ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ......
-
Upload
trinhhuong -
Category
Documents
-
view
222 -
download
3
Transcript of ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ......
![Page 1: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/1.jpg)
ITU Workshop on “SS7 Security”Geneva, Switzerland
29 June 2016
Observations on SS7 Network Security
Pascal DejardinRoaming Architect & Solutions Manager,
Orange group, [email protected]
![Page 2: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/2.jpg)
Agenda
• Context
• GSMA categories
• Audits results
• Conclusions
![Page 3: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/3.jpg)
Context• Trusted SS7 network is broken• Abuses:
– Tracking the location– Intercepting the calls by– Manipulating the subscribers profile– Camping subscribers in Deny of Services– Popular Spamming for fraud revenues
• Standards are not the issuebut well the confidence in the access
• Worst in the coming all-IP world
![Page 4: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/4.jpg)
Orange position
• Active in GSMA – IR82 (NG & FASG)
• Leading audits (SS7)
• Active vulnerabilities testing
• Protection with existing nodes
• Market study on Signalling Firewall
![Page 5: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/5.jpg)
GSMA – IR82
Categories Classification Operation Codes Filters
Cat. 1 Home exclusive SRI, Send IMSI, ATI,ATM, SP.. Block OpCodes
Cat. 2 Roaming Home>Visited PSI/L, PRN,CL, ISD, DSD Check HLR
Cat. 3 Roaming Visited>Home UL, FwdSM, SAI, RegSS, PrUSS Check Location
Cat. 4 SMS interconnection SRI4SM, MT-FwdSM Home Routing
Cat. 5 Call control >Home CAMEL IDP Check SCP
![Page 6: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/6.jpg)
Audits framework
• Orange Carrier
– Orange International Signalling traffic (in/out)
– Daily Analysis for 1 year (Mar 2015 > Feb 2016)
– Enriched with IR21 DB
– Focus on Orange subscribers only
![Page 7: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/7.jpg)
Category 1 – HLR target
![Page 8: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/8.jpg)
Cat 1. Top 3 of HLR attacks
![Page 9: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/9.jpg)
ATI
Massive
![Page 10: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/10.jpg)
SRI
Moderate
![Page 11: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/11.jpg)
Send IMSI
Few
![Page 12: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/12.jpg)
Cat.2 Audit
• Focus on Orange VLR
• Check if the origin is a real HLR
• Correlation between CgSCCP@ & Country IMSI
• Excluding Roaming Hubs
![Page 13: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/13.jpg)
Cat.2 – Get any subscribers Location in Orange
![Page 14: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/14.jpg)
Cat. 2 – PSI/PSL
![Page 15: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/15.jpg)
Cat.2 – ATM/ATSI/SRIforGPRS-LCS
![Page 16: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/16.jpg)
Cat.2 – Few Standalone ISD
• Difficult to state on ISD
• Origin could be faked (with real HLR@),there might be more than observed
• No DSD observed
• Few PRN observed
![Page 17: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/17.jpg)
Cat.3 - Spoofing
• Activity sent from a fake location
• Observed and well-known issue
• For each activity,we need to check the real location
• SMS-MO protected by SMS Firewall
![Page 18: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/18.jpg)
Cat.4
• SMS MT (SRI4SM and FWD-MT)
– SRI4SM without Fwd-MT – Phishing
– FWD-MT without SRI4SM – bypass
– Grey routes
• Covered by SMS Firewall
– Home Routing
– anti-SPAM
![Page 19: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/19.jpg)
Cat.5
• CAMEL profile manipulation
• (O-CSI) Marks to intercept the call
• Monitoring based onSCP@Network <> IMSI network
• Few observationsCase by case analysis
![Page 20: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/20.jpg)
Conclusions• SS7 abuses are (observed) everywhere
• Current protection is good, but not complete
![Page 21: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/21.jpg)
Next steps
• Industrialise the audits
• Improve existing network elements security
• Analyse security solutions in the market
![Page 22: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/22.jpg)
Thank you
![Page 23: ITU Workshop on “SS7 Security” · PDF fileITU Workshop on “SS7 Security ... –Enriched with IR21 DB –Focus on Orange subscribers only. Category 1](https://reader030.fdocuments.us/reader030/viewer/2022020214/5a92d5577f8b9aba4a8b74e1/html5/thumbnails/23.jpg)