How to Intercept a Conversation Held on the Other Side of the Planet
Uploaded by: positive-hack-days
Category: Technology
Who we are
Sergey Puzankov
Dmitry Kurbatov
Information Security Specialists, Positive Technologies
Topics
• Denial of Service on Mobile Switching Center
• Fraud in SS7 network
• Short Message Interception
• USSD Money Transfer
• Subscriber’s Location
• Voice Call Interception
Hot for Mobile network operators
Hot for everyone
All of us are subscribers
Service Availability
Quality of Service
Security
Mobile Services Dynamics
Voice
Mobile Data Traffic
Yesterday: Closed Ecosystems
Today: Unified Technologies
Today: Common Interfaces
Today: IP Connectivity
Today: Widen Borders
Get your own femtocell
• Hack it
• Upload modified firmware
• Make a call/SMS interception
• Get into IPsec
• Get into Core network
Tomorrow: virtualization
SIGTRAN
Time Machine
Through SIGTRAN back to 1970’s
SS7
SS7 Network
[Diagram, built up over several slides: subscribers A and B and the network elements connected over SS7]
• Radio Part: Cell Phone, Base Transceiver Station, Base Station Controller
• MSC/VLR – Mobile Switching Center / Visitor Location Register
• Gateway MSC – Gateway Mobile Switching Center
• SMS-C – Short Message Service Center
• HLR – Home Location Register
• Billing

IDs
• GT – Global Title: 0 123 4567890
• MSISDN – A or B mobile numbers: 0 123 4567890
• MSRN – Mobile Subscriber Roaming Number: 0 123 4567890
• IMSI – International Mobile Subscriber Identity: 15 digits
How to get in?
[Diagram, built up over several slides: the SS7 network (HLR, MSC/VLR, Gateway MSC, Billing, SMS-C, subscribers A and B) and the networks connected to it]
• Core Networks: CS Core, PS Core, IMS
• Access Networks: UTRAN, LTE, Wi-Fi, WiMAX, PON, DSL, Femto
• Exchange Points: GRX/IPX
• Support: OAM, Remote support
• IT: IT network
• Internet
Traffic
Threats: Attacker (shown at six points in the diagram)
Mobile Switching Center DoS
Just like DHCP Starvation

Collect info
We know: B-Number 0 123 4567802
1. SRI4SM (sendRoutingInfoForSM), Attacker as SMSC: I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
2. sendRoutingInfoForSM response: I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits.
We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits

Make it starve
We know: MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits
3. PRN (provideRoamingNumber), Attacker as HLR: I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits.
4. provideRoamingNumber response: MSRN 0 123 4560001
Default timeouts for MSRN:
• Ericsson – 30 sec
• Huawei – 45 sec
Steps 3 and 4 are repeated; the responses run from MSRN 0 123 4560001 … to MSRN 0 123 4569999.
After that, step 4 returns: noRoamingNumberAvailable

DoS
Diagram labels: Attacker as HLR, Real HLR, Gateway MSC, MSC/VLR, B, 10k – 500k
3. PRN (provideRoamingNumber), Attacker as HLR: I am HLR. My GT 1 321 4568701. Provide MSRN for Subscriber-ANY IMSI 15 digits.
4. noRoamingNumberAvailable
No incoming calls
Sad calling party
Fraud in SS7
SS7 interconnection
[Diagram: three networks, each with HLR, MSC/VLR, Gateway MSC, Billing and SMS-C, interconnected over SS7]
Trusted environment
Leadership team: CEO, CSO, CMO, CCO, CLO
Really?! Trust them?

Uncharged calls
1) Spoof MSC
2) Initiate «home network» call
3) Forward call anywhere

Collect info
We know: B-Number 0 123 4567802
1. SRI4SM (sendRoutingInfoForSM), Attacker as SMSC: I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
2. sendRoutingInfoForSM response: I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits.
We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits

Spoof MSC
We know: HLR 0 123 4567800, Subscriber-B IMSI 15 digits
3. updateLocation, Attacker as MSC: I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits.
4. HLR stores: Subscriber-B IMSI 15 digits, MSC/VLR 1 321 4567801
We serve Subscriber-B

Forward a call
HLR stores: Subscriber-B, MSISDN 0 123 4567802, IMSI 15 digits, MSC/VLR 1 321 4567801
5. (step shown in the diagram at subscriber A and the Gateway MSC, without a caption) GatewayMSC knows nothing.
6. sendRoutingInfo: Where is Subscriber-B MSISDN 0 123 4567802 = Where is Subscriber-B located?
7. provideSubscriberInfo: I am HLR. My GT 0 123 4567800. Provide location for the Subscriber-B.
8. provideSubscriberInfo response: Subscriber-B is in the Home network.
GatewayMSC knows that Subscriber-B is at home. This information will be sent to a billing platform.
9. sendRoutingInfo: Where is Subscriber-B MSISDN 0 123 4567802 located = What is MSRN for Subscriber-B?
10. provideRoamingNumber: I am HLR. My GT 0 123 4567800. Provide MSRN for Subscriber-B IMSI 15 digits.
11. provideRoamingNumber response: MSRN 53 12345678
GatewayMSC knows: Subscriber-B, MSRN 53 12345678
12. Forward a call to… Cuba

Who pays?
Call from A to B while at “home” = $ 0.05
Call from A to Cuba = $ 1.00
$ 1.00 - $ 0.05 = $ 0.95 – Attacker profit
Call from to = $ 0.30
How much does the mobile operator lose? (slide labels: MNO, Cuba)
SMS Interception
1) Collect info
2) Spoof MSC
3) Receive incoming SMSs

Collect info
We know: B-Number 0 123 4567802
1. SRI4SM (sendRoutingInfoForSM), Attacker as SMSC: I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
2. sendRoutingInfoForSM response: I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits.
We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits

Spoof MSC
We know: HLR 0 123 4567800, Subscriber-B IMSI 15 digits
3. updateLocation, Attacker as MSC: I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits.
4. HLR stores: Subscriber-B IMSI 15 digits, MSC/VLR 1 321 4567801
We serve Subscriber-B

SMS interception
5. Subscriber A sends an SMS: “Hi, meet at 8pm at Baker Street”
6. sendRoutingInfoForSM: I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802?
7. sendRoutingInfoForSM response: I am HLR 0 123 4567800. MSC/VLR 1 321 4567801. Subscriber-B IMSI 15 digits.
HLR sends Attacker address instead of real MSC!
8. SMS-C routes this SMS to the received address.

SMS interception
1. SMS chats
2. One time passwords
3. Confirmation codes
4. Password recovery
Money Transfer Using USSD
1) Collect info
2) Request account status
3) Transfer money

Collect info
We know: B-Number 0 123 4567802
1. SRI4SM (sendRoutingInfoForSM), Attacker as SMSC: I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
2. sendRoutingInfoForSM response: I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits.
We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits

Send USSD 1
We know: HLR 0 123 4567800, Subscriber-B IMSI 15 digits
USSD code: *100#
3. processUnstructuredSS-Request, Attacker as MSC/VLR: I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits?
4. processUnstructuredSS-Request response: Subscriber’s account is $$$$$.
We know: HLR 0 123 4567800, Subscriber-B IMSI 15 digits, Account info.

Send USSD 2
USSD code: *123*01238765400*100#
5. processUnstructuredSS-Request, Attacker as MSC/VLR: I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account.
6. processUnstructuredSS-Request response: OK.
We know: HLR 0 123 4567800, Subscriber-B IMSI 15 digits, Real account info.
Subscriber B does not get SMS notification if Attacker combines this attack with the previous one.
Subscriber Location Discovery
1) Collect info
2) Receive Cell ID
3) Get point on the map

Collect info
We know: B-Number 0 123 4567802
1. SRI4SM (sendRoutingInfoForSM), Attacker as SMSC: I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?
2. sendRoutingInfoForSM response: I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits.
We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits

Get Cell ID
3. PSI (provideSubscriberInfo), Attacker as HLR: I am HLR. My GT 1 321 4567801. Provide location for the Subscriber-B.
4. provideSubscriberInfo response: Cell ID.
MCC: 250
MNC: 90
LAC: 4A67
CID: 673D
We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits, Cell ID

Get location
5. Search in Internet physical location by MCC, MNC, LAC, CID
Voice Call Interception
1) Collect info
2) Change subscriber profile
3) Add third party into mobile call

Collect info
We know: A-Number 0 123 4567802
1. SRI4SM (sendRoutingInfoForSM), Attacker as SMSC: I am SMSC. My GT 1 321 4567801. Where is Subscriber-A MSISDN 0 123 4567802?
2. sendRoutingInfoForSM response: I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-A IMSI 15 digits.
We know: A-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-A IMSI 15 digits
3. updateLocation, Attacker as MSC: I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-A IMSI 15 digits.
4. insertSubscriberData: Subscriber’s profile:
• Allowed/prohibited services
• Forwarding settings
• Billing platform address
We know: A-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-A IMSI 15 digits, Subscriber-A profile, Billing 0 123 4567808
5. updateLocation, Attacker as MSC: I am MSC/VLR. My GT 1 321 4567801. Subscriber-A IMSI 15 digits is served by 0 123 4567803

Change profile
6. insertSubscriberData, Attacker as HLR: I am HLR. Change profile for Subscriber-A. Billing GT 1 321 4567801.
7. insertSubscriberData response: OK.

Call interception
8. Subscriber A calls to Subscriber B.
9. HLR interrogation procedure:
• sendRoutingInfo
• provideSubscriberInfo
10. InitialDP (received by Attacker as Billing): Start billing. Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805
We know: B-Number 0 123 4567805
11. Attacker as Billing: Proceed billing. ApplyCharging, RequestReportBCSMEvent, Connect: Reroute call to number 1 321 4567802
12. IAM (Attacker as MSC): Continue call. Subscriber-A 0 123 4567802 calls to Subscriber-C 1 321 4567802
13. (step shown in the diagram without a caption)
14. IAM: Initiate a new call. Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805
15. (step shown in the diagram without a caption)
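A defender's view of the flows above, as an added example that is not part of the presentation: in every scenario one foreign GT (1 321 4567801 on the slides) claims to be the SMSC, HLR or MSC/VLR for a subscriber of the 0 123 network. The Python below runs three checks for that pattern over a constructed signalling log. The log format, home GT prefix, IMSIs, roaming-partner GT and burst threshold are assumptions made for the example.

```python
from collections import defaultdict, deque

HOME_GT_PREFIX = "0123"   # assumption: home elements use 0 123 ... GTs, as on the slides
MSRN_HOLD_SECONDS = 30    # shortest default MSRN timeout quoted on the slides
PRN_BURST_LIMIT = 3       # assumption: small threshold so the sample log trips it

# Node type that originates each operation in the flows shown on the slides.
ROLE_OF_OPERATION = {
    "sendRoutingInfoForSM": "SMSC",
    "provideRoamingNumber": "HLR",
    "provideSubscriberInfo": "HLR",
    "insertSubscriberData": "HLR",
    "updateLocation": "MSC/VLR",
    "processUnstructuredSS-Request": "MSC/VLR",
}

# Constructed sample log: "<seconds> <calling GT> <operation> <target>".
# First three lines: home SMSC, home HLR and a roaming partner's VLR behaving normally.
# Remaining lines: the foreign GT from the slides acting as SMSC, then HLR, then MSC/VLR.
SAMPLE_LOG = """\
0 01234567804 sendRoutingInfoForSM msisdn:01234567802
10 01234567800 provideRoamingNumber imsi:001010000000001
20 9990000001 updateLocation imsi:001010000000002
100 13214567801 sendRoutingInfoForSM msisdn:01234567802
105 13214567801 provideRoamingNumber imsi:001010000000003
106 13214567801 provideRoamingNumber imsi:001010000000003
107 13214567801 provideRoamingNumber imsi:001010000000003
108 13214567801 provideRoamingNumber imsi:001010000000003
200 13214567801 updateLocation imsi:001010000000003
"""


def parse(log):
    """Turn log text into time-ordered (ts, calling_gt, operation, target) tuples."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, gt, op, target = line.split()
            events.append((int(ts), gt, op, target))
    return sorted(events)


def analyse(events):
    """Return alerts as (ts, calling_gt, kind, detail) tuples."""
    alerts = []
    roles_by_gt = defaultdict(set)       # node roles each calling GT has played
    prn_by_target = defaultdict(deque)   # recent PRN timestamps per IMSI
    for ts, gt, op, target in events:
        role = ROLE_OF_OPERATION.get(op)
        if role is None:
            continue
        # Check 1: HLR-originated operations arriving from outside the home GT range.
        if role == "HLR" and not gt.startswith(HOME_GT_PREFIX):
            alerts.append((ts, gt, "hlr-operation-from-foreign-gt", op))
        # Check 2: one GT acting as several node types (SMSC, HLR, MSC/VLR).
        roles = roles_by_gt[gt]
        if role not in roles:
            roles.add(role)
            if len(roles) > 1:
                alerts.append((ts, gt, "gt-role-conflict", "+".join(sorted(roles))))
        # Check 3: repeated roaming-number requests for one IMSI while earlier
        # MSRNs are still held (pool starvation). Alert once per burst.
        if op == "provideRoamingNumber":
            window = prn_by_target[target]
            window.append(ts)
            while ts - window[0] >= MSRN_HOLD_SECONDS:
                window.popleft()
            if len(window) == PRN_BURST_LIMIT + 1:
                alerts.append((ts, gt, "prn-burst-for-one-imsi", target))
    return alerts


if __name__ == "__main__":
    for alert in analyse(parse(SAMPLE_LOG)):
        print(alert)
```

A calling GT spoofed to fall inside the home prefix passes check 1, and a node that legitimately combines functions under one GT trips check 2, so both lists need tuning against the operator's own topology.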
Conclusion
SS7 rules
Just the tip of the iceberg