Sergey Puzankov
Mobile operators vs. Hackers: new security measures for new bypassing techniques
ptsecurity.com
SS7 in the 20th century
[Diagram: PSTN signaling network built from SSP, STP and SCP nodes]
SS7 – Signaling System #7, a set of telephony protocols used to set up and tear down telephone calls, send and receive SMS, provide subscriber mobility, and support other services
SS7 nowadays
SIGTRAN – Signaling Transport, an extension of the SS7 protocol family that uses IP as a transport
Why SS7 is not secure
[Diagram: STPs linked by SS7 and SIGTRAN, with an IWF/DEA towards Diameter (LTE)]
Mass media highlights the SS7 security problem
Governments and global organizations' concern on SS7 security
Mobile operators and SS7 security
SMS Home Routing
Security monitoring
Security assessment
SS7 firewall
Security configuration
Research and publications
2014 – Signaling System 7 (SS7) security report
2014 – Vulnerabilities of mobile Internet (GPRS)
2016 – Primary security threats for SS7 cellular networks
2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities)
2017 – Threats to packet core security of 4G network
2018 – SS7 vulnerabilities and attack exposure report
Network vulnerability statistics: SMS Home Routing
Routing systems have been bypassed
Some threats are more likely to be exploitable in networks with SMS Home Routing installed than in networks without protection
Network vulnerability statistics: SS7 firewall
Penetration level of SS7 firewalls on mobile networks:
2015 — 0%
2016 — 7%
2017 — 33%
A filtering system alone cannot protect the network thoroughly
Basic nodes and identifiers
HLR — Home Location Register
MSC/VLR — Mobile Switching Center together with Visited Location Register
SMS-C — SMS Center
MSISDN — Mobile Subscriber Integrated Services Digital Number
IMSI — International Mobile Subscriber Identity
STP — Signaling Transfer Point
GT — Global Title, address of a core node element
SS7 messages for IMSI retrieval
SendRoutingInfo
SendIMSI
SendRoutingInfoForLCS
SendRoutingInfoForSM
Should be blocked on the border
May be blocked on the HLR – SMS Home Routing as a protection tool
SMS Delivery with no SMS Home Routing in place
[Diagram: SMS-C, STP, HLR, MSC]
SRI4SM — SendRoutingInfoForSM
SRI4SM abuse by a malefactor
[Diagram: STP, HLR, MSC]
SMS Home Routing
[Diagram: SMS-C, SMS Router, STP, HLR, MSC]
SMS Home Routing against malefactors
[Diagram: SMS Router, STP, HLR, MSC]
Numbering plans
E.164, MSISDN and GT: 33 854 1231237 (Country Code 33, Network Destination Code 854)
E.212, IMSI: 208 80 4564567894 (Mobile Country Code 208, Mobile Network Code 80)
E.214, Mobile GT: 33 854 4564567894 (Country Code 33, Network Destination Code 854)
[Diagram labels: Operator, HLR, Rule of GT Translation]
STP routing table
STP Routing Table: … Numbering Plan = E.214 … OpCode = SRI4SM …
E.214 Global Title Translation Table: MCC + MNC + 00xxxxxxxx, MCC + MNC + 20xxxxxxxx
[Diagram: SS7 Message, STP, HLR 1, HLR 2, SMS Router]
SendRoutingInfoForSM message: Called Party Address = MSISDN
SMS Home Routing bypass attack
[Diagram: STP with its routing table and E.214 Global Title Translation Table, HLR 1, HLR 2, SMS Router]
The malefactor needs to guess any IMSI from an HLR serving the target subscriber.
The SMS Router is left aside.
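The routing decision behind this bypass can be modelled as an ordered rule table. The following Python model is an added example, not part of the original slides: it compares a table that matches the numbering plan first with one that matches the SRI4SM operation code first, and audits both. The first-match rule order, the node names, the GTT digit ranges, the constructed IMSI and the corrected table are assumptions.

```python
# Added illustration: a toy first-match STP routing table. Rule order, node
# names and digit ranges are assumptions, not a real operator configuration.
SRI4SM, UPDATE_LOCATION = 45, 2          # MAP operation codes

# E.212 -> E.214 conversion from the numbering-plan slide:
# MCC 208 -> CC 33, MNC 80 -> NDC 854, MSIN kept unchanged.
MCC_MNC_TO_CC_NDC = {("208", "80"): ("33", "854")}

def imsi_to_mgt(imsi, mnc_len=2):
    """Build the E.214 Mobile GT that addresses the HLR owning an IMSI."""
    mcc, mnc, msin = imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]
    cc, ndc = MCC_MNC_TO_CC_NDC[(mcc, mnc)]
    return cc + ndc + msin

# E.214 GTT keyed on translated digits (assumed); ranges 00... and 20...
E214_GTT = {"3385400": "HLR 1", "3385420": "HLR 2"}

def gtt_e214(digits):
    for prefix, node in E214_GTT.items():
        if digits.startswith(prefix):
            return node
    return "DROP"

def to_sms_router(digits):
    return "SMS Router"

# Rule = (numbering plan or None, opcode or None, action); first match wins.
WEAK = [("E.214", None, gtt_e214),       # E.214 traffic goes straight to GTT
        (None, SRI4SM, to_sms_router)]
FIXED = [(None, SRI4SM, to_sms_router),  # opcode checked before numbering plan
         ("E.214", None, gtt_e214)]

def route(rules, numbering_plan, opcode, digits):
    for plan, op, action in rules:
        if plan in (None, numbering_plan) and op in (None, opcode):
            return action(digits)
    return "DROP"

# Constructed probes: the slide's MSISDN, and an IMSI in the assumed 00 range.
PROBES = [("E.164", "338541231237"),
          ("E.214", imsi_to_mgt("208800012345678"))]

def audit(rules, probes=PROBES):
    """Numbering plans under which SRI4SM does not land on the SMS Router."""
    return [plan for plan, digits in probes
            if route(rules, plan, SRI4SM, digits) != "SMS Router"]
```

Running audit(WEAK) reports the E.214 path, while audit(FIXED) is empty and other E.214-addressed operations such as UpdateLocation still reach the HLR.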
SMS Home Routing definition
[Diagram: STP, HLR, SMS Router]
Different IMSIs mean the SMS Home Routing procedure is involved
TCAP Protocol
TCAP Message
Message Type: Begin, Continue, End, Abort
Transaction IDs: Source and/or Destination IDs
Dialogue Portion: Application Context Name (ACN), ACN Version
Component Portion: Operation Code, Payload
Application Context Name corresponds to a respective Operation Code
TCAP – Transaction Capabilities Application Part
Application Context Name
Application Context Name change
SMS Home Routing bypass with malformed ACN
[Diagram: STP, SMS Router, HLR; the messages carry a malformed ACN]
SMS Router is aside
Equal IMSIs mean the SMS Home Routing solution is absent
SS7 firewall typical deployment scheme
[Diagram: STP, SS7 firewall, HLR; a message arrives at the STP]
The message is blocked
SRI – SendRoutingInfo
Application Context Name change
SS7 firewall bypass with malformed ACN
[Diagram: STP, SS7 firewall, HLR]
1. SRI Request: MSISDN, malformed ACN
SS7 firewall is aside
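In both malformed-ACN slides the filtering node (SMS Router or SS7 firewall) is left aside once the ACN no longer corresponds to the Operation Code. The following Python check is an added example, not code from the slides or from any firewall product: it picks the action from the Operation Code alone and uses the ACN only to raise an alert. The policy table, the verdict strings and the message layout are assumptions.

```python
# Added illustration: the filtering decision is keyed on the MAP operation
# code, and the ACN is only cross-checked. Opcode and application-context
# numbers follow 3GPP TS 29.002; the policy and messages are constructed.
MAP_AC_PREFIX = (0, 4, 0, 0, 1, 0)       # OID arc of MAP application contexts

# opcode -> (operation, application-context number expected with it)
EXPECTED_AC = {
    22: ("SendRoutingInfo", 5),          # locationInfoRetrievalContext
    45: ("SendRoutingInfoForSM", 20),    # shortMsgGatewayContext
    58: ("SendIMSI", 26),                # imsiRetrievalContext
    85: ("SendRoutingInfoForLCS", 37),   # locationSvcGatewayContext
}

# Assumed border policy for messages arriving from external networks.
BORDER_POLICY = {22: "block", 58: "block", 85: "block", 45: "to-sms-router"}

def check_acn(opcode, acn):
    """Return None when the ACN fits the opcode, else a reason to alert on."""
    if acn is None:
        return "acn-absent"
    if len(acn) != 8 or tuple(acn[:6]) != MAP_AC_PREFIX:
        return "acn-not-a-map-context"
    if acn[6] != EXPECTED_AC[opcode][1]:
        return "acn-opcode-mismatch"
    if not 1 <= acn[7] <= 3:             # simplification: accept v1..v3
        return "acn-bad-version"
    return None

def decide(msg):
    """Return (action, alert). A bad ACN never relaxes the action."""
    opcode = msg["opcode"]
    if opcode not in BORDER_POLICY:
        return "pass", None              # outside this example's scope
    return BORDER_POLICY[opcode], check_acn(opcode, msg.get("acn"))
```

The alert string is what a monitoring system would log alongside the originating GT; the action stays the same whether or not the ACN is well formed.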
Positioning attack idea
How we discovered
Recreating the position refinement attack
[Diagram: MSC/VLR and two cells, CID 0DFB and CID 0191]
1. ProvideSubscriberInfo: CID 0DFB
2. UnstructuredSS-Notify
3. Paging, Paging Response, . . . , returnError
4. ProvideSubscriberInfo: CID 0191
On the map
Main problems in SS7 security
Things to remember
is secure. About 67% of SMS Home Routing solutions in tested networks were bypassed.
practice to discover a lot of vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them.
monitoring allows a mobile operator to know which vulnerabilities are exploited and they are able to protect the network.
Sergey Puzankov spuzankov@ptsecurity.com