Attacks you can’t combat: Vulnerabilities of the most robust mobile operators
Sergey Puzankov
About me
• 18+ years in the telecom industry
• 7+ years in telecom security
• Research results & community contribution, knowledge sharing
Contacts: @xigins, sergey_puzankov, [email protected]
SS7 basics
SS7 (Signaling System No. 7) is a set of telephony protocols used to set up and tear down
telephone calls, send and receive SMS messages, provide subscriber mobility, and more.
• Fixed telephony
• 2G/3G mobile networks
• Interconnection with next-generation networks
Who are potential targets?
© GSMA Intelligence 2018, Mobile connections by technology
https://www.gsmaintelligence.com/research/2018/02/infographic-mobile-connections-by-technology/656/
Now what can a Hacker do?
• Intercept private data, calls and SMS messages
• Take control of your digital identity
• Track location of VIPs and public figures
• Get access to your email and social media
• Perform massive denial of service attacks
• Steal money
Any mobile operator. From anywhere. Easily. No special skills needed.
History of signaling security
SS7 development
Trusted environment. No security mechanisms in the protocol stack.
SIGTRAN (SS7 over IP) introduced. Security is still missing.
Scope grows
Growing number of SS7 connections, increasing amount of SS7 traffic.
No security policies or restrictions.
Not trusted anymore
Huge number of MNOs, MVNOs, and VAS providers.
SS7 widely used, Diameter added and spreading. Still not enough security.
Mobile operators and SS7 security
• Security configuration
• Security assessment
• SS7 firewall
• SMS Home Routing
• Signaling IDS
Basic nodes and identifiers
• MSISDN — Mobile Subscriber Integrated Services Digital Number
• IMSI — International Mobile Subscriber Identity
• GT — Global Title, address of a core node element
• HLR — Home Location Register
• MSC/VLR — Mobile Switching Center and Visited Location Register
• STP — Signaling Transfer Point
• SMS-C — SMS Centre
SS7 protocol stack
Mobile Application Part
MAP is the payload that contains an operation code and appropriate parameters
such as IMSI, profile information, and location data.
Transaction Capabilities Application Part
TCAP is responsible for processing transactions and dialogues.
Signaling Connection Control Part
SCCP is responsible for routing a signaling message by Global Titles.
SS7 security means
Signaling Transfer Point
performs simple screening of signaling messages.
SMS Home Routing
is intended to prevent SMS fraud and hide IMSI identities.
SS7 firewall
is the most sophisticated signaling security tool that protects the
network against a wide range of threats such as IMSI disclosure,
location tracking, and traffic interception.
Signaling Transfer Point
• The Signaling Transfer Point is a router that relays SS7 messages between
signaling end-points and other signaling transfer points.
• Usually the STP is a border point in a signaling network.
• It is possible to use the STP for screening ineligible signaling traffic.
• The screening rules of most STPs are simple, for instance, blocking a
signaling message by a source address or redirecting a signaling message
by an operation code.
• The STP looks through a signaling message layer by layer and applies a
rule as soon as the first appropriate pattern is triggered.
SMS delivery process
SRI4SM — SendRoutingInfoForSM
1. SRI4SM Request (MSISDN): SMS-C → STP → HLR
2. SRI4SM Response (IMSI, MSC Address): HLR → STP → SMS-C
3. MT-SMS (IMSI, SMS Text): SMS-C → STP → MSC
SRI4SM abuse by a malefactor
1. SRI4SM Request (MSISDN): malefactor → STP → HLR
2. SRI4SM Response (IMSI, MSC Address): HLR → STP → malefactor
The malefactor obtains the subscriber’s IMSI and the address of the serving MSC.
SMS Home Routing
1. SRI4SM Request (MSISDN): SMS-C → STP → SMS Router
2. SRI4SM Response (Fake IMSI, SMS-R Address): SMS Router → STP → SMS-C
3. MT-SMS (Fake IMSI, SMS Text): SMS-C → STP → SMS Router
4. SRI4SM Request (MSISDN): SMS Router → HLR
5. SRI4SM Response (Real IMSI, MSC Address): HLR → SMS Router
6. MT-SMS (Real IMSI, SMS Text): SMS Router → MSC
SMS Home Routing against malefactors
1. SRI4SM Request (MSISDN): malefactor → STP → SMS Router
2. SRI4SM Response (Fake IMSI, SMS-R Address): SMS Router → STP → malefactor
SS7 firewall: typical deployment scheme
1. SS7 message: arrives at the STP
2. SS7 message: STP → SS7 firewall for inspection
3. SS7 message: forwarded to the HLR
SS7 firewall: blocking rules
The SS7 firewall inspects an SS7 message layer by layer before it reaches the HLR or MSC:
• SCCP — Source / Destination address
• TCAP — Application Context
• MAP — OpCode, IMSI, …
Firewall rules
Category 1: Block a message by an operation code
Category 2: Block a message by an operation code and correlation of a source address and subscriber identity
Category 3: Block a message by an operation code and subscriber’s real location
SS7 attacks and vulnerabilities
IMSI disclosure via a malformed Application Context Name (ACN) parameter
Location tracking via Operation Code Tag substitution
Voice call interception (MiTM) via a Double MAP vulnerability
IMSI disclosure
Exploitation of malformed ACN
TCAP protocol
TCAP Message Type — mandatory
Transaction IDs — mandatory
Dialogue Portion — optional
Component Portion — optional
Changing ACN (original → malformed)
0 – CCITT                      0 – CCITT
4 – Identified Organization    4 – Identified Organization
0 – ETSI                       4 – Unknown
0 – Mobile Domain              0 – Mobile Domain
1 – GSM/UMTS Network           1 – GSM/UMTS Network
0 – Application Context ID     0 – Application Context ID
20 – ShortMsgGateway           20 – ShortMsgGateway
3 – Version 3                  3 – Version 3
IMSI disclosure via malformed ACN
1. SRI4SM Request (MSISDN) with a malformed ACN: malefactor → STP → HLR
The STP inspects the message layer by layer (SCCP Destination: HLR; TCAP: malformed ACN; MAP: OpCode, param). With the malformed ACN the message is not redirected to the SMS Router; the SMS Router is bypassed.
2. SRI4SM Response (IMSI, MSC): HLR → STP → malefactor
Equal IMSIs mean the SMS Home Routing solution is absent or not involved.
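The fail-closed Application Context Name check a screening node can apply before any opcode rule fires, as an added example that is not the talk’s code: the ACN arcs and the ShortMsgGateway context are those on the slides, the SRI4SM operation code 45 is from 3GPP TS 29.002, and the hex samples are constructed.

```python
"""Fail-closed Application Context Name (ACN) check for a MAP dialogue.

Added example, not from the talk. The MAP ACN arcs 0.4.0.0.1.0 and the
ShortMsgGateway context (20, version 3) are the ones shown on the slides;
the SendRoutingInfoForSM operation code (45) is from 3GPP TS 29.002.
A message whose ACN is not a known MAP context must not fall through to
its SCCP destination: it is blocked before any opcode rule is consulted.
"""
MAP_ACN_PREFIX = (0, 4, 0, 0, 1, 0)  # itu-t, identified-org, etsi, mobileDomain, gsm-Network, ac-id
SEND_ROUTING_INFO_FOR_SM = 45

# application context code -> operations allowed inside it (only what this example needs)
ACN_TO_OPCODES = {20: {SEND_ROUTING_INFO_FOR_SM}}  # shortMsgGateway context


def decode_oid(content: bytes) -> tuple:
    """Decode the content octets of a DER OBJECT IDENTIFIER into a tuple of arcs."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, pending = 0, False
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)          # continuation bit set: arc not finished yet
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return tuple(arcs)


def acn_verdict(acn: tuple, opcode: int) -> str:
    """Return 'accept' or a 'block: ...' reason for an ACN / operation code pair."""
    if len(acn) != len(MAP_ACN_PREFIX) + 2 or acn[:6] != MAP_ACN_PREFIX:
        return "block: ACN is not a MAP application context (malformed or foreign)"
    context, version = acn[6], acn[7]
    allowed = ACN_TO_OPCODES.get(context)
    if allowed is None:
        return f"block: unknown MAP application context {context} v{version}"
    if opcode not in allowed:
        return f"block: opcode {opcode} not permitted in context {context} v{version}"
    return "accept"


# Constructed samples: the ACN from the slides and the malformed one (ETSI arc 0 -> 4).
GOOD_ACN = bytes.fromhex("04000001001403")       # 0.4.0.0.1.0.20.3  ShortMsgGateway v3
MALFORMED_ACN = bytes.fromhex("04040001001403")  # 0.4.4.0.1.0.20.3  third arc "Unknown"
```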
Location tracking
Substitution of Operation Code Tag
Numbering plans
E.164 (MSISDN and GT): 86 854 1231237
  86 — Country Code (China); 854 — Network Destination Code (Mobile Network Operator)
E.212 (IMSI): 460 80 4564567894
  460 — Mobile Country Code (China); 80 — Mobile Network Code (Mobile Network Operator)
Blocking rule: category 2
Block a message by an operation code and correlation of a source address and subscriber identity:
• Operation code
• Source address
• Subscriber identity
Switzerland ≠ China
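A minimal form of the category-2 correlation above, as an added example that is not the talk’s code: the China values come from the slides, the Switzerland codes (E.164 41, MCC 228) are the ITU assignments, and the two-country tables and the opcode set are assumptions of this example.

```python
"""Category-2 correlation: does the country of the source Global Title
(E.164) match the country of the subscriber's IMSI (E.212)?

Added example, not the talk's code. The tables hold only the two countries
the slides use: China (E.164 86, MCC 460, from the slides) and Switzerland
(E.164 41, MCC 228, ITU assignments); a deployment loads the full
E.164/E.212 tables. The category-2 operations are the two the talk runs
this check against: provideSubscriberInfo (70) and insertSubscriberData (7),
local codes from 3GPP TS 29.002.
"""
E164_COUNTRY = {"86": "China", "41": "Switzerland"}
E212_COUNTRY = {"460": "China", "228": "Switzerland"}
CATEGORY_2_OPCODES = {70, 7}


def country_of_gt(gt: str):
    """E.164 country codes are 1 to 3 digits long; match the longest prefix first."""
    for n in (3, 2, 1):
        if gt[:n] in E164_COUNTRY:
            return E164_COUNTRY[gt[:n]]
    return None


def country_of_imsi(imsi: str):
    """E.212 Mobile Country Codes are always 3 digits."""
    return E212_COUNTRY.get(imsi[:3])


def category2_verdict(opcode: int, source_gt: str, imsi: str) -> str:
    """Block a category-2 operation whose source GT country differs from the IMSI country."""
    if opcode not in CATEGORY_2_OPCODES:
        return "pass: not a category-2 operation"
    src, sub = country_of_gt(source_gt), country_of_imsi(imsi)
    if src is None or sub is None:
        return "block: source GT or IMSI outside the known numbering plans"
    if src != sub:
        return f"block: source {src} != subscriber {sub}"
    return "accept"
```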
ITU-T Q.773 Recommendation
ITU-T Q.773 – Transaction capabilities formats and encoding
Operation Code tag: Local OpCode = 2 (INTEGER), Global OpCode = 6 (OBJECT IDENTIFIER)
Location tracking via Global OpCode
PSI — ProvideSubscriberInfo
1. PSI with Global OpCode tag: malefactor → STP
2. PSI with Global OpCode tag: STP → SS7 FW. The SS7 FW is looking for a Local OpCode; Global OpCodes are ignored.
3. PSI with Global OpCode tag: SS7 FW → MSC/VLR
4. PSI Response (Cell ID): MSC/VLR → STP → malefactor. The VLR replies with the Local OpCode and the requested cell identity.
Equipment of four vendors replies to signaling messages with the Global OpCode.
Voice call interception (MiTM)
Exploitation of a Double MAP vulnerability
Phase 1: InsertSubscriberData with a spoofed billing platform address
1. InsertSubscriberData Request (IMSI, spoofed billing platform address): malefactor → STP → MSC/VLR
2. InsertSubscriberData Response: MSC/VLR → STP → malefactor
3. TCAP End
Phase 2: call setup
1. InitialDP (IMSI, A-Num, B-Num): MSC/VLR → STP → spoofed billing platform
2. Connect (PBX-Num): spoofed billing platform → STP → MSC/VLR
3. IAM (A-Num, B-Num): MSC/VLR → STP → PBX
SS7 FW against MiTM attack
1. InsertSubscriberData Request (IMSI, spoofed billing platform address): malefactor → STP
2. InsertSubscriberData Request (IMSI, spoofed billing platform address): STP → SS7 FW
The SS7 FW correlates the IMSI and source address and blocks the InsertSubscriberData message.
Switzerland ≠ China
TCAP protocol
TCAP Message Type — mandatory
Transaction IDs — mandatory
Dialogue Portion — optional
Component Portion — optional
Double MAP component
The Component Portion may carry more than one component (Component 1, Component 2). The SS7 FW checks a subscriber’s ID in the first component, considering the other data as a long payload not meant to be inspected.
Double MAP in MiTM attack
1. TCAP Begin [InsertSubscriberData_REQ + DeleteSubscriberData_REQ]: PBX → STP → SS7 FW → MSC/VLR
The STP sends the message to the SS7 FW for inspection; the SS7 FW inspects the first component only and forwards the message to the network.
2. TCAP Continue [ReturnError]: MSC/VLR → STP → PBX
3. TCAP Continue [InsertSubscriberData_REQ + InsertSubscriberData_REQ]: PBX → STP → SS7 FW → MSC/VLR
Again the SS7 FW inspects the first component only and forwards the message to the network.
4. TCAP Continue [ReturnResultLast]: MSC/VLR → STP → PBX
5. TCAP Continue [ReturnResultLast]: MSC/VLR → STP → PBX
6. TCAP End
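A component inspector covering both bypasses above (Global OpCode tag and Double MAP), as an added example that is not the talk’s code: it walks every Invoke in a TCAP Begin, treats a global (OID) operation code as anomalous instead of ignoring it, and allows only the BeginSubscriberActivity + ProcessUnstructuredSS-Data pair named in the conclusion; tags are from ITU-T Q.773, opcode numbers from 3GPP TS 29.002, and the sample message is constructed.

```python
"""Inspect every component of a TCAP Begin, not only the first (added example, not
the talk's code). Tags per ITU-T Q.773: component portion 0x6C, Invoke 0xA1,
INTEGER 0x02 = local operation code, OBJECT IDENTIFIER 0x06 = global one.
Local codes per 3GPP TS 29.002: insertSubscriberData 7, deleteSubscriberData 8,
processUnstructuredSS-Data 19, beginSubscriberActivity 54, provideSubscriberInfo 70."""
ISD, DSD, PROCESS_USS_DATA, BEGIN_SUBSCRIBER_ACTIVITY, PSI = 7, 8, 19, 54, 70
# The only multi-component Begin the talk reports in legitimate traffic.
LEGAL_PAIRS = {frozenset({BEGIN_SUBSCRIBER_ACTIVITY, PROCESS_USS_DATA})}

def iter_tlv(data: bytes):
    """Yield (tag, content) for consecutive DER TLVs; definite lengths only."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            if n == 0:
                raise ValueError("indefinite length is not accepted")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def invoke_opcodes(component_portion: bytes) -> list:
    """Operation code of every Invoke: an int if local, the string 'global' if an OID."""
    tag, body = next(iter_tlv(component_portion))
    if tag != 0x6C:
        raise ValueError("not a TCAP component portion")
    codes = []
    for ctag, comp in iter_tlv(body):
        if ctag == 0xA1:                        # only Invoke carries an operationCode
            fields = list(iter_tlv(comp))[1:]   # skip invokeID; optional linkedID is tag 0x80
            otag, oval = next((t, v) for t, v in fields if t in (0x02, 0x06))
            codes.append(int.from_bytes(oval, "big") if otag == 0x02 else "global")
    return codes

def begin_verdict(component_portion: bytes) -> str:
    codes = invoke_opcodes(component_portion)
    if "global" in codes:
        return "block: global operation code (MAP defines its operations with local codes)"
    if len(codes) > 1 and frozenset(codes) not in LEGAL_PAIRS:
        return f"block: {len(codes)} MAP components in one Begin {codes}"
    return "accept"

def tlv(tag: int, content: bytes) -> bytes:     # short-form DER, for building samples
    return bytes([tag, len(content)]) + content
def invoke(opcode_tlv: bytes, invoke_id: int = 1) -> bytes:
    return tlv(0xA1, tlv(0x02, bytes([invoke_id])) + opcode_tlv + tlv(0x30, b""))

# Constructed sample: the Begin from the Double MAP attack (ISD + DSD in one message).
DOUBLE_MAP = tlv(0x6C, invoke(tlv(0x02, bytes([ISD]))) + invoke(tlv(0x02, bytes([DSD])), 2))
```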
Main issues in SS7 security
SS7 architecture flaws
Configuration mistakes
Software bugs
Conclusion
1. Check if your security tools are effective against new vulnerabilities.
2. Use an intrusion detection solution along with an SS7 firewall in order to
detect threats promptly and block a hostile source.
3. Block TCAP Begin messages with double MAP components.
We observed only one legal pair:
BeginSubscriberActivity + ProcessUnstructuredSS-Data.
4. Configure your STP and SS7 firewall carefully. Do not forget about
malformed Application Context Name and Global OpCodes.
Thank you!
Sergey Puzankov for ______
[email protected]