Vulnerabilities of most robust mobile operators
Sergey Puzankov
About me
• 18+ years in telecom industry
• 7+ years in telecom security
• @xigins
• sergey_puzankov
• spuzankov@ptsecurity.com
SS7 (Signaling System No. 7) is a set of telephony protocols used to set up and tear down telephone calls, send and receive SMS messages, provide subscriber mobility, and more. It is used in:
• Fixed telephony
• 2G/3G mobile networks
• Interconnection with next-generation networks
Who are potential targets?
• Any mobile operator
• Easily
• From anywhere
• No special skills needed

Scope grows
SS7 is widely used, Diameter has been added and is spreading. Still not enough security.
Mobile operators and SS7 security
• Security configuration
• Security assessment
• SS7 firewall
• SMS Home Routing
• Signaling IDS
Basic nodes and identifiers
SS7 firewall
An SS7 firewall is the most sophisticated signaling security tool: it protects the network against a wide range of threats such as IMSI disclosure, location tracking, and traffic interception.
Signaling Transfer Point
• A Signaling Transfer Point (STP) is a router that relays SS7 messages between signaling end-points and other STPs.
• Usually the STP is a border point of a signaling network.
• The STP can be used to screen ineligible signaling traffic.
• The screening rules of most STPs are simple, for instance blocking a signaling message by its source address or redirecting a signaling message by its operation code.
• The STP looks through a signaling message layer by layer and applies a rule as soon as the first matching pattern is triggered, so the order of the rules decides the outcome.
SMS delivery process
SRI4SM — SendRoutingInfoForSM
1. An SRI4SM Request carrying the target MSISDN is sent to the HLR.
2. The HLR answers with the subscriber's IMSI and the address of the serving MSC.
3. The MT-SMS (IMSI, SMS text) is delivered to that MSC.
SRI4SM abuse by a malefactor
The same request works for an attacker with interconnect access: an SRI4SM for the victim's MSISDN makes the HLR return the IMSI and the serving MSC address, and no SMS has to be sent at all. (Figure: HLR and MSC.)
SMS Home Routing
With SMS Home Routing an SRI4SM from outside the network is answered by an SMS Router on behalf of the HLR, so the real IMSI and MSC address stay inside the network; the MT-SMS is then delivered through the SMS Router. (Figure: HLR, SMS Router, MSC.)
SS7 firewall: typical deployment scheme
1. An SS7 message arrives at the STP from the interconnect.
2. The STP hands the message to the SS7 firewall.
3. If the firewall clears it, the message is forwarded to the target node (the HLR in the figure).
SS7 firewall: blocking rules
The firewall decodes each message layer by layer, from the SCCP source and destination addresses through the TCAP Application Context to the MAP OpCode and parameters (IMSI, …), and applies rules of three categories:
• Category 1: block a message by its operation code.
• Category 2: block a message by its operation code and the correlation between the source address and the subscriber identity.
• Category 3: block a message by its operation code and the subscriber's real location.
(Figure: firewall rules applied to an SS7 message on its way to the HLR or MSC.)
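The first-match behaviour of the STP and the three rule categories of the firewall above are easiest to reason about in code. The following is an added example written for this page, not the speaker's code and not any vendor's rule engine: a screening engine that evaluates ordered rules over already-decoded messages, with Category 1 (opcode), Category 2 (source country versus IMSI MCC, the "Switzerland ≠ China" check) and Category 3 (source versus where the subscriber can plausibly be, here a lookup table standing in for HLR state and velocity logic). The Global Titles, IMSIs, the country table and the toy policy are constructed; the MAP opcodes are the standard local values from 3GPP TS 29.002. The same message set is run against two rule orders to show how an SCCP-layer allow rule for a partner range shadows every later check when it is placed first.

```python
"""Added example, not from the talk or any product: a first-match screening engine in
the spirit of the STP and SS7 firewall slides. The three rule categories are the ones
the slides name; Global Titles, IMSIs and the country table are constructed test data."""
from dataclasses import dataclass
from typing import Optional

UL, CL, ISD, SAI, SEND_IMSI, PSI, ATI = 2, 3, 7, 56, 58, 70, 71   # MAP local operation codes (TS 29.002)
CC_TO_MCC = {"41": {"228"}, "49": {"262"}, "86": {"460", "461"}}  # E.164 country code -> MCCs (constructed subset)

@dataclass
class Msg:
    calling_gt: str             # SCCP calling party Global Title, international digits
    opcode: int                 # MAP local opcode of the (single) component
    imsi: Optional[str] = None  # subscriber identity from the MAP argument, if present

def country_of_gt(gt):
    """Longest-prefix match of a GT against the known country codes; None if unknown."""
    for n in (3, 2, 1):
        if gt[:n] in CC_TO_MCC:
            return gt[:n]
    return None

def cat1(opcodes):
    """Category 1: operations that must never arrive from the interconnect."""
    return lambda m: "block" if m.opcode in opcodes else None

def cat2(opcodes):
    """Category 2: the source network must be the one the subscriber belongs to."""
    def rule(m):
        if m.opcode not in opcodes or m.imsi is None:
            return None
        cc = country_of_gt(m.calling_gt)
        return None if cc and m.imsi[:3] in CC_TO_MCC[cc] else "block"
    return rule

def cat3(opcodes, plausible_cc):
    """Category 3: the source must be where the subscriber can really be. plausible_cc
    (IMSI -> countries) stands in for the HLR state and velocity logic a real firewall consults."""
    def rule(m):
        if m.opcode not in opcodes or m.imsi not in plausible_cc:
            return None
        return None if country_of_gt(m.calling_gt) in plausible_cc[m.imsi] else "block"
    return rule

def allow_gt_prefix(prefix):
    """SCCP-layer allow rule for a trusted partner range; where it sits in the list matters."""
    return lambda m: "pass" if m.calling_gt.startswith(prefix) else None

def screen(rules, msg):
    """First-match evaluation, as on the STP slide: the first rule that fires is final."""
    for name, rule in rules:
        verdict = rule(msg)
        if verdict:
            return name, verdict
    return "default", "pass"

def demo():
    plausible = {"460001234567890": {"86", "41"}}   # constructed: a CN subscriber currently roaming in CH
    checks = [("cat1", cat1({ATI, SEND_IMSI})), ("cat2", cat2({PSI, ISD, CL})), ("cat3", cat3({UL, SAI}, plausible))]
    partner = ("allow-ch-partner", allow_gt_prefix("41"))
    ordered = checks + [partner]       # allow rule last: it only reaches messages no check objected to
    misordered = [partner] + checks    # allow rule first: it shadows every check for 41* sources
    msgs = {"ati-from-ch": Msg("41790000001", ATI, "460001234567890"),
            "psi-from-ch-cn-sub": Msg("41790000001", PSI, "460001234567890"),   # Switzerland != China
            "psi-from-cn-hlr": Msg("8613800000001", PSI, "460001234567890"),
            "ul-from-de": Msg("4915100000001", UL, "460001234567890"),
            "ul-from-ch": Msg("41790000002", UL, "460001234567890")}
    return {name: (screen(ordered, m), screen(misordered, m)) for name, m in msgs.items()}
```

`demo()` returns, per constructed message, the (rule, verdict) pair under the safe order and under the misordered list. With the allow rule first, the ATI and the PSI from a 41* source sail through as "allow-ch-partner", exactly the kind of configuration mistake the talk lists among the main issues; with the checks first they are blocked by Category 1 and Category 2 respectively, while the legitimate PSI from a Chinese HLR for a Chinese IMSI passes in both orders.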
SS7 attacks and vulnerabilities
Application Context Name (ACN), legitimate versus malformed, arc by arc:

| Arc | Legitimate ACN | Malformed ACN |
|---|---|---|
| 1 | 0 – CCITT | 0 – CCITT |
| 2 | 4 – Identified Organization | 4 – Identified Organization |
| 3 | 0 – ETSI | 4 – Unknown |
| 4 | 0 – Mobile Domain | 0 – Mobile Domain |
| 5 | 1 – GSM/UMTS Network | 1 – GSM/UMTS Network |
| 6 | 0 – Application Context ID | 0 – Application Context ID |
| 7 | 20 – ShortMsgGateway | 20 – ShortMsgGateway |
| 8 | 3 – Version 3 | 3 – Version 3 |

That is, 0.4.0.0.1.0.20.3 (shortMsgGatewayContext-v3) versus 0.4.4.0.1.0.20.3; the two differ only in the third arc.
IMSI disclosure via malformed ACN
1. The attacker sends an SRI4SM Request for the target MSISDN with a malformed ACN. Layer by layer the message reads: SCCP destination: HLR; TCAP: malformed ACN; MAP: OpCode and parameters.
2. The STP (or the SS7 firewall behind it) keys its SMS Home Routing redirection and its Category 2 correlation check (source address and subscriber identity belong to different countries: Switzerland ≠ China) on a correctly decoded ACN. With a malformed ACN no rule fires, the request is not diverted to the SMS Router and reaches the HLR.
3. The HLR is more tolerant than the screening node: it processes the request and returns the real IMSI.

ITU-T Q.773 Recommendation, Transaction capabilities formats and encoding: the operation code of an Invoke component is a CHOICE between a localValue (INTEGER, tag = 2) and a globalValue (OBJECT IDENTIFIER, tag = 6).
Location tracking via Global OpCode
1. The attacker sends a PSI (ProvideSubscriberInfo) request whose operation code is encoded as a Global OpCode (OBJECT IDENTIFIER, tag 6) in the TCAP component instead of the usual local code (INTEGER, tag 2).
2. The STP and SS7 firewall rules match on local operation codes, so the request is neither blocked by opcode nor caught by the source-address/subscriber-identity correlation (Switzerland ≠ China).
3. The PSI with the Global OpCode reaches the MSC/VLR, which accepts it and returns the subscriber's location.
Double MAP in MiTM attack
1. TCAP Begin: the attacker sends one Begin carrying two MAP components, InsertSubscriberData_REQ and DeleteSubscriberData_REQ, through the STP and the SS7 FW to the MSC/VLR.
2. The answer is a TCAP Continue with a ReturnError: the request is rejected, but the dialogue is left open instead of being aborted.
3. TCAP Continue: the attacker continues the open dialogue with one or more Continue messages carrying InsertSubscriberData_REQ. Each is answered with a TCAP Continue and ReturnResultLast, i.e. the MSC/VLR accepts the subscriber data; a TCAP End closes the dialogue.
4. The inserted subscriber data steers the victim's traffic to the attacker's PBX, which gives the attacker a MiTM position.
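The three bypasses above (malformed ACN, Global OpCode, two MAP invokes in one Begin) are all parsing differentials between a screening node and the end node behind it. The block below is an added example written for this page, not the speaker's code and not any vendor's firewall: it encodes TCAP Begin messages with a minimal BER encoder, then runs them through a naive engine that mirrors the weaknesses on the slides (needs a recognised ACN, reads only the first component's local opcode, passes whatever it cannot classify) and through a fail-closed variant. The MAP opcodes and the ACN OIDs are the standard values from 3GPP TS 29.002; the ACN with arc 3 set to 4 is the malformed one from the table above. The interconnect policy, the subscriber numbers and the global operation code are constructed: which global OIDs a given MSC/VLR accepts is implementation-specific and not on the slides, so the demo uses an OID under the 2.999 example arc, because the naive engine's failure does not depend on its value. The MAP arguments are simplified to the identity field only.

```python
"""Parsing-differential demo for the three bypasses on the slides: malformed ACN, global
OpCode, two MAP invokes in one TCAP Begin. Added example, not code from the talk or any
vendor; standard library only; policy, numbers and the global OID below are constructed."""
SRI4SM, PSI, ISD, DSD = 45, 70, 7, 8                    # MAP local operation codes (TS 29.002)
ACN = {"shortMsgGateway-v3": (0, 4, 0, 0, 1, 0, 20, 3),    # MAP application contexts, version 3
       "subscriberDataMngt-v3": (0, 4, 0, 0, 1, 0, 16, 3),
       "subscriberInfoEnquiry-v3": (0, 4, 0, 0, 1, 0, 28, 3)}
MALFORMED_ACN = (0, 4, 4, 0, 1, 0, 20, 3)               # arc 3: 0 (ETSI) replaced by 4, as on the slide
DEMO_GLOBAL_OP = (2, 999, 70)                           # constructed OID under the 2.999 example arc, not a 3GPP value
ACN_FOR_OP = {SRI4SM: {20}, PSI: {28}, ISD: {16}, DSD: {16}}   # ac-id (arc 7) expected for each opcode
POLICY = {SRI4SM: "redirect", PSI: "block", ISD: "block"}      # toy interconnect policy; DSD deliberately unlisted
RANK = {"pass": 0, "redirect": 1, "block": 2}

def tlv(tag, value):                                    # BER TLV with short or long definite length
    n, k = len(value), (len(value).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + value
def oid_arc(a):                                         # base-128 arc, high bit set on all but the last byte
    out = bytes([a & 0x7F])
    while a := a >> 7:
        out = bytes([0x80 | (a & 0x7F)]) + out
    return out
def ber_oid(arcs):
    return tlv(0x06, oid_arc(arcs[0] * 40 + arcs[1]) + b"".join(map(oid_arc, arcs[2:])))
def oid_decode(body):
    arcs, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    first = arcs[0]
    return tuple(([2, first - 80] if first >= 80 else [first // 40, first % 40]) + arcs[1:])
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def read_seq(buf):                                      # all TLVs inside a constructed value
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def tbcd(digits, prefix=b""):                           # MAP TBCD string, odd length padded with F
    digits += "F" * (len(digits) % 2)
    return prefix + bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))
def dialogue_portion(acn):                              # Q.773 dialoguePortion: EXTERNAL { dialogue-as-id, AARQ }
    aarq = tlv(0x60, tlv(0x80, b"\x07\x80") + tlv(0xA1, ber_oid(acn)))        # AARQ: protocol-version, ACN
    return tlv(0x6B, tlv(0x28, ber_oid((0, 0, 17, 773, 1, 1, 1)) + tlv(0xA0, aarq)))
def invoke(invoke_id, opcode, param):                   # int opcode -> local (tag 2), tuple -> global (tag 6)
    op = ber_oid(opcode) if isinstance(opcode, tuple) else tlv(0x02, bytes([opcode]))
    return tlv(0xA1, tlv(0x02, bytes([invoke_id])) + op + param)
def tcap_begin(acn, invokes):                           # Begin { otid, dialoguePortion, components }
    return tlv(0x62, tlv(0x48, b"\x00\x00\x00\x01") + dialogue_portion(acn) + tlv(0x6C, b"".join(invokes)))
def parse_begin(msg):                                   # -> (acn arcs or None, [opcode per Invoke])
    tag, body, _ = read_tlv(msg)
    if tag != 0x62:
        raise ValueError("not a TCAP Begin")
    acn, ops = None, []
    for t, v in read_seq(body):
        if t == 0x6B:                                   # dialoguePortion -> EXTERNAL -> AARQ -> [1] ACN
            ext = dict(read_seq(read_seq(v)[0][1]))
            for at, av in read_seq(read_seq(ext[0xA0])[0][1]):
                if at == 0xA1:
                    acn = oid_decode(read_seq(av)[0][1])
        elif t == 0x6C:                                 # components: collect every Invoke, not just the first
            for ct, cv in read_seq(v):
                if ct == 0xA1:
                    ot, ov = read_seq(cv)[1]            # the field after invokeID is the opCode
                    ops.append(int.from_bytes(ov, "big", signed=True) if ot == 0x02 else oid_decode(ov))
    return acn, ops

def naive_screen(msg):                                  # the weaknesses on the slides, fail-open
    acn, ops = parse_begin(msg)
    if acn not in ACN.values():
        return "pass"                                   # unrecognised ACN: cannot classify, so it passes
    return POLICY.get(ops[0], "pass")                   # first component only; a global opcode (tuple) matches nothing
def strict_screen(msg):                                 # fail-closed, every component evaluated
    try:
        acn, ops = parse_begin(msg)
    except (IndexError, KeyError, ValueError):
        return "block"                                  # undecodable: never wave it through
    if acn not in ACN.values() or not ops:
        return "block"                                  # unknown or malformed ACN, or nothing to judge
    verdict = "pass"
    for op in ops:
        if not isinstance(op, int) or acn[6] not in ACN_FOR_OP.get(op, ()):
            return "block"                              # global opcode, unknown opcode, or opcode/ACN mismatch
        verdict = max(verdict, POLICY.get(op, "pass"), key=RANK.get)
    return verdict

def demo():
    sri_arg = tlv(0x30, tlv(0x80, tbcd("41791234567", b"\x91")))   # RoutingInfoForSM-Arg, msisdn only (simplified)
    imsi_arg = tlv(0x30, tlv(0x80, tbcd("228011234567890")))       # imsi-only argument (simplified)
    cases = {"sri4sm-valid-acn": tcap_begin(ACN["shortMsgGateway-v3"], [invoke(1, SRI4SM, sri_arg)]),
             "sri4sm-malformed-acn": tcap_begin(MALFORMED_ACN, [invoke(1, SRI4SM, sri_arg)]),
             "psi-global-opcode": tcap_begin(ACN["subscriberInfoEnquiry-v3"], [invoke(1, DEMO_GLOBAL_OP, imsi_arg)]),
             "double-map": tcap_begin(ACN["subscriberDataMngt-v3"], [invoke(1, DSD, imsi_arg), invoke(2, ISD, imsi_arg)])}
    return {name: (naive_screen(m), strict_screen(m)) for name, m in cases.items()}
```

`demo()` returns, per constructed message, the verdict of both engines. The valid SRI4SM is redirected to the SMS Router by both; the malformed-ACN SRI4SM, the PSI with a global opcode and the Begin whose second component is InsertSubscriberData all pass the naive engine and are blocked by the strict one. The design point is the conclusion of the talk in code: a screening node must fail closed on anything it cannot fully decode and classify, because the HLR or MSC/VLR behind it will still process the message.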
Main issues in SS7 security
• Configuration mistakes
• Software bugs
Conclusion
1. Check if your security tools are effective against new vulnerabilities.
2. Use an intrusion detection solution along with an SS7 firewall in order to detect threats promptly and block a hostile source.
3. Configure your STP and SS7 firewall carefully. Do not forget about malformed Application Context Names and Global OpCodes.
Thank you!
spuzankov@ptsecurity.com