User location tracking attacks for LTE networks using the Interworking Functionality (IWF)
Silke Holtmanns (2), Siddharth Rao (1), Ian Oliver (2)
(1) Aalto University, Finland; (2) Bell Labs - Nokia Networks, Finland
IFIP Networking 2016
17th-19th May 2016
Sid Rao (Aalto/Nokia) LTE location tracking using IWF IFIP Networking 2016 1 / 37
Part 1: SS7 attacks
SS7 background and location tracking attacks
Signalling System no. 7 (SS7)
A four-decade-old protocol, mainly used in the 2G/GSM era and before.
However, 2G is still the most widely used mobile generation.
Built for a trusted partner network; use by, or access for, outsiders was denied.
However, now almost anyone can use the telco backbone (given money, hacking skills or strong political power).
Protocol foundation to enable roaming.
Short Message and Supplementary services.
Toll free numbers and tele-voting.
Enhanced Message Service (EMS) and Local Number Portability
(LNP).
SS7 Location based attacks
Locating Mobile Phones: first revealed in 2008 by Tobias Engel.
An attacker can locate the victim with just the phone number and SS7 access.
Exploits the loopholes of an outdated system, i.e. the Signalling System No. 7 protocol.
Lack of cryptographic protection.
Since then, different types of SS7 attacks have been demonstrated by several security researchers.
Locate-Track-Manipulate: in 2014, Engel presented a more concrete attack that can continuously track the victim, and locates them more accurately than the previous attack.
Cellular identifiers
MSISDN - Mobile Station International Subscriber Directory
Number, the phone number.
IMSI - International Mobile Subscriber Identity, uniquely identifies a
SIM.
GT - Global Title, uniquely* identifies a network element.
Analogy: a host name or global IP address is to the Internet what a GT is to the telecom network.
IMEI - International Mobile Equipment Identity, uniquely identifies
the cellphone.
Cell ID - uniquely identifies a base station within a location area.
Cell ID + LAC → uniquely identifies a base station within a network.
Network elements
HLR - Home Location Register, a central database of cellphone
subscribers.
MSC/VLR - Mobile Switching Centre/Visitor Location Register,
keeps track of location and other details of the users in its region.
SMSC - Short Message Service Centre, handles the SMS service by storing and forwarding messages.
gsmSCF - GSM Service Control Function, responsible for handling subscriber billing.
GMLC - Gateway Mobile Location Centre, responsible for emergency and commercial location-based services. Mainly used in emergency call (911) location scenarios.
Attack using call set up messages
Figure: Location disclosure attack using call set up messages [2]
Attack using SMS protocol messages
Figure: Location disclosure attack using SMS protocol messages [2]
Accuracy of the tracked location
Attack using billing platform related messages (1)
Figure: Location disclosure attack using billing platform related messages [3]
Attack using billing platform related messages (2)
Figure: Location disclosure attack using billing platform related messages [3]
Attack using emergency service related messages
Figure: Location disclosure attack using emergency service related messages [3]
Motivation
Most MNOs upgrade their networks gradually to avoid service interruption and to optimize the ROI of their infrastructure.
Inhomogeneous set-up ⇒ interesting attack vectors.
For interoperability with partners, edge nodes have the ability to translate between Diameter ⇔ SS7.
Attack translation
We wanted an easy way to port SS7 attacks to Diameter.
Ideal Diameter Network
Figure: Diameter roaming architecture between two newer networks.
Interworking functions
Technical specification TS 29.305 [4] and the non-binding report TR 29.805 [5] describe how Diameter and SS7-MAP messages are translated into each other, i.e. the Attribute Value Pair (AVP) mapping.
General idea:
The attacker pretends to be an old-type network or node.
This forces the IPsec-secured LTE Diameter network or nodes into using the less secure SS7-MAP.
Craft SS7-like attack messages and the IWF will take care of the rest.
Phase 1: Obtaining IMSI (1)
The attacker claims to be an IWF node.
Typical multi-domain support scenario for roaming and routing incoming SMS.
MAP commands have to be translated into Diameter-specific commands by the receiving IWF node.
Phase 1: Obtaining IMSI (2)
The IWF copies the IMSI of the victim from the User-Name AVP of the SRA into the SRI SM ACK.
Mapping of parameters from SRI SM to SRR
Attacker’s side
MSISDN of the victim
His own Calling Party Address (cgPA).
The spoofed Service Centre Address (SCA).
SM-RP-PRI flag - allows the attacker to get information from the
HSS even if the victim is not being served in that network.
SM-Delivery-Not-Intended flag (optional).
Conversion into SRR
IWF maps the above SS7 MAP parameters into respective AVPs of
Diameter SRR.
Called Party Address (cdPA) AVP is populated before sending to HSS.
Mapping of parameters from SRA to SRI SM ACK
locationInfoWithLMSI sub-parameter AVP:
networkNode-Number contains the MME address.
IMSI of the victim.
The IWF also sends a MAP InformServiceCentre message to the attacker to confirm completion of the requested information delivery, but this can be ignored.
Please note:
Several other methods of IMSI retrieval exist as well, e.g. 4G IMSI catchers, WLAN access points and the EAP-AKA protocol, but they require the attacker to be in the vicinity of the target/victim.
Mapping of ISD to IDR
Attacker’s side
The attacker poses as an IWF across the interconnection and sends an ISD message to the targeted network's IWF, using the previously retrieved IMSI and serving node (MME) information.
The Requested Information parameter includes the sub-parameters "Active Location Retrieval requested" and "Location Information in EPS supported".
This allows the attacker to get fine-grained information about the victim, e.g. subscriber state, IMEI, software version.
Conversion into IDR
The target IWF sets the IDR-Flags value to 3 → indicates that location information is requested.
The IDR message is then directed to the MME.
Mapping of IDA to ISD Ack
Depending on the information requested:
EPS Location Information AVP → contains the Cell ID.
EPS User State AVP → the victim's state.
The attack using MAP Provide Subscriber Information (PSI) works in a similar fashion.
The IMEI number and software version retrieved are hardware-specific information about the victim, which can be used for further targeted attacks.
LTE Location disclosure attacks summary
SS7 attack vector        IWF attack?   Reason
MAP SRI                  No            Very few operators connect the HSS directly to the DEA or interconnection.
MAP SRI SM               Yes           Location up to the granularity of the MME.
MAP ATI                  No            IWF cannot directly map ATI commands.
MAP PSI                  Yes           EPS Location Info, i.e. cell ID, subscriber state, IMEI, software version and encryption keys.
Emergency calls (PSL)    No            IWF cannot directly map PSL commands.
Countermeasures
Effective SS7 filter/firewall to verify whether a message is:
operator-network internal or from the interconnection;
communicated within the global title range of the partner;
sent to/from the MS of an outbound roaming subscriber.
Whitelist the partners and the protocols used by them.
Implement NDS/IP security over the Diameter Edge Agents.
AVP-specific filtering.
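The filtering rules above, as an added example that is not part of the original presentation: a screening function for messages arriving from the interconnection that applies the partner GT-range check, the per-partner protocol whitelist, the outbound-roamer check and a parameter/AVP-specific rule for the location-exposing flags the deck names (SM-RP-PRI, Active Location Retrieval). The partner table, subscriber roaming table, message model and the choice to refuse those flags from outside the operator's network are constructed assumptions, not from the deck, a 3GPP specification or any product.

```python
from dataclasses import dataclass, field

# Constructed partner table (assumption, not from the deck): GT prefix -> protocols
# the partner is whitelisted to use across the interconnection.
PARTNERS = {"35840": {"MAP"}, "35850": {"MAP", "Diameter"}}

# Constructed subscriber table: IMSI or MSISDN -> GT prefix of the partner the
# subscriber currently roams in (None = served at home). Both identifiers are keyed
# so SRI-SM (MSISDN) and ISD/IDR/PSI (IMSI) requests can be checked the same way.
ROAMING = {"244120000000001": "35850", "358401234567": "35850",
           "244120000000002": None, "358407654321": None}

# Per-operation parameter/AVP the deck identifies as exposing location, which this
# filter refuses to accept from outside the operator's own network (assumption).
LOCATION_FLAGS = {"SRI_SM": "sm_rp_pri", "ISD": "active_location_retrieval",
                  "IDR": "active_location_retrieval", "PSI": "active_location_retrieval"}


@dataclass
class Msg:
    protocol: str     # "MAP" or "Diameter"
    opcode: str       # "SRI_SM", "ISD", "IDR", "PSI", ...
    origin_gt: str    # calling-party GT (MAP) or GT the DEA resolves Origin-Host to
    subscriber: str   # MSISDN or IMSI the request is about
    flags: dict = field(default_factory=dict)


def partner_of(gt):
    """Map an origin GT to the whitelisted partner whose GT range contains it."""
    return next((p for p in PARTNERS if gt.startswith(p)), None)


def screen(msg):
    """Return (allowed, reason) for a message arriving from the interconnection."""
    partner = partner_of(msg.origin_gt)
    if partner is None:
        return False, "origin GT outside every partner's GT range"
    if msg.protocol not in PARTNERS[partner]:
        return False, f"{msg.protocol} not whitelisted for partner {partner}"
    if msg.subscriber not in ROAMING:
        return False, "request concerns an unknown subscriber"
    if ROAMING[msg.subscriber] != partner:
        # Not an outbound roamer served by this partner: nothing legitimate to ask for.
        return False, "subscriber is not roaming in the requesting partner's network"
    flag = LOCATION_FLAGS.get(msg.opcode)
    if flag and msg.flags.get(flag):
        return False, f"{msg.opcode} with {flag} refused over the interconnection"
    return True, "accepted"
```

Messages that fail any rule should be logged with the origin GT and opcode, since a burst of rejected SRI-SM or ISD/IDR requests for home subscribers is exactly the pattern the attack described in this deck produces.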
Conclusion
Even if LTE offers very good security on the air interface, Diameter is no more secure than SS7 when it comes to location disclosure attacks.
LTE attacks ⇒ it is possible to port SS7 attacks to a Diameter network using Interworking Functions.
IMSI disclosure; location tracking up to MME as well as cell ID level; IMEI and OS software version disclosure.
Countermeasures include adhering to security standards (NDS/IP) and adopting efficient filtering mechanisms.
Review of the Diameter protocol: "Privacy in LTE networks", to appear in The 9th EAI International Conference on Mobile Multimedia Communications (IW5GS 2016).
References
[1] S. P. Rao, S. Holtmanns, I. Oliver, and T. Aura. We know where you are! Utilising the telecoms core network for user tracking. The 8th International Conference on Cyber Conflict (CyCon 2016), to appear. (A survey article combining all SS7 location attacks.)
[2] Tobias Engel. Locating mobile phones using signalling system 7. 25th Chaos Communication Congress, 2008.
[3] Tobias Engel. SS7: Locate. Track. Manipulate. 31st Chaos Communication Congress, 2014.
[4] 3GPP TS 29.305. InterWorking Function (IWF) between MAP based and Diameter based interfaces. 3rd Generation Partnership Project (3GPP).
[5] 3GPP TR 29.805. InterWorking Function (IWF) between MAP based and Diameter based interfaces. 3rd Generation Partnership Project (3GPP).