mobile operators vs hackers
play

Mobile operators vs. Hackers: new security measures for new - PowerPoint PPT Presentation

May 06, 2023 •319 likes •937 views

Sergey Puzankov Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com SS7 in the 20 th century SCP STP STP SSP SCP STP STP PSTN SSP SSP SS7 Signaling System #7, a set of telephony protocols

  1. Sergey Puzankov Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com

  2. SS7 in the 20 th century SCP STP STP SSP SCP STP STP PSTN SSP SSP SS7 – Signaling System #7, a set of telephony protocols , which is used to set up and tear down telephone calls, send and receive SMS, provide subscriber mobility, and other service

  3. SS7 nowadays SIGTRAN – Signaling Transport, an extension of the SS7 protocol family that uses IP as a transport

  4. Why SS7 is not secure LTE SIGTRAN SIGTRAN Diameter STP IWF/DEA SIGTRAN SS7 STP STP

  5. Mass media highlights the SS7 security problem

  6. Governments and global organizations' concern on SS7 security

  7. Mobile operators and SS7 security SMS Home Routing Security configuration Security assessment Security monitoring SS7 firewall

  8. Research and publications 2014 – Signaling System 7 (SS7) security report 2014 – Vulnerabilities of mobile Internet (GPRS) 2016 – Primary security threats for SS7 cellular networks 2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities) 2017 – Threats to packet core security of 4G network 2018 – SS7 vulnerabilities and attack exposure report

  9. Network vulnerability statistics: SMS Home Routing Possibility of exploitation of some threats in networks with SMS Home Routing installed is greater than in networks without protection 67% of installed SMS Home Routing systems have been bypassed

  10. Network vulnerability statistics: SS7 firewall Penetration level of SS7 firewalls on mobile networks: 2015 — 0% 2016 — 7% 2017 — 33% Filtering system alone cannot protect the network thoroughly

  11. Basic nodes and identifiers MSISDN — Mobile Subscriber HLR — Home Location Register Integrated Services Digital Number GT — Global Title, address of a core node element MSC/VLR — Mobile Switching Center alongside with Visited IMSI — International Mobile Location Register Subscriber Identity STP — Signaling Transfer Point SMS-C — SMS Center

  12. SS7 messages for IMSI retrieving SendRoutingInfo Should be blocked on the border SendIMSI May be blocked on the HLR SendRoutingInfoForLCS – SMS Home Routing as a protection tool SendRoutingInfoForSM

  13. SMS Home Routing bypass No. 1

  14. SMS Delivery with no SMS Home Routing in place SRI4SM — SendRoutingInfoForSM HLR 1. SRI4SM Request 1. SRI4SM Request SMS-C STP • MSISDN • MSISDN 2. SRI4SM Response 2. SRI4SM Response • IMSI • IMSI • MSC Address • MSC Address 3. MT-SMS 3. MT-SMS MSC • IMSI • IMSI • SMS Text • SMS Text

  15. SRI4SM abuse by a malefactor HLR 1. SRI4SM Request 1. SRI4SM Request STP • MSISDN • MSISDN 2. SRI4SM Response 2. SRI4SM Response • IMSI • IMSI • MSC Address • MSC Address MSC

  16. SMS Home Routing HLR 1. SRI4SM Request 4. SRI4SM Request 1. SRI4SM Request SMS Router SMS-C STP • MSISDN • MSISDN • MSISDN 2. SRI4SM Response 5. SRI4SM Response 2. SRI4SM Response • Fake IMSI • Fake IMSI • Real IMSI • SMS-R Address • MSC Address • SMS-R Address 3. MT-SMS 3. MT-SMS 6. MT-SMS MSC • Fake IMSI • Fake IMSI • Real IMSI • SMS Text • SMS Text • SMS Text

  17. SMS Home Routing against malefactors HLR 1. SRI4SM Request 1. SRI4SM Request SMS Router STP • MSISDN • MSISDN 2. SRI4SM Response 2. SRI4SM Response • Fake IMSI • Fake IMSI • SMS-R Address • SMS-R Address MSC

  18. Numbering plans E.164 MSISDN and GT 33 854 1231237 Country Code Network Destination Code E.212 IMSI 208 80 4564567894 Mobile Country Code Mobile Network Code E.214 Mobile GT 33 854 4564567894 Rule of GT Translation Operator HLR

  19. STP routing table STP HLR 1 SS7 Message STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … HLR 2 SMS Router

  20. STP routing table STP HLR 1 SS7 Message STP Routing Table … E.214 Global Title Numbering Plan = E.214 Translation Table … MCC + MNC + 00xxxxxxxx MCC + MNC + 20xxxxxxxx OpCode = SRI4SM … HLR 2 SMS Router

  21. STP routing table STP HLR 1 SS7 Message STP Routing Table … E.214 Global Title Numbering Plan = E.214 Translation Table … MCC + MNC + 00xxxxxxxx MCC + MNC + 20xxxxxxxx OpCode = SRI4SM … HLR 2 SMS Router

  22. STP routing table STP HLR 1 SS7 Message STP Routing Table … E.214 Global Title Numbering Plan = E.214 Translation Table … MCC + MNC + 00xxxxxxxx MCC + MNC + 20xxxxxxxx OpCode = SRI4SM … HLR 2 SMS Router

  23. SendRoutingInfoForSM message Called Party Address = MSISDN

  24. SMS Home Routing bypass attack STP HLR 1 STP Routing Table 1. SRI4SM Request … • E.214 / Random IMSI E.214 Global Title • MSISDN Numbering Plan = E.214 Translation Table … MCC + MNC + 00xxxxxxxx 2. SRI4SM Request MCC + MNC + 20xxxxxxxx OpCode = SRI4SM • E.214 / Random IMSI • MSISDN … 3. SRI4SM Response HLR 2 • IMSI • MSC address SMS Router The malefactor needs to guess any IMSI from a HLR serving the target subscriber SMS Router is aside

  25. SMS Home Routing bypass No. 2

  26. SMS Home Routing definition STP HLR 1. SRI4SM Request: MSISDN SMS Router

  27. SMS Home Routing definition STP HLR 1. SRI4SM Request: MSISDN 1. SRI4SM Request: MSISDN SMS Router

  28. SMS Home Routing definition STP HLR 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN SMS Router 3. SRI4SM Response: Fake IMSI, SMS-R address

  29. SMS Home Routing definition STP HLR 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN SMS Router 3. SRI4SM Response: Fake IMSI, SMS-R address Different IMSIs mean SMS Home Routing procedure is involved

  30. TCAP Protocol TCAP – Transaction Capabilities Application Part TCAP Message Type Begin, Continue, End, Abort Transaction IDs Source and/or Designation IDs Dialogue Portion Application Context Name (ACN) ACN Version Component Portion Operation Code Payload Application Context Name corresponds to a respective Operation Code

  31. Application Context Name

  32. Application Context Name change

  33. SMS Home Routing bypass with malformed ACN 1. SRI4SM Request: MSISDN 1. SRI4SM Request: MSISDN STP HLR Malformed ACN Malformed ACN SMS Router Malformed ACN

  34. SMS Home Routing bypass with malformed ACN 1. SRI4SM Request: MSISDN 1. SRI4SM Request: MSISDN STP HLR Malformed ACN Malformed ACN 2. SRI4SM Response: IMSI, MSC 2. SRI4SM Response: IMSI, MSC SMS Router SMS Router is aside

  35. SMS Home Routing bypass with malformed ACN 1. SRI4SM Request: MSISDN 1. SRI4SM Request: MSISDN STP HLR Malformed ACN Malformed ACN 2. SRI4SM Response: IMSI, MSC 2. SRI4SM Response: IMSI, MSC SMS Router Equal IMSIs means the SMS Home Routing solution is absent or not involved

  36. SS7 firewall bypass

  37. SS7 firewall typical deployment scheme STP HLR 1. SS7 message 3. SS7 message 2. SS7 message SS7 firewall

  38. SS7 firewall typical deployment scheme SRI – SendRoutingInfo STP HLR 1. SRI Request: MSISDN 2. SRI Request: MSISDN SS7 firewall The message is blocked

  39. Application Context Name change

  40. SS7 firewall bypass with malformed ACN STP HLR 2. SRI Request: MSISDN 1. SRI Request: MSISDN Malformed ACN Malformed ACN SS7 firewall Malformed ACN

  41. SS7 firewall bypass with malformed ACN STP HLR 2. SRI Request: MSISDN 1. SRI Request: MSISDN Malformed ACN Malformed ACN 3. SRI Response: IMSI, … 3. SRI Response: IMSI, … SS7 firewall SS7 firewall is aside

  42. Positioning enhancement

  43. Positioning attack idea

  44. Positioning attack idea

  45. Positioning attack idea

  46. How we discovered

  47. How we discovered

  48. Recreating the position refinement attack MSC/VLR

  49. Recreating the position refinement attack CID 0DFB ProvideSubscriberInfo MSC/VLR 1 CID: 0DFB

  50. Recreating the position refinement attack CID 0DFB ProvideSubscriberInfo MSC/VLR 1 CID: 0DFB UnstructuredSS-Notify 2

  51. Recreating the position refinement attack CID 0DFB 3 ProvideSubscriberInfo MSC/VLR 1 Paging CID: 0DFB UnstructuredSS-Notify 2

  52. Recreating the position refinement attack CID 0DFB 3 ProvideSubscriberInfo MSC/VLR 1 Paging CID: 0DFB UnstructuredSS-Notify 2

  53. Recreating the position refinement attack CID 0191 CID 0DFB 3 ProvideSubscriberInfo MSC/VLR 1 Paging CID: 0DFB Paging UnstructuredSS-Notify Response 2

  54. Recreating the position refinement attack CID 0191 CID 0DFB 3 ProvideSubscriberInfo MSC/VLR 1 Paging CID: 0DFB Paging UnstructuredSS-Notify Response 2 . . . returnError

  55. Recreating the position refinement attack CID 0191 CID 0DFB 3 ProvideSubscriberInfo MSC/VLR 1 Paging CID: 0DFB Paging UnstructuredSS-Notify Response 2 . . . returnError returnError

  56. Recreating the position refinement attack CID 0191 CID 0DFB 3 ProvideSubscriberInfo MSC/VLR 1 Paging CID: 0DFB Paging UnstructuredSS-Notify Response 2 . . . returnError returnError ProvideSubscriberInfo 4 CID: 0191

  57. On the map

  58. Main problems in SS7 security SS7 architecture flaws Configuration mistakes Software bugs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit Hackers takes advantage of vulnerability or flaw of users web browser on mobile device in WiFi communication to attack victims. Hackers send

464 views • 30 slides
Mobile Network Sharing Between Operators: Between Operators A Demand Trace-Driven Study Di

Mobile Network Sharing Between Operators: Between Operators A Demand Trace-Driven Study Di

Mobile Network Sharing Mobile Network Sharing Between Operators: Between Operators A Demand Trace-Driven Study Di Francesco et al. Outline Paolo Di Francesco, Francesco Malandrino, Luiz DaSilva Introduction Data Available Data Trinity

396 views • 14 slides
SDN-based Mobile Networking for Cellular Operators Seil Jeon,

SDN-based Mobile Networking for Cellular Operators Seil Jeon,

SDN-based Mobile Networking for Cellular Operators Seil Jeon, Carlos Guimaraes, Rui L. Aguiar Background The data explosion currently were facing with has a

760 views • 35 slides
dyne.org hackers network Denis J. Roio GNU hackers meeting, Den Haag July 2010 Denis J. Roio

dyne.org hackers network Denis J. Roio GNU hackers meeting, Den Haag July 2010 Denis J. Roio

dyne.org hackers network Denis J. Roio GNU hackers meeting, Den Haag July 2010 Denis J. Roio (2010) dyne.org hackers network July 2010 1 / 14 Dyne.org hackers network Free Software Movement Started in 1984 by Richard Stallman, with help

455 views • 14 slides
IMPORTANCE OF QOE TO OPERATORS AND CONSUMERS 26 NOVEMBER 2018 ITU-T SG12 WORKSHOP ON

IMPORTANCE OF QOE TO OPERATORS AND CONSUMERS 26 NOVEMBER 2018 ITU-T SG12 WORKSHOP ON

IMPORTANCE OF QOE TO OPERATORS AND CONSUMERS 26 NOVEMBER 2018 ITU-T SG12 WORKSHOP ON TELECOMMUNICATION SERVICE REGULATORY FRAMEWORKS AND EXPERIENCE-DRIVEN NETWORKING MOBILE CONNECTIVITY LANDSCAPE IN SINGAPORE Four Mobile Network

268 views • 9 slides
its impact on mobile virtual network operators Athanasios Lioumpas, Ph.D. C y t a H e l l a s ,

its impact on mobile virtual network operators Athanasios Lioumpas, Ph.D. C y t a H e l l a s ,

Network slicing: A key technology for 5G and its impact on mobile virtual network operators Athanasios Lioumpas, Ph.D. C y t a H e l l a s , R & D d e p a r t m e n t T h e s s a l o n i k i , G r e e c e 2 0 1 7 contents mobile

323 views • 29 slides
More Self-study Operators Unary operators, sizeof, boolean operators, comma, and operators

More Self-study Operators Unary operators, sizeof, boolean operators, comma, and operators

More Self-study Operators Unary operators, sizeof, boolean operators, comma, and operators precedence... Constant value, enumerated types Control constructs selection: if/else, switch loop: while, do/while, for...

439 views • 31 slides
Applications of the Reverse Engineering Language REIL Hackers to Hackers Conference 2009, So

Applications of the Reverse Engineering Language REIL Hackers to Hackers Conference 2009, So

Applications of the Reverse Engineering Language REIL Hackers to Hackers Conference 2009, So Paulo Sebastian Porst zynamics GmbH (sebastian.porst@zynamics.com) Talk Overview Necessity of new RE methods Solutions we developed

762 views • 39 slides
VHDL VHDL - Flaxer Eli Ch 5 - 1 Operators and Attributes Outline Logical Operators

VHDL VHDL - Flaxer Eli Ch 5 - 1 Operators and Attributes Outline Logical Operators

Chapter 5 Operators and Attributes VHDL VHDL - Flaxer Eli Ch 5 - 1 Operators and Attributes Outline Logical Operators Relational Operators Shift Operators Adding Operators Multiplying Operators Miscellaneous Operators

232 views • 6 slides
Assignment and Arithmetic Operators http://cs.mst.edu What are operators? Operators allow us

Assignment and Arithmetic Operators http://cs.mst.edu What are operators? Operators allow us

Assignment and Arithmetic Operators http://cs.mst.edu What are operators? Operators allow us to modify and manipulate information. They are symbols that represent a commonly used operation, such as addition 2 + 2 http://cs.mst.edu

365 views • 17 slides
Jay Ferron The Hackers CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, MCT, NSA-IAM Tool Kit

Jay Ferron The Hackers CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, MCT, NSA-IAM Tool Kit

3/4/2020 Jay Ferron The Hackers CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, MCT, NSA-IAM Tool Kit jferron@interactivesecuritytraining.com blog.mir.net 1 Nation States China North Korea Who are the hackers Russia Iraq 2

150 views • 11 slides
Operators Swisscom (Schweiz) AG Furer Christoph 19.10.2018 C1 - Public Is QoE important for

Operators Swisscom (Schweiz) AG Furer Christoph 19.10.2018 C1 - Public Is QoE important for

Importance of QoE for Swiss Mobile Network Operators Swisscom (Schweiz) AG Furer Christoph 19.10.2018 C1 - Public Is QoE important for network operators? 2 19.10.18 "Now, in the 2017/2018 season, it are even two Swiss operators

65 views • 6 slides
GSMA Uniting Mobile Operators Worldwide M4D Utilities Programme Overview Problem Mission In

GSMA Uniting Mobile Operators Worldwide M4D Utilities Programme Overview Problem Mission In

GSMA Uniting Mobile Operators Worldwide M4D Utilities Programme Overview Problem Mission In emerging markets, close to 1 billion people live To unlock commercially sustainable business without electricity, 2.1 billion people lack access

1.73k views • 16 slides
Firefox OS Open source mobile OS (Apache 2.0) 14 operators / 28+ countries Built by

Firefox OS Open source mobile OS (Apache 2.0) 14 operators / 28+ countries Built by

Sam Foster sfoster@mozilla.com samfosteriam sfoster Firefox OS Open source mobile OS (Apache 2.0) 14 operators / 28+ countries Built by Mozilla + partners + contributors Why Firefox OS? Web under threat from parallel

453 views • 13 slides
Overloading operators Why overload operators? (==, =, <, >>, +=, ) notational

Overloading operators Why overload operators? (==, =, <, >>, +=, ) notational

Overloading operators Why overload operators? (==, =, <, >>, +=, ) notational convenience match user expectations because we can (except :: and . and .*) Remember, overloaded operators are just function calls

483 views • 7 slides
More Self-study Operators Unary operators, sizeof, boolean

More Self-study Operators Unary operators, sizeof, boolean

More Self-study Operators Unary operators, sizeof, boolean operators, comma, and operators precedence... Constant value, enumerated types Control

823 views • 31 slides
CSE 543 - Computer Security (Fall 2006) Lecture 25 - Cellular Network Security Guest Lecturer:

CSE 543 - Computer Security (Fall 2006) Lecture 25 - Cellular Network Security Guest Lecturer:

CSE 543 - Computer Security (Fall 2006) Lecture 25 - Cellular Network Security Guest Lecturer: William Enck November 30, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06 CSE 543 Computer (and Network) Security - Fall 2006 - Professor

677 views • 21 slides
Ein Blick ins Aquarium Was gibt's Neues in Bean Validation 1.1 and CDI 1.1? Hardy Ferentschik

Ein Blick ins Aquarium Was gibt's Neues in Bean Validation 1.1 and CDI 1.1? Hardy Ferentschik

Ein Blick ins Aquarium Was gibt's Neues in Bean Validation 1.1 and CDI 1.1? Hardy Ferentschik Red Hat About me Hardy Ferentschik - hardy@hibernate.org Hibernate team member for 5 years Focus on Validator and Search Validator

743 views • 41 slides
Introduction to Swedish Civil Contingencies Agency (MSB) methodological support for introducing

Introduction to Swedish Civil Contingencies Agency (MSB) methodological support for introducing

Methodilogical support Prepare Analyze Assignments References Introduction to Swedish Civil Contingencies Agency (MSB) methodological support for introducing Information Security Management Systems (ISMS). Carina Bengtsson, Daniel Bosk and

1.19k views • 73 slides
Procurement and State aid update Patrick Halliday 30 November 2016 Procurement & State aid

Procurement and State aid update Patrick Halliday 30 November 2016 Procurement & State aid

Procurement and State aid update Patrick Halliday 30 November 2016 Procurement & State aid smorgasbord 1. Abnormally low tenders: FP McCann 2. Disclosure of marking method: TNS Dimarso 3. Marking challenges: Energysolutions v NDA 4.

196 views • 7 slides
1 27/02/2020 2 Cellular Connectivity Anywhere In The World (2G, 3G, 4G, LTE-M, soon NB-IoT)

1 27/02/2020 2 Cellular Connectivity Anywhere In The World (2G, 3G, 4G, LTE-M, soon NB-IoT)

1 27/02/2020 2 Cellular Connectivity Anywhere In The World (2G, 3G, 4G, LTE-M, soon NB-IoT) 180+ countries 540+ networks We are where you are In the Cloud Intra-Cloud Peering Connectivity Meta- Global Reliable and Secure for Device Data

196 views • 18 slides
Systematic Mapping Studies Marcel Heinz 23. Juli 2014 Marcel Heinz Systematic Mapping Studies

Systematic Mapping Studies Marcel Heinz 23. Juli 2014 Marcel Heinz Systematic Mapping Studies

Systematic Mapping Studies Marcel Heinz 23. Juli 2014 Marcel Heinz Systematic Mapping Studies 23. Juli 2014 1 / 44 Presentation Overview Motivation 1 Systematic Mapping Studies 2 Comparison to Systematic Reviews 3 Guidelines 4 Marcel

931 views • 44 slides
CS378 - Mobile Computing Services and Broadcast Receivers Services One of the four primary

CS378 - Mobile Computing Services and Broadcast Receivers Services One of the four primary

CS378 - Mobile Computing Services and Broadcast Receivers Services One of the four primary application components: activities content providers services broadcast receivers 2 Services Application component that performs

595 views • 35 slides
Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki

Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki

Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki Computer Science Dept. Worcester Polytechnic Institute (WPI) 1 Introduction Mobile Malware is fairly recent July 2004 Cabir virus came out on

487 views • 24 slides

More recommend