Post on 07-Apr-2018
Attacks on Telecom Operators and Mobile Subscribers via SS7
Dmitry Kurbatov, Security specialist
Positive Research
2014 was a good year for SS7 security
Hackito Ergo Sum 2014
• Locating mobile phones
Positive Hack Days IV
• How to Intercept a Conversation Held on the Other Side of the Planet
Washington Post
• Secretly track cellphones
31C3
• SS7: Locate. Track. Manipulate
• Mobile self-defense
Topics
USSD Money Transfer
Short Message Interception
DoS on Mobile Switching Center
Fraud in SS7 network
Hot for mobile network operators
Hot for everyone
SS7
[Diagram: SS7 core network with HLR, MSC/VLR, Gateway MSC, Billing and SMS-C, serving subscribers A and B]
Radio Part
[Diagram: Cell Phone, Base Transceiver Station, Base Station Controller, then the SS7 core]
MSC – Mobile Switching Center
VLR – Visitor Location Register
IDs
• GT – Global Title: 0 123 4567890
• MSISDN – A or B mobile numbers: 0 123 4567890
• MSRN – Mobile Subscriber Roaming Number: 0 123 4567890
• IMSI – International Mobile Subscriber Identity: 15 digits
[Diagram: the SS7 core (HLR, MSC/VLR, Gateway MSC, Billing, SMS-C, subscribers A and B) shown inside the wider operator network, built up slide by slide]
• CS Core, UTRAN, PS Core, IMS
• Access Networks: LTE, Wi-Fi, WiMAX, PON, DSL, Femto
• Exchange Points: GRX/IPX
• Support: OAM, Remote support
• IT: IT network
• Internet
Traffic
Threats
[Diagram: the label "Attacker" is placed at six points of this network]
Collect info
We know:
• B-Number 0 123 4567802
1. Attacker as SMSC, sendRoutingInfoForSM (SRI4SM): "I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?"
2. sendRoutingInfoForSM reply: "I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits."
We know:
• B-Number 0 123 4567802
• HLR 0 123 4567800
• MSC/VLR 0 123 4567803
• Subscriber-B IMSI 15 digits
Spoof MSC
We know:
• HLR 0 123 4567800
• Subscriber-B IMSI 15 digits
3. Attacker as MSC, updateLocation: "I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits."
HLR stores:
• Subscriber-B IMSI 15 digits
• MSC/VLR 1 321 4567801
4. Attacker serves Subscriber-B
SMS interception
5. A → SMS-C: “Hi, meet at 8pm at Baker Street”
6. SMS-C, sendRoutingInfoForSM: "I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802?"
7. sendRoutingInfoForSM reply: "I am HLR 0 123 4567800. MSC/VLR 1 321 4567801. Subscriber-B IMSI 15 digits."
HLR sends Attacker address instead of real MSC!
8. SMS-C routes this SMS to the received address.
Collect info
We know:
• B-Number 0 123 4567802
1. Attacker as SMSC, sendRoutingInfoForSM (SRI4SM): "I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?"
2. sendRoutingInfoForSM reply: "I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits."
We know:
• B-Number 0 123 4567802
• HLR 0 123 4567800
• MSC/VLR 0 123 4567803
• Subscriber-B IMSI 15 digits
Send USSD 1
We know:
• HLR 0 123 4567800
• Subscriber-B IMSI 15 digits
3. Attacker as MSC/VLR, processUnstructuredSS-Request, USSD *100#: "I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits?"
4. processUnstructuredSS-Request reply: "Subscriber’s account is $$$$$."
We know:
• Account info.
Send USSD 2
We know:
• HLR 0 123 4567800
• Subscriber-B IMSI 15 digits
• Account info.
5. Attacker as MSC/VLR, processUnstructuredSS-Request, USSD *123*01238765400*100#: "I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account."
6. processUnstructuredSS-Request reply: "OK."
We know:
• Real account info.
Subscriber B does not get SMS notification if Attacker combines this attack and the previous one.
Collect info
We know:
• B-Number 0 123 4567802
1. Attacker as SMSC, sendRoutingInfoForSM (SRI4SM): "I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?"
2. sendRoutingInfoForSM reply: "I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits."
We know:
• B-Number 0 123 4567802
• HLR 0 123 4567800
• MSC/VLR 0 123 4567803
• Subscriber-B IMSI 15 digits
Make it starve
We know:
• MSC/VLR 0 123 4567803
• Subscriber-B IMSI 15 digits
3. Attacker as HLR, provideRoamingNumber (PRN): "I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits."
4. provideRoamingNumber reply: "MSRN 0 123 4560001"
Default timeouts for MSRN:
• Ericsson – 30 sec
• Huawei – 45 sec
3. The same provideRoamingNumber request is sent again and again: "I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits." …
4. provideRoamingNumber replies: MSRN 0 123 4560001 … MSRN 0 123 4569999
We know:
• MSC/VLR 0 123 4567803
• Subscriber-B IMSI 15 digits
• MSRN 0 123 4560001 … MSRN 0 123 4569999
4. Final reply: noRoamingNumberAvailable
DoS
[Diagram labels: Attacker as HLR, Real HLR, Gateway MSC, MSC/VLR, B, 10k – 500k]
3. Attacker as HLR, provideRoamingNumber (PRN): "I am HLR. My GT 1 321 4568701. Provide MSRN for Subscriber-ANY IMSI 15 digits."
4. No incoming calls
Sad calling party
SS7 interconnection
[Diagram: three operator networks, each with HLR, MSC/VLR, Gateway MSC, Billing and SMS-C, interconnected over SS7]
Trusted environment
Collect info
We know:
• B-Number 0 123 4567802
1. Attacker as SMSC, sendRoutingInfoForSM (SRI4SM): "I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?"
2. sendRoutingInfoForSM reply: "I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits."
We know:
• B-Number 0 123 4567802
• HLR 0 123 4567800
• MSC/VLR 0 123 4567803
• Subscriber-B IMSI 15 digits
Spoof MSC
We know:
• HLR 0 123 4567800
• Subscriber-B IMSI 15 digits
3. Attacker as MSC, updateLocation: "I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits."
HLR stores:
• Subscriber-B IMSI 15 digits
• MSC/VLR 1 321 4567801
4. Attacker serves Subscriber-B
Forward a call
HLR stores:
• Subscriber-B
• MSISDN 0 123 4567802
• IMSI 15 digits
• MSC/VLR 1 321 4567801
GatewayMSC knows: nothing
5. A → Gateway MSC
6. sendRoutingInfo: "Where is Subscriber-B MSISDN 0 123 4567802" = Where is Subscriber-B located?
7. provideSubscriberInfo: "I am HLR. My GT 0 123 4567800. Provide location for the Subscriber-B."
8. provideSubscriberInfo reply: "Subscriber-B is in the Home network."
GatewayMSC knows that Subscriber-B is at home. This information will be sent to a billing platform.
9. sendRoutingInfo: "Where is Subscriber-B MSISDN 0 123 4567802 located" = What is MSRN for Subscriber-B?
10. provideRoamingNumber: "I am HLR. My GT 0 123 4567800. Provide MSRN for Subscriber-B IMSI 15 digits."
11. provideRoamingNumber reply: "MSRN 39 0 654832169"
GatewayMSC knows:
• Subscriber-B
• MSRN 39 0 654832169
12. Forward a call to… Italy
Who pays?
How much does a mobile operator lose?
• Call from A to B while at “home” = ₽ 1,60
• Call from A to Italy = ₽ 30,00
• ₽ 30,00 - ₽ 1,60 = ₽ 28,40 – Attacker’s profit
International calls at 5,3% of original price
IDS Scheme
SS7 IDS & Event correlation
[Diagram: SS7 taps at the STPs facing SS7 National, SS7 International and SS7 Other PLMNs send duplicate traffic to the SS7 IDS & Event correlation system]
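One way to express the event correlation that this IDS scheme calls for, written here as an added example and not taken from the slides or from any Positive Technologies product. It scores MAP events duplicated from the SS7 taps against the message sequences shown earlier; the event record layout, the home GT and IMSI prefixes, the thresholds and the sample events are all assumptions.

```python
from collections import defaultdict, deque

HOME_GT_PREFIX = "0123"      # assumption: home-network GTs, per the slides' sample numbering
HOME_IMSI_PREFIX = "00101"   # assumption: constructed test PLMN standing in for home IMSIs
LINK_WINDOW_S = 600          # assumed window linking an SRI4SM to a later updateLocation
MSRN_TIMEOUT_S = 30          # shortest default MSRN timeout quoted on the slides
PRN_BURST_LIMIT = 3          # assumed threshold, tiny for the sample; size it to the MSRN pool

def detect(events):
    """Correlate time-ordered MAP events from SS7 taps; return (ts, src_gt, rule) alerts."""
    alerts = []
    last_sri = {}                    # external GT -> time of its last SRI4SM
    prn_times = defaultdict(deque)   # external GT -> PRN times inside the MSRN timeout
    for e in events:
        ts, op, gt = e["ts"], e["op"], e["src_gt"].replace(" ", "")
        if gt.startswith(HOME_GT_PREFIX):
            continue                 # only traffic entering from other networks is scored
        home_sub = e.get("imsi", "").startswith(HOME_IMSI_PREFIX)
        if op == "sendRoutingInfoForSM":
            last_sri[gt] = ts
        elif op == "updateLocation" and home_sub:
            # Roaming registrations are normal; a GT that has just posed as an SMSC is not.
            if gt in last_sri and ts - last_sri[gt] <= LINK_WINDOW_S:
                alerts.append((ts, gt, "SMSC-then-MSC/VLR role change"))
        elif op == "provideRoamingNumber":
            if home_sub:
                # A home subscriber's HLR is a home node, so an external origin is false.
                alerts.append((ts, gt, "PRN for home IMSI from external GT"))
            q = prn_times[gt]
            q.append(ts)
            while ts - q[0] > MSRN_TIMEOUT_S:
                q.popleft()
            if len(q) == PRN_BURST_LIMIT:
                alerts.append((ts, gt, "PRN burst within MSRN timeout"))
    return alerts

# Constructed sample events (not captured traffic); GT "1 555 0000001" is a made-up roaming partner.
SAMPLE = [
    {"ts": 0,  "op": "sendRoutingInfoForSM", "src_gt": "1 321 4567801", "msisdn": "01234567802"},
    {"ts": 5,  "op": "sendRoutingInfoForSM", "src_gt": "0 123 4567804", "msisdn": "01234567802"},
    {"ts": 40, "op": "updateLocation", "src_gt": "1 321 4567801", "imsi": "001010000000002"},
    {"ts": 50, "op": "updateLocation", "src_gt": "1 555 0000001", "imsi": "001010000000009"},
    {"ts": 60, "op": "provideRoamingNumber", "src_gt": "1 321 4567801", "imsi": "001010000000002"},
    {"ts": 61, "op": "provideRoamingNumber", "src_gt": "1 321 4567801", "imsi": "001010000000003"},
    {"ts": 62, "op": "provideRoamingNumber", "src_gt": "1 321 4567801", "imsi": "001010000000004"},
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

The ordinary roaming registration at ts 50 and the home SMS-C query at ts 5 raise nothing; every alert traces back to the one external GT that changes roles.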
Research Updates
• SS7 security threats
• Mobile Internet vulnerabilities (GPRS)
• SIM vulnerabilities
www.ptsecurity.com
http://blog.ptsecurity.com/