Cheaper by the dozen: Simultaneous attacks on SS7 and Diameter
Sergey Puzankov
hitcon.org/2019/CMT/slide-files/d1_s3_r2.pdf · 2019-09-02

About the team
Sergey Mashukov, Alexandr Onegov, Sergey Puzankov
The main point of interest is security of the Diameter protocol. Sergey performs Diameter security audits for international MNOs and conducts research on the protocol weaknesses. Sergey is also the general developer of the Telecom Vulnerability Scanner tool and member of the Telecom Attack Discovery development team.
Alexander researched both SS7 and Diameter signaling protocols from a security point of view and developed algorithms for an intrusion detection system. He also performs security assessments for mobile operators and conducts research on the network vulnerabilities.
Sergey conducted research of by-design vulnerabilities in SS7 networks, discovered a number of critical vulnerabilities in mobile network equipment, and showed how an intruder is able to bypass mobile operators' protection means.

Signaling basics
SS7 (Signaling System No. 7) is a set of telephony protocols used to set up and tear down telephone calls, send and receive SMS messages, provide subscriber mobility, and more.
The basic unit in signaling is a message.
Diameter is an authentication, authorization, and accounting protocol for computer networks. RFC 5516 defines a set of IANA Diameter Command Codes to be used in new vendor-specific Diameter applications defined for the 3GPP Evolved Packet System (EPS).

Who are potential targets?
© GSMA Intelligence 2018, Mobile connections by technology
https://www.gsmaintelligence.com/research/2018/02/infographic-mobile-connections-by-technology/656/

Now what can a hacker do?
Easily
From anywhere
Any mobile operator
No special skills needed
Get access to your email and social media
Track location of VIPs and public figures
Perform massive denial of service attacks
Intercept private data, calls, and SMS messages
Steal money
Take control of your digital identity

History of signaling security
SS7 development / Scope grows / Not trusted anymore
Trusted environment. No security mechanisms in the protocol stack.
SIGTRAN (SS7 over IP) introduced. Security is still missing.
Growing number of SS7 connections, increasing amount of SS7 traffic. No security policies or restrictions.
Huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security.

Mobile operators and signaling security
Security assessment
Signaling IDS
SMS Home Routing
Security configuration
Signaling firewall

Nodes and identifiers in GSM/UMTS
HLR — Home Location Register
SGSN — Serving GPRS Support Node
STP — Signaling Transfer Point
MSC/VLR — Mobile Switching Center and Visited Location Register
SMS-C — SMS Centre
MSISDN — Mobile Subscriber Integrated Services Digital Number
IMSI — International Mobile Subscriber Identity
GT — Global Title, address of a core node element

Nodes and identifiers in LTE
Realm — standardized network identity
epc.mnc070.mcc466.3gppnetwork.org
HostID — name of a node within the network
mme01.epc.mnc070.mcc466.3gppnetwork.org
HSS — Home Subscriber Server
SGW — Serving Gateway
DEA — Diameter Edge Agent
MME — Mobile Management Entity
IMS — IP Multimedia System
EPC — Evolved Packet Core

Mobile networks evolution
2G / 3G: MSC/VLR, SGSN, HLR, STP
4G: HSS, MME/SGW, DEA, IMS

SS7 protocol stack
SCCP: Signaling Connection Control Part is responsible for the routing of a signaling message by Global Titles.
TCAP: Transaction Capabilities Application Part is responsible for transactions and dialogues processing.
MAP: Mobile Application Part is payload that contains an operation code and appropriate parameters such as IMSI, profile information, and location data.

Diameter protocol stack
IP: Internet Protocol is responsible for the node internetworking at the internet layer.
SCTP: Stream Control Transmission Protocol is a transport protocol that provides some of the features of both UDP and TCP.
Diameter is payload that contains a command code, application ID, and appropriate parameters within Attribute-Value Pairs (AVP) blocks.

Signaling security means
SS7/Diameter firewall is the most sophisticated signaling security tool that protects the network against a wide range of threats such as IMSI disclosure, location tracking, and traffic interception.
SMS Home Routing is intended to prevent SMS fraud and hide IMSI identities.
STP/DEA performs simple screening of signaling messages.

STP and DEA
Signaling Transfer Point and Diameter Edge Agent are routers that relay signaling messages between signaling points.
Usually the STP and DEA are border points in a signaling network.
It is possible to use the STP and DEA for the screening of ineligible signaling traffic.
Screening rules of most STPs and DEAs are simple, for instance, blocking a signaling message by a source address or redirecting a signaling message by an operation code.

SRI4SM — SendRoutingInfoForSM
SMS delivery process
Nodes: SMS-C, STP, HLR, MSC
1. SRI4SM Request: MSISDN
2. SRI4SM Response: IMSI, MSC Address
3. MT-SMS: IMSI, SMS Text
SMS Home Routing

SRI4SM abuse by a malefactor
Nodes: STP, HLR, MSC
1. SRI4SM Request: MSISDN
2. SRI4SM Response: IMSI, MSC Address

SMS Home Routing
Nodes: SMS-C, STP, SMS Router, HLR, MSC
1. SRI4SM Request: MSISDN
Message layers: TCAP Begin; SCCP Destination HLR; MAP OpCode = SRI4SM

SMS Home Routing
Nodes: SMS-C, STP, SMS Router, HLR, MSC
1. SRI4SM Request: MSISDN
2. SRI4SM Response: Fake IMSI, SMS-R Address
3. MT-SMS: Fake IMSI, SMS Text
4. SRI4SM Request: MSISDN
5. SRI4SM Response: Real IMSI, MSC Address
6. MT-SMS: Real IMSI, SMS Text
Message layers: TCAP Begin; SCCP Destination HLR; MAP OpCode = SRI4SM
Destination SMS-R

SMS Home Routing against malefactors
Nodes: STP, SMS Router, HLR, MSC
1. SRI4SM Request: MSISDN
2. SRI4SM Response: Fake IMSI, SMS-R Address

SS7 firewall: typical deployment scheme
Nodes: STP, HLR
1. SS7 message
2. SS7 message
3. SS7 message

Diameter firewall: typical deployment scheme
Nodes: DEA, HSS
1. Diameter message
2. Diameter message
3. Diameter message

Signaling firewall: blocking rules
Firewall rules
Category 0: Block an inconsistent message
Category 1: Block a message by an operation and application ID
Category 2: Block a message by an operation code and correlation of a source address and subscriber identity
Category 3: Block a message by an operation code and subscriber real location
Signaling Message
SS7: SCCP Source / Dest GT; TCAP Application Context; MAP OpCode, IMSI…
Diameter: IP Source / Dest IP; SCTP Ports; Diameter Cmd Code, AppID…
Nodes: Signaling firewall, HSS, MSC

SS7 and Diameter firewall penetration
[Charts: SS7 firewall penetration growth; Diameter firewall penetration]

Attack cases on signaling networks
IMSI disclosure: Attack on SS7 network with SMS Home Routing bypassing
Location tracking: Attack on Diameter network
Voice call interception (MITM): Attack via VoLTE suppression and SS7 firewall bypassing

IMSI disclosure
Attack on SS7 network with SMS Home Routing bypassing

IMSI
An IMSI identifier, by itself, is not valuable to an intruder. But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as:
Location tracking
Service disturbance
SMS interception
Voice call eavesdropping
The IMSI is considered personal data as per GDPR.

TCAP protocol
TCAP Message Type — mandatory
Transaction IDs — mandatory
Dialogue Portion — optional
Component Portion — optional

Changing ACN
Original:
0 – CCITT
4 – Identified Organization
0 – ETSI
0 – Mobile Domain
1 – GSM/UMTS Network
0 – Application Context ID
20 – ShortMsgGateway
3 – Version 3
Changed:
0 – CCITT
4 – Identified Organization
4 – Unknown
0 – Mobile Domain
1 – GSM/UMTS Network
0 – Application Context ID
20 – ShortMsgGateway
3 – Version 3

IMSI disclosure via malformed ACN
Nodes: STP, SMS Router, HLR
1. SRI4SM Request: MSISDN, Malformed ACN
Message layers: TCAP Malformed ACN; SCCP Destination HLR; MAP OpCode = SRI4SM

IMSI disclosure via malformed ACN
Nodes: STP, SMS Router, HLR
1. SRI4SM Request: MSISDN, Malformed ACN
SMS Router bypassed
2. SRI4SM Response: IMSI, MSC

Location tracking
Attack on Diameter network

Cell Global Identity
Mobile Country Code (MCC) 466 – Taiwan
Mobile Network Code (MNC) 70 – Operator ID
Location Area Code (LAC) 00001
Cell Identity (CID) 00001

Location tracking on Diameter
Nodes: DEA, MME
ISR – Insert-Subscriber-Data Request

Location tracking on Diameter
Nodes: DEA, MME
Messages: ISR, ISA
ISA – Insert-Subscriber-Data Answer

Location tracking on SS7
Signaling messages used for the location tracking
ProvideSubscriberInfo
ProvideSubscriberLocation
AnyTimeInterrogation
SendRoutingInfo
InsertSubscriberData
AnyTimeModification

Voice call interception (MITM)
Attack via VoLTE suppression and SS7 firewall bypassing

Voice call interception (MITM)
Nodes: STP, MSC/VLR
1. InsertSubscriberData Request: IMSI, Spoofed billing platform address

Voice call interception (MITM)
Nodes: STP, MSC/VLR
1. InsertSubscriberData Request: IMSI, Spoofed billing platform address
2. InsertSubscriberData Response
3. TCAP End

Voice call interception (MITM)
Nodes: STP, MSC/VLR
1. InitialDP: IMSI, A-Num, B-Num

Voice call interception (MITM)
Nodes: STP, MSC/VLR
1. InitialDP: IMSI, A-Num, B-Num
2. Connect: PBX-Num

Voice call interception (MITM)
Nodes: STP, MSC/VLR
1. InitialDP: IMSI, A-Num, B-Num
2. Connect: PBX-Num
3. IAM: A-Num, B-Num

Numbering plans
E.164 (MSISDN and GT): 886 54 1234567. 886 is the country code (Taiwan), 54 the network destination code.
E.212 (IMSI): 466 70 9876543210. 466 is the mobile country code (Taiwan), 70 the mobile network code.
The network destination code and the mobile network code identify the mobile network operator.

Blocking rule: Category 2
Category 2: Block a message by an operation code and correlation of a source address and subscriber identity
Source address
Subscriber identity
Operation code
Switzerland ≠ Taiwan

SS7 FW against MITM attack
Nodes: STP, MSC/VLR
1. InsertSubscriberData Request: IMSI, Spoofed billing platform address
2. InsertSubscriberData Request: IMSI, Spoofed billing platform address
The SS7 FW correlates the IMSI and source address and blocks the InsertSubscriberData message
Switzerland ≠ Taiwan
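The Category 2 correlation described on this slide, written out as an added Python example (not code from the presentation or from any firewall product). It goes one step beyond the slide's country-level comparison by matching at operator level where the table allows; the prefix tables, the Swiss and second Taiwanese sample GTs, and the function names are constructed for illustration.

```python
# Added example, not from the slides: Category 2 correlation of the SCCP source
# Global Title (E.164) with the subscriber's IMSI (E.212).

# Operations the rule applies to (assumption: only the two named in this deck).
CATEGORY2_OPS = {"InsertSubscriberData", "DeleteSubscriberData"}

# Constructed operator table: IMSI prefix (MCC+MNC) -> GT prefixes of that operator.
# 466 70 and 886 54 are the numbering-plan example from the slides.
HOME_GT_PREFIXES = {"46670": ("88654",)}

# Country-level fallback: MCC -> E.164 country code (Taiwan, Switzerland).
MCC_TO_COUNTRY_CODE = {"466": "886", "228": "41"}


def normalize(number):
    """Keep digits only so prefixes can be compared digit by digit."""
    return "".join(ch for ch in number if ch.isdigit())


def allowed_gt_prefixes(imsi):
    """Return the GT prefixes allowed for this IMSI, operator level before country level."""
    for length in (6, 5):                       # the MNC is 3 or 2 digits long
        prefixes = HOME_GT_PREFIXES.get(imsi[:length])
        if prefixes:
            return prefixes
    country_code = MCC_TO_COUNTRY_CODE.get(imsi[:3])
    return (country_code,) if country_code else ()


def category2_verdict(opcode, source_gt, imsi):
    """Return (action, reason) for one decoded MAP operation."""
    if opcode not in CATEGORY2_OPS:
        return "pass", "not a Category 2 operation"
    gt, imsi = normalize(source_gt), normalize(imsi)
    if len(imsi) < 6 or not gt:
        return "block", "missing or malformed identity"
    prefixes = allowed_gt_prefixes(imsi)
    if not prefixes:
        return "block", "unknown home network"   # fail closed (assumption of this example)
    if any(gt.startswith(prefix) for prefix in prefixes):
        return "pass", "source matches home network"
    return "block", "source does not match home network"


# Constructed sample messages: (operation, SCCP source GT, IMSI)
SAMPLES = [
    ("InsertSubscriberData", "+886 54 1234567", "466709876543210"),  # home operator
    ("InsertSubscriberData", "+41 00 0000001", "466709876543210"),   # Switzerland != Taiwan
    ("InsertSubscriberData", "+886 99 0000001", "466709876543210"),  # same country, other operator
    ("SendRoutingInfoForSM", "+41 00 0000001", ""),                  # outside this rule
]

if __name__ == "__main__":
    for opcode, gt, imsi in SAMPLES:
        print(opcode, gt, imsi or "-", category2_verdict(opcode, gt, imsi))
```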

VoLTE against MITM attack
Nodes: STP, MSC/VLR, DEA, MME, IMS
1. InsertSubscriberData Request: IMSI, Spoofed billing platform address
2. InsertSubscriberData Response
3. TCAP End

VoLTE service suppression
Nodes: STP, SS7 FW, MSC/VLR, PBX, DEA, MME, IMS
CLR – Cancel-Location Request

VoLTE service suppression
Nodes: STP, SS7 FW, MSC/VLR, PBX, DEA, MME, IMS
Messages: CLR, CLA
CLA – Cancel-Location Answer

TCAP protocol
TCAP Message Type — mandatory
Transaction IDs — mandatory
Dialogue Portion — optional
Component Portion — optional

Double MAP component
TCAP Message Type — mandatory
Transaction IDs — mandatory
Dialogue Portion — optional
Component Portion — optional
Component 1
Component 2
The SS7 FW checks a subscriber's ID in the first component considering the other data as a long payload not meant to be inspected

Double MAP in MITM attack
Nodes: STP, SS7 FW, MSC/VLR, PBX, DEA, MME, IMS
TCAP Begin: DeleteSubscriberData_REQ, InsertSubscriberData_REQ
Send the message to the SS7 FW for inspection
Inspect the first component only and forward the message to the network

Double MAP in MITM attack
Nodes: STP, SS7 FW, MSC/VLR, PBX, DEA, MME, IMS
TCAP Begin: DeleteSubscriberData_REQ, InsertSubscriberData_REQ
TCAP Continue: ReturnError

Double MAP in MITM attack
Nodes: STP, SS7 FW, MSC/VLR, PBX, DEA, MME, IMS
TCAP Begin: DeleteSubscriberData_REQ, InsertSubscriberData_REQ
TCAP Continue: ReturnError
TCAP Continue: InsertSubscriberData_REQ, InsertSubscriberData_REQ
Inspect the first component only and forward the message to the network.

Double MAP in MITM attack
Nodes: STP, SS7 FW, MSC/VLR, PBX, DEA, MME, IMS
TCAP Begin: DeleteSubscriberData_REQ, InsertSubscriberData_REQ
TCAP Continue: ReturnError
TCAP Continue: InsertSubscriberData_REQ, InsertSubscriberData_REQ
TCAP Continue: ReturnResultLast

Double MAP in MITM attack
Nodes: STP, SS7 FW, MSC/VLR, PBX, DEA, MME, IMS
TCAP Begin: DeleteSubscriberData_REQ, InsertSubscriberData_REQ
TCAP Continue: ReturnError
TCAP Continue: InsertSubscriberData_REQ, InsertSubscriberData_REQ
TCAP Continue: ReturnResultLast
TCAP End

Double MAP in MITM attack
Nodes: STP, SS7 FW, MSC/VLR, PBX, MME, IMS
TCAP Begin: DeleteSubscriberData_REQ, InsertSubscriberData_REQ
TCAP Continue: ReturnError
TCAP Continue: InsertSubscriberData_REQ, InsertSubscriberData_REQ
TCAP Continue: ReturnResultLast
TCAP End

Contribution to GSMA
Information about discovered vulnerabilities has been reported to the GSMA Coordinated Vulnerability Programme in December 2018.
Vulnerability ID – CVD-2018-0015.
Information about the vulnerabilities appeared in a new version of the "SS7 Interconnect Security Monitoring and Firewall Guidelines" document that is effective from May 2019.

Main issues in signaling security
Architecture flaws
Configuration mistakes
Software bugs

Protection measures
Check if your security tools are effective against new vulnerabilities.
Use an intrusion detection solution along with SS7 and Diameter firewalls in order to detect threats promptly and block a hostile source.
Configure your STP, DEA, and signaling firewall carefully. Do not forget about reported vulnerabilities such as malformed Application Context Name and double MAP encapsulation.
Assess: Auditing provides the essential visibility to fully understand your ever changing network risks.
Monitor: Continual real time monitoring is essential to measure network security efficiency and provide rapid detection and mitigation.
Protect: Completely secure your network by addressing both generic vulnerabilities (GSMA) and the threats that actually affect you as an ongoing process.
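
For the two reported issues named under the protection measures, malformed Application Context Name and double MAP encapsulation, here is an added Python example (not from the presentation or the GSMA guidelines) of an inspection pass that decodes the ACN and walks every component of the component portion instead of stopping at the first. The sample messages are constructed skeletons without parameters, the finding names are invented for this example, and flagging more than one Invoke per message is an assumption about local policy.

```python
# Added example, not from the slides: decode a whole TCAP message, check the
# Application Context Name and list every component, not only the first one.
TCAP_TYPES = {0x62: "Begin", 0x64: "End", 0x65: "Continue", 0x67: "Abort"}
COMPONENT_TYPES = {0xA1: "Invoke", 0xA2: "ReturnResultLast", 0xA3: "ReturnError", 0xA4: "Reject"}
TAG_INTEGER, TAG_OID, TAG_OTID, TAG_DIALOGUE, TAG_COMPONENTS = 0x02, 0x06, 0x48, 0x6B, 0x6C
MAP_ACN_PREFIX = (0, 4, 0, 0, 1, 0)   # 0.4.0.0.1.0.<context>.<version>, as on the ACN slide


def iter_tlvs(buf):
    """Yield (tag, value) for each BER TLV at one nesting level (single-octet tags)."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                      # long form: number of length octets
            count = length & 0x7F
            if count == 0 or pos + count > len(buf):
                raise ValueError("indefinite or truncated length")
            length = int.from_bytes(buf[pos:pos + count], "big")
            pos += count
        if pos + length > len(buf):
            raise ValueError("value runs past the end of the buffer")
        yield tag, buf[pos:pos + length]
        pos += length


def decode_oid(value):
    """Decode the contents of a BER OBJECT IDENTIFIER into a tuple of arcs."""
    if not value or value[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, acc = [], 0
    for octet in value:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    head = (first // 40, first % 40) if first < 80 else (2, first - 80)
    return head + tuple(arcs[1:])


def find_path(buf, path):
    """Follow a chain of tags through nested TLVs; return the innermost value or None."""
    for tag, value in iter_tlvs(buf):
        if tag == path[0]:
            return value if len(path) == 1 else find_path(value, path[1:])
    return None


def inspect_tcap(msg):
    """Return the message type, decoded ACN, every component and a list of findings."""
    report = {"type": None, "acn": None, "components": [], "findings": []}
    try:
        [(tag, body)] = iter_tlvs(msg)         # exactly one outer TLV, else ValueError
        report["type"] = TCAP_TYPES.get(tag, "Unknown")
        for tag, value in iter_tlvs(body):
            if tag == TAG_DIALOGUE:            # EXTERNAL > [0] > AARQ > [1] > OID
                oid = find_path(value, (0x28, 0xA0, 0x60, 0xA1, TAG_OID))
                if oid is not None:
                    report["acn"] = decode_oid(oid)
            elif tag == TAG_COMPONENTS:
                for ctag, cval in iter_tlvs(value):
                    kind = COMPONENT_TYPES.get(ctag, "Unknown")
                    ints = [v for t, v in iter_tlvs(cval) if t == TAG_INTEGER]
                    # In an Invoke the first INTEGER is the invoke ID, the second the opcode
                    opcode = int.from_bytes(ints[1], "big") if len(ints) > 1 else None
                    report["components"].append((kind, opcode if kind == "Invoke" else None))
    except ValueError:
        report["findings"].append("inconsistent-encoding")   # Category 0 material
    if report["acn"] is not None and report["acn"][:6] != MAP_ACN_PREFIX:
        report["findings"].append("acn-outside-map-arc")
    if sum(kind == "Invoke" for kind, _ in report["components"]) > 1:
        report["findings"].append("multiple-invokes")
    return report


def tlv(tag, *parts):
    """Encode one TLV with a short-form length (enough for the samples below)."""
    value = b"".join(parts)
    return bytes([tag, len(value)]) + value


def sample(acn, opcodes):
    """Constructed TCAP Begin: the given ACN plus one parameterless Invoke per opcode."""
    dialogue = tlv(TAG_DIALOGUE, tlv(0x28, tlv(0xA0, tlv(0x60, tlv(0xA1, tlv(TAG_OID, acn))))))
    invokes = [tlv(0xA1, tlv(TAG_INTEGER, bytes([n])), tlv(TAG_INTEGER, bytes([op])))
               for n, op in enumerate(opcodes, 1)]
    return tlv(0x62, tlv(TAG_OTID, b"\x00\x00\x00\x01"), dialogue, tlv(TAG_COMPONENTS, *invokes))


STANDARD_ACN = bytes.fromhex("04000001001403")   # 0.4.0.0.1.0.20.3
CHANGED_ACN = bytes.fromhex("04040001001403")    # 0.4.4.0.1.0.20.3
SRI4SM, ISD, DSD = 45, 7, 8                      # MAP local operation codes

if __name__ == "__main__":
    print(inspect_tcap(sample(STANDARD_ACN, [DSD, ISD])))
```

A rule engine would take `report["components"]` and apply its per-operation checks to each entry, so that a second component is subject to the same correlation as the first.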