Worldwide attacks on SS7 network

Presented by Pierre-Olivier Vauboin & Alexandre De Oliveira at Hackito Ergo Sum 2014
http://2014.hackitoergosum.org/

Mobile telecommunication networks are complex and provide a wide range of services, making them a tempting target for fraudsters and for intelligence agencies. Moreover, the architecture, equipment and protocols used on these networks were never designed with security in mind, availability being the first concern. Today, even though some telecom operators are investing money into securing their network, events confirm that for most of them maturity in terms of security is yet to come, as recently shown with the example of massive traffic interception on compromised SCCP and GRX providers like Belgacom’s BICS. Here we present the most typical and legitimate telecom callflows, from making a mobile phone call to sending an SMS. Then we describe the protocol layers involved and how to abuse them, and which fields can be manipulated in order to attack both the operator infrastructure and its subscribers. Finally, we show a real-life example of a scan performed from an international SS7 interconnection and practical attacks on subscribers such as spam, spoofed SMS and user location tracking.

Alexandre De Oliveira

April 26, 2014

Transcript

  1. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved
     Worldwide attacks on SS7 network
     P1 Security – Hackito Ergo Sum 26th April 2014
     Pierre-Olivier Vauboin ([email protected])
     Alexandre De Oliveira ([email protected])
  2. Agenda
     • Overall telecom architecture
     • Architecture diagrams for 2G / 3G
     • Most important Network Elements
     • SS7 stack and interconnections
     • Practical attack scenarios
     • Mapping the SS7 network
     • Tracking user location
     • Sending spoofed SMS
     • Demo
  3. Telecom Overview
     Evolution from 2G to 3G
  4. Practical Attack Scenarios
     SS7 Attack Vectors
  5. Agenda
     • Overall telecom architecture
     • Architecture diagrams for 2G / 3G
     • Most important Network Elements
     • SS7 stack and interconnections
     • Practical attack scenarios
     • Mapping the SS7 network
     • Tracking user location
     • Sending spoofed SMS
     • Demo
  6. MSC: Mobile Switching Center
     • MSC: 5-50 per MNO
     • Connected to 20-50 BSC
     • In charge of call establishment
     • Interfaces the BSC toward the rest of the network
     • Connects the calls of the mobile users
     • UE is attached to one MSC
     • MAP Protocol
     • Generates CDR (Charging Data Record)
     • Security impact: Key compromise, content compromise, regional DoS, location tracking, …
     [Image: Siemens MSC]
  7. HLR / HSS: Home Location Register / Home Subscriber Server
     • HLR: 1-20 per MNO
     • “Heart” of SS7 / SIGTRAN
     • Subscriber database
     • IMSI
     • Authentication (AuC) : Ki
     • Current subscriber location
     • Supplementary services
     • Queries from international partners (roaming)
     • MAP Protocol
     • Security impact: Key compromise, global DoS
     [Image: NSN HLR / HSS]
  8. HLR / HSS: Home Location Register / Home Subscriber Server
     I’m Root !
  9. Agenda
     • Overall telecom architecture
     • Architecture diagrams for 2G / 3G
     • Most important Network Elements
     • SS7 stack and interconnections
     • Practical attack scenarios
     • Mapping the SS7 network
     • Tracking user location
     • Sending spoofed SMS
     • Demo
  10. Global SS7 network
      • Private and secure SS7 network ?
      • Interconnects many actors
      • Different views depending on interconnection point
      • Malicious entry point to SS7 network:
        • Through any unsecure operator and attack other operators from there
        • From Network Element OAM interface exposed on Internet
        • Through compromised Femto Cell
        • … and more …
  11. SS7 / SIGTRAN Stack
      Protocol Layers
      [Diagram labels: SIGTRAN MAP Stack SIGTRAN Adaptation Layer SS7 Session Layer Routing Layer Application Layer]
  12. SS7 / SIGTRAN Stack
      Addressing schemes
      In Telecom networks a multitude of addressing schemes are used to identify Network Elements, subscribers, applications
      • Point Code (PC): 14 or 24 bits address. Equivalent to MAC address.
      • Global Title (GT): Length up to 15 digits. Looks like a phone number. Equivalent to IP address.
      • SubSystem Number (SSN): Identifies application or service on Network Elements. Equivalent to TCP port.
      • International Mobile Subscriber Identity (IMSI): SIM card number
      • International Mobile Equipment Identity (IMEI): Device serial number
      • Mobile Subscriber ISDN Number (MSISDN): Phone number
      SS7 Routing criteria: PC / GT / SSN or combo
      [Diagram labels: STP, NE, NE]
  13. Agenda
      • Overall telecom architecture
      • Architecture diagrams for 2G / 3G
      • Most important Network Elements
      • SS7 stack and interconnections
      • Practical attack scenarios
      • Mapping the SS7 network
      • Tracking user location
      • Sending spoofed SMS
      • Demo
  14. Practical Attack Scenarios
      Scan methodology
      • Abusing legitimate messages (SRISM, SRI, ATI, …)
      • Sending from any international SS7 interconnection
      • Steps:
        • Discovery scan and GT mapping: SCCP + TCAP
        • Advanced attacks: specific MAP messages
      • Targets:
        • Attacking operators infrastructure
        • Attacking subscribers
  15. Discovery phase
      Finding the first targets
      • Publicly available information
      • International PC lists
      • GT prefix / country / operator
      • Subscriber MSISDN lists
      • Probing from UE
      • SS codes: *#61#
      • Send SMS to your own SMSC to find your current MSC
      • Changing GT prefix length
      • Scan around confirmed targets
  16. Discovery phase
      TCAP scan example
      [Screenshot labels: Scan ! HLR Found!]
  17. 2G / 3G Network Mapping
      Active Network Mapping
  18. Agenda
      • Overall telecom architecture
      • Architecture diagrams for 2G / 3G
      • Most important Network Elements
      • SS7 stack and interconnections
      • Practical attack scenarios
      • Mapping the SS7 network
      • Tracking user location
      • Sending spoofed SMS
      • Demo
  19. Spying on users
  20. Tracking user location
      • Based on non filtered MAP messages
      • SRISM / SRI
      • PSI / PSL
      • ATI …
      • Targeted towards HLR or MSC / VLR
      • Accuracy:
        • Depending on type of message allowed
        • MSC GT (Accuracy: City / Region)
        • CellID (Accuracy: Street)
  21. Tracking user location
      Get MSC / VLR / CellID from SS7 (Example with MAP ATI)

          $ python src/p1ss7ng/mapgsm_cellid.py 02f8xx002c9084
          Mobile Country Code (MCC) : 208 (France)
          Mobile Network Code (MNC) : xx (French Operator)
          Location Area Code (LAC) : 194
          Cell ID : 23

      [Screenshot labels: VLR GT 12345000123 12345000123 MSC GT 02f802002c9084 Cell ID]
  22. Tracking user location
      Open CellID databases
  23. Tracking user location
      Low accuracy (MSC based location)
      Source: Tobias Engel (CCC)
  24. Agenda
      • Overall telecom architecture
      • Architecture diagrams for 2G / 3G
      • Most important Network Elements
      • SS7 stack and interconnections
      • Practical attack scenarios
      • Mapping the SS7 network
      • Tracking user location
      • Sending spoofed SMS
      • Demo
  25. Sending SMS
      MO / MT ForwardSM
      • MAP messages
      • MO: Mobile Originating
      • MT: Mobile Terminating
      • SMSC: SMS Center (SMSC GT list is public)
      [Diagram labels: MSC, MSC, SMSC, MAP MO ForwardSM, MAP MT ForwardSM]
  26. Sending SMS
      Prerequisite to SMS: MAP SRISM
      [Diagram labels: SMSC, MSC, MT, MT]
  27. SendRoutingInfoForSM
      • SS7 MAP SRISM
      • SCCP Dst GT == MSISDN
      • Destination phone number (MSISDN): 12340000001
      • SSN HLR
  28. Answer to SRISM

          RoutingInfoForSM-Res ::= SEQUENCE {
              imsi                  IMSI,
              locationInfoWithLMSI  [0] LocationInfoWithLMSI,
              extensionContainer    [4] ExtensionContainer OPTIONAL,
              ...,
              ip-sm-gwGuidance      [5] IP-SM-GW-Guidance OPTIONAL }

      • Answer comes from HLR
      • Get IMSI for requested MSISDN
      • Contains MSC GT
      • Both IMSI and MSC GT are required to send MAP MT Forward SM
  29. Answer to SRISM
      SRISM answer reveals MSC GT and IMSI
      [Screenshot labels: MSC GT, IMSI]
  30. SMS attacks
      • Sending spam SMS
      • Sending spoof SMS
      • Bypassing SMS firewall
      • Anti Spam protections
      • MT FSM directly targeting MSC
      • Directly sent from signalling protocol
  31. SMS attacks
      Based on MAP MT-FSM (Mobile Terminated Forward Short Message)
      [Screenshot labels: Originating phone number; MAP MT FSM; SMS content; Spoof here !; 12345000123; IMSI; MSC GT]
  32. Originating Address
      Try different encodings ! (Different screening rules)
      [Screenshot labels: 12345000001, Hackito]
  33. SMS spoofing
      Spoofing police !
      Also works with other special numbers:
      • Emergency number
      • Voice Mail number
      • Operators services
      • Other subscribers
  34. Counter measures
      Protecting against SMS attacks
      • SMS home routing
      • SMS firewalls
      • All incoming MAP MT Forward SM are routed to SMS firewall for inspection
      • Protects against SMS attacks:
        • SMS spam is detected and rejected
        • Spoofed SMS is detected and rejected
  35. SMS Home Routing
      Protecting users privacy / Protecting against spam SMS
      [Diagram label: SMSC]
  36. SMS Home Routing
      SMS are routed to SMS firewall for inspection
      [Diagram labels: MSC, MT, MT, SMS Firewall, SMSC]
  37. Counter Counter measures ?
      How to bypass protections
      • Can you actually bypass SMS firewalls ?
      • YES !
      • How ?
      • Directly sending MT Forward SM to MSC
      • Route through SMS firewall is usually not enforced !
      • This requires to scan and discover all available MSC prior to send SMS
      • Possible in a few hours
      • MSC number: typically < 50
      • Also require target IMSI (SRI / SRISM / sendIMSI)
  38. SMS Firewall bypassed
      https://saas.p1sec.com/vulns/112
      P1 Vulnerability Knowledge Base P1VID#112
  39. Telcomap project
  40. Worldwide discovery
      SS7map: Scanning the worldwide SS7 network
      • Discovery scan from international SS7 interconnection
      • Targets: all operators / all countries
      • Currently implemented testcases:
        • GT/SSN discovery scan (SCCP / TCAP)
        • MSISDN range scan (MAP SRI)
        • More to come…
  41. SS7 Map
      Telecom Networks SS7 Exposure
  42. GRX Map
      PS, GPRS, LTE
      http://sniffmap.telcomap.org/grx/
  43. Galaxy Map
      • ShodanHQ-like but for Telco
      • Shodan is only 10% coverage of Telco OAM and Signaling
      • But useful to “prove” the seriousness: anyone can get access… from Internet
  44. Sniffmap
      Map of Five Eyes interception
      http://sniffmap.telcomap.org/
  45. Attack surface
      Telcomaps
      • Sniff Map
      • SS7 Map
      • GRX Map
      • Galaxy Map
  46. Going further
      • MAP specification: 3GPP TS 29.002 http://www.3gpp.org/DynaReport/29002.htm
      • SMS specification: 3GPP TS 23.040 http://www.3gpp.org/DynaReport/23040.htm
      • SMS Home routing specification: 3GPP TS 23.840 http://www.3gpp.org/DynaReport/23840.htm
      • Locating mobile phones using MSC GT (CCC) http://events.ccc.de/congress/2008/Fahrplan/attachments/1262_25c3-locating-mobile-phones.pdf
      • Description of MAP usual callflows http://www.netlab.tkk.fi/opetus/s383115/2007/kalvot/3115L7-9e.pdf
      • P1 Security SaaS and Vulnerability Knowledge Base https://saas.p1sec.com/
      • SMS Gateways http://www.vianett.com/
      • Open Cell ID databases / API http://opencellids.org/
  47. Thank you ! Questions ?
      Thanks to P1 Security team
      Questions to: [email protected] [email protected]
  48. Back up demo
  49. Back up demo
  50. Back up demo
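
The enforcement gap named on slides 34 to 37 (an MSC accepting MT Forward SM that never passed the SMS firewall) can be checked for on the operator side from signalling monitoring data. The following is an added example, not code from the P1 Security deck; the record schema, the GT values and the allowlist are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed, constructed values: replace with your own network's data.
HOME_GT_PREFIX = "12345"              # GT range owned by the home operator
TRUSTED_MT_SENDERS = {"12345000900"}  # SMS firewall / home-routing node GT

@dataclass
class MapEvent:
    """One decoded signalling record from a monitoring probe (hypothetical schema)."""
    operation: str              # MAP operation name
    calling_gt: str             # SCCP calling party Global Title
    called_gt: str              # SCCP called party Global Title
    answered_node_gt: str = ""  # node GT returned in an SRISM answer, if any

def classify(ev: MapEvent):
    """Return a finding for traffic that sidesteps home routing, else None."""
    external = not ev.calling_gt.startswith(HOME_GT_PREFIX)
    if ev.operation == "mt-ForwardSM":
        # Every MT-FSM reaching an MSC should have passed the SMS firewall first.
        if ev.calling_gt not in TRUSTED_MT_SENDERS:
            return "MT-FSM reached MSC %s directly from %s" % (ev.called_gt, ev.calling_gt)
    elif ev.operation == "sendRoutingInfoForSM" and external:
        # With home routing, a foreign SRISM is answered with the firewall GT,
        # never with the serving MSC GT.
        if ev.answered_node_gt and ev.answered_node_gt not in TRUSTED_MT_SENDERS:
            return "SRISM answer exposed MSC GT %s to %s" % (ev.answered_node_gt, ev.calling_gt)
    return None

def scan(events):
    """Collect findings for a batch of events, preserving order."""
    return [f for f in map(classify, events) if f]

# Constructed sample records (not real traffic).
SAMPLE = [
    MapEvent("sendRoutingInfoForSM", "99900000001", "12345000001", "12345000900"),
    MapEvent("mt-ForwardSM", "12345000900", "12345000123"),
    MapEvent("sendRoutingInfoForSM", "99900000001", "12345000001", "12345000123"),
    MapEvent("mt-ForwardSM", "99900000001", "12345000123"),
    MapEvent("updateLocation", "99900000002", "12345000010"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any finding on live data means the route through the SMS firewall is advisory rather than enforced; the durable fix is to reject the message at the STP or MSC, with this check kept as a regression monitor.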