Professional Documents
Culture Documents
SS7 Vulnerabilities, Security Threats, SMS Fraud Solutions & Signaling
SS7 Vulnerabilities, Security Threats, SMS Fraud Solutions & Signaling
1. Introduction .....................................................................................3
2. Market Drivers and Business Challenges ..................................5
2.1 History of SS7 ..................................................................................................................... 5
2.2 Evolution to Diameter ......................................................................................................... 6
6- Glossary......................................................................................... 51
Page 2
1. Introduction
Page 3
The ability to intercept Subscribers Short Message Service (SMS)
messages
The ability to implement Denial of Service attacks at Mobile Switching
Centers (MSC)
The ability to manipulate Subscribers Unstructured Supplementary
Service Data (USSD)
All of these attacks and threats are based on SS7 messages that are required
for both intra and inter network calls. Moreover, these attacks can be launched
with equipment costing as little as a few hundred dollars using commonly
available information making access to the SS7 network is easier that ever.
SS7 security topics and other related challenges faced by Mobile Network
Operators will be discussed in this paper.
Page 4
2. Market Drivers and Business Challenges
The Global mobile Suppliers Association states in their study “Evolution to LTE
Report, January 7, 2015 that there are currently 360 commercially launched
LTE networks in 124 countries with 373 million subscribers. GSMA Intelligence
reports that as of February 9, 2015 there are 3.67 Billion unique mobile
subscribers worldwide. These subscriber numbers indicate that currently only
10% of the mobile subscribers worldwide are LTE -- the remaining 90% or 3.3
billion are served by 2G/3G Signaling System 7 based networks. These
network and subscriber deployment research indicate that the SS7 network will
be used for quite some time thus any issues need to addressed to ensure the
integrity of the network.
The SS7/C7 protocol and its associated overlay, out of band signaling network
was designed in the early 1980s with major deployment starting in the mid
1980s. During this time there were a limited number of network operators
worldwide and the relationship between operators was one of trust. The
networks were typically wireline and SS7/C7 access was through physical
connectivity creating a walled garden approach to security. SS7 became the
major inter office inter operator signaling methodology providing call setup and
tear down, and enhanced services such as free call and Advanced Intelligent
Services (AIN).
In the late 1980s new upper protocol levels were defined to support mobile
telecommunications. These layers were Mobile Application Part (MAP) and
CAMEL Application Part (CAP).
Page 5
Message Transport Part1, 2, 3 (MTP1, MTP 2, MTP3) are the transport levels for
SS7/C7.
ISDN User Part (ISUP) is used to setup and tear down calls in a circuit switched
environment.
Signaling Connection Control Part (SCCP) contains the source and destination
addresses for TCAP/MAP/CAP messages. SCCP also provides for Global Title
Translations capabilities.
Page 6
implementation of Voice over LTE (VoLTE) services. The Diameter Protocol
defined by both the Internet Engineering Task Force (IETF) and the Third
Generation Project Partnership (3GPP) is providing the functionality of TCAP,
MAP and CAP layers of SS7.
Page 7
3. SS7 Security Threats
The concept of open source software also had an unintended impact on the
intruder’s ability to attack the SS7 network. Today the ability to build and send
messages in the SS7 network is essentially free and can be placed on everyday
personal computers. Intruders can also source equipment to gain information
from the air interface side of the mobile network from the hundreds of dollars
to not much over a thousand dollars.
The ease of access and the inexpensive equipment opens the door to security
breaches to the SS7 network, exposing subscribers and network operators to
extensive fraud and financial losses.
Page 8
information regarding the network and protocol was limited and costly to
obtain.
Today one can obtain specifications for the SS7 network and protocols very
easily and by downloading the specification from the telecommunication
standards bodies for free.
All of the information and knowledge required to perform intrusive fraud and
network / subscriber attacks is available to anyone.
Page 9
Since the SMSC does not know the location of the terminating subscriber
– the SMSC requests this information from the HLR containing the
information pertinent to the terminating subscriber. This is accomplished
using the MAP-Send-Routing-Info-For-SM query message (SRI-For-SM).
The terminating subscribers’ Mobile Station International Directory
Number (MSISDN) is included in the SRI-For-SM to be used in the HLR
query.
Page 10
Short Message Service Call Flow
Threat Setup
Page 11
3.3.1.3 Attack Call Flow:
In the scenario the intruder is posing as an SMSC wishing to deliver
an SMS message to a subscriber. To deliver the SMS message the
“Fake SMSC” requires the address of the MSC/VLR currently serving
the target subscriber.
Page 12
3.3.1.4 Result of Attack:
The intruder currently has the following as a result of the attack:
1. MSISDN of Subscriber
2. IMSI of Subscriber
3. MSC/VLR currently serving Subscriber
4. SS7 Point Code Address of HLR in Subscribers home network
One example of SS7 Location Bases Services is shown in the graphic below.
A brief explanation of the service follows.
Cell Id.
Mobile Country Code (MCC)
Page 13
Mobile Network Code (MNC)
Location Area Code (LAC)
This information can be used to find out longitude and latitude of the
subscriber – there are applications available on the web that will
translate this information into locations on a map. If the subscriber in
question is located in an urban area the location accuracy can be
within a few hundred feet due to the close proximity of cell sites.
Intruders were sending ATI messages to the HLR, for there are SS7 networks
providing easy access to network and subscriber information, however, most
operators have stopped responding to ATI messages received from foreign
networks.
Page 14
3.3.2.2 Requirements For Attack:
1. SS7 Network Access – fairly easy to obtain
2. SS7 message generation capability – open source and easy to
obtain
3. IMSI of target subscriber (Obtained in Threat 3.3.1)
4. Address of Serving MSC/VLR (Obtained in Threat 3.3.1)
The premise for this attack is -- the intruder will pose as an HLR and send
MAP-Provide-Subscriber-Info (PSI) Request message directly to the
MCS/VLR serving the subscriber. This is possible due to the fact that in
the previous threat the intruder received the address of the MSC/VLR,
the IMSI of the subscriber
Threat Setup
Page 15
Discovery of Subscribers Location Call Flow
1. Cell Id.
2. Mobile Country Code (MCC)
3. Mobile Network Code (MNC)
4. Location Area Code (LAC)
Page 16
The new MSC needs to authenticate the user therefore it sends Send Auth.
Info to the HLR. The HLR responds with the authentication triplets.
The HLR sends a copy of the subscriber information using the Insert
Subscriber Data to the MSC – the MSC acknowledges its receipt with an Insert
Subscriber Data Acknowledgement message.
The HLR then initiates a Cancel Location sequence with the previous serving
MSC.
The HLR then sends an Update Location Acknowledgement to the new MSC.
This is used to inform the new MSC that it is now considered the serving MSC
for the subscriber and that the network portion of the Update Location is
complete.
The New MSC sends a Location Update Response to the Mobile station
completing the Update Location process.
Page 17
GSM Update Location Call Flow
The premise for this attack is -- the intruder will pose as an MSC/VLR and
send MAP-Update-Location- (UL) Request message directly to the
subscribers HLR. Once the Update Location procedures are complete
the Subscriber will not be able to receive incoming messages or calls
until they move to another MSC/VLR or reboot the phone or place an
outgoing call.
Page 18
Threat Setup
Page 19
Disruption of Subscribers Availability Call Flow
Page 20
The intruder can use both of these to fraudulent financial gain.
The premise for this attack is -- the intruder will pose as an MSC/VLR and
send MAP-Update-Location- (UL) Request message directly to the
subscribers HLR. Once the Update Location procedures are complete
the intruder will capture the Subscribers SMS messages.
Threat Setup
Page 21
Once the Update Location procedures are complete normal SMS
delivery message flow occurs:
1. The Mobile Originating messages are sent from the originating
subscribers MSC/VLR to its associated SMSC.
2. The SMSC then queries the HLR for the location of the terminating
subscriber using the SRI-For-SM (Req.) message.
3. The HLR responds with SRI-For-SM (Resp.) message containing
the current location of the terminating subscriber.
4. The SMSC uses the MT-Forward-SM to send the SMS message to
the terminating MSC/VLR that in this case is the “Fake MSC/VLR”
created by the intruder.
5. The “Fake MSC/VLR” responds with the appropriate MT-Forward-
SM ACK. This final sequence provides the feedback to the
originator that the message was received by the recipient,
however, in this case the intruder – not the intended subscriber.
Page 22
messages will be sent to the Fake MSC/VLR and can be used by the
intruder.
The premise for this attack is for the intruder to gain the information
required (HLR address, Target Subscribers IMSI and Balance of Target
Subscriber account) in order for the intruder to transfer target
subscriber’s funds to intruders account. This is a multi-stage attack.
Page 23
Stage 1
Stage 2
Page 24
Stage 2 – Threat Setup
Stage 3
Page 25
subscriber to the attack. However if the intruder coupled this attack
with the one described in “Attack 3.3.4 Intercepting SMS Messages” the
target subscriber would never receive the SMS message.
Threat Setup
Page 26
provided in the message.. This message is sent to HLR. The HLR
responds with a Process-Unstructured-SS (Response) that includes
the confirmation that the process has been completed.
Page 27
3. IMSI of Subscriber
4. Account balance in target subscriber’s account
Note: After receiving the subscriber profile information from the attack
detailed in 3.3.3 the attacker understands the target subscribers profile
information received for the HLR.
The premise for this attack is -- the intruder will pose as an HLR and send
a fraudulent subscriber profile to the serving MSC/VLR invoking intruder
desired services. These services can include:
Page 28
Bypassing billing services
Turning on or off call forwarding
Barring calls to the target subscriber
And many, many more
Threat Setup
Page 29
Manipulation of Subscriber Profile in VLR Call Flow
Page 30
implements the CAMEL logic. The gsmSCF is usually located in the
subscriber’s home network.
Purpose of Attack:
This attack is used to intercept a subscribers outgoing call for the
purpose of eavesdropping, including listening and or recording of
conversations.
Page 31
Stage 1
Posing as a Fake HLR acting on behalf of the subscriber has the address
of his Fake gsmSCF placed in the VLR. Also the VLR is instructed to
contact the Fake gsmSCF while the target subscriber starts to initiate a
call.
Page 32
Stage 2
Posing as aFake gsmSCF, the intruder receives a call request from the
MSC/VLR acting on behalf of subscriber “XXX” to call “YYY”– the Fake
gsmSCF instructs the MSC/VLR to place the call to his eavesdropping
system (“ZZZ”) instead.
Page 33
Stage 3
Posing as a Bridging and recording system the intruder receives the call
from subscriber “XXX”. The intruder places a call to the original called
subscriber (“YYY”).
Page 34
Threat Setup Completion
The intruder then bridges these two calls together and is able to listen
to and/or record the conversation.
Page 35
subscriber is placing a call. This message contains all relevant call
information including the CALLing and CALLed subscriber number
information. The Fake gsmSCF responds with a Connect Message. The
Connect Messages indicates to the MSC that it should send the call to
“ZZZ” rather than to the original CALLed subscriber (YYY).
In the next stage the MSC/VLR uses normal call setup procedures to
connect the call to ZZZ, which is the intruder’s bridging and recording
system. Upon receipt of the call from XXX the intruder connects this call
leg to the bridging and recording system. The intruder then places a call
to YYY, connects it to the bridging and recording system and bridges the
two call legs together.
The completion of the previous stages allows the intruder to both record
and listen to the conversation between XXX and YYY without their
knowledge.
Page 36
Intercepting and Redirecting Outgoing Calls with CAMEL
Application Part (CAP)
Page 37
the “Forward to Number” and sends this message to the HLR. The HLR
responds with a MAP-Register-SS (CFU) response message. This
acknowledgement is received by the MSC, which in turn sends an
acknowledgment to the mobile station triggering the conformation tone to the
user.
To deactivate call forwarding the user dials a * code plus two digits. The
serving MSC receives this indication and builds a MAP-Erase-SS (CFU)
message and sends this message to the HLR. The HLR responds with a MAP-
Erase-SS (CFU) response message. This acknowledgement is received by the
MSC, which in turn sends an acknowledgment to the mobile station triggering
the conformation tone to the user.
Page 38
3.3.8.1 Redirecting incoming calls for recording
Purpose of Attack:
This attack is used to place the intruder or the intruder devices in the
middle of an incoming call so the conversation can be monitored or
recorded.
Page 39
The premise for this attack is:
Stage 1.
The intruder posing as the serving MSC for the target subscriber will
send the Call Forwarding information to the HLR. The “Forward to
Number will be the number for the Bridging and Recording Equipment.
Page 40
Stage 2.
The intruder receives a forwarded call from the target subscriber. This
call is connected to the intruder’s bridging and recording system.
Page 41
Stage 3.
The intruder, acting as the serving MSC/VLR for the target subscriber,
sends Cancel Call Forwarding information to the HLR.
Page 42
Stage 4.
The intruder will place a call to the original CALLed party (Target
Subscriber) and bridge the two call legs together through their
monitoring and bridging system.
Page 43
Attack Call Flow:
To start this scenario the intruder poses as the Fake Serving MSC/VLR.
The intruder sends a MAP-Register-SS (CFU) to the HLR of the target
subscriber. This message indicates that the target subscriber has call
forwarded their phone unconditionally to the intruders Bridging and
Monitoring system.
Upon placing a call (to the target subscriber) the originating party’s MSC
or Gateway MSC contacts the HLR of the target subscriber to get their
current location. The HLR responds with the call forwarding information
the intruder has inserted. The call is then routed to the intruders Bridging
and Monitoring System.
When the intruder receives the call they use a MAP-Erase-SS (CFU) to
cancel the call forwarding information for the target subscriber.
The intruder then places a call to the target subscriber and bridges the
two call legs together using the Bridging and Monitoring System.
Now the intruder is in the middle of the call for bridging, monitoring, and
recording.
Page 44
Result of Attack:
The intruders can place themselves in the middle of a call.
The intruders can use their position in the call to listen and/or record
the conversation.
3.4 Conclusion
It is quite evident that the SS7 protocol and network implementation is
open to intrusion and threats for both internal and external threats.
Given the vast deployments of SS7 and the voluminous quantity of nodes
that implement the SS7 protocol it is too late to implement changes to
the protocol and nodal implementation of the protocol. Additionally the
security threats are beyond Gate Screening capabilities of network
based Signaling Transfer Points (STP). Given the severity of the security
issues a need has arisen to implement intelligent, rules based systems
that can monitor, develop rules and implement policies to stop or limit
the impact of these attacks. These signaling firewalls will be the
protection mechanism for the legacy-signaling network until it is totally
replaced by LTE/EPC diameter based networks. This could be upwards
of 20 years.
Page 45
4. What to look for in a Signaling Firewall Solution
It seems evident that security in the SS7 network is and will continue to be a big
issue. Being that SS7 is the mostly widely deployed signaling methodology in
telecommunication history -- changing the protocol at this stage is out of the
question. To solve the security issues intelligent security firewalls need to be
implemented. These firewalls should address today’s threats as well as have
the flexibility to address new threats as they arise. The following items should
be included in any security solution or security vendor.
Page 46
extremely important that any SS7 security vendor have both experience and
solutions to address issues concerning SMS security and fraud.
Page 47
5. Cellusys Signaling Firewall Advantages
MTP
Page 48
SCCP
TCAP
MAP
CAP
The rules system gives the operator a powerful system that will
limit the exposure of subscribers and the rework to outside
security threats.
Page 49
5.4 Scalable and Fault Tolerant
The architecture of the Cellusys Signaling Firewall solution is designed
to provide operators with a near-real-time, highly scalable fault tolerant
solution to the SS7 security issues.
Page 50
6- Glossary
2G Second Generation
3G Third Generation
3GPP Third Generation Project Partnership
AIN Advanced Intelligent Services
ATI Anytime Interrogation
C7 CCITT Seven
CAMEL Customized Applications for Mobile networks Enhanced
Logic
CAP Camel Application Part
CFU Call Forward Unconditional
CGI Cell Global Identity
EPC Evolved Packet Core
GSM Global System for Mobile Communications
gsmSCF GSM Service Control Function
GTT Global Title Translations
HLR Home Location Register
IETF Internet Engineering Task Force
IMSI International Mobile Subscriber Identity
IP Internet Protocol
ISUP ISDN User Part
LAC Location Area Code
LTE Long Term Evolution
M2PA MTP 2 Peer to Peer Adaption
M2UA MTP 2 User Adaption
M3UA MTP 3 User Adaption
MAP Mobile Application Part
MAP-Erase-SS MAP Erase Supplemental Service
MAP-Register-SS MAP Register Supplemental Service
MCC Mobile Country Code
MNO Mobile Network Operator
MO-Forward-SM MAP Mobile Originating Short Message Service
MS Mobile Station
MSC Mobile Switching Center
MSISDN Mobile Station International Directory Number
MTP 1 Message Transfer Part 1
MTP 2 Message Transfer Part 2
MTP 3 Message Transfer Part 3
PLMN Public Land Mobile Network
PSI Provide Subscriber Information
SCCP Signaling Connection Control Part
SCTP Stream Control Transmission Protocol
SIP Session Initiation Protocol
SMS Short Message Service
Page 51
SMSC Short Message Service Center
SRI-For-SM Send Routing Information for Short Message Service
SS7 Signaling System Seven
STP Signal Transfer Point
SUA SCCP User Adaption
TCAP Transaction Capabilities Application Part
UL Update Location
UMTS Universal Mobile Telecommunication Systems
USSD Subscribers Unstructured Supplementary Service
VLR Visitor Location Register
VoLTE Voice over LTE
Page 52
Cellusys founded in 2004 is a privately held company, based in
Dublin, Ireland
Research & Development
Signalling Solution & Circuit Switched Engineering
Berlin, Germany
Research & Development
Bangkok, Thailand
Sales & Technical Support Asia Pacific
Atlanta, USA
Sales & Technical Presales
Dubai, UAE
Sales & Technical Presales