Trojans in SS7 - how they bypass all security …archive.hack.lu/2018/HackLu_SS7_Trojan_pdf.pdfSS7...
![Page 1: Trojans in SS7 - how they bypass all security …archive.hack.lu/2018/HackLu_SS7_Trojan_pdf.pdfSS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 (Signaling System](https://reader030.fdocuments.in/reader030/viewer/2022033121/5e4807f262119466d31eee24/html5/thumbnails/1.jpg)
Sergey Puzankov
Trojans in SS7 - how they bypass all security measures
ptsecurity.com
Page 2
SS7 in the 20th century
[Diagram: PSTN core in which STPs interconnect SSPs and SCPs over SS7 links]
SS7 (Signaling System #7): a set of telephony protocols used to set up and tear down telephone calls, send and receive SMS messages, provide subscriber mobility, and more
Page 3
SS7 nowadays
SIGTRAN (Signaling Transport): an extension of the SS7 protocol family that uses IP as transport
Page 4
Why SS7 is not secure
[Diagram: SIGTRAN networks of several operators interconnected, with an IWF/DEA bridging to Diameter and LTE]
Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world
Page 5
Governments and global organizations worried by SS7 security
Page 6
Mobile operators and SS7 security
Security assessment
SS7 firewall
Security monitoring
SMS Home Routing
Security configuration
Page 7
Research and publications
2014 – Signaling System 7 (SS7) security report
2014 – Vulnerabilities of mobile Internet (GPRS)
2016 – Primary security threats for SS7 cellular networks
2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities)
2017 – Threats to packet core security of 4G network
2018 – SS7 vulnerabilities and attack exposure report
Page 8
Network vulnerability statistics: SMS Home Routing
67% of installed SMS Home Routing systems have been bypassed
The likelihood of exploiting some threats in networks with SMS Home Routing installed is greater than in networks without protection
Page 9
Network vulnerability statistics: SS7 firewall
Penetration level of SS7 firewalls on mobile networks:
2015 — 0%
2016 — 7%
2017 — 33%
A filtering system alone cannot protect the network thoroughly
Page 10
Basic nodes and identifiers
HLR — Home Location Register
MSC/VLR — Mobile Switching Center and Visitor Location Register
SMS-C — SMS Centre
MSISDN — Mobile Subscriber Integrated Services Digital Number
IMSI — International Mobile Subscriber Identity
STP — Signaling Transfer Point
GT — Global Title, address of a core node element
Page 11
IMSI
An IMSI identifier, by itself, is not valuable to an intruder
But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as:
Location tracking
Service disturbance
SMS interception
Voice call eavesdropping
The IMSI is considered personal data as per GDPR.
Page 12
SS7 messages for IMSI retrieval
SendRoutingInfo, SendIMSI, SendRoutingInfoForLCS: should be blocked on the network border
SendRoutingInfoForSM: may be blocked on the HLR, with SMS Home Routing as the protection tool (the message itself cannot be blocked at the border, since SMS delivery from other networks depends on it)
Page 13
SMS Home Routing bypass No. 1
Page 14
SMS delivery with no SMS Home Routing in place
1. SMS-C -> STP -> HLR: SRI4SM Request (MSISDN)
2. HLR -> STP -> SMS-C: SRI4SM Response (IMSI, MSC Address)
3. SMS-C -> STP -> MSC: MT-SMS (IMSI, SMS Text)
SRI4SM — SendRoutingInfoForSM
Page 15
SRI4SM abuse by a malefactor
1. Malefactor -> STP -> HLR: SRI4SM Request (MSISDN)
2. HLR -> STP -> Malefactor: SRI4SM Response (IMSI, MSC Address)
Page 16
SMS Home Routing
1. SMS-C -> STP -> SMS Router: SRI4SM Request (MSISDN)
2. SMS Router -> STP -> SMS-C: SRI4SM Response (Fake IMSI, SMS-R Address)
3. SMS-C -> STP -> SMS Router: MT-SMS (Fake IMSI, SMS Text)
4. SMS Router -> HLR: SRI4SM Request (MSISDN)
5. HLR -> SMS Router: SRI4SM Response (Real IMSI, MSC Address)
6. SMS Router -> MSC: MT-SMS (Real IMSI, SMS Text)
Page 17
SMS Home Routing against malefactors
1. Malefactor -> STP -> SMS Router: SRI4SM Request (MSISDN)
2. SMS Router -> STP -> Malefactor: SRI4SM Response (Fake IMSI, SMS-R Address)
The malefactor learns neither the real IMSI nor the address of the serving MSC
Page 18
Numbering plans (Luxembourg example)

| Plan  | Identifier    | Example            | Structure                                                      |
|-------|---------------|--------------------|----------------------------------------------------------------|
| E.164 | MSISDN and GT | 352 854 1231237    | Country Code + Network Destination Code + subscriber number     |
| E.212 | IMSI          | 270 80 4564567894  | Mobile Country Code + Mobile Network Code + MSIN               |
| E.214 | Mobile GT     | 352 854 4564567894 | Rule of GT translation: MCC -> CC, MNC -> NDC, MSIN unchanged  |

The E.214 Mobile GT derived from an IMSI is the address under which the operator's HLR is reached for that subscriber.
Pages 19-22
STP routing table (built up over four slides)
…
Numbering Plan = E.214 -> E.214 Global Title Translation Table:
    352 + 854 + 0xxxxxxxxx -> HLR 1
    352 + 854 + 4xxxxxxxxx -> HLR 2
…
OpCode = SRI4SM -> SMS Router
…
Page 23
SendRoutingInfoForSM message
SCCP Called Party Address = MSISDN (an E.164 number)
Page 24
SMS Home Routing bypass attack
1. Malefactor -> STP: SRI4SM Request whose Called Party Address is an E.214 mobile GT built from a random IMSI, with the target's MSISDN in the MAP payload
2. STP -> HLR 2: the same SRI4SM Request, routed by the E.214 Global Title Translation Table (352 + 854 + 4xxxxxxxxx -> HLR 2) rather than by the OpCode = SRI4SM rule
3. HLR 2 -> STP -> Malefactor: SRI4SM Response (IMSI, MSC address)
The malefactor needs to guess any IMSI from the HLR serving the target subscriber
The SMS Router is aside: it never sees the request
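The routing decision behind this bypass, as an added example that is not part of the original deck: a small Python model of the E.212 to E.214 translation from page 18 and of an STP whose E.214 rule is consulted before its OpCode rule, next to a routing function that screens SRI4SM by numbering plan before any GT translation. The translation table, the HLR names, the rule ordering and the sample numbers are assumptions modelled on the slides, not a real operator's configuration.

```python
"""E.212 -> E.214 translation and a model of the STP routing decision behind
SMS Home Routing bypass No. 1. Added example: operator data, HLR names and the
rule ordering are assumptions modelled on the slides, not a real STP config."""
from dataclasses import dataclass
from typing import Optional

# Assumed translation table (page 18): IMSI prefix (MCC, MNC) -> (CC, NDC).
E212_TO_E214 = {("270", "80"): ("352", "854")}

# Assumed E.214 Global Title Translation table (pages 20-24): first MSIN digit -> HLR.
E214_GTT = {"0": "HLR 1", "4": "HLR 2"}

SRI4SM = 45  # MAP operation code of SendRoutingInfoForSM (3GPP TS 29.002)


def imsi_to_mobile_gt(imsi: str) -> str:
    """Build the E.214 Mobile Global Title for an IMSI (assumes a 2-digit MNC)."""
    mcc, mnc, msin = imsi[:3], imsi[3:5], imsi[5:]
    cc, ndc = E212_TO_E214[(mcc, mnc)]
    return cc + ndc + msin


def e214_gtt_lookup(mobile_gt: str) -> str:
    """Resolve an E.214 GT to an HLR by the first digit of its MSIN part."""
    for cc, ndc in E212_TO_E214.values():
        prefix = cc + ndc
        if mobile_gt.startswith(prefix):
            msin = mobile_gt[len(prefix):]
            return E214_GTT.get(msin[:1], "HLR 1")  # assumed default HLR
    raise ValueError("not a mobile GT of this operator")


@dataclass
class SccpMessage:
    cdpa: str                    # SCCP Called Party Address (Global Title digits)
    cdpa_np: str                 # numbering plan of the GT: "E.164" or "E.214"
    opcode: int                  # MAP operation code in the TCAP component
    msisdn: Optional[str] = None  # MSISDN carried inside the MAP payload


def route_vulnerable(msg: SccpMessage) -> str:
    """Routing table as the slides describe it: the E.214 rule is consulted
    first, so an SRI4SM addressed to a mobile GT never reaches the SMS Router rule."""
    if msg.cdpa_np == "E.214":
        return e214_gtt_lookup(msg.cdpa)
    if msg.opcode == SRI4SM:
        return "SMS Router"
    return "HLR 1"


def route_hardened(msg: SccpMessage) -> str:
    """SRI4SM is addressed by the subscriber's E.164 MSISDN (page 23). An SRI4SM
    arriving under any other numbering plan is abnormal and is dropped before
    GT translation, so the opcode rule can no longer be skipped."""
    if msg.opcode == SRI4SM:
        return "SMS Router" if msg.cdpa_np == "E.164" else "DROP"
    if msg.cdpa_np == "E.214":
        return e214_gtt_lookup(msg.cdpa)
    return "HLR 1"


def demo() -> dict:
    """Constructed messages using the slide's sample numbers."""
    legit = SccpMessage(cdpa="3528541231237", cdpa_np="E.164",
                        opcode=SRI4SM, msisdn="3528541231237")
    # The attacker guesses an IMSI in HLR 2's range and addresses the lookup to it.
    attack = SccpMessage(cdpa=imsi_to_mobile_gt("270804564567894"), cdpa_np="E.214",
                         opcode=SRI4SM, msisdn="3528541231237")
    return {
        "legit_vulnerable": route_vulnerable(legit),
        "attack_vulnerable": route_vulnerable(attack),
        "legit_hardened": route_hardened(legit),
        "attack_hardened": route_hardened(attack),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The same screening belongs on the SS7 firewall or the border STP: an SRI4SM whose SCCP Called Party Address is not an E.164 MSISDN has no legitimate purpose on an interconnect link. The IMSI split above assumes a two-digit MNC; networks with three-digit MNCs need the split adjusted.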
Page 25
SMS Home Routing bypass No. 2
Pages 26-29
SMS Home Routing definition (built up over four slides)
1. Sender -> STP: SRI4SM Request (MSISDN)
2. STP -> SMS Router: SRI4SM Request (MSISDN)
3. SMS Router -> Sender: SRI4SM Response (Fake IMSI, SMS-R address)
Different IMSIs mean the SMS Home Routing procedure is involved
Page 30
TCAP Protocol
TCAP – Transaction Capabilities Application Part
TCAP Message Type: Begin, Continue, End, Abort
Transaction IDs: Source and/or Destination IDs
Dialogue Portion: Application Context Name (ACN), ACN Version
Component Portion: Operation Code, Payload
The Application Context Name corresponds to a respective Operation Code
Page 31
Application Context (0.4.0.0.1.0.20.3)
0 – CCITT
4 – Identified Organization
0 – ETSI
0 – Mobile Domain
1 – GSM/UMTS Network
0 – Application Context ID
20 – ShortMsgGateway
3 – Version 3
Page 32
Application Context change
Original: 0.4.0.0.1.0.20.3 (0 – CCITT, 4 – Identified Organization, 0 – ETSI, 0 – Mobile Domain, 1 – GSM/UMTS Network, 0 – Application Context ID, 20 – ShortMsgGateway, 3 – Version 3)
Modified: 0.4.x.0.1.0.20.3, with the third arc (0 – ETSI) replaced by an unknown value x; all other arcs unchanged
Pages 33-35
SMS Home Routing bypass with malformed Application Context
1. Malefactor -> STP -> HLR: SRI4SM Request (MSISDN) with a malformed ACN; the STP does not divert the request to the SMS Router
2. HLR -> STP -> Malefactor: SRI4SM Response (IMSI, MSC)
SMS Router is aside
Equal IMSIs mean the SMS Home Routing solution is absent or not involved
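The Application Context from pages 30-35, as an added example that is not part of the original deck: a Python encoder and decoder for the BER OBJECT IDENTIFIER that carries the ACN, and two firewall policies applied to the same request, one that matches rules on a recognised ACN and therefore lets an unknown ACN fall through to the default, and one that decides on the operation code first and treats an unknown or inconsistent ACN as a reason to block. The two policy functions and the demo values are assumptions for illustration; the operation codes and ac-ids are those of 3GPP TS 29.002.

```python
"""BER encoding/decoding of the TCAP Application Context Name and a firewall
rule that keys on the operation code instead of on a recognised ACN.
Added example: the "naive" and "strict" policies are assumptions illustrating
the bypass, not any vendor's product logic."""
from typing import Optional, Tuple

OID_TAG = 0x06

# MAP application-context prefix (page 31):
# ccitt(0) identified-organization(4) etsi(0) mobileDomain(0) gsm-Network(1) ac-Id(0)
MAP_AC_PREFIX = (0, 4, 0, 0, 1, 0)

# MAP operation codes (3GPP TS 29.002) and the ac-id each is expected under:
# 20 shortMsgGateway, 5 locationInfoRetrieval, 29 anyTimeInfoEnquiry.
SRI4SM, SRI, ATI = 45, 22, 71
EXPECTED_AC_ID = {SRI4SM: 20, SRI: 5, ATI: 29}
SENSITIVE_OPS = {SRI, ATI}  # blocked at the border whatever the context (pages 12, 47)

SHORT_MSG_GATEWAY_V3 = (0, 4, 0, 0, 1, 0, 20, 3)
LOCATION_INFO_RETRIEVAL_V3 = (0, 4, 0, 0, 1, 0, 5, 3)


def _base128(n: int) -> bytes:
    """Sub-identifier as base-128 digits, high bit set on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(arcs: Tuple[int, ...]) -> bytes:
    """OBJECT IDENTIFIER TLV per X.690: first two arcs fold into one sub-identifier."""
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    assert len(body) < 128  # short-form length is enough for every MAP ACN
    return bytes([OID_TAG, len(body)]) + body


def decode_oid(data: bytes) -> Tuple[int, ...]:
    """Inverse of encode_oid; rejects a bad tag, bad length or truncated arc."""
    if len(data) < 2 or data[0] != OID_TAG or data[1] != len(data) - 2:
        raise ValueError("not a well-formed OID TLV")
    arcs, value = [], 0
    for b in data[2:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:
                arcs.extend(divmod(value, 40) if value < 80 else (2, value - 80))
            else:
                arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated sub-identifier")
    return tuple(arcs)


def parse_map_acn(acn: bytes) -> Optional[Tuple[int, int]]:
    """(ac-id, version) for a MAP ACN, or None when the OID is not under the MAP prefix."""
    arcs = decode_oid(acn)
    if len(arcs) == 8 and arcs[:6] == MAP_AC_PREFIX:
        return arcs[6], arcs[7]
    return None


def naive_decision(acn: bytes, opcode: int) -> str:
    """Rule keyed on a recognised ACN/opcode pair: an unknown ACN matches no rule
    and falls through to the default allow. This is the behaviour page 32 exploits."""
    ctx = parse_map_acn(acn)
    if ctx is None:
        return "pass"
    ac_id, _ = ctx
    if opcode in SENSITIVE_OPS and EXPECTED_AC_ID.get(opcode) == ac_id:
        return "block"
    return "pass"


def strict_decision(acn: bytes, opcode: int) -> str:
    """Decide on the operation code first; an ACN that is unknown or does not
    correspond to the opcode (page 30) is itself a reason to block."""
    if opcode in SENSITIVE_OPS:
        return "block"
    ctx = parse_map_acn(acn)
    if ctx is None or ctx[0] != EXPECTED_AC_ID.get(opcode, ctx[0]):
        return "block"
    return "pass"


def demo() -> dict:
    """Constructed requests: a well-formed SRI and the page 32 variant with arc 3 altered."""
    good = encode_oid(LOCATION_INFO_RETRIEVAL_V3)
    malformed = encode_oid((0, 4, 7, 0, 1, 0, 5, 3))
    return {
        "good_naive": naive_decision(good, SRI),
        "malformed_naive": naive_decision(malformed, SRI),
        "good_strict": strict_decision(good, SRI),
        "malformed_strict": strict_decision(malformed, SRI),
        "sri4sm_strict": strict_decision(encode_oid(SHORT_MSG_GATEWAY_V3), SRI4SM),
    }


if __name__ == "__main__":
    print(encode_oid(SHORT_MSG_GATEWAY_V3).hex())
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The same comparison explains both bypass No. 2 and the firewall bypass on pages 41-42: whichever node keys its rule on the ACN (an STP diverting SRI4SM to the SMS Router, or a firewall blocking SRI) is skipped by a request whose ACN it does not recognise, while a decision taken on the operation code survives the change.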
Page 36
SS7 firewall bypass
Page 37
SS7 firewall: typical deployment scheme
1. Incoming SS7 message -> STP
2. STP -> SS7 firewall: SS7 message (inspection)
3. SS7 firewall -> STP -> HLR: SS7 message
Page 38
SS7 messages for IMSI retrieval (same content as page 12)
Page 39
SS7 firewall: typical deployment scheme
1. Malefactor -> STP: SRI Request (MSISDN)
2. STP -> SS7 firewall: SRI Request (MSISDN); the message is blocked
SRI – SendRoutingInfo
Page 40
Application Context change (same content as page 32)
Pages 41-42
SS7 firewall bypass with malformed Application Context
1. Malefactor -> STP: SRI Request (MSISDN) with a malformed ACN
2. STP -> HLR: SRI Request (MSISDN) with a malformed ACN, routed past the SS7 firewall
3. HLR -> STP -> Malefactor: SRI Response (IMSI, …)
SS7 firewall is aside
Page 43
SS7 Trojan for location tracking
Page 44
SMS delivery
1. MSC 1 -> SMS-C: Mo-ForwardSM (A-Num, B-Num)
2. SMS-C -> HLR: SRI4SM (B-Num)
3. HLR -> SMS-C: SRI4SM (IMSI, MSC 2)
4. SMS-C -> MSC 2: Mt-ForwardSM (A-Num, IMSI)
5. MSC 2 -> SMS-C -> MSC 1: ReturnResultLast
Page 45
SMS spam through SS7
The malefactor takes the SMS-C role; step 1 (Mo-ForwardSM from MSC 1) never happens
2. Malefactor -> HLR: SRI4SM (B-Num)
3. HLR -> Malefactor: SRI4SM (IMSI, MSC 2)
4. Malefactor -> MSC 2: Mt-ForwardSM (A-Num, IMSI)
5. MSC 2 -> Malefactor: ReturnResultLast
Page 46
TCAP handshake as a protection measure
1. MSC 1 -> SMS-C: TCAP Begin, ACN = MoSMRelay (no component)
2. SMS-C -> MSC 1: TCAP Continue
3. MSC 1 -> SMS-C: Mo-ForwardSM (A-Num, B-Num)
4. SMS-C -> HLR: SRI4SM (B-Num)
5. HLR -> SMS-C: SRI4SM (IMSI, MSC 2)
6. SMS-C -> MSC 2: TCAP Begin, ACN = MtSMRelay (no component)
7. MSC 2 -> SMS-C: TCAP Continue
8. SMS-C -> MSC 2: Mt-ForwardSM (A-Num, IMSI)
9. MSC 2 -> SMS-C -> MSC 1: ReturnResultLast
A sender that spoofs another node's address never receives the TCAP Continue and so cannot deliver the operation
Page 47
Location retrieval for intelligent network services
1. IN -> HLR: AnyTimeInterrogation (MSISDN)
2. HLR -> MSC/VLR: ProvideSubscriberInfo (IMSI)
3. MSC/VLR -> HLR: ProvideSubscriberInfo (Cell ID)
4. HLR -> IN: AnyTimeInterrogation (Cell ID)
The AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive the identity of the serving cell in order to perform a location-based service.
This message is allowed for internal operations only. It should be prohibited in external connections.
Page 48
Blocking an illegitimate location request
1. Malefactor -> STP: AnyTimeInterrogation (MSISDN)
2. STP -> SS7 firewall: AnyTimeInterrogation (MSISDN); the message is blocked
Page 49
TCAP handshake as an SS7 Trojan
Is it possible to encapsulate a malformed location request into the protection mechanism and receive a result?
Pages 50-56
SS7 firewall: bypass within a TCAP handshake (built up over seven slides)
1. Malefactor -> STP -> HLR: TCAP Begin, ACN = AnyTimeInfoEnquiry, no component. AnyTimeInfoEnquiry is the context used by the AnyTimeInterrogation operation, which responds with the serving Cell ID and so gives the subscriber's location to within ~100 metres. The incoming message contains no operation code, so the STP does not send it to the SS7 firewall for inspection.
2. HLR -> STP -> Malefactor: TCAP Continue
3. Malefactor -> STP -> HLR: AnyTimeInterrogation (MSISDN) encapsulated in TCAP Continue instead of the normal TCAP Begin. The STP routes this message to the node involved in the initial transaction, again without passing it to the SS7 firewall.
4. HLR -> MSC/VLR: ProvideSubscriberInfo (IMSI); MSC/VLR -> HLR: Cell ID
5. HLR -> STP -> Malefactor: AnyTimeInterrogation (Cell ID) in TCAP End
SS7 firewall is aside
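The exchange on pages 50-56, as an added example that is not part of the original deck: a Python replay of the three attacker messages through two STP models, one that hands the SS7 firewall only a Begin carrying an operation code, and one that inspects every external message and keeps the ACN of each externally opened dialogue so that an invoke arriving later in a Continue is judged against it. The MO relay handshake from page 46 is replayed as well, to show that the stricter model does not break it. The STP behaviour, the transaction ids and the flows are constructed assumptions; the operation codes and ac-ids are from 3GPP TS 29.002.

```python
"""Why the AnyTimeInterrogation trojan of pages 49-56 slips past a firewall
that only sees dialogue-opening messages, and a transaction-aware rule that
stops it. Added example: STP behaviour, ids and flows are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# MAP operation codes (3GPP TS 29.002)
ATI, SRI4SM, MO_FORWARD_SM, MT_FORWARD_SM = 71, 45, 46, 44
# MAP application-context ids (3GPP TS 29.002)
AC_SHORT_MSG_MO_RELAY, AC_SHORT_MSG_MT_RELAY, AC_ANY_TIME_INFO_ENQUIRY = 21, 25, 29

EXTERNAL_DENY_OPS = {ATI}                       # internal-only operation (page 47)
EXTERNAL_DENY_ACS = {AC_ANY_TIME_INFO_ENQUIRY}  # no interconnect peer needs to open it
AC_OPS = {                                      # invokes that belong to each context
    AC_SHORT_MSG_MO_RELAY: {MO_FORWARD_SM},
    AC_SHORT_MSG_MT_RELAY: {MT_FORWARD_SM},
    AC_ANY_TIME_INFO_ENQUIRY: {ATI},
}


@dataclass
class TcapMessage:
    kind: str                     # "Begin", "Continue" or "End"
    otid: Optional[str]           # originating transaction id (absent in End)
    dtid: Optional[str]           # destination transaction id (absent in Begin)
    ac_id: Optional[int] = None   # ac-id from the dialogue portion, if any
    opcode: Optional[int] = None  # invoke operation code from the component portion, if any
    external: bool = True         # arrived over an interconnect link


def stp_vulnerable(msg: TcapMessage, state: Dict[str, Optional[int]]) -> str:
    """Assumed deployment of pages 37 and 51: only a Begin carrying an operation
    code is diverted to the firewall; a Continue is routed by transaction id
    straight to the node that holds the dialogue (page 54). `state` is unused."""
    if msg.external and msg.kind == "Begin" and msg.opcode is not None:
        return "block" if msg.opcode in EXTERNAL_DENY_OPS else "deliver"
    return "deliver"


def stp_stateful(msg: TcapMessage, state: Dict[str, Optional[int]]) -> str:
    """Every external message is inspected. The ACN of an external Begin is kept
    per originating transaction id, so an invoke that shows up later in a
    Continue is checked against the deny list and against its context."""
    if not msg.external:
        return "deliver"
    if msg.kind == "Begin":
        if msg.ac_id in EXTERNAL_DENY_ACS:
            return "block"
        state[msg.otid] = msg.ac_id
    if msg.opcode is None:
        return "deliver"
    if msg.opcode in EXTERNAL_DENY_OPS:
        return "block"
    ac_id = msg.ac_id if msg.kind == "Begin" else state.get(msg.otid)
    if ac_id is None or msg.opcode not in AC_OPS.get(ac_id, set()):
        return "block"  # invoke outside its context, or on a dialogue never seen opening
    return "deliver"


def invoke_delivered(flow: List[TcapMessage], stp, opcode: int) -> bool:
    """Replay a flow through an STP model; True if an external invoke carrying
    `opcode` is delivered before anything in the dialogue is blocked."""
    state: Dict[str, Optional[int]] = {}
    for msg in flow:
        if stp(msg, state) == "block":
            return False  # the far end never answers a blocked message
        if msg.external and msg.opcode == opcode:
            return True
    return False


# Constructed flows; transaction ids are made up.
TROJAN_FLOW = [
    TcapMessage("Begin", "A1", None, ac_id=AC_ANY_TIME_INFO_ENQUIRY),    # 1. no component
    TcapMessage("Continue", "H1", "A1", external=False),                   # 2. HLR accepts
    TcapMessage("Continue", "A1", "H1", opcode=ATI),                       # 3. ATI in Continue
]
DIRECT_ATI_FLOW = [                                                        # page 48
    TcapMessage("Begin", "A2", None, ac_id=AC_ANY_TIME_INFO_ENQUIRY, opcode=ATI),
]
MO_RELAY_FLOW = [                                                          # page 46, steps 1-3
    TcapMessage("Begin", "M1", None, ac_id=AC_SHORT_MSG_MO_RELAY),
    TcapMessage("Continue", "S1", "M1", external=False),
    TcapMessage("Continue", "M1", "S1", opcode=MO_FORWARD_SM),
]
ORPHAN_CONTINUE_FLOW = [                                                   # dialogue never opened
    TcapMessage("Continue", "X9", "S1", opcode=MO_FORWARD_SM),
]

if __name__ == "__main__":
    for name, flow, op in [("trojan", TROJAN_FLOW, ATI), ("direct ATI", DIRECT_ATI_FLOW, ATI),
                           ("MO relay", MO_RELAY_FLOW, MO_FORWARD_SM)]:
        print(f"{name:10s} vulnerable={invoke_delivered(flow, stp_vulnerable, op)} "
              f"stateful={invoke_delivered(flow, stp_stateful, op)}")
```

Two things make the stricter model hold: components are inspected in every TCAP message type, not only in Begin, and the dialogue opened by an external Begin is remembered so that a Continue can be tied back to the context it was opened under. A firewall deployed as a side-hop that the STP consults only for new dialogues has neither property.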
Page 57
Main problems in SS7 security
SS7 architecture flaws
Configuration mistakes
Software bugs
Page 58
Things to remember
1. Deploying a security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed.
2. Test the network. Penetration testing is a good practice for discovering vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them.
3. Know the perimeter. Continuous security monitoring lets a mobile operator know which vulnerabilities are being exploited and, therefore, protect the network.