Professional Documents
Culture Documents
Signalling System #7
When it was designed, there were only few telecoms operators, and they were
either state controlled or really big corporations
New protocols added in the 1990s and 2000s by ETSI and 3GPP to support
mobile phones and the services they need (roaming, SMS, data...)
New protocol that allows the network operator to build custom services that
are not possible with MAP
still no authentication for any of this
Can be bought from telcos or roaming hubs for a few hundred euros a month
Usually (not always), roaming agreements with other networks are needed,
but some telcos are reselling their roaming agreements
Femtocells are part of the core network and have been shown to be hackable
CAP
ISUP
MAP
TCAP
SCCP
MTP Level 3
MTP Level 2
M2UA
SCTP
MTP Level 1
IP
SIGTRAN (example):
SS7 transport over IP
Ethernet
SS7: Locate. Track. Manipulate.
Network overview
MSC/
VLR
SMSC
SS7
BSC/
RNC
Core Network
BSC/
RNC
SS7
HLR
HLR
Basestation Subsystem
SMSC
SS7 interconnect
MSC/
VLR
MSC/
VLR
MSC/
VLR
Core Network
Carrier A
Basestation Subsystem
Carrier B
This talk
SS7: Locate. Track. Manipulate.
Network overview
Home Location Register
Database containing all dataMSC/
VLR
on a subscriber:
SMSC
SMSC
phone number
post-paid or
contract
SS7
BSC/
pre-paid
RNC
call forwardings
Basestation Subsystem
where is the subscriber,
SS7 interconnect
MSC/
VLR
HLR
HLR
Core Network
BSC/
RNC
SS7
MSC/
VLR
Core Network
MSC/
VLR
Basestation Subsystem
Carrier B
...
SS7: Locate. Track. Manipulate.
Network overview
Home Location Register
Database containing all dataMSC/
VLR
on a subscriber:
SMSC
SMSC
phone number
post-paid or
contract
SS7
BSC/
pre-paid
RNC
Basestation Subsystem
where is the subscriber,
i.e. MSC/VLR that is
Carrier A
currently serving the
subscriber
...
SS7
SS7 interconnect
BSC/
RNC
MSC/
VLR
HLR
HLR
MSC/
Database
close
to
subscribers
VLR
current geographical location
call forwardings
MSC/
VLR
Core Network
Network overview
+13123149810
+491700140000
MSC/
VLR
MSC/
VLR
SMSC
SMSC
+12404494110
+491710760000
SS7
BSC/
RNC
HLR
HLR
+491700360000
+491700960314
Basestation Subsystem
Carrier A
SS7
SS7 interconnect
MSC/
VLR
Core Network
BSC/
RNC
MSC/
VLR
+12404493120
+12404494085
Core Network
Basestation Subsystem
Carrier B
10
Cell-Level Tracking
If you can find out the ID of that cell, its geographical position
can be looked up in one of several databases
11
12
MAPs anyTimeInterrogation (ATI) service can query the subscribers HLR for
her Cell-Id and IMEI (phone serial number, can be used to look up phone type)
Home
network
HLR
Visited network
MSC/
VLR
anyTimeInterrogation
req
provideSubscriberInfo
req
provideSubscriberInfo
resp
anyTimeInterrogation
resp
Paging Request
Paging Response
13
but still...
14
Visited network
MSC/
VLR
anyTimeInterrogation
req
returnError
ati-not-allowed
15
ask the HLR for the subscribers IMSI and Global Title of the current MSC/VLR
But MSC/VLR use IMSIs (International Mobile Subscriber Identifiers), not phone
numbers, to identify subscribers
Home
network
HLR
Visited network
MSC/
VLR
sendRoutingInfoForSM
req
sendRoutingInfoForSM
resp
16
When the attacker knows the IMSI of the subscriber and the Global Title, the
MSC/VLR can be asked for the cell id of the subscriber
Home
network
Visited network
MSC/
VLR
HLR
sendRoutingInfoForSM
req
sendRoutingInfoForSM
resp
provideSubscriberInfo req
provideSubscriberInfo resp
Paging Request
Paging Response
17
no plausibility checks
18
Real-life tracking
For about two weeks, cell id was queried once per hour
19
This (combined with SMS home routing, which the operator has in place)
essentially eliminated the simple form of tracking as seen before
20
Some of the network operators where the attacks originated either did not
respond or played dumb when the issue was addressed by the German
operator
The operator believes that those attacks are being performed by state actors or
the other networks operators themselves
Some attacks are still happening, which requires other information sources or
brute-forcing to get VLR/MSC and IMSI
21
In the US, E911 mandates: Wireless network operators must provide the
latitude and longitude of callers within 300 meters, within six minutes of a
request by a Public Safety Answering Point
22
E.g. police
Client
GMLC
HLR/
HSS
66
VMSC/
MSC SERVER
RAN
UE
3. Location Request
Requires authentication
5. Location Report
Figure 9.3: Positioning for a Emergency Services MT-LR without HLR Query
1) Same as step 1 in figure 9.1 but with
theLocate.
LCS client
(PSAP)
identifying first the target UE and the serving VSS7:
Track.
Manipulate.
GMLC by previously supplied correlation information for the emergency call.
23
E.g. police
Client
GMLC
HLR/
HSS
66
VMSC/
MSC SERVER
RAN
UE
3. Location Request
Requires authentication
5. Location Report
Figure 9.3: Positioning for a Emergency Services MT-LR without HLR Query
1) Same as step 1 in figure 9.1 but with
theLocate.
LCS client
(PSAP)
identifying first the target UE and the serving VSS7:
Track.
Manipulate.
GMLC by previously supplied correlation information for the emergency call.
24
Visited network
MSC/
VLR
HLR
sendRoutingInfoForSM
req
sendRoutingInfoForSM
resp
provideSubscriberLocation req
RRLP Requests
provideSubscriberLocation resp
25
MAP
TCAP
SCCP
26
Problem:
Response will
be routed to
this address
This address
gets verified
27
Same address
28
If we enter an address from the same network that we sent the request to:
Similar
addresses
Response still
gets routed
back to this
address
29
Denial of Service
It is not only possible to read subscriber data - it can also be modified, since
most networks VLR/MSC dont do any plausibility checks
X
30
CAMEL
???
The gsmSCF then decides if the desired action can continue unmodified or
modified or will be aborted
31
CAMEL
Home network
HLR
gsm
SCF
Visited network
MSC/
VLR
insertSubscriberData req
with gsmSCF address and list of events
to report (Detection Points)
32
CAMEL
Subscriber wants to make a phone call, but dials number in German national format
(0317654...)
HLR
Visited network
MSC/
VLR
gsm
SCF
initialDP
0317654...
connect
+49317654...
Setup
0317654...
Call setup to
rewritten number
SS7: Locate. Track. Manipulate.
33
Caller network
MSC/
VLR
insertSubscriberData req
with address of attacker
as gsmSCF
34
Subscriber wants to call +345678..., but the MSC now contacts the attacker
instead of the subscribers gsmSCF
+345678...
Caller network
+210987...
MSC/
VLR
Setup
+345678...
initialDP
+345678...
35
Caller network
+210987...
MSC/
VLR
Setup
+345678...
initialDP
+345678...
connect
+210987...
36
Caller network
+210987...
MSC/
VLR
Setup
+345678...
initialDP
+345678...
connect
+210987...
Voicecall to
+210987...
Voicecall to
+345678...
37
Visited network
MSC/
VLR
updateLocation req
Location Updating
Request
38
The HLR sends a copy of the subscribers data to the VLR/MSC and saves the
address of the VLR/MSC
Home
network
Visited network
MSC/
VLR
HLR
updateLocation req
Location Updating
Request
39
Now, when somebody wants to call or text the subscriber, the HLR gets asked for
routing information (sendRoutingInfo...) and hands out the address of the VLR/
MSC
Some
network
SMSC
Home
network
HLR
Visited network
MSC/
VLR
sendRoutingInfoForSM
req
sendRoutingInfoForSM
resp
mt-forwardSM
req
SMS-DELIVER
40
Home
network
Visited network
MSC/
VLR
HLR
updateLocation req
Saves attackers address
insertSubscriberData req
41
Now, calls and SMS for that subscriber are routed to the attacker
Example: Subscribers bank sends text with mTAN. Attacker intercepts
message and transfers money to his own account
Some
network
SMSC
Home
network
HLR
Visited network
MSC/
VLR
sendRoutingInfoForSM
req
sendRoutingInfoForSM
resp
mt-forwardSM
req
42
43
44
An attacker can find out the phone numbers of subscribers around him:
Paging Request
contains TMSI
45
MSC/
VLR
Paging Request
contains TMSI
46
The MSC can be asked to hand out the IMSI if the TMSI is known
With updateLocation, the attacker can figure out the MSISDN belonging to
the IMSI
MSC/
VLR
Paging Request
contains TMSI
sendIdentification req
sendIdentification resp
containing IMSI
SS7: Locate. Track. Manipulate.
47
The MSC can be also be asked for the session key for of the subscriber!
MSC/
VLR
48
If the attacker captures an encrypted GSM or UMTS call, he can then decrypt
it using the session key
MSC/
VLR
49
LTE
A lot of the SS7 design has been ported to Diameter, including its flaws
E.g. there is still no end-to-end authentication for subscribers
GSM/UMTS (and with them SS7) will be around for a long time to come
(probably around 20 years)
To be able to have connections from GSM/UMTS to LTE, there are interfaces
mapping most of the SS7 functionality (including its flaws) onto Diameter
50
Summary
An attacker needs SS7 access and (most of the time) SCCP roaming with his
victims network
Track his victims movements (in some networks with GPS precision)
Intercept his victims calls, text messages (and probably data connections, not
verified)
51
With SMS Home Routing, all text messages traverse an SMS router in the
subscribers home network
All MAP and CAP messages only needed internally in the network should be
filtered at the networks borders
If Optimal Routing is not used, sendRoutingInfo (the one for voice calls,
another source of MSC and IMSI), can also be filtered
SS7: Locate. Track. Manipulate.
52
53
Thank you!
Questions?
54
References
osmocomBB: http://bb.osmocom.org/trac/
Study into routeing of MT-SMs via the HPLMN, 3GPP TR 23.840: http://www.3gpp.org/ftp/Specs/archive/23_series/23.840/
Evolved Packet System (EPS): MME and SGSN related interfaces based on Diameter protocol, 3GPP TS 29.272: http://
www.3gpp.org/ftp/Specs/archive/29_series/29.272/
Sergey Puzankov and Dmitry Kurbatov, How to Intercept a Conversation Held on the Other Side of the Planet: http://
www.slideshare.net/phdays/phd4-pres-callinterception119
SS7: Locate. Track. Manipulate.
55