The known unknowns of SS7 and beyond
Siddharth Rao (1), Silke Holtmanns (2), Ian Oliver (2), Tuomas Aura (1)
(1) Aalto University, Finland; (2) Bell Labs - Nokia Networks, Finland
Telco Security Day - Troopers, 15 March 2016
Sid Rao (Aalto/Nokia), Evolution of Telco Attacks, TelcoSec Day, Troopers16
The known unknowns of SS7 and beyond - ERNW, posted 2016-04-07. Exploratory analysis survey of SS7 attacks; thesis "Analysis and mitigation of recent attacks on mobile communication
Dr. Silke Holtmanns is working for Nokia Security Research, now part of Bell Labs. She has 16 years of cellular security experience. She is rapporteur of many 3GPP security specifications and reports and also contributes actively to other cellular security standardization bodies, e.g. GSMA, ETSI. She authored a book and several book chapters in addition to a wide range of cellular security articles.
Dr. Ian Oliver is a security researcher in Bell Labs working on NFV, Trusted Computing and Privacy. Prior to this he worked with Semantic Web technologies at Nokia Research and was the privacy officer for Here. He holds a research fellow position at the University of Brighton and is the author of the book Privacy Engineering: A Dataflow and Ontological Approach. He has published numerous papers and holds over 40 patents.
Dr. Tuomas Aura was appointed as professor of computer science at Aalto University in 2008. Before that, he worked as a researcher at Microsoft Research in Cambridge, England. His recent research has focused on Internet and mobility protocols, user privacy protection and distributed security policies. Tuomas took part in developing the security solutions for the Mobile IPv6 and SEND protocol standards in the IETF.
The attacker has a stolen phone that is blacklisted and knows the IMSI (subscriber id) that was associated with it when it was blocked or last used by the victim.
The attacker does not need to have the original SIM, as it is sufficient to have just the IMSI.
The attacker has access to the SS7 network.
The Global Title (GT, the SS7 name of a node) of the Equipment Identity Register (EIR) is required.
The Mobile Switching Center (MSC) GT might be needed (depending on operator configuration).
Users lose their phones and find them again → an easy "recovery" in the EIR is wanted:
The MSC sends the IMEI (device id) along with the IMSI (subscriber id) during MAP CHECK IMEI.
Initially the IMEI is checked to determine which list it belongs to. If it is found on the black list, an additional check of the IMSI is made.
If the IMSI provisioned with the IMEI in the EIR database (the IMSI-IMEI pair stored in the EIR before the victim blocked the stolen device) matches the IMSI found in the MAP CHECK IMEI message, this overrides the blacklist condition.
1 A CHECK IMEI* is received with IMEI = 12345678901234 and IMSI = 495867256894125.
2 An individual IMEI match is found, indicating that the IMEI is on the Black List.
3 Normally the required response would be Black Listed; however, because an IMSI is present in the message and the IMEI is on the Black List, the IMSI is compared to the IMSI entry in the database for this IMEI.
4 In this case, the IMSI in the RTDB matches the IMSI in the query, thus the Black Listed condition is cancelled/overridden.
5 The EIR formulates a CHECK IMEI* response with Equipment Status = 0 (whiteListed).
Figure: Source: Farrell, G. (2015). Preventing phone theft and robbery: the need for government action and international coordination. Crime Science, 4(1), 1-11.
Research was done on the protocol level and on publicly available information.
Not all EIRs are affected.
A business case exists for the attack.
The Check IMEI command can be added to the list of messages to be filtered by an SS7-specific firewall in the STP at the border of the network, since this is a network-internal message.
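As an added example (not code from the slides or from any EIR vendor), the following Python models the EIR decision logic described above, including the IMSI override that cancels the black-listed status, together with the proposed STP border filter for CHECK_IMEI. The EIR contents, the GT values and the message dictionaries are constructed assumptions; the equipmentStatus numbering follows 3GPP TS 29.002.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class EquipmentStatus(Enum):
    # MAP equipmentStatus values as defined in 3GPP TS 29.002
    WHITE_LISTED = 0
    BLACK_LISTED = 1
    GREY_LISTED = 2


@dataclass
class Eir:
    black_list: set
    grey_list: set
    # IMEI -> IMSI pair recorded before the owner reported the device stolen
    provisioned_imsi: dict

    def check_imei(self, imei: str, imsi: Optional[str] = None) -> EquipmentStatus:
        """EIR decision for MAP CHECK_IMEI, following the slides' description."""
        if imei in self.black_list:
            # The "recovery" rule: an IMSI matching the provisioned pair
            # cancels the black-listed condition. This is what the attack abuses.
            if imsi is not None and self.provisioned_imsi.get(imei) == imsi:
                return EquipmentStatus.WHITE_LISTED
            return EquipmentStatus.BLACK_LISTED
        if imei in self.grey_list:
            return EquipmentStatus.GREY_LISTED
        return EquipmentStatus.WHITE_LISTED


def stp_border_filter(msg: dict, own_msc_gts: set) -> str:
    """Proposed mitigation: CHECK_IMEI is network-internal, so the SS7
    firewall at the border STP drops it unless the calling GT is our own MSC."""
    if msg["op"] == "CHECK_IMEI" and msg["calling_gt"] not in own_msc_gts:
        return "DROP"
    return "FORWARD"


# Constructed sample data; the IMEI/IMSI values are the ones used on the slides.
SAMPLE_EIR = Eir(
    black_list={"12345678901234"},
    grey_list=set(),
    provisioned_imsi={"12345678901234": "495867256894125"},
)
OWN_MSC_GTS = {"358401000001"}  # placeholder GT for an internal MSC
EXTERNAL_CHECK_IMEI = {  # constructed: CHECK_IMEI arriving from a foreign GT
    "op": "CHECK_IMEI", "calling_gt": "999999000001",
    "imei": "12345678901234", "imsi": "495867256894125",
}
```

Without the border filter, the externally injected message reaches the EIR and the override path turns the black-listed IMEI into whiteListed; with the filter in place the same message is dropped at the STP.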
2 Query the database for the CellID, LAC and MSC/VLR details on a specific day and time.
3 Query for the IMSIs of all mobile users who were in the vicinity of that region (cell or MSC region) at that point in time - they are the potential co-travellers.
4 Query as in step 1 and rank the potential co-travellers to identify the real co-travellers by comparing their pattern of travel, cellular usage and lifestyle, with or without a direct connection to the selector.
P.S.: They do some serious data mining and pattern analysis/matching here.