SS7: Locate - Track - Manipulate

You have a remote-controlled tracking device in your pocket

Signalling System #7

  • Protocol suite used by most telecommunications network operators throughout the world to talk to each other
  • Standardized in the 1980s in ITU-T Q.700 series
  • When it was designed, there were only a few telecoms operators, and they were either state controlled or really big corporations
  • “Walled Garden” approach: trusted each other, so no authentication built-in

Signalling System #7 today

  • New protocols added in the 1990s and 2000s by ETSI and 3GPP to support mobile phones and the services they need (roaming, SMS, data...)
  • Mobile Application Part (MAP)
    ‣ Contains everything mobile phones need that is not call signalling
  • CAMEL Application Part (CAP)
    ‣ A new protocol that allows the network operator to build custom services that are not possible with MAP
  • still no authentication for any of this

Getting access is easier than ever

  • Can be bought from telcos or roaming hubs for a few hundred euros a month
  • Usually (not always), roaming agreements with other networks are needed, but some telcos are reselling their roaming agreements
  • Some network operators leave their equipment unsecured on the internet
  • Femtocells are part of the core network and have been shown to be hackable

SS7 Protocol Stack

Network overview

Cell-Level Tracking

The network needs to know which base station (“cell”) is closest to the subscriber to deliver calls, SMS...

If you can find out the ID of that cell, its geographical position can be looked up in one of several databases

The location of the cell tower is also a good approximation of the subscriber’s location

In cities, cell towers are so close that subscriber tracking down to street level is possible

Commercial Tracking Providers

Several commercial providers offer cell-level tracking as a service and claim coverage of about 70% of worldwide mobile subscribers (with some restrictions...)

Only the MSISDN (phone number) is required to locate a subscriber

Cell-Level Tracking with SS7/MAP

MAP’s anyTimeInterrogation (ATI) service can query the subscriber’s HLR for her Cell-Id and IMEI (phone serial number, can be used to look up phone type)

Only meant as a network-internal service (e.g. to implement “home zones”). External networks should not be able to invoke it but still...

Many networks actually block ATI by now

Instead, query the MSC/VLR directly

But MSC/VLR use IMSIs (International Mobile Subscriber Identifiers), not phone numbers, to identify subscribers

Ask the HLR for the subscriber’s IMSI and the Global Title of the current MSC/VLR

When the attacker knows the IMSI of the subscriber and the Global Title, the MSC/VLR can be asked for the cell id of the subscriber

  • Works for a lot of networks
  • Most VLR/MSC accept requests from anywhere
  • no plausibility checks

Real-life tracking

We tracked some folks (but only after asking for permission)

For about two weeks, cell id was queried once per hour

Many, many thanks to Sascha for his work on the maps!

Observations of a German network operator

The Operator started filtering all network-internal messages at the network’s borders

This (combined with SMS home routing, which the operator has in place) essentially eliminated the simple form of tracking as seen before

Attack traffic dropped more than 80%:

Some of that traffic was due to misconfiguration at other networks

Commercial use cases:

• a shipping company was tracking its vehicles

• an SMS service provider for banks who use text messages as a second form of authentication (mTAN) was using the MAP send IMSI request to find out if the SIM was recently swapped

Some of the network operators where the attacks originated either did not respond or played dumb when the issue was addressed by the German operator

The operator believes that those attacks are being performed by state actors or the other network’s operators themselves

Some attacks are still happening, which requires other information sources or brute-forcing to get VLR/MSC and IMSI
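
One way an operator could spot the brute-forcing mentioned above in its border logs, as an added example (not from the talk). The log format, the Global Titles, the thresholds and the use of provideSubscriberInfo as the name of the MSC/VLR query are assumptions; the sample lines are constructed:

```python
from collections import defaultdict, deque

# Constructed border-log lines: epoch_seconds calling_gt operation imsi result
SAMPLE_LOG = """\
1000 33600000001 updateLocation 262011111111101 ok
1005 88299000001 provideSubscriberInfo 262019000000001 unknown
1010 88299000001 provideSubscriberInfo 262019000000002 unknown
1015 88299000001 provideSubscriberInfo 262019000000003 unknown
1020 33600000001 updateLocation 262011111111102 ok
1025 88299000001 provideSubscriberInfo 262019000000004 unknown
1030 88299000001 provideSubscriberInfo 262019000000005 unknown
1035 88299000001 provideSubscriberInfo 262019000000006 ok
4700 33600000001 updateLocation 262011111111103 ok
"""


def find_scanners(lines, window=600, min_targets=5, min_miss_ratio=0.8):
    """Return {calling GT: time first flagged} for senders that probe many
    distinct IMSIs inside `window` seconds and mostly hit unknown subscribers."""
    recent = defaultdict(deque)  # calling GT -> (time, imsi, missed) in window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, gt, _operation, imsi, result = line.split()
        ts = int(ts)
        seen = recent[gt]
        seen.append((ts, imsi, result == "unknown"))
        # Expire entries older than the window; the new entry always remains.
        while seen[0][0] <= ts - window:
            seen.popleft()
        targets = {i for _, i, _ in seen}
        misses = sum(1 for _, _, missed in seen if missed)
        if len(targets) >= min_targets and misses / len(seen) >= min_miss_ratio:
            flagged.setdefault(gt, ts)
    return flagged


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG.splitlines()))
```

A roaming partner that sends a few updateLocation requests for real subscribers stays below both thresholds, while a sender walking through IMSI ranges trips them quickly.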

Location Services (LCS)

In the US, E911 mandates: “Wireless network operators must provide the latitude and longitude of callers within 300 meters, within six minutes of a request by a Public Safety Answering Point”

LCS can use triangulation to further narrow down a subscriber’s position or even request a GPS position from the phone (via RRLP)

Emergency services request a subscriber’s location from the Gateway Mobile Location Center (GMLC)

GMLC requires authentication

Authentication at the GMLC can also be circumvented by directly querying the VLR

Verifying the sender, MAP-style

Problem:

SCCP doesn’t know anything about MAP or what entities should be able to use which MAP services

“Solution”:

Have the sender(!) put another copy of its “Calling Party Address” in an extra field in the MAP layer, so it can be verified

• Routing will still happen to addresses from the network layer

Problem:

If we tell the truth:

If we enter an address from the same network that we sent the request to:

Denial of Service

It is not only possible to read subscriber data - it can also be modified, since most networks’ VLR/MSC don’t do any plausibility checks

Control every aspect of what a subscriber is allowed to do: enable or disable incoming and/or outgoing calls / SMS or data or delete the subscriber from the VLR altogether

CAMEL

“Customised Applications for Mobile networks Enhanced Logic”

Specified in 3GPP TS 23.078

Like an overlay over usual MAP logic

Defines a set of events, for which the VLR should contact the CAMEL entity in the subscriber’s home network (gsmSCF = “GSM Service Control Function”)

The gsmSCF then decides if the desired action can continue unmodified or modified or will be aborted

Example: German subscriber is roaming in France

German HLR tells French VLR “notify my gsmSCF at address +4917... whenever the subscriber wants to make a call”

Subscriber wants to make a phone call, but dials number in German national format (0317654...)

• MSC asks gsmSCF in home network what to do with the call

gsmSCF rewrites number to international format (+49317654...) and tells MSC to continue with the new number

Intercepting calls with CAMEL

Attacker overwrites gsmSCF address in subscriber’s MSC/VLR with its own “fake gsmSCF” address

Subscriber wants to call +345678..., but the MSC now contacts the attacker instead of the subscriber’s gsmSCF

Attacker rewrites number to +210987..., his recording proxy (e.g. an Asterisk PBX)

MSC sets up call to +210987..., which bridges it to the original +345678...

Both subscribers can talk to each other, while the attacker records the conversation

HLR: Location Update

When a subscriber travels to another region or country, the VLR/MSC sends a MAP updateLocation request to the subscriber’s HLR

The HLR sends a copy of the subscriber’s data to the VLR/MSC and saves the address of the VLR/MSC

Now, when somebody wants to call or text the subscriber, the HLR gets asked for routing information (sendRoutingInfo...) and hands out the address of the VLR/MSC

HLR: Stealing Subscribers

• The updateLocation procedure is also not authenticated

• An attacker can simply pretend that a subscriber is in his “network” by sending the updateLocation with his Global Title to the subscriber’s HLR

Now, calls and SMS for that subscriber are routed to the attacker

Example: Subscriber’s bank sends text with mTAN. Attacker intercepts message and transfers money to his own account


• USSD codes can be executed for other subscribers

‣ Some carriers offer transfer of prepaid credits via USSD

• Call forwardings can be set/deleted

‣ An attacker could forward a subscriber’s calls to a premium rate number controlled by him and then call the subscriber’s number, billing all the premium rate calls to the subscriber

• Switch active SIM in case of Multi-SIM

Requests can even be sent without a previous updateLocation procedure, because the HLR does not check if the subscriber is in the network that is sending the request

Hybrid Attacks: TMSI De-anonymization

An attacker can find out the phone numbers of subscribers around him:

Paging of subscribers (e.g. to notify them of an incoming call) has to happen unencrypted

‣ TMSI (Temporary Mobile Subscriber Identifier) is normally used for paging so that the real identity of the subscriber (IMSI) does not have to be sent over the air unencrypted

Attacker captures TMSI over the air, e.g. with OsmocomBB

The MSC can be asked to hand out the IMSI if the TMSI is known

With updateLocation, the attacker can figure out the MSISDN belonging to the IMSI

Hybrid Attacks: Intercept Calls

The MSC can also be asked for the session key of the subscriber!

If the attacker captures an encrypted GSM or UMTS call, he can then decrypt it using the session key

Passive attack, no IMSI catcher necessary

LTE


LTE uses the Diameter protocol in the core network

SS7 is becoming a legacy protocol, but:

A lot of the SS7 design has been ported to Diameter, including its flaws

E.g. there is still no end-to-end authentication for subscribers

GSM/UMTS (and with them SS7) will be around for a long time to come (probably around 20 years)

To be able to have connections from GSM/UMTS to LTE, there are interfaces mapping most of the SS7 functionality (including its flaws) onto Diameter

Summary

• An attacker needs SS7 access and (most of the time) SCCP roaming with his victim’s network

• Then, with only his victim’s phone number, he can

‣ Track his victim’s movements (in some networks with GPS precision)

‣ Intercept his victim’s calls, text messages (and probably data connections, not verified)

‣ Disable calls, SMS, data

‣ Re-route calls, at the victim’s expense

• With only a TMSI, captured over the air interface, he can

‣ decrypt calls captured off the air (GSM, UMTS)

‣ find out the IMSI and phone number belonging to the TMSI

Countermeasures (for operators)

• Network operators should remove any need to hand out a subscriber’s IMSI and current VLR/MSC to other networks

‣ With SMS Home Routing, all text messages traverse an SMS router in the subscriber’s home network

‣ When the HLR receives a sendRoutingInfoForSM request, it only needs to hand out the address of the SMS router instead of the MSC address

‣ Instead of the subscriber’s IMSI, only a correlation id will be returned (that can be resolved by the SMS router)

• All MAP and CAP messages only needed internally in the network should be filtered at the network’s borders

‣ If Optimal Routing is not used, sendRoutingInfo (the one for voice calls, another source of MSC and IMSI), can also be filtered
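
The operator countermeasures above, together with a check on the sender-supplied address from “Verifying the sender, MAP-style”, sketched as an added example (not code from the talk or from any operator's equipment). The Global Titles, the policy set, provideSubscriberInfo as the name of the MSC/VLR query and the simplified correlation id format are assumptions made for the illustration:

```python
import secrets
from dataclasses import dataclass

HOME_GT_PREFIX = "49170"         # constructed: Global Title prefix of the home network
SMS_ROUTER_GT = "4917000000990"  # constructed: address of the home SMS router
OPTIMAL_ROUTING_USED = False     # assumption: Optimal Routing is not deployed
# Assumed policy: MAP operations that are only needed inside the network.
INTERNAL_ONLY = {"anyTimeInterrogation", "provideSubscriberInfo"}


@dataclass
class MapRequest:
    operation: str        # MAP operation name
    sccp_calling_gt: str  # Calling Party Address from the SCCP (network) layer
    map_origin_gt: str    # sender-supplied copy carried in the MAP layer
    msisdn: str = ""


class SmsRouter:
    """Keeps correlation id -> (IMSI, serving MSC) inside the home network."""

    def __init__(self):
        self._pending = {}

    def new_correlation_id(self, imsi, msc_gt):
        corr = secrets.token_hex(8)  # simplified id format
        self._pending[corr] = (imsi, msc_gt)
        return corr

    def resolve(self, corr):
        return self._pending.pop(corr, None)


def is_home(gt):
    return gt.startswith(HOME_GT_PREFIX)


def handle_external(req, hlr, router):
    """Verdict for a request from an interconnect link; hlr maps MSISDN -> (IMSI, MSC GT)."""
    # Our own addresses must never show up on an external link, in either layer.
    if is_home(req.sccp_calling_gt) or is_home(req.map_origin_gt):
        return "drop", "home address on external link"
    # The MAP-layer copy is written by the sender; compare it to the routed address.
    if req.sccp_calling_gt != req.map_origin_gt:
        return "drop", "SCCP and MAP sender addresses differ"
    if req.operation in INTERNAL_ONLY:
        return "drop", "network-internal operation"
    if req.operation == "sendRoutingInfo" and not OPTIMAL_ROUTING_USED:
        return "drop", "sendRoutingInfo not needed without Optimal Routing"
    if req.operation == "sendRoutingInfoForSM":
        record = hlr.get(req.msisdn)
        if record is None:
            return "error", "unknown subscriber"
        # SMS Home Routing: the real IMSI and MSC address stay inside the network.
        corr = router.new_correlation_id(*record)
        return "answer", {"correlation_id": corr, "network_node": SMS_ROUTER_GT}
    return "forward", None
```

When the text message itself later arrives at the SMS router, `resolve()` turns the correlation id back into the real IMSI and MSC address, so neither value crosses the network border.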

Countermeasures (for subscribers)

• Tell your operator to take action

• Throw away phone

• (Sorry, there really isn’t that much you can do)

A Step by Step Guide to SS7 Attacks

Global mobile use has been on a major upswing for quite some time, from toddlers who learn to operate a mobile phone before they can even speak to professionals whose phones contain sensitive information. Mobile devices are now like opinions: everyone has at least one they hold very dear.

As 5G technology propagates and expands to reach new audiences and devices, the opportunities for mobile cyber attacks grow exponentially. While the YouTube browsing history of a toddler may be of little interest to hackers, anyone holding sensitive data or communicating privileged information is at risk. All thanks to legacy network protocols of global telecommunications.

The aging of legacy protocols, together with the evolution of hacking techniques, creates the perfect conditions to empower malicious activities on increasingly crowded mobile networks. So it’s no wonder mobile malware attacks increased by 50% in 2019, and in 2020 are expected to continue to wreak mobile security havoc at an exponential rate.

Let’s meet one of the most prominent mobile network vulnerabilities threatening mobile service providers and users in the past years: SS7 loopholes.

Rather than target specific devices, sophisticated attacks are being perpetrated on entire networks. From a mobile service provider perspective, once your network’s SS7 protocol is successfully compromised, hackers are privy to your subscribers’ personal information. They can access text messages and phone calls and track device location, all without your or the subscriber’s knowledge.

What is SS7?

Introduced and adopted in the mid-70s, SS7 (Common Channel Signaling System No. 7 or C7) has been the industry standard since, and hasn’t advanced much in decades. Its outdated security concepts make it especially vulnerable to hackers.

SS7’s success has also, in a way, been its curse, at least when it comes to cyber security. The SS7 protocol is used everywhere, and is the leading protocol for connecting network communication worldwide. Because it is so prevalent, it is used by both intelligence agencies and mobile operators. From a surveillance perspective, it is considerably effective. As such, SS7 is an attacker’s best friend, enabling them access to the same surveillance capabilities held by law enforcement and intelligence agencies.

How does SS7 work?

The set of SS7 telephony signaling protocols is responsible for setting up and terminating telephone calls over a digital signaling network to enable wireless cellular and wired connectivity. It is used to initiate most of the world’s public telephone calls over PSTN (Public Switched Telephone Network).

[Figure: call setup example]

Over time other applications were integrated into SS7. This allowed for the introduction of new services like SMS, number translation, prepaid billing, call waiting/forwarding, conference calling, local number portability, and other mass-market services.

Components and elements that make up the SS7 protocol stack:

[Figure: SS7 protocol setup]

What are SS7 attacks?

SS7 attacks are mobile cyber attacks that exploit security vulnerabilities in the SS7 protocol to compromise and intercept voice and SMS communications on a cellular network. Similar to a Man In the Middle attack, SS7 attacks target mobile phone communications rather than wifi transmissions.

How do SS7 attacks work?

SS7 attacks exploit the authentication capability of communication protocols running atop the SS7 protocol to eavesdrop on voice and text communications. According to telecommunications experts, all a cyber criminal would need to successfully launch an SS7 attack are a computer running Linux and the SS7 SDK – both free to download from the Internet.

Once connected to an SS7 network, the hacker can target subscribers on the network while fooling the network into thinking the hacker device is actually an MSC/VLR node.

[Figure: SMS interception stage 1]

[Figure: SMS interception step 2]

What’s in it for the Hackers?

When a hacker successfully performs a MitM phishing attack, they gain access to the same amounts and types of information that are usually reserved for the use of security services. Having the ability to eavesdrop on calls and text messages, as well as to track device locations, empowers hackers to gain valuable information.

A common security precaution used by many is one of the targets of SS7 attacks. Two-factor authentication (also known as 2FA) via SMS using SS7 is inherently flawed, as these SMS messages are unencrypted and hackers know how to intercept them. With the code from the SMS in their hand, a cyber-criminal can potentially reset the password to your Google, Facebook or WhatsApp account, or even your bank account.

The Risks to Digital Businesses

It doesn’t take an expert to see that it takes little skill and equipment for a hacker to successfully mount a man-in-the-middle (MitM) phishing attack. With most businesses managing their communications over cellular connections, it’s clear that SS7 attacks pose a significant risk. It’s important to remember that it’s not only proprietary or confidential information hackers are interested in. The growing prevalence of IoT devices reliant on mobile networks to transmit data is expanding the risk playing field.

An enterprise’s IoT infrastructure and critical services can be prime targets. Such attacks can lead to potentially damaging breaches of confidential information as well as hijacking or disabling of mission-critical devices and services.

Considering how high the risks are, manufacturers are doing too little to warn businesses using IoT devices about potential security vulnerabilities in their products. This exposes network operators to attacks through compromised customer IoT devices on their network.

What can mobile operators do to prevent SS7 attacks?

The flaws and vulnerabilities inherent in the SS7 protocol are out of the jurisdiction of enterprises, small businesses as well as consumers. As such, SS7 vulnerabilities cannot simply be removed or fixed.

The GSMA recommends that mobile network operators focus on consumer education. With consumers paying more attention to the security of their smartphones and IoT devices, they are more likely to take action to secure their devices, especially when it comes to critical applications and services like Smart Homes and Offices.

1. User Password Security

Two-factor SMS authentication, flawed as it is, is still widely used. Security-conscious businesses and services are gradually moving away from SMS and offer other methods of authenticating users which do not rely on antiquated telephone protocols like SS7.

2. Monitoring & Event Analysis

If an SS7 network is successfully compromised, companies need to have the ability to monitor the activity during the attack. They need to be informed on security events in the context of what is happening on corporate servers as well as devices. This needs to be part of any enterprise mobile security strategy. Ultimately, businesses need to implement a defense that identifies threats and takes action before any damage occurs.

3. Regular Updates

Cyber security is not a set-it-and-forget-it deal, even if you employ automation. Cybercriminals are always coming up with new exploits and approaches to compromise systems to get their hands on confidential data or hijack devices for ransom. Effective Patch Management is critical and complements adaptive defense. By employing real-time analysis of endpoint security, businesses can ensure known vulnerabilities are sealed as soon as possible through software and firmware updates.

What can YOU do?

The only way to be fully safe from SS7 attacks is to simply shut your smartphone off. You and I both know that’s not an option. So what you can do is “know the enemy”. Being aware that malicious activities like SS7 attacks are prevalent and common is simply a necessity in 2020.

That said, with the billions of mobile phone users worldwide, the risk of you being targeted for surveillance by cyber-criminals is probably small. But if you happen to be a president, queen or even doctor holding sensitive patient information on their mobile, your chances are much higher than those of an average Joe. If you’re still using 2FA for banking services, you might very well be in danger of having your account compromised.

Considering just how easy it is to execute an SS7 attack and how much damage a successful one can do to both the victim and their service provider, one can only hope that innovation in telecom will protect us, the end users. For enterprises, government agencies and MSPs today there are numerous solutions ranging from complex customized mobile VPN systems to innovative plug-and-play solutions like FirstPoint SIM-based user level protection.
