SlideShare uma empresa Scribd logo

Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

DefCamp
DefCamp

Kirill Puzankov in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The videos and other presentations can be found on https://def.camp/archive

Tecnologia
1 de 62
Baixar para ler offline
Kirill Puzankov Mobile signaling threats and vulnerabilities - real cases from our experience
Signaling System 7 (SS7) is the control plane that is used for exchanging data between network devices in telecommunications networks Call control functions: establish and release Subscriber mobility management: roaming possibilities, location- based services, seamless calls for moving subscribers Short message service Supplementary service control: call forwarding, call waiting, call hold SS7 introduces: Signaling System 7
History of Signaling Security The state of signaling security has not changed for almost 40 years Trusted ecosystem SS7 network developed. Trusted environment. No security mechanisms in the protocol stack No security Scope grows SIGTRAN (SS7 over IP) introduced. Number of operators grows. Security is still missing Huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security Not trusted anymore Growing number of SS7 interconnections, increasing amount of SS7 traffic. No security policies or restrictions 1980 2018 2000 Innovations of TODAY rely on OBSOLETE technologies from YESTERDAY
Why SS7 is not secure SIGTRAN SIGTRAN IWF/DEA Diameter LTE Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world
Governments and global organizations worried by SS7 security
Mobile operators and SS7 security Security assessment SS7 firewall Security monitoringSMS Home Routing Security configuration
Research and publications 2014 – Signaling System 7 (SS7) security report 2014 – Vulnerabilities of mobile Internet (GPRS) 2016 – Primary security threats for SS7 cellular networks 2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities) 2017 – Threats to packet core security of 4G network 2018 – SS7 vulnerabilities and attack exposure report 2018 – Diameter vulnerabilities exposure report
SS7 Security Audit. Common Facts and Figures • Subscribers could be geotracked on 75% of analyzed networks • Incoming SMS messages could be intercepted in 90% of cases • Voice calls could be intercepted in 53% of cases Threat 2015 2016 2017 Subscriber information disclosure 100% 100% 100% Network information disclosure 100% 92% 63% Subscriber traffic interception 100% 100% 89% Fraud 100% 85% 78% Denial of service 100% 100% 100%
SS7 vs Diameter comparison 4G networks are nearly equally vulnerable
Signaling Monitoring. Common Facts and Figures Almost 99% of attacks are connected with disclosing confidential subscriber data
Network vulnerability statistics: SMS Home Routing 67% of installed SMS Home Routing systems have been bypassed Possibility of exploitation of some threats in networks with SMS Home Routing installed is greater than in networks without protection
Network vulnerability statistics: SS7 firewall Penetration level of SS7 firewalls on mobile networks: 2015 — 0% 2016 — 7% 2017 — 33% Filtering system alone cannot protect the network thoroughly
Basic nodes and identifiers HLR — Home Location Register MSC/VLR — Mobile Switching Center and Visited Location Register SMS-C — SMS Centre MSISDN — Mobile Subscriber Integrated Services Digital Number IMSI — International Mobile Subscriber Identity STP — Signaling Transfer Point GT — Global Title, address of a core node element
IMSI An IMSI identifier, by itself, is not valuable to an intruder But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as:  Location tracking  Service disturbance  SMS interception  Voice call eavesdropping The IMSI is considered personal data as per GDPR.
SS7 messages for IMSI retrieval SendRoutingInfo SendIMSI SendRoutingInfoForLCS SendRoutingInfoForSM Should be blocked on the network border May be blocked on the HLR – SMS Home Routing as a protection tool
SMS Home Routing bypass
SMS delivery with no SMS Home Routing in place STP MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • IMSI • MSC Address 2. SRI4SM Response • IMSI • MSC Address 3. MT-SMS • IMSI • SMS Text 3. MT-SMS • IMSI • SMS Text SRI4SM — SendRoutingInfoForSM HLR SMS-C
SRI4SM abuse by a malefactor STP MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • IMSI • MSC Address 2. SRI4SM Response • IMSI • MSC Address HLR
SMS Router SMS Home Routing STP HLR MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 3. MT-SMS • Fake IMSI • SMS Text 3. MT-SMS • Fake IMSI • SMS Text 4. SRI4SM Request • MSISDN 6. MT-SMS • Real IMSI • SMS Text SMS-C 5. SRI4SM Response • Real IMSI • MSC Address 2. SRI4SM Response • Fake IMSI • SMS-R Address 2. SRI4SM Response • Fake IMSI • SMS-R Address
SMS Router SMS Home Routing against malefactors STP HLR MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • Fake IMSI • SMS-R Address 2. SRI4SM Response • Fake IMSI • SMS-R Address
Numbering plans Country Code (Romania) Network Destination Code Mobile Country Code (Romania) Mobile Network Code Operator HLRRule of GT Translation E.164 MSISDN and GT 40 700 1231237 E.212 IMSI 226 99 4564567894 E.214 Mobile GT 40 700 4564567894
STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router
STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx SMS Router
STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
SendRoutingInfoForSM message Called Party Address = MSISDN
SMS Home Routing bypass attack STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP HLR 1 HLR 2 1. SRI4SM Request • E.214 / Random IMSI • MSISDN 2. SRI4SM Request • E.214 / Random IMSI • MSISDN 3. SRI4SM Response • IMSI • MSC address The malefactor needs to guess any IMSI from a HLR serving the target subscriber SMS Router is aside SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
Another way to bypass the Home Router
SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN STP
SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP
SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP 3. SRI4SM Response: Fake IMSI, SMS-R address
SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP 3. SRI4SM Response: Fake IMSI, SMS-R address Different IMSIs mean SMS Home Routing procedure is involved
TCAP Protocol TCAP Message Type Transaction IDs Dialogue Portion Component Portion Begin, Continue, End, Abort Source and/or Destination IDs Application Context Name (ACN) ACN Version Operation Code Payload Application Context Name corresponds to a respective Operation Code TCAP – Transaction Capabilities Application Part
Application Context 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
Application Context change 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3 0 – CCITT 4 – Identified Organization x – Unknown 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
SMS Home Routing bypass with malformed Application Context HLR1. SRI4SM Request: MSISDN Malformed ACN 1. SRI4SM Request: MSISDN Malformed ACN STP SMS Router Malformed Application Context
SMS Home Routing bypass with malformed Application Context HLR1. SRI4SM Request: MSISDN Malformed ACN 1. SRI4SM Request: MSISDN Malformed ACN STP 2. SRI4SM Response: IMSI, MSC 2. SRI4SM Response: IMSI, MSC SMS Router SMS Router is aside
SMS Home Routing bypass with malformed Application Context HLR SMS Router 1. SRI4SM Request: MSISDN Malformed ACN STP 2. SRI4SM Response: IMSI, MSC Equal IMSIs means the SMS Home Routing solution is absent or not involved 1. SRI4SM Request: MSISDN Malformed ACN 2. SRI4SM Response: IMSI, MSC
Firewall bypass
SS7 firewall: typical deployment scheme HLRSTP 1. SS7 message 3. SS7 message 2. SS7 message SS7 firewall
SS7 messages for IMSI retrieval SendRoutingInfo SendIMSI SendRoutingInfoForLCS SendRoutingInfoForSM Should be blocked on the network border May be blocked on the HLR – SMS Home Routing as a protection tool
SS7 firewall: typical deployment scheme HLRSTP 1. SRI Request: MSISDN SS7 firewall 2. SRI Request: MSISDN The message is blocked SRI – SendRoutingInfo
Application Context change 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3 0 – CCITT 4 – Identified Organization x – Unknown 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
SS7 firewall: bypass with malformed Application Context HLRSTP 1. SRI Request: MSISDN Malformed ACN SS7 firewall 2. SRI Request: MSISDN Malformed ACN Malformed Application Context
SS7 firewall bypass with malformed Application Context HLRSTP 1. SRI Request: MSISDN Malformed ACN 2. SRI Request: MSISDN Malformed ACN 3. SRI Response: IMSI, …3. SRI Response: IMSI, … SS7 firewall is aside SS7 firewall
Tricky location tracking
SMS delivery HLR MSC 2SMS-CMSC 1 1. Mo-ForwardSM: A-Num, B-Num 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast5. ReturnResultLast
SMS spam through SS7 HLR 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast5. ReturnResultLast SMS-C MSC 2MSC 1
TCAP handshake as a protection measure HLR 1. TCAP Begin: ACN = MoSMRelay 4. SRI4SM: B-Num 5. SRI4SM: IMSI, MSC2 2. TCAP Continue 3. Mo-ForwardSM: A-Num, B-Num 9. ReturnResultLast 6. TCAP Begin: ACN = MtSMRelay 7. TCAP Continue 8. Mt-ForwardSM:A-Num, IMSI 9. ReturnResultLast SMS-C MSC 2MSC 1
Location retrieval for intelligent network services HLR1. AnyTimeInterrogation: MSISDN 4. AnyTimeInterrogation: CellID 2. ProvideSubscriberInfo: IMSI 3. ProvideSubscriberInfo: CellID MSC/VLRIN AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive identity of a serving cell in order to perform a location-based service. This message is allowed for internal operations only. It should be prohibited in external connections.
Blocking an illegitimate location request HLRSTP 1. AnyTimeInterrogation: MSISDN The message is blocked SS7 firewall 2. AnyTimeInterrogation: MSISDN
TCAP handshake exploit Is it possible to encapsulate a malformed location request into the protection mechanism and receive result?
SS7 firewall: bypass within a TCAP handshake HLRSTP1. TCAP Begin: ACN = AnyTimeInfoEnquiry The AnyTimeInfoEnquiry is used in an AnyTimeInterrogation operation that responds with the serving Cell identity, which provides subscriber location to within ~100 meters SS7 firewall MSC/VLR
SS7 firewall: bypass within a TCAP handshake The incoming signaling message does not contain an operation code, so the STP does not send it to the SS7 firewall for inspection HLRSTP1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 2. TCAP Continue The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of normal TCAP Begin message. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of normal TCAP Begin message. The STP routes this message to the node that is involved into the initial transaction. 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
SS7 firewall: bypass within a TCAP handshake HLR1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue SS7 firewall MSC/VLR 4. ProvideSubscriberInfo Cell IDIMSI
SS7 firewall: bypass within a TCAP handshake SS7 firewall is aside HLR1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 5. AnyTimeinterrogation: Cell ID TCAP End 5. AnyTimeInterrogation: Cell ID TCAP End 4. ProvideSubscriberInfo Cell IDIMSI 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue SS7 firewall MSC/VLR
Main problems Architecture flaws Configuration mistakes Software bugs
Things to remember 1. Deploying security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed. 2. Test the network. Penetration testing is a good practice to discover a lot of vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them. 3. Know the perimeter. Continuous security monitoring enables a mobile operator to know which vulnerabilities are exploited and, therefore, protect the network.
Thank you! ptsecurity.com Kirill Puzankov kpuzankov@ptsecurity.com

Recomendados

Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetPositive Hack Days
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 networkAlexandre De Oliveira
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsP1Security
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX networkAlexandre De Oliveira
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 VulnerabilitiesPositiveTechnologies
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Alejandro Corletti Estrada
 

Recomendados

Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetPositive Hack Days
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 networkAlexandre De Oliveira
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsP1Security
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX networkAlexandre De Oliveira
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 VulnerabilitiesPositiveTechnologies
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Alejandro Corletti Estrada
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisP1Security
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondPositiveTechnologies
 
SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkPositiveTechnologies
 
SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.3G4G
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li Inmhaviv
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityP1Security
 
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI GatewayMatrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI GatewayMatrix Comsec
 
Creating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyCreating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyPositiveTechnologies
 
GSM architecture - How the cellular network works? | 1G & 2G | Arun
GSM architecture - How the cellular network works? | 1G & 2G | ArunGSM architecture - How the cellular network works? | 1G & 2G | Arun
GSM architecture - How the cellular network works? | 1G & 2G | ArunArun Murugan
 
IMS Core Elements
IMS Core ElementsIMS Core Elements
IMS Core ElementsKent Loh
 
ENUM Theory, Implementation, VoIP and Routing SolutionsGary Richenaker
ENUM Theory, Implementation, VoIP and Routing SolutionsGary RichenakerENUM Theory, Implementation, VoIP and Routing SolutionsGary Richenaker
ENUM Theory, Implementation, VoIP and Routing SolutionsGary Richenakerenumplatform
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnelArunKumar Subbiah
 
Simjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilitySimjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilityPositiveTechnologies
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdfAbubakar416712
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...Siddharth Rao
 
Sip architecture
Sip architectureSip architecture
Sip architectureRaghunath M D
 
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Siddharth Rao
 
Advanced: 5G NR RRC Inactive State
Advanced: 5G NR RRC Inactive StateAdvanced: 5G NR RRC Inactive State
Advanced: 5G NR RRC Inactive State3G4G
 
Computaris SS7 Firewall
Computaris SS7 FirewallComputaris SS7 Firewall
Computaris SS7 FirewallComputaris
 
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSPY24
 

Mais conteúdo relacionado

Mais procurados

Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisP1Security
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondPositiveTechnologies
 
SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.3G4G
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li Inmhaviv
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityP1Security
 
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI GatewayMatrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI GatewayMatrix Comsec
 
Creating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyCreating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyPositiveTechnologies
 
GSM architecture - How the cellular network works? | 1G & 2G | Arun
GSM architecture - How the cellular network works? | 1G & 2G | ArunGSM architecture - How the cellular network works? | 1G & 2G | Arun
GSM architecture - How the cellular network works? | 1G & 2G | ArunArun Murugan
 
IMS Core Elements
IMS Core ElementsIMS Core Elements
IMS Core ElementsKent Loh
 
ENUM Theory, Implementation, VoIP and Routing SolutionsGary Richenaker
ENUM Theory, Implementation, VoIP and Routing SolutionsGary RichenakerENUM Theory, Implementation, VoIP and Routing SolutionsGary Richenaker
ENUM Theory, Implementation, VoIP and Routing SolutionsGary Richenakerenumplatform
 
Simjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilitySimjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilityPositiveTechnologies
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdfAbubakar416712
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...Siddharth Rao
 
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Siddharth Rao
 
Advanced: 5G NR RRC Inactive State
Advanced: 5G NR RRC Inactive StateAdvanced: 5G NR RRC Inactive State
Advanced: 5G NR RRC Inactive State3G4G
 

Mais procurados (20)

Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
 
SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest link
 
SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li In
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
 
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI GatewayMatrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
 
Creating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyCreating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case study
 
GSM architecture - How the cellular network works? | 1G & 2G | Arun
GSM architecture - How the cellular network works? | 1G & 2G | ArunGSM architecture - How the cellular network works? | 1G & 2G | Arun
GSM architecture - How the cellular network works? | 1G & 2G | Arun
 
IMS Core Elements
IMS Core ElementsIMS Core Elements
IMS Core Elements
 
ENUM Theory, Implementation, VoIP and Routing SolutionsGary Richenaker
ENUM Theory, Implementation, VoIP and Routing SolutionsGary RichenakerENUM Theory, Implementation, VoIP and Routing SolutionsGary Richenaker
ENUM Theory, Implementation, VoIP and Routing SolutionsGary Richenaker
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnel
 
Simjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilitySimjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerability
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...
 
Sip architecture
Sip architectureSip architecture
Sip architecture
 
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
 
Advanced: 5G NR RRC Inactive State
Advanced: 5G NR RRC Inactive StateAdvanced: 5G NR RRC Inactive State
Advanced: 5G NR RRC Inactive State
 

Semelhante a Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

Computaris SS7 Firewall
Computaris SS7 FirewallComputaris SS7 Firewall
Computaris SS7 FirewallComputaris
 
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSPY24
 
Небезопасность сотовых сетей вчера, сегодня, завтра
Небезопасность сотовых сетей вчера, сегодня, завтраНебезопасность сотовых сетей вчера, сегодня, завтра
Небезопасность сотовых сетей вчера, сегодня, завтраPositive Hack Days
 
Rk 3 gsm network
Rk 3 gsm networkRk 3 gsm network
Rk 3 gsm networkAzri Randy
 
Gsm.....ppt
Gsm.....pptGsm.....ppt
Gsm.....pptbalu008
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresPositiveTechnologies
 
Signaling network vulnerabilities exposed, protection strategies for operator...
Signaling network vulnerabilities exposed, protection strategies for operator...Signaling network vulnerabilities exposed, protection strategies for operator...
Signaling network vulnerabilities exposed, protection strategies for operator...Xura
 
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowejPLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowejPROIDEA
 
Ussd call back or UCB
Ussd call back or UCBUssd call back or UCB
Ussd call back or UCBRawand Jaf
 
Fighting telecom fraud. Explaining SMS SS7 fraud
Fighting telecom fraud. Explaining SMS SS7 fraudFighting telecom fraud. Explaining SMS SS7 fraud
Fighting telecom fraud. Explaining SMS SS7 fraudMartyn Sukys
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksOmer Coskun
 
LTE Masterclass: “Signaling network vulnerabilities and protection strategies...
LTE Masterclass: “Signaling network vulnerabilities and protection strategies...LTE Masterclass: “Signaling network vulnerabilities and protection strategies...
LTE Masterclass: “Signaling network vulnerabilities and protection strategies...Xura
 

Semelhante a Mobile signaling threats and vulnerabilities - real cases and statistics from our experience (20)

Computaris SS7 Firewall
Computaris SS7 FirewallComputaris SS7 Firewall
Computaris SS7 Firewall
 
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
 
Небезопасность сотовых сетей вчера, сегодня, завтра
Небезопасность сотовых сетей вчера, сегодня, завтраНебезопасность сотовых сетей вчера, сегодня, завтра
Небезопасность сотовых сетей вчера, сегодня, завтра
 
Rk 3 gsm network
Rk 3 gsm networkRk 3 gsm network
Rk 3 gsm network
 
Rk 3 gsm network @guddu
Rk 3 gsm network @gudduRk 3 gsm network @guddu
Rk 3 gsm network @guddu
 
GSM Network
GSM NetworkGSM Network
GSM Network
 
Gsm.....ppt
Gsm.....pptGsm.....ppt
Gsm.....ppt
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasures
 
Signaling network vulnerabilities exposed, protection strategies for operator...
Signaling network vulnerabilities exposed, protection strategies for operator...Signaling network vulnerabilities exposed, protection strategies for operator...
Signaling network vulnerabilities exposed, protection strategies for operator...
 
Gsm
GsmGsm
Gsm
 
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowejPLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
 
Ussd call back or UCB
Ussd call back or UCBUssd call back or UCB
Ussd call back or UCB
 
ppt of gsm network
ppt of gsm networkppt of gsm network
ppt of gsm network
 
Fighting telecom fraud. Explaining SMS SS7 fraud
Fighting telecom fraud. Explaining SMS SS7 fraudFighting telecom fraud. Explaining SMS SS7 fraud
Fighting telecom fraud. Explaining SMS SS7 fraud
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
 
report
reportreport
report
 
Gsm1
Gsm1Gsm1
Gsm1
 
LTE Masterclass: “Signaling network vulnerabilities and protection strategies...
LTE Masterclass: “Signaling network vulnerabilities and protection strategies...LTE Masterclass: “Signaling network vulnerabilities and protection strategies...
LTE Masterclass: “Signaling network vulnerabilities and protection strategies...
 
Introduction to GSM
Introduction to GSMIntroduction to GSM
Introduction to GSM
 
GSM
GSMGSM
GSM
 

Mais de DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFADefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationDefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money downDefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareDefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 

Mais de DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

Último

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Último (20)

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

  • 1. Kirill Puzankov Mobile signaling threats and vulnerabilities - real cases from our experience
  • 2. Signaling System 7 (SS7) is the control plane that is used for exchanging data between network devices in telecommunications networks Call control functions: establish and release Subscriber mobility management: roaming possibilities, location- based services, seamless calls for moving subscribers Short message service Supplementary service control: call forwarding, call waiting, call hold SS7 introduces: Signaling System 7
  • 3. History of Signaling Security The state of signaling security has not changed for almost 40 years Trusted ecosystem SS7 network developed. Trusted environment. No security mechanisms in the protocol stack No security Scope grows SIGTRAN (SS7 over IP) introduced. Number of operators grows. Security is still missing Huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security Not trusted anymore Growing number of SS7 interconnections, increasing amount of SS7 traffic. No security policies or restrictions 1980 2018 2000 Innovations of TODAY rely on OBSOLETE technologies from YESTERDAY
  • 4. Why SS7 is not secure SIGTRAN SIGTRAN IWF/DEA Diameter LTE Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world
  • 5. Governments and global organizations worried by SS7 security
  • 6. Mobile operators and SS7 security Security assessment SS7 firewall Security monitoringSMS Home Routing Security configuration
  • 7. Research and publications 2014 – Signaling System 7 (SS7) security report 2014 – Vulnerabilities of mobile Internet (GPRS) 2016 – Primary security threats for SS7 cellular networks 2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities) 2017 – Threats to packet core security of 4G network 2018 – SS7 vulnerabilities and attack exposure report 2018 – Diameter vulnerabilities exposure report
  • 8. SS7 Security Audit. Common Facts and Figures • Subscribers could be geotracked on 75% of analyzed networks • Incoming SMS messages could be intercepted in 90% of cases • Voice calls could be intercepted in 53% of cases Threat 2015 2016 2017 Subscriber information disclosure 100% 100% 100% Network information disclosure 100% 92% 63% Subscriber traffic interception 100% 100% 89% Fraud 100% 85% 78% Denial of service 100% 100% 100%
  • 9. SS7 vs Diameter comparison 4G networks are nearly equally vulnerable
  • 10. Signaling Monitoring. Common Facts and Figures Almost 99% of attacks are connected with disclosing confidential subscriber data
  • 11. Network vulnerability statistics: SMS Home Routing 67% of installed SMS Home Routing systems have been bypassed Possibility of exploitation of some threats in networks with SMS Home Routing installed is greater than in networks without protection
  • 12. Network vulnerability statistics: SS7 firewall Penetration level of SS7 firewalls on mobile networks: 2015 — 0% 2016 — 7% 2017 — 33% Filtering system alone cannot protect the network thoroughly
  • 13. Basic nodes and identifiers HLR — Home Location Register MSC/VLR — Mobile Switching Center and Visited Location Register SMS-C — SMS Centre MSISDN — Mobile Subscriber Integrated Services Digital Number IMSI — International Mobile Subscriber Identity STP — Signaling Transfer Point GT — Global Title, address of a core node element
  • 14. IMSI An IMSI identifier, by itself, is not valuable to an intruder But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as:  Location tracking  Service disturbance  SMS interception  Voice call eavesdropping The IMSI is considered personal data as per GDPR.
  • 15. SS7 messages for IMSI retrieval SendRoutingInfo SendIMSI SendRoutingInfoForLCS SendRoutingInfoForSM Should be blocked on the network border May be blocked on the HLR – SMS Home Routing as a protection tool
  • 17. SMS delivery with no SMS Home Routing in place STP MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • IMSI • MSC Address 2. SRI4SM Response • IMSI • MSC Address 3. MT-SMS • IMSI • SMS Text 3. MT-SMS • IMSI • SMS Text SRI4SM — SendRoutingInfoForSM HLR SMS-C
  • 18. SRI4SM abuse by a malefactor STP MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • IMSI • MSC Address 2. SRI4SM Response • IMSI • MSC Address HLR
  • 19. SMS Router SMS Home Routing STP HLR MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 3. MT-SMS • Fake IMSI • SMS Text 3. MT-SMS • Fake IMSI • SMS Text 4. SRI4SM Request • MSISDN 6. MT-SMS • Real IMSI • SMS Text SMS-C 5. SRI4SM Response • Real IMSI • MSC Address 2. SRI4SM Response • Fake IMSI • SMS-R Address 2. SRI4SM Response • Fake IMSI • SMS-R Address
  • 20. SMS Router SMS Home Routing against malefactors STP HLR MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • Fake IMSI • SMS-R Address 2. SRI4SM Response • Fake IMSI • SMS-R Address
  • 21. Numbering plans Country Code (Romania) Network Destination Code Mobile Country Code (Romania) Mobile Network Code Operator HLRRule of GT Translation E.164 MSISDN and GT 40 700 1231237 E.212 IMSI 226 99 4564567894 E.214 Mobile GT 40 700 4564567894
  • 22. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router
  • 23. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx SMS Router
  • 24. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
  • 25. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
  • 27. SMS Home Routing bypass attack STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP HLR 1 HLR 2 1. SRI4SM Request • E.214 / Random IMSI • MSISDN 2. SRI4SM Request • E.214 / Random IMSI • MSISDN 3. SRI4SM Response • IMSI • MSC address The malefactor needs to guess any IMSI from a HLR serving the target subscriber SMS Router is aside SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
  • 28. Another way to bypass the Home Router
  • 29. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN STP
  • 30. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP
  • 31. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP 3. SRI4SM Response: Fake IMSI, SMS-R address
  • 32. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP 3. SRI4SM Response: Fake IMSI, SMS-R address Different IMSIs mean SMS Home Routing procedure is involved
  • 33. TCAP Protocol TCAP Message Type Transaction IDs Dialogue Portion Component Portion Begin, Continue, End, Abort Source and/or Destination IDs Application Context Name (ACN) ACN Version Operation Code Payload Application Context Name corresponds to a respective Operation Code TCAP – Transaction Capabilities Application Part
  • 34. Application Context 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
  • 35. Application Context change 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3 0 – CCITT 4 – Identified Organization x – Unknown 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
  • 36. SMS Home Routing bypass with malformed Application Context HLR1. SRI4SM Request: MSISDN Malformed ACN 1. SRI4SM Request: MSISDN Malformed ACN STP SMS Router Malformed Application Context
  • 37. SMS Home Routing bypass with malformed Application Context HLR1. SRI4SM Request: MSISDN Malformed ACN 1. SRI4SM Request: MSISDN Malformed ACN STP 2. SRI4SM Response: IMSI, MSC 2. SRI4SM Response: IMSI, MSC SMS Router SMS Router is aside
  • 38. SMS Home Routing bypass with malformed Application Context HLR SMS Router 1. SRI4SM Request: MSISDN Malformed ACN STP 2. SRI4SM Response: IMSI, MSC Equal IMSIs means the SMS Home Routing solution is absent or not involved 1. SRI4SM Request: MSISDN Malformed ACN 2. SRI4SM Response: IMSI, MSC
  • 40. SS7 firewall: typical deployment scheme HLRSTP 1. SS7 message 3. SS7 message 2. SS7 message SS7 firewall
  • 41. SS7 messages for IMSI retrieval SendRoutingInfo SendIMSI SendRoutingInfoForLCS SendRoutingInfoForSM Should be blocked on the network border May be blocked on the HLR – SMS Home Routing as a protection tool
  • 42. SS7 firewall: typical deployment scheme HLRSTP 1. SRI Request: MSISDN SS7 firewall 2. SRI Request: MSISDN The message is blocked SRI – SendRoutingInfo
  • 43. Application Context change 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3 0 – CCITT 4 – Identified Organization x – Unknown 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
  • 44. SS7 firewall: bypass with malformed Application Context HLRSTP 1. SRI Request: MSISDN Malformed ACN SS7 firewall 2. SRI Request: MSISDN Malformed ACN Malformed Application Context
  • 45. SS7 firewall bypass with malformed Application Context HLRSTP 1. SRI Request: MSISDN Malformed ACN 2. SRI Request: MSISDN Malformed ACN 3. SRI Response: IMSI, …3. SRI Response: IMSI, … SS7 firewall is aside SS7 firewall
  • 47. SMS delivery HLR MSC 2SMS-CMSC 1 1. Mo-ForwardSM: A-Num, B-Num 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast5. ReturnResultLast
  • 48. SMS spam through SS7 HLR 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast5. ReturnResultLast SMS-C MSC 2MSC 1
  • 49. TCAP handshake as a protection measure HLR 1. TCAP Begin: ACN = MoSMRelay 4. SRI4SM: B-Num 5. SRI4SM: IMSI, MSC2 2. TCAP Continue 3. Mo-ForwardSM: A-Num, B-Num 9. ReturnResultLast 6. TCAP Begin: ACN = MtSMRelay 7. TCAP Continue 8. Mt-ForwardSM:A-Num, IMSI 9. ReturnResultLast SMS-C MSC 2MSC 1
  • 50. Location retrieval for intelligent network services HLR1. AnyTimeInterrogation: MSISDN 4. AnyTimeInterrogation: CellID 2. ProvideSubscriberInfo: IMSI 3. ProvideSubscriberInfo: CellID MSC/VLRIN AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive identity of a serving cell in order to perform a location-based service. This message is allowed for internal operations only. It should be prohibited in external connections.
  • 51. Blocking an illegitimate location request HLRSTP 1. AnyTimeInterrogation: MSISDN The message is blocked SS7 firewall 2. AnyTimeInterrogation: MSISDN
  • 52. TCAP handshake exploit Is it possible to encapsulate a malformed location request into the protection mechanism and receive result?
  • 53. SS7 firewall: bypass within a TCAP handshake HLRSTP1. TCAP Begin: ACN = AnyTimeInfoEnquiry The AnyTimeInfoEnquiry is used in an AnyTimeInterrogation operation that responds with the serving Cell identity, which provides subscriber location to within ~100 meters SS7 firewall MSC/VLR
  • 54. SS7 firewall: bypass within a TCAP handshake The incoming signaling message does not contain an operation code, so the STP does not send it to the SS7 firewall for inspection HLRSTP1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
  • 55. SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
  • 56. SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 2. TCAP Continue The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of normal TCAP Begin message. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
  • 57. SS7 firewall: bypass within a TCAP handshake HLRSTP 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of normal TCAP Begin message. The STP routes this message to the node that is involved into the initial transaction. 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry SS7 firewall MSC/VLR
  • 58. SS7 firewall: bypass within a TCAP handshake HLR1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue SS7 firewall MSC/VLR 4. ProvideSubscriberInfo Cell IDIMSI
  • 59. SS7 firewall: bypass within a TCAP handshake SS7 firewall is aside HLR1. TCAP Begin: ACN = AnyTimeInfoEnquiry STP 2. TCAP Continue 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 5. AnyTimeinterrogation: Cell ID TCAP End 5. AnyTimeInterrogation: Cell ID TCAP End 4. ProvideSubscriberInfo Cell IDIMSI 3. AnyTimeInterrogation: MSISDN TCAP Continue 3. AnyTimeInterrogation: MSISDN TCAP Continue SS7 firewall MSC/VLR
  • 61. Things to remember 1. Deploying security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed. 2. Test the network. Penetration testing is a good practice to discover a lot of vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them. 3. Know the perimeter. Continuous security monitoring enables a mobile operator to know which vulnerabilities are exploited and, therefore, protect the network.
  • 62. Thank you! ptsecurity.com Kirill Puzankov kpuzankov@ptsecurity.com