SlideShare a Scribd company logo

D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf

A
AliAlwesabi

Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols

Technology
1 of 42
Download to read offline
Telecommunications Infrastructure Security
 SS7 Basics  Example of SS7 protocol (ISUP) and related attacks  SS7 and IP: the SIGTRAN evolution and problems  A practical SS7 attack: Disabling incoming calls to any subscriber  Connecting to 7bone: Using SS7 stacks to conduct Security Research on SS7 & SIGTRANVPN  SS7 stack demo
Introduction to SS7 in the PSTN SS7 links types and SS7 signal units
 Service Switching Points (SSP) are the telephone “switches” that are interconnected to each other by SS7 links.The SSPs perform call processing on calls that originate, tandem, or terminate at that site.  SignalTransfer Points (STP) are “routers” that relay messages between network switches and databases.Their main function is to route SS7 messages to the correct outgoing signaling link, based on information contained in the SS7 message address fields.  Service Control Points (SCP) contains centralized network databases for providing enhanced services. Examples of services include toll-free numbers and prepaid subscriptions.
 Peer relationships between operators  STP connectivity  SIGTRAN protocols  VAS systems e.g. SMSC, IN  Signalling Gateways, MGW  SS7 Service providers  GTT translation  SIP encapsulation  ISDN terminals  LIG  And of course… GSM phones
To meet the stringent reliability requirements of public telecommunications networks, a number of safeguards are built into the SS7 protocol:  STPs and SCPs are normally provisioned in mated pairs. On the failure of individual components, this duplication allows signaling traffic to be automatically diverted to an alternate resource, minimizing the impact on service.  Signaling links are provisioned with some level of redundancy. Signaling traffic is automatically diverted to alternate links in the case of link failures.  The SS7 protocol has built-in error recovery mechanisms to ensure reliable transfer of signaling messages in the event of a network failure.  Management messages (Link Status Signal Units) are constantly sent over the links to monitor its status.
 MTP (MessageTransfer Part) Layers 1-3: lower level functionality at the Physical, Data Link and Network Level.They serve as a signaling transfer point, and support multiple congestion priority, message discrimination, distribution and routing.  ISUP (Integrated Services Digital Network User Part): network side protocol for the signaling functions required to support voice, data, text and video services in ISDN. ISUP supports the call control function for the control of analog or digital circuit switched network connections carrying voice or data traffic.  SCCP (SignalingControl Connection Part): supports higher protocol layers such asTCAP with an array of data transfer services including connection-less and connection oriented services. SCCP supports global title translation (routing based on directory number or application title rather than point codes), and ensures reliable data transfer independent of the underlying hardware.  TCAP (Transaction Capabilities Application Part): provides the signaling function for communication with network databases.TCAP provides non-circuit transaction based information exchange between network entities.  MAP (MobileApplication Part): provides inter-system connectivity between wireless systems, and was specifically developed as part of the GSM standard.  INAP (Intelligent Network Application Part): runs on top ofTCAP and provides high-level services interacting with SSP, SCP and SDP in an SS7 network.
Scanning Vulnerability, injection
ISUP message types ISUP call flows
 An initial address message (IAM) is sent in the “forward” direction by each switch in the circuit between the calling party and the destination switch of the called party.  An IAM contains the called party number in the mandatory variable part and may contain the calling party name and number in the optional part.  Attack: Capacity DoS
 An address complete message (ACM) is sent in the “backward” direction to indicate that the remote end of a trunk circuit has been reserved.  The originating switch responds to an ACM message by connecting the calling party’s line to the trunk to complete the voice circuit from the calling party to the called party.  The calling party hears ringing on the voice trunk.
 A release message (REL) is sent in either direction indicating that the circuit is being released due to a specified cause indicator.  An REL is sent when either calling or called party hangs up the call (cause = 16).  An REL is also sent back to the calling party if the called party is busy (cause = 17).  Attack: Selective DoS
 A release complete message (RLC) is sent in the opposite direction of an REL to acknowledge the release of the remote end of a trunk circuit and to end the billing cycle, if appropriate.
DPC Scanning GTT Scanning SSN Scanning
Basics of IP telephony SIGTRAN protocols
 Media Gateway (MGW) terminates voice calls on inter-switch trunks from the PSTN, compresses and packetizes the voice data, and delivers voice packets to the IP network. For ISDN calls from the PSTN, Q.931 signaling information is transported from the MGW to the media gateway controller for call processing.  Media Gateway Controller (MGC) handles the registration and management of resources at the media gateways.An MGC exchanges ISUP messages with CO switches via a signaling gateway. Sometimes called a softswitch.  Signaling Gateway (SGW) provides transparent interworking of signaling between switched circuit and IP networks.The SGW may terminate SS7 signaling or translate and relay messages over an IP network to an MGC or another SGW.
 The SIGTRAN protocols specify the means by which SS7 messages can be reliably transported over IP networks.  The architecture identifies two components: a common transport protocol for the SS7 protocol layer being carried and an adaptation module to emulate lower layers of the protocol. For example:  If the native protocol is MTP (MessageTransport Layer) Level 3, the SIGTRAN protocols provide the equivalent functionality of MTP Level 2.  If the native protocol is ISUP or SCCP, the SIGTRAN protocols provide the same functionality as MTP Levels 2 and 3.  If the native protocol isTCAP, the SIGTRAN protocols provide the functionality of SCCP (connectionless classes) and MTP Levels 2 and 3.
Disabling incoming calls to any subscriber
 The MAP updateLocation (UL) message contains subscriber's IMSI and MSC/VLR addresses.  Once UL reaches the HLR, it changes the serving MSC/VLR address in subscriber's profile using MAP insertSubscriberData messages.  From then on the HLR will use MSC/VLR addresses from it as addresses of real MSC/VLR.  It's not even necessary to complete whole UL-ISD- ISDack-ULack transaction!  The HLR will complete the operation by sending a MAP cancelLocation message to the servingVLR to delete subscriber's information from it.
IMSI scanning / querying needed !
Using SS7 stacks to connect to the Security Research SS7 & SIGTRANVPN
 OpenSS7 is a SS7 and SIGTRAN protocol stack which provides GPL'ed and LGPL'ed source.  Open source implementation of the SS7 stack as specified by ITU-T, ETSI,ANSI, and other standards bodies. It derives primarily from an implementation of the ITU-T Q.700-Series Recommendations  ISUP andTCAP support  Supports a variety of E1/T1 boards. Runs on Kernel 2.4 and 2.6 (specific kernel versions!)  Project not yet suitable for carrier-grade implementations.
 Mature commercial SS7 stack implementing most protocols  SupportsWintel, Linux and Solaris environments. Standalone, virtually no dependencies  Can handle a variety of hardware interfaces  Can be freely downloaded and run in “trial mode” (stack resets after 10 hours of use)  Fully documented APIs and numerous code examples, test programs and scripts  Ideal for testbed development, with the ability to scale up to carrier environments  Actively maintained
 SCTPscan includes its own SCTP spoof & sniff implementation, can be used to build custom SCTP queries and security tools  The sctplib library is a fairly complete userland implementation of the SCTP stack, open source and actively maintained.  HP OpenCall SS7. Used in several carrier deployments, provides a well documented API but cannot operate in trial mode.  Telesys MACH-SS7 stack. Robust, well documented commercial stack.  Proprietary stacks (NSN, Alcatel, Huawei, …)  Attack: several closed source implementations, room for vulns?
 SS7 is not as closed as telco think  Coding new attack tools, often specific, during pentests  Discovering new techniques thanks to the 7BONEVPN  Telco infrastructure security is coming out of obscurity
 Questions welcome  Philippe pl@tstf.net, Emmanuel eg@tstf.net  Contact us to join the 7bone.net project
 Skyper and theTHC SS7 project  Bogdan Iusukhno  All the 7bone security researchers  CISCO SS7 fundamentals,CISCO press  Introduction to SS7 and IP, by Lawrence Harte & David Bowler  Signaling System No. 7 (SS7/C7) - Protocol,Architecture and Services, by Lee Dryburgh, Jeff Hewett

Recommended

Signaling system 7
Signaling system 7 Signaling system 7
Signaling system 7
Dhrubaji Mandal ♛
 
Rk 4 signaling system
Rk 4 signaling systemRk 4 signaling system
Rk 4 signaling system
Vishal Pandey
 
RK-4 Signaling System.ppt
RK-4 Signaling System.pptRK-4 Signaling System.ppt
RK-4 Signaling System.ppt
FaisalShahzad201901
 
Signaling system 7 (ss7)
Signaling system 7 (ss7)Signaling system 7 (ss7)
Signaling system 7 (ss7)
usman zulfqar
 
Red SS7 Conceptos claves
Red SS7 Conceptos clavesRed SS7 Conceptos claves
Red SS7 Conceptos claves
edgarjgonzalezg
 
Core_Day3.pptx
Core_Day3.pptxCore_Day3.pptx
Core_Day3.pptx
MOHAMEDABDULJABAR1
 
Switching systems lecture4
Switching systems lecture4Switching systems lecture4
Switching systems lecture4
Jumaan Ally Mohamed
 
SIGTRAN-Products-Presentation.pdf
SIGTRAN-Products-Presentation.pdfSIGTRAN-Products-Presentation.pdf
SIGTRAN-Products-Presentation.pdf
prasadharinandan20
 

Recommended

Signaling system 7
Signaling system 7 Signaling system 7
Signaling system 7
Dhrubaji Mandal ♛
 
Rk 4 signaling system
Rk 4 signaling systemRk 4 signaling system
Rk 4 signaling system
Vishal Pandey
 
RK-4 Signaling System.ppt
RK-4 Signaling System.pptRK-4 Signaling System.ppt
RK-4 Signaling System.ppt
FaisalShahzad201901
 
Signaling system 7 (ss7)
Signaling system 7 (ss7)Signaling system 7 (ss7)
Signaling system 7 (ss7)
usman zulfqar
 
Red SS7 Conceptos claves
Red SS7 Conceptos clavesRed SS7 Conceptos claves
Red SS7 Conceptos claves
edgarjgonzalezg
 
Core_Day3.pptx
Core_Day3.pptxCore_Day3.pptx
Core_Day3.pptx
MOHAMEDABDULJABAR1
 
Switching systems lecture4
Switching systems lecture4Switching systems lecture4
Switching systems lecture4
Jumaan Ally Mohamed
 
SIGTRAN-Products-Presentation.pdf
SIGTRAN-Products-Presentation.pdfSIGTRAN-Products-Presentation.pdf
SIGTRAN-Products-Presentation.pdf
prasadharinandan20
 
Digital switching system ppt
Digital switching system pptDigital switching system ppt
Digital switching system ppt
GopalakrishnaM4
 
Study on Performance of Simulation Analysis on Multimedia Network
Study on Performance of Simulation Analysis on Multimedia NetworkStudy on Performance of Simulation Analysis on Multimedia Network
Study on Performance of Simulation Analysis on Multimedia Network
IRJET Journal
 
Ss7 briefp
Ss7 briefpSs7 briefp
Ss7 briefp
jcbenitezp
 
MC0087 Internal Assignment (SMU)
MC0087 Internal Assignment (SMU)MC0087 Internal Assignment (SMU)
MC0087 Internal Assignment (SMU)
Krishan Pareek
 
An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7
irjes
 
An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7
IJRES Journal
 
Networking Brief Overview
Networking Brief OverviewNetworking Brief Overview
Networking Brief Overview
Kristof De Brouwer
 
SS7
SS7SS7
SS7
denys.pozniak
 
Signaling System 7 (SS7)
Signaling System 7 (SS7)Signaling System 7 (SS7)
Signaling System 7 (SS7)
shire ali
 
WLAN - IEEE 802.11
WLAN - IEEE 802.11WLAN - IEEE 802.11
WLAN - IEEE 802.11
Rahul Hada
 
01 pengenalan
01 pengenalan01 pengenalan
01 pengenalan
Hattori Sidek
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li In
mhaviv
 
CCNA 1
CCNA 1CCNA 1
CCNA 1
Asish Verma
 
EWSD Switching Systems
EWSD Switching Systems EWSD Switching Systems
EWSD Switching Systems
Arun Rajput
 
U 4215 L Switching Signaling1 2
U 4215 L Switching Signaling1 2U 4215 L Switching Signaling1 2
U 4215 L Switching Signaling1 2
randalbrazelton
 
group11_DNAA:protocol stack and addressing
group11_DNAA:protocol stack and addressinggroup11_DNAA:protocol stack and addressing
group11_DNAA:protocol stack and addressing
Anitha Selvan
 
S5850 datasheet
S5850 datasheetS5850 datasheet
S5850 datasheet
Teresa Huang
 
S5850 3-datasheet
S5850 3-datasheetS5850 3-datasheet
S5850 3-datasheet
Teresa Huang
 
S5850 datasheet
S5850 datasheetS5850 datasheet
S5850 datasheet
Teresa Huang
 
S5850 3-datasheet
S5850 3-datasheetS5850 3-datasheet
S5850 3-datasheet
Teresa Huang
 
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
AliAlwesabi
 
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
AliAlwesabi
 

More Related Content

Similar to D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf

An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7
irjes
 
An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7
IJRES Journal
 
group11_DNAA:protocol stack and addressing
group11_DNAA:protocol stack and addressinggroup11_DNAA:protocol stack and addressing
group11_DNAA:protocol stack and addressing
Anitha Selvan
 

Similar to D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf (20)

Digital switching system ppt
Digital switching system pptDigital switching system ppt
Digital switching system ppt
 
Study on Performance of Simulation Analysis on Multimedia Network
Study on Performance of Simulation Analysis on Multimedia NetworkStudy on Performance of Simulation Analysis on Multimedia Network
Study on Performance of Simulation Analysis on Multimedia Network
 
Ss7 briefp
Ss7 briefpSs7 briefp
Ss7 briefp
 
MC0087 Internal Assignment (SMU)
MC0087 Internal Assignment (SMU)MC0087 Internal Assignment (SMU)
MC0087 Internal Assignment (SMU)
 
An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7
 
An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7An Investigation on Standards and Applications of Signalling System No.7
An Investigation on Standards and Applications of Signalling System No.7
 
Networking Brief Overview
Networking Brief OverviewNetworking Brief Overview
Networking Brief Overview
 
SS7
SS7SS7
SS7
 
Signaling System 7 (SS7)
Signaling System 7 (SS7)Signaling System 7 (SS7)
Signaling System 7 (SS7)
 
WLAN - IEEE 802.11
WLAN - IEEE 802.11WLAN - IEEE 802.11
WLAN - IEEE 802.11
 
01 pengenalan
01 pengenalan01 pengenalan
01 pengenalan
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li In
 
CCNA 1
CCNA 1CCNA 1
CCNA 1
 
EWSD Switching Systems
EWSD Switching Systems EWSD Switching Systems
EWSD Switching Systems
 
U 4215 L Switching Signaling1 2
U 4215 L Switching Signaling1 2U 4215 L Switching Signaling1 2
U 4215 L Switching Signaling1 2
 
group11_DNAA:protocol stack and addressing
group11_DNAA:protocol stack and addressinggroup11_DNAA:protocol stack and addressing
group11_DNAA:protocol stack and addressing
 
S5850 datasheet
S5850 datasheetS5850 datasheet
S5850 datasheet
 
S5850 3-datasheet
S5850 3-datasheetS5850 3-datasheet
S5850 3-datasheet
 
S5850 datasheet
S5850 datasheetS5850 datasheet
S5850 datasheet
 
S5850 3-datasheet
S5850 3-datasheetS5850 3-datasheet
S5850 3-datasheet
 

More from AliAlwesabi

More from AliAlwesabi (18)

pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
 
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
 
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
 
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
 
lte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdflte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdf
 
Securing the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdfSecuring the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdf
 
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
 
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdfeu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
 
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdfCCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
 
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdfD1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
 
CISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdfCISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdf
 
VPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasuresVPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasures
 
zero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdfzero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdf
 
Foot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurityFoot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurity
 
Guide to Network Defense Router Security
Guide to Network Defense Router SecurityGuide to Network Defense Router Security
Guide to Network Defense Router Security
 
DNS Security Issues NES 554 for DNS Security
DNS Security Issues NES 554 for DNS SecurityDNS Security Issues NES 554 for DNS Security
DNS Security Issues NES 554 for DNS Security
 
Intrusion detection and prevention systems.pdf
Intrusion detection and prevention systems.pdfIntrusion detection and prevention systems.pdf
Intrusion detection and prevention systems.pdf
 
ISP Network Design workshops how to design networks
ISP Network Design workshops how to design networksISP Network Design workshops how to design networks
ISP Network Design workshops how to design networks
 

Recently uploaded

How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
Stephen Perrenod
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
Femke de Vroome
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
panagenda
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
UXDXConf
 

Recently uploaded (20)

How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 

D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf

  • 2.  SS7 Basics  Example of SS7 protocol (ISUP) and related attacks  SS7 and IP: the SIGTRAN evolution and problems  A practical SS7 attack: Disabling incoming calls to any subscriber  Connecting to 7bone: Using SS7 stacks to conduct Security Research on SS7 & SIGTRANVPN  SS7 stack demo
  • 3. Introduction to SS7 in the PSTN SS7 links types and SS7 signal units
  • 4.  Service Switching Points (SSP) are the telephone “switches” that are interconnected to each other by SS7 links.The SSPs perform call processing on calls that originate, tandem, or terminate at that site.  SignalTransfer Points (STP) are “routers” that relay messages between network switches and databases.Their main function is to route SS7 messages to the correct outgoing signaling link, based on information contained in the SS7 message address fields.  Service Control Points (SCP) contains centralized network databases for providing enhanced services. Examples of services include toll-free numbers and prepaid subscriptions.
  • 5.
  • 6.
  • 7.  Peer relationships between operators  STP connectivity  SIGTRAN protocols  VAS systems e.g. SMSC, IN  Signalling Gateways, MGW  SS7 Service providers  GTT translation  SIP encapsulation  ISDN terminals  LIG  And of course… GSM phones
  • 8. To meet the stringent reliability requirements of public telecommunications networks, a number of safeguards are built into the SS7 protocol:  STPs and SCPs are normally provisioned in mated pairs. On the failure of individual components, this duplication allows signaling traffic to be automatically diverted to an alternate resource, minimizing the impact on service.  Signaling links are provisioned with some level of redundancy. Signaling traffic is automatically diverted to alternate links in the case of link failures.  The SS7 protocol has built-in error recovery mechanisms to ensure reliable transfer of signaling messages in the event of a network failure.  Management messages (Link Status Signal Units) are constantly sent over the links to monitor its status.
  • 9.
  • 10.  MTP (MessageTransfer Part) Layers 1-3: lower level functionality at the Physical, Data Link and Network Level.They serve as a signaling transfer point, and support multiple congestion priority, message discrimination, distribution and routing.  ISUP (Integrated Services Digital Network User Part): network side protocol for the signaling functions required to support voice, data, text and video services in ISDN. ISUP supports the call control function for the control of analog or digital circuit switched network connections carrying voice or data traffic.  SCCP (SignalingControl Connection Part): supports higher protocol layers such asTCAP with an array of data transfer services including connection-less and connection oriented services. SCCP supports global title translation (routing based on directory number or application title rather than point codes), and ensures reliable data transfer independent of the underlying hardware.  TCAP (Transaction Capabilities Application Part): provides the signaling function for communication with network databases.TCAP provides non-circuit transaction based information exchange between network entities.  MAP (MobileApplication Part): provides inter-system connectivity between wireless systems, and was specifically developed as part of the GSM standard.  INAP (Intelligent Network Application Part): runs on top ofTCAP and provides high-level services interacting with SSP, SCP and SDP in an SS7 network.
  • 11.
  • 14.
  • 15.
  • 16.  An initial address message (IAM) is sent in the “forward” direction by each switch in the circuit between the calling party and the destination switch of the called party.  An IAM contains the called party number in the mandatory variable part and may contain the calling party name and number in the optional part.  Attack: Capacity DoS
  • 17.  An address complete message (ACM) is sent in the “backward” direction to indicate that the remote end of a trunk circuit has been reserved.  The originating switch responds to an ACM message by connecting the calling party’s line to the trunk to complete the voice circuit from the calling party to the called party.  The calling party hears ringing on the voice trunk.
  • 18.
  • 19.  A release message (REL) is sent in either direction indicating that the circuit is being released due to a specified cause indicator.  An REL is sent when either calling or called party hangs up the call (cause = 16).  An REL is also sent back to the calling party if the called party is busy (cause = 17).  Attack: Selective DoS
  • 20.  A release complete message (RLC) is sent in the opposite direction of an REL to acknowledge the release of the remote end of a trunk circuit and to end the billing cycle, if appropriate.
  • 22. Basics of IP telephony SIGTRAN protocols
  • 23.  Media Gateway (MGW) terminates voice calls on inter-switch trunks from the PSTN, compresses and packetizes the voice data, and delivers voice packets to the IP network. For ISDN calls from the PSTN, Q.931 signaling information is transported from the MGW to the media gateway controller for call processing.  Media Gateway Controller (MGC) handles the registration and management of resources at the media gateways.An MGC exchanges ISUP messages with CO switches via a signaling gateway. Sometimes called a softswitch.  Signaling Gateway (SGW) provides transparent interworking of signaling between switched circuit and IP networks.The SGW may terminate SS7 signaling or translate and relay messages over an IP network to an MGC or another SGW.
  • 24.
  • 25.  The SIGTRAN protocols specify the means by which SS7 messages can be reliably transported over IP networks.  The architecture identifies two components: a common transport protocol for the SS7 protocol layer being carried and an adaptation module to emulate lower layers of the protocol. For example:  If the native protocol is MTP (MessageTransport Layer) Level 3, the SIGTRAN protocols provide the equivalent functionality of MTP Level 2.  If the native protocol is ISUP or SCCP, the SIGTRAN protocols provide the same functionality as MTP Levels 2 and 3.  If the native protocol isTCAP, the SIGTRAN protocols provide the functionality of SCCP (connectionless classes) and MTP Levels 2 and 3.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30. Disabling incoming calls to any subscriber
  • 31.  The MAP updateLocation (UL) message contains subscriber's IMSI and MSC/VLR addresses.  Once UL reaches the HLR, it changes the serving MSC/VLR address in subscriber's profile using MAP insertSubscriberData messages.  From then on the HLR will use MSC/VLR addresses from it as addresses of real MSC/VLR.  It's not even necessary to complete whole UL-ISD- ISDack-ULack transaction!  The HLR will complete the operation by sending a MAP cancelLocation message to the servingVLR to delete subscriber's information from it.
  • 32.
  • 33. IMSI scanning / querying needed !
  • 34.
  • 35. Using SS7 stacks to connect to the Security Research SS7 & SIGTRANVPN
  • 36.  OpenSS7 is a SS7 and SIGTRAN protocol stack which provides GPL'ed and LGPL'ed source.  Open source implementation of the SS7 stack as specified by ITU-T, ETSI,ANSI, and other standards bodies. It derives primarily from an implementation of the ITU-T Q.700-Series Recommendations  ISUP andTCAP support  Supports a variety of E1/T1 boards. Runs on Kernel 2.4 and 2.6 (specific kernel versions!)  Project not yet suitable for carrier-grade implementations.
  • 37.  Mature commercial SS7 stack implementing most protocols  SupportsWintel, Linux and Solaris environments. Standalone, virtually no dependencies  Can handle a variety of hardware interfaces  Can be freely downloaded and run in “trial mode” (stack resets after 10 hours of use)  Fully documented APIs and numerous code examples, test programs and scripts  Ideal for testbed development, with the ability to scale up to carrier environments  Actively maintained
  • 38.  SCTPscan includes its own SCTP spoof & sniff implementation, can be used to build custom SCTP queries and security tools  The sctplib library is a fairly complete userland implementation of the SCTP stack, open source and actively maintained.  HP OpenCall SS7. Used in several carrier deployments, provides a well documented API but cannot operate in trial mode.  Telesys MACH-SS7 stack. Robust, well documented commercial stack.  Proprietary stacks (NSN, Alcatel, Huawei, …)  Attack: several closed source implementations, room for vulns?
  • 39.
  • 40.  SS7 is not as closed as telco think  Coding new attack tools, often specific, during pentests  Discovering new techniques thanks to the 7BONEVPN  Telco infrastructure security is coming out of obscurity
  • 41.  Questions welcome  Philippe pl@tstf.net, Emmanuel eg@tstf.net  Contact us to join the 7bone.net project
  • 42.  Skyper and theTHC SS7 project  Bogdan Iusukhno  All the 7bone security researchers  CISCO SS7 fundamentals,CISCO press  Introduction to SS7 and IP, by Lawrence Harte & David Bowler  Signaling System No. 7 (SS7/C7) - Protocol,Architecture and Services, by Lee Dryburgh, Jeff Hewett