SS7 Firewall
February 2016

The SS7 Network is
• robust, proven, reliable
• working for decades
But …
• interconnect is based on trust
• no protocol level security
• … no equivalent in SS7 of IP TLS, IPSec

What if…
• your calls could be recorded and you wouldn’t know about this?
• your subscriber’s location (cell id) could be tracked?
• somebody could deny your subscribers access to the network?
• somebody could alter the identity in the VLR when your users place calls?

Where can I find public information?
• Government: US Congress/FCC
  • http://grayson.house.gov/index.php/newsroom/press-releases/314-grayson-asks-fcc-to-protect-privacy-of-americans-phone-calls
• Research
  • http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/
• Press
  • http://www.washingtonpost.com/business/technology/for-sale-systems-that-can-secretly-track-where-cellphone-users-go-around-the-globe/2014/08/24/f0700e8a-f003-11e3-bf76-447a5df6411f_story.html

01 SS7 Network Legitimate Scenarios

Legitimate scenario location update in HPLMN
• The roaming MSC (Visited MSC) requires network access from HLR
• The HLR pushes subscriber data into Visited MSC
• The HLR keeps record that subscriber roams in the given Visited MSC
Message flow (nodes: VMSC B, HLR B):
(1) LOCATION UPDATE: CgPA = VMSC B, CdPA = HLR, [IMSI, VMSC]
(2) LOCATION UPDATE ACCEPTED: CgPA = HLR, CdPA = VMSC B
(3) INSERT SUBSCRIBER DATA: CgPA = HLR, CdPA = VMSC B, [MSISDN, SubscriberData]

Legitimate SMS delivery from foreign network
• Foreign SMSC requests the VMSC & IMSI of the recipient (your subscriber)
• The HLR returns the VMSC address and IMSI
• The foreign SMSC connects to the VMSC and submits the SMS
Message flow (nodes: SMSC A, HLR B, VMSC B):
(1) SRI-SM: CgPA = SMSC, CdPA = MSISDN, [Service Centre, MSISDN]
(2) SRI-SM ANSWER: CgPA = HLR, CdPA = SMSC, [VMSC, IMSI]
(3) MT-FORWARD-SM: CgPA = SMSC, CdPA = VMSC B, [IMSI, SMS]

02 Malicious Usage On ‘Trusted’ SS7 Links

Obtain subscriber IMSI & Roaming MSC
• The breached network has a roaming agreement with the target network
• The malicious application is any application capable of sending MAP messages with SS7/SIGTRAN access to an STP
• The malicious application is able to impersonate the real SMSC by setting the CgPA
• The HLR in the target network receives the same SRI-SM as the one originate
Message flow (nodes: Malicious Application, HLR B):
SRI-SM: CgPA = SMSC, CdPA = MSISDN, [Service Centre, MSISDN]
SRI-SM: CgPA = HLR, CdPA = SMSC, [VMSC, IMSI]

Modify O-CSI in VMSC
Your calls can be recorded
• The malicious application uses the previously obtained IMSI and VMSC
• The malicious application modifies subscriber data in the Visited MSC – in this case the O-CSI
• The VMSC has no standard mechanism to detect if this is a legitimate request or not
• Whenever the target subscriber originates a call, the VMSC hands call control (via CAP) to the node defined within the O-CSI. This node can perform a record function and connect the call to the intended destination.
Message flow (nodes: Malicious Application, VMSC B):
INSERT-SUBSCRIBER-DATA: CgPA = SMSC, CdPA = VMSC B, [SubscriberData(O-CSI)]

Retrieve subscriber location
Your location can be tracked
• The malicious application uses the previously obtained IMSI and VMSC
• The malicious application requests current location information from the Visited MSC
• The VMSC has no standard mechanism to detect if this is a legitimate request or not
Message flow (nodes: Malicious Application, VMSC B):
PROVIDE SUBSCRIPTION INFORMATION: CgPA = GMSC, CdPA = VMSC B, [requestedInfo (currentLocation)]
SUBSCRIPTION INFORMATION: CgPA = VMSC B, CdPA = GMSC, [CellId]

Modify MSISDN in VMSC
You can spoof your MSISDN
• The malicious application uses the previously obtained IMSI and VMSC
• The malicious application modifies subscriber data in the Visited MSC – in this case the MSISDN
• The VMSC has no standard mechanism to detect if this is a legitimate request or not
• Whenever the target subscriber originates a call the modified MSISDN is used as calling party
Message flow (nodes: Malicious Application, VMSC B):
INSERT-SUBSCRIBER-DATA: CgPA = SMSC, CdPA = VMSC B, [SubscriberData(MSISDN)]

Modify ODB in VMSC
Somebody can block your calls
• The malicious application uses the previously obtained IMSI and VMSC
• The malicious application modifies subscriber data in the Visited MSC – in this case the BAOC setting
• The VMSC has no standard mechanism to detect if this is a legitimate request or not
• Whenever the target subscriber tries to originate a call the BAOC setting will not allow the call to take place
Message flow (nodes: Malicious Application, VMSC B):
INSERT-SUBSCRIBER-DATA: CgPA = SMSC, CdPA = VMSC B, [SubscriberData(BAOC)]

Easy answers?
• Blocking SRI-SM requests in STP
• Can’t block all SRI-SM messages since we would kill the SMS service for all our subscribers
• Block all SRI-SM requests coming from unknown addresses
• The MAP allows an application to spoof the SCCP CgPA

Easy answers?
• Block ISD requests in STP
• Can’t block all ISD messages since we would kill the voice service for all our subscribers
• Block all ISD requests coming from interconnect links
• Can’t block all ISD messages since we would kill the voice service for all our in-roamers

What an SS7 firewall does…
• Protects your subscribers’ data in the MSC
• Protects your subscribers’ location in the network
• Allows the legitimate traffic to flow without disruption

Never expose real IMSI to untrusted entities
• All SRI-SM requests are routed by the STP towards the MAP filter
• The MAP filter decides the current request is untrustworthy, forwards the request to the HLR and stores the real IMSI and VMSC received from the HLR
• The MAP filter provides back to the un-trusted application a fake IMSI and a fake VMSC address. The fake VMSC address is the MAP filter address.
Message flow (nodes: Un-trusted Application, MAP Filter, HLR B):
SRI-SM: CgPA = SMSC, CdPA = MSISDN, [Service Centre, MSISDN]
SRI-SM: CgPA = HLR, CdPA = SMSC, [VMSC, IMSI]
SRI-SM: CgPA = SMSC, CdPA = MSISDN, [Service Centre, MSISDN]
SRI-SM: CgPA = HLR, CdPA = SMSC, [Fake VMSC, Fake IMSI]

Untrusted application is in fact legitimate
• If the un-trusted application is in fact a legitimate SMSC trying to deliver an MT SMS then after the SRI-SM the SMSC will deliver the MT SMS to the VMSC address obtained at SRI-SM (the MAP Filter)
• The MAP filtering decides that this is a legitimate request, retrieves the real IMSI and real VMSC based on the received fake IMSI and then delivers the MT SMS to the real VMSC using real IMSI
• The MT SMS response is proxied back to the SMSC
Message flow (nodes: Legitimate SMSC, MAP Filter, VMSC B):
MT-FORWARD-SM: CgPA = SMSC, CdPA = MAP Filter, [Fake IMSI, MT-SMS]
MT-FORWARD-SM: CgPA = SMSC, CdPA = VMSC B, [IMSI, MT-SMS]
MT-FORWARD-SM: CgPA = VMSC B, CdPA = MAP Filter, [Delivery Status]
MT-FORWARD-SM: CgPA = MAP Filter, CdPA = SMSC, [Delivery Status]

Untrusted application is in fact malicious
• If the un-trusted application is in fact a malicious application trying to alter subscriber data in the VMSC, then after the SRI-SM the malicious application tries to insert data into the VMSC obtained at SRI-SM (the MAP Filter)
• The MAP filter decides that this is a malicious request. It can provide a fake answer back to the malicious application ("OK, I have inserted the data"), reject the ISD, or silently drop the request
• The subscriber data in the VMSC is thus protected
Message flow (nodes: Malicious Application, MAP Filter, Protected VMSC B):
INSERT-SUBSCRIBER-DATA: CgPA = SMSC, CdPA = MAP Filter, [SubscriberData(O-CSI)]
INSERT-SUBSCRIBER-DATA: CgPA = MAP Filter, CdPA = SMSC, [OK]

Untrusted application is in fact malicious…
• If the un-trusted application is in fact a malicious application trying to retrieve subscriber location from the VMSC, then after the SRI-SM the malicious application tries to request current location data from the VMSC obtained at SRI-SM (the MAP Filter)
• The MAP filter decides that this is a malicious request. It can provide a fake answer back to the malicious application ("here is some fake cell id"), reject the PSI, or silently drop the request
• The subscriber location is thus protected
Message flow (nodes: Malicious Application, MAP Filter, Protected VMSC B):
PROVIDE SUBSCRIPTION INFORMATION: CgPA = GMSC, CdPA = VMSC B, [requested info (current Location)]
PROVIDE SUBSCRIPTION INFORMATION: CgPA = MAP Filter, CdPA = GMSC, [fake cell id]

How does this work?
• The message is received and decoded, and incoming parameters are extracted (SCCP CgPA, CdPA, TCAP Context, MAP Parameters)
• Context data (fake IMSI in request) is extracted from the in-memory data store
• The Rule Engine decides, based on input parameters and context data, what treatment should be applied to the incoming message
• The action returned by the Rule Engine is applied
Diagram (components: MAP filter, in-memory data store, rule engine):
MAP REQUEST: CgPA, CdPA, [MAP Parameters]
Steps: get context data; determine treatment of current request; action

SS7 firewall behaviour
• RELAY – the incoming request is relayed at SCCP level towards the requested destination
• ABORT – the incoming request is answered with a TCAP_U_ABORT
• DROP – the incoming request is silently dropped, no response is provided back
• FAKE – the incoming request is answered with a default fake answer (fake answer message is configurable per MAP Operation)
• PROXY – the incoming message is proxied by the MAP Filter to the destination node; the MAP filter also proxies the responses back and hides real data (e.g. fake IMSI)
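
The five treatments above and the fake-IMSI context lookup from the preceding slides, as a runnable model. This is an added example, not code from the presentation or from Computaris; the `link` argument, every address and IMSI, the 999-prefixed fake IMSI format and the handling of unknown operations are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: every number below is made up for this example.
FILTER_GT = "447700900001"   # MAP filter address, returned as the fake VMSC
HLR = {"447700900123": ("234150000000001", "447700900020")}  # MSISDN -> (IMSI, VMSC)
FAKE_ANSWERS = {"ISD": {"result": "OK"}, "PSI": {"cell_id": "0000"}}  # per-operation fake answers

@dataclass
class MapFilter:
    probe_action: str = "FAKE"                   # FAKE, ABORT or DROP for ISD/PSI sent to the filter
    context: dict = field(default_factory=dict)  # in-memory store: fake IMSI -> (real IMSI, real VMSC)

    def handle(self, op, link, params):
        """Return (action, data) for one decoded MAP request."""
        if link == "internal":                   # assumption: own-network traffic is relayed untouched
            return "RELAY", params
        if op == "SRI-SM":
            real = HLR.get(params["msisdn"])     # stands in for forwarding the request to the HLR
            if real is None:
                return "ABORT", {}
            fake_imsi = "999" + "".join(secrets.choice("0123456789") for _ in range(12))
            self.context[fake_imsi] = real       # remember the mapping for a later MT-FORWARD-SM
            return "PROXY", {"imsi": fake_imsi, "vmsc": FILTER_GT}
        if op == "MT-FORWARD-SM":
            real = self.context.get(params["imsi"])
            if real is None:                     # no earlier SRI-SM produced this IMSI
                return "ABORT", {}
            return "PROXY", {"imsi": real[0], "vmsc": real[1], "sms": params["sms"]}
        if op in FAKE_ANSWERS:                   # ISD or PSI aimed at the fake VMSC
            data = FAKE_ANSWERS[op] if self.probe_action == "FAKE" else {}
            return self.probe_action, data
        return "DROP", {}                        # assumption: other operations reaching the filter are dropped

def demo():
    f = MapFilter()
    _, sri = f.handle("SRI-SM", "interconnect", {"msisdn": "447700900123"})
    sms = f.handle("MT-FORWARD-SM", "interconnect", {"imsi": sri["imsi"], "sms": "hi"})
    isd = f.handle("ISD", "interconnect", {"imsi": sri["imsi"], "o_csi": "constructed"})
    psi = f.handle("PSI", "interconnect", {"imsi": sri["imsi"]})
    return sri, sms, isd, psi

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The real IMSI and VMSC never appear in anything returned to the interconnect side; only the proxied MT-FORWARD-SM towards the real VMSC carries them. A deployed filter would also expire context entries, which this model does not do.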

Thank you!
[+44]20.7193.9189
www.computaris.com