1. 1 © Nokia Solutions and Networks 2015
Check_IMEI Misusage
Siddharth Rao / Silke Holtmanns / Ian Oliver / Tuomas Aura
21-08-2015
Public

2. 2 © Nokia Solutions and Networks 2015
Agenda
Public
• Background of SS7 attacks
• Normal Check_IMEI procedure
• Assumptions
• Attack scenario description
• Summary

3. 3 © Nokia Solutions and Networks 2015
• Telecommunication systems are vulnerable.
• Recent attacks
• Locate
• Trace/intercept
• Manipulate
Frauds
Illegitimate activities
• Core network Protocol
• Signaling System #7
Public
Motivation

4. 4 © Nokia Solutions and Networks 2015
• Protocol foundation to enable roaming.
• Call establishment , management and release.
• Short Message Services (SMS).
• Supplementary services.
• Toll free numbers.
• Tele-voting.
• Enhanced Message Services (EMS).
• Local Number Portability (LNP).
Signaling System #7
Public

5. 5 © Nokia Solutions and Networks 2015 Public
SS7 Attacks timeline

6. 6 © Nokia Solutions and Networks 2015 Public
SS7 Attacks impact

7. 7 © Nokia Solutions and Networks 2015 Public
Unblocking stolen mobile devices using
SS7-MAP vulnerabilities
Exploiting the relationship between IMEI and IMSI for EIR access
- Siddharth Rao, Dr. Silke Holtmanns, Dr. Ian Oliver, Dr Tuomas Aura

8. 8 © Nokia Solutions and Networks 2015 Public
Normal IMEI (device ID) Check procedure

9. 9 © Nokia Solutions and Networks 2015 Public
CheckIMEI ASN Structure
Contains only IMEI.

10. 10 © Nokia Solutions and Networks 2015
• Attacker has a stolen phone which is blacklisted and he knows the IMSI
(Subsriber id) which was associated with it while blocking or last use by the
victim. The attacker does not need to have the original SIM as it is sufficient
to have just the IMSI.
• Attacker has access to SS7 network.
• The Global Title (GT, “SS7 name of a node”) of the Equipment Identity
Register (EIR) is required.
• Mobile Switching Center (MSC) GT might be needed (depending on operator
configuration).
• Feature and IMSI check options are enabled.
Public
Assumptions

11. 11 © Nokia Solutions and Networks 2015
Users loose their phones and find it again, easy ”recovery” in EIR
wanted
 MSC sends IMEI (device id) along with IMSI (subscriber id) during
MAP_CHECK_IMEI.
 Initially the IMEI is checked to know the list it belongs to. If it is found
on the black list, an additional check of IMSI is made. If there is a
match between IMSI provisioned with IMEI in the EIR database (This is
the IMSI-IMEI pair in the EIR before the victim blocks his stolen
device.) with the IMSI found in MAP_CHECK_IMEI message then this
overrides the blacklist condition.
 Phone no longer blacklisted.
Public
Feature

12. 12 © Nokia Solutions and Networks 2015 Public
Attack Scenario

13. 13 © Nokia Solutions and Networks 2015 Public
CheckIMEI ASN Structure
Contains IMEI and IMSI !!!!

14. 14 © Nokia Solutions and Networks 2015
1. A CHECK_IMEI* is received with IMEI = 12345678901234, and IMSI =
495867256894125.
2. An individual IMEI match is found indicating that the IMEI is on the
Black List.
3. Normally required response would be Black Listed, however; because
an IMSI is present in the message, and the IMEI is on the Black List,
the IMSI is compared to the IMSI entry in the database for this IMEI.
4. In this case, the IMSI in the RTDB matches the IMSI in the query, thus
the Black Listed condition is cancelled/overridden.
5. EIR formulates a CHECK_IMEI* response with Equipment Status = 0
whiteListed.
Public
Example

15. 15 © Nokia Solutions and Networks 2015
• Stolen phones would have much higher value, if they are not blacklisted and can be sold
via ebay or simlar means.
Why should somebody do this?
Public
Source: http://www.wired.com/2014/12/where-stolen-smart-phones-go/
• 1 in 10 smart-phone owners are the
victims of phone theft.
• In United States, 113 phones per minute
are stolen or lost.
 $7 million worth of smart phones on
a daily basis.

16. 16 © Nokia Solutions and Networks 2015 Public
EIR Coverage
Source: Farrell, G. (2015). Preventing phone theft and robbery: the need for government action and international coordination. Crime Science, 4(1), 1-11.

17. 17 © Nokia Solutions and Networks 2015
• Attack has not been observed in real networks.
• Research was done on protocol level and publicly available
information.
• Not all EIRs affected.
• Business case exist for the attack.
• Easy to add ”Check_IMEI*” to the filter list of network internal
messages to stop this kind of attack before it appears in real.
Public
Summary

18. 18 © Nokia Solutions and Networks 2015
THANK YOU
Public
Contact: siddharth.rao@aalto.fi

19. 19 © Nokia Solutions and Networks 2015 Public

20. 20 © Nokia Solutions and Networks 2015 Public
Copyright and confidentiality
The contents of this document are proprietary and
confidential property of Nokia Solutions and Networks.
This document is provided subject to confidentiality
obligations of the applicable agreement(s).
This document is intended for use of Nokia Solutions
and Networks customers and collaborators only for the
purpose for which this document is submitted by Nokia
Solution and Networks. No part of this document may
be reproduced or made available to the public or to any
third party in any form or means without the prior
written permission of Nokia Solutions and Networks.
This document is to be used by properly trained
professional personnel. Any use of the contents in this
document is limited strictly to the use(s) specifically
created in the applicable agreement(s) under which the
document is submitted. The user of this document may
voluntarily provide suggestions, comments or other
feedback to Nokia Solutions and Networks in respect of
the contents of this document ("Feedback"). Such
Feedback may be used in Nokia Solutions and Networks
products and related specifications or other
documentation. Accordingly, if the user of this
document gives Nokia Solutions and Networks Feedback
on the contents of this document, Nokia Solutions and
Networks may freely use, disclose, reproduce, license,
distribute and otherwise commercialize the feedback in
any Nokia Solutions and Networks product, technology,
service, specification or other documentation.
Nokia Solutions and Networks operates a policy of
ongoing development. Nokia Solutions and Networks
reserves the right to make changes and improvements
to any of the products and/or services described in this
document or withdraw this document at any time
without prior notice.
The contents of this document are provided "as is".
Except as required by applicable law, no warranties of
any kind, either express or implied, including, but not
limited to, the implied warranties of merchantability and
fitness for a particular purpose, are made in relation to
the accuracy, reliability or contents of this document.
NOKIA SOLUTIONS AND NETWORKS SHALL NOT BE
RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS
DOCUMENT or for any loss of data or income or any
special, incidental, consequential, indirect or direct
damages howsoever caused, that might arise from the
use of this document or any contents of this document.
This document and the product(s) it describes are
protected by copyright according to the
applicable laws.
Nokia is a registered trademark of Nokia Corporation.
Other product and company names mentioned
herein may be trademarks or trade names of their
respective owners.
© Nokia Solutions and Networks 2015