SlideShare a Scribd company logo

Worldwide attacks on SS7/SIGTRAN network

P
P1Security

Publication performed by Alexandre De Oliveira and Pierre-Olivier Vauboin during Hackito Ergo Sum 2014 Mobile telecommunication networks are complex and provide a wide range of services, making them a tempting target for fraudsters and for intelligence agencies. Moreover, the architecture, equipment and protocols used on these networks were never designed with security in mind, availability being the first concern. Today, even though some telecom operators are investing money into securing their network, events confirm that for most of them maturity in term of security is yet to come, as recently shown with the example of massive traffic interception on compromised SCCP and GRX providers like Belgacom’s BICS. Here we present the most typical and legitimate telecom callflows from making a mobile phone call to sending a SMS. Then we describe the protocol layers involved and how to abuse them, which fields can be manipulated in order to attack both the operator infrastructure and its subscribers. Finally, we show a real life example of scan performed from an international SS7 interconnection and practical attacks on subscribers such as spam, spoofed SMS and user location tracking.

TechnologyBusiness
1 of 50
Download to read offline
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Worldwide attacks on SS7 network P1 Security – Hackito Ergo Sum 26th April 2014 Pierre-Olivier Vauboin (po@p1sec.com) Alexandre De Oliveira (alex@p1sec.com)
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Telecom Overview Evolution from 2G to 3G
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Practical Attack Scenarios SS7 Attack Vectors
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Siemens MSC MSC: 5-50 per MNO Connected to 20-50 BSC In charge of call establishment Interfaces the BSC toward the rest of the network Connects the calls of the mobile users UE is attached to one MSC MAP Protocol Generates CDR (Charging Data Record) Security impact: Key compromise, content compromise, regional DoS, location tracking, … MSC Mobile Switching Center
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved HLR: 1-20 per MNO “Heart” of SS7 / SIGTRAN Subscriber database IMSI Authentication (AuC) : Ki Current subscriber location Supplementary services Queries from international partners (roaming) MAP Protocol Security impact: Key compromise, global DoS HLR / HSS Home Location Register Home Subscriber Server NSN HLR / HSS
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved HLR / HSS Home Location Register Home Subscriber Server I’m Root !
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Global SS7 network • Private and secure SS7 network ? • Interconnects many actors • Different views depending on interconnection point • Malicious entry point to SS7 network: • Through any unsecure operator and attack other operators from there • From Network Element OAM interface exposed on Internet • Through compromised Femto Cell • … and more …
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SS7 / SIGTRAN Stack Protocol Layers SIGTRAN MAP Stack SIGTRAN Adaptation Layer SS7 Session Layer Routing Layer Application Layer
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SS7 / SIGTRAN Stack Addressing schemes Point Code (PC) 14 or 24 bits address. Equivalent to MAC address. Global Title (GT) Length up to 15 digits. Looks like a phone number. Equivalent to IP address. SubSystem Number (SSN) Identifies application or service on Network Elements. Equivalent to TCP port. In Telecom networks a multitude of addressing schemes are used to identify Network Elements, subscribers, applications International Mobile Subscriber Identity (IMSI) SIM card number International Mobile Equipment Identity (IMEI) Device serial number Mobile Subscriber ISDN Number (MSISDN) Phone number SS7 Routing criteria: PC / GT / SSN or combo STP NE NE
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved • Abusing legitimate messages (SRISM, SRI, ATI, …) • Sending from any international SS7 interconnection • Steps: • Discovery scan and GT mapping: SCCP + TCAP • Advanced attacks: specific MAP messages • Targets: • Attacking operators infrastructure • Attacking subscribers Practical Attack Scenarios Scan methodology
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Discovery phase • Publicly available information • International PC lists • GT prefix / country / operator • Subscriber MSISDN lists • Probing from UE • SS codes: *#61# • Send SMS to your own SMSC to find your current MSC • Changing GT prefix length • Scan around confirmed targets Finding the first targets
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Discovery phase TCAP scan example Scan ! HLR Found!
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved 2G / 3G Network Mapping Active Network Mapping
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Spying on users
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Tracking user location • Based on non filtered MAP messages • SRISM / SRI • PSI / PSL • ATI … • Targeted towards HLR or MSC / VLR • Accuracy: • Depending on type of message allowed • MSC GT (Accuracy: City / Region) • CellID (Accuracy: Street)
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Tracking user locationGet MSC / VLR / CellID from SS7 (Example with MAP ATI) $ python src/p1ss7ng/mapgsm_cellid.py 02f8xx002c9084 Mobile Country Code (MCC) : 208 (France) Mobile Network Code (MNC) : xx (French Operator) Location Area Code (LAC) : 194 Cell ID : 23 VLR GT12345000123 12345000123 MSC GT 02f802002c9084 Cell ID
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Tracking user locationOpen CellID databases
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Tracking user location Low accuracy (MSC based location) Source: Tobias Engel (CCC)
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Sending SMS MO / MT ForwardSM • MAP messages • MO: Mobile Originating • MT: Mobile Terminating • SMSC: SMS Center (SMSC GT list is public) MSCMSC SMSC MAP MO ForwardSM MAP MT ForwardSM
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Sending SMS Prerequisite to SMS: MAP SRISM SMSC MSC MT MT
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SendRoutingInfoForSM SS7 MAP SRISM SCCP Dst GT == MSISDN Destination phone number (MSISDN): 12340000001 SSN HLR
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Answer to SRISM RoutingInfoForSM-Res ::= SEQUENCE { imsi IMSI, locationInfoWithLMSI[0] LocationInfoWithLMSI, extensionContainer [4] ExtensionContainer OPTIONAL, ..., ip-sm-gwGuidance [5] IP-SM-GW-Guidance OPTIONAL } Answer comes from HLR Get IMSI for requested MSISDN Contains MSC GT • Both IMSI and MSC GT are required to send MAP MT Forward SM
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Answer to SRISM SRISM answer reveals MSC GT and IMSI MSC GT IMSI
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SMS attacks • Sending spam SMS • Sending spoof SMS • Bypassing SMS firewall • Anti Spam protections • MT FSM directly targeting MSC • Directly sent from signalling protocol
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SMS attacks Based on MAP MT-FSM (Mobile Terminated Forward Short Message) Originating phone number MAP MT FSM SMS content Spoof here ! 12345000123 IMSI MSC GT
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Originating Address Try different encodings ! (Different screening rules) 12345000001 Hackito
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SMS spoofing Spoofing police ! Also works with other special numbers: • Emergency number • Voice Mail number • Operators services • Other subscribers
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Counter measures • SMS home routing • SMS firewalls • All incoming MAP MT Forward SM are routed to SMS firewall for inspection • Prevents against SMS attacks: • SMS spam is detected and rejected • SMS spoofed is detected and rejected Protecting against SMS attacks
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SMS Home Routing Protecting users privacy / Protecting against spam SMS SMSC
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved MSC MT MT SMS Home Routing SMS are routed to SMS firewall for inspection SMS FirewallSMSC
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Counter Counter measures ? • Can you actually bypass SMS firewalls ? • YES ! • How ? • Directly sending MT Forward SM to MSC • Route through SMS firewall is usually not enforced ! • This requires to scan and discover all available MSC prior to send SMS • Possible in a few hours • MSC number: typically < 50 • Also require target IMSI (SRI / SRISM / sendIMSI) How to bypass protections
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SMS Firewall bypassed https://saas.p1sec.com/vulns/112 P1 Vulnerability Knowledge Base P1VID#112
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Telcomap project
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Worldwide discovery • Discovery scan from international SS7 interconnection • Targets: all operators / all countries • Currently implemented testcases: • GT/SSN discovery scan (SCCP / TCAP) • MSISDN range scan (MAP SRI) • More to come… SS7map: Scanning the worldwide SS7 network
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SS7 Map Telecom Networks SS7 Exposure
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved GRX Map PS, GPRS, LTE http://sniffmap.telcomap.org/grx/
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Galaxy Map ShodanHQ-like but for Telco Shodan is only 10% coverage of Telco OAM and Signaling But useful to “prove” the seriousness: anyone can get access… from Internet
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Sniffmap Map of Five Eyes interception http://sniffmap.telcomap.org/
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Attack surface Telcomaps Sniff Map SS7 Map GRX Map Galaxy Map
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Going further • MAP specification: 3GPP TS 29.002 http://www.3gpp.org/DynaReport/29002.htm • SMS specification: 3GPP TS 23.040 http://www.3gpp.org/DynaReport/23040.htm • SMS Home routing specification: 3GPP TS 23.840 http://www.3gpp.org/DynaReport/23840.htm • Locating mobile phones using MSC GT (CCC) http://events.ccc.de/congress/2008/Fahrplan/attachments/1262_25c3-locating-mobile- phones.pdf • Description of MAP usual callflows http://www.netlab.tkk.fi/opetus/s383115/2007/kalvot/3115L7-9e.pdf • P1 Security SaaS and Vulnerability Knowledge Base https://saas.p1sec.com/ • SMS Gateways http://www.vianett.com/ • Open Cell ID databases / API http://opencellids.org/
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Thank you ! Questions ? Thanks to P1 Security team Questions to: po@p1sec.com alex@p1sec.com
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Back up demo
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Back up demo
P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Back up demo

Recommended

Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elements
P1Security
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
P1Security
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 network
Alexandre De Oliveira
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...
DefCamp
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
P1Security
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
P1Security
 

Recommended

Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elements
P1Security
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
P1Security
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 network
Alexandre De Oliveira
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...
DefCamp
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
P1Security
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
P1Security
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
P1Security
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOs
PositiveTechnologies
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Alejandro Corletti Estrada
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX network
Alexandre De Oliveira
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
PositiveTechnologies
 
SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest link
PositiveTechnologies
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
Jim Geovedi
 
SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.
3G4G
 
Positive approach to security of Core networks
Positive approach to security of Core networksPositive approach to security of Core networks
Positive approach to security of Core networks
PositiveTechnologies
 
Intermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular NetworksIntermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular Networks
3G4G
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasures
PositiveTechnologies
 
Telecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenes
PositiveTechnologies
 
Simjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilitySimjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerability
PositiveTechnologies
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
Shakacon
 
Beginners: UICC & SIM
Beginners: UICC & SIMBeginners: UICC & SIM
Beginners: UICC & SIM
3G4G
 
Packet core network basics
Packet core network basicsPacket core network basics
Packet core network basics
Mustafa Golam
 
IMS ENUM & DNS Mechanism
IMS ENUM & DNS MechanismIMS ENUM & DNS Mechanism
IMS ENUM & DNS Mechanism
Houman Sadeghi Kaji
 
Basic GSM Call Flows
Basic GSM Call FlowsBasic GSM Call Flows
Basic GSM Call Flows
emyl97
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li In
mhaviv
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)
Hamidreza Bolhasani
 
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2016
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
EC-Council
 

More Related Content

What's hot

Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Alejandro Corletti Estrada
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX network
Alexandre De Oliveira
 
Positive approach to security of Core networks
Positive approach to security of Core networksPositive approach to security of Core networks
Positive approach to security of Core networks
PositiveTechnologies
 
Telecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenes
PositiveTechnologies
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
Shakacon
 

What's hot (20)

Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOs
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX network
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
 
SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest link
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
 
SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.
 
Positive approach to security of Core networks
Positive approach to security of Core networksPositive approach to security of Core networks
Positive approach to security of Core networks
 
Intermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular NetworksIntermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular Networks
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasures
 
Telecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenes
 
Simjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilitySimjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerability
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
 
Beginners: UICC & SIM
Beginners: UICC & SIMBeginners: UICC & SIM
Beginners: UICC & SIM
 
Packet core network basics
Packet core network basicsPacket core network basics
Packet core network basics
 
IMS ENUM & DNS Mechanism
IMS ENUM & DNS MechanismIMS ENUM & DNS Mechanism
IMS ENUM & DNS Mechanism
 
Basic GSM Call Flows
Basic GSM Call FlowsBasic GSM Call Flows
Basic GSM Call Flows
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li In
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)
 

Similar to Worldwide attacks on SS7/SIGTRAN network

festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2016
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
EC-Council
 
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowejPLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PROIDEA
 
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
Chrysostomos Christofi
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...
EC-Council
 
RCS Demo HackingTeam
RCS Demo HackingTeam RCS Demo HackingTeam
RCS Demo HackingTeam
OWASP Foundation
 

Similar to Worldwide attacks on SS7/SIGTRAN network (20)

festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...
 
[CLASS 2014] Palestra Técnica - Delfin Rodillas
[CLASS 2014] Palestra Técnica - Delfin Rodillas[CLASS 2014] Palestra Técnica - Delfin Rodillas
[CLASS 2014] Palestra Técnica - Delfin Rodillas
 
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
 
NEETU CV .
NEETU CV .NEETU CV .
NEETU CV .
 
IBM z/OS Communications Server z/OS Encryption Readiness Technology (zERT)
IBM z/OS Communications Server z/OS Encryption Readiness Technology (zERT)IBM z/OS Communications Server z/OS Encryption Readiness Technology (zERT)
IBM z/OS Communications Server z/OS Encryption Readiness Technology (zERT)
 
SMEC ICT Business Division
SMEC ICT Business DivisionSMEC ICT Business Division
SMEC ICT Business Division
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 
Netfors - general presentation
Netfors - general presentationNetfors - general presentation
Netfors - general presentation
 
Telecom Security
Telecom SecurityTelecom Security
Telecom Security
 
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowejPLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
 
Attacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdf
Attacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdfAttacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdf
Attacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdf
 
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...
 
RCS Demo HackingTeam
RCS Demo HackingTeam RCS Demo HackingTeam
RCS Demo HackingTeam
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical Overview
 
SS7/Sigtran Applications ( HLR, EIR, INSCP, USSD, SMSC etc)
SS7/Sigtran Applications ( HLR, EIR, INSCP, USSD, SMSC etc)SS7/Sigtran Applications ( HLR, EIR, INSCP, USSD, SMSC etc)
SS7/Sigtran Applications ( HLR, EIR, INSCP, USSD, SMSC etc)
 
Netfors - STP/ITP and Signaling Gateway
Netfors - STP/ITP and Signaling GatewayNetfors - STP/ITP and Signaling Gateway
Netfors - STP/ITP and Signaling Gateway
 

Recently uploaded

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Recently uploaded (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Worldwide attacks on SS7/SIGTRAN network

  • 1. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Worldwide attacks on SS7 network P1 Security – Hackito Ergo Sum 26th April 2014 Pierre-Olivier Vauboin (po@p1sec.com) Alexandre De Oliveira (alex@p1sec.com)
  • 2. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
  • 3. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Telecom Overview Evolution from 2G to 3G
  • 4. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Practical Attack Scenarios SS7 Attack Vectors
  • 5. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
  • 6. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Siemens MSC MSC: 5-50 per MNO Connected to 20-50 BSC In charge of call establishment Interfaces the BSC toward the rest of the network Connects the calls of the mobile users UE is attached to one MSC MAP Protocol Generates CDR (Charging Data Record) Security impact: Key compromise, content compromise, regional DoS, location tracking, … MSC Mobile Switching Center
  • 7. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved HLR: 1-20 per MNO “Heart” of SS7 / SIGTRAN Subscriber database IMSI Authentication (AuC) : Ki Current subscriber location Supplementary services Queries from international partners (roaming) MAP Protocol Security impact: Key compromise, global DoS HLR / HSS Home Location Register Home Subscriber Server NSN HLR / HSS
  • 8. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved HLR / HSS Home Location Register Home Subscriber Server I’m Root !
  • 9. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
  • 10. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Global SS7 network • Private and secure SS7 network ? • Interconnects many actors • Different views depending on interconnection point • Malicious entry point to SS7 network: • Through any unsecure operator and attack other operators from there • From Network Element OAM interface exposed on Internet • Through compromised Femto Cell • … and more …
  • 11. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SS7 / SIGTRAN Stack Protocol Layers SIGTRAN MAP Stack SIGTRAN Adaptation Layer SS7 Session Layer Routing Layer Application Layer
  • 12. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SS7 / SIGTRAN Stack Addressing schemes Point Code (PC) 14 or 24 bits address. Equivalent to MAC address. Global Title (GT) Length up to 15 digits. Looks like a phone number. Equivalent to IP address. SubSystem Number (SSN) Identifies application or service on Network Elements. Equivalent to TCP port. In Telecom networks a multitude of addressing schemes are used to identify Network Elements, subscribers, applications International Mobile Subscriber Identity (IMSI) SIM card number International Mobile Equipment Identity (IMEI) Device serial number Mobile Subscriber ISDN Number (MSISDN) Phone number SS7 Routing criteria: PC / GT / SSN or combo STP NE NE
  • 13. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
  • 14. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved • Abusing legitimate messages (SRISM, SRI, ATI, …) • Sending from any international SS7 interconnection • Steps: • Discovery scan and GT mapping: SCCP + TCAP • Advanced attacks: specific MAP messages • Targets: • Attacking operators infrastructure • Attacking subscribers Practical Attack Scenarios Scan methodology
  • 15. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Discovery phase • Publicly available information • International PC lists • GT prefix / country / operator • Subscriber MSISDN lists • Probing from UE • SS codes: *#61# • Send SMS to your own SMSC to find your current MSC • Changing GT prefix length • Scan around confirmed targets Finding the first targets
  • 16. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Discovery phase TCAP scan example Scan ! HLR Found!
  • 17. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved 2G / 3G Network Mapping Active Network Mapping
  • 18. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
  • 19. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Spying on users
  • 20. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Tracking user location • Based on non filtered MAP messages • SRISM / SRI • PSI / PSL • ATI … • Targeted towards HLR or MSC / VLR • Accuracy: • Depending on type of message allowed • MSC GT (Accuracy: City / Region) • CellID (Accuracy: Street)
  • 21. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Tracking user locationGet MSC / VLR / CellID from SS7 (Example with MAP ATI) $ python src/p1ss7ng/mapgsm_cellid.py 02f8xx002c9084 Mobile Country Code (MCC) : 208 (France) Mobile Network Code (MNC) : xx (French Operator) Location Area Code (LAC) : 194 Cell ID : 23 VLR GT12345000123 12345000123 MSC GT 02f802002c9084 Cell ID
  • 22. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Tracking user locationOpen CellID databases
  • 23. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Tracking user location Low accuracy (MSC based location) Source: Tobias Engel (CCC)
  • 24. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Agenda Overall telecom architecture Architecture diagrams for 2G / 3G Most important Network Elements SS7 stack and interconnections Practical attack scenarios Mapping the SS7 network Tracking user location Sending spoofed SMS Demo
  • 25. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Sending SMS MO / MT ForwardSM • MAP messages • MO: Mobile Originating • MT: Mobile Terminating • SMSC: SMS Center (SMSC GT list is public) MSCMSC SMSC MAP MO ForwardSM MAP MT ForwardSM
  • 26. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Sending SMS Prerequisite to SMS: MAP SRISM SMSC MSC MT MT
  • 27. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SendRoutingInfoForSM SS7 MAP SRISM SCCP Dst GT == MSISDN Destination phone number (MSISDN): 12340000001 SSN HLR
  • 28. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Answer to SRISM RoutingInfoForSM-Res ::= SEQUENCE { imsi IMSI, locationInfoWithLMSI[0] LocationInfoWithLMSI, extensionContainer [4] ExtensionContainer OPTIONAL, ..., ip-sm-gwGuidance [5] IP-SM-GW-Guidance OPTIONAL } Answer comes from HLR Get IMSI for requested MSISDN Contains MSC GT • Both IMSI and MSC GT are required to send MAP MT Forward SM
  • 29. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Answer to SRISM SRISM answer reveals MSC GT and IMSI MSC GT IMSI
  • 30. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SMS attacks • Sending spam SMS • Sending spoof SMS • Bypassing SMS firewall • Anti Spam protections • MT FSM directly targeting MSC • Directly sent from signalling protocol
  • 31. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SMS attacks Based on MAP MT-FSM (Mobile Terminated Forward Short Message) Originating phone number MAP MT FSM SMS content Spoof here ! 12345000123 IMSI MSC GT
  • 32. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Originating Address Try different encodings ! (Different screening rules) 12345000001 Hackito
  • 33. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SMS spoofing Spoofing police ! Also works with other special numbers: • Emergency number • Voice Mail number • Operators services • Other subscribers
  • 34. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Counter measures • SMS home routing • SMS firewalls • All incoming MAP MT Forward SM are routed to SMS firewall for inspection • Prevents against SMS attacks: • SMS spam is detected and rejected • SMS spoofed is detected and rejected Protecting against SMS attacks
  • 35. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SMS Home Routing Protecting users privacy / Protecting against spam SMS SMSC
  • 36. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved MSC MT MT SMS Home Routing SMS are routed to SMS firewall for inspection SMS FirewallSMSC
  • 37. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Counter Counter measures ? • Can you actually bypass SMS firewalls ? • YES ! • How ? • Directly sending MT Forward SM to MSC • Route through SMS firewall is usually not enforced ! • This requires to scan and discover all available MSC prior to send SMS • Possible in a few hours • MSC number: typically < 50 • Also require target IMSI (SRI / SRISM / sendIMSI) How to bypass protections
  • 38. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SMS Firewall bypassed https://saas.p1sec.com/vulns/112 P1 Vulnerability Knowledge Base P1VID#112
  • 39. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Telcomap project
  • 40. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Worldwide discovery • Discovery scan from international SS7 interconnection • Targets: all operators / all countries • Currently implemented testcases: • GT/SSN discovery scan (SCCP / TCAP) • MSISDN range scan (MAP SRI) • More to come… SS7map: Scanning the worldwide SS7 network
  • 41. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved SS7 Map Telecom Networks SS7 Exposure
  • 42. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved GRX Map PS, GPRS, LTE http://sniffmap.telcomap.org/grx/
  • 43. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Galaxy Map ShodanHQ-like but for Telco Shodan is only 10% coverage of Telco OAM and Signaling But useful to “prove” the seriousness: anyone can get access… from Internet
  • 44. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Sniffmap Map of Five Eyes interception http://sniffmap.telcomap.org/
  • 45. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Attack surface Telcomaps Sniff Map SS7 Map GRX Map Galaxy Map
  • 46. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Going further • MAP specification: 3GPP TS 29.002 http://www.3gpp.org/DynaReport/29002.htm • SMS specification: 3GPP TS 23.040 http://www.3gpp.org/DynaReport/23040.htm • SMS Home routing specification: 3GPP TS 23.840 http://www.3gpp.org/DynaReport/23840.htm • Locating mobile phones using MSC GT (CCC) http://events.ccc.de/congress/2008/Fahrplan/attachments/1262_25c3-locating-mobile- phones.pdf • Description of MAP usual callflows http://www.netlab.tkk.fi/opetus/s383115/2007/kalvot/3115L7-9e.pdf • P1 Security SaaS and Vulnerability Knowledge Base https://saas.p1sec.com/ • SMS Gateways http://www.vianett.com/ • Open Cell ID databases / API http://opencellids.org/
  • 47. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Thank you ! Questions ? Thanks to P1 Security team Questions to: po@p1sec.com alex@p1sec.com
  • 48. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Back up demo
  • 49. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Back up demo
  • 50. P1 Security – Hackito Ergo Sum 2014 © 2014 - P1 Security, All Rights Reserved Back up demo