© Copyright 2020. All rights Reserved.
Watching the Watchers
Cathal Mc Daid
@mcdaidc #rc3
Surveillance Companies are in the News (again)

Why are we here
• 2G/3G Core Network uses Signalling System 7 (SS7)
• Main security problem:
  – Assumes trust between mobile phone operators worldwide
• 4G Core Network uses the Diameter Protocol
  – Same security problem exists!
“Age is just a number”. The issue is the underlying trust model.
• SS7 (GSM-MAP) – early 90s, Diameter – early 2010s

3 Types of Exploiters of Mobile Signalling Networks
1) Surveillance Companies
2) Governments
3) Criminals
• Considerable overlap between sources used by Surveillance Companies and Governments
• Criminal activity is the smallest activity; some overlap between sources used by these and Surveillance Companies
• Surveillance companies have large resources ($$)

How do we know what is Malicious?
From 2014, industry has been recommending ways for Mobile Operators to protect subscribers/networks.
Led by the GSM Association (GSMA), key outputs:
• 2G/3G: GSMA FS.11 Document
• 4G: GSMA FS.19 Document
+ Other documents for 5G and GTP
Mobile Operators take this as a starting point to find irregular or suspicious signalling traffic to block =>
• but this does not mean this irregular traffic is malicious
• The vast majority of this is “noise”: misconfigured nodes, local-specific configs
Malicious traffic is a very small percentage of irregular/suspicious
• It takes a LOT of analysis and experience to attribute maliciousness
• Easy to make mistakes (see some recent headlines)
[Pie chart, all SS7 traffic: 1.37% irregular/suspicious; 0.04% malicious]

What do Mobile Surveillance Companies do
Surveillance! The vast majority of confirmed malicious activity is Location Tracking related.
On average, for surveillance companies:
– SS7 Activity
  • 61.89% of malicious SS7 activity is used to obtain information (normally to help Location Tracking)
  • 30.90% of malicious SS7 activity is directly used to track location of subscribers (people/things)
  • 5.13% is SS7 testing, specific attacks, uncategorised other activity
  • 2.07% is SS7 interception of calls/text messages/data etc
– Diameter activity: very small in past, large increase recently
– SMS: One surveillance company is also very active via SMS

How Location Tracking is done via SS7 : Example
Simplified view; for more public information see #31C3, Karsten Nohl, Tobias Engel.
Method 1: Direct (Location Tracking)
  1) Surveillance Company -> HLR (victim’s network): ATI (MSISDN)
  2) HLR -> Surveillance Company: ATI-Resp (Cell-ID)
Method 2: Indirect
  Information Harvesting:
  1) Surveillance Company -> HLR (victim’s network): SRI-SM (MSISDN)
  2) HLR -> Surveillance Company: SRI-SM-Resp (IMSI, serving MSC)
  Location Tracking:
  3) Surveillance Company -> serving MSC (victim’s network): PSI (IMSI)
  4) MSC -> Surveillance Company: PSI-Resp (Cell-ID)

SS7 Location Tracking Command ‘Toolbox’ – Attacker Pros and Cons
(GSM-MAP Command / Pre-requisite(s) / Pros / Cons)
• ANY-TIME-INTERROGATION (ATI)
  – Pre-requisite(s): MSISDN (or IMSI)
  – Pros: No other info needed
  – Cons: Can often be blocked by operator legacy equipment
• PROVIDE-SUBSCRIBER-INFO (PSI)
  – Pre-requisite(s): IMSI, Serving MSC
  – Pros: Difficult for Operators to block
  – Cons: Requires possession of IMSI and Serving MSC
• PROVIDE-SUBSCRIBER-LOCATION (PSL)
  – Pre-requisite(s): MSISDN (or IMSI), Serving MSC
  – Pros: Gets most precise location
  – Cons: Can normally be blocked by legacy equipment. Requires possession of serving MSC. May not be supported by target network

Complexity/Info Needed v Possibility to be Blocked : SS7
[Chart: x-axis = possibility of attacker being blocked (greater), y-axis = amount of pre-requisite info needed by attacker (more); ATI, PSL and PSI plotted from better/easier for attacker to worse/harder for attacker]

Sample Real Life Attempted Attack – SS7
1. 09:01:29 = Initial SRI-SM from 2 operators (Sure Guernsey, Jersey Airtel) in the UK Channel Islands
2. 09:02 = SRI, SRI-LCS
3. 09:03 -> 09:04 = SRI-SM from UK + Cameroon
4. 09:04 -> 09:05 = 4 ATIs from Jersey Airtel, Cameroon, Israel, Laos
• All within a 5 minute period
[Timeline: steps 1 to 3 = Information Harvesting; step 4 = Location Tracking]

Target?
• Later learnt that the targeted mobile number was at (one stage) apparently associated with this person: Hervé Jaubert
  – French former navy officer, marine engineer, spy
• Working theory is this burst was designed to try to determine if the number existed, and obtain the location of the number
https://www.thebureauinvestigates.com/stories/2020-12-16/spy-companies-using-channel-islands-to-track-phones-around-the-world
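The burst above is the “harvest, then track” pattern of the two SS7 methods: SRI-SM (and SRI/SRI-LCS) from several foreign Global Titles to learn the IMSI and serving MSC, then ATIs to get a Cell-ID. The detector below is an added example, not AdaptiveMobile code or anything from the talk; it correlates interconnect MAP records per target inside a sliding window and only fires when harvest operations from at least two distinct origin networks are followed by a location operation. All records, MSISDNs and network names are constructed to mirror the slide’s timeline.

```python
"""Correlate interconnect GSM-MAP records into "harvest, then track" bursts.

Added example, not code from the talk: the records below are constructed
to mimic the 5-minute burst on the "Sample Real Life Attempted Attack"
slide (SRI-SM from several foreign networks, then SRI/SRI-LCS, then ATIs)
plus one benign SRI-SM so the detector has something to ignore.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Operations whose response mainly yields identifiers (IMSI, serving node).
INFO_HARVEST_OPS = {"SRI-SM", "SRI", "SRI-LCS", "SEND-IMSI"}
# Operations whose response carries (or directly leads to) a Cell-ID.
LOCATION_OPS = {"ATI", "PSI", "PSL"}


@dataclass(frozen=True)
class MapRecord:
    ts: datetime
    opcode: str
    origin_network: str   # operator owning the calling-party Global Title
    target: str           # MSISDN or IMSI the request concerns


def find_tracking_bursts(records, window=timedelta(minutes=5), min_networks=2):
    """Return one finding per target whose traffic contains, inside `window`,
    harvest operations from at least `min_networks` distinct origin networks
    followed by at least one location operation."""
    by_target = defaultdict(list)
    for r in records:
        by_target[r.target].append(r)

    findings = []
    for target, recs in sorted(by_target.items()):
        recs.sort(key=lambda r: r.ts)
        for start, first in enumerate(recs):
            span = [x for x in recs[start:] if x.ts - first.ts <= window]
            harvest = [x for x in span if x.opcode in INFO_HARVEST_OPS]
            track = [x for x in span if x.opcode in LOCATION_OPS]
            if not harvest or not track:
                continue
            networks = {x.origin_network for x in harvest}
            # Harvest must precede tracking: the IMSI/serving node learnt in
            # step 1 is what makes the later PSI (or a well-aimed ATI) work.
            if len(networks) >= min_networks and harvest[0].ts <= track[0].ts:
                findings.append({
                    "target": target,
                    "first": span[0].ts,
                    "last": span[-1].ts,
                    "harvest_networks": sorted(networks),
                    "tracking": [(x.opcode, x.origin_network) for x in track],
                })
                break   # one finding per target is enough for an analyst
    return findings


def _t(hhmmss):
    # Constructed date; only the time of day matters for the example.
    return datetime(2020, 11, 1, *map(int, hhmmss.split(":")))


# Constructed records; the MSISDNs are placeholders, not real numbers.
TARGET = "447700900123"
SAMPLE_RECORDS = [
    MapRecord(_t("09:01:29"), "SRI-SM", "Sure Guernsey", TARGET),
    MapRecord(_t("09:01:29"), "SRI-SM", "Jersey Airtel", TARGET),
    MapRecord(_t("09:02:00"), "SRI", "Jersey Airtel", TARGET),
    MapRecord(_t("09:02:10"), "SRI-LCS", "Jersey Airtel", TARGET),
    MapRecord(_t("09:03:20"), "SRI-SM", "UK operator", TARGET),
    MapRecord(_t("09:03:50"), "SRI-SM", "Cameroon", TARGET),
    MapRecord(_t("09:04:10"), "ATI", "Jersey Airtel", TARGET),
    MapRecord(_t("09:04:30"), "ATI", "Cameroon", TARGET),
    MapRecord(_t("09:04:45"), "ATI", "Israel", TARGET),
    MapRecord(_t("09:04:55"), "ATI", "Laos", TARGET),
    # Benign: a foreign SMSC resolving a different subscriber to deliver an
    # ordinary MT SMS; no location operation ever follows.
    MapRecord(_t("09:02:40"), "SRI-SM", "Foreign SMSC", "447700900456"),
]

if __name__ == "__main__":
    for f in find_tracking_bursts(SAMPLE_RECORDS):
        print(f"{f['target']}: harvest from {f['harvest_networks']} "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}, then {f['tracking']}")
```

Two cautions the slides themselves make: a hit here is still only “irregular”, and an analyst has to attribute it before calling it malicious; and the SRI-SM leg leaks the IMSI and serving MSC only if the network answers foreign SRI-SMs with real values, which is why SMS Home Routing (answering with a correlation identifier rather than the subscriber’s IMSI) is the usual countermeasure to the harvesting step.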

How Location Tracking is done via Diameter: Example
Method 1: Direct (Location Tracking)
  1) Surveillance Company -> HSS (target’s network): UDR (MSISDN)
  2) HSS -> Surveillance Company: UDA (Cell-ID)
Method 2: Indirect
  Information Harvesting (over SS7):
  1) Surveillance Company -> HSS (target’s network): SRI-SM (MSISDN)
  2) HSS -> Surveillance Company: SRI-SM-Resp (IMSI, serving MME)
  Location Tracking (over Diameter):
  3) Surveillance Company -> serving MME (target’s network): IDR (IMSI)
  4) MME -> Surveillance Company: IDA (Cell-ID)

Diameter Location Tracking Commands ‘Toolbox’ – Attacker Pros and Cons
(Diameter Command / Pre-requisite(s) / Pros / Cons)
• INSERT-SUBSCRIBER-DATA-REQUEST (IDR)
  – Pre-requisite(s): IMSI, Serving MME
  – Pros: Difficult for Operators to block
  – Cons: Requires possession of serving MME and normally IMSI
• USER-DATA-REQUEST (UDR)
  – Pre-requisite(s): MSISDN or IMSI
  – Pros: Can track using MSISDN
  – Cons: Can be blocked by legacy equipment
• PROVIDE-LOCATION-REQUEST (PLR)
  – Pre-requisite(s): MSISDN or IMSI or IMEI, Serving MME
  – Pros: Gets most precise location, can track using MSISDN or IMEI
  – Cons: Can be blocked by legacy equipment. Requires possession of serving MME. May not be supported by target network

Complexity v Possibility to be Blocked : SS7 and Diameter
[Chart: x-axis = possibility to be blocked (greater), y-axis = amount of pre-requisite info needed by attacker (more); Diameter: IDR, UDR, PLR; SS7: PSI, PSL, ATI]

Sample Real Life Attempted Attack - Diameter
• IDR from Jersey Airtel (Channel Islands), Nov 2020; origin MNC3.MCC234 = Jersey Airtel
• Targeted Subscriber in their home network in Asia-Pacific (MCC geographic region 5)
• IDR Flags set to retrieve location (along with other details)
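What “IDR Flags set to retrieve location” means on the wire: the IDR-Flags AVP of an S6a Insert-Subscriber-Data-Request has bits for EPS-Location-Information-Request and Current-Location-Request, and an MME that honours them reports the UE’s cell (paging it if Current-Location-Request is set). The code below is an added example, not the talk’s or any vendor’s code: it encodes a minimal IDR per RFC 6733 and 3GPP TS 29.272, decodes it, and applies the check a Diameter Edge Agent in the target’s network could make, namely whether the Origin-Realm is the EPC realm of the IMSI’s home PLMN (TS 23.003 format) and whether the flags ask for location. The IMSI (test MCC 999), hostnames and identifiers are constructed placeholders; the foreign realm is written in the MCC/MNC form of the slide’s sender.

```python
"""Decode an S6a Insert-Subscriber-Data-Request (IDR) and judge, as a
Diameter Edge Agent would, whether its IDR-Flags ask for location and whether
the Origin-Realm is one that may legitimately send an IDR for this IMSI.

Added example, not code from the talk. Diameter framing follows RFC 6733,
the IDR-Flags bit layout 3GPP TS 29.272 and the realm format TS 23.003; the
IMSI, hostnames and identifiers are constructed placeholders.
"""
import struct

S6A_APPLICATION_ID = 16777251
CMD_INSERT_SUBSCRIBER_DATA = 319
VENDOR_3GPP = 10415

AVP_USER_NAME, AVP_SESSION_ID, AVP_ORIGIN_HOST = 1, 263, 264
AVP_DEST_REALM, AVP_ORIGIN_REALM = 283, 296
AVP_SUBSCRIPTION_DATA, AVP_IDR_FLAGS = 1400, 1490     # 3GPP vendor AVPs

# IDR-Flags bits (bit 0 = least significant), 3GPP TS 29.272 section 7.3.103.
IDR_FLAG_NAMES = {
    0: "UE-Reachability-Request",
    1: "T-ADS-Data-Request",
    2: "EPS-User-State-Request",
    3: "EPS-Location-Information-Request",
    4: "Current-Location-Request",
    5: "Local-Time-Zone-Request",
}
LOCATION_BITS = {3, 4}


def avp(code, data, vendor=None, mandatory=True):
    """Encode one AVP: code(4) flags(1) length(3) [vendor(4)] data + pad to 4."""
    flags = (0x80 if vendor is not None else 0) | (0x40 if mandatory else 0)
    vend = struct.pack("!I", vendor) if vendor is not None else b""
    length = 8 + len(vend) + len(data)
    return (struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
            + vend + data + b"\x00" * ((-len(data)) % 4))


def diameter_message(command, app_id, avps, request=True, hbh=1, e2e=1):
    """Prepend the 20-byte Diameter header (version 1) to the encoded AVPs."""
    body = b"".join(avps)
    flags = 0x80 if request else 0x00
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)


def parse_message(buf):
    """Return (command code, application id, {(vendor, code): data})."""
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(buf[1:4], "big")
    command = int.from_bytes(buf[5:8], "big")
    app_id = struct.unpack("!I", buf[8:12])[0]
    avps, pos = {}, 20
    while pos + 8 <= length:
        code = struct.unpack("!I", buf[pos:pos + 4])[0]
        flags = buf[pos + 4]
        alen = int.from_bytes(buf[pos + 5:pos + 8], "big")
        vendor = struct.unpack("!I", buf[pos + 8:pos + 12])[0] if flags & 0x80 else None
        hdr = 12 if vendor is not None else 8
        avps[(vendor, code)] = buf[pos + hdr:pos + alen]
        pos += alen + ((-alen) % 4)
    return command, app_id, avps


def home_realm_for_imsi(imsi, mnc_digits):
    """TS 23.003 EPC realm: epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org, MNC padded to 3."""
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_digits]
    return f"epc.mnc{int(mnc):03d}.mcc{mcc}.3gppnetwork.org"


def assess_idr(buf, mnc_digits=2):
    """Flag an IDR whose sender is not the HSS realm of the IMSI's home PLMN
    and whose IDR-Flags request location. `mnc_digits` is assumed known from
    the operator's MCC/MNC table (it cannot be read off the IMSI alone)."""
    command, app_id, avps = parse_message(buf)
    if command != CMD_INSERT_SUBSCRIBER_DATA or app_id != S6A_APPLICATION_ID:
        return None
    imsi = avps[(None, AVP_USER_NAME)].decode()
    origin_realm = avps[(None, AVP_ORIGIN_REALM)].decode()
    raw = avps.get((VENDOR_3GPP, AVP_IDR_FLAGS), b"\x00\x00\x00\x00")
    flags = struct.unpack("!I", raw)[0]
    requested = [name for bit, name in IDR_FLAG_NAMES.items() if flags >> bit & 1]
    wants_location = any(flags >> bit & 1 for bit in LOCATION_BITS)
    foreign = origin_realm != home_realm_for_imsi(imsi, mnc_digits)
    return {"imsi": imsi, "origin_realm": origin_realm, "idr_flags": flags,
            "requested": requested, "wants_location": wants_location,
            "suspicious": wants_location and foreign}


def build_idr(imsi, origin_host, origin_realm, dest_realm, idr_flags):
    """Build a minimal IDR as the serving MME would receive it (constructed)."""
    return diameter_message(CMD_INSERT_SUBSCRIBER_DATA, S6A_APPLICATION_ID, [
        avp(AVP_SESSION_ID, f"{origin_host};1;1".encode()),
        avp(AVP_ORIGIN_HOST, origin_host.encode()),
        avp(AVP_ORIGIN_REALM, origin_realm.encode()),
        avp(AVP_DEST_REALM, dest_realm.encode()),
        avp(AVP_USER_NAME, imsi.encode()),
        avp(AVP_SUBSCRIPTION_DATA, b"", vendor=VENDOR_3GPP),   # empty grouped AVP
        avp(AVP_IDR_FLAGS, struct.pack("!I", idr_flags), vendor=VENDOR_3GPP),
    ])


# Constructed subscriber: MCC 999 (test range), 2-digit MNC 01.
HOME_IMSI = "999010123456789"
HOME_REALM = "epc.mnc001.mcc999.3gppnetwork.org"
# Origin realm written in the MCC/MNC form of the slide's MNC3.MCC234 sender.
FOREIGN_REALM = "epc.mnc003.mcc234.3gppnetwork.org"
LOCATION_FLAGS = (1 << 3) | (1 << 4)

SUSPECT_IDR = build_idr(HOME_IMSI, "hss." + FOREIGN_REALM, FOREIGN_REALM, HOME_REALM, LOCATION_FLAGS)
BENIGN_IDR = build_idr(HOME_IMSI, "hss." + HOME_REALM, HOME_REALM, HOME_REALM, LOCATION_FLAGS)

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT_IDR), ("benign", BENIGN_IDR)):
        print(label, assess_idr(msg))
```

The realm comparison is only a first filter. Origin-Host and Origin-Realm are plain AVPs that an attacker who already holds the IMSI can set to the victim’s own home realm, which is why the slide rates IDR as difficult to block; an edge agent therefore also needs to check that the claimed realm is consistent with the peer or IPX connection the message actually arrived on.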

Surveillance Companies see mobile technology as a tool, not as a path
[Figure: Surveillance Company and Target over time; 3G (SS7) attack, 4G (Diameter) attack, 5G attack (future?) and variant Simjacker attacks, set against the operator’s protective ‘wall’]

Simjacker
• Uses a vulnerability in a SIM Card library – called S@T Browser
  – S@T Browser did not validate or authorize the source SMS
  – Vulnerability exploited by text messages
  – S@T Browser allowed access to a subset of STK (SIM Toolkit) commands on the device
• Library present on several hundred million SIM Cards
• Actively exploited in at least 3 countries in LATAM
• CVD shared within industry June 2019, publicly reported Sep 2019, tech details released Oct 2019. CVD-2019-0026
  – Full details in 40+ page technical paper on www.simjacker.com
• Simjacker is the first recorded spyware sent within a SMS
  – + huge increase in complexity and capability

How Location Tracking is done via Simjacker SMS
Simplified view; for more public information see www.simjacker.com
Method 1: Send from Handset, Extract to Handset (Location Tracking)
  1) Surveillance Company handset -> SMSC: MO-FSM (Target MSISDN, S@T CMDS); SMSC -> MSC -> Target: MT-FSM (Target MSISDN, S@T CMDS)
  2) On the target, handset -> SIM: ENVELOPE (S@T CMDS); SIM -> handset: STK PROVIDE LOCAL INFO; handset -> SIM: Cell-ID; SIM -> handset: STK SEND SMS (Cell-ID)
  3) Target -> MSC -> SMSC: MO-FSM (Exfil MSISDN, Cell-ID); SMSC -> Surveillance Company handset: MT-FSM (Exfil MSISDN, Cell-ID)

Simjacker Location Tracking Commands ‘Toolbox’ – Attacker Pros and Cons
(Command / Pre-requisite(s) / Pros / Cons)
• FORWARD-SHORT-MESSAGE (MO-FSM/MT-FSM) with S@T Browser payload
  – Pre-requisite(s): MSISDN
  – Pros: No SS7 access required, can track using MSISDN
  – Cons: Requires Operator to have deployed S@T Browser with MSL=0 on their SIM Cards

Complexity v Possibility to be Blocked : SS7, Diameter, Simjacker
[Chart: x-axis = possibility to be blocked (greater), y-axis = amount of pre-requisite info needed by attacker (more); Diameter: IDR, UDR, PLR; SS7: PSI, PSL, ATI; Simjacker* (* = requires S@T Browser on Target SIM)]

Sample Real Life Attempted Attack - Simjacker
• Vast Majority (~95%) of Simjacker attacks are sent from a Handset, to extract info via SMS to another Handset.
• But about 0.05% of Simjacker attacks extract info directly via a SS7 address (Global Title)
  – This way, the extracted information is not seen in the home operator
  – Same GT as SS7 attack earlier
[Annotated SMS capture: sent from a Mexican mobile (+52); SMS sent to a Mexican mobile (+52); contains S@T Browser payload requesting location; location will be sent by SMS to an address registered in Sure Guernsey]
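The Simjacker precondition on the toolbox slide, “S@T Browser deployed with MSL=0”, is a property of the SMS-PP OTA security header: every OTA command packet (ETSI TS 102 225) carries an SPI field stating which integrity check (RC/CC/DS) and ciphering the sender applied, and the SIM application’s Minimum Security Level says how much of that it insists on. With MSL=0 a packet with SPI=0x0000, i.e. no authentication at all, is accepted, which is what let a plain text message drive the S@T Browser. The code below is an added example, not code from the talk or from simjacker.com: it strips the UDH that marks an SMS as an OTA command packet (IEI 0x70, 3GPP TS 23.040), parses the command-packet header, decodes the SPI security bits, applies the MSL comparison as an assumed bitwise rule, and gives the verdict an SMS firewall could apply. The TAR and payload bytes are constructed placeholders, not the S@T Browser’s values.

```python
"""Inspect an SMS-PP OTA command packet the way an SMS firewall or an SMSC
policy hook could, to see which security (RC/CC/DS, ciphering) the sender
applied and whether a SIM whose application is provisioned with a given
Minimum Security Level (MSL) would accept it.

Added example, not code from the talk or from simjacker.com. Framing follows
ETSI TS 102 225 (command packet) and 3GPP TS 23.040 (UDH IEI 0x70 marks an
SMS-PP command packet); the TAR and payload bytes are constructed
placeholders, not the S@T Browser's values.
"""
from dataclasses import dataclass

IEI_COMMAND_PACKET = 0x70
INTEGRITY = {0b00: "none", 0b01: "RC", 0b10: "CC", 0b11: "DS"}   # SPI1 bits b2b1
WATCHED_TAR = b"\xaa\xbb\xcc"   # placeholder TAR of the SIM application to protect


@dataclass
class CommandPacket:
    spi1: int
    spi2: int
    kic: int
    kid: int
    tar: bytes
    cntr: bytes
    pcntr: int
    rc_cc_ds: bytes
    secured_data: bytes


def split_udh(tp_ud):
    """Split TP-User-Data into [(IEI, IE data)] and the payload after the UDH."""
    udhl = tp_ud[0]
    ies, pos = [], 1
    while pos < 1 + udhl:
        iei, ielen = tp_ud[pos], tp_ud[pos + 1]
        ies.append((iei, tp_ud[pos + 2:pos + 2 + ielen]))
        pos += 2 + ielen
    return ies, tp_ud[1 + udhl:]


def parse_command_packet(pkt):
    """CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS(*) data."""
    cpl = int.from_bytes(pkt[:2], "big")
    if cpl != len(pkt) - 2:
        raise ValueError("CPL does not match packet length")
    chl = pkt[2]
    if chl < 13:
        raise ValueError("CHL shorter than the fixed header fields")
    hdr = pkt[3:3 + chl]
    return CommandPacket(spi1=hdr[0], spi2=hdr[1], kic=hdr[2], kid=hdr[3],
                         tar=hdr[4:7], cntr=hdr[7:12], pcntr=hdr[12],
                         rc_cc_ds=hdr[13:], secured_data=pkt[3 + chl:])


def security_of(spi1):
    """Decode the first SPI byte: integrity type, ciphering flag, counter mode."""
    return {"integrity": INTEGRITY[spi1 & 0b11],
            "ciphered": bool(spi1 & 0b100),
            "counter_mode": (spi1 >> 3) & 0b11}


def sim_accepts(spi1, msl):
    """Assumed MSL rule: every security bit the MSL demands must be set in
    SPI1, so MSL=0 accepts anything, including a wholly unprotected packet."""
    return (spi1 & msl) == msl


def firewall_verdict(tp_ud, watched_tars):
    """Block OTA packets to a watched TAR that carry no integrity protection
    or no ciphering; pass everything else (including non-OTA SMS)."""
    ies, payload = split_udh(tp_ud)
    if not any(iei == IEI_COMMAND_PACKET for iei, _ in ies):
        return "pass"
    cp = parse_command_packet(payload)
    sec = security_of(cp.spi1)
    if cp.tar in watched_tars and (sec["integrity"] == "none" or not sec["ciphered"]):
        return "block"
    return "pass"


def build_command_packet(spi1, spi2, tar, secured_data, rc_cc_ds=b""):
    """Assemble a command packet (constructed; KIc/KID/CNTR/PCNTR left zero)."""
    hdr = bytes([spi1, spi2, 0x00, 0x00]) + tar + b"\x00" * 5 + b"\x00" + rc_cc_ds
    body = bytes([len(hdr)]) + hdr + secured_data
    return len(body).to_bytes(2, "big") + body


def wrap_in_udh(pkt):
    """UDHL=2, IEI=0x70 (Command Packet Identifier), IEDL=0, then the packet."""
    return bytes([0x02, IEI_COMMAND_PACKET, 0x00]) + pkt


# Constructed samples: an unprotected packet (SPI1=0x00, no RC/CC/DS) and one
# with a cryptographic checksum and ciphering (SPI1=0x06, 8-byte CC field).
UNPROTECTED = wrap_in_udh(build_command_packet(0x00, 0x00, WATCHED_TAR, b"\x01\x02"))
PROTECTED = wrap_in_udh(build_command_packet(0x06, 0x00, WATCHED_TAR, b"\x01\x02",
                                             rc_cc_ds=b"\x00" * 8))

if __name__ == "__main__":
    for name, sms in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        cp = parse_command_packet(split_udh(sms)[1])
        print(name, security_of(cp.spi1), "MSL=0:", sim_accepts(cp.spi1, 0x00),
              "MSL=0x06:", sim_accepts(cp.spi1, 0x06),
              firewall_verdict(sms, {WATCHED_TAR}))
```

The two sample packets show the asymmetry the slide relies on: the SIM with MSL=0 accepts both, while a SIM requiring CC plus ciphering (MSL=0x06) rejects the unprotected one. Network-side filtering on the TAR and SPI is the complement for cards already in the field, where the MSL cannot easily be raised; the exfiltration leg (the second SMS carrying the Cell-ID) is ordinary MO traffic and needs separate detection.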

Distribution of Location Tracking Commands
Data from H2 2019 + H1 2020 – Specific Operators
• Attacks via SS7: 63.40%
• Attacks via Simjacker: 36.60%
  – According to our intelligence only one surveillance company uses Simjacker
  – But overall stats are skewed by specific operators being very heavily targeted by Simjacker
  – Better now than in the past. Prior to the public announcement of Simjacker, the ratio in affected operators was many times higher
• Attacks via Diameter: less than 0.01%
  – However, in the last 6 months there has been a large escalation of Diameter attacks used by surveillance companies (not shown)
Working Theory: different end-users

Trends per Country – tracking rates per 100,000
[Chart series: Observed Simjacker Location Tracking Activity; Projected Simjacker Location Tracking Activity (if no discovery); SS7 Location Tracking Activity]
Conclusion: SS7 is not normally used for bulk subscriber tracking (by surveillance companies). But Simjacker is (was).

Trends of SS7 Location Tracking Commands Over Time
[Chart series: PROVIDE-SUBSCRIBER-INFO (PSI); PROVIDE-SUBSCRIBER-LOCATION (PSL); ANY-TIME-INTERROGATION (ATI); ATI – Global Opcode; PSI – Global Opcode]
For more public information on Global Opcode see: Hidden Agendas: bypassing GSMA recommendations on SS7 networks. HITB AMS SecConf May 2019, Positive Technologies.

How do these Surveillance Companies gain access?
Multiple methods, most common:
1. Pay for Link:
  – Commercial agreements via front companies, who then negotiate access to other companies reselling access to mobile operators. Can be many layers. Works best in areas with poor regulations/oversight
2. Use Big Brother:
  – Governments buy surveillance solution, mandate system to be installed in ‘captive’ Operator, or add directly onto link (bypassing Operator)
3. Find old link:
  – Old/legacy connections - rare. Defunct companies whose access is not completely removed. Less of an issue in Diameter than SS7
4. Others
Pricing not opaque, access is normally between €0.02 -> €0.10 per MSU
• The more SS7/Diameter access a surveillance company has, the more valuable it is
• Leads to some strange business cases when re-selling…
[Figure: Pricing of SS7 tracking on Darkweb; cost per tracking request goes up the more you track!]

5G and Mobile Surveillance Companies
• 5G Networks will be targeted for use by Mobile Surveillance companies
  – Newer does not always equal better
• 5G Networks
  – solve many security issues (esp. radio ones),
  – make improvements on some core network security issues
  – But: introduce new risks (internet technologies, slicing, additional complexity, mixed networks)
• GSMA and other organisations are helping to define security from the start, for 5G core networks
• Note: difference between IT and Mobile Network security – attacks normally come from known, ‘legitimate’ entities
More public information on 5G interconnect security, and GSMA 5G work:
How to Build a Secure 5G Network, and Protect Alice and Bob from each other. GSMA Fraud and Security Working Group.
https://www.gsma.com/aboutus/workinggroups/how-to-build-a-secure-5g-network-and-protect-alice-and-bob-from-each-other

5G Location Tracking Commands ‘Toolbox’ – Attacker Pros and Cons
(5G HTTPS/2 Command / Pre-requisite(s) / Pros / Cons)
• Nlmf_Location/DetermineLocation (Nlmf_DL)
  – Pre-requisite(s): PEI or SUPI or GPSI, AMF Instance ID
  – Pros: Can track by using GPSI (MSISDN). Precise
  – Cons: Can be blocked if not part of roaming agreement. AMF instance ID optional but probably required
• Namf_Location/ProvidePositioningInfo (Namf_PPI)
  – Pre-requisite(s): SUPI or GPSI
  – Pros: Can track by using MSISDN
  – Cons: Can be blocked if not part of roaming agreement
• Namf_Location/ProvideLocationInfo (Namf_PLI)
  – Pre-requisite(s): SUPI
  – Pros: Needs to be permitted on intercarrier network
  – Cons: Needs SUPI to be successful
• Ngmlc_Location/ProvideLocation (Ngmlc_PL)
  – Pre-requisite(s): SUPI or GPSI
  – Pros: Can track by using GPSI (MSISDN). Precise. Can be intercarrier
  – Cons: Inter-GMLC interface not very common
+ multiple new ways to get location in 5G as well: Events, Subscriptions, others

Complexity v Possibility to be Blocked : SS7, Diameter, Simjacker & 5G
[Chart: x-axis = possibility to be blocked (greater), y-axis = amount of pre-requisite info needed (more); Diameter: IDR, UDR, PLR; SS7: PSI, PSL, ATI; Simjacker* (* = requires S@T Browser on Target SIM); 5G (HTTPS/2): Namf_PLI, Nlmf_DL, Namf_PPI, Ngmlc_PL]

Conclusion
• Surveillance companies exploit mobile Signalling networks today. They adjust techniques based on defences and end-users (e.g. Simjacker)
• 5G networks are not invulnerable; they will also be used by surveillance companies.
• Mobile Operators can - and many do - detect and block attacks. The key to making this successful is Intelligence.
• Why watch the watchers? What you cannot see, you cannot stop
© Copyright 2020. All rights Reserved.

More Related Content

Similar to CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf

Location based encryption in gsm cellular network
Location based encryption in gsm cellular networkLocation based encryption in gsm cellular network
Location based encryption in gsm cellular network
IAEME Publication
 

Similar to CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf (20)

SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest link
 
new Algorithm1
new Algorithm1new Algorithm1
new Algorithm1
 
Gsm security
Gsm securityGsm security
Gsm security
 
Location based encryption in gsm cellular network
Location based encryption in gsm cellular networkLocation based encryption in gsm cellular network
Location based encryption in gsm cellular network
 
National Mobile Device Registration
National Mobile Device RegistrationNational Mobile Device Registration
National Mobile Device Registration
 
GSM Security
GSM SecurityGSM Security
GSM Security
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasures
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...
 
Smart cities - Open to cyber attacks
Smart cities - Open to cyber attacksSmart cities - Open to cyber attacks
Smart cities - Open to cyber attacks
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 network
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
 
40120130405021
4012013040502140120130405021
40120130405021
 
Mobile Theft Tracking Application
Mobile Theft Tracking ApplicationMobile Theft Tracking Application
Mobile Theft Tracking Application
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
 
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdfD1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
 
Amm Icict 12 2005
Amm Icict 12 2005Amm Icict 12 2005
Amm Icict 12 2005
 
Telecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenes
 
Secure Your Network with Confidence Understanding - GTP Protocols by Security...
Secure Your Network with Confidence Understanding - GTP Protocols by Security...Secure Your Network with Confidence Understanding - GTP Protocols by Security...
Secure Your Network with Confidence Understanding - GTP Protocols by Security...
 

More from AliAlwesabi

More from AliAlwesabi (17)

pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
 
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
 
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
 
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
 
lte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdflte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdf
 
Securing the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdfSecuring the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdf
 
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
 
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdfeu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
 
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdfD2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
 
CISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdfCISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdf
 
VPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasuresVPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasures
 
zero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdfzero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdf
 
Foot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurityFoot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurity
 
Guide to Network Defense Router Security
Guide to Network Defense Router SecurityGuide to Network Defense Router Security
Guide to Network Defense Router Security
 
DNS Security Issues NES 554 for DNS Security
DNS Security Issues  NES 554 for DNS SecurityDNS Security Issues  NES 554 for DNS Security
DNS Security Issues NES 554 for DNS Security
 
Intrusion detection and prevention systems.pdf
Intrusion detection and prevention systems.pdfIntrusion detection and prevention systems.pdf
Intrusion detection and prevention systems.pdf
 
ISP Network Design workshops how to design networks
ISP Network Design workshops  how to design networksISP Network Design workshops  how to design networks
ISP Network Design workshops how to design networks
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 

CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf

  • 1. © Copyright 2020. All rights Reserved. Watching the Watchers Cathal Mc Daid @mcdaidc #rc3
  • 2. © Copyright 2020. All rights Reserved. 2 Surveillance Companies are in the News (again)
  • 3. © Copyright 2020. All rights Reserved. 3 •2G/3G Core Network uses Signalling System 7 (SS7) • Main security problem: – Assumes trust between mobile phone operators worldwide • 4G Core Network uses Diameter Protocol – Same security problem exists! Why are we here “Age is just a number”. Issue is underlying trust model. • SS7 (GSM-MAP) – early 90s, Diameter – early 2010s
  • 4. © Copyright 2020. All rights Reserved. 4 1) Surveillance Companies 2) Governments 3) Criminals • Considerable overlap between sources used by Surveillance Companies and Governments • Criminal activity is the smallest activity, some overlap between sources used by these and Surveillance Companies Surveillance companies have large resources ($$) 3 Types of Exploiters of Mobile Signalling Networks
  • 5. © Copyright 2020. All rights Reserved. 5 From 2014, Industry has been recommending ways for Mobile Operators to protect subscribers/networks Led by GSM Association (GSMA Association), key outputs: • 2G/3G :GSMA FS.11 Document • 4G: GSMA FS.19 Document + Other documents for 5G and GTP Mobile Operators take this as starting point to find irregular or suspicious signalling traffic to block => • but this does not mean this irregular traffic is malicious • The vast majority of this is “noise”: misconfigured nodes, local- specific configs Malicious traffic is a very small percentage of irregular/suspicious • It takes a LOT of analysis, experience to attribute malicious-ness • Easy to make mistakes (see some recent headlines) How do we know what is Malicious? 0.04 % = Irregular/Suspicious 1.37% = Malicious All SS7 Traffic
  • 6. © Copyright 2020. All rights Reserved. 6 Surveillance! Vast majority of confirmed malicious activity is Location Tracking related On average , for surveillance companies: – SS7 Activity • 61.89% of malicious SS7 activity is used to obtain information (normally to help Location Tracking) • 30.90% of malicious SS7 activity is directly used to track location of subscribers (people/things) • 5.13% is SS7 testing, specific attacks, uncategorised other activity • 2.07 % is SS7 interception of calls/text messages/data etc – Diameter activity: very small in past, large increase recently – SMS: One surveillance company is also very active via SMS What do Mobile Surveillance Companies do
  • 7. © Copyright 2020. All rights Reserved. 7 How Location Tracking is done via SS7 : Example HLR Surveillance Company 1) ATI (MSISDN) Simplified views, for more public informationsee: #31C3 Karsten Nohl, Tobias Engel MSC Target 2) ATI-Resp (Cell-ID) 3) PSI (IMSI, MSC) 4) PSI (Cell-ID) 1) SRI-SM (MSISDN) 2) SRI-SM-Resp (IMSI, MSC) Victim’s Network Location Tracking Location Tracking Information Harvesting Method 1: Direct Method 2: Indirect
  • 8. © Copyright 2020. All rights Reserved. 8 SS7 Location Tracking Command ‘Toolbox’ – Attacker Pros and Cons GSM-MAP Command Pre-requisite(s) Pros Cons ANY-TIME- INTERROGATION (ATI) MSISDN (or IMSI) No other info needed Can often be blocked by operator legacy equipment PROVIDE-SUBSCRIBER- INFO (PSI) IMSI, Serving MSC Difficult for Operators to block Requires possession of IMSI and Serving MSC PROVIDE-SUBSCRIBER- LOCATION (PSL) MSISDN (or IMSI) Serving MSC Gets most precise location Can normally be blocked by legacy equipment. Requires possession of serving MSC. May not be supported by target network
  • 9. © Copyright 2020. All rights Reserved. 9 Complexity/Info Needed v Possibility to be Blocked : SS7 Possibility of Attacker to be Blocked PSI PSL ATI Amount of Pre-requisite info needed by Attacker Better/Easier for Attacker Worse/Harder for Attacker More Greater
  • 10. © Copyright 2020. All rights Reserved. 10 1. 09:01:29 = Initial SRI-SM from 2 operators (Sure Guernsey, Jersey Airtel) in UK Channels Islands 2. 09:02 = SRI , SRI-LCS 3. 09:03 -> 09:04 = SRI-SM from UK + Cameron 4. 09:04 -> 09:05 = 4 ATIs from Jersey Airtel, Cameroon, Israel, Laos • All within 5 minute period Sample Real Life Attempted Attack – SS7 1 2 3 4 Information Harvesting Location Tracking
  • 11. © Copyright 2020. All rights Reserved. 11 Target? • Later learnt that targeted mobile number was at (one stage) apparently associated with this person : Hervé Jaubert – French Former navy officer, marine engineer, spy • Working theory is this burst was designed to try to determine if number existed, and obtain location of number https://www.thebureauinvestigates .com/stories/2020-12-16/spy- companies-using-channel-islands- to-track-phones-around-the-world
  • 12. © Copyright 2020. All rights Reserved. 12 How Location Tracking is done via Diameter: Example HSS Surveillance Company 1) UDR (MSISDN) MME Target 2) UDA (Cell-ID) 3) IDR (IMSI, MME) 4) IDA (Cell-ID) 1) SRI-SM (MSISDN) : SS7 2) SRI-SM-Resp (IMSI, MME) : SS7 Target’s Network Location Tracking Location Tracking Information Harvesting Method 1: Direct Method 2: Indirect
  • 13. © Copyright 2020. All rights Reserved. 13 Diameter Location Tracking Commands ‘Toolbox’ – Attacker Pros and Cons Diameter Command Pre-requisite(s) Pros Cons INSERT-SUBSCRIBER- DATA-REQUEST (IDR) IMSI, Serving MME Difficult for Operators to block Requires possession of serving MME and normally IMSI USER-DATA-REQUEST (UDR) MSISDN or IMSI Can track using MSISDN Can be blocked by legacy equipment. PROVIDE-LOCATION- REQUEST (PLR) MSISDN or IMSI or IMEI, Serving MME Gets most precise location, can track using MSISDN or IMEI Can be blocked by legacy equipment. Requires possession of serving MME. May not be supported by target network
• 14. Complexity v Possibility to be Blocked: SS7 and Diameter
  [Chart: x-axis "Amount of pre-requisite info needed by attacker" (More →), y-axis "Possibility to be blocked" (Greater →); Diameter: IDR, UDR, PLR; SS7: PSI, PSL, ATI]
• 15. Sample Real Life Attempted Attack - Diameter
  • IDR from Jersey Airtel (Channel Islands), Nov 2020
  • Targeted Subscriber in their home network in Asia-Pacific
  • IDR Flags set to retrieve location (along with other details)
  [Screenshot annotations: IDR with MNC3.MCC234 = Jersey Airtel; MCC Geographic Region 5]
• 16. Surveillance Companies see mobile technology as a tool, not as a path
  [Diagram: Surveillance Company → Target over Time; 3G (SS7) Attack, 4G (Diameter) Attack, 5G Attack, Variant Simjacker Attacks, Protective 'Wall', Future?]
• 17. Simjacker
  • Uses vulnerability in SIM Card library – called S@T Browser
    – S@T Browser did not validate or authorize source SMS
    – Vulnerability exploited by text messages
    – S@T Browser allowed access to a subset of STK (SIM Toolkit) Commands on device
  • Library present on several hundred million SIM Cards
  • Actively exploited in at least 3 countries in LATAM
  • CVD shared within industry June 2019, publicly reported in Sep 2019, tech details released Oct 2019. CVD-2019-0026
    – Full details in 40+ page technical paper on www.simjacker.com
  • Simjacker is the first recorded spyware sent within an SMS
    – + huge increase in complexity and capability
• 18. How Location Tracking is done via Simjacker
  Simplified view, for more public information see: www.simjacker.com
  [Diagram: Surveillance Company → SMSC → MSC → Target, and back, all over SMS]
  Method 1: Send from Handset, Extract to Handset
    1) MO-FSM (Target MSISDN, S@T CMDS) from the surveillance company to the SMSC; delivered as MT-FSM (Target MSISDN, S@T CMDS) via the MSC to the Target
    2) On the Target: ENVELOPE (S@T CMDS) → STK PROVIDE LOCAL INFO → Cell-ID → STK SEND SMS (Cell-ID)
    3) MO-FSM (Exfil MSISDN, Cell-ID) from the Target; delivered as MT-FSM (Exfil MSISDN, Cell-ID) to the surveillance company
• 19. Simjacker Location Tracking Commands 'Toolbox' – Attacker Pros and Cons
  Command | Pre-requisite(s) | Pros | Cons
  FORWARD-SHORT-MESSAGE (MO-FSM/MT-FSM) with S@T Browser payload | MSISDN | No SS7 access required, can track using MSISDN | Requires Operator to have deployed S@T Browser with MSL=0 on their SIM Cards
• 20. Complexity v Possibility to be Blocked: SS7, Diameter, Simjacker
  [Chart: x-axis "Amount of pre-requisite info needed by attacker" (More →), y-axis "Possibility to be blocked" (Greater →); Diameter: IDR, UDR, PLR; SS7: PSI, PSL, ATI; Simjacker*]
  * = requires S@T Browser on Target SIM
• 21. Sample Real Life Attempted Attack - Simjacker
  • Vast Majority (~95%) of Simjacker attacks are sent from a Handset, to extract info via SMS to another Handset.
  • But about 0.05% of Simjacker attacks extract info directly via an SS7 address (Global Title)
    – This way, the extracted information is not seen in the home operator
    – Same GT as SS7 attack earlier
  [Screenshot annotations: SMS sent to Mexican Mobile (+52); Sent from Mexican Mobile (+52); Contains S@T Browser Payload, Requesting Location; Location will be sent by SMS to address registered in Sure Guernsey]
• 22. Distribution of Location Tracking Commands
  Data from H2 2019 + H1 2020 – Specific Operators
  • Attacks via SS7: 63.40%
  • Attacks via Simjacker: 36.60%
    – According to our intelligence only one surveillance company uses Simjacker
    – But overall stats are skewed by specific operators being very heavily targeted by Simjacker
      • Better now than in past. Prior to public announcement of Simjacker, the ratio in affected operators was many times higher
  • Attacks via Diameter: less than 0.01%
    – However, in the last 6 months there has been a large escalation of Diameter attacks used by surveillance companies (not shown)
  Working Theory: different end-users
• 23. Trends per Country – tracking rates per 100,000
  [Chart series: Observed Simjacker Location Tracking Activity; Projected Simjacker Location Tracking Activity (if no discovery); SS7 Location Tracking Activity]
  Conclusion: SS7 is not normally used for bulk subscriber tracking (by surveillance companies). But Simjacker is (was).
• 24. Trends of SS7 Location Tracking Commands Over Time
  [Chart series: PROVIDE-SUBSCRIBER-INFO (PSI); PROVIDE-SUBSCRIBER-LOCATION (PSL); ANY-TIME-INTERROGATION (ATI); ANY-TIME-INTERROGATION (ATI) - Global Opcode; PROVIDE-SUBSCRIBER-INFO (PSI) - Global Opcode]
  For more public information on Global Opcode see: Hidden Agendas: bypassing GSMA recommendations on SS7 networks. HITB AMS SecConf May 2019, Positive Technologies
• 25. How do these Surveillance Companies gain access?
  Multiple methods, most common:
  1. Pay for Link:
    – Commercial agreements via front companies, who then negotiate access to other companies reselling access to mobile operators. Can be many layers. Works best in areas with poor regulations/oversight
  2. Use Big Brother:
    – Governments buy surveillance solution, mandate system to be installed in 'captive' Operator, or add directly onto link (bypassing Operator)
  3. Find old link:
    – Old/legacy connections - rare. Defunct companies whose access is not completely removed. Less of an issue in Diameter than SS7
  4. Others
  Pricing not opaque, access is normally between €0.02 -> €0.10 per MSU
  • The more SS7/Diameter access a surveillance company has, the more valuable it is
  • Leads to some strange business cases when re-selling…
  [Image: Pricing of SS7 tracking on Darkweb – cost per tracking request goes up the more you track!]
• 26. 5G and Mobile Surveillance Companies
  [Diagram: 4G → 5G]
  • 5G Networks will be targeted for use by Mobile Surveillance companies
    – Newer does not always equal better
  • 5G Networks – solve many security issues (esp radio ones), make improvements on some core network security issues
    – But: introduce new risks (internet technologies, slicing, additional complexity, mixed networks)
  • GSMA and other organisations helping to define security from the start, for 5G core networks
  • Note: difference between IT and Mobile Network security
    – Attacks normally come from known, 'legitimate' entities
  More public information on 5G interconnect security, and GSMA 5G work: How to Build a Secure 5G Network, and Protect Alice and Bob from each other. GSMA Fraud and Security Working Group. https://www.gsma.com/aboutus/workinggroups/how-to-build-a-secure-5g-network-and-protect-alice-and-bob-from-each-other
• 27. 5G Location Tracking Commands 'Toolbox' – Attacker Pros and Cons
  5G HTTPS/2 Command | Pre-requisite(s) | Pros | Cons
  Nlmf_Location/DetermineLocation (Nlmf_DL) | PEI or SUPI or GPSI, AMF Instance ID | Can track by using GPSI (MSISDN). Precise | Can be blocked if not part of roaming agreement. AMF instance ID optional but probably required
  Namf_Location/ProvidePositioningInfo (Namf_PPI) | SUPI or GPSI | Can track by using MSISDN | Can be blocked if not part of roaming agreement
  Namf_Location/ProvideLocationInfo (Namf_PLI) | SUPI | Needs to be permitted on intercarrier network | Needs SUPI to be successful
  Ngmlc_Location/ProvideLocation (Ngmlc_PL) | SUPI or GPSI | Can track by using GPSI (MSISDN). Precise. Can be intercarrier | Inter-GMLC interface not very common
  + multiple new ways to get location in 5G as well: Events, Subscriptions, others
• 28. Complexity v Possibility to be Blocked: SS7, Diameter, Simjacker & 5G
  [Chart: x-axis "Amount of pre-requisite info needed" (More →), y-axis "Possibility to be blocked" (Greater →); Diameter: IDR, UDR, PLR; SS7: PSI, PSL, ATI; Simjacker*; 5G (HTTPS/2): Namf_PLI, Nlmf_DL, Nlmf_PPI, Ngmlc_PL]
  * = requires S@T Browser on Target SIM
• 29. Conclusion
  • Surveillance companies exploit mobile Signalling networks today. They adjust techniques based on defences and end-users (e.g. Simjacker)
  • 5G networks are not invulnerable, they will also be used by surveillance companies.
  • Mobile Operators can - and many do - detect and block attacks. The key to make this successful is Intelligence.
  • Why watch the watchers? What you cannot see, you cannot stop