Hacking mobile network via SS7: interception, shadowing and more
Dmitry Kurbatov
Vladimir Kropotov
Positive Research
Agenda
• Intro
• Attacks prerequisites, costs and case studies
• Official and underground market brief
• Possible Security measures
• Forecasts
In Service LTE Networks
VoLTE Networks
http://ltemaps.org/
Most of the world performs HANDOVER
LTE only for web browsing
To make a call, the subscriber is downgraded to 3G (handover)
Interconnect / roaming
• SS7 (E1): 2G / 3G
• GRX (IP): 3G / 4G
• IPX (IP): 3G / 4G
Kind of IPv4 vs IPv6 dilemma
SS7 is still the most used interconnect / roaming network
• Mobility
• Call control
• Billing
• Crypto
[Diagram: networks A and B connected over SS7; nodes: MSC/VLR, Gateway MSC, SMS-C, HLR, Billing]
2014 - year of SS7 security issues
Hackito Ergo Sum 2014
• Locating mobile phones
Positive Hack Days IV
• How to Intercept a Conversation Held on the Other Side of the Planet
Washington Post
• Secretly track cellphones
31C3
• SS7: Locate. Track. Manipulate
• Mobile self-defense
SS7 for (bad) guys
Tracking
• Locating mobile phones and secretly tracking
Denial of Service
• Disrupt subscriber connectivity and service availability
Interception
• Listen to calls, intercept short messages
Threats to Operator
Threats to IoT
Basic Terms
• IMSI ~ SIM Card
• IMEI ~ Device
• MSISDN ~ Your Number
• HLR ~ Subscriber DB
• MSC ~ Call Processing
Tracking (location)
Common Step 0 for Any Attack
1. Attacker sends a SendRoutingInfoForSM request, addressing the MAP message by MSISDN
2. HLR replies with:
• own address
• serving MSC address
• IMSI
[Diagram: attacker ("I am SMSC"), SMS-C, MSC, HLR, Bob; arrows 1 and 2]
Get Cell ID
1. Attacker sends a provideSubscriberInfo request, addressing the MAP message by IMSI and asking for the subscriber's location
2. MSC replies with Cell ID:
• MCC - 250
• MNC - 90
• LAC 4A67
• CID 673D
[Diagram: attacker ("I am SMSC"), SMS-C, MSC, HLR, Bob; arrows 1 and 2]
Get Location…
MCC: 250
MNC: 90
LAC: 4A67
CID: 673D
Search the Internet for the physical location by MCC, MNC, LAC, CID
…and Track User Just Like SkyLock
http://s3.documentcloud.org/documents/1275167/skylock-product-description-2013.pdf
Underground market demands
Tracking subscriber using the phone number
Yep, Even in 2010
Tracking
Nobody wants to be constantly monitored.
Tracking is a violation of “Personal data protection” laws.
Very hard to stop:
• AnyTimeInterrogation
• ProvideSubscriberInfo
• ProvideSubscriberLocation
DoS / Denial-of-service attack
To make someone unavailable
To stop data leakage
What else?
Common Step 0 for Any Attack
1. Attacker sends a SendRoutingInfoForSM request, addressing the MAP message by MSISDN
2. HLR replies with:
• own address
• serving MSC address
• IMSI
[Diagram: attacker (Fake MSC), SMS-C, MSC, HLR, Bob; arrows 1 and 2]
Denial of Service. Step 1
1. Attacker registers Bob on the fake MSC
2. HLR sets up a new location for Bob
3. HLR asks the real MSC to release memory
[Diagram: Fake MSC, SMS-C, MSC, HLR, Bob; arrows 1 to 3]
Denial of Service. Step 2
1. Alex calls Bob
2. MSC looks for Bob and asks HLR to provide information
3. HLR asks the fake MSC to provide a Roaming Number
[Diagram: Alex, SMS-C, MSC, HLR, Fake MSC, Bob; arrows 1 to 3]
demo
Interception
How to Intercept SMS
• A virus on a smartphone: but what if a specific subscriber is the target? How do you infect that subscriber in particular?
• Reissue SIM? It works only once.
• Radio signal interception (GSM A5/1)? You need to be nearby.
• Via SS7 network
A Cheap Way For Tapping
10$ + OpenSource
(f)or
$$7
Common Step 0 for Any Attack
1. Attacker sends a SendRoutingInfoForSM request, addressing the MAP message by MSISDN
2. HLR replies with:
• own address
• serving MSC address
• IMSI
[Diagram: attacker (Fake MSC), SMS-C, MSC, HLR, Bob; arrows 1 and 2]
SMS Interception. Step 1
1. Attacker registers Bob on the fake MSC
2. HLR sets up a new location for Bob
3. HLR asks the real MSC to release memory
[Diagram: Fake MSC, SMS-C, MSC, HLR, Bob; arrows 1 to 3]
SMS Interception. Step 2
1. Alex sends an SMS to Bob
2. MSC relays the SMS to SMS-C
3. SMS-C asks HLR for Bob's location
4. HLR replies with the fake MSC address
5. SMS-C relays the SMS to the fake MSC
[Diagram: Alex, SMS-C, MSC, HLR, Fake MSC, Bob; arrows 1 to 5]
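A defender-side view of the flows on the tracking, denial-of-service and SMS interception slides, as an added example that is not part of the original deck: detection logic over signalling records that flags location queries arriving from outside the home network and a fake-MSC style relocation that follows shortly after a SendRoutingInfoForSM for the same subscriber. The record layout, the global-title and IMSI prefixes, the 300-second window and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions, not from the slides: record layout, GT/IMSI prefixes, window.
HOME_GT_PREFIX = "99901"     # constructed global-title prefix of the home network
HOME_IMSI_PREFIX = "00101"   # test PLMN (MCC 001, MNC 01) standing in for home
WINDOW_S = 300               # max seconds between SRI-SM and a relocation
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo",
                "provideSubscriberLocation"}

@dataclass
class MapEvent:
    ts: int       # receive time in seconds
    src_gt: str   # calling-party global title
    op: str       # MAP operation name
    imsi: str     # subscriber the operation resolves to

def detect(events):
    """Return (rule, imsi, src_gt) alerts for externally sourced MAP traffic."""
    alerts, probed = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.src_gt.startswith(HOME_GT_PREFIX):
            continue                  # internal signalling is out of scope
        if not e.imsi.startswith(HOME_IMSI_PREFIX):
            continue                  # only home subscribers are checked here
        if e.op in LOCATION_OPS:
            # Simplifying assumption: the home network never needs an
            # outside node to ask where one of its own subscribers is.
            alerts.append(("external-location-query", e.imsi, e.src_gt))
        elif e.op == "sendRoutingInfoForSM":
            # Normal for inbound SMS, so remember it instead of alerting.
            probed[e.imsi] = e.ts
        elif e.op == "updateLocation":
            seen = probed.get(e.imsi)
            if seen is not None and e.ts - seen <= WINDOW_S:
                alerts.append(("relocation-after-sri-sm", e.imsi, e.src_gt))
    return alerts

# Constructed sample records (not captured traffic).
SAMPLE = [
    MapEvent(100, "4400012345", "sendRoutingInfoForSM", "001010000000001"),
    MapEvent(130, "4400012345", "provideSubscriberInfo", "001010000000001"),
    MapEvent(160, "4400012345", "updateLocation", "001010000000001"),
    MapEvent(200, "3300098765", "sendRoutingInfoForSM", "001010000000002"),
    MapEvent(9000, "3300098765", "updateLocation", "001010000000002"),
    MapEvent(210, "9990155555", "provideSubscriberInfo", "001010000000003"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The second subscriber's relocation is not flagged because it falls outside the correlation window, which is how ordinary roaming after an unrelated inbound SMS looks in these records.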
demo
SMS Interception, We “Really Missed” You
• Access to payment service
• Recover passwords for email and social networks
• Online banking OTP
Illegal cases
― TBD
SMS Interception
Payment confirmation SMS Interception
Devices for SMS Interception
Active actions and Impersonation
―Mobile balance transfer over USSD
―Premium Rate SMS Subscriptions
―Credit cards money transfers via phone
―Even fake calls from Victim number
How to Get Into SS7
How They Can Get Into SS7
• Legal with license
• Semi legal without
• Find a guy
• Hack border device
Find a Guy
Hack border device
Today: IP Connectivity
Misconfiguration Example
Critical
Research Updates
• SS7 security threats
• Mobile Internet vulnerabilities (GPRS)
• SIM vulnerabilities
http://www.ptsecurity.com/library/whitepapers/
http://blog.ptsecurity.com/