Security breaches in SS7 networks: threats, solutions and open issues
Computaris has already implemented a firewall solution filtering all traffic which can damage the network. The firewall can hide the subscribers’ information and therefore, when the attacker tries to use fake subscriber information, the network does not respond to the operations.
Slide 2: The SS7 Network is…
• robust, proven, reliable
• working for decades
But …
• interconnect is based on trust
• no protocol level security
• … no equivalent in SS7 of IP TLS, IPSec
Slide 3: What if…
• your calls could be recorded and you wouldn’t know about this?
• your subscriber’s location (cell id) could be tracked?
• somebody could deny your subscribers access to the network?
• somebody could alter the identity in the VLR when your users place calls?
Slide 4: Where can I find public information?
• Government (US Congress/FCC)
  • http://grayson.house.gov/index.php/newsroom/press-releases/314-grayson-asks-fcc-to-protect-privacy-of-americans-phone-calls
• Research
  • http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/
• Press
  • http://www.washingtonpost.com/business/technology/for-sale-systems-that-can-secretly-track-where-cellphone-users-go-around-the-globe/2014/08/24/f0700e8a-f003-11e3-bf76-447a5df6411f_story.html
Slide 6: Legitimate scenario: location update in HPLMN
• The roaming MSC (Visited MSC) requests network access for the subscriber from the HLR
• The HLR pushes subscriber data into the Visited MSC
• The HLR keeps a record that the subscriber roams in the given Visited MSC
Message flow (VMSC B, HLR B):
(1) LOCATION UPDATE, VMSC B → HLR B: CgPA = VMSC B, CdPA = HLR, [IMSI, VMSC]
(2) LOCATION UPDATE ACCEPTED, HLR B → VMSC B: CgPA = HLR, CdPA = VMSC B
(3) INSERT SUBSCRIBER DATA, HLR B → VMSC B: CgPA = HLR, CdPA = VMSC B, [MSISDN, SubscriberData]
Slide 7: Legitimate SMS delivery from a foreign network
• The foreign SMSC requests the VMSC & IMSI of the recipient (your subscriber)
• The HLR returns the VMSC address and IMSI
• The foreign SMSC connects to the VMSC and submits the SMS
Message flow (SMSC A, HLR B, VMSC B):
(1) SRI-SM, SMSC A → HLR B: CgPA = SMSC, CdPA = MSISDN, [Service Centre, MSISDN]
(2) SRI-SM ANSWER, HLR B → SMSC A: CgPA = HLR, CdPA = SMSC, [VMSC, IMSI]
(3) MT-FORWARD-SM, SMSC A → VMSC B: CgPA = SMSC, CdPA = VMSC B, [IMSI, SMS]
Slide 9: Obtain subscriber IMSI & roaming MSC
• The breached network has a roaming agreement with the target network
• The malicious application is any application capable of sending MAP messages, with SS7/SIGTRAN access to an STP
• The malicious application is able to impersonate the real SMSC by setting the CgPA
• The HLR in the target network receives the same SRI-SM as one originated by the real SMSC
Message flow (Malicious Application, HLR B):
(1) SRI-SM, Malicious Application → HLR B: CgPA = SMSC, CdPA = MSISDN, [Service Centre, MSISDN]
(2) SRI-SM ANSWER, HLR B → Malicious Application: CgPA = HLR, CdPA = SMSC, [VMSC, IMSI]
Slide 10: Modify O-CSI in VMSC: your calls can be recorded
• The malicious application uses the previously obtained IMSI and VMSC
• The malicious application modifies subscriber data in the Visited MSC, in this case the O-CSI
• The VMSC has no standard mechanism to detect whether this is a legitimate request or not
• Whenever the target subscriber originates a call, the VMSC hands call control (via CAP) to the node defined within the O-CSI. This node can record the call and connect it to the intended destination.
Message flow (Malicious Application, VMSC B):
(1) INSERT-SUBSCRIBER-DATA, Malicious Application → VMSC B: CgPA = SMSC, CdPA = VMSC B, [SubscriberData(O-CSI)]
Slide 11: Retrieve subscriber location: your location can be tracked
• The malicious application uses the previously obtained IMSI and VMSC
• The malicious application requests current location information from the Visited MSC
• The VMSC has no standard mechanism to detect whether this is a legitimate request or not
Message flow (Malicious Application, VMSC B):
(1) PROVIDE SUBSCRIPTION INFORMATION (PSI), Malicious Application → VMSC B: CgPA = GMSC, CdPA = VMSC B, [requestedInfo (currentLocation)]
(2) SUBSCRIPTION INFORMATION, VMSC B → Malicious Application: CgPA = VMSC B, CdPA = GMSC, [CellId]
Slide 12: Modify MSISDN in VMSC: you can spoof your MSISDN
• The malicious application uses the previously obtained IMSI and VMSC
• The malicious application modifies subscriber data in the Visited MSC, in this case the MSISDN
• The VMSC has no standard mechanism to detect whether this is a legitimate request or not
• Whenever the target subscriber originates a call, the modified MSISDN is used as the calling party
Message flow (Malicious Application, VMSC B):
(1) INSERT-SUBSCRIBER-DATA, Malicious Application → VMSC B: CgPA = SMSC, CdPA = VMSC B, [SubscriberData(MSISDN)]
Slide 13: Modify ODB in VMSC: somebody can block your calls
• The malicious application uses the previously obtained IMSI and VMSC
• The malicious application modifies subscriber data in the Visited MSC, in this case the ODB setting (BAOC, barring of all outgoing calls)
• The VMSC has no standard mechanism to detect whether this is a legitimate request or not
• Whenever the target subscriber tries to originate a call, the BAOC setting will not allow the call to take place
Message flow (Malicious Application, VMSC B):
(1) INSERT-SUBSCRIBER-DATA, Malicious Application → VMSC B: CgPA = SMSC, CdPA = VMSC B, [SubscriberData(BAOC)]
Slide 14: Easy answers?
• Block SRI-SM requests in the STP
  • Can’t block all SRI-SM messages, since we would kill the SMS service for all our subscribers
• Block all SRI-SM requests coming from unknown addresses
  • MAP allows an application to spoof the SCCP CgPA
Slide 15: Easy answers?
• Block ISD requests in the STP
  • Can’t block all ISD messages, since we would kill the voice service for all our subscribers
• Block all ISD requests coming from interconnect links
  • Can’t block all ISD messages, since we would kill the voice service for all our in-roamers
Slide 16: What an SS7 firewall does…
• Protects your subscribers’ data in the MSC
• Protects your subscribers’ location in the network
• Allows legitimate traffic to flow without disruption
Slide 17: Never expose the real IMSI to untrusted entities
• All SRI-SM requests are routed by the STP towards the MAP filter
• The MAP filter decides that the current request is untrustworthy, forwards the request to the HLR and stores the real IMSI and VMSC received from the HLR
• The MAP filter returns to the untrusted application a fake IMSI and a fake VMSC address; the fake VMSC address is the MAP filter’s own address
Message flow (Untrusted Application, MAP Filter, HLR B):
(1) SRI-SM, Untrusted Application → MAP Filter: CgPA = SMSC, CdPA = MSISDN, [Service Centre, MSISDN]
(2) SRI-SM, MAP Filter → HLR B: CgPA = SMSC, CdPA = MSISDN, [Service Centre, MSISDN]
(3) SRI-SM ANSWER, HLR B → MAP Filter: CgPA = HLR, CdPA = SMSC, [VMSC, IMSI]
(4) SRI-SM ANSWER, MAP Filter → Untrusted Application: CgPA = HLR, CdPA = SMSC, [Fake VMSC, Fake IMSI]
Slide 18: Untrusted application is in fact legitimate
• If the untrusted application is in fact a legitimate SMSC trying to deliver an MT SMS, then after the SRI-SM the SMSC delivers the MT SMS to the VMSC address obtained at SRI-SM (the MAP filter)
• The MAP filter decides that this is a legitimate request, retrieves the real IMSI and real VMSC based on the received fake IMSI, and then delivers the MT SMS to the real VMSC using the real IMSI
• The MT SMS response is proxied back to the SMSC
Message flow (Legitimate SMSC, MAP Filter, VMSC B):
(1) MT-FORWARD-SM, Legitimate SMSC → MAP Filter: CgPA = SMSC, CdPA = MAP Filter, [Fake IMSI, MT-SMS]
(2) MT-FORWARD-SM, MAP Filter → VMSC B: CgPA = SMSC, CdPA = VMSC B, [IMSI, MT-SMS]
(3) MT-FORWARD-SM ANSWER, VMSC B → MAP Filter: CgPA = VMSC B, CdPA = MAP Filter, [Delivery Status]
(4) MT-FORWARD-SM ANSWER, MAP Filter → Legitimate SMSC: CgPA = MAP Filter, CdPA = SMSC, [Delivery Status]
Slide 19: Untrusted application is in fact malicious
• If the untrusted application is in fact a malicious application trying to alter subscriber data in the VMSC, then after the SRI-SM the malicious application tries to insert data into the VMSC obtained at SRI-SM (the MAP filter)
• The MAP filter decides that this is a malicious request; it can provide a fake answer back to the malicious application (“OK, I have inserted the data”), it can reject the ISD, or it can silently drop the request
• The subscriber data in the VMSC is thus protected
Message flow (Malicious Application, MAP Filter; the protected VMSC B is never reached):
(1) INSERT-SUBSCRIBER-DATA, Malicious Application → MAP Filter: CgPA = SMSC, CdPA = MAP Filter, [SubscriberData(O-CSI)]
(2) INSERT-SUBSCRIBER-DATA ANSWER, MAP Filter → Malicious Application: CgPA = MAP Filter, CdPA = SMSC, [OK]
Slide 20: Untrusted application is in fact malicious…
• If the untrusted application is in fact a malicious application trying to retrieve subscriber location from the VMSC, then after the SRI-SM the malicious application tries to request current location data from the VMSC obtained at SRI-SM (the MAP filter)
• The MAP filter decides that this is a malicious request; it can provide a fake answer back to the malicious application (“here is some fake cell id”), it can reject the PSI, or it can silently drop the request
• The subscriber location is thus protected
Message flow (Malicious Application, MAP Filter; the protected VMSC B is never reached):
(1) PROVIDE SUBSCRIPTION INFORMATION (PSI), Malicious Application → MAP Filter: CgPA = GMSC, CdPA = VMSC B, [requestedInfo (currentLocation)]
(2) PROVIDE SUBSCRIPTION INFORMATION ANSWER, MAP Filter → Malicious Application: CgPA = MAP Filter, CdPA = GMSC, [fake cell id]
Slide 21: How does this work?
• The message is received and decoded; the incoming parameters are extracted (SCCP CgPA, CdPA, TCAP context, MAP parameters)
• Context data (e.g. the fake IMSI carried in the request) is looked up in the in-memory data store
• The rule engine decides, based on the input parameters and on the context data, what treatment should be applied to the incoming message
• The action returned by the rule engine is applied
Architecture (diagram): MAP REQUEST (CgPA, CdPA, [MAP Parameters]) → MAP filter → get context data from the in-memory data store → rule engine determines the treatment of the current request → Action
Slide 22: SS7 firewall behaviour
• RELAY – the incoming request is relayed at SCCP level towards the requested destination
• ABORT – the incoming request is responded to with a TCAP_U_ABORT
• DROP – the incoming request is silently dropped; no response is provided back
• FAKE – the incoming request is answered with a default fake answer (the fake answer message is configurable per MAP operation)
• PROXY – the incoming message is proxied by the MAP filter to the destination node; the MAP filter also proxies the responses back and hides the real data (e.g. fake IMSI)
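The decision flow of slides 17 to 22 as an added Python model; this is not Computaris’ product code, and the node addresses, the message dict layout, the trusted-address set and the fake-IMSI numbering are assumptions made for the example. It shows how a context store keyed by fake IMSI lets a legitimate MT-FORWARD-SM still reach the real VMSC while ISD and PSI requests from untrusted sources get FAKE answers; the page’s “PROVIDE SUBSCRIPTION INFORMATION” is the MAP provideSubscriberInfo operation, abbreviated PSI here as on slide 20.

```python
# Added toy model of the MAP-filter rule engine (slides 17-22); not Computaris' code.
# Addresses, the message dict layout and the trusted-address set are constructed.
import itertools

FILTER_ADDR = "MAP-Filter"            # the filter's own SCCP address (assumed)
TRUSTED_CGPA = {"SMSC-B", "HLR-B"}    # constructed home nodes; slide 14 notes CgPA can be spoofed
FAKE_CELL_ID = "00000000"             # constructed default FAKE answer for PSI


class MapFilter:
    def __init__(self, hlr):
        self.hlr = hlr                # stand-in for HLR B: MSISDN -> (real IMSI, real VMSC)
        self.context = {}             # in-memory data store: fake IMSI -> (real IMSI, real VMSC)
        self._seq = itertools.count(1)

    def treat(self, msg):
        """Return (action, reply) for one decoded request {"cgpa", "cdpa", "op", "params"};
        action is one of RELAY / ABORT / DROP / FAKE / PROXY from slide 22."""
        op, p = msg["op"], msg["params"]
        if msg["cgpa"] in TRUSTED_CGPA:            # own nodes: relay at SCCP level
            return "RELAY", None
        if op == "SRI-SM":                         # slide 17: never expose the real IMSI
            real = self.hlr.get(p["msisdn"])
            if real is None:                       # unknown subscriber: TCAP_U_ABORT
                return "ABORT", None
            fake_imsi = "99999%010d" % next(self._seq)
            self.context[fake_imsi] = real         # remember mapping for the follow-up request
            return "PROXY", {"vmsc": FILTER_ADDR, "imsi": fake_imsi}
        ctx = self.context.get(p.get("imsi"))
        if op == "MT-FORWARD-SM" and ctx:          # slide 18: legitimate SMSC, deliver for real
            real_imsi, real_vmsc = ctx
            return "PROXY", {"cdpa": real_vmsc, "imsi": real_imsi, "sms": p["sms"]}
        if op == "INSERT-SUBSCRIBER-DATA":         # slide 19: claim success, change nothing
            return "FAKE", {"result": "OK"}
        if op == "PSI":                            # slide 20 (provideSubscriberInfo): fake cell id
            return "FAKE", {"cellId": FAKE_CELL_ID}
        return "DROP", None                        # anything else from an untrusted source


def run_scenario():
    """Replay slides 17-19 against one filter; returns the three (action, reply) pairs."""
    f = MapFilter({"+40700000001": ("226010000000001", "VMSC-B")})  # constructed subscriber
    sri = f.treat({"cgpa": "SMSC-X", "cdpa": "+40700000001", "op": "SRI-SM",
                   "params": {"msisdn": "+40700000001"}})
    mt = f.treat({"cgpa": "SMSC-X", "cdpa": sri[1]["vmsc"], "op": "MT-FORWARD-SM",
                  "params": {"imsi": sri[1]["imsi"], "sms": "hello"}})
    isd = f.treat({"cgpa": "SMSC-X", "cdpa": sri[1]["vmsc"], "op": "INSERT-SUBSCRIBER-DATA",
                   "params": {"imsi": sri[1]["imsi"], "subscriberData": "O-CSI"}})
    return sri, mt, isd
```

Because the trust decision here is keyed on CgPA, which slide 14 says can be spoofed, a real deployment relies on the STP routing every SRI-SM through the filter rather than on this set alone.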