In short, the outline is as follows. The attacker gains access to the SS7 (Signaling System No. 7) network and sends a Send Routing Info For SM (SRI4SM) service message into the network, specifying the phone number of the targeted subscriber A as a parameter. Subscriber A's home network returns the following technical information in its response: the IMSI (International Mobile Subscriber Identity) and the address of the MSC currently serving the subscriber.
Next, the attacker changes the billing system address in the subscriber's profile (in CAMEL terms, the gsmSCF address that the switch consults on every call) to the address of his own pseudo-billing system and injects the modified profile into the VLR database with an Insert Subscriber Data (ISD) message. The VLR accepts the ISD because the protocol assumes such a message can only come from the subscriber's home HLR.
When the targeted subscriber makes an outgoing call, his switch contacts the attacker's system instead of the real billing system. The attacker's system replies to the switch with an instruction to connect the call to a third-party number controlled by the attacker.
At that third-party location a conference call is set up with three participants: two of them are real (the caller A and the called party B), while the third has been introduced illegally by the attacker and is able to listen to and record the conversation.
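The exchange described above, modelled as an added example (not code from the original article): a toy home network with an HLR, a VLR profile and a CAMEL-triggered switch, and an attacker who runs the SRI4SM, ISD and call-redirection steps in order. All global titles, IMSIs and phone numbers are made up, and MAP/CAP messages are plain dicts rather than real TCAP encoding.

```python
# Added illustration of the SRI4SM -> ISD -> call-redirection chain.
# Every address, IMSI and number below is constructed; messages are dicts,
# not real MAP/CAP encoding. Not code from the original article.

# --- home network of subscriber A (constructed data) ---
HLR = {
    # MSISDN -> subscriber record
    "79991234567": {"imsi": "250991234567890", "msc": "79990000101"},
}

# VLR profile at the MSC currently serving A. The gsmSCF address is the
# CAMEL service control point the switch consults on each outgoing call;
# the article calls it the "billing system".
VLR = {
    "250991234567890": {"msisdn": "79991234567", "gsmscf": "79990000501"},
}

LEGIT_GSMSCF = "79990000501"
ATTACKER_SCP = "44700000999"      # attacker's "pseudo-billing" platform (made up)
ATTACKER_BRIDGE = "44700000777"   # attacker's conference bridge number (made up)


def sri4sm(hlr, msisdn):
    """Send Routing Info For SM: the HLR answers with IMSI and serving MSC."""
    rec = hlr[msisdn]
    return {"imsi": rec["imsi"], "msc": rec["msc"]}


def insert_subscriber_data(vlr, imsi, gsmscf):
    """ISD: the VLR overwrites the profile it holds and does not verify the sender."""
    vlr[imsi]["gsmscf"] = gsmscf
    return {"result": "ok"}


def scp_handler(address):
    """Return the service-control behaviour reachable at a gsmSCF address."""
    if address == ATTACKER_SCP:
        # Attacker's platform: answer every InitialDP with Connect to its bridge.
        return lambda idp: {"op": "Connect", "destination": ATTACKER_BRIDGE,
                            "original_called": idp["called"]}
    # Legitimate billing platform: let the call proceed as dialled.
    return lambda idp: {"op": "Continue"}


def originate_call(vlr, imsi, called):
    """MSC handling of a mobile-originated call with a CAMEL trigger."""
    profile = vlr[imsi]
    idp = {"op": "InitialDP", "calling": profile["msisdn"], "called": called}
    answer = scp_handler(profile["gsmscf"])(idp)
    if answer["op"] == "Connect":
        # The switch routes the leg to the number the SCP supplied; a bridge
        # there redials the real B number and adds a third, listening party.
        return {"leg_to": answer["destination"], "bridge_redials": called,
                "intercepted": True}
    return {"leg_to": called, "intercepted": False}


def run_attack(victim_msisdn, called):
    """The three steps from the article, in order."""
    info = sri4sm(HLR, victim_msisdn)                       # 1: learn IMSI and MSC
    insert_subscriber_data(VLR, info["imsi"], ATTACKER_SCP)  # 2: repoint gsmSCF
    return originate_call(VLR, info["imsi"], called)         # 3: victim dials B


if __name__ == "__main__":
    print("before:", originate_call(VLR, "250991234567890", "79995550000"))
    print("after: ", run_attack("79991234567", "79995550000"))
```

The point the model makes explicit is that neither the HLR (step 1) nor the VLR (step 2) has any notion of who is allowed to ask: the only thing protecting the profile is the assumption that nobody outside the operator community can send these messages.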
To the skeptics I will say straight off: as you can see, this scenario is not a fantasy and can be carried out in practice. When SS7 was designed, no defense mechanisms against such attacks were provided. It was assumed that the SS7 network itself was private enough and that an "outsider" could not get access to it. Times are changing, however, and we now see telephony technologies used with malicious intent. Unfortunately, one cannot simply switch on filtering of external SS7 messages, since it may break the availability of mobile services in roaming, and no mobile network operator wants to lose that revenue.
An operator serving a large number of subscribers always walks a fine line between information security and service availability. The problem is especially acute for mobile network operators: the range of services is broad and differs between operators, and at the same time an operator wants to serve both its own subscribers and subscribers of other networks within its network, so that subscribers do not run into limitations of mobile services when traveling abroad.
What you can do
It would be good to fix the so-called "vulnerabilities" in the SS7 protocol stack, but any expert will tell you that this is impossible. It is a classic case of "it's not a bug, it's a feature."
Instead of philosophizing about mobile network architecture, we must take action. We can do the following, for example:
- Perform a penetration test of the SS7 network.
- Set up monitoring of signaling messages at the operator's network perimeter by all available means.
- Analyze the collected information and take steps to minimize the risks.
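One way to turn the "monitor the perimeter" step into something concrete, as an added example (not code from the article or from any real probe): two detection rules run over constructed signaling records. Rule 1 flags an ISD for a home subscriber arriving from a foreign global title, since only the home HLR should ever send one; rule 2 flags the SRI4SM-then-ISD chain from the beginning of the article when both come from the same foreign node within a short window. The record format, global titles, IMSIs and the home prefixes are all assumptions of the example.

```python
# Added illustration: perimeter detection logic for the SRI4SM -> ISD chain.
# The record format, global titles, IMSIs and prefixes are constructed for
# the example; this is not the article's code nor a real probe's format.
from datetime import datetime, timedelta

HOME_GT_PREFIX = "7999"      # global titles of our own HLR/MSC/VLR (made up)
HOME_IMSI_PREFIX = "25099"   # MCC+MNC of the home network (made up)
CHAIN_WINDOW = timedelta(seconds=60)

# MSISDN -> IMSI of home subscribers; in practice fed from the HLR (constructed)
HOME_SUBS = {"79991234567": "250991234567890",
             "79991234568": "250991234568901"}

# Constructed records from an interconnect probe:
# timestamp operation origin_gt destination_gt msisdn imsi ('-' = absent)
SAMPLE_LOG = """\
2014-05-01T10:00:01 SRI4SM 44700000999 79990000001 79991234567 -
2014-05-01T10:00:02 ISD 44700000999 79990000101 - 250991234567890
2014-05-01T10:00:05 SRI4SM 31600000011 79990000001 79991234568 -
2014-05-01T10:00:06 MT-FSM 31600000011 79990000101 - 250991234568901
2014-05-01T10:01:00 ISD 79990000001 79990000101 - 250991234567890
"""


def parse(line):
    ts, op, src, dst, msisdn, imsi = line.split()
    return {"ts": datetime.fromisoformat(ts), "op": op, "src": src, "dst": dst,
            "msisdn": None if msisdn == "-" else msisdn,
            "imsi": None if imsi == "-" else imsi}


def analyse(lines):
    """Return (rule, origin_gt, imsi) alerts for the records given."""
    alerts = []
    recent_sri = {}   # (origin_gt, imsi) -> time of the last SRI4SM seen
    for rec in map(parse, lines):
        if rec["src"].startswith(HOME_GT_PREFIX):
            continue  # our own nodes talking to each other: out of scope here
        if rec["op"] == "SRI4SM" and rec["msisdn"] in HOME_SUBS:
            # SRI4SM from abroad is normal (SMS delivery); just remember it.
            recent_sri[(rec["src"], HOME_SUBS[rec["msisdn"]])] = rec["ts"]
        elif rec["op"] == "ISD" and rec["imsi"] and rec["imsi"].startswith(HOME_IMSI_PREFIX):
            # Rule 1: an ISD for one of *our* subscribers can only legitimately
            # come from our own HLR. An ISD from a foreign HLR for an inbound
            # roamer is normal, which is why the rule keys on the IMSI prefix.
            alerts.append(("isd_from_interconnect", rec["src"], rec["imsi"]))
            # Rule 2: the same foreign node looked this subscriber up with
            # SRI4SM moments ago: the exact chain the article describes.
            seen = recent_sri.get((rec["src"], rec["imsi"]))
            if seen is not None and rec["ts"] - seen <= CHAIN_WINDOW:
                alerts.append(("sri4sm_then_isd_chain", rec["src"], rec["imsi"]))
    return alerts


def analyse_sample():
    return analyse(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for alert in analyse_sample():
        print(*alert)
```

On the sample, the foreign SMSC at 31600000011 (SRI4SM followed by the SMS itself) produces no alert, the home HLR's own ISD is ignored, and the node at 44700000999 trips both rules. Rule 1 alone is a pure allow-list on the sender; rule 2 is what distinguishes a deliberate attack chain from a misconfigured partner, and it is the one worth paging on.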
Let's talk a little about the benefits of penetration tests. In an operator's network, these tests serve not only to detect vulnerabilities but also to solve operational tasks. For instance, you need to perform dozens of tests that account for the specifics of a particular network in order to find out the impact of enabling one feature or another. When testing SS7 signaling messages, we consider 10 basic types of attacks on the network and its mobile subscribers:
1. Check for disclosure of confidential technical parameters: the subscriber's IMSI, the address of the MSC where the subscriber is registered, and the address of the HLR database where the subscriber's profile is stored. An attacker can use these parameters to mount the more complex attacks below.
2. Check for disclosure of the subscriber's cell data. An attacker can determine the subscriber's location from the cell ID; in cities the location can be determined with an accuracy of about 10 meters (http://blog.ptsecurity.com/2014/04/search-and-neutralize-how-to-determine.html).
3. Check for possible violation of the subscriber's availability for incoming calls (DoS against the subscriber). In case of a successful attack, the victim no longer receives incoming calls and SMS, while the victim's phone still indicates that the network is available. The victim stays in this state until he/she makes an outgoing call, moves into the service area of another switch, or reboots the phone.
4. Check for disclosure of private SMS conversations. This attack is a consequence of attack 3. In case of a successful attack, incoming SMS messages are intercepted by the attacker's equipment, so reading them is no trouble. To prevent a subsequent delivery attempt to the real recipient, the attacker sends an SMS delivery notification to the SMS Center.
5. Check for USSD command manipulation. In case of a successful attack, the attacker is able to send USSD commands on behalf of the subscriber. The possible damage is assessed with regard to the USSD services the operator provides (e.g. whether money transfers between accounts via USSD commands are available).
6. Check for spoofing of the subscriber's profile in the VLR. In case of a successful attack, the attacker is able to use his equipment as an intelligent platform in order to extend the capabilities of voice calls and manipulate the tariffing of mobile services.
7. Check for possible redirection of outgoing calls. This attack is a continuation of attack 6. In case of a successful attack, the attacker is able to redirect outgoing calls from the victim subscriber. Additionally, this attack allows the attacker to set up an unauthorized conference call and cut into the conversation.
8. Check for possible redirection of incoming calls. In case of a successful attack, the attacker is able to redirect incoming calls to the victim subscriber. Moreover, calls to high-tariff destinations may go unbilled, or the charges may be billed to the victim subscriber.
9. Check the switch's stability and resistance to DoS attacks. In case of a successful attack, the switch no longer handles incoming calls to subscribers located in its service area.
10. Check for possible direct manipulation of billing. In case of a successful attack, the attacker is able to empty the subscriber's personal account, so that the subscriber is deprived of the ability to make calls.
How to Protect Users
Our research revealed that the overwhelming majority of attacks against SS7 networks begin with obtaining technical data about the subscriber (IMSI, MSC and HLR database addresses). These parameters can be obtained from the response to the SRI4SM message mentioned in the beginning of this article.
One of the security solutions is the SMS Home Routing procedure specified by 3GPP in 2007 (3GPP TR 23.840). It is sometimes called an SMS Firewall or SMS Filter.
An additional node that filters malicious SRI4SM messages is deployed in the operator's network. It works as follows. When an SRI4SM message arrives in the operator's network from another network, it is rerouted to the new filtering node. This node sends a well-formed response in which the MSC and HLR addresses are replaced with its own address and the real IMSI is replaced with fake data (a correlation identifier that only the filtering node can resolve). If the SRI4SM was generated by an attacker, he receives no useful data in the response and his attack is cut off at the very first step. If the SRI4SM was part of a legitimate transaction, i.e. delivery of an SMS, the originating network sends the message itself to the filtering node, which resolves the identifier and delivers the message to the recipient inside the home network.
It has been 7 years since this recommendation was issued, but as far as we can see few operators have deployed this solution. Note also that the SRI4SM message is not the only way to obtain a subscriber's IMSI, so Home Routing closes the most common path but not every path.
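The Home Routing node described above, as an added example (not the article's code and not any vendor's product): SRI4SM from a foreign global title is answered with the router's own address and an IMSI-shaped correlation identifier, while the home network's own nodes still get the real data; a later MT-ForwardSM carrying that identifier is resolved and delivered. Global titles, prefixes, IMSIs and the single-use policy for identifiers are assumptions of the example.

```python
# Added illustration of SMS Home Routing in front of the HLR.
# Addresses, IMSIs and numbers are constructed; messages are dicts.
# Not code from the original article or from any vendor product.

HOME_GT_PREFIX = "7999"         # global titles of our own nodes (made up)
HOME_IMSI_PREFIX = "25099"      # MCC+MNC of the home network (made up)
SMS_ROUTER_GT = "79990000900"   # made-up global title of the home-routing node

# home HLR: MSISDN -> real IMSI and serving MSC (constructed)
HLR = {"79991234567": {"imsi": "250991234567890", "msc": "79990000101"}}


class SmsRouter:
    """Answers SRI4SM from other networks with its own address and a
    correlation id in place of the IMSI, then resolves that id when the
    SMS itself (MT-ForwardSM) arrives."""

    def __init__(self):
        self._corr = {}   # correlation id -> real (imsi, msc)
        self._seq = 0

    def handle_sri4sm(self, origin_gt, msisdn):
        rec = HLR.get(msisdn)
        if rec is None:
            return {"error": "unknownSubscriber"}
        if origin_gt.startswith(HOME_GT_PREFIX):
            return dict(rec)            # our own SMSC still gets the real data
        # Foreign origin: hand out a 15-digit, IMSI-shaped correlation id so the
        # originating SMSC can proceed, but disclose nothing about the subscriber.
        self._seq += 1
        corr_id = HOME_IMSI_PREFIX + "9" + f"{self._seq:09d}"
        self._corr[corr_id] = (rec["imsi"], rec["msc"])
        return {"imsi": corr_id, "msc": SMS_ROUTER_GT}

    def handle_mt_forward_sm(self, origin_gt, imsi_field, text):
        # Single-use ids are a hardening choice of this example, not a 3GPP rule.
        real = self._corr.pop(imsi_field, None)
        if real is None:
            return {"error": "unknownSubscriber"}
        imsi, msc = real
        # A real node would now send MAP MT-ForwardSM towards the serving MSC.
        return {"delivered_to_msc": msc, "imsi": imsi, "text": text}


def attacker_probe(router, msisdn):
    """What an attacker on the interconnect learns from SRI4SM."""
    return router.handle_sri4sm("44700000999", msisdn)


def legit_sms(router, msisdn, text):
    """A foreign SMSC delivering an SMS: SRI4SM, then MT-ForwardSM."""
    routing = router.handle_sri4sm("31600000011", msisdn)
    return router.handle_mt_forward_sm("31600000011", routing["imsi"], text)


if __name__ == "__main__":
    router = SmsRouter()
    print("attacker sees:", attacker_probe(router, "79991234567"))
    print("legit SMS:    ", legit_sms(router, "79991234567", "hello"))
```

Compare this with the first step of the attack at the top of the article: the attacker's SRI4SM still gets a syntactically valid answer, but the "IMSI" and "MSC" in it point only at the router, so there is nothing to put into an ISD or an Update Location. Delivery from a legitimate foreign SMSC is unaffected, which is exactly why this control can be enabled without breaking roaming.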
A mobile operator's network is potentially vulnerable, just like any other network, and because of the specifics of mobile networks these attacks can be more sophisticated than attacks on the Internet. We recommend that operators protect such networks following the traditional scenario: penetration tests to discover potential vulnerabilities, a security audit with recommended settings, and periodic checks of the security settings against a template. This minimum amount of work raises the level of network security just above average, but it is enough for a first step. Then subscribers will have nothing to worry about.
At Positive Hack Days IV we gave a talk on possible attacks on mobile operators' networks, including tapping phone conversations from almost anywhere on earth.
Authors: Sergey Puzankov, Dmitry Kurbatov