The document describes how to intercept mobile phone conversations and intercept text messages by exploiting vulnerabilities in the SS7 protocol. It explains how to collect a target's private information from the HLR like IMSI and location. It then shows how an attacker can spoof being an MSC or HLR to intercept calls and SMS, or conduct denial of service attacks by monopolizing the network's resources through endless signaling requests. The goal is to illustrate real threats to mobile network security from vulnerabilities in SS7 and inter-network connectivity.

2. How to Intercept a Conversation
Held on the Other Side of the
Planet

3. Who we are
Sergey Puzankov
Dmitry Kurbatov
Information Security Specialists
Positive Technologies

4. Denial of Service on Mobile Switching Center
Fraud in SS7 network
Short Message Interception
USSD Money Transfer
Subscriber’s Location
Voice Call Interception
Hot for Mobile network operators
Hot for everyone
Topics

5. All of us are subscribers
Service Availability
Quality of Service
Security

6. Mobile Services Dynamics
Voice
Mobile Data Traffic

7. Yesterday: Closed Ecosystems

8. Today: Unified Technologies

9. Today: Common Interfaces

10. Today: IP Connectivity

11. Today: Widen Borders
Get your own femtocell
• Hack it
• Upload modified firmware
• Make a call/SMS interception
• Get into IPsec
• Get into Core network

12. Tomorrow: virtualization

13. SIGTRAN
Time Machine
Through SIGTRAN back to 1970’s

14. SS7
SS7 Network
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C

15. SS7
HLRMSC
VLR
Gateway
MSC
Billing
SMS-C
Radio Part
A
B
Cell Phone
Base Transceiver Station
Base Station Controller

16. SS7
MSC/VLR
HLR
A
B
Gateway
MSC
Billing
SMS-C
MSC
VLR
Mobile Switching Center
Visitor Location Register

17. SS7
Gateway MSC
HLR
A
B
MSC
VLR
Billing
SMS-C
Gateway
MSC
Gateway Mobile Switching Center

18. SS7
SMS-C
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
Short Message Service Center

19. SS7
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
Homeу Location Register
HLR

20. SS7
Billing
A
B
MSC
VLR
Gateway
MSC SMS-C
HLR
Billing

21. SS7
IDs
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
GT – Global Title 0 123 4567890

22. SS7
IDs
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
GT – Global Title 0 123 4567890
MSISDN – A or B mobile numbers 0 123 4567890

23. SS7
IDs
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
GT – Global Title 0 123 4567890
MSISDN – A or B mobile numbers 0 123 4567890
MSRN – Mobile Subscriber Roaming Number 0 123 4567890

24. SS7
IDs
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
GT – Global Title 0 123 4567890
MSISDN – A or B mobile numbers 0 123 4567890
MSRN – Mobile Subscriber Roaming Number 0 123 4567890
IMSI – International Mobile Subscriber Identity 15 digits

25. SS7
How to get in?
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C

26. SS7
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
CS Core
PS Core
IMS
Core Networks

27. SS7
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
CS CoreUTRAN
PS Core
IMS
LTE
Wi-Fi
WiMAX
PON
DSL
Femto
Access Networks

28. SS7
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
CS CoreUTRAN
PS Core
IMS
LTE
Wi-Fi
WiMAX
PON
DSL
Femto
GRX/IPX
Exchange Points

29. SS7
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
CS CoreUTRAN
PS Core
IMS
LTE
Wi-Fi
WiMAX
PON
DSL
Femto
GRX/IPX
OAM
Remote
support
Support

30. SS7
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
CS CoreUTRAN
PS Core
IMS
LTE
Wi-Fi
WiMAX
PON
DSL
Femto
GRX/IPX
OAM
Remote
support
IT IT network

31. SS7
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
CS CoreUTRAN
PS Core
IMS
LTE
Wi-Fi
WiMAX
PON
DSL
Femto
GRX/IPX
OAM
Remote
support
Internet
Internet IT network

32. SS7
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
CS CoreUTRAN
PS Core
IMS
LTE
Wi-Fi
WiMAX
PON
DSL
Femto
GRX/IPX
OAM
Remote
support
Internet
IT networkTraffic

33. SS7
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
CS CoreUTRAN
PS Core
IMS
LTE
Wi-Fi
WiMAX
PON
DSL
Femto
GRX/IPX
OAM
Remote
support
Internet
IT networkThreats
Attacker
Attacker
Attacker
Attacker
AttackerAttacker

34. SS7
HLR
A
B
MSC
VLR
Gateway
MSC
Billing
SMS-C
CS CoreUTRAN
PS Core
IMS
LTE
Wi-Fi
WiMAX
PON
DSL
Femto
GRX/IPX
OAM
Remote
support
Internet
IT networkThreat
Attacker
Attacker
Attacker
Attacker
AttackerAttacker

35. Mobile Switching Center DoS
Just like DHCP Starvation

36. SS7
Collect info
HLR
Attacker
B
Gateway
MSC
We know
B-Number 0 123 4567802
MSC
VLR

37. SS7
Collect info
HLR
Attacker
as SMSC
B
MSC
VLR
Gateway
MSC
1
We know
B-Number 0 123 4567802
SRI4SMsendRoutingInfoForSM
I am SMSC.
My GT 1 321 4567801.
Where is
Subscriber-B MSISDN 0 123 4567802?

38. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
SRI4SM
We know
B-Number 0 123 4567802
Attacker
as SMSC

39. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
2
SRI4SM
We know
B-Number 0 123 4567802
Attacker
as SMSC
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits

40. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
2
SRI4SM
We know
B-Number 0 123 4567802
Attacker
as SMSC
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits

41. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
2
2
SRI4SM
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
Attacker
as SMSC

42. SS7
Make it starve
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
3PRNprovideRoamingNumber
I am HLR.
My GT 1 321 4567801.
Provide MSRN for
Subscriber-B IMSI 15 digits.

43. SS7
Make it starve
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
MSRN 0 123 4560001
3PRN
4 provideRoamingNumber
MSRN 0 123 4560001

44. SS7
Make it starve
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
MSRN 0 123 4560001
3PRN
4
Default timeouts for MSRN:
• Ericsson – 30 sec
• Huawei – 45 sec
provideRoamingNumber
MSRN 0 123 4560001

45. SS7
Make it starve
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
MSRN 0 123 4560001
…
MSRN 0 123 4569999
3PRN
4
provideRoamingNumber
I am HLR.
My GT 1 321 4567801.
Provide MSRN for
Subscriber-B IMSI 15 digits.
provideRoamingNumber
I am HLR.
My GT 1 321 4567801.
Provide MSRN for
Subscriber-B IMSI 15 digits.
provideRoamingNumber
I am HLR.
My GT 1 321 4567801.
Provide MSRN for
Subscriber-B IMSI 15 digits.…
provideRoamingNumber
MSRN 0 123 4560001provideRoamingNumber
MSRN 0 123 4560001
provideRoamingNumber
MSRN 0 123 4569999…

46. SS7
Make it starve
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
MSRN 0 123 4560001
…
MSRN 0 123 4569999
3PRN
4
provideRoamingNumber
I am HLR.
My GT 1 321 4567801.
Provide MSRN for
Subscriber-B IMSI 15 digits.

47. SS7
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
MSRN 0 123 4560001
…
MSRN 0 123 4569999
3PRN
4
noRoamingNumberAvailable
Make it starve

48. SS7
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
MSRN 0 123 4560001
…
MSRN 0 123 4569999
3PRN
4
noRoamingNumberAvailable
Make it starve

49. SS7
DoS
HLR
Attacker
as HLR
B
Gateway
MSC
Real
HLR
10k – 500k
MSC
VLR

50. SS7
DoS
HLR
Attacker
as HLR
Gateway
MSC
PRN
Real
HLR
B
10k – 500k
MSC
VLR
3
provideRoamingNumber
I am HLR.
My GT 1 321 4568701.
Provide MSRN for
Subscriber-ANY IMSI 15 digits.

51. SS7
DoS
HLR
Attacker
as HLR
Gateway
MSC
PRN
Real
HLR
B
10k – 500k
MSC
VLR
3
4
noRoamingNumberAvailable

52. SS7
DoS
HLR
Attacker
as HLR
Gateway
MSC
PRN
Real
HLR
B
10k – 500k
MSC
VLR
3
4
No incoming
calls
Sad calling party

53. Fraud in SS7

54. SS7
SS7 interconnection
HLRMSC
VLR
Gateway
MSC
Billing
SMS-C
HLRMSC
VLR
Gateway
MSC
Billing
SMS-C
HLRMSC
VLR
Gateway
MSC
Billing
SMS-C
Trusted environment

55. Leadership team
HLRMSC
VLR
Gateway
MSC
Billing
SMS-C
CEO
CSO CMO CCO
CLO

56. Leadership team
HLRMSC
VLR
Gateway
MSC
Billing
SMS-C
CEO
CSO CMO CCO
CLO
Really?!
Trust them?

57. Uncharged calls
1) Spoof MSC
2) Initiate «home network» call
3) Forward call anywhere

58. SS7
Collect info
HLR
Attacker
B
MSC
VLR
Gateway
MSC
We know
B-Number 0 123 4567802
A

59. SS7
Collect info
HLR
Attacker
as SMSC
B
MSC
VLR
Gateway
MSC
1
We know
B-Number 0 123 4567802
SRI4SMsendRoutingInfoForSM
I am SMSC.
My GT 1 321 4567801.
Where is
Subscriber-B MSISDN 0 123 4567802?
A

60. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
SRI4SM
We know
B-Number 0 123 4567802
Attacker
as SMSC
A

61. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
2
SRI4SM
We know
B-Number 0 123 4567802
Attacker
as SMSC
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
A

62. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
2
SRI4SM
We know
B-Number 0 123 4567802
Attacker
as SMSC
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
A

63. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
2
2
SRI4SM
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
Attacker
as SMSC
A

64. SS7
Spoof MSC
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
3
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
I serve Subscriber-B IMSI 15 digits.
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits

65. SS7
Spoof MSC
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
3
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
I serve Subscriber-B IMSI 15 digits.
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits

66. SS7
Spoof MSC
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
3
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
HLR stores
Subscriber-B IMSI 15 digits
MSC/VLR 1 321 4567801
4

67. SS7
Spoof MSC
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
3
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
HLR stores
Subscriber-B IMSI 15 digits
MSC/VLR 1 321 4567801
4
We serve
Subscriber-B

68. SS7
Forward a call
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA 5
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
GatewayMSC knows
nothing

69. SS7
Forward a call
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
5
6
sendRoutingInfo
Where is
Subscriber-B MSISDN 0 123 4567802
=
Where is Subscriber-B located?

70. SS7
Forward a call
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA 5
6
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
7 provideSubscriberInfo
I am HLR.
My GT 0 123 4567800.
Provide location for the
Subscriber-B.

71. SS7
Forward a call
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA 5
6
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
7
8
provideSubscriberInfo
Subscriber-B is in the
Home network.

72. SS7
Forward a call
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA 5
6
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
GatewayMSC knows that
Subscriber-B is at home.
This information will be
sent to a billing platform.
7
8
8

73. SS7
Forward a call
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
5
9
sendRoutingInfo
Where is
Subscriber-B MSISDN 0 123 4567802
located =
What is MSRN for Subscriber-B?

74. SS7
Forward a call
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA 5
9
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
provideRoamingNumber
I am HLR.
My GT 0 123 4567800.
Provide MSRN for
Subscriber-B IMSI 15 digits.
10

75. SS7
Forward a call
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA 5
9
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
provideRoamingNumber
MSRN 53 12345678
10
11

76. SS7
Forward a call
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA 5
9
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
GatewayMSC knows
Subscriber-B
MSRN 53 12345678
10
11
11

77. SS7
Forward a call to…
Cuba
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA 5
9
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
GatewayMSC knows
Subscriber-B
MSRN 53 12345678
10
11
11
12

78. SS7
Forward a call to…
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA 5
9
provideRoamingNumber
MSRN 53 12345678
HLR stores
Subscriber-B
MSISDN 0 123 4567802
IMSI 15 digits
MSC/VLR 1 321 4567801
GatewayMSC knows
Subscriber-B
MSRN 53 12345678
10
11

79. Who pays?
ACall from to while at “home” = $ 0.05B
ACall from to = $ 1.00Cuba

80. Who pays?
ACall from to while at “home” = $ 0.05B
ACall from to = $ 1.00Cuba
$ 1.00 - $ 0.05 = $ 0.95 – Attacker profit

81. Call from to = $ 0.30
Who pays?
ACall from to while at “home” = $ 0.05B
ACall from to = $ 1.00Cuba
$ 1.00 - $ 0.05 = $ 0.95 – Attacker profit
How much Mobile operator loses? MNO Cuba

82. SMS Interception
1) Collect info
2) Spoof MSC
3) Receive incoming SMSs

83. SS7
Collect info
HLR
Attacker
B
MSC
VLR
Gateway
MSC
We know
B-Number 0 123 4567802
A
SMS-C

84. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
SRI4SM
We know
B-Number 0 123 4567802
Attacker
as SMSC
A
SRI4SMsendRoutingInfoForSM
I am SMSC.
My GT 1 321 4567801.
Where is
Subscriber-B MSISDN 0 123 4567802?
SMS-C

85. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
2
2
SRI4SM
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
Attacker
as SMSC
A
SRI4SMsendRoutingInfoForSM
I am SMSC.
My GT 1 321 4567801.
Where is
Subscriber-B MSISDN 0 123 4567802?
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
SMS-C

86. SS7
Spoof MSC
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
3
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
I serve Subscriber-B IMSI 15 digits.
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
SMS-C

87. SS7
Spoof MSC
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
3
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
HLR stores
Subscriber-B IMSI 15 digits
MSC/VLR 1 321 4567801
4
We serve
Subscriber-B
SMS-C

88. SS7
SMS interception
HLR
B
MSC
VLR
Gateway
MSC
5
Attacker
as MSC
A
SMS-C
5
“Hi, meet at 8pm at Baker
Street”

89. SS7
SMS interception
HLR
B
MSC
VLR
Gateway
MSC
5 6
Attacker
as MSC
A
sendRoutingInfoForSM
I am SMSC.
My GT 0 123 4567804.
Where is
Subscriber-B MSISDN 0 123 4567802?
SMS-C
5
“Hi, meet at 8pm at Baker
Street”

90. SS7
SMS interception
HLR
B
MSC
VLR
Gateway
MSC
7
5 6
Attacker
as MSC
A
sendRoutingInfoForSM
I am SMSC.
My GT 0 123 4567804.
Where is
Subscriber-B MSISDN 0 123 4567802?
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 1 321 4567801
Subscriber-B IMSI 15 digits
SMS-C
5
“Hi, meet at 8pm at Baker
Street”
HLR sends Attacker address
instead of real MSC!

91. SS7
SMS interception
HLR
B
MSC
VLR
Gateway
MSC
7
5 6
8
Attacker
as MSC
A
sendRoutingInfoForSM
I am SMSC.
My GT 0 123 4567804.
Where is
Subscriber-B MSISDN 0 123 4567802?
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 1 321 4567801
Subscriber-B IMSI 15 digits
SMS-C
5
“Hi, meet at 8pm at Baker
Street”
SMS-C routes this SMS to
the received address.

92. SS7
SMS interception
HLR
B
MSC
VLR
Gateway
MSC
7
5 6
8
Attacker
as MSC
A
sendRoutingInfoForSM
I am SMSC.
My GT 0 123 4567804.
Where is
Subscriber-B MSISDN 0 123 4567802?
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 1 321 4567801
Subscriber-B IMSI 15 digits
SMS-C
5
“Hi, meet at 8pm at Baker
Street”
SMS-C routes this SMS to
the received address.

93. SMS interception
1. SMS chats
2. One time passwords
3. Confirmation codes
4. Password recovery

94. Money Transfer
Using USSD
1) Collect info
2) Request account status
3) Transfer money

95. SS7
Collect info
HLR
Attacker
B
MSC
VLR
Gateway
MSC
We know
B-Number 0 123 4567802
A

96. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
SRI4SM
We know
B-Number 0 123 4567802
Attacker
as SMSC
A
SRI4SMsendRoutingInfoForSM
I am SMSC.
My GT 1 321 4567801.
Where is
Subscriber-B MSISDN 0 123 4567802?

97. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
2
2
SRI4SM
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
Attacker
as SMSC
A
SRI4SMsendRoutingInfoForSM
I am SMSC.
My GT 1 321 4567801.
Where is
Subscriber-B MSISDN 0 123 4567802?
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits

98. SS7
Send USSD 1
HLR
Attacker
as MSC/VLR
B
MSC
VLR
Gateway
MSCA
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
*100#3
processUnstructuredSS-Request
I am MSC/VLR.
Request how much money has
subscriber with IMSI 15 digits?

99. SS7
Send USSD 1
HLR
Attacker
as MSC/VLR
B
MSC
VLR
Gateway
MSCA
processUnstructuredSS-Request
I am MSC/VLR.
Request how much money has
subscriber with IMSI 15 digits?
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
Account info.
3
4
processUnstructuredSS-Request
Subscriber’s account is $$$$$.

100. SS7
Send USSD 1
HLR
Attacker
as MSC/VLR
B
MSC
VLR
Gateway
MSCA
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
Account info.
4
processUnstructuredSS-Request
Subscriber’s account is $$$$$.
processUnstructuredSS-Request
I am MSC/VLR.
Request how much money has
subscriber with IMSI 15 digits?
3

101. SS7
Send USSD 2
HLR
Attacker
as MSC/VLR
B
MSC
VLR
Gateway
MSCA
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
Account info.
*123*01238765400*100#
processUnstructuredSS-Request
I am MSC/VLR.
Transfer money from IMSI 15 digits to
my mobile account.
5

102. SS7
Send USSD 2
HLR
Attacker
as MSC/VLR
B
MSC
VLR
Gateway
MSCA
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
Account info.
6
processUnstructuredSS-Request
OK.
processUnstructuredSS-Request
I am MSC/VLR.
Transfer money from IMSI 15 digits to
my mobile account.
5

103. SS7
Send USSD 2
HLR
Attacker
as MSC/VLR
B
MSC
VLR
Gateway
MSCA
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
Real account info.
Subscriber B does not get
SMS notification if Attacker
combines this attack with
the previuos one.
6
processUnstructuredSS-Request
OK.
processUnstructuredSS-Request
I am MSC/VLR.
Transfer money from IMSI 15 digits to
my mobile account.
5

104. SS7
Send USSD 2
HLR
Attacker
as MSC/VLR
B
MSC
VLR
Gateway
MSCA
We know
HLR 0 123 4567800
Subscriber-B IMSI 15 digits
Real account info.
Subscriber B does not get
SMS notification if Attacker
combines this attack with
the previuos one.
6
processUnstructuredSS-Request
OK.
processUnstructuredSS-Request
I am MSC/VLR.
Transfer money from IMSI 15 digits to
my mobile account.
5

105. Subscriber Location Discovery
1) Collect info
2) Receive Cell ID
3) Get point on the map

106. SS7
Collect info
HLR
Attacker
B
MSC
VLR
Gateway
MSC
We know
B-Number 0 123 4567802
A

107. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
SRI4SM
We know
B-Number 0 123 4567802
Attacker
as SMSC
A
SRI4SMsendRoutingInfoForSM
I am SMSC.
My GT 1 321 4567801.
Where is
Subscriber-B MSISDN 0 123 4567802?

108. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
2
2
SRI4SM
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
Attacker
as SMSC
A
SRI4SMsendRoutingInfoForSM
I am SMSC.
My GT 1 321 4567801.
Where is
Subscriber-B MSISDN 0 123 4567802?
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits

109. SS7
Get Cell ID
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
3PSIprovideSubscriberInfo
I am HLR.
My GT 1 321 4567801.
Provide location for the
Subscriber-B.

110. SS7
Get Cell ID
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
Cell ID
3PRN
4 provideSubscriberInfo
Cell ID.
provideSubscriberInfo
I am HLR.
My GT 1 321 4567801.
Provide location for the
Subscriber-B.

111. SS7
Get Cell ID
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
Cell ID
3PRN
4 provideSubscriberInfo
Cell ID.
provideSubscriberInfo
I am HLR.
My GT 1 321 4567801.
Provide location for the
Subscriber-B.
MCC: 250
MNC: 90
LAC: 4A67
CID: 673D

112. SS7
Get location
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSC
We know
B-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-B IMSI 15 digits
Cell ID
5
MCC: 250
MNC: 90
LAC: 4A67
CID: 673D
Search in Internet physical
location by MCC, MNC, LAC, CID

113. Get location

114. Get location

115. Voice Call Interception
1) Collect info
2) Change subscriber profile
3) Add third party into mobile call

116. SS7
Collect info
HLR
Attacker
B
MSC
VLR
Gateway
MSC
We know
A-Number 0 123 4567802
A
Billing

117. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
SRI4SM
We know
A-Number 0 123 4567802
Attacker
as SMSC
A
SRI4SM
sendRoutingInfoForSM
I am SMSC.
My GT 1 321 4567801.
Where is
Subscriber-A MSISDN 0 123 4567802?
Billing

118. SS7
Collect info
HLR
B
MSC
VLR
Gateway
MSC
1
1
2
2
SRI4SM
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Attacker
as SMSC
A
SRI4SM
sendRoutingInfoForSM
I am HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Billing
sendRoutingInfoForSM
I am SMSC.
My GT 1 321 4567801.
Where is
Subscriber-A MSISDN 0 123 4567802?

119. SS7
Collect info
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
3
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
I serve Subscriber-A IMSI 15 digits.
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Billing

120. SS7
Collect info
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
3
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Billing
4
insertSubscriberData
Subscriber’s profile:
• Allowed/prohibited services
• Forwarding settings
• Billing platform address
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
I serve Subscriber-A IMSI 15 digits.

121. SS7
Collect info
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
3
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
Billing
4
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
I serve Subscriber-A IMSI 15 digits.
insertSubscriberData
Subscriber’s profile:
• Allowed/prohibited services
• Forwarding settings
• Address of billing platform

122. SS7
Collect info
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
5
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
Billing
updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
Subscriber-A IMSI 15 digits is served by
0 123 4567803
5

123. updateLocation
I am MSC/VLR.
My GT 1 321 4567801.
Subscriber-A IMSI 15 digits is served by
0 123 4567803
SS7
Collect info
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
5
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
Billing
5

124. SS7
Change profile
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
Billing
6
insertSubscriberData
I am HLR.
Change profile for Subscriber-A.
Billing GT 1 321 4567801.

125. SS7
Change profile
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
Billing
6
7
insertSubscriberData
OK.
insertSubscriberData
I am HLR.
Change profile for Subscriber-A.
Billing GT 1 321 4567801.

126. SS7
Change profile
HLR
Attacker
as HLR
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
Billing
6
7
insertSubscriberData
OK.
insertSubscriberData
I am HLR.
Change profile for Subscriber-A.
Billing GT 1 321 4567801.

127. SS7
Change profile
HLR
Attacker
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
Billing
6
7
insertSubscriberData
OK.
insertSubscriberData
I am HLR.
Change profile for Subscriber-A.
Billing GT 1 321 4567801.

128. SS7
Call interception
HLR
Attacker
as Billing
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
Billing
Subscriber A calls to
Subscriber B.
8

129. SS7
Call interception
HLR
Attacker
as Billing
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
Billing
9
9
HLR interrogation procedure:
• sendRoutingInfo
• provideSubscriberInfo
Subscriber A calls to
Subscriber B.
8

130. SS7
Call interception
HLR
Attacker
as Billing
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
Billing
InitialDP
Start billing .
Subscriber-A 0 123 4567802 calls to
Subscriber-B 0 123 4567805
10
Subscriber A calls to
Subscriber B.
8

131. SS7
Call interception
HLR
Attacker
as Billing
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
B-Number 0 123 4567805
Billing
InitialDP
Start billing .
Subscriber-A 0 123 4567802 calls to
Subscriber-B 0 123 4567805
10
Subscriber A calls to
Subscriber B.
8

132. SS7
Call interception
HLR
Attacker
as Billing
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
B-Number 0 123 4567805
Billing
Proceed billing.
ApplyCharging
RequestReportBCSMEvent
Connect
Reroute call to number
1 321 4567802
InitialDP
Start billing .
Subscriber-A 0 123 4567802 calls to
Subscriber-B 0 123 4567805
10
11
Subscriber A calls to
Subscriber B.
8

133. SS7
Call interception
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
B-Number 0 123 4567805
Billing
IAM
Continue call.
Subscriber-A 0 123 4567802 calls to
Subscriber-C 1 321 4567802
12
Subscriber A calls to
Subscriber B.
8

134. SS7
Call interception
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
B-Number 0 123 4567805
Billing
12
Subscriber A calls to
Subscriber B.
8
13
IAM
Continue call.
Subscriber-A 0 123 4567802 calls to
Subscriber-C 1 321 4567802

135. SS7
Call interception
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
B-Number 0 123 4567805
Billing
IAM
Initiate a new call
Subscriber-A 0 123 4567802 calls to
Subscriber-B 0 123 4567805
12
14
Subscriber A calls to
Subscriber B.
8
13
IAM
Continue call.
Subscriber-A 0 123 4567802 calls to
Subscriber-C 1 321 4567802

136. SS7
Call interception
HLR
Attacker
as MSC
B
MSC
VLR
Gateway
MSCA
We know
A-Number 0 123 4567802
HLR 0 123 4567800
MSC/VLR 0 123 4567803
Subscriber-A IMSI 15 digits
Subscriber-A profile
Billing 0 123 4567808
B-Number 0 123 4567805
Billing
IAM
Initiate a new call
Subscriber-A 0 123 4567802 calls to
Subscriber-B 0 123 4567805
12
14
8
13
15
Subscriber A calls to
Subscriber B.
IAM
Continue call.
Subscriber-A 0 123 4567802 calls to
Subscriber-C 1 321 4567802

138. Conclusion
SS7 rules
Just the tip of the iceberg

139. The End.
Sergey Puzankov
Dmitry Kurbatov
spuzankov@ptsecurity.com
dkurbatov@ptsecurity.com
Questions?