
Hacking Mobile Network Via SS7: Interception, Shadowing and More

This document summarizes security issues with SS7, the signaling system used for routing calls and SMS messages between mobile networks. It outlines how attackers can exploit SS7 to track user locations, intercept calls and SMS, and conduct denial of service attacks. The document discusses how attackers can query the home location register to get a target's IMSI and location details. It also explains how attackers can register as the fake mobile switching center to intercept SMS messages intended for a target. The document notes that securing SS7 is difficult as vulnerabilities allow unauthorized access via compromised border devices or corrupt insiders who can be found in the underground market.

Uploaded by

sachin177

Hacking mobile network via SS7: interception, shadowing and more


Dmitry Kurbatov
Vladimir Kropotov
Positive Research

Agenda

Intro
Attacks prerequisites, costs and case studies
Official and underground market brief
Possible Security measures
Forecasts

In Service LTE Networks

VoLTE Networks

http://ltemaps.org/

Most of the world performs HANGDOVER
LTE only for web browsing
To make a call, the subscriber is downgraded to 3G (handover)

Interconnect / roaming
[Diagram: 2G/3G and 3G/4G networks; interconnects labelled SS7, GRX, IPX; links labelled E1, IP]

Kind of IPv4 vs IPv6 dilemma

SS7 is still the most used interconnect/roaming network
Mobility
Call control
Billing
Crypto

[Diagram: SS7 network elements: subscriber A, MSC/VLR, SMS-C, Gateway MSC, Billing, HLR]

2014 - year of SS7 security issues

Hackito Ergo Sum 2014: Locating mobile phones
Positive Hack Days IV: How to Intercept a Conversation Held on the Other Side of the Planet
Washington Post: Secretly track cellphones
31C3: SS7: Locate. Track. Manipulate; Mobile self-defense

SS7 for (bad) guys


Tracking
Locating mobile phones and secretly tracking

Denial of Service
Disrupt subscriber connectivity and service availability

Interception
Listen to calls, intercept short messages

Threats to Operator
Threats to IoT

Basic Terms

IMSI ~ SIM Card
IMEI ~ Device
MSISDN ~ Your Number
HLR ~ Subscriber DB
MSC ~ Call Processing

Tracking

Common Step 0 for Any Attack

[Diagram: node labelled "I am SMSC", SMS-C, MSC, HLR, Bob]

1. Attacker sends request SendRoutingInfoForSM, addressing MAP message by MSISDN
2. HLR replies with:
   own address
   serving MSC address
   IMSI

Get Cell ID

[Diagram: node labelled "I am SMSC", SMS-C, MSC, HLR, Bob]

1. Attacker sends request provideSubscriberInfo, addressing MAP message by IMSI and asking for subscriber location
2. MSC replies with Cell ID:
   MCC - 250
   MNC - 90
   LAC 4A67
   CID 673D

Get Location

Search the Internet for the physical location by MCC, MNC, LAC, CID

MCC: 250
MNC: 90
LAC: 4A67
CID: 673D

and Track User Just Like SkyLock

http://s3.documentcloud.org/documents/1275167/skylock-product-description-2013.pdf

Underground market demands

Tracking subscriber using the phone number

Yep, Even in 2010

Tracking

Nobody wants to be constantly monitored.
Tracking is a violation of personal data protection laws.

Very hard to stop:
AnyTimeInterrogation
ProvideSubscriberInfo
ProvideSubscriberLocation

DoS

To make someone unavailable
To stop data leakage
What else?

Common Step 0 for Any Attack

[Diagram: Fake MSC, SMS-C, MSC, HLR, Bob]

1. Attacker sends request SendRoutingInfoForSM, addressing MAP message by MSISDN
2. HLR replies with:
   own address
   serving MSC address
   IMSI

Denial of Service. Step 1

[Diagram: Fake MSC, SMS-C, MSC, HLR, Bob]

1. Attacker registers Bob on the fake MSC
2. HLR sets up new location for Bob
3. HLR asks the real MSC to release memory
Denial of Service. Step 2

[Diagram: Fake MSC, SMS-C, Alex, MSC, HLR, Bob]

1. Alex calls Bob
2. MSC is looking for Bob and asks HLR to provide information
3. HLR asks fake MSC to provide Roaming Number

demo

Interception

How to Intercept SMS

A virus on a smartphone? And what if a certain subscriber is the target? How to infect him in particular?
Reissue SIM? It works only once.
Radio signal interception (GSM A5/1)? You need to be nearby.
Via SS7 network

A Cheap Way For Tapping


10$ + OpenSource

(f)or

$$7

Common Step 0 for Any Attack

[Diagram: Fake MSC, SMS-C, MSC, HLR, Bob]

1. Attacker sends request SendRoutingInfoForSM, addressing MAP message by MSISDN
2. HLR replies with:
   own address
   serving MSC address
   IMSI

SMS Interception. Step 1

[Diagram: Fake MSC, SMS-C, MSC, HLR, Bob]

1. Attacker registers Bob on the fake MSC
2. HLR sets up new location for Bob
3. HLR asks the real MSC to release memory

SMS Interception. Step 2

[Diagram: Fake MSC, SMS-C, Alex, MSC, HLR, Bob]

1. Alex sends SMS to Bob
2. MSC forwards the SMS to SMS-C
3. SMS-C requests Bob's location from HLR
4. HLR replies with a fake MSC address
5. SMS-C forwards the SMS to the fake MSC
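
One way to screen, at the interconnect border, the MAP operations the slides walk through: the location queries named on the Tracking slide and the registration on a fake MSC from the DoS and SMS interception steps. This is an added example, not part of the original slides; the global-title ranges, IMSI prefix, record fields, country labels and one-hour threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# All values below are constructed for illustration (not taken from the slides).
HOME_GT_PREFIX = "99901"             # assumed global-title range of the home operator
HOME_IMSI_PREFIX = "00101"           # assumed MCC+MNC of the home operator (test PLMN)
PARTNER_SMSC_GTS = {"99902000001"}   # assumed SMS-Cs of known interconnect partners
LOCATION_OPS = {"provideSubscriberInfo", "provideSubscriberLocation"}
MIN_RELOCATION = timedelta(hours=1)  # assumed fastest plausible change of country

def classify(msg, last_seen):
    """Verdict for one inbound MAP message seen at the interconnect border.
    last_seen maps IMSI -> (country of serving VLR, time of last accepted update)."""
    op, gt, imsi = msg["op"], msg["calling_gt"], msg.get("imsi", "")
    if gt.startswith(HOME_GT_PREFIX):
        return "allow", "internal origin"
    if op == "anyTimeInterrogation":
        return "block", "ATI from external GT"
    if op in LOCATION_OPS and imsi.startswith(HOME_IMSI_PREFIX):
        return "block", "location query for home subscriber from external GT"
    if op == "sendRoutingInfoForSM" and gt not in PARTNER_SMSC_GTS:
        return "alert", "SRI-SM from unknown SMS-C"
    if op == "updateLocation":
        prev = last_seen.get(imsi)
        if prev and prev[0] != msg["vlr_cc"] and msg["ts"] - prev[1] < MIN_RELOCATION:
            return "alert", "registration from another country too soon after last update"
        last_seen[imsi] = (msg["vlr_cc"], msg["ts"])  # accept and remember new location
    return "allow", "no rule matched"

def run(messages, last_seen):
    return [classify(m, last_seen)[0] for m in messages]

T0 = datetime(2015, 1, 1, 12, 0)
BOB = "001010000000001"
SAMPLE = [  # constructed border log, one dict per decoded MAP message
    {"op": "sendRoutingInfoForSM", "calling_gt": "99902000001", "msisdn": "99901555001"},
    {"op": "sendRoutingInfoForSM", "calling_gt": "99903000009", "msisdn": "99901555001"},
    {"op": "provideSubscriberInfo", "calling_gt": "99903000009", "imsi": BOB},
    {"op": "anyTimeInterrogation", "calling_gt": "99903000009", "msisdn": "99901555001"},
    {"op": "updateLocation", "calling_gt": "99903000009", "imsi": BOB,
     "vlr_cc": "CC", "ts": T0 + timedelta(minutes=5)},
    {"op": "updateLocation", "calling_gt": "99902000002", "imsi": BOB,
     "vlr_cc": "BB", "ts": T0 + timedelta(hours=6)},
]

if __name__ == "__main__":
    state = {BOB: ("AA", T0)}  # Bob last registered in home country AA at T0
    for m, verdict in zip(SAMPLE, run(SAMPLE, state)):
        print(verdict, m["op"], m["calling_gt"])
```

The alerted updateLocation leaves the stored location untouched, so a rejected registration cannot be used to reset the baseline for the next check.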

demo

SMS Interception, We Really Missed You


Access to payment service
Recover passwords for email and social networks
Online banking OTP

Illegal cases

SMS Interception

TBD
Payment confirmation
SMS Interception

Devices for
SMS Interception

Active actions and Impersonation


Mobile balance transfer over USSD
Premium Rate SMS Subscriptions
Credit cards money transfers via phone
Even fake calls from Victim number

How to Get Into SS7

How They Can Get Into SS7

Legal with license


Semi legal without

Find a guy

Hack border device

Find a Guy

Hack border device

Today: IP Connectivity

Misconfiguration Example

Critical

Research Updates
SS7 security threats
Mobile Internet vulnerabilities (GPRS)
SIM vulnerabilities

http://www.ptsecurity.com/library/whitepapers/

http://blog.ptsecurity.com/

Questions?
Dmitry Kurbatov

Vladimir Kropotov
