC
  18. SRI4SM abuse by a malefactor: 1. SRI4SM Request (MSISDN) from the malefactor → STP → HLR; 2. SRI4SM Response (IMSI, MSC address) back to the malefactor.
  19. SMS Home Routing (SMS-C, STP, SMS Router, HLR, MSC):
     • 1. SRI4SM Request (MSISDN): SMS-C → STP → SMS Router
     • 2. SRI4SM Response (Fake IMSI, SMS-R address): SMS Router → SMS-C
     • 3. MT-SMS (Fake IMSI, SMS text): SMS-C → SMS Router
     • 4. SRI4SM Request (MSISDN): SMS Router → HLR
     • 5. SRI4SM Response (Real IMSI, MSC address): HLR → SMS Router
     • 6. MT-SMS (Real IMSI, SMS text): SMS Router → MSC
  20. SMS Home Routing against malefactors: 1. SRI4SM Request (MSISDN) from the malefactor → STP → SMS Router; 2. SRI4SM Response (Fake IMSI, SMS-R address) back to the malefactor.
  21. Numbering plans. Example values for a Romanian operator, used on the following slides:

     | Plan | Identifier | Country Code / Mobile Country Code (Romania) | Network Destination Code / Mobile Network Code | Subscriber part |
     |---|---|---|---|---|
     | E.164 | MSISDN and GT | 40 | 700 | 1231237 |
     | E.212 | IMSI | 226 | 99 | 4564567894 |
     | E.214 | Mobile GT | 40 | 700 | 4564567894 |

     Rule of GT translation: the operator's HLR is addressed by an E.214 Mobile GT derived from the IMSI by replacing the Mobile Country Code and Mobile Network Code (226 99) with the Country Code and Network Destination Code (40 700) and keeping the remaining IMSI digits.
  22. STP routing table (slides 22 to 25 build up the same picture). An SS7 message arriving at the STP is matched against the routing table and the E.214 Global Title Translation table; possible destinations are HLR 1, HLR 2 and the SMS Router.
     • STP routing table entries: … Numbering Plan = E.214 …; … OpCode = SRI4SM …
     • E.214 Global Title Translation table: 40 + 700 + 0xxxxxxxxx → HLR 1; 40 + 700 + 4xxxxxxxxx → HLR 2
  26. SendRoutingInfoForSM message: Called Party Address = MSISDN.
  27. SMS Home Routing bypass attack. The malefactor addresses the HLR directly:
     • 1. SRI4SM Request with an E.214 Called Party Address derived from a random IMSI and the MSISDN in the payload → STP
     • 2. The STP matches Numbering Plan = E.214 in its routing table and the E.214 Global Title Translation table (40 + 700 + 0xxxxxxxxx → HLR 1, 40 + 700 + 4xxxxxxxxx → HLR 2) and forwards the request to the HLR; the SMS Router is aside
     • 3. SRI4SM Response (IMSI, MSC address) back to the malefactor
     The malefactor needs to guess any IMSI from an HLR serving the target subscriber.
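The STP decision behind slides 21 to 27, as an added example that is not code from the talk or from Positive Technologies: the E.212 to E.214 translation rule, a constructed GT translation table in the shape of slide 23, the routing rule as drawn (SRI4SM diverted to the SMS Router only for E.164 called parties) and a hardened rule that diverts every external SRI4SM whatever the numbering plan. The `from_interconnect` flag, the HLR ranges and all function names are this example's assumptions.

```python
from dataclasses import dataclass

E164, E214 = "E.164", "E.214"
# Numbering plan values from slide 21 (Romania): IMSI prefix MCC+MNC, GT prefix CC+NDC
MCC_MNC, CC_NDC = "22699", "40700"
# Constructed E.214 GT translation table in the shape of slide 23:
# the first digit of the subscriber part selects the HLR
E214_GTT = {"0": "HLR 1", "4": "HLR 2"}

@dataclass(frozen=True)
class Sccp:
    called_np: str           # numbering plan of the SCCP Called Party Address
    called_gt: str           # digits of the Called Party GT
    opcode: str              # MAP operation in the TCAP component, e.g. "SRI4SM"
    from_interconnect: bool  # True when the message entered over an external link (assumed)

def e212_to_e214(imsi: str) -> str:
    """Slide 21 rule: replace MCC+MNC with CC+NDC, keep the remaining IMSI digits."""
    if not imsi.startswith(MCC_MNC):
        raise ValueError("IMSI does not belong to this operator")
    return CC_NDC + imsi[len(MCC_MNC):]

def gtt_e214(gt: str):
    """E.214 global title translation: the HLR that owns the GT, or None."""
    if not gt.startswith(CC_NDC):
        return None
    return E214_GTT.get(gt[len(CC_NDC):len(CC_NDC) + 1])

def route_weak(msg: Sccp) -> str:
    """Routing as on slide 22: the SRI4SM -> SMS Router rule is keyed on E.164 GTs, so an
    E.214-addressed SRI4SM is sent straight to the HLR by GT translation (slide 27)."""
    if msg.opcode == "SRI4SM" and msg.called_np == E164:
        return "SMS Router"
    if msg.called_np == E214:
        return gtt_e214(msg.called_gt) or "DROP"
    return "DROP"

def route_fixed(msg: Sccp) -> str:
    """Hardened rule: every SRI4SM from the interconnect goes to the SMS Router whatever
    the numbering plan; only internal nodes (e.g. the SMS Router) reach the HLR directly."""
    if msg.opcode == "SRI4SM" and msg.from_interconnect:
        return "SMS Router"
    if msg.called_np == E214:
        return gtt_e214(msg.called_gt) or "DROP"
    return "DROP"
```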
  28. Another way to bypass the Home Router
  29. SMS Home Routing definition (slides 29 to 32 build up the same picture). The normal flow with SMS Home Routing in place:
     • 1. SRI4SM Request (MSISDN) → STP → SMS Router
     • 2. SRI4SM Request (MSISDN): SMS Router → HLR
     • 3. SRI4SM Response (Fake IMSI, SMS-R address) back to the requester
     Different IMSIs mean the SMS Home Routing procedure is involved.
  33. TCAP Protocol (TCAP – Transaction Capabilities Application Part). A TCAP message consists of:
     • Message Type: Begin, Continue, End, Abort
     • Transaction IDs: source and/or destination IDs
     • Dialogue Portion: Application Context Name (ACN) and ACN version
     • Component Portion: Operation Code and payload
     The Application Context Name corresponds to a respective Operation Code.
  34. Application Context. The ACN is an object identifier whose arcs are: 0 – CCITT; 4 – Identified Organization; 0 – ETSI; 0 – Mobile Domain; 1 – GSM/UMTS Network; 0 – Application Context ID; 20 – ShortMsgGateway; 3 – Version 3.
  35. Application Context change. The well-formed ACN (0 – CCITT; 4 – Identified Organization; 0 – ETSI; 0 – Mobile Domain; 1 – GSM/UMTS Network; 0 – Application Context ID; 20 – ShortMsgGateway; 3 – Version 3) is altered in a single arc: 0 – ETSI becomes x – Unknown, while the remaining arcs stay the same.
  36. SMS Home Routing bypass with malformed Application Context (slides 36 to 38):
     • 1. SRI4SM Request (MSISDN) with a malformed ACN → STP → HLR; the SMS Router is aside
     • 2. SRI4SM Response (IMSI, MSC) back to the requester
     Equal IMSIs mean the SMS Home Routing solution is absent or not involved.
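The ACN check behind both the SMS Home Routing bypass (slides 34 to 38) and the firewall bypass with the same malformed context (slides 43 to 45), as an added example that is not code from the talk: a strict parser of the MAP application context OID beside the lenient exact-match behaviour the bypass relies on, which lets anything unrecognised through to the HLR. The x – Unknown arc is represented by a constructed value 7; `AC_TABLE`, the "SRI4SM"/"ATI" opcode labels and the function names are assumptions of this example.

```python
from typing import Optional, Tuple

# Fixed prefix of every GSM/UMTS MAP application context, as decoded on slide 34:
# 0 CCITT, 4 Identified Organization, 0 ETSI, 0 Mobile Domain, 1 GSM/UMTS Network, 0 AC ID
MAP_AC_PREFIX = (0, 4, 0, 0, 1, 0)
# Application-context ids named on the slides and the operation each may carry
# (standard MAP id values; the "SRI4SM"/"ATI" labels are this example's shorthand)
AC_TABLE = {20: ("ShortMsgGateway", {"SRI4SM"}), 29: ("AnyTimeInfoEnquiry", {"ATI"})}
SUPPORTED_VERSIONS = {1, 2, 3}

def parse_acn(dotted: str) -> Optional[Tuple[int, int]]:
    """Strict parse: (ac_id, version) for a well-formed MAP ACN, otherwise None."""
    try:
        arcs = tuple(int(a) for a in dotted.split("."))
    except ValueError:
        return None
    if len(arcs) != 8 or arcs[:6] != MAP_AC_PREFIX:
        return None
    ac_id, version = arcs[6], arcs[7]
    if ac_id not in AC_TABLE or version not in SUPPORTED_VERSIONS:
        return None
    return ac_id, version

def decide_lenient(acn: str, opcode: str) -> str:
    """The behaviour slides 36-38 describe: only an exactly recognised SRI4SM context is
    diverted to the SMS Router; anything else, a corrupted arc included, goes to the HLR."""
    if acn == "0.4.0.0.1.0.20.3" and opcode == "SRI4SM":
        return "SMS Router"
    return "HLR"

def decide_strict(acn: str, opcode: str) -> str:
    """Fail closed: reject a malformed ACN or an operation that does not match its ACN,
    divert SRI4SM to the SMS Router, and let only consistent dialogues reach the HLR."""
    parsed = parse_acn(acn)
    if parsed is None:
        return "REJECT"
    name, allowed_ops = AC_TABLE[parsed[0]]
    if opcode not in allowed_ops:
        return "REJECT"
    return "SMS Router" if name == "ShortMsgGateway" else "HLR"
```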
  39. Firewall bypass
  40. SS7 firewall: typical deployment scheme (STP, SS7 firewall, HLR). 1. An SS7 message arrives at the STP; 2. the STP passes it to the SS7 firewall; 3. the message is delivered to the HLR.
  41. SS7 messages for IMSI retrieval (repeat of slide 15):
     • SendRoutingInfo, SendIMSI, SendRoutingInfoForLCS: should be blocked on the network border
     • SendRoutingInfoForSM: may be blocked on the HLR – SMS Home Routing as a protection tool
  42. SS7 firewall: typical deployment scheme (SRI – SendRoutingInfo). 1. SRI Request (MSISDN) → STP; 2. SRI Request (MSISDN) → SS7 firewall; the message is blocked.
  43. Application Context change (repeat of slide 35). The well-formed ACN (0 – CCITT; 4 – Identified Organization; 0 – ETSI; 0 – Mobile Domain; 1 – GSM/UMTS Network; 0 – Application Context ID; 20 – ShortMsgGateway; 3 – Version 3) is altered in a single arc: 0 – ETSI becomes x – Unknown, while the remaining arcs stay the same.
  44. SS7 firewall: bypass with malformed Application Context (slides 44 and 45):
     • 1. SRI Request (MSISDN) with a malformed ACN → STP
     • 2. SRI Request (MSISDN, malformed ACN): STP → HLR; the SS7 firewall is aside
     • 3. SRI Response (IMSI, …) back to the requester
  46. Tricky location tracking
  47. SMS delivery (MSC 1, SMS-C, HLR, MSC 2):
     • 1. Mo-ForwardSM (A-Num, B-Num): MSC 1 → SMS-C
     • 2. SRI4SM (B-Num): SMS-C → HLR
     • 3. SRI4SM (IMSI, MSC2): HLR → SMS-C
     • 4. Mt-ForwardSM (A-Num, IMSI): SMS-C → MSC 2
     • 5. ReturnResultLast: MSC 2 → SMS-C → MSC 1
  48. SMS spam through SS7. Steps 2 to 5 of the normal flow are performed without step 1 (Mo-ForwardSM from an MSC): 2. SRI4SM (B-Num) → HLR; 3. SRI4SM (IMSI, MSC2); 4. Mt-ForwardSM (A-Num, IMSI) → MSC 2; 5. ReturnResultLast.
  49. TCAP handshake as a protection measure (MSC 1, SMS-C, HLR, MSC 2):
     • 1. TCAP Begin: ACN = MoSMRelay
     • 2. TCAP Continue
     • 3. Mo-ForwardSM (A-Num, B-Num)
     • 4. SRI4SM (B-Num)
     • 5. SRI4SM (IMSI, MSC2)
     • 6. TCAP Begin: ACN = MtSMRelay
     • 7. TCAP Continue
     • 8. Mt-ForwardSM (A-Num, IMSI)
     • 9. ReturnResultLast
  50. Location retrieval for intelligent network services (IN, HLR, MSC/VLR):
     • 1. AnyTimeInterrogation (MSISDN): IN → HLR
     • 2. ProvideSubscriberInfo (IMSI): HLR → MSC/VLR
     • 3. ProvideSubscriberInfo (CellID): MSC/VLR → HLR
     • 4. AnyTimeInterrogation (CellID): HLR → IN
     The AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive the identity of the serving cell in order to perform a location-based service. This message is allowed for internal operations only; it should be prohibited in external connections.
  51. Blocking an illegitimate location request. 1. AnyTimeInterrogation (MSISDN) → STP; 2. AnyTimeInterrogation (MSISDN) → SS7 firewall; the message is blocked.
  52. TCAP handshake exploit. Is it possible to encapsulate a malformed location request into the protection mechanism and receive a result?
  53. SS7 firewall: bypass within a TCAP handshake (slides 53 to 59; STP, SS7 firewall, HLR, MSC/VLR). The AnyTimeInfoEnquiry application context is used in an AnyTimeInterrogation operation that responds with the serving cell identity, which provides subscriber location to within ~100 meters.
     • 1. TCAP Begin with ACN = AnyTimeInfoEnquiry and no component → STP → HLR. The incoming signaling message does not contain an operation code, so the STP does not send it to the SS7 firewall for inspection.
     • 2. TCAP Continue: HLR → STP → back to the sender.
     • 3. AnyTimeInterrogation (MSISDN) encapsulated in a TCAP Continue instead of the normal TCAP Begin message. The STP routes this message to the node that is involved in the initial transaction, so it reaches the HLR while the SS7 firewall is aside.
     • 4. ProvideSubscriberInfo (IMSI): HLR → MSC/VLR, answered with the Cell ID.
     • 5. AnyTimeInterrogation (Cell ID) in a TCAP End back to the sender.
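The STP and firewall behaviour of slides 40 and 53 to 59, as an added example that is not code from the talk: a filter that only ever sees a Begin carrying an operation code (the deployment the slides describe) beside a stateful one that refuses a prohibited dialogue at Begin, inspects components in Continue and End as well, and drops a Continue/End for a dialogue nobody opened, both run over a constructed version of the handshake. The `Tcap` structure, the transaction ids and the `external` flag are this example's assumptions.

```python
from dataclasses import dataclass

PROHIBITED_OPS = {"AnyTimeInterrogation"}   # slide 50: allowed for internal operations only
PROHIBITED_ACNS = {"AnyTimeInfoEnquiry"}    # slide 53: the application context that carries it

@dataclass(frozen=True)
class Tcap:
    kind: str               # "Begin", "Continue" or "End"
    otid: str               # originating transaction id ("" if absent)
    dtid: str               # destination transaction id ("" if absent)
    acn: str                # dialogue portion ("" when the message carries none)
    ops: tuple = ()         # operation codes in the component portion
    external: bool = True   # arrived over the interconnect (assumed to be known)

def stateless_firewall(msg):
    """Slides 54/57: only a Begin carrying an operation code is diverted to the firewall;
    a Continue is routed by transaction id to the node already in the dialogue."""
    if msg.kind != "Begin" or not msg.ops or not msg.external:
        return "FORWARD"
    return "BLOCK" if PROHIBITED_OPS & set(msg.ops) else "FORWARD"

class StatefulFirewall:
    """Sees every message and remembers which transaction ids belong to external dialogues."""
    def __init__(self):
        self.acn_by_tid = {}    # every transaction id of an external dialogue -> its ACN

    def handle(self, msg):
        if not msg.external:
            if msg.dtid in self.acn_by_tid and msg.otid:
                # our node answered an external dialogue: learn the id it allocated
                self.acn_by_tid[msg.otid] = self.acn_by_tid[msg.dtid]
            return "FORWARD"
        if msg.kind == "Begin":
            if msg.acn in PROHIBITED_ACNS:
                return "BLOCK"          # refuse the dialogue before any operation is sent
            self.acn_by_tid[msg.otid] = msg.acn
        elif msg.dtid not in self.acn_by_tid:
            return "BLOCK"              # Continue/End for a dialogue nobody opened
        return "BLOCK" if PROHIBITED_OPS & set(msg.ops) else "FORWARD"

def trace(firewall, msgs):
    """Decisions of a firewall over a constructed message sequence, in order."""
    handle = getattr(firewall, "handle", firewall)
    return [handle(m) for m in msgs]

# Constructed exchange of slides 53 to 59: empty Begin, the HLR's Continue, ATI inside a Continue
BYPASS_ATTEMPT = (
    Tcap("Begin", "A1", "", "AnyTimeInfoEnquiry"),
    Tcap("Continue", "H7", "A1", "AnyTimeInfoEnquiry", external=False),
    Tcap("Continue", "A1", "H7", "", ("AnyTimeInterrogation",)),
)
```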
  60. Main problems: architecture flaws, configuration mistakes, software bugs.
  61. Things to remember:
     1. Deploying a security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed.
     2. Test the network. Penetration testing is a good practice to discover a lot of vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them.
     3. Know the perimeter. Continuous security monitoring enables a mobile operator to know which vulnerabilities are exploited and, therefore, protect the network.
  62. Thank you! ptsecurity.com — Kirill Puzankov, kpuzankov@ptsecurity.com
