CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
- 1. © Copyright 2020. All rights Reserved.
Watching the Watchers
Cathal Mc Daid
@mcdaidc #rc3
- 2. Surveillance Companies are in the News (again)
- 3. Why are we here
• 2G/3G Core Network uses Signalling System 7 (SS7)
  – Main security problem: assumes trust between mobile phone operators worldwide
• 4G Core Network uses the Diameter protocol
  – Same security problem exists!
“Age is just a number”: the issue is the underlying trust model, not the age of the protocol.
• SS7 (GSM-MAP): early 90s; Diameter: early 2010s
- 4. 3 Types of Exploiters of Mobile Signalling Networks
1) Surveillance Companies
2) Governments
3) Criminals
• Considerable overlap between sources used by Surveillance Companies and Governments
• Criminal activity is the smallest; some overlap between sources used by criminals and Surveillance Companies
• Surveillance companies have large resources ($$)
- 5. How do we know what is Malicious?
From 2014, the industry has been recommending ways for Mobile Operators to protect subscribers/networks.
Led by the GSM Association (GSMA), key outputs:
• 2G/3G: GSMA FS.11 document
• 4G: GSMA FS.19 document
• + other documents for 5G and GTP
Mobile Operators take this as a starting point to find irregular or suspicious signalling traffic to block =>
• but this does not mean this irregular traffic is malicious
• the vast majority of it is “noise”: misconfigured nodes, local-specific configs
Malicious traffic is a very small percentage of irregular/suspicious traffic
• It takes a LOT of analysis and experience to attribute maliciousness
• Easy to make mistakes (see some recent headlines)
[Chart: All SS7 Traffic → 0.04% = Irregular/Suspicious → 1.37% = Malicious]
- 6. What do Mobile Surveillance Companies do
Surveillance!
Vast majority of confirmed malicious activity is Location Tracking related
On average, for surveillance companies:
– SS7 activity
  • 61.89% of malicious SS7 activity is used to obtain information (normally to help Location Tracking)
  • 30.90% of malicious SS7 activity is directly used to track the location of subscribers (people/things)
  • 5.13% is SS7 testing, specific attacks, uncategorised other activity
  • 2.07% is SS7 interception of calls/text messages/data etc.
– Diameter activity: very small in the past, large increase recently
– SMS: one surveillance company is also very active via SMS
- 7. How Location Tracking is done via SS7 : Example
[Diagram: Surveillance Company → Victim’s Network (HLR, MSC) → Target]
Method 1: Direct (Location Tracking)
  1) ATI (MSISDN) → HLR
  2) ATI-Resp (Cell-ID) ← HLR
Method 2: Indirect
  Information Harvesting:
  1) SRI-SM (MSISDN) → HLR
  2) SRI-SM-Resp (IMSI, MSC) ← HLR
  Location Tracking:
  3) PSI (IMSI, MSC) → MSC
  4) PSI-Resp (Cell-ID) ← MSC
Simplified views; for more public information see #31C3, Karsten Nohl and Tobias Engel
- 8. SS7 Location Tracking Command ‘Toolbox’ – Attacker Pros and Cons
GSM-MAP Command | Pre-requisite(s) | Pros | Cons
ANY-TIME-INTERROGATION (ATI) | MSISDN (or IMSI) | No other info needed | Can often be blocked by operator legacy equipment
PROVIDE-SUBSCRIBER-INFO (PSI) | IMSI, Serving MSC | Difficult for operators to block | Requires possession of IMSI and serving MSC
PROVIDE-SUBSCRIBER-LOCATION (PSL) | MSISDN (or IMSI), Serving MSC | Gets most precise location | Can normally be blocked by legacy equipment. Requires possession of serving MSC. May not be supported by target network
- 9. Complexity/Info Needed v Possibility to be Blocked : SS7
[Chart: x-axis “Possibility of Attacker to be Blocked” (Greater →), y-axis “Amount of pre-requisite info needed by Attacker” (More ↑); points plotted: ATI, PSI, PSL; regions annotated “Better/Easier for Attacker” and “Worse/Harder for Attacker”]
- 10. Sample Real Life Attempted Attack – SS7
1. 09:01:29 = Initial SRI-SM from 2 operators (Sure Guernsey, Jersey Airtel) in the UK Channel Islands
2. 09:02 = SRI, SRI-LCS
3. 09:03 -> 09:04 = SRI-SM from UK + Cameroon
4. 09:04 -> 09:05 = 4 ATIs from Jersey Airtel, Cameroon, Israel, Laos
• All within a 5 minute period
[Timeline: steps 1-3 = Information Harvesting, step 4 = Location Tracking]
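The detection side of slides 7, 8 and 10, as an added example that is not code from the talk or from AdaptiveMobile: a per-message screen for inbound GSM-MAP operations (ATI and PSL treated as home-only, PSI accepted only from the network whose MSC/VLR the HLR says is serving the target, SRI-SM and similar logged as harvesting) and a per-target correlation that flags the harvest-then-track burst of slide 10. The opcode policy is my own simplification and not the FS.11 text; the Global Title prefix table, the HLR entry and the message log are constructed to follow the slide-10 timeline.

```python
"""Added example (not from the talk): screen inbound GSM-MAP operations and
correlate harvest-then-track bursts per target. Lookup tables, Global
Titles and the message log below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Simplified policy (assumption, not the FS.11 text): ATI and PSL are only
# meaningful from the home network; PSI is legitimate from a partner only
# while the target is actually registered in that partner's MSC/VLR;
# SRI-SM and friends are needed for routing but harvest IMSI/serving node.
HOME_ONLY_OPS = {"ATI", "PSL"}
ROAMING_BOUND_OPS = {"PSI"}
HARVEST_OPS = {"SRI-SM", "SRI", "SRI-LCS"}
TRACK_OPS = {"ATI", "PSI", "PSL"}

# Constructed Global Title prefix -> network table (not real routing data).
GT_PREFIXES = {
    "441481": "Sure Guernsey", "441534": "Jersey Airtel", "447": "UK operator",
    "237": "Cameroon operator", "972": "Israel operator", "856": "Laos operator",
}
# Constructed HLR view: target MSISDN -> GT of the MSC/VLR it is registered in
# (here the target is roaming in the UK operator's network).
HLR_SERVING = {"353871234567": "447700900050"}

@dataclass
class MapMsg:
    ts: datetime
    op: str         # GSM-MAP operation name as seen in the TCAP invoke
    origin_gt: str  # SCCP calling-party Global Title (E.164 digits)
    target: str     # MSISDN (or IMSI) the operation refers to

def gt_network(gt, gt_prefixes=GT_PREFIXES):
    """Longest-prefix match of a Global Title against the network table."""
    best = max((p for p in gt_prefixes if gt.startswith(p)), key=len, default="")
    return gt_prefixes.get(best, "unknown")

def screen(msg, gt_prefixes=GT_PREFIXES, hlr_serving=HLR_SERVING):
    """Per-message decision: 'allow', 'block' or 'review' (log and keep)."""
    sender = gt_network(msg.origin_gt, gt_prefixes)
    if msg.op in HOME_ONLY_OPS:
        return "block"
    if msg.op in ROAMING_BOUND_OPS:
        serving = hlr_serving.get(msg.target, "")
        # PSI cannot be judged on opcode alone: compare the sender's network
        # with the network of the MSC/VLR the HLR says is serving the target.
        if serving and gt_network(serving, gt_prefixes) == sender:
            return "allow"
        return "block"
    if msg.op in HARVEST_OPS:
        return "review"
    return "allow"

def find_bursts(msgs, gt_prefixes=GT_PREFIXES, window=timedelta(minutes=5),
                min_networks=3):
    """Per-target correlation: harvesting followed by a tracking attempt from
    several distinct networks inside one window (the slide-10 pattern)."""
    by_target = defaultdict(list)
    for m in sorted(msgs, key=lambda m: m.ts):
        by_target[m.target].append(m)
    alerts = {}
    for target, seq in by_target.items():
        for i, first in enumerate(seq):
            if first.op not in HARVEST_OPS:
                continue
            run = [m for m in seq[i:] if m.ts - first.ts <= window]
            nets = {gt_network(m.origin_gt, gt_prefixes) for m in run}
            if any(m.op in TRACK_OPS for m in run) and len(nets) >= min_networks:
                alerts[target] = {"networks": sorted(nets),
                                  "ops": [m.op for m in run]}
                break
    return alerts

def t(hhmmss):
    return datetime(2020, 11, 1, *map(int, hhmmss.split(":")))

# Constructed log following the timeline of slide 10 (one target MSISDN).
SAMPLE = [
    MapMsg(t("09:01:29"), "SRI-SM", "441481900001", "353871234567"),
    MapMsg(t("09:01:29"), "SRI-SM", "441534900001", "353871234567"),
    MapMsg(t("09:02:10"), "SRI", "441534900001", "353871234567"),
    MapMsg(t("09:02:11"), "SRI-LCS", "441534900001", "353871234567"),
    MapMsg(t("09:03:05"), "SRI-SM", "447700900001", "353871234567"),
    MapMsg(t("09:03:40"), "SRI-SM", "237690000001", "353871234567"),
    MapMsg(t("09:04:02"), "ATI", "441534900001", "353871234567"),
    MapMsg(t("09:04:20"), "ATI", "237690000001", "353871234567"),
    MapMsg(t("09:04:35"), "ATI", "972500000001", "353871234567"),
    MapMsg(t("09:04:50"), "ATI", "856200000001", "353871234567"),
    # PSI from a Jersey Airtel GT: target is not registered there -> block
    MapMsg(t("09:05:10"), "PSI", "441534900001", "353871234567"),
    # PSI from the UK operator that really serves the target -> allow
    MapMsg(t("10:00:00"), "PSI", "447700900051", "353871234567"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.ts.time(), m.op, gt_network(m.origin_gt), "->", screen(m))
    print(find_bursts(SAMPLE))
```

The two checks are deliberately separate: the per-message screen is what a signalling firewall applies inline, while the burst correlation runs over logged traffic and is what turns a set of individually allowed or merely suspicious SRI-SMs into an attribution, which is the point slide 5 makes about irregular versus malicious.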
- 11. Target?
• Later learnt that the targeted mobile number was at (one stage) apparently associated with this person: Hervé Jaubert
  – French former navy officer, marine engineer, spy
• Working theory is this burst was designed to try to determine if the number existed, and obtain the location of the number
https://www.thebureauinvestigates.com/stories/2020-12-16/spy-companies-using-channel-islands-to-track-phones-around-the-world
- 12. How Location Tracking is done via Diameter: Example
[Diagram: Surveillance Company → Target’s Network (HSS, MME) → Target]
Method 1: Direct (Location Tracking)
  1) UDR (MSISDN) → HSS
  2) UDA (Cell-ID) ← HSS
Method 2: Indirect
  Information Harvesting (over SS7):
  1) SRI-SM (MSISDN) → HSS : SS7
  2) SRI-SM-Resp (IMSI, MME) ← HSS : SS7
  Location Tracking (over Diameter):
  3) IDR (IMSI, MME) → MME
  4) IDA (Cell-ID) ← MME
- 13. Diameter Location Tracking Commands ‘Toolbox’ – Attacker Pros and Cons
Diameter Command | Pre-requisite(s) | Pros | Cons
INSERT-SUBSCRIBER-DATA-REQUEST (IDR) | IMSI, Serving MME | Difficult for operators to block | Requires possession of serving MME and normally IMSI
USER-DATA-REQUEST (UDR) | MSISDN or IMSI | Can track using MSISDN | Can be blocked by legacy equipment
PROVIDE-LOCATION-REQUEST (PLR) | MSISDN or IMSI or IMEI, Serving MME | Gets most precise location; can track using MSISDN or IMEI | Can be blocked by legacy equipment. Requires possession of serving MME. May not be supported by target network
- 14. Complexity v Possibility to be Blocked : SS7 and Diameter
[Chart: same axes as slide 9 (“Possibility to be Blocked”, Greater →; “Amount of pre-requisite info needed by Attacker”, More ↑); SS7 points: ATI, PSI, PSL; Diameter points: UDR, IDR, PLR]
- 15. Sample Real Life Attempted Attack - Diameter
[Screenshot of the IDR decode: MNC3.MCC234 = Jersey Airtel; MCC Geographic Region 5]
• IDR from Jersey Airtel (Channel Islands), Nov 2020
• Targeted subscriber in their home network in Asia-Pacific
• IDR-Flags set to retrieve location (along with other details)
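What an MME-side check for the slide-12 and slide-15 pattern looks like on the wire, as an added example that is not code from the talk or from AdaptiveMobile: a minimal Diameter AVP encoder/decoder, extraction of the IDR-Flags AVP (3GPP TS 29.272, AVP code 1490, vendor 10415) to see whether the request asks for location, and a comparison of the sender's Origin-Realm PLMN with the home PLMN of the IMSI in User-Name, since only the subscriber's home HSS has any business inserting subscriber data. The realm digits for Jersey Airtel (MCC 234, MNC 3) come from slide 15; the IMSI, the home realm and the AVP bodies are constructed, and the two-digit MNC length for the constructed IMSI is an assumption.

```python
"""Added example (not from the talk): decode the AVPs of an S6a
Insert-Subscriber-Data-Request, read its IDR-Flags, and check that the
sending realm is the home PLMN of the IMSI it names. The IMSI, home realm
and AVP bodies are constructed; only the Jersey Airtel realm digits
(MCC 234, MNC 3) come from slide 15."""
import re
import struct

AVP_USER_NAME = 1       # RFC 6733: User-Name carries the IMSI on S6a
AVP_ORIGIN_REALM = 296  # RFC 6733
AVP_IDR_FLAGS = 1490    # 3GPP TS 29.272, vendor-specific (3GPP)
VENDOR_3GPP = 10415
# IDR-Flags bits (TS 29.272): bit 3 EPS-Location-Information-Request,
# bit 4 Current-Location-Request (makes the MME page the UE for a fresh fix).
EPS_LOCATION_INFO = 1 << 3
CURRENT_LOCATION = 1 << 4

def encode_avp(code, data, vendor=None, mandatory=True):
    """Encode one Diameter AVP: header, optional Vendor-Id, 4-byte padded data."""
    flags = (0x80 if vendor is not None else 0) | (0x40 if mandatory else 0)
    length = (12 if vendor is not None else 8) + len(data)
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * (-len(data) % 4)

def decode_avps(buf):
    """Yield (code, vendor, data) for each AVP in a message body."""
    off = 0
    while off + 8 <= len(buf):
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if length < 8 or off + length > len(buf):
            raise ValueError("malformed AVP length")
        hdr = 12 if flags & 0x80 else 8
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else None
        yield code, vendor, buf[off + hdr:off + length]
        off += length + (-length % 4)

def find_avp(body, code, vendor=None):
    for c, v, data in decode_avps(body):
        if c == code and v == vendor:
            return data
    return None

REALM_RE = re.compile(r"epc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")

def plmn_of_realm(realm):
    """'epc.mnc003.mcc234.3gppnetwork.org' -> ('234', '003'), else None."""
    m = REALM_RE.search(realm)
    return (m.group(2), m.group(1)) if m else None

def plmn_of_imsi(imsi, mnc_digits):
    """Home PLMN of an IMSI; the MNC length (2 or 3) depends on the country."""
    return (imsi[:3], imsi[3:3 + mnc_digits].zfill(3))

def screen_idr(body, mnc_digits=2):
    """Decision for an IDR that reached an MME over the interconnect."""
    realm = find_avp(body, AVP_ORIGIN_REALM)
    imsi = find_avp(body, AVP_USER_NAME)
    sender = plmn_of_realm(realm.decode("ascii")) if realm else None
    if sender is None or imsi is None:
        return "block", "missing or non-PLMN Origin-Realm / User-Name"
    imsi = imsi.decode("ascii")
    flags_data = find_avp(body, AVP_IDR_FLAGS, VENDOR_3GPP)
    flags = struct.unpack("!I", flags_data)[0] if flags_data else 0
    wants_location = bool(flags & (EPS_LOCATION_INFO | CURRENT_LOCATION))
    if sender != plmn_of_imsi(imsi, mnc_digits):
        # Only the subscriber's home HSS may push subscriber data; a foreign
        # realm asking for location is exactly the slide-15 pattern.
        what = "location" if wants_location else "subscriber data"
        return "block", f"foreign realm {sender[0]}/{sender[1]} asks for {what} of IMSI {imsi}"
    return "allow", f"IDR from home PLMN (location requested: {wants_location})"

def build_idr(origin_realm, imsi, flags):
    """Constructed IDR body carrying just the AVPs this check needs."""
    return (encode_avp(AVP_ORIGIN_REALM, origin_realm.encode())
            + encode_avp(AVP_USER_NAME, imsi.encode())
            + encode_avp(AVP_IDR_FLAGS, struct.pack("!I", flags), VENDOR_3GPP))

JERSEY_REALM = "epc.mnc003.mcc234.3gppnetwork.org"  # slide 15: MNC 3, MCC 234
HOME_REALM = "epc.mnc001.mcc505.3gppnetwork.org"    # constructed home HSS realm
SAMPLE_IMSI = "505010000000001"                     # constructed, MCC 505 / MNC 01

if __name__ == "__main__":
    attack = build_idr(JERSEY_REALM, SAMPLE_IMSI, EPS_LOCATION_INFO | CURRENT_LOCATION)
    print(screen_idr(attack))
    print(screen_idr(build_idr(HOME_REALM, SAMPLE_IMSI, 0)))
```

In a real deployment the realm comparison would sit in a Diameter edge agent or signalling firewall with the MNC length taken from a PLMN table rather than a parameter; the IDR-Flags decode is what distinguishes a routine subscriber-data update from the location retrieval slide 15 shows.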
- 16. Surveillance Companies see mobile technology as a tool, not as a path
[Diagram: Surveillance Company → Target over time, with a protective ‘Wall’ at the operator; attack paths shown: 3G (SS7) attack, 4G (Diameter) attack, Simjacker attacks, variant, 5G attack, Future?]
- 17. Simjacker
• Uses a vulnerability in a SIM Card library called S@T Browser
  – S@T Browser did not validate or authorize the source SMS
  – Vulnerability exploited by text messages
  – S@T Browser allowed access to a subset of STK (SIM Toolkit) commands on the device
• Library present on several hundred million SIM Cards
• Actively exploited in at least 3 countries in LATAM
• CVD shared within industry June 2019, publicly reported in Sep 2019, technical details released Oct 2019. CVD-2019-0026
  – Full details in 40+ page technical paper on www.simjacker.com
• Simjacker is the first recorded spyware sent within an SMS
  – + huge increase in complexity and capability
- 18. How Location Tracking is done via Simjacker SMS
[Diagram: Surveillance Company handset → SMSC → Target’s Network (MSC) → Target SIM, and back]
Method 1: Send from Handset, Extract to Handset
  1) MO-FSM (Target MSISDN, S@T CMDS): Surveillance Company → SMSC
     MT-FSM (Target MSISDN, S@T CMDS): SMSC → MSC → Target
  2) On the target: ENVELOPE (S@T CMDS) delivered to the SIM; STK PROVIDE LOCAL INFO returns the Cell-ID; STK SEND SMS (Cell-ID)
  3) MO-FSM (Exfil MSISDN, Cell-ID): Target → SMSC
     MT-FSM (Exfil MSISDN, Cell-ID): SMSC → Surveillance Company
Simplified view; for more public information see www.simjacker.com
- 19. Simjacker Location Tracking Commands ‘Toolbox’ – Attacker Pros and Cons
Command | Pre-requisite(s) | Pros | Cons
FORWARD-SHORT-MESSAGE (MO-FSM/MT-FSM) with S@T Browser payload | MSISDN | No SS7 access required, can track using MSISDN | Requires operator to have deployed S@T Browser with MSL=0 on their SIM Cards
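Where the MSL=0 pre-requisite of slide 19 shows up in the SMS itself, as an added example that is not code from the talk or from AdaptiveMobile: a parser for the secured command packet header (3GPP TS 23.048 / ETSI TS 102 225) that a (U)SIM data download SMS carries to the SIM, and an SMSC-side classifier that blocks packets whose SPI asks for no RC/CC/DS, which is the only kind an S@T Browser at Minimum Security Level 0 needs. It assumes the packet arrives as the TP-User-Data of an SMS with TP-PID 0x7F and a class-2 8-bit DCS and is not preceded by a UDH; the TAR value and the two-byte "secured data" are constructed placeholders, not the real S@T Browser TAR or payload.

```python
"""Added example (not from the talk): parse the secured command packet header
(3GPP TS 23.048 / ETSI TS 102 225) carried in a (U)SIM data download SMS and
flag packets that carry no cryptographic check, which is what an S@T Browser
deployed with MSL=0 would accept. The TAR value and the secured data below
are constructed placeholders, not a real S@T Browser payload."""
from dataclasses import dataclass

PID_SIM_DATA_DOWNLOAD = 0x7F      # TP-PID: (U)SIM data download (TS 23.040)
DCS_SIM_SPECIFIC = {0xF6, 0x16}   # 8-bit data, message class 2 (TS 23.038)

@dataclass
class CommandPacket:
    spi: int            # Security Parameter Indicator, two bytes
    kic: int            # Key and algorithm identifier for ciphering
    kid: int            # Key and algorithm identifier for RC/CC/DS
    tar: bytes          # Toolkit Application Reference (3 bytes)
    counter: bytes      # CNTR, 5 bytes
    auth: bytes         # RC/CC/DS field, empty when SPI asks for none
    secured_data: bytes

    @property
    def check_kind(self):
        """SPI first byte, bits b2b1: 00 none, 01 RC, 10 CC, 11 DS."""
        return ("none", "RC", "CC", "DS")[(self.spi >> 8) & 0x03]

    @property
    def ciphered(self):
        return bool((self.spi >> 8) & 0x04)   # SPI first byte, bit b3

def build_command_packet(spi, tar, secured_data, auth=b"", kic=0, kid=0,
                         counter=bytes(5)):
    """Assemble CPL | CHL | SPI | KIc | KID | TAR | CNTR | PCNTR | RC/CC/DS | data."""
    header = spi.to_bytes(2, "big") + bytes([kic, kid]) + tar + counter + b"\x00" + auth
    body = bytes([len(header)]) + header + secured_data
    return len(body).to_bytes(2, "big") + body

def parse_command_packet(user_data):
    """Inverse of build_command_packet; assumes no UDH precedes the packet."""
    cpl = int.from_bytes(user_data[0:2], "big")      # Command Packet Length
    body = user_data[2:2 + cpl]
    if len(body) != cpl or cpl < 14:
        raise ValueError("truncated command packet")
    chl = body[0]                                     # Command Header Length
    hdr = body[1:1 + chl]
    if chl < 13 or len(hdr) != chl:
        raise ValueError("bad command header length")
    # hdr[12] is PCNTR (padding counter); anything after it is RC/CC/DS.
    return CommandPacket(spi=int.from_bytes(hdr[0:2], "big"), kic=hdr[2],
                         kid=hdr[3], tar=hdr[4:7], counter=hdr[7:12],
                         auth=hdr[13:], secured_data=body[1 + chl:])

def classify_sms(pid, dcs, user_data, known_tars=frozenset()):
    """Verdict for one SMS seen at the SMSC or on an SS7 SMS interface."""
    if pid != PID_SIM_DATA_DOWNLOAD or dcs not in DCS_SIM_SPECIFIC:
        return "pass", "not a (U)SIM data download"
    try:
        pkt = parse_command_packet(user_data)
    except ValueError as err:
        return "review", f"SIM data download with unparsable packet: {err}"
    if pkt.check_kind == "none":
        return "block", f"OTA command to TAR {pkt.tar.hex()} with no RC/CC/DS (MSL 0)"
    if pkt.tar not in known_tars:
        return "review", f"{pkt.check_kind}-protected OTA to unknown TAR {pkt.tar.hex()}"
    return "pass", f"{pkt.check_kind}-protected OTA to known TAR {pkt.tar.hex()}"

# Constructed samples: TAR 00 00 01 and a two-byte data placeholder stand in
# for the S@T Browser TAR and its proactive command payload.
UNSECURED = build_command_packet(0x0000, b"\x00\x00\x01", b"\xd0\x07")
CC_PROTECTED = build_command_packet(0x0200, b"\x00\x00\x01", b"\xd0\x07", auth=bytes(8))

if __name__ == "__main__":
    print(classify_sms(0x7F, 0xF6, UNSECURED))
    print(classify_sms(0x7F, 0xF6, CC_PROTECTED, {b"\x00\x00\x01"}))
```

The SMSC (or an SMS home-routing function) is the right place for this check because, as slide 21 notes, the exfiltration leg can be steered to a foreign Global Title and never be seen by the home operator; the inbound command leg, however, must traverse the home network to reach the SIM.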
- 20. Complexity v Possibility to be Blocked : SS7, Diameter, Simjacker
[Chart: same axes as slide 9 (“Possibility to be Blocked”, Greater →; “Amount of pre-requisite info needed by Attacker”, More ↑); SS7 points: ATI, PSI, PSL; Diameter points: UDR, IDR, PLR; Simjacker* (* = requires S@T Browser on target SIM)]
- 21. Sample Real Life Attempted Attack - Simjacker
• Vast majority (~95%) of Simjacker attacks are sent from a handset, to extract info via SMS to another handset.
• But about 0.05% of Simjacker attacks extract info directly via an SS7 address (Global Title)
  – This way, the extracted information is not seen in the home operator
  – Same GT as the SS7 attack earlier
[Screenshot annotations: SMS sent to a Mexican mobile (+52); sent from a Mexican mobile (+52); contains S@T Browser payload requesting location; location will be sent by SMS to an address registered in Sure Guernsey]
- 22. Distribution of Location Tracking Commands
Data from H2 2019 + H1 2020 – specific operators
• Attacks via SS7: 63.40%
• Attacks via Simjacker: 36.60%
  – According to our intelligence only one surveillance company uses Simjacker
  – But overall stats are skewed by specific operators being very heavily targeted by Simjacker
  – Better now than in the past: prior to the public announcement of Simjacker the ratio in affected operators was many times higher
• Attacks via Diameter: less than 0.01%
  – However, in the last 6 months there has been a large escalation of Diameter attacks used by surveillance companies (not shown)
Working theory: different end-users
- 23. Trends per Country – tracking rates per 100,000
[Chart series: Observed Simjacker Location Tracking Activity; Projected Simjacker Location Tracking Activity (if no discovery); SS7 Location Tracking Activity]
Conclusion: SS7 is not normally used for bulk subscriber tracking (by surveillance companies). But Simjacker is (was).
- 24. Trends of SS7 Location Tracking Commands Over Time
[Chart series: PROVIDE-SUBSCRIBER-INFO (PSI); PROVIDE-SUBSCRIBER-LOCATION (PSL); ANY-TIME-INTERROGATION (ATI); ANY-TIME-INTERROGATION (ATI) - Global Opcode; PROVIDE-SUBSCRIBER-INFO (PSI) - Global Opcode]
For more public information on Global Opcode see: Hidden Agendas: bypassing GSMA recommendations on SS7 networks. HITB AMS SecConf May 2019, Positive Technologies
- 25. How do these Surveillance Companies gain access?
Multiple methods, most common:
1. Pay for Link:
  – Commercial agreements via front companies, who then negotiate access to other companies reselling access to mobile operators. Can be many layers. Works best in areas with poor regulation/oversight
2. Use Big Brother:
  – Governments buy a surveillance solution, mandate the system to be installed in a ‘captive’ operator, or add it directly onto the link (bypassing the operator)
3. Find old link:
  – Old/legacy connections - rare. Defunct companies whose access is not completely removed. Less of an issue in Diameter than SS7
4. Others
Pricing is not opaque: access is normally between €0.02 and €0.10 per MSU
• The more SS7/Diameter access a surveillance company has, the more valuable it is
• Leads to some strange business cases when re-selling…
[Screenshot: pricing of SS7 tracking on the darkweb; cost per tracking request goes up the more you track!]
- 26. 5G and Mobile Surveillance Companies
• 5G Networks will be targeted for use by Mobile Surveillance companies
  – Newer does not always equal better
• 5G Networks
  – solve many security issues (esp. radio ones),
  – make improvements on some core network security issues
  – but: introduce new risks (internet technologies, slicing, additional complexity, mixed networks)
• GSMA and other organisations are helping to define security from the start for 5G core networks
• Note: difference between IT and Mobile Network security – attacks normally come from known, ‘legitimate’ entities
More public information on 5G interconnect security, and GSMA 5G work:
How to Build a Secure 5G Network, and Protect Alice and Bob from each other. GSMA Fraud and Security Working Group.
https://www.gsma.com/aboutus/workinggroups/how-to-build-a-secure-5g-network-and-protect-alice-and-bob-from-each-other
- 27. 5G Location Tracking Commands ‘Toolbox’ – Attacker Pros and Cons
5G HTTP/2 (SBI) Command | Pre-requisite(s) | Pros | Cons
Nlmf_Location/DetermineLocation (Nlmf_DL) | PEI or SUPI or GPSI, AMF Instance ID | Can track by using GPSI (MSISDN). Precise | Can be blocked if not part of roaming agreement. AMF instance ID optional but probably required
Namf_Location/ProvidePositioningInfo (Namf_PPI) | SUPI or GPSI | Can track by using MSISDN | Can be blocked if not part of roaming agreement
Namf_Location/ProvideLocationInfo (Namf_PLI) | SUPI | Needs to be permitted on intercarrier network | Needs SUPI to be successful
Ngmlc_Location/ProvideLocation (Ngmlc_PL) | SUPI or GPSI | Can track by using GPSI (MSISDN). Precise. Can be intercarrier | Inter-GMLC interface not very common
+ multiple new ways to get location in 5G as well: Events, Subscriptions, others
- 28. Complexity v Possibility to be Blocked : SS7, Diameter, Simjacker & 5G
[Chart: same axes as slide 9 (“Possibility to be Blocked”, Greater →; “Amount of pre-requisite info needed”, More ↑); SS7: ATI, PSI, PSL; Diameter: UDR, IDR, PLR; Simjacker* (* = requires S@T Browser on target SIM); 5G (HTTP/2): Namf_PLI, Nlmf_DL, Namf_PPI, Ngmlc_PL]
- 29. Conclusion
• Surveillance companies exploit mobile signalling networks today. They adjust techniques based on defences and end-users (e.g. Simjacker)
• 5G networks are not invulnerable; they will also be used by surveillance companies.
• Mobile Operators can - and many do - detect and block attacks. The key to making this successful is Intelligence.
• Why watch the watchers? What you cannot see, you cannot stop