Posted Tuesday, October 20th, 2015 by Brendan Cleary
Wow, SS7 has been in the network controlling wire-line and wireless calls since the mid 1980s, and only now are we talking about its vulnerabilities. A lot of people think we should focus only on the evolution to LTE/EPC Diameter-based networks; however, the legacy SS7-based networks still serve the vast majority of wireless subscribers. Current indications are that SS7 will be around for quite some time, and as such any vulnerabilities should be addressed immediately. Before we can address these threats we must first understand them and how they are even possible given the longevity of the network and protocol. The discussion in this post is limited to threats directed at subscribers. Threats against network elements themselves, such as denial of service against Mobile Switching Centers, will be discussed in subsequent posts.
In this discussion I will group these 8 threats into 4 broad categories so the impact to the subscriber and ultimately the network operator can be easily determined. These categories are:
This post is merely an overview of these eight threats. During the research for this post and the associated eBook “SS7 Vulnerabilities” I quickly found my mind wandering: I was able to take these threats, extend them, and with the knowledge gained come up with many more.
Note: In my experience with the SS7 protocol and network, I have never seen access to the network, technical protocol and network information, and protocol message generation capabilities as easy and inexpensive to obtain as they are today.
The information gained from the threats in this category opens the door to the remaining threats discussed in this post. Additionally, this information can be used by the attacker directly or sold on the open market as a source of revenue. There are two types of information gained in this category: the International Mobile Subscriber Identity (IMSI) and the location of the subscriber, whether at home or roaming.
The IMSI uniquely identifies a subscriber within the mobile network. Because knowledge of the IMSI leads to other threats, it is not normally transmitted over the air interface; a randomized Temporary Mobile Subscriber Identity (TMSI) is used over the air instead. However, if an attacker can capture the TMSI over the air interface and has access to the SS7 network, all they have to do is use the SS7 protocol and ask the network which IMSI is associated with that TMSI. Enough said about the TMSI and the air interface; we are going to focus on the SS7 protocol and messaging for this discussion. An attacker can use the SS7 Mobile Application Part (MAP) and its normal procedure for delivering a text message to obtain the IMSI: before an SMS is delivered, the SMSC sends a Send Routing Info for SM (SRI-SM) request to the subscriber's home HLR, and the HLR answers with the IMSI and the address of the MSC currently serving the subscriber. Anyone who can send that request gets the same answer. Once the attacker knows the IMSI, its format tells them the subscriber's home country and home mobile network operator, because the IMSI begins with the Mobile Country Code (MCC) followed by the Mobile Network Code (MNC). All the attacker needs is the telephone number (MSISDN) of the target subscriber, access to the SS7 network, and a little knowledge about the target subscriber's home SS7 network, all of which are readily available.
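The request and answer described above are carried in MAP as Telephony BCD (TBCD) digit strings. The following is an added example, not code from the original post, showing how the MSISDN in the attacker's SRI-SM request and the IMSI and serving-MSC address in the HLR's reply are encoded, and how the IMSI prefix gives away the home country and operator. The MNC-length table and all sample numbers are constructed assumptions for illustration.

```python
"""TBCD encoding of MAP address parameters (added example).

MAP (3GPP TS 29.002) carries MSISDNs as ISDN-AddressString (one header octet
followed by TBCD digits) and IMSIs as a bare TBCD-STRING. TBCD packs two
digits per octet, low nibble first, and pads an odd digit count with 0xF.
"""

# Header octet of an ISDN-AddressString: extension bit set, nature of address
# "international" (001) and numbering plan "ISDN/E.164" (0001).
INTERNATIONAL_E164 = 0x91

# Length of the MNC for a given MCC. Constructed, partial table (assumption);
# real tooling needs the full ITU-T E.212 list. Default below is 2 digits.
MNC_LENGTH_BY_MCC = {"310": 3, "311": 3, "262": 2, "234": 2, "208": 2}


def tbcd_encode(digits: str) -> bytes:
    """Pack a digit string as TBCD: two digits per octet, low nibble first."""
    if not digits.isdigit():
        raise ValueError("TBCD digits must be 0-9")
    nibbles = [int(d) for d in digits]
    if len(nibbles) % 2:
        nibbles.append(0xF)  # filler nibble for an odd digit count
    return bytes(lo | (hi << 4) for lo, hi in zip(nibbles[0::2], nibbles[1::2]))


def tbcd_decode(data: bytes) -> str:
    """Unpack TBCD octets into a digit string, dropping the 0xF filler."""
    out = []
    for octet in data:
        for nibble in (octet & 0x0F, octet >> 4):
            if nibble == 0xF:
                break
            out.append(str(nibble))
    return "".join(out)


def encode_isdn_address(msisdn: str) -> bytes:
    """MSISDN as a MAP ISDN-AddressString with international E.164 digits."""
    return bytes([INTERNATIONAL_E164]) + tbcd_encode(msisdn)


def decode_isdn_address(data: bytes) -> str:
    header, digits = data[0], data[1:]
    if header & 0x70 != 0x10:  # nature-of-address bits 7..5 must be 001
        raise ValueError("only international numbers are handled here")
    return tbcd_decode(digits)


def parse_imsi(imsi: str) -> dict:
    """Split an IMSI into MCC, MNC and MSIN. The MCC/MNC prefix is what tells
    the attacker the subscriber's home country and operator."""
    if not (6 <= len(imsi) <= 15) or not imsi.isdigit():
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    mnc_len = MNC_LENGTH_BY_MCC.get(mcc, 2)
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def read_sri_sm_result(imsi_param: bytes, network_node_number: bytes) -> dict:
    """Interpret the two parameters an HLR returns in a SendRoutingInfoForSM
    result: the subscriber's IMSI and the serving MSC address (the
    networkNode-Number inside locationInfoWithLMSI, an ISDN-AddressString)."""
    imsi = tbcd_decode(imsi_param)
    info = parse_imsi(imsi)
    info["imsi"] = imsi
    info["serving_msc"] = decode_isdn_address(network_node_number)
    return info


if __name__ == "__main__":
    # Constructed sample: the attacker asks about +44 7700 900123 ...
    print(encode_isdn_address("447700900123").hex())
    # ... and the HLR answers with IMSI 310260123456789 served by +1 212 555 0100
    print(read_sri_sm_result(bytes.fromhex("13200621436587f9"),
                             bytes.fromhex("912121550501f0")))
```

Feed the two result parameters from a captured SRI-SM response into `read_sri_sm_result` and the output is exactly what the attacker walks away with from this first step: the IMSI, the home MCC/MNC, and the global title of the MSC to aim the next messages at.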
There are at least two SS7 methods for determining a subscriber's location within the global mobile network. The first uses a message and procedure known as Any Time Interrogation (ATI), which returns the subscriber's location parameters; however, a large number of network operators have stopped their equipment from responding to ATI messages arriving from outside their own network. In the second procedure the attacker poses as a fake Home Location Register and uses the normal MAP Provide Subscriber Info (PSI) messages and procedure towards the MSC/VLR serving the subscriber (the same MSC address the IMSI step above revealed). The information returned yields the Cell ID, the Mobile Country Code (MCC), the Mobile Network Code (MNC) and the Location Area Code (LAC), together known as the Cell Global Identity, all describing the target subscriber's current location.
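What the fake HLR receives back from PSI is a packed 7-octet Cell Global Identity, so the attacker still has to unpack it before the cell can be looked up. The following is an added example, not part of the original post, implementing that decoding and its inverse from the field layout in 3GPP TS 24.008 (MCC/MNC nibbles, then LAC, then Cell Identity, each big-endian); the sample octets are constructed.

```python
"""Cell Global Identity as returned in a MAP ProvideSubscriberInfo result
(added example). Layout of the 7-octet fixed-length field:
  octet 1: MCC digit 2 (high nibble) | MCC digit 1 (low nibble)
  octet 2: MNC digit 3               | MCC digit 3   (MNC digit 3 is 0xF for 2-digit MNCs)
  octet 3: MNC digit 2               | MNC digit 1
  octets 4-5: Location Area Code, big-endian
  octets 6-7: Cell Identity, big-endian
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CellGlobalId:
    mcc: str
    mnc: str
    lac: int
    cell_id: int


def _digit(nibble: int) -> str:
    if nibble > 9:
        raise ValueError(f"invalid BCD digit nibble 0x{nibble:X}")
    return str(nibble)


def decode_cgi(data: bytes) -> CellGlobalId:
    """Unpack the 7-octet CGI; raises on malformed digits or wrong length."""
    if len(data) != 7:
        raise ValueError("CGI fixed-length field is 7 octets")
    o1, o2, o3 = data[0], data[1], data[2]
    mcc = _digit(o1 & 0xF) + _digit(o1 >> 4) + _digit(o2 & 0xF)
    mnc = _digit(o3 & 0xF) + _digit(o3 >> 4)
    mnc_digit3 = o2 >> 4
    if mnc_digit3 != 0xF:          # three-digit MNC (common in North America)
        mnc += _digit(mnc_digit3)
    lac = int.from_bytes(data[3:5], "big")
    cell_id = int.from_bytes(data[5:7], "big")
    return CellGlobalId(mcc, mnc, lac, cell_id)


def encode_cgi(cgi: CellGlobalId) -> bytes:
    """Inverse of decode_cgi, useful for building test messages."""
    m = [int(d) for d in cgi.mcc]
    n = [int(d) for d in cgi.mnc]
    if len(m) != 3 or len(n) not in (2, 3):
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    n3 = n[2] if len(n) == 3 else 0xF
    head = bytes([m[0] | (m[1] << 4), m[2] | (n3 << 4), n[0] | (n[1] << 4)])
    return head + cgi.lac.to_bytes(2, "big") + cgi.cell_id.to_bytes(2, "big")


def describe_location(cgi_octets: bytes, age_of_location_minutes: int) -> dict:
    """Combine the CGI with the ageOfLocationInformation parameter that PSI
    also returns: a fix reported minutes ago may no longer be where the
    subscriber is. The 15-minute freshness limit is an arbitrary assumption."""
    cgi = decode_cgi(cgi_octets)
    return {
        "plmn": cgi.mcc + cgi.mnc,
        "lac": cgi.lac,
        "cell_id": cgi.cell_id,
        "age_minutes": age_of_location_minutes,
        "fresh": age_of_location_minutes <= 15,
    }


if __name__ == "__main__":
    # Constructed sample: German PLMN 262-01, LAC 0x1234, cell 0x5678, seen 3 min ago
    print(describe_location(bytes.fromhex("62f21012345678"), 3))
```

The `age_minutes` field is worth keeping in any tooling built around this: a VLR answers PSI from its cache unless paging is requested, so the cell it reports can be stale, and an analyst reviewing a suspected location-tracking incident should treat the age the same way the attacker would.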
There are three vulnerabilities in this category that allow an intruder to listen to or record a subscriber's conversation on incoming or outgoing calls, or to intercept and/or modify incoming text messages to a target subscriber. Each of these attacks can be performed without the knowledge of the target subscriber. The initial information required by the intruder is the mobile telephone number of the target subscriber, some knowledge of the target subscriber's home network, and access to an SS7 network. The remaining information can be obtained from the network using that initial information. The attacker can also be located anywhere in the world; they do not have to be part of the target subscriber's network.
This is a multi-stage attack in which the attacker poses as different mobile network elements at each stage. It uses the CAMEL Application Part (CAP), the protocol behind Customized Applications for Mobile networks Enhanced Logic, which lets network operators define services over and above the standard Global System for Mobile communications (GSM) and Universal Mobile Telecommunication System (UMTS) services. CAMEL is based on the SS7 Intelligent Network (IN) architecture used in wire-line networks, and its service logic is allowed to redirect a call in progress to a different destination; that is precisely the capability abused here. The intruder has the outgoing call routed to their bridging/monitoring/recording system, then places a second call leg to the originally called party and bridges the two legs together, with the intruder sitting as the “Man in the Middle”.
This threat uses the SS7 MAP messaging and procedures behind the everyday call forwarding feature; the difference is that the forwarding is activated at the SS7 level without the target subscriber's knowledge. Like the one described in “Intercepting and monitoring an outgoing call”, this is a multi-stage attack, and it uses the same bridging/monitoring/recording system to bridge two calls together. The intruder forwards the target subscriber's incoming calls (at the SS7 MAP message level) to their bridging/monitoring/recording system. When a call arrives, the intruder cancels the forwarding (again at the SS7 MAP message level) and places a second call leg to the target subscriber, the originally called party. The intruder then bridges the two legs together with their bridging/monitoring/recording system, all without the knowledge of either party on the call.
The premise of this attack is that the intruder poses as an MSC/VLR and sends a MAP Update Location (UL) request directly to the subscriber's HLR. Once the procedure completes, the HLR believes the intruder's fake MSC is serving the subscriber, so when an SMSC asks the HLR where to deliver a text message the answer points at the intruder, and the SMS messages are delivered there instead of to the subscriber. This attack can be used to capture passwords and password-reset codes sent by SMS, and once the passwords are reset the intruder has carte blanche to the target subscriber's accounts.
Unstructured Supplementary Service Data (USSD) is currently used for mobile prepaid, online banking and other financially sensitive applications. Fraud linked to USSD can cause severe financial impact to subscribers, network operators, financial institutions and many others. In this multi-stage attack the intruder first poses as a Short Message Service Center (SMSC) to obtain the Global Title (GT) address of the target subscriber's Home Location Register (HLR), the IMSI of the target subscriber and the address of the current serving Mobile Switching Center (MSC). In the next stage the intruder poses as that MSC acting on behalf of the target subscriber and requests the subscriber's current account balance. After receiving the account information the intruder, still posing as the MSC acting on behalf of the subscriber, requests a transfer of funds from the target subscriber's account to the intruder's account. Normally an SMS message is sent to the subscriber confirming the transfer; however, if this attack is coupled with “Vulnerability 5. Intercepting a subscriber's SMS (Text) Messages” the confirmation never reaches the target subscriber.
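The balance query and transfer requests in this attack are ordinary USSD strings (the kind a subscriber dials, such as *100#) carried in a MAP ProcessUnstructuredSS-Request whose ussd-String parameter is packed in the GSM 7-bit default alphabet (3GPP TS 23.038) with data coding scheme 0x0F. The following is an added example, not from the original post, implementing that packing and unpacking so the strings in a captured request can be read; the sample USSD codes are constructed and carry no real operator meaning.

```python
"""GSM 7-bit packing of the ussd-String parameter (added example).

Characters are mapped to 7-bit septets of the default alphabet and packed
LSB-first into octets. USSD has one extra rule (TS 23.038 section 6.1.2.3):
when the septet count is 8n-1 the 7 spare bits would decode as '@', so a
carriage return is appended as padding and stripped again on receipt.
"""

GSM7_DEFAULT_ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
CR = 0x0D
USSD_DCS_GSM7_UNSPECIFIED_LANGUAGE = 0x0F


def pack_gsm7(text: str) -> bytes:
    septets = [GSM7_DEFAULT_ALPHABET.index(ch) for ch in text]  # ValueError if not in alphabet
    if len(septets) % 8 == 7:
        septets.append(CR)  # avoid 7 zero pad bits being read as '@'
    out, acc, nbits = bytearray(), 0, 0
    for s in septets:
        acc |= s << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_gsm7(data: bytes) -> str:
    acc = int.from_bytes(data, "little")
    count = len(data) * 8 // 7
    septets = [(acc >> (7 * i)) & 0x7F for i in range(count)]
    if septets and len(septets) % 8 == 0 and septets[-1] == CR:
        septets.pop()  # strip the USSD padding <CR>
    return "".join(GSM7_DEFAULT_ALPHABET[s] for s in septets)


def build_ussd_string(text: str) -> tuple:
    """Return (ussd-DataCodingScheme, ussd-String) for a ProcessUnstructuredSS-Request."""
    return USSD_DCS_GSM7_UNSPECIFIED_LANGUAGE, pack_gsm7(text)


def parse_ussd_string(dcs: int, data: bytes) -> str:
    """Decode a captured ussd-String; only the 7-bit coding is handled here."""
    if dcs != USSD_DCS_GSM7_UNSPECIFIED_LANGUAGE:
        raise ValueError(f"unsupported USSD data coding scheme 0x{dcs:02X}")
    return unpack_gsm7(data)


if __name__ == "__main__":
    dcs, packed = build_ussd_string("*100#")          # constructed balance-check code
    print(hex(dcs), packed.hex())                      # 0xf aa180c3602
    print(parse_ussd_string(dcs, packed))
```

A detection rule that wants to catch the transfer stage of this attack has to decode the string first: the money-moving code and the balance-check code differ only in a few septets, and both arrive in the same ProcessUnstructuredSS-Request operation.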
The two vulnerabilities described in this section can be used to interrupt service to any subscriber, or to activate or change billing and thereby enable fraudulent calls from the mobile station. Either scenario can cause a significant financial impact on the mobile network operator: one through pure fraud, the other through subscriber churn caused by a perceived lack of service.
In this attack the intruder poses as an MSC/VLR and sends a MAP Update Location (UL) request directly to the subscriber's HLR. Once the Update Location procedure completes, the HLR treats the intruder's fake MSC as the subscriber's serving switch, and the subscriber will not receive incoming messages or calls until they move to an area served by a different MSC/VLR, reboot the phone, or place an outgoing call. This procedure is part of normal mobility management when a subscriber moves into an area served by a different MSC; the intruder simply spoofs the network into believing that they are the new MSC.
Any time an intruder has the subscriber identity (MSISDN, IMSI), the address of the serving MSC/VLR and the format of the subscriber profile, they can alter billing and routing, allowing:
In this attack, the intruder poses as an HLR and sends a fraudulent subscriber profile (the MAP Insert Subscriber Data message that an HLR normally uses to provision a VLR) to the serving MSC/VLR, invoking whatever services the intruder desires. These services can include:
As you can see from the examples in this post, vulnerabilities and fraud within the SS7 protocol and network are a very serious issue. Some might say, “Let's change the protocol and network”, but that cannot happen for the many reasons discussed. The solution to these protocol and network issues is to place a signaling security firewall into the network. This firewall should include the policies required to address the currently defined threats and be easily modified to address future threats as they are found. Because many of the attacking messages are legitimate MAP operations that roaming partners also send, the policies must be able to judge who is sending a message and whether it is plausible for that subscriber, not merely which operation it is. In order to accomplish this the SS7 signaling firewall should have real-time monitoring capabilities to help detect both the defined threats and future ones.
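To make the firewall idea concrete, here is an added example written for this post (not any vendor's product or the GSMA's own ruleset) of three policies such a firewall would apply to MAP messages arriving on the interconnect: drop Any Time Interrogation from outside the network, answer Provide Subscriber Info only for an inbound roamer's own home network, and subject Update Location to a velocity check that catches the fake-MSC registrations behind the SMS-interception and denial-of-service attacks above. The operation codes are from 3GPP TS 29.002; the own-network prefixes, the country table with rough centroids, and the 1000 km/h threshold are constructed assumptions.

```python
"""Illustrative SS7 signaling-firewall policy (added example)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Optional, Tuple

# MAP operation codes (3GPP TS 29.002).
OP_UPDATE_LOCATION = 2
OP_SRI_FOR_SM = 45
OP_PROVIDE_SUBSCRIBER_INFO = 70
OP_ANY_TIME_INTERROGATION = 71

# Assumed identity of "our" network: a UK operator with MCC 234, MNC 15.
OWN_PLMN = "23415"
OWN_GT_PREFIXES = ("4477009",)
# E.164 country code prefix of a GT -> (MCC, approximate centroid lat, lon).
# Constructed and partial; a real deployment uses the roaming partners' GT ranges.
COUNTRY_BY_CC = {
    "44": ("234", 54.0, -2.0),
    "49": ("262", 51.0, 10.0),
    "1": ("310", 39.0, -98.0),
}
MAX_SPEED_KMH = 1000.0  # faster than this between two registrations is not travel


@dataclass
class MapMessage:
    opcode: int
    calling_gt: str                      # SCCP calling party global title
    imsi: Optional[str] = None
    vlr_number: Optional[str] = None     # UpdateLocation: the VLR the sender claims to be


@dataclass
class LastSeen:
    country_cc: str
    at: float                            # seconds since epoch


def country_of_gt(gt: str) -> Optional[str]:
    matches = [cc for cc in COUNTRY_BY_CC if gt.startswith(cc)]
    return max(matches, key=len) if matches else None


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class SignalingFirewall:
    def __init__(self, last_seen: Dict[str, LastSeen]):
        self.last_seen = last_seen       # per-IMSI last accepted registration

    def decide(self, msg: MapMessage, now: float) -> Tuple[str, str]:
        from_own = msg.calling_gt.startswith(OWN_GT_PREFIXES)
        if msg.opcode == OP_ANY_TIME_INTERROGATION:
            return ("ALLOW", "ATI from own network") if from_own else ("BLOCK", "ATI from interconnect")
        if msg.opcode == OP_PROVIDE_SUBSCRIBER_INFO:
            return self._check_psi(msg, from_own)
        if msg.opcode == OP_UPDATE_LOCATION:
            return self._check_update_location(msg, now)
        return ("ALLOW", "no rule for this operation")

    def _check_psi(self, msg: MapMessage, from_own: bool) -> Tuple[str, str]:
        if from_own:
            return ("ALLOW", "PSI from own HLR")
        if msg.imsi is None:
            return ("BLOCK", "PSI without IMSI")
        if msg.imsi.startswith(OWN_PLMN):
            return ("BLOCK", "foreign node asking about our own subscriber")
        cc = country_of_gt(msg.calling_gt)
        if cc is None or COUNTRY_BY_CC[cc][0] != msg.imsi[:3]:
            return ("BLOCK", "PSI sender is not in the subscriber's home country")
        return ("ALLOW", "PSI from inbound roamer's home network")

    def _check_update_location(self, msg: MapMessage, now: float) -> Tuple[str, str]:
        if msg.imsi is None or msg.vlr_number is None:
            return ("BLOCK", "UL missing IMSI or VLR number")
        cc = country_of_gt(msg.calling_gt)
        if cc is None or country_of_gt(msg.vlr_number) != cc:
            return ("BLOCK", "claimed VLR number does not match sending GT")
        prev = self.last_seen.get(msg.imsi)
        if prev and prev.country_cc != cc:
            hours = (now - prev.at) / 3600.0
            _, lat1, lon1 = COUNTRY_BY_CC[prev.country_cc]
            _, lat2, lon2 = COUNTRY_BY_CC[cc]
            km = haversine_km(lat1, lon1, lat2, lon2)
            if hours <= 0 or km / hours > MAX_SPEED_KMH:
                return ("BLOCK", f"implausible velocity: {km:.0f} km in {hours:.2f} h")
        self.last_seen[msg.imsi] = LastSeen(cc, now)
        return ("ALLOW", "location update plausible")


if __name__ == "__main__":
    fw = SignalingFirewall({"234150000000001": LastSeen("44", 0.0)})
    fake_vlr = MapMessage(OP_UPDATE_LOCATION, "491700000001", "234150000000001", "491700000001")
    print(fw.decide(fake_vlr, now=600.0))     # ten minutes after being seen in the UK
```

Note what this policy does not do: it lets Send Routing Info for SM through, because legitimate SMS delivery depends on it, so the IMSI leak in the first vulnerability is only partly addressed by the filter itself and still relies on the monitoring side of the firewall.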