It is currently 23-10-2017 01:47

SS7 attack: security analysis of mobile operators in 2015

SS7 attack: security analysis of mobile operators in 2015

by sigismund » 2016-07-15 13:47:10

In 2015, the experts of Positive Technologies has implemented 16 projects for security analysis of SS7 networks of leading mobile operators in EMEA and APAC.

Eavesdropping on mobile phones is considered to be a difficult task. However, not only the secret services know this art: attack of subscribers can and hacker average, if he is familiar with the structure of signaling networks. Good old SS7 vulnerability allow eavesdropping on phone conversations to identify the caller location, intercept SMS, disconnect the phone from the network.

the Proportion of successful attacks on the SS7 network

In 2015, the experts of Positive Technologies has implemented 16 projects for security analysis of SS7 networks of leading mobile operators in EMEA and APAC. Results eight of the most informative projects included in our statistics. In this article, we consider the level of security in cellular networks, as well as all industrial and IoT devices, from ATMs to the GSM-systems of control pressure on the pipeline that are also subscribers of cellular networks. The report described the key issues, and their solutions

preamble: greetings from 70-x

Developed forty years ago system SS7 (SS7) has some shortcomings in terms of security (e.g., no encryption, and authentication service messages). For a long time it did not represent danger neither for customers nor for the operator SS7 network was a closed system, which include fixed line operators. However, the network evolved to support the needs of mobile communications and the provision of additional services. In the early 2000s was proposed specification SIGTRAN, allowing you to send service information of SS7 over IP networks. The signal network has ceased to be isolated.

Of course, direct access to the signaling network will not work, you will need an SS7 gateway. But to ensure access to it is not so difficult. You can get operator license in the country where it is condoned, or purchase access on the black market from the incumbent operator. There are ways to get into the network through compromised operator's equipment, the GGSN or the femtocell. If among the participants of the hacker group is a technician-operator, it can perform a number of attacks with a set of legitimate commands or to connect to SS7.

Attack using SS7 can be run from any location on the planet, which makes this method one of the most promising for the offender. The attacker need not be physically present next to the caller, as in the case of the fake base station, so calculate it to be almost impossible. High qualification is not required: the network is available a lot of ready applications that work with SS7. The operators can't block teams from separate units, as this has a negative impact on the whole service and violates the principles of functioning of the roaming.

For the first time the vulnerability of SS7 have been publicly demonstrated in 2008: German researcher Tobias Engel showed the spy technique mobile subscribers. In 2014, the experts of Positive Technologies made a presentation on "How to eavesdrop on a person on the other end of the globe" and provided a detailed report of the Vulnerability of mobile networks based on SS7". In 2015, experts of SR Labs in the broadcast of the Australian program 60 minutes, as in Germany, intercepted SMS messages to Australian Senator nick Xenophon, and a British journalist, and then watched the movements of the Senator on a business trip in Tokyo.

Overall outcomes

For reasons of confidentiality we do not disclose the names of the companies that participated in our study. We only note that half of the studied SS7 networks belong to the largest mobile operators by number of subscribers more than 40 million

the Volume of subscriber base

The final level of network security SS7 all investigated mobile operators was extremely low. In 2015 against the operators and their networks SS7 could be implemented attack associated with leakage data of the subscribers (77% of successful attempts), the faults in the network (80%) and fraud (67%).

Incoming SMS messages can be intercepted in the network of study participants. Nine out of ten of the attacks (89%) reached the goal, and this is a very bad result. Judge: SMS messages are often used in systems with two-factor authentication and recovery of passwords from different Internet services. The interception of communications was carried out by the method UpdateLocation. The attacker registers a subscriber with the victim to the fake network, after which all incoming SMS messages arrive to the specified address.

the Proportion of successful attacks to obtain sensitive information

Unauthorized balance inquiry was also possible almost everywhere (92% of attacks). For this attack use the message ProcessUnstructuredSS-Request, which is passed in the body of the corresponding USSD-command.

Voice calls have been protected a little better: they succeed only half of the attacks to listen to incoming and outgoing calls. But it's a huge risk for the subscribers. To intercept incoming calls technique was used in substitution of roaming numbers. Listening to the same outgoing calls was carried out using InsertSubscriberData. Then, in either case executed redirect traffic to another switch.

Methods of determining the location of the subscriber (the proportion of successful attacks)

To determine the physical location of the subscriber turned on all networks except one. Basic techniques — SendRoutingInfo and ProvideSubscriberInfo, the latter gave the result at every second attack (53%).

The most valuable information about the subscriber — IMSI. This identifier needed for most attacks. The easiest was to his method SendRoutingInfo.

Methods of theft of subscriber information (the proportion of successful attacks)

Another method of determining the IMSI — SendRoutingInfoForSM has been effective in 70% of cases. This message is used when an incoming SMS message to request routing information and localization of the calling party is the recipient. To find out the caller ID it was possible with the command SendIMSI, but with a lower probability (25%).


In each system weaknesses were identified, allowing to implement any fraudulent activity by an external intruder. Examples of such actions can serve as a call redirect, a transfer of funds from the account of the subscriber, change the subscriber's profile.

Fraud: the proportion of successful attacks

Most of the attacks to redirect incoming calls were successful (94%). This confirms the presence in networks SS7 significant problems related to architecture, protocols and systems.

An outgoing call failed to redirect only in 45% of cases. To redirect the method has been used InsertSubscriberData.
Attack to redirect incoming calls was carried out using two techniques — the substitution of roaming numbers and the manipulation of the forwarding. Substitution roaming numbers is made at the time of the incoming call on the target subscriber, which must be pre-registered in a false network. In response to the request roaming numbers the attacker sends a number to redirect the call. Fee for the connection will fall on the operator.

Manipulation of forwarding the unauthorized installation of unconditional forwarding. All incoming calls for the subscriber are routed to the specified room. To pay for the call will have the caller.

Methods of forwarding an incoming call (the proportion of successful attacks)

The change in the subscriber's profile was possible in each of the second attack, carried out by InsertSubscriberData (54%). The attacker has the ability to change the subscriber's profile so that outgoing calls will be made to bypass the billing system. This attack can be used in fraudulent schemes generate traffic to premium rate numbers and expensive areas at the expense of the operator.

DoS-attack on subscriber

To make the subscriber equipment (telephone, modem, GSM alarm or sensor) is not available for incoming transactions, an attacker could carry out targeted attacks on subscribers of the mobile network. The most studied SS7 networks are vulnerable to DoS attacks (successful was 80%).

In all cases using the method UpdateLocation; for you know the identity IMSI of the subscriber. The network operator sends a message UpdateLocation, informing the HLR that a subscriber has made the registration (fake network). After that, incoming calls to the subscriber are routed to the address specified during the attack.

the causes of the problems

Most of the attacks on the SS7 network was possible due to the lack of verification of the actual location of the subscriber. On the second and third places in the list of reasons is the inability to verify the identity of the subscriber and the network and no filtering unused alarm messages. In the fourth position — error configuration SMS Home Routing.

Average number of successful attacks in the same SS7 network (depending on fault)

What to do

Most of the shortcomings, allowing to determine the subscriber's location and steal data, can be eliminated by changing the configuration of network equipment. You need at least to impose a ban on processing and SendIMSI message AnyTimeInterrogation to the HLR.

Architectural problems protocols and systems are resolved by blocking unwanted messages. The first thing to pay attention to SendRoutingInfoForSM, SendIMSI, SendRoutungInfoForLCS, SendRoutingInfo. Filtration will help to avoid the risks associated with denial of service, interception of SMS messages, redirect calls, listening to calls, change the profile of the subscriber.

However, not all of these messages to the SS7 network can be dangerous. You need to implement the filtering in such a way as to cut off only the unwanted messages used in the attacks. It is recommended to implement additional protections, for example, the intrusion detection system. Such systems do not affect the network traffic, but allow us to identify the actions of the offender and to determine the necessary filter settings messages.

The full version of the study: .

Authors: Dmitry Kurbatov, Sergey Puzankov, the security Division of telecommunication systems, Positive Technologies
Сообщений: 788
Депозит: 0 BTC

Rating: 5

Супер защищеные VPS

by Admin » 2017-10-23 01:47:14

Супер защищеные VPS

Быстрые, анонимные VPS


SS7 attack: security analysis of mobile operators in 2015

by allmore » 2016-07-16 14:56:22

It's not possible without special equipment.
Сообщений: 73
Депозит: 0.00225899 BTC

Rating: 4