Attacks on Telecom Operators and Mobile Subscribers via SS7
Dmitry Kurbatov, Security specialist
Positive Research
2014 was a good year for SS7 security
Hackito Ergo Sum 2014
• Locating mobile phones
Positive Hack Days IV
• How to Intercept a Conversation Held on the Other Side of the Planet
Washington Post
• Secretly track cellphones
31C3
• SS7: Locate. Track. Manipulate
• Mobile self-defense
Topics
• USSD Money Transfer
• Short Message Interception
• DoS on Mobile Switching Center
• Fraud in SS7 network
Hot for mobile network operators
Hot for everyone
SS7
[Diagram: SS7 core network with HLR, MSC/VLR, Gateway MSC, Billing and SMS-C, serving subscribers A and B.]
Radio Part
[Diagram: Cell Phone, Base Transceiver Station, Base Station Controller.]
MSC/VLR
• MSC – Mobile Switching Center
• VLR – Visitor Location Register
SS7 IDs
• GT – Global Title: 0 123 4567890
• MSISDN – A or B mobile numbers: 0 123 4567890
• MSRN – Mobile Subscriber Roaming Number: 0 123 4567890
• IMSI – International Mobile Subscriber Identity: 15 digits
SS7
[Diagram, built up over several slides: the SS7 core (HLR, MSC/VLR, Gateway MSC, Billing, SMS-C, subscribers A and B) together with the CS Core, PS Core and IMS, and the networks connected to it.]
• Access Networks: UTRAN, LTE, Wi-Fi, WiMAX, PON, DSL, Femto
• Exchange Points: GRX/IPX
• Support: OAM, Remote support
• IT: IT network
• Internet
Traffic
Threats
• Attacker (marked at several points in the diagram)
SS7: Collect info
We know:
• B-Number 0 123 4567802
1. SRI4SM (sendRoutingInfoForSM), sent by Attacker as SMSC: “I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?”
2. sendRoutingInfoForSM response: “I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits.”
We know:
• B-Number 0 123 4567802
• HLR 0 123 4567800
• MSC/VLR 0 123 4567803
• Subscriber-B IMSI 15 digits
SS7: Spoof MSC
We know:
• HLR 0 123 4567800
• Subscriber-B IMSI 15 digits
3. updateLocation, sent by Attacker as MSC: “I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits.”
4. HLR stores:
• Subscriber-B IMSI 15 digits
• MSC/VLR 1 321 4567801
Attacker serves Subscriber-B
SS7: SMS interception
5. A sends an SMS to B: “Hi, meet at 8pm at Baker Street”
6. sendRoutingInfoForSM, sent by SMS-C: “I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802?”
7. sendRoutingInfoForSM response: “I am HLR 0 123 4567800. MSC/VLR 1 321 4567801. Subscriber-B IMSI 15 digits.”
HLR sends Attacker address instead of real MSC!
8. SMS-C routes this SMS to the received address.
SS7: Send USSD 1
We know:
• HLR 0 123 4567800
• Subscriber-B IMSI 15 digits
3. processUnstructuredSS-Request (*100#), sent by Attacker as MSC/VLR: “I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits?”
4. processUnstructuredSS-Request response: “Subscriber’s account is $$$$$.”
We know:
• HLR 0 123 4567800
• Subscriber-B IMSI 15 digits
• Account info.
SS7: Send USSD 2
We know:
• HLR 0 123 4567800
• Subscriber-B IMSI 15 digits
• Account info.
5. processUnstructuredSS-Request (*123*01238765400*100#), sent by Attacker as MSC/VLR: “I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account.”
6. processUnstructuredSS-Request response: “OK.”
We know:
• HLR 0 123 4567800
• Subscriber-B IMSI 15 digits
• Real account info.
Subscriber B does not get SMS notification if Attacker combines this attack and the previous one.
SS7: Make it starve
We know:
• MSC/VLR 0 123 4567803
• Subscriber-B IMSI 15 digits
3. PRN (provideRoamingNumber), sent by Attacker as HLR: “I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits.”
4. provideRoamingNumber response: MSRN 0 123 4560001
Default timeouts for MSRN:
• Ericsson – 30 sec
• Huawei – 45 sec
The provideRoamingNumber request is repeated, and each response returns another number:
• MSRN 0 123 4560001
• …
• MSRN 0 123 4569999
Finally the response is: noRoamingNumberAvailable
SS7: DoS
[Diagram labels: Attacker as HLR, Real HLR, Gateway MSC, MSC/VLR, B; 10k – 500k]
3. PRN (provideRoamingNumber), sent by Attacker as HLR: “I am HLR. My GT 1 321 4568701. Provide MSRN for Subscriber-ANY IMSI 15 digits.”
4. No incoming calls. Sad calling party.
SS7 interconnection
[Diagram: three operator networks, each with HLR, MSC/VLR, Gateway MSC, Billing and SMS-C, interconnected over SS7.]
Trusted environment
SS7: Forward a call
HLR stores:
• Subscriber-B
• MSISDN 0 123 4567802
• IMSI 15 digits
• MSC/VLR 1 321 4567801
5. A → Gateway MSC (call to B). GatewayMSC knows: nothing
6. sendRoutingInfo: “Where is Subscriber-B MSISDN 0 123 4567802” = Where is Subscriber-B located?
7. provideSubscriberInfo: “I am HLR. My GT 0 123 4567800. Provide location for the Subscriber-B.”
8. provideSubscriberInfo response: “Subscriber-B is in the Home network.”
GatewayMSC knows that Subscriber-B is at home. This information will be sent to a billing platform.
9. sendRoutingInfo: “Where is Subscriber-B MSISDN 0 123 4567802 located” = What is MSRN for Subscriber-B?
10. provideRoamingNumber: “I am HLR. My GT 0 123 4567800. Provide MSRN for Subscriber-B IMSI 15 digits.”
11. provideRoamingNumber response: MSRN 39 0 654832169
GatewayMSC knows:
• Subscriber-B
• MSRN 39 0 654832169
12. Forward a call to… Italy
Who pays?
How much does a mobile operator lose?
• Call from A to B while at “home” = ₽ 1,60
• Call from A to Italy = ₽ 30,00
• ₽ 30,00 - ₽ 1,60 = ₽ 28,40 – Attacker’s profit
• International calls at 5,3% of original price
IDS Scheme
SS7 IDS & Event correlation
[Diagram: the STPs connect to SS7 National, SS7 International and SS7 Other PLMNs; SS7 taps on these links send duplicate traffic to the SS7 IDS & Event correlation.]
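An added example, not from the original slides: a sketch of the event-correlation step of the IDS scheme, run over constructed MAP event records as a tap might deliver them. The record layout, the partner allow-list and the burst threshold are assumptions; the GTs and the 30-second MSRN timeout are the sample values used on the slides.

```python
from collections import defaultdict, deque

HOME_PREFIX = "0123"             # home GTs on the slides start with 0 123
HOME_HLR = "01234567800"         # HLR GT from the slides
PARTNER_GTS = {"4915550001"}     # assumed roaming-partner allow-list (constructed)
MSRN_TIMEOUT = 30                # seconds, the Ericsson default quoted on the slides
PRN_BURST = 3                    # assumed threshold, kept low for the sample
EXTERNAL_OPS = ("updateLocation", "sendRoutingInfoForSM",
                "processUnstructuredSS-Request")

def correlate(events):
    """Return (ts, rule, calling GT) alerts for MAP events copied from SS7 taps."""
    alerts, prn_seen = [], defaultdict(deque)
    for ts, op, gt in events:
        if op == "provideRoamingNumber":
            # Only the home HLR should ask a home MSC/VLR for an MSRN.
            if gt != HOME_HLR:
                alerts.append((ts, "PRN from non-HLR GT", gt))
            # Many PRNs inside one MSRN timeout hold the roaming-number pool.
            window = prn_seen[gt]
            window.append(ts)
            while ts - window[0] > MSRN_TIMEOUT:
                window.popleft()
            if len(window) == PRN_BURST:
                alerts.append((ts, "PRN burst, MSRN pool at risk", gt))
        elif op in EXTERNAL_OPS:
            # Registration, SMS routing and USSD from an unknown foreign GT.
            known = gt.startswith(HOME_PREFIX) or gt in PARTNER_GTS
            if not known:
                alerts.append((ts, op + " from unknown external GT", gt))
    return alerts

# Constructed sample: (seconds, MAP operation, SCCP calling-party GT)
SAMPLE = [
    (0, "sendRoutingInfoForSM", "01234567804"),    # home SMS-C
    (1, "sendRoutingInfoForSM", "13214567801"),
    (5, "updateLocation", "4915550001"),           # roaming partner
    (6, "updateLocation", "13214567801"),
    (10, "provideRoamingNumber", "01234567800"),   # real HLR
    (20, "provideRoamingNumber", "13214567801"),
    (21, "provideRoamingNumber", "13214567801"),
    (22, "provideRoamingNumber", "13214567801"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

A home-prefix GT arriving on the international link is itself worth an alert, which requires each record to carry the identity of the tap it came from.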
Research Updates
• SS7 security threats
• Mobile Internet vulnerabilities (GPRS)
• SIM vulnerabilities
www.ptsecurity.com
http://blog.ptsecurity.com/