day3_Worldwide_attacks_on_SS7_network_P1security_Hackito_2014
day3_Worldwide_attacks_on_SS7_network_P1security_Hackito_2014
day3_Worldwide_attacks_on_SS7_network_P1security_Hackito_2014
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<str<strong>on</strong>g>Worldwide</str<strong>on</strong>g> <str<strong>on</strong>g>attacks</str<strong>on</strong>g><br />
<strong>on</strong> <strong>SS7</strong> <strong>network</strong><br />
P1 Security – <strong>Hackito</strong> Ergo Sum 26 th April <strong>2014</strong><br />
Pierre-Olivier Vauboin (po@p1sec.com)<br />
Alexandre De Oliveira (alex@p1sec.com)<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Agenda<br />
Overall telecom architecture<br />
Architecture diagrams for 2G / 3G<br />
Most important Network Elements<br />
<strong>SS7</strong> stack and interc<strong>on</strong>necti<strong>on</strong>s<br />
Practical attack scenarios<br />
Mapping the <strong>SS7</strong> <strong>network</strong><br />
Tracking user locati<strong>on</strong><br />
Sending spoofed SMS<br />
Demo<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Telecom Overview<br />
Evoluti<strong>on</strong> from 2G to 3G<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Practical Attack Scenarios<br />
<strong>SS7</strong> Attack Vectors<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Agenda<br />
Overall telecom architecture<br />
Architecture diagrams for 2G / 3G<br />
Most important Network Elements<br />
<strong>SS7</strong> stack and interc<strong>on</strong>necti<strong>on</strong>s<br />
Practical attack scenarios<br />
Mapping the <strong>SS7</strong> <strong>network</strong><br />
Tracking user locati<strong>on</strong><br />
Sending spoofed SMS<br />
Demo<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
MSC<br />
Mobile Switching Center<br />
MSC: 5-50 per MNO<br />
C<strong>on</strong>nected to 20-50 BSC<br />
In charge of call establishment<br />
Interfaces the BSC toward the rest of the <strong>network</strong><br />
C<strong>on</strong>nects the calls of the mobile users<br />
UE is attached to <strong>on</strong>e MSC<br />
MAP Protocol<br />
Generates CDR (Charging Data Record)<br />
Security impact: Key compromise, c<strong>on</strong>tent<br />
compromise, regi<strong>on</strong>al DoS, locati<strong>on</strong> tracking, …<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
Siemens MSC<br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
HLR / HSS<br />
Home Locati<strong>on</strong> Register<br />
Home Subscriber Server<br />
HLR: 1-20 per MNO<br />
“Heart” of <strong>SS7</strong> / SIGTRAN<br />
Subscriber database<br />
IMSI<br />
Authenticati<strong>on</strong> (AuC) : Ki<br />
Current subscriber locati<strong>on</strong><br />
Supplementary services<br />
Queries from internati<strong>on</strong>al partners (roaming)<br />
MAP Protocol<br />
Security impact: Key compromise, global DoS<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
NSN HLR / HSS<br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
HLR / HSS<br />
Home Locati<strong>on</strong> Register<br />
Home Subscriber Server<br />
I’m Root !<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Agenda<br />
Overall telecom architecture<br />
Architecture diagrams for 2G / 3G<br />
Most important Network Elements<br />
<strong>SS7</strong> stack and interc<strong>on</strong>necti<strong>on</strong>s<br />
Practical attack scenarios<br />
Mapping the <strong>SS7</strong> <strong>network</strong><br />
Tracking user locati<strong>on</strong><br />
Sending spoofed SMS<br />
Demo<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Global <strong>SS7</strong> <strong>network</strong><br />
• Private and secure <strong>SS7</strong> <strong>network</strong> ?<br />
• Interc<strong>on</strong>nects many actors<br />
• Different views depending <strong>on</strong><br />
interc<strong>on</strong>necti<strong>on</strong> point<br />
• Malicious entry point to <strong>SS7</strong> <strong>network</strong>:<br />
• Through any unsecure operator and attack other<br />
operators from there<br />
• From Network Element OAM interface exposed <strong>on</strong><br />
Internet<br />
• Through compromised Femto Cell<br />
• … and more …<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
<strong>SS7</strong> / SIGTRAN Stack<br />
Protocol Layers<br />
Applicati<strong>on</strong> Layer<br />
<strong>SS7</strong><br />
Sessi<strong>on</strong> Layer<br />
Routing Layer<br />
Adaptati<strong>on</strong> Layer<br />
SIGTRAN<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
SIGTRAN MAP Stack<br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
<strong>SS7</strong> / SIGTRAN Stack<br />
Addressing schemes<br />
In Telecom <strong>network</strong>s a multitude of addressing schemes are used to<br />
identify Network Elements, subscribers, applicati<strong>on</strong>s<br />
Internati<strong>on</strong>al Mobile<br />
Subscriber Identity (IMSI)<br />
SIM card number<br />
Internati<strong>on</strong>al Mobile<br />
Equipment Identity (IMEI)<br />
Device serial number<br />
Mobile Subscriber ISDN<br />
Number (MSISDN)<br />
Ph<strong>on</strong>e number<br />
STP<br />
SubSystem Number (SSN)<br />
Identifies applicati<strong>on</strong> or service <strong>on</strong><br />
Network Elements.<br />
Equivalent to TCP port.<br />
Global Title (GT)<br />
Length up to 15 digits.<br />
Looks like a ph<strong>on</strong>e number.<br />
Equivalent to IP address.<br />
Point Code (PC)<br />
14 or 24 bits address.<br />
Equivalent to MAC address.<br />
NE<br />
NE<br />
<strong>SS7</strong> Routing criteria:<br />
PC / GT / SSN or combo<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Agenda<br />
Overall telecom architecture<br />
Architecture diagrams for 2G / 3G<br />
Most important Network Elements<br />
<strong>SS7</strong> stack and interc<strong>on</strong>necti<strong>on</strong>s<br />
Practical attack scenarios<br />
Mapping the <strong>SS7</strong> <strong>network</strong><br />
Tracking user locati<strong>on</strong><br />
Sending spoofed SMS<br />
Demo<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Practical Attack Scenarios<br />
Scan methodology<br />
• Abusing legitimate messages (SRISM, SRI, ATI, …)<br />
• Sending from any internati<strong>on</strong>al <strong>SS7</strong> interc<strong>on</strong>necti<strong>on</strong><br />
• Steps:<br />
• Discovery scan and GT mapping: SCCP + TCAP<br />
• Advanced <str<strong>on</strong>g>attacks</str<strong>on</strong>g>: specific MAP messages<br />
• Targets:<br />
• Attacking operators infrastructure<br />
• Attacking subscribers<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Discovery phase<br />
Finding the first targets<br />
• Publicly available informati<strong>on</strong><br />
• Internati<strong>on</strong>al PC lists<br />
• GT prefix / country / operator<br />
• Subscriber MSISDN lists<br />
• Probing from UE<br />
• SS codes: *#61#<br />
• Send SMS to your own SMSC<br />
to find your current MSC<br />
• Changing GT prefix length<br />
• Scan around c<strong>on</strong>firmed targets<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Discovery phase<br />
TCAP scan example Scan !<br />
HLR Found!<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
2G / 3G Network Mapping<br />
Active Network Mapping<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Agenda<br />
Overall telecom architecture<br />
Architecture diagrams for 2G / 3G<br />
Most important Network Elements<br />
<strong>SS7</strong> stack and interc<strong>on</strong>necti<strong>on</strong>s<br />
Practical attack scenarios<br />
Mapping the <strong>SS7</strong> <strong>network</strong><br />
Tracking user locati<strong>on</strong><br />
Sending spoofed SMS<br />
Demo<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Spying <strong>on</strong> users<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Tracking user locati<strong>on</strong><br />
• Based <strong>on</strong> n<strong>on</strong> filtered MAP messages<br />
• SRISM / SRI<br />
• PSI / PSL<br />
• ATI …<br />
• Targeted towards HLR or MSC / VLR<br />
• Accuracy:<br />
• Depending <strong>on</strong> type of message allowed<br />
• MSC GT (Accuracy: City / Regi<strong>on</strong>)<br />
• CellID (Accuracy: Street)<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Tracking user locati<strong>on</strong><br />
Get MSC / VLR / CellID from <strong>SS7</strong> (Example with MAP ATI)<br />
12345000123<br />
VLR GT<br />
$ pyth<strong>on</strong> src/p1ss7ng/mapgsm_cellid.py 02f802002c9084<br />
Mobile Country Code (MCC) : 208 (France)<br />
Mobile Network Code (MNC) : 20 (Bouygues Telecom)<br />
Locati<strong>on</strong> Area Code (LAC) : 194<br />
Cell ID : 2376<br />
12345000123<br />
MSC GT 02f802002c9084 Cell ID<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Tracking user locati<strong>on</strong><br />
Open CellID databases<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Tracking user locati<strong>on</strong><br />
Low accuracy (MSC based locati<strong>on</strong>)<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
Source: Tobias Engel (CCC)<br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Agenda<br />
Overall telecom architecture<br />
Architecture diagrams for 2G / 3G<br />
Most important Network Elements<br />
<strong>SS7</strong> stack and interc<strong>on</strong>necti<strong>on</strong>s<br />
Practical attack scenarios<br />
Mapping the <strong>SS7</strong> <strong>network</strong><br />
Tracking user locati<strong>on</strong><br />
Sending spoofed SMS<br />
Demo<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Sending SMS<br />
MO / MT ForwardSM<br />
MSC<br />
SMSC<br />
MSC<br />
MAP MO<br />
ForwardSM<br />
MAP MT<br />
ForwardSM<br />
• MAP messages<br />
• MO: Mobile Originating<br />
• MT: Mobile Terminating<br />
• SMSC: SMS Center (SMSC GT list is public)<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Sending SMS<br />
Prerequisite to SMS: MAP SRISM<br />
SMSC<br />
MSC<br />
MT<br />
MT<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
SendRoutingInfoForSM<br />
<strong>SS7</strong> MAP SRISM<br />
SSN HLR<br />
SCCP Dst GT == MSISDN<br />
Destinati<strong>on</strong> ph<strong>on</strong>e number (MSISDN): 12340000001<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Answer to SRISM<br />
Answer comes from HLR<br />
Get IMSI for<br />
requested<br />
MSISDN<br />
RoutingInfoForSM-Res ::= SEQUENCE {<br />
imsi<br />
IMSI,<br />
locati<strong>on</strong>InfoWithLMSI [0] Locati<strong>on</strong>InfoWithLMSI,<br />
extensi<strong>on</strong>C<strong>on</strong>tainer [4] Extensi<strong>on</strong>C<strong>on</strong>tainer<br />
OPTIONAL,<br />
...,<br />
ip-sm-gwGuidance [5] IP-SM-GW-Guidance<br />
OPTIONAL }<br />
C<strong>on</strong>tains MSC GT<br />
• Both IMSI and MSC GT are required to send<br />
MAP MT Forward SM<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Answer to SRISM<br />
SRISM answer reveals MSC GT and IMSI<br />
IMSI<br />
MSC GT<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
SMS <str<strong>on</strong>g>attacks</str<strong>on</strong>g><br />
• Sending spam SMS<br />
• Sending spoof SMS<br />
• Bypassing SMS firewall<br />
• Anti Spam protecti<strong>on</strong>s<br />
• MT FSM directly<br />
targeting MSC<br />
• Directly sent from<br />
signalling protocol<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
SMS <str<strong>on</strong>g>attacks</str<strong>on</strong>g><br />
Based <strong>on</strong> MAP MT-FSM (Mobile Terminated Forward Short Message)<br />
12345000123<br />
MSC GT<br />
MAP MT FSM<br />
IMSI<br />
Originating ph<strong>on</strong>e number<br />
Spoof here !<br />
SMS c<strong>on</strong>tent<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Originating Address<br />
Try different encodings ! (Different screening rules)<br />
12345000001<br />
<strong>Hackito</strong><br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
SMS spoofing<br />
Spoofing police !<br />
Also works with other special numbers:<br />
• Emergency number<br />
• Voice Mail number<br />
• Operators services<br />
• Other subscribers<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Counter measures<br />
Protecting against SMS <str<strong>on</strong>g>attacks</str<strong>on</strong>g><br />
• SMS home routing<br />
• SMS firewalls<br />
• All incoming MAP MT Forward SM are routed<br />
to SMS firewall for inspecti<strong>on</strong><br />
• Prevents against SMS <str<strong>on</strong>g>attacks</str<strong>on</strong>g>:<br />
• SMS spam is detected and rejected<br />
• SMS spoofed is detected and rejected<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
SMS Home Routing<br />
Protecting users privacy / Protecting against spam SMS<br />
SMSC<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
SMS Home Routing<br />
SMS are routed to SMS firewall for inspecti<strong>on</strong><br />
SMSC<br />
SMS<br />
MSC<br />
Firewall<br />
MT<br />
MT<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Counter Counter measures ?<br />
How to bypass protecti<strong>on</strong>s<br />
• Can you actually bypass<br />
SMS firewalls ?<br />
• YES !<br />
• How ?<br />
• Directly sending MT Forward SM to MSC<br />
• Route through SMS firewall is usually not enforced !<br />
• This requires to scan and discover all available MSC prior<br />
to send SMS<br />
• Possible in a few hours<br />
• MSC number: typically < 50<br />
• Also require target IMSI (SRI / SRISM / sendIMSI)<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
SMS Firewall bypassed<br />
P1 Vulnerability Knowledge Base P1VID#112<br />
https://saas.p1sec.com/vulns/112<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Telcomap project<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
<str<strong>on</strong>g>Worldwide</str<strong>on</strong>g> discovery<br />
<strong>SS7</strong>map: Scanning the worldwide <strong>SS7</strong> <strong>network</strong><br />
• Discovery scan from internati<strong>on</strong>al <strong>SS7</strong><br />
interc<strong>on</strong>necti<strong>on</strong><br />
• Targets: all operators / all countries<br />
• Currently implemented testcases:<br />
• GT/SSN discovery scan (SCCP / TCAP)<br />
• MSISDN range scan (MAP SRI)<br />
• More to come…<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
<strong>SS7</strong> Map<br />
Telecom Networks <strong>SS7</strong> Exposure<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
GRX Map<br />
PS, GPRS, LTE<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
http://sniffmap.telcomap.org/grx/<br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Galaxy Map<br />
ShodanHQ-like but for Telco<br />
Shodan is <strong>on</strong>ly 10%<br />
coverage of Telco<br />
OAM and Signaling<br />
But useful to “prove”<br />
the seriousness:<br />
any<strong>on</strong>e can get<br />
access…<br />
from Internet<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Galaxy Map<br />
Some great banners are discovered!<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Sniffmap<br />
Map of Five Eyes intercepti<strong>on</strong><br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
http://sniffmap.telcomap.org/<br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Attack surface<br />
Telcomaps<br />
Sniff Map<br />
<strong>SS7</strong> Map<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
GRX Map<br />
Galaxy Map<br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
• MAP specificati<strong>on</strong>: 3GPP TS 29.002<br />
http://www.3gpp.org/DynaReport/29002.htm<br />
• SMS specificati<strong>on</strong>: 3GPP TS 23.040<br />
http://www.3gpp.org/DynaReport/23040.htm<br />
Going further<br />
• SMS Home routing specificati<strong>on</strong>: 3GPP TS 23.840<br />
http://www.3gpp.org/DynaReport/23840.htm<br />
• Locating mobile ph<strong>on</strong>es using MSC GT (CCC)<br />
http://events.ccc.de/c<strong>on</strong>gress/2008/Fahrplan/attachments/1262_25c3-locating-mobileph<strong>on</strong>es.pdf<br />
• Descripti<strong>on</strong> of MAP usual callflows<br />
http://www.netlab.tkk.fi/opetus/s383115/2007/kalvot/3115L7-9e.pdf<br />
• P1 Security SaaS and Vulnerability Knowledge Base<br />
https://saas.p1sec.com/<br />
• SMS Gateways<br />
http://www.vianett.com/<br />
• Open Cell ID databases / API<br />
http://opencellids.org/<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
DEMO TIME !<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Thank you !<br />
Questi<strong>on</strong>s ?<br />
Thanks to<br />
P1 Security team<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
Questi<strong>on</strong>s to:<br />
po@p1sec.com<br />
alex@p1sec.com<br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Back up demo<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Back up demo<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved
Back up demo<br />
P1 Security – <strong>Hackito</strong> Ergo Sum <strong>2014</strong><br />
© <strong>2014</strong> - P1 Security, All Rights Reserved