SS7: Locate -Track - Manipulate


What is an SS7 attack?

An SS7 attack is a security breach that takes advantage of a flaw in the way SS7 (Signaling System 7) was designed, so that data can be stolen, conversations can be listened in on, text messages can be intercepted and a person's location can be tracked.

SS7 attacks differ from other cyberattacks in that a single kind of access exposes many weaknesses at once, and most of them can be exploited from anywhere in the world. An attacker can record and listen in on conversations and read text messages without being noticed, and the same access can be used to track a person's location, commit fraud or cut off service.

How does an SS7 attack work?

SS7 is the signalling protocol suite that 2G and 3G mobile networks use to talk to each other. It carries the information needed to set up calls and deliver text messages, supports billing, and lets subscribers roam while travelling. SS7 networks were originally designed as a closed, trusted system among a handful of phone companies, and providers also cooperated with government agencies, so anyone with SS7 access has a lot of subscriber information available to them. When mobile phones and apps became popular, further protocols (MAP and CAMEL, described below) were layered on top without adding authentication, which created many entry points and weak spots that attackers can use to read and manipulate private data.

In 2014, security researchers in Germany demonstrated SS7's flaws, showing how man-in-the-middle style attacks could track the movements and communications of mobile users and listen in on their conversations. In 2017, criminals drained victims' bank accounts: they obtained SS7 access and rerouted to themselves the two-factor authentication codes that were supposed to verify the account holders.

The effects of SS7's security flaws

Because the SS7 network has surveillance capabilities built in, attackers can extract a lot of useful information through SS7 attacks. This makes it comparatively easy for network operators, governments, cybercriminals and hobbyists alike to track and compromise smartphones. Businesses can reduce their exposure with best practices such as virtual private networks, end-to-end encryption and security awareness training, although none of these fix the protocol itself.

Even though the problems with SS7 have been known for years, phone companies were slow to put protections in place, and some never did. 4G and 5G networks added new security protocols that reduce the threat, but they still have to interoperate with the older technology. In its 2021 mobile report, the GSMA, the industry association of mobile operators, said that 2G and 3G still account for 30% of mobile connections. 5G is becoming more popular, but SS7 attacks will remain a problem as long as 2G and 3G networks are in use.

The remote-controlled tracking device in your pocket

Most telecommunications network operators around the world use the Signalling System #7 (SS7) protocol suite to talk to each other. It was standardized in the 1980s in the ITU-T Q.700 series. When it was designed, there were only a few telecom companies, either state-run or very large corporations. Since they trusted each other, SS7 has no authentication built in at all.

In the 1990s and 2000s, ETSI and 3GPP added new protocols on top of SS7 for mobile phones and the services they need (roaming, SMS, data, ...):
• Mobile Application Part (MAP): everything a mobile phone needs apart from the calls themselves
• CAMEL Application Part (CAP): lets network operators build custom services that MAP alone could not provide
None of these added authentication either.

Getting access is easier than ever:
• SS7 access can be bought for a few hundred euros a month from telcos or roaming hubs
• Roaming agreements with other networks are usually (but not always) required, and some telcos resell their roaming agreements to other companies
• Some network operators leave their equipment reachable from the internet, where anyone can use it
• Femtocells are part of the core network, and hackers have shown that they can be broken into

SS7 Protocol Stack


Network Overview


Tracking on a Cell-Level

For calls, text messages and other services, the network needs to know which base station ("cell") is currently serving the subscriber. If you know the cell's ID, you can look up its location in one of several databases.

The location of the cell tower already gives a good idea of where the subscriber is. In cities, cells are so close together that a subscriber can be tracked down to street level.

Commercial tracking providers

Several companies offer cell-level tracking as a service and claim to cover about 70% of all mobile subscribers worldwide (with some restrictions...). To find a subscriber, all you need is their MSISDN (phone number).


Cell-Level Tracking with SS7/MAP:

MAP's anyTimeInterrogation (ATI) service can ask the subscriber's HLR for her Cell-Id and IMEI (the phone's serial number, from which the phone model can be looked up).


ATI is only meant as a service for the network itself (for example, to set up "home zones"). Other networks shouldn't be able to use it, but...

Many networks actually block ATI by now


Instead, directly ask the MSC/VLR

But the MSC/VLR does not find subscribers by phone number. It uses IMSIs (International Mobile Subscriber Identities).

So first ask the HLR for the subscriber's IMSI and the Global Title of her current MSC/VLR (sendRoutingInfoForSM, the request an SMS centre sends when it wants to deliver a text).

Once the attacker knows the subscriber's IMSI and the Global Title, the MSC/VLR can be asked directly for the subscriber's cell id.


  • Works for a lot of networks
  • Most VLR/MSC accept requests from anywhere
  • no plausibility checks
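The two-step lookup described above, as an added example (not code from the talk): a toy HLR and MSC/VLR that answer anyone, and an attacker function that turns a phone number into a cell id and a map position. The MAP operation names sendRoutingInfoForSM and provideSubscriberInfo are the real operations for these two steps; treating the talk's "ask the HLR" and "ask the MSC/VLR" as exactly these is an assumption here, as are all global titles, IMSIs, cell ids and coordinates.

```python
# Added example, not code from the talk: a toy model of the MSISDN -> IMSI/VLR -> cell-id
# chain. The MAP operation names are real (sendRoutingInfoForSM, provideSubscriberInfo),
# but every global title, IMSI, cell id and coordinate below is constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class VlrRecord:
    imsi: str
    cell_id: str    # constructed Cell Global Id written as "MCC-MNC-LAC-CI"
    imei: str


class Hlr:
    """HLR that answers sendRoutingInfoForSM for anyone who asks (no SMS home routing)."""

    def __init__(self, subscribers: Dict[str, Tuple[str, str]]) -> None:
        self.subscribers = subscribers   # MSISDN -> (IMSI, global title of the current VLR)

    def send_routing_info_for_sm(self, calling_gt: str, msisdn: str) -> Optional[dict]:
        # calling_gt is received but never checked: this is the flaw the text describes
        sub = self.subscribers.get(msisdn)
        if sub is None:
            return None
        imsi, vlr_gt = sub
        return {"imsi": imsi, "networkNodeNumber": vlr_gt}


class Vlr:
    """MSC/VLR that answers provideSubscriberInfo with the current cell, no plausibility check."""

    def __init__(self, gt: str, records: Dict[str, VlrRecord]) -> None:
        self.gt = gt
        self.records = records           # IMSI -> VlrRecord

    def provide_subscriber_info(self, calling_gt: str, imsi: str) -> Optional[dict]:
        rec = self.records.get(imsi)
        if rec is None:
            return None
        return {"cellGlobalId": rec.cell_id, "imei": rec.imei}


# Constructed stand-in for the public cell-id databases mentioned in the text
CELL_DB: Dict[str, Tuple[float, float]] = {
    "262-01-4711-0815": (52.5200, 13.4050),
    "262-01-4711-0816": (52.5170, 13.3889),
}

# Constructed "signalling network": one HLR and one VLR reachable by global title
HLR = Hlr({"+4917012345678": ("262011234567890", "491700000002")})
NETWORK: Dict[str, Vlr] = {
    "491700000002": Vlr("491700000002", {
        "262011234567890": VlrRecord("262011234567890", "262-01-4711-0815",
                                     "352099001761481"),
    }),
}
ATTACKER_GT = "447700900123"             # constructed global title in a foreign network


def locate(msisdn: str, hlr: Hlr, network: Dict[str, Vlr],
           calling_gt: str = ATTACKER_GT) -> Optional[dict]:
    """Resolve a phone number to a cell and a map position with two MAP requests."""
    routing = hlr.send_routing_info_for_sm(calling_gt, msisdn)
    if routing is None:
        return None                      # unknown MSISDN
    vlr = network.get(routing["networkNodeNumber"])
    if vlr is None:
        return None                      # no SCCP route to that VLR from where we sit
    info = vlr.provide_subscriber_info(calling_gt, routing["imsi"])
    if info is None:
        return None                      # VLR no longer has the subscriber
    return {"imsi": routing["imsi"], "vlr_gt": vlr.gt,
            "cell_id": info["cellGlobalId"], "imei": info["imei"],
            "position": CELL_DB.get(info["cellGlobalId"])}


if __name__ == "__main__":
    print(locate("+4917012345678", HLR, NETWORK))
```

Note that neither node ever looks at calling_gt: the attacker's foreign global title is carried in every request and would be trivial to reject, which is exactly what the border filtering described later in the text does.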


Tracking in real life

We tracked some folks (but only after asking for their permission).

The cell id was requested about once an hour for about two weeks.

Thanks a lot to Sascha for all the work he did on the maps!

What a German network operator has to say

At the network's borders, the operator began to filter all messages that are only meant to be used within the network.

Together with the operator's SMS home routing, this pretty much got rid of the simple tracking method that had been used before.

Attack traffic dropped by more than 80%:

Some of that traffic was caused by misconfigurations in other networks.

A shipping company was tracking its vehicles, and an SMS service provider for banks that use text messages as a second factor (mTAN) was using the MAP sendIMSI request to find out whether the SIM had recently been changed.


When the problem was brought up by the German operator, some of the network operators where the attacks came from either didn't answer or pretended not to hear.
The operator thinks that these attacks are coming from the government or from the operators of the other network.

Some attacks are still going on, but obtaining the VLR/MSC address and the IMSI now requires other information sources or brute force.

Location Services (LCS)

In the US, E911 requires that "wireless network operators must provide the latitude and longitude of callers within 300 meters within six minutes of a request by a Public Safety Answering Point."

LCS can use triangulation to get a better idea of where a subscriber is, or even ask the phone for its GPS position (via RRLP).

The Gateway Mobile Location Center (GMLC) is the node through which emergency services find out where a subscriber is.

Unlike the MAP queries above, the GMLC does check who is asking.

Real-life tracking


But the GMLC's authentication can be circumvented by querying the VLR directly.


Verifying the sender, MAP-style

Problem: SCCP knows nothing about MAP, or about which entities should be allowed to use which MAP services.

"Solution": have the sender(!) put another copy of its Calling Party Address in an extra field at the MAP layer, so that it can be verified there.

• Routing still happens on the addresses in the network (SCCP) layer.

Problem: the field is filled in by the sender.

If we tell the truth and put our own address there, the request can be rejected.

If we enter an address from the same network that we are sending the request to, the check passes, because nothing ties the MAP-layer copy to the SCCP address the request actually came from.
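The check described above, as an added example (not from the talk) in a few lines of Python: the MAP-layer copy of the calling party is whatever the sender wrote, the SCCP address is what responses are routed to, and only the latter costs the attacker anything to forge. The home-network prefix and all addresses are constructed.

```python
# Added example, not code from the talk: the MAP-layer copy of the calling party address
# used as a sender check, and why it proves nothing. All addresses are constructed.
HOME_GT_PREFIX = "4917"     # assumption: global titles of the network receiving the request


def map_layer_sender_check(msg: dict) -> bool:
    """The 'solution' from the text: trust the address the sender copied into the MAP layer."""
    return msg["map_calling_party"].startswith(HOME_GT_PREFIX)


def route_response(msg: dict) -> str:
    """Routing ignores the MAP-layer copy: the answer goes to the SCCP calling party."""
    return msg["sccp_calling_party"]


def consistent_sender_check(msg: dict) -> bool:
    """Minimum a real check needs: the MAP copy must equal the SCCP address that the
    network actually routes on, and that address must be one of ours."""
    return (msg["map_calling_party"] == msg["sccp_calling_party"]
            and msg["sccp_calling_party"].startswith(HOME_GT_PREFIX))


# Constructed requests from an attacker whose real global title is 447700900123
HONEST = {"op": "anyTimeInterrogation",
          "sccp_calling_party": "447700900123",
          "map_calling_party": "447700900123"}
SPOOFED = {"op": "anyTimeInterrogation",
           "sccp_calling_party": "447700900123",
           "map_calling_party": "491700000001"}   # "an address from the same network"
INTERNAL = {"op": "anyTimeInterrogation",
            "sccp_calling_party": "491700000001",
            "map_calling_party": "491700000001"}  # a genuine request from our own node
```

The attacker can of course put a home address into the SCCP calling party too, but then the answer is routed back into the home network instead of to him, which for a request/response operation such as ATI defeats the purpose. That is why a filter has to key on the SCCP address (and on whether the operation should arrive from outside at all), not on the copy at the MAP layer.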

Denial of Service

It is not only possible to read subscriber data; it can also be modified, because most networks' VLR/MSC do not perform any plausibility checks.

An attacker can control every aspect of what a subscriber is allowed to do: enable or disable incoming and/or outgoing calls, SMS or data, or delete the subscriber from the VLR altogether.


CAMEL

“Customised Applications for Mobile networks Enhanced Logic”

Specified in 3GPP TS 23.078

Works like an overlay on the usual MAP logic.

Defines a set of events for which the VLR should contact the CAMEL entity in the subscriber's home network (the gsmSCF, "GSM Service Control Function").

The gsmSCF then decides if the desired action can continue unmodified or modified or will be aborted


Example: a German subscriber is roaming in France.

The German HLR tells the French VLR: "notify my gsmSCF at address +4917... whenever the subscriber wants to make a call".


The subscriber wants to make a phone call but dials the number in German national format (0317654...).

• The MSC asks the gsmSCF in the home network what to do with the call. The gsmSCF rewrites the number to international format (+49317654...) and tells the MSC to continue with the new number.


Intercepting calls with CAMEL

The attacker overwrites the gsmSCF address stored for the subscriber in the MSC/VLR with his own "fake gsmSCF" address.


The subscriber wants to call +345678..., but the MSC now contacts the attacker instead of the subscriber’s gsmSCF


Attacker rewrites number to +210987..., his recording proxy (e.g. an Asterisk PBX)

MSC sets up call to +210987..., which bridges it to the original +345678...

Both subscribers can talk to each other, while the attacker records the conversation
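The CAMEL flow above, from the legitimate number rewriting to the hijacked call, as an added example (not code from the talk). The model has an MSC/VLR that accepts a new gsmSCF address from anyone (the talk does not name the MAP operation that carries the profile; insertSubscriberData is assumed here), the home gsmSCF that normalises national numbers, a fake gsmSCF, and a recording proxy in place of the Asterisk box. All numbers and global titles are constructed.

```python
# Added example, not code from the talk: CAMEL O-CSI interception in a toy MSC/VLR.
# The profile update is modelled as MAP insertSubscriberData (assumption); numbers,
# IMSIs and global titles are constructed.
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass
class CamelProfile:
    imsi: str
    gsmscf_address: str        # where the MSC reports call attempts (O-CSI)


class HomeScf:
    """The subscriber's real gsmSCF: turns a German national number into international format."""

    def initial_dp(self, called: str) -> Tuple[str, str]:
        if called.startswith("0"):
            return ("CONNECT", "+49" + called[1:])
        return ("CONTINUE", called)


class AttackerScf:
    """Fake gsmSCF: always connects the call to the attacker's recording proxy."""

    def __init__(self, proxy_number: str) -> None:
        self.proxy_number = proxy_number
        self.intended: List[str] = []      # what the victims actually dialled

    def initial_dp(self, called: str) -> Tuple[str, str]:
        self.intended.append(called)
        return ("CONNECT", self.proxy_number)


class RecordingProxy:
    """Stands in for the Asterisk PBX: bridges to the real destination and keeps a record."""

    def __init__(self, scf: AttackerScf) -> None:
        self.scf = scf
        self.recorded: List[str] = []

    def bridge(self) -> str:
        destination = self.scf.intended.pop(0)
        self.recorded.append(destination)
        return destination


class Msc:
    def __init__(self, scfs: Dict[str, Any]) -> None:
        self.scfs = scfs                   # gsmSCF address -> node (the "signalling network")
        self.vlr: Dict[str, CamelProfile] = {}

    def insert_subscriber_data(self, calling_gt: str, imsi: str, gsmscf_address: str) -> None:
        # No check that calling_gt is the subscriber's home HLR: anyone can rewrite the profile
        self.vlr[imsi] = CamelProfile(imsi, gsmscf_address)

    def setup_call(self, imsi: str, dialled: str) -> str:
        """Return the number the MSC really connects the call to."""
        scf = self.scfs[self.vlr[imsi].gsmscf_address]
        action, number = scf.initial_dp(dialled)
        return number if action == "CONNECT" else dialled


def intercept_demo() -> dict:
    fake = AttackerScf(proxy_number="+210987654321")
    proxy = RecordingProxy(fake)
    msc = Msc({"+491700000099": HomeScf(), "+447700900123": fake})
    imsi = "262011234567890"
    # 1. Legitimate roaming: the home HLR installs its gsmSCF address
    msc.insert_subscriber_data("491700000001", imsi, "+491700000099")
    legit = msc.setup_call(imsi, "0317654321")         # -> "+49317654321"
    # 2. Attacker overwrites the address with his own fake gsmSCF
    msc.insert_subscriber_data("447700900123", imsi, "+447700900123")
    hijacked = msc.setup_call(imsi, "+345678901234")   # -> the proxy number
    bridged = proxy.bridge()                            # proxy dials the real destination
    return {"legit": legit, "hijacked": hijacked,
            "bridged": bridged, "recorded": proxy.recorded}


if __name__ == "__main__":
    print(intercept_demo())
```

The subscriber sees nothing unusual: the MSC follows the CONNECT instruction from whatever node is registered as gsmSCF, and the proxy bridges the call to the number originally dialled.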

HLR: Location Update

When a subscriber travels to another region or country, the VLR/MSC there sends a MAP updateLocation request to the subscriber's HLR.


The HLR sends a copy of the subscriber’s data to the VLR/MSC and saves the address of the VLR/MSC

Now, when somebody wants to call or text the subscriber, the HLR gets asked for routing information (sendRoutingInfo...) and hands out the address of the VLR/ MSC

HLR: Stealing Subscribers

• The update location procedure is also not authenticated

• An attacker can simply pretend that the subscriber is in his "network" by sending an updateLocation with his own Global Title to the subscriber's HLR.


Now, calls and SMS for that subscriber are routed to the attacker

Example: Subscriber’s bank sends a text with mTAN. The attacker intercepts message and transfers money to his own account

 

• USSD codes can be executed on behalf of other subscribers
‣ Some carriers offer a transfer of prepaid credit via USSD

• Call forwardings can be set or deleted
‣ An attacker could forward a subscriber's calls to a premium-rate number he controls and then call the subscriber's number, billing all the premium-rate calls to the subscriber

• The active SIM can be switched in the case of Multi-SIM

Requests can even be sent without a previous updateLocation procedure, because the HLR does not check whether the subscriber is actually in the network that is sending the request.
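The subscriber-stealing procedure above, as an added example (not code from the talk): an HLR whose updateLocation is not authenticated, the mTAN that is then delivered to the attacker, and the kind of plausibility check the text says is missing. The check itself is an assumption (reject VLRs without a roaming agreement, and reject "impossible travel" between two location updates); the global-title prefixes, distances and identifiers are constructed.

```python
# Added example, not code from the talk: unauthenticated updateLocation, the resulting mTAN
# interception, and an assumed plausibility check. All identifiers, GT prefixes and
# distances are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed: global-title country code prefix -> country, and rough distances in km
GT_COUNTRY = {"49": "DE", "33": "FR", "27": "ZA", "44": "GB"}
DISTANCE_KM = {frozenset({"DE", "FR"}): 900, frozenset({"DE", "ZA"}): 9000,
               frozenset({"DE", "GB"}): 900, frozenset({"FR", "ZA"}): 9000,
               frozenset({"FR", "GB"}): 400, frozenset({"GB", "ZA"}): 9700}
MAX_SPEED_KMH = 1000.0      # faster than this between two updates is not a travelling phone


def gt_country(gt: str) -> Optional[str]:
    for prefix, country in GT_COUNTRY.items():
        if gt.startswith(prefix):
            return country
    return None


@dataclass
class Subscriber:
    imsi: str
    msisdn: str
    vlr_gt: str
    last_update_h: float    # time of the last accepted updateLocation, in hours


class Hlr:
    def __init__(self, subs: List[Subscriber], partners: Set[str], check: bool) -> None:
        self.by_imsi = {s.imsi: s for s in subs}
        self.by_msisdn = {s.msisdn: s for s in subs}
        self.partners = partners        # VLR global titles with a roaming agreement
        self.check = check              # False = the HLR described in the text

    def update_location(self, imsi: str, vlr_gt: str, now_h: float) -> str:
        sub = self.by_imsi.get(imsi)
        if sub is None:
            return "unknownSubscriber"
        if self.check:
            if vlr_gt not in self.partners:
                return "rejected: no roaming agreement"
            here, there = gt_country(sub.vlr_gt), gt_country(vlr_gt)
            if here and there and here != there:
                km = DISTANCE_KM[frozenset({here, there})]
                hours = max(now_h - sub.last_update_h, 1e-9)
                if km / hours > MAX_SPEED_KMH:
                    return "rejected: implausible travel"
        # "HLR saves the address of the VLR/MSC" (and would send the subscriber data back)
        sub.vlr_gt, sub.last_update_h = vlr_gt, now_h
        return "ok"

    def send_routing_info_for_sm(self, msisdn: str) -> Optional[Tuple[str, str]]:
        sub = self.by_msisdn.get(msisdn)
        return None if sub is None else (sub.imsi, sub.vlr_gt)


def deliver_sms(hlr: Hlr, msisdn: str, text: str) -> Optional[Tuple[str, str]]:
    """Where the SMS centre forwards the message: (VLR global title, text)."""
    routing = hlr.send_routing_info_for_sm(msisdn)
    return None if routing is None else (routing[1], text)


def make_hlr(check: bool) -> Hlr:
    # Subscriber is at home in Germany (VLR 4917...), last updated at t = 0 h
    return Hlr([Subscriber("262011234567890", "+4917012345678", "491700000002", 0.0)],
               partners={"491700000002", "336000000001", "270000000001"}, check=check)


ATTACKER_GT = "447700900123"    # constructed; no roaming agreement with the home network


if __name__ == "__main__":
    weak = make_hlr(check=False)
    print(weak.update_location("262011234567890", ATTACKER_GT, 0.1))
    print(deliver_sms(weak, "+4917012345678", "mTAN 123456"))
```

With check=False, the attacker's updateLocation is accepted and the bank's mTAN goes to his global title. With check=True, the same request fails on the roaming agreement, and even a partner VLR in South Africa is refused six minutes after the subscriber was seen in Germany, while France two hours later is accepted.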

Hybrid Attacks: TMSI De-anonymization

An attacker can find out the phone numbers of subscribers around him:

Paging of subscribers (e.g. to notify them of an incoming call) has to happen unencrypted

‣ A TMSI (Temporary Mobile Subscriber Identity) is normally used for paging so that the subscriber's real identity (the IMSI) does not have to be sent unencrypted over the air.


The attacker captures TMSI over the air, e.g. with OsmocomBB

The MSC can be asked to hand out the IMSI if the TMSI is known. With an updateLocation for that IMSI, the attacker can then find out the MSISDN belonging to it.

Hybrid Attacks: Intercept Calls

The MSC can also be asked for the session key for the subscriber!


 

If the attacker captures an encrypted GSM or UMTS call, he can then decrypt it using the session key

Passive attack, no IMSI catcher necessary

LTE

In LTE, the core network uses the Diameter protocol instead of SS7.

SS7 is getting old, but:

• A lot of SS7's design has been carried over into Diameter, including its flaws. For example, there is still no end-to-end authentication.

• GSM and UMTS, and SS7 with them, will be around for a long time (probably around 20 years).

• There are interworking functions that map most of SS7's functionality (including its flaws) onto Diameter so that GSM/UMTS networks can connect to LTE.

• An attacker needs SS7 access and, most of the time, SCCP roaming with his victim's network.

• With only his victim's phone number, he can then:

‣ watch where his victim goes (in some networks with GPS precision)

‣ intercept his victim's phone calls and texts (and probably data connections, not verified)

‣ disable calls, SMS and data

‣ redirect calls at the victim's expense

• With only a TMSI, which he can pick up over the air interface, he can:

‣ decrypt calls captured over the air (GSM, UMTS)

‣ find out the IMSI and phone number behind the TMSI

Countermeasures (for operators):

• Network operators should get rid of everything that makes it possible for other networks to obtain a subscriber's IMSI and current VLR/MSC address:

‣ With SMS Home Routing, all text messages go through an SMS router in the subscriber's home network.

‣ When the HLR gets a sendRoutingInfoForSM request, it only needs to hand out the address of the SMS router instead of the address of the MSC.

‣ The subscriber's IMSI is not returned either, only a correlation id that the SMS router can resolve.

• At the network's borders, all MAP and CAP messages that are only needed inside the network should be filtered out.

‣ If Optimal Routing is not used, sendRoutingInfo (used for voice calls, and another source of the MSC address and IMSI) can also be filtered.
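Both operator countermeasures above, as an added example (not code from the talk): a border filter that drops internal-only MAP operations arriving from foreign global titles (and sendRoutingInfo when there is no Optimal Routing), and an HLR that answers sendRoutingInfoForSM from outside with the SMS router's address and a correlation id instead of the IMSI and MSC address. The list of internal-only operations is an assumption that follows the text's rule (anything that hands out IMSI or VLR/MSC address to another network); global titles and identifiers are constructed.

```python
# Added example, not code from the talk: a MAP border filter and SMS home routing.
# INTERNAL_ONLY, the home-network prefix and all global titles are assumptions/constructed.
import secrets
from typing import Dict, Optional, Tuple

HOME_GT_PREFIX = "4917"                 # our own network's global titles (assumption)
SMS_ROUTER_GT = "491700000050"          # constructed address of the SMS router

# MAP operations other networks never need to send us (assumption, see lead-in)
INTERNAL_ONLY = {"anyTimeInterrogation", "provideSubscriberInfo",
                 "sendIMSI", "sendIdentification"}


def border_filter(op: str, sccp_calling_party: str,
                  optimal_routing: bool = False) -> Tuple[str, str]:
    """Decide at the network edge whether an incoming MAP request may enter the core."""
    if sccp_calling_party.startswith(HOME_GT_PREFIX):
        return ("allow", "internal sender")
    if op in INTERNAL_ONLY:
        return ("drop", "internal-only operation from foreign network")
    if op == "sendRoutingInfo" and not optimal_routing:
        return ("drop", "sendRoutingInfo not needed without optimal routing")
    return ("allow", "roaming traffic")   # e.g. updateLocation must still get through


class SmsRouter:
    """Keeps the correlation id -> (IMSI, VLR GT) mapping inside the home network."""

    def __init__(self) -> None:
        self.pending: Dict[str, Tuple[str, str]] = {}

    def new_correlation(self, imsi: str, vlr_gt: str) -> str:
        corr = "corr" + secrets.token_hex(4)   # opaque, single-use
        self.pending[corr] = (imsi, vlr_gt)
        return corr

    def resolve(self, corr: str) -> Optional[Tuple[str, str]]:
        return self.pending.pop(corr, None)


class HomeRoutedHlr:
    def __init__(self, subscribers: Dict[str, Tuple[str, str]], router: SmsRouter) -> None:
        self.subscribers = subscribers        # MSISDN -> (IMSI, VLR GT)
        self.router = router

    def send_routing_info_for_sm(self, sccp_calling_party: str, msisdn: str) -> Optional[dict]:
        sub = self.subscribers.get(msisdn)
        if sub is None:
            return None
        imsi, vlr_gt = sub
        if sccp_calling_party.startswith(HOME_GT_PREFIX):
            return {"imsi": imsi, "networkNodeNumber": vlr_gt}    # our own SMS-C gets the truth
        # Foreign requester: only the router's address and a correlation id in place of the IMSI
        return {"imsi": self.router.new_correlation(imsi, vlr_gt),
                "networkNodeNumber": SMS_ROUTER_GT}


if __name__ == "__main__":
    print(border_filter("anyTimeInterrogation", "447700900123"))
    router = SmsRouter()
    hlr = HomeRoutedHlr({"+4917012345678": ("262011234567890", "491700000002")}, router)
    print(hlr.send_routing_info_for_sm("447700900123", "+4917012345678"))
```

Incoming SMS delivery still works: the foreign SMS centre sends the message to the router with the correlation id, and the router resolves it to the real IMSI and VLR without either ever leaving the home network. updateLocation has to be allowed through for roaming to work, so it needs a different defence than filtering.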

Countermeasures (for subscribers):

• Tell your operator to do something

• Get rid of your phone

• (Sorry, there isn't much you can do)

A Step-by-Step Guide to SS7 Attacks

Mobile phone use around the world has been growing rapidly for a long time, from toddlers who learn to use a phone before they can talk to adults whose phones hold sensitive information. Almost everyone now has at least one mobile device they hold very dear.

As 5G spreads to more people and devices, the opportunities for mobile cyberattacks grow tenfold. Attackers may not care about a toddler's YouTube history, but they are interested in anyone who holds sensitive data or shares privileged information, and the old network protocols used in global communications make that possible.

Ageing protocols combined with ever-better hacking techniques make increasingly crowded mobile networks an easy target. It is not surprising that mobile malware attacks rose by 50% in 2019 and were expected to keep hitting mobile security even harder in 2020.

This section looks at the SS7 loopholes, one of the biggest threats to mobile service providers and their users in recent years.

Instead of going after individual devices, sophisticated attacks now target whole networks. From a mobile service provider's point of view, once attackers have access to your network's SS7 signalling, they can see personal information about your subscribers: they can read their text messages, listen to their calls and find out where their devices are, without the provider or the subscriber noticing.

What does SS7 mean?

Common Channel Signaling System No. 7 (SS7, also called C7) has been the industry standard since the mid-1970s and has changed little in the decades since. Its security rests on the assumptions of that era, which makes it easy for attackers to get in.

In a way, SS7's success has also been its curse, at least where security is concerned. The protocol is used everywhere and is the most common way for networks to talk to each other around the world. Because it is so widespread, both intelligence agencies and mobile operators rely on it, and from a surveillance point of view it works very well. That makes SS7 an attacker's best friend: it gives him the same surveillance capabilities that law enforcement and intelligence agencies have.

How does SS7 work?

The SS7 family of telephony signalling protocols is used to set up and tear down phone calls over a digital signalling network, for both wired and wireless connections. It carries the signalling for most public phone calls over the PSTN (Public Switched Telephone Network) around the world.

Call setup example (figure)

Over time, further applications were added on top of SS7. They made new services possible, such as SMS, number translation, prepaid billing, call waiting and forwarding, conference calling, local number portability and other mass-market services.

The SS7 protocol stack is made up of several layers and parts.

SS7 protocol stack (figure)

How do SS7 attacks work?

SS7 attacks are mobile cyberattacks that exploit the security holes in the SS7 protocol to get into a cellular network and intercept voice calls and SMS messages. They resemble "man in the middle" attacks, but target mobile phone communications instead of Wi-Fi transmissions.

SS7 attacks exploit the fact that the communication protocols running on top of SS7 do not authenticate the sender, which lets an attacker intercept voice and text communications. According to telecommunications experts, all a criminal needs to launch an SS7 attack is a computer running Linux and an SS7 SDK, both freely available on the Internet, plus access to the SS7 network itself.

Once connected to an SS7 network, the attacker can target subscribers while making the network believe his equipment is an MSC/VLR node.

SMS interception, step 1 (figure)

SMS interception, step 2 (figure)

What do the hackers get out of it?

A successful attack gives the attacker the same kinds and amounts of information that are otherwise only available to security services. Listening in on phone calls, reading text messages and tracking the location of devices all yield valuable information.

One favourite target of SS7 attacks is a security measure many people rely on: two-factor authentication (2FA) via SMS. An SMS verification code can be rerouted to the attacker through SS7, and the message itself is not end-to-end encrypted, so the attacker can read it. With the code from the SMS, the attacker may be able to reset your password on Google, Facebook, WhatsApp or even your bank account.

What could go wrong for online businesses

It does not take an expert to see that such an attack needs neither a lot of skill nor expensive equipment. Since most businesses use cellular connections for at least part of their communications, SS7 attacks are a real risk, and attackers are interested in more than just confidential information. As more Internet of Things (IoT) devices use mobile networks to send and receive data, the exposure is growing.

Critical services and a business's IoT infrastructure can be easy targets. In such attacks, mission-critical devices and services could be taken over or knocked out, with severe consequences.

Given how high the stakes are, manufacturers are not doing enough to warn businesses that deploy IoT devices about possible security holes in their products. This also leaves network operators exposed to attacks from compromised IoT devices on their own networks.

What can cell phone companies do to stop SS7 attacks?

The flaws and security holes of the SS7 protocol are not something businesses, small companies or consumers can be held responsible for, and they cannot simply be patched away.

The GSMA suggests that mobile network operators focus on educating customers. People who pay attention to the security of their smartphones and IoT devices are more likely to take steps to protect them, especially for important applications and services such as smart homes and offices.

1. Securing user logins

Despite its problems, SMS-based two-factor authentication is still widely used. Security-conscious businesses and services are slowly moving away from SMS and offering other ways to verify users that do not depend on old telephony protocols such as SS7.

2. Monitoring and analysis of events

If an SS7 network is successfully broken into, companies need to be able to see what is going on while the attack is in progress. Security events have to be seen in the context of what is happening on devices and corporate servers, and this has to be part of any enterprise mobile security plan. The goal is a defence that can spot threats and act on them before they do damage.

3. Regular updates

Even with automated security, you cannot just set it and forget it. Criminals keep finding new ways to break into systems, steal sensitive information or hold devices for ransom. Patch management is essential and complements an adaptive defence: with real-time analysis of endpoint security, businesses can make sure that software and firmware updates close known holes as quickly as possible.

How can YOU help?

The only way to completely avoid SS7 attacks is to switch off your phone, and we both know that is not an option. The next best thing is to know your enemy: in 2020, you have to be aware that SS7 attacks happen all the time.

With billions of mobile subscribers worldwide, it is not very likely that criminals will single you out for surveillance. But if you are a president, a queen or a doctor with sensitive patient data on your phone, your odds are much worse than a regular user's. And if you still rely on SMS-based 2FA for banking, your account can very well be at risk.

Given how easy an SS7 attack is to carry out and how much damage it can do to both the victim and the service provider, one can only hope that innovation in telecoms will protect us end users. Businesses, government agencies and MSPs have a range of options today, from complex custom-built mobile VPN systems to plug-and-play solutions such as FirstPoint's SIM-based user-level protection.