
Mobile operators vs. Hackers: new security measures for new - PowerPoint PPT Presentation


  1. Sergey Puzankov. Mobile operators vs. Hackers: new security measures for new bypassing techniques. ptsecurity.com

  2. SS7 in the 20th century. [Diagram: SCP, STP and SSP nodes, PSTN.] SS7 – Signaling System #7, a set of telephony protocols which is used to set up and tear down telephone calls, send and receive SMS, provide subscriber mobility, and other services.

  3. SS7 nowadays. SIGTRAN – Signaling Transport, an extension of the SS7 protocol family that uses IP as a transport.

  4. Why SS7 is not secure. [Diagram: LTE, Diameter, IWF/DEA, SIGTRAN, SS7, STP.]

  5. Mass media highlights the SS7 security problem

  6. Governments and global organizations' concern on SS7 security

  7. Mobile operators and SS7 security: SMS Home Routing; security configuration; security assessment; security monitoring; SS7 firewall.

  8. Research and publications: 2014 – Signaling System 7 (SS7) security report; 2014 – Vulnerabilities of mobile Internet (GPRS); 2016 – Primary security threats for SS7 cellular networks; 2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities); 2017 – Threats to packet core security of 4G network; 2018 – SS7 vulnerabilities and attack exposure report.

  9. Network vulnerability statistics: SMS Home Routing. Possibility of exploitation of some threats in networks with SMS Home Routing installed is greater than in networks without protection. 67% of installed SMS Home Routing systems have been bypassed.

  10. Network vulnerability statistics: SS7 firewall. Penetration level of SS7 firewalls on mobile networks: 2015 — 0%; 2016 — 7%; 2017 — 33%. Filtering system alone cannot protect the network thoroughly.

  11. Basic nodes and identifiers. MSISDN — Mobile Subscriber Integrated Services Digital Number; IMSI — International Mobile Subscriber Identity; GT — Global Title, address of a core node element; HLR — Home Location Register; MSC/VLR — Mobile Switching Center alongside with Visited Location Register; STP — Signaling Transfer Point; SMS-C — SMS Center.

  12. SS7 messages for IMSI retrieving SendRoutingInfo Should be blocked on the border SendIMSI May be blocked on the HLR SendRoutingInfoForLCS – SMS Home Routing as a protection tool SendRoutingInfoForSM

  13. SMS Home Routing bypass No. 1

  14. SMS Delivery with no SMS Home Routing in place (SRI4SM — SendRoutingInfoForSM). Nodes: SMS-C, STP, HLR, MSC. 1. SRI4SM Request (MSISDN); 2. SRI4SM Response (IMSI, MSC Address); 3. MT-SMS (IMSI, SMS Text).

  15. SRI4SM abuse by a malefactor. Nodes: STP, HLR, MSC. 1. SRI4SM Request (MSISDN); 2. SRI4SM Response (IMSI, MSC Address).

  16. SMS Home Routing. Nodes: SMS-C, STP, SMS Router, HLR, MSC. 1. SRI4SM Request (MSISDN); 2. SRI4SM Response (Fake IMSI, SMS-R Address); 3. MT-SMS (Fake IMSI, SMS Text); 4. SRI4SM Request (MSISDN); 5. SRI4SM Response (Real IMSI, MSC Address); 6. MT-SMS (Real IMSI, SMS Text).

  17. SMS Home Routing against malefactors. Nodes: STP, SMS Router, HLR, MSC. 1. SRI4SM Request (MSISDN); 2. SRI4SM Response (Fake IMSI, SMS-R Address).

  18. Numbering plans. E.164 (MSISDN and GT): 33 854 1231237, where 33 is the Country Code and 854 the Network Destination Code. E.212 (IMSI): 208 80 4564567894, where 208 is the Mobile Country Code and 80 the Mobile Network Code. E.214 (Mobile GT): 33 854 4564567894. [Diagram labels: Rule of GT Translation; Operator HLR.]

  19. STP routing table. [Diagram: SS7 Message, STP, HLR 1, HLR 2, SMS Router.] STP Routing Table: …; Numbering Plan = E.214; …; OpCode = SRI4SM; …

  20. STP routing table. [Diagram: SS7 Message, STP, HLR 1, HLR 2, SMS Router.] STP Routing Table: …; Numbering Plan = E.214; …; OpCode = SRI4SM; … E.214 Global Title Translation Table: MCC + MNC + 00xxxxxxxx; MCC + MNC + 20xxxxxxxx.

  23. SendRoutingInfoForSM message: Called Party Address = MSISDN

  24. SMS Home Routing bypass attack. [Diagram: STP, HLR 1, HLR 2, SMS Router.] STP Routing Table: …; Numbering Plan = E.214; …; OpCode = SRI4SM; … E.214 Global Title Translation Table: MCC + MNC + 00xxxxxxxx; MCC + MNC + 20xxxxxxxx. 1. SRI4SM Request (E.214 / Random IMSI, MSISDN); 2. SRI4SM Request (E.214 / Random IMSI, MSISDN); 3. SRI4SM Response (IMSI, MSC address). The malefactor needs to guess any IMSI from a HLR serving the target subscriber. SMS Router is aside.

  25. SMS Home Routing bypass No. 2

  26. SMS Home Routing definition. Nodes: STP, HLR, SMS Router. 1. SRI4SM Request: MSISDN.

  27. SMS Home Routing definition. Nodes: STP, HLR, SMS Router. 1. SRI4SM Request: MSISDN (shown on two legs of the diagram).

  28. SMS Home Routing definition. Nodes: STP, HLR, SMS Router. 1. SRI4SM Request: MSISDN; 2. SRI4SM Request: MSISDN; 3. SRI4SM Response: Fake IMSI, SMS-R address.

  29. SMS Home Routing definition. Nodes: STP, HLR, SMS Router. 1. SRI4SM Request: MSISDN; 2. SRI4SM Request: MSISDN; 3. SRI4SM Response: Fake IMSI, SMS-R address. Different IMSIs mean SMS Home Routing procedure is involved.

  30. TCAP Protocol. TCAP – Transaction Capabilities Application Part. Message structure: TCAP Message Type (Begin, Continue, End, Abort); Transaction IDs (Source and/or Destination IDs); Dialogue Portion (Application Context Name (ACN), ACN Version); Component Portion (Operation Code, Payload). Application Context Name corresponds to a respective Operation Code.

  31. Application Context Name

  32. Application Context Name change

  33. SMS Home Routing bypass with malformed ACN. Nodes: STP, HLR, SMS Router. 1. SRI4SM Request: MSISDN, with malformed ACN.

  34. SMS Home Routing bypass with malformed ACN. Nodes: STP, HLR, SMS Router. 1. SRI4SM Request: MSISDN, with malformed ACN; 2. SRI4SM Response: IMSI, MSC. SMS Router is aside.

  35. SMS Home Routing bypass with malformed ACN. Nodes: STP, HLR, SMS Router. 1. SRI4SM Request: MSISDN, with malformed ACN; 2. SRI4SM Response: IMSI, MSC. Equal IMSIs mean the SMS Home Routing solution is absent or not involved.

  36. SS7 firewall bypass

  37. SS7 firewall typical deployment scheme. Nodes: STP, HLR, SS7 firewall. 1. SS7 message; 2. SS7 message; 3. SS7 message.

  38. SS7 firewall typical deployment scheme (SRI – SendRoutingInfo). Nodes: STP, HLR, SS7 firewall. 1. SRI Request: MSISDN; 2. SRI Request: MSISDN. The message is blocked.

  39. Application Context Name change

  40. SS7 firewall bypass with malformed ACN. Nodes: STP, HLR, SS7 firewall. 1. SRI Request: MSISDN, with malformed ACN; 2. SRI Request: MSISDN, with malformed ACN.

  41. SS7 firewall bypass with malformed ACN. Nodes: STP, HLR, SS7 firewall. 1. SRI Request: MSISDN, with malformed ACN; 2. SRI Request: MSISDN, with malformed ACN; 3. SRI Response: IMSI, … SS7 firewall is aside.

  42. Positioning enhancement

  43. Positioning attack idea

  46. How we discovered

  48. Recreating the position refinement attack. [Diagram: MSC/VLR.]

  49. Recreating the position refinement attack. [Diagram: MSC/VLR; cell CID 0DFB.] 1. ProvideSubscriberInfo, CID: 0DFB.

  50. Recreating the position refinement attack. [Diagram: MSC/VLR; cell CID 0DFB.] 1. ProvideSubscriberInfo, CID: 0DFB; 2. UnstructuredSS-Notify.

  51. Recreating the position refinement attack. [Diagram: MSC/VLR; cell CID 0DFB.] 1. ProvideSubscriberInfo, CID: 0DFB; 2. UnstructuredSS-Notify; 3. Paging.

  52. Recreating the position refinement attack. [Diagram: MSC/VLR; cell CID 0DFB.] 1. ProvideSubscriberInfo, CID: 0DFB; 2. UnstructuredSS-Notify; 3. Paging.

  53. Recreating the position refinement attack. [Diagram: MSC/VLR; cells CID 0191 and CID 0DFB.] 1. ProvideSubscriberInfo, CID: 0DFB; 2. UnstructuredSS-Notify; 3. Paging, Paging Response.

  54. Recreating the position refinement attack. [Diagram: MSC/VLR; cells CID 0191 and CID 0DFB.] 1. ProvideSubscriberInfo, CID: 0DFB; 2. UnstructuredSS-Notify; 3. Paging, Paging Response; . . . returnError.

  55. Recreating the position refinement attack. [Diagram: MSC/VLR; cells CID 0191 and CID 0DFB.] 1. ProvideSubscriberInfo, CID: 0DFB; 2. UnstructuredSS-Notify; 3. Paging, Paging Response; . . . returnError, returnError.

  56. Recreating the position refinement attack. [Diagram: MSC/VLR; cells CID 0191 and CID 0DFB.] 1. ProvideSubscriberInfo, CID: 0DFB; 2. UnstructuredSS-Notify; 3. Paging, Paging Response; . . . returnError, returnError; 4. ProvideSubscriberInfo, CID: 0191.

  57. On the map

  58. Main problems in SS7 security: SS7 architecture flaws; configuration mistakes; software bugs.
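
A border-side check for the two bypasses on slides 24 and 33–41, as an added example that is not part of the presentation: it flags an inbound SendRoutingInfoForSM whose SCCP called party is not an E.164 MSISDN (slide 23), and any SRI or SRI4SM whose ACN is not the context that belongs to its operation code (slide 30). The record layout, field names and sample messages are assumptions; the numbering-plan codes, MAP operation codes and ACN arcs are the standard values.

```python
# Added example: checks on already-decoded inbound SS7 requests.
# Record layout and field names are hypothetical; a real probe or firewall
# exposes the same SCCP/TCAP/MAP fields under its own names.
NP_E164, NP_E214 = 1, 7         # SCCP Global Title numbering-plan codes
OP_SRI, OP_SRI4SM = 22, 45      # MAP operation codes
MAP_AC_PREFIX = "0.4.0.0.1.0."  # map-ac OID arc; context id and version follow
EXPECTED_ACN = {                # opcode -> (context id, accepted versions)
    OP_SRI: (5, {1, 2, 3}),     # locationInfoRetrievalContext
    OP_SRI4SM: (20, {1, 2, 3}), # shortMsgGatewayContext
}

def acn_matches(opcode, acn):
    """True only if acn is the well-formed context for this operation code."""
    if opcode not in EXPECTED_ACN or not acn or not acn.startswith(MAP_AC_PREFIX):
        return False
    arcs = acn[len(MAP_AC_PREFIX):].split(".")
    if len(arcs) != 2 or not all(a.isascii() and a.isdigit() for a in arcs):
        return False
    ctx, versions = EXPECTED_ACN[opcode]
    return int(arcs[0]) == ctx and int(arcs[1]) in versions

def inspect(msg):
    """Return findings for one decoded inbound TCAP Begin."""
    findings = []
    op = msg["opcode"]
    # An absent ACN is also reported; MAP v1 dialogues carry none, so a
    # network that still accepts v1 peers has to allow-list them explicitly.
    if op in EXPECTED_ACN and not acn_matches(op, msg.get("acn")):
        findings.append("acn-opcode-mismatch")
    # Slide 23: SRI4SM is addressed by MSISDN, so the called party GT is E.164.
    if op == OP_SRI4SM and msg.get("cdpa_np") != NP_E164:
        findings.append("sri4sm-not-addressed-by-msisdn")
    return findings

SAMPLES = [  # constructed records, not captured traffic
    {"id": "ok", "opcode": 45, "acn": "0.4.0.0.1.0.20.3", "cdpa_np": NP_E164},
    {"id": "e214", "opcode": 45, "acn": "0.4.0.0.1.0.20.3", "cdpa_np": NP_E214},
    {"id": "bad-acn", "opcode": 45, "acn": "0.4.0.0.1.0.20", "cdpa_np": NP_E164},
    {"id": "wrong-ctx", "opcode": 22, "acn": "0.4.0.0.1.0.20.3", "cdpa_np": NP_E164},
]

def report(samples=SAMPLES):
    """Map each sample id to its findings."""
    return {m["id"]: inspect(m) for m in samples}

if __name__ == "__main__":
    for ident, findings in report().items():
        print(ident, findings or "pass")
```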
