User location tracking attacks for LTE networks using the Interworking Functionality (IWF)

IFIP Networking 2016 Presentation
Full paper available at http://dl.ifip.org/db/conf/networking/networking2016/1570236202.pdf

1. User location tracking attacks for LTE networks using the Interworking Functionality
Silke Holtmanns (2), Siddharth Rao (1), Ian Oliver (2)
(1) Aalto University, Finland; (2) Bell Labs - Nokia Networks, Finland
IFIP Networking 2016, 17th-19th May 2016
Sid Rao (Aalto/Nokia), LTE location tracking using IWF, IFIP Networking 2016, slide 1 / 37

2. Overview
- Part 1: SS7 based attacks: SS7 background; SS7 attacks recap.
- Part 2: LTE/Diameter based attacks: Motivation; Interworking Functions (IWF); LTE IMSI disclosure attack; Location disclosure.
- Part 3: Countermeasures.
3. Part 1: SS7 attacks: SS7 background and location tracking attacks

4. Signalling System no. 7 (SS7)
- A four-decade-old protocol, mainly used in the era of 2G/GSM and before. However, 2G is still the most widely used mobile generation.
- Built for trusted partner networks; use by or access from outsiders was denied. Now, however, almost anyone with money, hacking skills or strong political power can use the telco backbone.
- Protocol foundation enabling roaming, Short Message and Supplementary services, toll-free numbers and tele-voting, Enhanced Message Service (EMS) and Local Number Portability (LNP).
7. SS7 location based attacks
- Locating Mobile Phones: first revealed in 2008 by Tobias Engel. An attacker can locate the victim with just the phone number and SS7 access, exploiting the loopholes of an outdated system, i.e. the signalling system protocol, and its lack of cryptographic protection.
- Since then, different types of SS7 attacks have been demonstrated by several security researchers.
- Locate-Track-Manipulate: in 2014, Engel presented a more concrete attack which can continuously track the victim, besides locating them more accurately than the previous attack.

8. Cellular identifiers
- MSISDN - Mobile Station International Subscriber Directory Number: the phone number.
- IMSI - International Mobile Subscriber Identity: uniquely identifies a SIM.
- GT - Global Title: uniquely* identifies the network elements. A host name or global IP address is to the Internet what the GT is to telecom.
- IMEI - International Mobile Equipment Identity: uniquely identifies the cellphone.
- Cell ID: uniquely identifies a base station within a location area. Cell ID + LAC → uniquely identifies a base station within a network.

9. Network elements
- HLR - Home Location Register: a central database of cellphone subscribers.
- MSC/VLR - Mobile Switching Centre/Visitor Location Register: keeps track of the location and other details of the users in its region.
- SMSC - Short Message Service Centre: handles the SMS service by storing and forwarding the messages.
- gsmSCF - GSM Service Control Function: responsible for handling subscriber billing.
- GMLC - Gateway Mobile Location Centre: responsible for emergency and commercial location-based services. Mainly used in emergency call (911) location scenarios.
10. GSM network architecture

11. Attack using call set up messages
Figure: Location disclosure attack using call set up messages [2]

12. Attack using SMS protocol messages
Figure: Location disclosure attack using SMS protocol messages [2]

13. Accuracy of the tracked location

14. Attack using billing platform related messages (1)
Figure: Location disclosure attack using billing platform related messages [3]

15. Attack using billing platform related messages (2)
Figure: Location disclosure attack using billing platform related messages [3]

16. Attack using emergency service related messages
Figure: Location disclosure attack using emergency service related messages [3]
18. Part 2: LTE/Diameter attacks: LTE and Diameter attacks
20. Motivation
- Most MNOs upgrade their network gradually, to avoid service interruption and to optimise the ROI of the infrastructure.
- Inhomogeneous set-up =⇒ interesting attack vectors.
- For interoperability with partners, edge nodes have the ability to translate between Diameter ⇐⇒ SS7.
- Attack translation: we wanted an easy way to port SS7 attacks to Diameter.

21. Ideal Diameter network
Figure: Diameter roaming architecture between two newer networks.

22. Inhomogeneous network
Figure: Different networks with different protocol support.

23. Interworking functions
- Technical specification TS 29.305 [4] and non-binding report TR 29.805 [5] describe how Diameter and SS7-MAP messages should be translated into each other, i.e. the Attribute Value Pair (AVP) mapping.
- General idea: the attacker pretends to be an old-type network or node. This forces the IPsec-secured LTE Diameter network or nodes into using the less secure SS7-MAP. Craft SS7-like attack messages and the IWF will take care of the rest.

24. Phase 1: Obtaining IMSI (1)
- The attacker claims to be an IWF node.
- Typical multi-domain support scenario for roaming and routing incoming SMS: MAP commands have to be translated into Diameter-specific commands by the receiving IWF node.

25. Phase 1: Obtaining IMSI (2)
- The IWF copies the IMSI of the victim from the User-Name AVP of the SRA into the SRI SM ACK.
26. Mapping of parameters from SRI SM to SRR
Attacker's side:
- MSISDN of the victim.
- His own Calling Party Address (cgPA).
- The spoofed Service Centre Address (SCA).
- SM-RP-PRI flag: allows the attacker to get information from the HSS even if the victim is not being served in that network.
- SM-Delivery-Not-Intended flag (optional).
Conversion into SRR:
- The IWF maps the above SS7 MAP parameters into the respective AVPs of the Diameter SRR.
- The Called Party Address (cdPA) AVP is populated before sending to the HSS.

27. Mapping of parameters from SRA to SRI SM ACK
- locationInfoWithLMSI sub-parameter AVP: networkNode-Number contains the MME address.
- IMSI of the victim.
- The IWF also sends a MAP Inform Service Centre message to the attacker to confirm completion of the requested information delivery, but this can be ignored.
- Please note: several other methods of IMSI retrieval exist as well, e.g. 4G IMSI catchers, WLAN access points and the EAP-AKA protocol, but they need the attacker to be in the vicinity of the target/victim.

28. Phase 2: Location disclosure attack

29. Mapping of ISD to IDR
Attacker's side:
- The attacker poses as an IWF across the interconnection and sends an ISD message to the targeted network's IWF, using the previously retrieved IMSI and serving node (MME) information.
- The Requested Information parameter includes the sub-parameters "Active Location Retrieval requested" and "Location Information in EPS supported". This allows the attacker to get fine-grained information about the victim, e.g. subscriber state, IMEI, software version.
Conversion into IDR:
- The target IWF sets the IDR-flag value to 3 → indicates that the location information is requested.
- The IDR message is then directed to the MME.

30. Mapping of IDA to ISD Ack
Depending on the information requested:
- EPS Location Information AVP → contains the Cell ID.
- EPS User State AVP → the victim's state.
- An attack using MAP Provide Subscriber Information (PSI) works in a similar fashion.
- The IMEI number and software version retrieved are hardware-specific information about the victim, which can be used for further targeted attacks.
31. LTE location disclosure attacks summary

SS7 attack vector       IWF attack?   Reason
MAP SRI                 No            Very few operators connect the HSS directly to the DEA or interconnection.
MAP SRI SM              Yes           Location up to the granularity of the MME.
MAP ATI                 No            IWF cannot directly map ATI commands.

32. LTE location disclosure attacks summary (2)

SS7 attack vector       IWF attack?   Reason
MAP PSI                 Yes           EPS Location Info, i.e. cell ID, subscriber state, IMEI, software version and encryption keys.
Emergency calls (PSL)   No            IWF cannot directly map PSL commands.
33. Countermeasures
- An effective SS7 filter/firewall to verify whether a message is: operator-network internal or from the interconnection; communicated within the global title range of the partner; sent to/from the MS of an outbound roaming subscriber.
- Whitelist the partners and the protocols used by them.
- Implement NDS/IP security over the Diameter Edge Agents.
- AVP-specific filtering.
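As an added illustration of slide 33 (not code from the slides or their authors), the following toy edge filter applies the three origin checks and AVP-specific filtering to the IWF-translated requests described on slides 26 and 29 (SRI-SM/SRR and ISD/IDR). The partner GT ranges, the MSISDN/IMSI table, the roaming table and every message are constructed sample data; the only value taken from the slides is the IDR-flag value 3.

```python
# Added example, not code from the slides or the authors: a toy interconnect
# filter in the spirit of slide 33, applied to the IWF-translated requests of
# slides 26 and 29. All tables and messages below are constructed sample data.
from dataclasses import dataclass, field

# Constructed whitelist: partner -> (global title prefix, protocols allowed from it).
PARTNERS = {"partnerA": ("4479", {"MAP", "Diameter"}),
            "partnerB": ("3358", {"Diameter"})}
# Constructed home-network view: MSISDN -> IMSI, and IMSI -> partner network
# currently serving the subscriber (None = not roaming, served at home).
MSISDN_TO_IMSI = {"447700900123": "234150000000001",
                  "447700900456": "234150000000002"}
SERVING_NETWORK = {"234150000000001": "partnerA", "234150000000002": None}
IDR_FLAG_LOCATION = 3  # value slide 29 says the IWF sets to request location


@dataclass
class Msg:
    protocol: str            # "MAP" (SS7 side) or "Diameter" (LTE side)
    cgpa: str                # calling party / origin global title
    op: str                  # "SRI-SM", "SRR", "ISD", "IDR", ...
    msisdn: str = ""         # present in SRI-SM / SRR (phase 1)
    imsi: str = ""           # present in ISD / IDR (phase 2)
    from_interconnect: bool = True
    avps: dict = field(default_factory=dict)


def partner_for(gt):
    """Slide 33: is the origin GT inside a whitelisted partner's GT range?"""
    for name, (prefix, _) in PARTNERS.items():
        if gt.startswith(prefix):
            return name
    return None


def filter_message(m):
    """Return (allowed, reason) for one message arriving at the edge."""
    if not m.from_interconnect:
        return True, "internal"          # slide 33: internal vs interconnection
    partner = partner_for(m.cgpa)
    if partner is None:
        return False, "origin GT outside every partner range"
    if m.protocol not in PARTNERS[partner][1]:
        return False, f"{m.protocol} not whitelisted for {partner}"
    # AVP-specific filtering: requests that reveal the serving node (SRI-SM/SRR)
    # or the cell (ISD/IDR with the location flag) are only legitimate from the
    # network that currently serves the subscriber; the SM-RP-PRI flag of
    # slide 26 does not help here because the roaming check ignores it.
    wants_location = m.op in ("SRI-SM", "SRR") or (
        m.op in ("ISD", "IDR") and m.avps.get("IDR-Flags") == IDR_FLAG_LOCATION)
    imsi = m.imsi or MSISDN_TO_IMSI.get(m.msisdn, "")
    if wants_location and SERVING_NETWORK.get(imsi) != partner:
        return False, f"subscriber {imsi or '?'} is not roaming in {partner}"
    return True, "ok"
```

A real deployment would take the roaming table from the HLR/HSS and log every rejected message, since a burst of location-bearing requests from a non-serving partner is the detectable signature of the attack on slides 26 and 29.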
34. Conclusion
- Even if LTE offers very good security on the air interface, Diameter is as insecure as SS7 when it comes to location disclosure attacks.
- LTE attacks =⇒ it is possible to port SS7 attacks to a Diameter network using Interworking Functions: IMSI disclosure; location tracking up to MME as well as cell ID level; IMEI and OS software version disclosure.
- Countermeasures include adhering to security standards (NDS/IP) and adopting efficient filtering mechanisms.
- Review of the Diameter protocol: "Privacy in LTE networks", to appear in The 9th EAI International Conference on Mobile Multimedia Communications (IW5GS 2016).
35. References I
[1] S. P. Rao, S. Holtmanns, I. Oliver, and T. Aura. We know where you are! Utilising the telecoms core network for user tracking. The 8th International Conference on Cyber Conflict (CyCon 2016), to appear. (Footnote 1: a survey article combining all SS7 location attacks.)
[2] Tobias Engel. Locating mobile phones using signalling system 7. 25th Chaos Communication Congress, 2008.
[3] Tobias Engel. SS7: Locate. Track. Manipulate. 31st Chaos Communication Congress, 2014.

36. References II
[4] TS 29.305, InterWorking Function (IWF) between MAP based and Diameter based interfaces, 3rd Generation Partnership Project (3GPP).
[5] TR 29.805, InterWorking Function (IWF) between MAP based and Diameter based interfaces, 3rd Generation Partnership Project (3GPP).

37. Thank you!