Trojans in SS7 - how they bypass all security measures

Similar documents
Mobile operators vs. Hackers: new security measures for new bypassing techniques

Effective SS7 protection ITU Workshop on SS7 Security, June 29 th 2016

Positive Technologies Telecom Attack Discovery DATA SHEET

Signaling System 7 (SS7) By : Ali Mustafa

Fractured Backbones Incidents Detection and Forensics in Telco Networks

Taking Over Telecom Networks

PRIMARY SECURITY THREATS FOR SS7 CELLULAR NETWORKS

Stealthy SS7 Attacks

Cyber Security Threats to Telecom Networks. Rosalia D Alessandro Hardik Mehta Loay Abdelrazek

Express Monitoring 2019

TELECOMMUNICATION SYSTEMS

THREATS TO PACKET CORE SECURITY OF 4G NETWORK

Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or tshark) and Snort

MAP - Mobile Application Part

Communication Networks 2 Signaling 2 (Mobile)

10 Call Set-up. Objectives After this chapter the student will: be able to describe the activities in the network during a call set-up.

Three kinds of number portability

TELECOMMUNICATION SYSTEMS

Prototyping and evaluation of TCAPsec

5. Execute the attack and obtain unauthorized access to the system.

SS7. Mercantec H2 2009

Oracle Communications Convergent Charging Controller. Messaging Manager Navigator Technical Guide Release 6.0

TSGS#27(05)0138. Technical Specification Group Services and System Aspects Meeting #27, March 2005, Tokyo, Japan

Dialogic DSI SS7G41 Signaling Server

Secure Telephony Enabled Middle-box (STEM)

Mavenir Keynote. Think Smarter Secure communication Innovate Services. By Mohamed Issa Regional Head of Africa Sales

GSM security country report: Estonia

Mobile network security report: Ukraine

3GPP TS V ( )

Intel NetStructure SS7 Protocols MAP Programmer s Manual. Document Reference: U14SSS

GSM and IN Architecture

GPRS security. Helsinki University of Technology S Security of Communication Protocols

INSE 7110 Winter 2004 Value Added Services Engineering in Next Generation Networks Week #1. Roch H. Glitho- Ericsson/Concordia University

Telecommunication Services Engineering Lab

3GPP TR V7.0.0 ( )

The Next Generation Signaling Transfer Point

Change Requests to GSM Clarification and Modification of SMS handling

Course 5 The SS7 signaling systems.

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

New and Current Approaches for Secure VoIP Service

GSM V8.0.0 ( )

Chapter 9. Firewalls

Telecommunication Services Engineering Lab

Understand iwag Solution for 3G Mobile Data

Outstanding Communications Solutions. Root Canal. A new class of SS7 vulnerabilities

3GPP TS V6.0.0 ( )

Trends and Developments in Telecommunication Security

JP-3GA (R99) Support of GSM Mobile Number Portability (MNP) stage 2

An Agency Under MOSTI SECURITY ASSURANCE. Securing Our Cyberspace. Copyright 2008 CyberSecurity Malaysia

ETSI TS V7.1.0 ( )

COMPUTER NETWORK SECURITY

3GPP TS V7.6.0 ( )

ETSI TS V ( )

We Know Where You Are!

WIRELESS INTELLIGENT NETWORKING (WIN) FATİH ERTÜRK

Basic Concepts in Intrusion Detection

ETSI TS V ( )

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

PCS (GSM) 1900 Service Provider Number Portability

MAP Service Configuration Mode Commands

Advanced Mobile Technology Certification

SUA. Kalpana Uppalapati Swathi Paladugu Atmaram Palakodety

Oracle Communications Convergent Charging Controller. Mobile Application Part (MAP) Protocol Implementation Conformance Statement Release 6.

Advanced Intelligent Network for Wireless Communications

Interworking Internet Telephony and Wireless

COPYRIGHTED MATERIAL. Global System for Mobile Communications (GSM) 1.1 Circuit-Switched Data Transmission

EUROPEAN ETS TELECOMMUNICATION November 1996 STANDARD

PROACTIVE APPROACH. INTELLIGENT CYBERSECURITY. ptsecurity.com

Oracle Communications Network Charging and Control. Mobile Application Part (MAP) Protocol Implementation Conformance Statement Release 5.0.

Integrating Non Call-Related User Interactions in SIP Environment

2000 Performance Technologies, Inc.

Signaling System No. 7 (Zeichengabesystem Nr. 7)

Dimensioning, configuration and deployment of Radio Access Networks. part 1: General considerations. Mobile Telephony Networks

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

MNPTF PT2. NPM2V1F 17 july Mobile Number Portability Task Force : PT2 : Network Architecture and Signalling

Cellular Mobile Systems and Services (TCOM1010) GSM Architecture

Convergence of IP and Mobile Communications. Albert Coronel RedLink Communications Co., Ltd. MMNOG, November 21, 2015

HLR Configuration Mode Commands

3GPP TS V9.4.0 ( )

3GPP TS V ( )

Cybersecurity for Service Providers

OUR PRODUCTS. PT Application Firewall. PT Application Inspector. MaxPatrol

IC32E - Pre-Instructional Survey

Client Server Programming and GSM Networking Protocols (SS7 Signaling)

Oracle Communications Network Charging and Control. Messaging Manager Navigator Technical Guide Release: 4.4

Bypassing Web Application Firewalls

3GPP TS V ( )

Oracle Communications Network Charging and Control

SDN-Based Network Security Functions for VoIP and VoLTE Services

VeriSign Communications Services. IP Network Solutions. Outsourcing the Softswitch Functionality. Where it all comes together.

CONTENTS. Subscriber denial of service...9 Causes of vulnerabilities Recommendations for protection Conclusion... 13

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Transport of (Legacy) Signaling over IP. Summary of course scope

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

JP-3GA (R99) Technical realisation of Operator Determined Barring (ODB)

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

3GPP TS V8.1.0 ( )

EUROPEAN ETS TELECOMMUNICATION December 1991 STANDARD

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Transcription:

Sergey Puzankov Trojans in SS7 - how they bypass all security measures ptsecurity.com

SS7 in the 20 th century SCP STP STP SSP SCP SSP STP PSTN STP SSP SS7 (Signaling System #7): a set of telephony protocols used to set up and tear down telephone calls, send and receive SMS messages, provide subscriber mobility, and more

SS7 nowadays SIGTRAN (Signaling Transport): an extension of the SS7 protocol family that uses IP as transport

Why SS7 is not secure SIGTRAN LTE SIGTRAN Diameter Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world IWF/DEA

Governments and global organizations worried by SS7 security

Mobile operators and SS7 security Security configuration Security assessment SMS Home Routing Security monitoring SS7 firewall

Research and publications 2014 Signaling System 7 (SS7) security report 2014 Vulnerabilities of mobile Internet (GPRS) 2016 Primary security threats for SS7 cellular networks 2017 Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities) 2017 Threats to packet core security of 4G network 2018 SS7 vulnerabilities and attack exposure report

Network vulnerability statistics: SMS Home Routing Possibility of exploitation of some threats in networks with SMS Home Routing installed is greater than in networks without protection 67% of installed SMS Home Routing systems have been bypassed

Network vulnerability statistics: SS7 firewall Penetration level of SS7 firewalls on mobile networks: 2015 0% 2016 7% 2017 33% Filtering system alone cannot protect the network thoroughly

Basic nodes and identifiers MSISDN Mobile Subscriber Integrated Services Digital Number HLR Home Location Register GT Global Title, address of a core node element IMSI International Mobile Subscriber Identity MSC/VLR Mobile Switching Center and Visited Location Register STP Signaling Transfer Point SMS-C SMS Centre

IMSI An IMSI identifier, by itself, is not valuable to an intruder But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as: Location tracking Service disturbance SMS interception Voice call eavesdropping The IMSI is considered personal data as per GDPR.

SS7 messages for IMSI retrieval SendRoutingInfo SendIMSI SendRoutingInfoForLCS SendRoutingInfoForSM Should be blocked on the network border May be blocked on the HLR SMS Home Routing as a protection tool

SMS Home Routing bypass No. 1

SMS delivery with no SMS Home Routing in place SRI4SM SendRoutingInfoForSM HLR SMS-C 1. SRI4SM Request MSISDN STP 1. SRI4SM Request MSISDN 2. SRI4SM Response IMSI MSC Address 2. SRI4SM Response IMSI MSC Address 3. MT-SMS IMSI SMS Text 3. MT-SMS IMSI SMS Text MSC

SRI4SM abuse by a malefactor HLR 1. SRI4SM Request MSISDN 2. SRI4SM Response IMSI MSC Address STP 1. SRI4SM Request MSISDN 2. SRI4SM Response IMSI MSC Address MSC

SMS Home Routing HLR SMS-C 1. SRI4SM Request MSISDN STP 1. SRI4SM Request MSISDN SMS Router 4. SRI4SM Request MSISDN 2. SRI4SM Response Fake IMSI SMS-R Address 2. SRI4SM Response Fake IMSI SMS-R Address 5. SRI4SM Response Real IMSI MSC Address 3. MT-SMS Fake IMSI SMS Text 3. MT-SMS Fake IMSI SMS Text 6. MT-SMS Real IMSI SMS Text MSC

SMS Home Routing against malefactors HLR 1. SRI4SM Request MSISDN STP 1. SRI4SM Request MSISDN SMS Router 2. SRI4SM Response Fake IMSI SMS-R Address 2. SRI4SM Response Fake IMSI SMS-R Address MSC

Numbering plans E.164 MSISDN and GT 352 854 1231237 Country Code (Luxembourg) Network Destination Code E.212 IMSI 270 80 4564567894 Mobile Country Code (Luxembourg) Mobile Network Code E.214 Mobile GT 352 854 4564567894 Rule of GT Translation Operator HLR

STP routing table SS7 Message STP Routing Table STP HLR 1 Numbering Plan = E.214 OpCode = SRI4SM HLR 2 SMS Router

STP routing table SS7 Message STP Routing Table STP HLR 1 Numbering Plan = E.214 OpCode = SRI4SM E.214 Global Title Translation Table 352 + 854 + 0xxxxxxxxx 352 + 854 + 4xxxxxxxxx HLR 2 SMS Router

STP routing table SS7 Message STP Routing Table STP HLR 1 Numbering Plan = E.214 OpCode = SRI4SM E.214 Global Title Translation Table 352 + 854 + 0xxxxxxxxx 352 + 854 + 4xxxxxxxxx HLR 2 SMS Router

STP routing table SS7 Message STP Routing Table STP HLR 1 Numbering Plan = E.214 OpCode = SRI4SM E.214 Global Title Translation Table 352 + 854 + 0xxxxxxxxx 352 + 854 + 4xxxxxxxxx HLR 2 SMS Router

SendRoutingInfoForSM message Called Party Address = MSISDN

SMS Home Routing bypass attack STP HLR 1 STP Routing Table 1. SRI4SM Request E.214 / Random IMSI MSISDN 3. SRI4SM Response IMSI MSC address Numbering Plan = E.214 OpCode = SRI4SM E.214 Global Title Translation Table 352 + 854 + 0xxxxxxxxx 352 + 854 + 4xxxxxxxxx 2. SRI4SM Request E.214 / Random IMSI MSISDN HLR 2 SMS Router The malefactor needs to guess any IMSI from a HLR serving the target subscriber SMS Router is aside

SMS Home Routing bypass No. 2

SMS Home Routing definition 1. SRI4SM Request: MSISDN STP HLR SMS Router

SMS Home Routing definition 1. SRI4SM Request: MSISDN STP HLR 2. SRI4SM Request: MSISDN SMS Router

SMS Home Routing definition 1. SRI4SM Request: MSISDN STP HLR 2. SRI4SM Request: MSISDN SMS Router 3. SRI4SM Response: Fake IMSI, SMS-R address

SMS Home Routing definition 1. SRI4SM Request: MSISDN STP HLR 2. SRI4SM Request: MSISDN SMS Router 3. SRI4SM Response: Fake IMSI, SMS-R address Different IMSIs mean SMS Home Routing procedure is involved

TCAP Protocol TCAP Transaction Capabilities Application Part TCAP Message Type Begin, Continue, End, Abort Transaction IDs Source and/or Destination IDs Dialogue Portion Application Context Name (ACN) ACN Version Component Portion Operation Code Payload Application Context Name corresponds to a respective Operation Code

Application Context 0 CCITT 4 Identified Organization 0 ETSI 0 Mobile Domain 1 GSM/UMTS Network 0 Application Context ID 20 ShortMsgGateway 3 Version 3

Application Context change 0 CCITT 4 Identified Organization 0 ETSI 0 Mobile Domain 1 GSM/UMTS Network 0 Application Context ID 20 ShortMsgGateway 3 Version 3 0 CCITT 4 Identified Organization x Unknown 0 Mobile Domain 1 GSM/UMTS Network 0 Application Context ID 20 ShortMsgGateway 3 Version 3

SMS Home Routing bypass with malformed Application Context 1. SRI4SM Request: MSISDN Malformed ACN STP 1. SRI4SM Request: MSISDN Malformed ACN HLR SMS Router Malformed Application Context

SMS Home Routing bypass with malformed Application Context 1. SRI4SM Request: MSISDN Malformed ACN STP 1. SRI4SM Request: MSISDN Malformed ACN HLR 2. SRI4SM Response: IMSI, MSC 2. SRI4SM Response: IMSI, MSC SMS Router SMS Router is aside

SMS Home Routing bypass with malformed Application Context 1. SRI4SM Request: MSISDN Malformed ACN STP 1. SRI4SM Request: MSISDN Malformed ACN HLR 2. SRI4SM Response: IMSI, MSC 2. SRI4SM Response: IMSI, MSC SMS Router Equal IMSIs means the SMS Home Routing solution is absent or not involved

SS7 firewall bypass

SS7 firewall: typical deployment scheme STP 1. SS7 message 3. SS7 message HLR 2. SS7 message SS7 firewall

SS7 messages for IMSI retrieval SendRoutingInfo SendIMSI SendRoutingInfoForLCS SendRoutingInfoForSM Should be blocked on the network border May be blocked on the HLR SMS Home Routing as a protection tool

SS7 firewall: typical deployment scheme SRI SendRoutingInfo 1. SRI Request: MSISDN STP HLR 2. SRI Request: MSISDN SS7 firewall The message is blocked

Application Context change 0 CCITT 4 Identified Organization 0 ETSI 0 Mobile Domain 1 GSM/UMTS Network 0 Application Context ID 20 ShortMsgGateway 3 Version 3 0 CCITT 4 Identified Organization x Unknown 0 Mobile Domain 1 GSM/UMTS Network 0 Application Context ID 20 ShortMsgGateway 3 Version 3

SS7 firewall: bypass with malformed Application Context 1. SRI Request: MSISDN Malformed ACN STP 2. SRI Request: MSISDN Malformed ACN HLR SS7 firewall Malformed Application Context

SS7 firewall bypass with malformed Application Context 1. SRI Request: MSISDN Malformed ACN STP 2. SRI Request: MSISDN Malformed ACN HLR 3. SRI Response: IMSI, 3. SRI Response: IMSI, SS7 firewall SS7 firewall is aside

SS7 Trojan for location tracking

SMS delivery HLR 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 MSC 1 1. Mo-ForwardSM: A-Num, B-Num SMS-C 4. Mt-ForwardSM: A-Num, IMSI MSC 2 5. ReturnResultLast 5. ReturnResultLast

SMS spam through SS7 HLR 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 MSC 1 SMS-C MSC 2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast 5. ReturnResultLast

TCAP handshake as a protection measure HLR 4. SRI4SM: B-Num 5. SRI4SM: IMSI, MSC2 MSC 1 1. TCAP Begin: ACN = MoSMRelay 2. TCAP Continue 3. Mo-ForwardSM: A-Num, B-Num 9. ReturnResultLast SMS-C MSC 2 6. TCAP Begin: ACN = MtSMRelay 7. TCAP Continue 8. Mt-ForwardSM:A-Num, IMSI 9. ReturnResultLast

Location retrieval for intelligent network services AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive identity of a serving cell in order to perform a location-based service. This message is allowed for internal operations only. It should be prohibited in external connections. IN 1. AnyTimeInterrogation: MSISDN HLR 2. ProvideSubscriberInfo: IMSI MSC/VLR 4. AnyTimeInterrogation: CellID 3. ProvideSubscriberInfo: CellID

Blocking an illegitimate location request 1. AnyTimeInterrogation: MSISDN STP HLR 2. AnyTimeInterrogation: MSISDN SS7 firewall The message is blocked

TCAP handshake as an SS7 Trojan Is it possible to encapsulate a malformed location request into the protection mechanism and receive result?

SS7 firewall: bypass within a TCAP handshake 1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP HLR SS7 firewall MSC/VLR The AnyTimeInfoEnquiry is used in an AnyTimeInterrogation operation that responds with the serving Cell identity, which provides subscriber location to within ~100 meters

SS7 firewall: bypass within a TCAP handshake 1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 1. TCAP Begin: ACN = AnyTimeInfoEnquiry HLR SS7 firewall MSC/VLR The incoming signaling message does not contain an operation code, so the STP does not send it to the SS7 firewall for inspection

SS7 firewall: bypass within a TCAP handshake STP 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry HLR 2. TCAP Continue 2. TCAP Continue SS7 firewall MSC/VLR

SS7 firewall: bypass within a TCAP handshake STP 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry HLR 2. TCAP Continue 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue SS7 firewall MSC/VLR The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of normal TCAP Begin message.

SS7 firewall: bypass within a TCAP handshake STP 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry HLR 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue SS7 firewall MSC/VLR The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of normal TCAP Begin message. The STP routes this message to the node that is involved into the initial transaction.

SS7 firewall: bypass within a TCAP handshake 1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue HLR SS7 firewall 4. ProvideSubscriberInfo IMSI Cell ID MSC/VLR

SS7 firewall: bypass within a TCAP handshake 1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 5. AnyTimeinterrogation: Cell ID TCAP End 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 5. AnyTimeInterrogation: Cell ID TCAP End HLR SS7 firewall 4. ProvideSubscriberInfo IMSI Cell ID MSC/VLR SS7 firewall is aside

Main problems in SS7 security SS7 architecture flaws Configuration mistakes Software bugs

Things to remember 1. Deploying security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed. 2. Test the network. Penetration testing is a good practice to discover a lot of vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them. 3. Know the perimeter. Continuous security monitoring enables a mobile operator to know which vulnerabilities are exploited and, therefore, protect the network.

Thank you! Sergey Puzankov spuzankov@ptsecurity.com ptsecurity.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback