Effective SS7 protection ITU Workshop on SS7 Security, June 29 th 2016 Luca Melette <luca@srlabs.de> SRLabs Template v12
Motivation: Operators and their users still vulnerable to SS7 attacks
Agenda 3 attack scenarios 10 attack messages 4 defense measures 3
SS7 enables mobile abuse on different frontiers Attacker objective A Tracking Find subscriber s whereabouts B C Intercept Fraud Listen to calls, read short messages, intercept Internet traffic Make illegitimate calls/send SMS; disable usage limits 4
A Tracking through ATI has become commonplace Phone number (MSISDN) Subscriber location (LAC or Cell ID or GPS) AnytimeInterrogation 5
AnytimeInterrogation is blocked now in a lot of places. Tracking still works, though! 6
A Accurate tracking is possible with standard messages Shown in 60 Minutes Attack Probe MSC for subscriber location MSC HLR STP Attacker LAC/CID database SRI-SM [MSISDN] ACK [MSC, IMSI] Variant: Start here and send PSI to all MSCs PSI [IMSI] ACK [LAC,CID] 7
A Tracking can happen using many more signaling messages Send to phone number or all HLRs or directly to MSC Phone number (MSISDN) Subscriber location (LAC or Cell ID or GPS) AnytimeInterrogation SRI/-SM IMSI & MSC Impersonate HLR towards MSC: SendIMSI Brute-force all MSCs ProvideRN InsertSubData ForwardSM SRI-GPRS IMSI MSC PSI PSL 8
B Remote intercept is possible through Camel Shown in 60 Minutes Attack Rewrite numbers over Camel 2. Phone calls, is called, or sends an SMS MSC Call out Call in SMS out 1.InsertSubscriber- Data(Camel server) sets triggering points 3. Sends destination number to Camel server for verification SMS in Call intercept works for all Camel versions SMS intercept requires Camel v3 SS7 STP 4. Corrects number gsmscf Attacker MITM server 5.Connects call or sends SMS to attacker 9
B Location update also achieves remote intercept Shown in 60 Minutes Attack Register as subscriber HLR Real MSC Attacker MSC Call out Call in UpdateLocation [IMSI] SMS out SMS in Connects all incoming calls and SMS Forward call/sms to reach subscriber 10
C Selective denial-of-service is possible remotely Signaling message CancelLocation DeleteSubData InsertSubData PurgeMS Send to MSC MSC MSC HLR Effect For some phones: No service until reboot Nothing works until next LU No Incoming SMS / Calls 11
Agenda 3 attack scenarios 10 attack messages 4 defense measures 12
SS7 attacks are happening across the words Some Thousands Millions Observed attacks [GSMA FASG reports] Attack message Orange 22 countries Vodafone 19 cntrs Deutsche Telekom (Germany) NTT (Japan) 1. ATI 2. SRI-(SM) Tracking 3. PSI? 4. PSL? - 5. SendIMSI Remote intercept 6. ActivateSS 7. Update location 8. ISD? No measurements reported to the FASG so far Fraud 9. DSD 10. SendID 13
Attacks originate in a diverse set of networks Attacking network Africa Middle East South America Other Orange Vodafone Deutsche Telekom Morocco Seychelles Gabon Egypt Madagascar Ghana Niger Morocco Seychelles Ethiopia Morocco Nigeria NTT Ethiopia Saudi Arabia Qatar Qatar Qatar Iran Iran Oman Bolivia Peru Chile Mexico Bolivia Peru UK Albania Bosnia China 14
Agenda 3 attack scenarios 10 attack messages 4 defense measures 15
An SS7 firewall is necessary to defend from advanced attacks Defense Drop these messages Messages 1. ATI Where 1 Block 2. SRI 5. SendIMSI STP 10.SendID Re-route Home-routing + IMSI obfuscation 2. SRI-SM 2 HLR Check origin Check location Compare GT and IMSI: Is the operator asking about their own subscriber? Compare GT with subscriber location: Is your subscriber in that country? 3. PSI 8. ISD 9. DSD 6. ActivateSS 7. UpdateLoc 3 Simple SS7 firewall State-full SS7 firewall -orsimple firewall + ATI 4 + Monitor, Monitor, Monitor! 16
Take away It s about time to solve 99% of the current SS7 problem by addressing 3 attack scenarios (Track, Intercept, Fraud)... which rely on 10 SS7 messages... that we can rejected using just 4 defense measures: STP, HLR, SS7 Firewall, and Monitoring! Questions? Luca Melette <luca@srlabs.de> 17
18
Protection from SS7 threats varies; can be improved Exposure scan available from SRLabs Threat category Unprotected Standard attacks prevented Illustrative Advanced attacks prevented A B C Tracking Remotely query subscriber location Intercept Read SMS or listen to calls, locally or remotely Denial-of-service Remotely disrupt subscribers service D Fraud Add premium number charges to bill E Spam Subscribers with SMS $Operator protection level 19
B Local and remote intercept is enabled through various signaling messages Objective Attack path Local intercept (calls and SMS; in and out) Passive intercept (2G/3G) Fake base station (2G/3G) Intercepted calls/sms including IMSI Attacked phone; IMSI SendIdentification SendIdentification SendAuthInfo Encryption key Authentication & encryption key Remote intercept (starting from IMSI + MSC) Calls (incoming) Calls (in & out) Phone number Phone number SS_activate UpdateLocation InsertSubscriberData (expires with LU) Receive call and forward to correct MSC (or do SS_erase) Man-in-the-middle -or- Spoof voicemail and forward later SMS (incoming) Phone number UpdateLocation Receive (and forward) SMS RestoreData Find phone number IMSI Update- Location InsertSubscriber- Data MSISDN 20
Not all SS7 attacks can simply be blocked Abuse scenario 1 Local passive intercept Example SS7 attack message SendIdentification Mitigation effort Easy Block message at network boundary 2 3 IMSI Catcher Rerouting attacks SendAuthenticationInfo SS_activate/register UpdateLocation Camel messages (Probably others) More complex Messages are required for operations, need to be plausibility-checked 21
STP is the central instance for SS7 filtering Interconnect Core network Roaming partners SCP Other networks SCCP carriers STP MSC HLR Attacker SMSC Attacker strategy STP defense Impersonate interconnect partners Address target elements by GT or SSN Issue unexpected MAP commands Block. Verify that CgPA belongs to a trusted partner L3 Firewall. Enforce GT / SSN relationships L7 Firewall. Enforce MAP / GT relationships 22