Advanced Wireless Network Security

Multiplexing and Signaling

Dr. Zafar Iqbal

Assistant Professor
Department of Cyber Security, FCAI.
Air University, Islamabad.

2
Radio Spectrum

2
Spectrum Analyzer

Multimeter Spectrum Analyzer

Oscilloscope

3
 Spectrum Analyzer

What is a Spectrum Analyzer | How Does a Spectrum Analyzer Work - YouTube

4
Multiplexing

5
Multiplexing

• Whenever the bandwidth of a medium linking two or more devices is greater than
the bandwidth needs of the devices, the link can be shared.

• Multiplexing is the set of techniques that allows the simultaneous transmission of

multiple signals across a single data link.

6
Multiplexing

Multiplexing

Frequency
Time Division Statistical
Division
Multiplexing Multiplexing
Multiplexing

7
Frequency Division Multiplexing

• A number of signals are sent simultaneously at the same time allocating separate
frequency bands.

• Therefore to avoid interference between two successive channels Guard bands are
used.

8
Frequency Division Multiplexing

9
Frequency Division DeMultiplexing

10
Frequency Division DeMultiplexing

• Assume that a voice channel

occupies a bandwidth of 4 kHz.
• We need to combine three
voice channels into a link with
a bandwidth of 12 kHz, from 20
to 32 kHz.
• Show the configuration, using
the frequency domain. Assume
there are no guard bands.

11
Frequency Division DeMultiplexing

Five channels, each with a 100-kHz bandwidth, are to be multiplexed together.

What is the minimum bandwidth of the link if there is a need for a guard band of 10
kHz between the channels to prevent interference?

For five channels, we need at least four guard bands.

This means that the required bandwidth is at least
5 × 100 + 4 × 10 = 540 kHz,
12
Time Division Multiplexing

13
Interleaving

14
Digital Hierarichy

15
Digital Hierarichy

16
Digital Hierarichy

17
Digital Hierarichy

18
Statistical Multplexing

Time Division Multiplexing

• Synchronous time division multiplexing, every device which is present

in this has given the same time slot to transmit data.

• This does not consider whether the device contains data or not.
19
Statistical Time Division Multplexing (STDM)

Statistical Time Division Multiplexing

20
Statistical Time Division Multplexing (STDM)

Feature Description
Dynamically dividing bandwidth among communication
Method
channels based on actual data rate being transmitted
Increased network capacity,
Advantage reduced costs, and
effective utilization of bandwidth

21
 E1 Carriers

Anritsu (cdn-anritsu.com)
E1 Carriers

23
Digital Hierarichy

24
Signalling

Two methods are available to carrying signaling information in E1 - 2 Mb/s frames:

• In-band Signaling
• Uses the same frequency band as the voice.
• The control signals can be sent to every part where a speech signal can reach.
• Out-band Signaling
• Does not uses the same frequency band as the voice

25
Digital Hierarichy

26
Digital Hierarichy

27
Signalling

Channel associated signaling (CAS).

• the signaling data for all thirty channels is carried in TS16.
• The signaling information for each channel consists of four bits that are called
ABCD bits.
• Historically, the state of the ABCD bits represented the On-hook and Off-hook
states of a dial-pulse telephone.

28
Out-Band Signaling – Common Channel Signaling – SS7
Out-Band Signaling – Common Channel Signaling – SS7

Signal Control Points (SCPs)

• These are Databases, having
information about call processing. E.g:
Guide a toll free number where to go.

Signal Transfer Points (STPs)

• Receive and route incoming signaling messages.

Signal Switching Point (SPs)

• Telephone switches, end offices. Originate, Terminate, or

Switch calls.
Out-Band Signaling – Common Channel Signaling – SS7

SS7 is a set of protocols allowing phone networks to

exchange the information needed for passing calls and
text messages between each other and to ensure correct
billing.
It also allows users on one network to roam on another,
such as when travelling in a foreign country.
Out-Band Signaling – Common Channel Signaling – SS7
Out-Band Signaling – Common Channel Signaling – SS7
Out-Band Signaling – Common Channel Signaling – SS7
 Out-Band Signaling – Common Channel Signaling – SS7

• They can transparently forward calls, giving them

the ability to record or listen in to them.

• They can also read SMS messages sent between

phones, and

• Track the location of a phone

SS7 hack explained: what can you do about it? | Hacking | The Guardian
 SS7 Attacks

• Interception of Calls and SMS: Attackers can use SS7 vulnerabilities to intercept calls and
text messages, allowing them to listen in on conversations and read private messages.

• Call and SMS Spoofing: SS7 can be used to spoof the identity of a caller or sender of a
text message, making it appear as if the call or message is coming from a different
number.
 SS7 Attacks

• Fraudulent Charges: SS7 can be used to make unauthorized charges to a user's phone
bill. Attackers can use SS7 to make calls or send text messages that appear to come from
the victim's phone number, leading to charges for services that the victim did not use.

• Man-in-the-Middle Attacks: SS7 can be used in man-in-the-middle attacks, where an

attacker intercepts and alters communications between two parties. This can lead to
sensitive information being disclosed or altered, and can have serious security
implications.
 SS7 Attack – Location Access

• Obtaining access to an SS7 network: Attackers need access to an SS7 network in order
to be able to send location tracking requests. This can be achieved by gaining access to a
network through a vulnerability or by purchasing access from a third-party service.
• Location Tracking: SS7 can be used to track the location of a mobile device, which can
be a major security concern. Attackers can use SS7 to gather information about an
individual's whereabouts and use it for malicious purposes.
 SS7 Attack – Location Access
• Sending location tracking requests: Once the attacker has access to an SS7 network,
they can send messages that request the location of the target device. These messages
are processed by the network, and the device's location is returned in response.

• Gathering location information: The attacker can gather location information by

monitoring the responses to their location tracking requests. This information can be
used to track the target device's location in real-time.

• Using location information for malicious purposes: The location information gathered
by the attacker can be used for a variety of malicious purposes, such as tracking the
movements of a target individual, conducting surveillance, or committing crimes.
 SS7 and Diameter Signaling Threats (FYP – Research)

• A number of core telecommunication services are still powered by flawed protocols

such as SS7 (Signalling System No. 7) or Diameter. SS7 protocol, in particular, has
become one of the central cyber threats to the banking industry since hackers can
easily intercept 2FA authentication codes and drain users’ accounts.

• Newer protocols such as SIP (Session Initiation Protocol) can also be extremely
vulnerable to cyber threats without proper controls in place. For instance, in 2018
a group of attackers managed to stage a denial of service (DoS) attack on Cisco
equipment through leveraging malformed SIP traffic.

Security in Telecom: 5 Main Cyber Threats and Solutions to Them (infopulse.com)

 SIP Hacking (FYP – Research)

SIP or Session Initiation Protocol (SIP) hacking is the most common cybersecurity threat
in Voice-over-IP (VoIP) communications. Without preventive measures, hackers can
easily tap into VoIP calls and distribute SIP malware or tamper with the service. Some of
the most common types of SIP attacks in 2020 included:
• SIP toll fraud
• SIP trunk hacking
• Caller ID spoofing
• DDoS attacks on the system

Security in Telecom: 5 Main Cyber Threats and Solutions to Them (infopulse.com)

 SIP Hacking

• Back in 2019, an attacker targeted a US-based company that used an Asterisk-open

source software for VoIP.
• The attacker targeted 1500 unique getaways that were tied to almost 600 businesses.
• The cybercriminals used an injection technique over HTTP to inject a PHP shell into
the company’s server – having access to databases, call recording and more.

Security in Telecom: 5 Main Cyber Threats and Solutions to Them (infopulse.com)

 Signaling Security Testing Framework

github.com-SigPloiter-SigPloit_-_2017-06-17_01-34-12 : SigPloiter : Free Download, Borrow, and Streaming : Internet Archive

 Signaling Security Testing Framework

SS7 Sigploit (location) Kali Linux - YouTube

International Telecommunication Union (ITU)

• It is the United Nations specialized agency for information and

communication technologies – ICTs.

• Founded in 1865 to facilitate international connectivity in communications

networks.

• Allocate global radio spectrum and satellite orbits.

• Develop the technical standards that ensure networks and technologies

seamlessly interconnect.

• Every time you make a phone call via the mobile, access the Internet or send
an email, you are benefitting from the work of ITU.
 Digital Hierarichy

ITU Publications : Standardization (ITU-T)

46
 Digital Hierarichy

ITU Publications : Standardization (ITU-T)

47
 Switching and Signalling

ITU Publications : Standardization (ITU-T)

48
 Switching and Signalling

ITU Publications : Standardization (ITU-T)

49
ITUT G.763
ITUT G.763

• Digital speech interpolation (DSI): A process which, when used in the transmit unit
of a DCME, causes a trunk channel (Voice channel) to be connected to a bearer
channel (part of E1 channel) only when activity is actually present on the trunk
channel.
• Low Rate Encoding (LBR)
• System LBR voice encoders
• 64Kbps  32 Kbps or low
ITUT G.763

LRE : 64Kbps  32Kbps (ADPCM)

DSI : 1 (Channel)  2.5

Compression one channel:2*2.5 = 6

Compression E1 : 6 times
Assignment

• SS7 and Diameter Signaling Threats

• Session Initiation Protocol (SIP) Hacking / Security

 54

Thank you !