Sergey Puzankov
Invisible threat in SS7 networks –attacks based on caller ID spoofing
ptsecurity.com
About Positive Technologies
É 700 people in nine offices across North America, Asia, Africa and Europe and expanding
É Portfolio securing large organizations and infrastructure providers from targeted attacks through vulnerability detection and management
É 21% group yearly revenue increase
É 60 – 70% reinvested back into research, feeding directly through to products
É Partners include Check Point, Cisco, Microsoft, Google, Oracle, Siemens and IBM
É 1,000 customers
SIGTRAN is a Time Machine
SIGTRAN
Through SIGTRAN back to 1970’s
Micro Computer as an SS7 Node
SIGTRAN – TDM
SIG
TRAN
TDM
SIGTRAN
Telecom Security in International Non-commercial Organizations
Fraud and Security Group
IR.82 SS7 Security Network Implementation GuidelinesFS.07 SS7 and SIGTRAN Network SecurityFS.11 SS7 Interconnect Security Monitoring and Firewall GuidelinesFS.19 Diameter Interconnect SecurityFS.20 GPRS Tunnelling Protocol (GTP) SecurityFS.21 Interconnect Signalling Security Recommendations
Classification: Answer Necessity
• Identity request (e.g. IMSI)• Location request• Network information request
Answer is required
Classification: Answer Necessity
Answer is not required
• Service disruption (DoS)• Data injection• Service manipulation
Caller ID spoofingis possible
Caller ID Spoofing at Position Refinement Attack
LocationRequest1
CID:1111SilentUSSDFromABC
LocationRequest2
CID:2222
1
2
3
5
Paging
MSC/VLR
CID2222
CID1111
4ABC
Caller ID Spoofing at SMS Interception Attack
UpdateLocation From ABC• Fake MSC
Fake MSC SMS-C
1
HLR
3
2
4
5
ABC
PKI in SS7 Networks: Encryption
SS7 Message• Calling Address• Encrypted payload
2
3
4
CertificationCentre
1Private Key Initiation
Public Key Request
Public Key
Thank you!
ptsecurity.com