Kirill Puzankov
Mobile signaling threats and vulnerabilities - real cases from our experience
Signaling System 7
Signaling System 7 (SS7) is the control plane that is used for exchanging data between network devices in telecommunications networks.
SS7 introduces:
• Call control functions: establish and release
• Subscriber mobility management: roaming possibilities, location-based services, seamless calls for moving subscribers
• Short message service
• Supplementary service control: call forwarding, call waiting, call hold
History of Signaling Security
The state of signaling security has not changed for almost 40 years.
Timeline marks: 1980, 2000, 2018
Stage labels: Trusted ecosystem; No security; Scope grows; Not trusted anymore
• SS7 network developed. Trusted environment. No security mechanisms in the protocol stack
• SIGTRAN (SS7 over IP) introduced. Number of operators grows. Security is still missing
• Huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security
• Growing number of SS7 interconnections, increasing amount of SS7 traffic. No security policies or restrictions
Innovations of TODAY rely on OBSOLETE technologies from YESTERDAY
Why SS7 is not secure
[Diagram labels: SIGTRAN, IWF/DEA, Diameter, LTE]
Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world.
Governments and global organizations worried by SS7 security
Mobile operators and SS7 security
• Security assessment
• SS7 firewall
• Security monitoring
• SMS Home Routing
• Security configuration
Research and publications
2014 – Signaling System 7 (SS7) security report
2014 – Vulnerabilities of mobile Internet (GPRS)
2016 – Primary security threats for SS7 cellular networks
2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities)
2017 – Threats to packet core security of 4G network
2018 – SS7 vulnerabilities and attack exposure report
2018 – Diameter vulnerabilities exposure report
SS7 Security Audit. Common Facts and Figures
• Subscribers could be geotracked on 75% of analyzed networks
• Incoming SMS messages could be intercepted in 90% of cases
• Voice calls could be intercepted in 53% of cases

Threat                               2015   2016   2017
Subscriber information disclosure    100%   100%   100%
Network information disclosure       100%   92%    63%
Subscriber traffic interception      100%   100%   89%
Fraud                                100%   85%    78%
Denial of service                    100%   100%   100%
SS7 vs Diameter comparison
4G networks are nearly equally vulnerable
Signaling Monitoring. Common Facts and Figures
Almost 99% of attacks are connected with disclosing confidential subscriber data
Network vulnerability statistics: SMS Home Routing
• 67% of installed SMS Home Routing systems have been bypassed
• Possibility of exploitation of some threats in networks with SMS Home Routing installed is greater than in networks without protection
Network vulnerability statistics: SS7 firewall
Penetration level of SS7 firewalls on mobile networks:
2015 — 0%
2016 — 7%
2017 — 33%
Filtering system alone cannot protect the network thoroughly
Basic nodes and identifiers
HLR — Home Location Register
MSC/VLR — Mobile Switching Center and Visited Location Register
SMS-C — SMS Centre
MSISDN — Mobile Subscriber Integrated Services Digital Number
IMSI — International Mobile Subscriber Identity
STP — Signaling Transfer Point
GT — Global Title, address of a core node element
IMSI
An IMSI identifier, by itself, is not valuable to an intruder.
But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as:
• Location tracking
• Service disturbance
• SMS interception
• Voice call eavesdropping
The IMSI is considered personal data as per GDPR.
SS7 messages for IMSI retrieval
• SendRoutingInfo
• SendIMSI
• SendRoutingInfoForLCS
• SendRoutingInfoForSM – SMS Home Routing as a protection tool
Should be blocked on the network border
May be blocked on the HLR
SMS Home Routing bypass
SMS delivery with no SMS Home Routing in place
Nodes: SMS-C, STP, HLR, MSC
1. SRI4SM Request
• MSISDN
2. SRI4SM Response
• IMSI
• MSC Address
3. MT-SMS
• IMSI
• SMS Text
SRI4SM — SendRoutingInfoForSM
SRI4SM abuse by a malefactor
Nodes: STP, HLR, MSC
1. SRI4SM Request
• MSISDN
2. SRI4SM Response
• IMSI
• MSC Address
SMS Home Routing
Nodes: SMS-C, STP, SMS Router, HLR, MSC
1. SRI4SM Request
• MSISDN
2. SRI4SM Response
• Fake IMSI
• SMS-R Address
3. MT-SMS
• Fake IMSI
• SMS Text
4. SRI4SM Request
• MSISDN
5. SRI4SM Response
• Real IMSI
• MSC Address
6. MT-SMS
• Real IMSI
• SMS Text
SMS Home Routing against malefactors
Nodes: STP, SMS Router, HLR, MSC
1. SRI4SM Request
• MSISDN
2. SRI4SM Response
• Fake IMSI
• SMS-R Address
Numbering plans
E.164 MSISDN and GT:   40 700 1231237      (40 = Country Code (Romania), 700 = Network Destination Code)
E.212 IMSI:            226 99 4564567894   (226 = Mobile Country Code (Romania), 99 = Mobile Network Code)
E.214 Mobile GT:       40 700 4564567894
Other labels on the slide: Operator HLR; Rule of GT Translation
STP routing table
[Diagram: an SS7 message arrives at the STP; destinations shown are HLR 1, HLR 2 and the SMS Router]
STP Routing Table
…
Numbering Plan = E.214
…
OpCode = SRI4SM
…
E.214 Global Title Translation Table
40 + 700 + 0xxxxxxxxx
40 + 700 + 4xxxxxxxxx
SendRoutingInfoForSM message
Called Party Address = MSISDN
SMS Home Routing bypass attack
Nodes: STP, HLR 1, HLR 2, SMS Router
STP Routing Table
…
Numbering Plan = E.214
…
OpCode = SRI4SM
…
E.214 Global Title Translation Table
40 + 700 + 0xxxxxxxxx
40 + 700 + 4xxxxxxxxx
1. SRI4SM Request
• E.214 / Random IMSI
• MSISDN
2. SRI4SM Request
• E.214 / Random IMSI
• MSISDN
3. SRI4SM Response
• IMSI
• MSC address
The malefactor needs to guess any IMSI from a HLR serving the target subscriber
SMS Router is aside
Another way to bypass the Home Router
SMS Home Routing definition
Nodes: STP, SMS Router, HLR
1. SRI4SM Request: MSISDN
2. SRI4SM Request: MSISDN
3. SRI4SM Response: Fake IMSI, SMS-R address
Different IMSIs mean SMS Home Routing procedure is involved
TCAP Protocol
TCAP – Transaction Capabilities Application Part
• TCAP Message Type: Begin, Continue, End, Abort
• Transaction IDs: Source and/or Destination IDs
• Dialogue Portion: Application Context Name (ACN), ACN Version
• Component Portion: Operation Code, Payload
Application Context Name corresponds to a respective Operation Code
Application Context
0 – CCITT
4 – Identified Organization
0 – ETSI
0 – Mobile Domain
1 – GSM/UMTS Network
0 – Application Context ID
20 – ShortMsgGateway
3 – Version 3
Application Context change
0 – CCITT
4 – Identified Organization
0 – ETSI
0 – Mobile Domain
1 – GSM/UMTS Network
0 – Application Context ID
20 – ShortMsgGateway
3 – Version 3
0 – CCITT
4 – Identified Organization
x – Unknown
0 – Mobile Domain
1 – GSM/UMTS Network
0 – Application Context ID
20 – ShortMsgGateway
3 – Version 3
SMS Home Routing bypass with malformed Application Context
Nodes: STP, SMS Router, HLR
1. SRI4SM Request: MSISDN, Malformed ACN
2. SRI4SM Response: IMSI, MSC
SMS Router is aside
Equal IMSIs means the SMS Home Routing solution is absent or not involved
Firewall bypass
SS7 firewall: typical deployment scheme
Nodes: STP, SS7 firewall, HLR
1. SS7 message
2. SS7 message
3. SS7 message
SS7 firewall: typical deployment scheme
Nodes: STP, SS7 firewall, HLR
1. SRI Request: MSISDN
2. SRI Request: MSISDN
The message is blocked
SRI – SendRoutingInfo
SS7 firewall: bypass with malformed Application Context
Nodes: STP, SS7 firewall, HLR
1. SRI Request: MSISDN, Malformed ACN
2. SRI Request: MSISDN, Malformed ACN
3. SRI Response: IMSI, …
SS7 firewall is aside
Tricky location tracking
SMS delivery
Nodes: MSC 1, SMS-C, HLR, MSC 2
1. Mo-ForwardSM: A-Num, B-Num
2. SRI4SM: B-Num
3. SRI4SM: IMSI, MSC2
4. Mt-ForwardSM: A-Num, IMSI
5. ReturnResultLast (shown twice on the diagram)
SMS spam through SS7
Nodes: MSC 1, SMS-C, HLR, MSC 2
2. SRI4SM: B-Num
3. SRI4SM: IMSI, MSC2
4. Mt-ForwardSM: A-Num, IMSI
5. ReturnResultLast (shown twice on the diagram)
TCAP handshake as a protection measure
Nodes: MSC 1, SMS-C, HLR, MSC 2
1. TCAP Begin: ACN = MoSMRelay
2. TCAP Continue
3. Mo-ForwardSM: A-Num, B-Num
4. SRI4SM: B-Num
5. SRI4SM: IMSI, MSC2
6. TCAP Begin: ACN = MtSMRelay
7. TCAP Continue
8. Mt-ForwardSM: A-Num, IMSI
9. ReturnResultLast (shown twice on the diagram)
Location retrieval for intelligent network services
Nodes: IN, HLR, MSC/VLR
1. AnyTimeInterrogation: MSISDN
2. ProvideSubscriberInfo: IMSI
3. ProvideSubscriberInfo: CellID
4. AnyTimeInterrogation: CellID
The AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive the identity of a serving cell in order to perform a location-based service.
This message is allowed for internal operations only. It should be prohibited in external connections.
Blocking an illegitimate location request
Nodes: STP, SS7 firewall, HLR
1. AnyTimeInterrogation: MSISDN
2. AnyTimeInterrogation: MSISDN
The message is blocked
TCAP handshake exploit
Is it possible to encapsulate a malformed location request into the protection mechanism and receive a result?
SS7 firewall: bypass within a TCAP handshake
Nodes: STP, SS7 firewall, HLR, MSC/VLR
1. TCAP Begin: ACN = AnyTimeInfoEnquiry
The AnyTimeInfoEnquiry is used in an AnyTimeInterrogation operation that responds with the serving Cell identity, which provides subscriber location to within ~100 meters.
The incoming signaling message does not contain an operation code, so the STP does not send it to the SS7 firewall for inspection.
2. TCAP Continue
3. AnyTimeInterrogation: MSISDN, carried in TCAP Continue
The AnyTimeInterrogation operation is encapsulated into TCAP Continue instead of a normal TCAP Begin message.
The STP routes this message to the node that is involved in the initial transaction.
4. ProvideSubscriberInfo: IMSI, Cell ID
5. AnyTimeInterrogation: Cell ID, carried in TCAP End
SS7 firewall is aside
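An added example (not code from the presentation or from any firewall product): border-filter logic that fails closed on a malformed Application Context and checks the operation code in every TCAP message type, shown beside the Begin-only inspection the slides describe. The TcapMessage structure, global titles and transaction IDs are constructed for illustration; context IDs 5 and 29 are taken from 3GPP TS 29.002 rather than from the slides.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Shared prefix of MAP application-context OIDs as decoded on the slides:
# CCITT(0) . Identified Organization(4) . ETSI(0) . Mobile Domain(0) .
# GSM/UMTS Network(1) . Application Context ID(0), then <context> . <version>
MAP_AC_PREFIX = (0, 4, 0, 0, 1, 0)

# context id -> (name, operations allowed in that dialogue). 20 is the value
# on the slides; 5 and 29 come from 3GPP TS 29.002 (verify for your release).
KNOWN_CONTEXTS = {
    20: ("ShortMsgGateway", {"SendRoutingInfoForSM"}),
    5: ("LocationInfoRetrieval", {"SendRoutingInfo"}),
    29: ("AnyTimeInfoEnquiry", {"AnyTimeInterrogation"}),
}
# Operations the deck says to refuse on external links.
BLOCKED_FROM_EXTERNAL = {"SendRoutingInfo", "SendIMSI",
                         "SendRoutingInfoForLCS", "AnyTimeInterrogation"}
HOME_ROUTED = {"SendRoutingInfoForSM"}  # handed to the SMS Router


@dataclass(frozen=True)
class TcapMessage:
    """Hypothetical decoded view of one inbound message on an external link."""
    origin_gt: str
    msg_type: str  # Begin, Continue, End or Abort
    otid: str  # originating transaction ID
    acn: Optional[Tuple[int, ...]] = None
    opcode: Optional[str] = None


def context_of(acn: Tuple[int, ...]) -> Optional[int]:
    """Context id of a well-formed, known MAP ACN; None for anything else."""
    if len(acn) != 8 or acn[:6] != MAP_AC_PREFIX:
        return None
    return acn[6] if acn[6] in KNOWN_CONTEXTS else None


def begin_only_policy(msg: TcapMessage) -> str:
    """Weak behaviour described on the slides: only a Begin that carries an
    operation code is inspected; everything else follows normal routing."""
    if msg.msg_type == "Begin" and msg.opcode in BLOCKED_FROM_EXTERNAL:
        return "BLOCK"
    return "FORWARD"


class BorderFilter:
    """Inspects every TCAP message type and remembers each dialogue's ACN."""

    def __init__(self) -> None:
        self.dialogues: Dict[Tuple[str, str], int] = {}

    def inspect(self, msg: TcapMessage) -> str:
        key = (msg.origin_gt, msg.otid)
        if msg.msg_type == "Begin" and msg.acn is not None:
            ctx = context_of(msg.acn)
            if ctx is None:
                return "BLOCK"  # fail closed on a malformed or unknown ACN
            if KNOWN_CONTEXTS[ctx][1] <= BLOCKED_FROM_EXTERNAL:
                return "BLOCK"  # dialogue exists only for a refused operation
            self.dialogues[key] = ctx
        ctx = self.dialogues.get(key)
        verdict = "FORWARD"
        if msg.opcode is not None:
            if msg.opcode in BLOCKED_FROM_EXTERNAL:
                verdict = "BLOCK"  # applies to Continue and End as well
            elif ctx is not None and msg.opcode not in KNOWN_CONTEXTS[ctx][1]:
                verdict = "BLOCK"  # operation does not match the dialogue's ACN
            elif msg.opcode in HOME_ROUTED:
                verdict = "TO_SMS_ROUTER"
        if msg.msg_type in ("End", "Abort") or verdict == "BLOCK":
            self.dialogues.pop(key, None)
        return verdict


def run_hardened(messages):
    flt = BorderFilter()
    return [flt.inspect(m) for m in messages]


# Constructed sample traffic (GTs and transaction IDs are placeholders).
HANDSHAKE = [
    TcapMessage("EXT-GT-1", "Begin", "a1", acn=(0, 4, 0, 0, 1, 0, 29, 3)),
    TcapMessage("EXT-GT-1", "Continue", "a1", opcode="AnyTimeInterrogation"),
]
# 9 stands in for the slide's "x - Unknown" arc.
MALFORMED = [TcapMessage("EXT-GT-1", "Begin", "b2", (0, 4, 9, 0, 1, 0, 20, 3),
                         "SendRoutingInfoForSM")]
SMS_DIALOGUE = [
    TcapMessage("EXT-GT-2", "Begin", "c3", acn=(0, 4, 0, 0, 1, 0, 20, 3)),
    TcapMessage("EXT-GT-2", "Continue", "c3", opcode="ProvideSubscriberInfo"),
]
LEGIT_SMS = [TcapMessage("EXT-GT-2", "Begin", "d4", (0, 4, 0, 0, 1, 0, 20, 3),
                         "SendRoutingInfoForSM")]

if __name__ == "__main__":
    for name, msgs in [("handshake", HANDSHAKE), ("malformed", MALFORMED),
                       ("mismatch", SMS_DIALOGUE), ("legit", LEGIT_SMS)]:
        print(name, [begin_only_policy(m) for m in msgs], run_hardened(msgs))
```

Replies to dialogues opened by the home network are not modelled here, and operations outside the three rule sets fall through to FORWARD.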
Main problems
Architecture flaws
Configuration mistakes
Software bugs
Things to remember
1. Deploying a security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed.
2. Test the network. Penetration testing is a good practice to discover a lot of vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them.
3. Know the perimeter. Continuous security monitoring enables a mobile operator to know which vulnerabilities are exploited and, therefore, protect the network.
Thank you!
ptsecurity.com
Kirill Puzankov kpuzankov@ptsecurity.com

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Último (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Mobile signaling threats and vulnerabilities - real cases and statistics from our experience

  • 1. Kirill Puzankov Mobile signaling threats and vulnerabilities - real cases from our experience
  • 2. Signaling System 7. Signaling System 7 (SS7) is the control plane that is used for exchanging data between network devices in telecommunications networks. SS7 introduces: Call control functions: establish and release; Subscriber mobility management: roaming possibilities, location-based services, seamless calls for moving subscribers; Short message service; Supplementary service control: call forwarding, call waiting, call hold
  • 3. History of Signaling Security The state of signaling security has not changed for almost 40 years Trusted ecosystem SS7 network developed. Trusted environment. No security mechanisms in the protocol stack No security Scope grows SIGTRAN (SS7 over IP) introduced. Number of operators grows. Security is still missing Huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security Not trusted anymore Growing number of SS7 interconnections, increasing amount of SS7 traffic. No security policies or restrictions 1980 2018 2000 Innovations of TODAY rely on OBSOLETE technologies from YESTERDAY
  • 4. Why SS7 is not secure SIGTRAN SIGTRAN IWF/DEA Diameter LTE Once a hacker connects to the SS7 network of a mobile operator, they can attack subscribers of any operator around the world
  • 5. Governments and global organizations worried by SS7 security
  • 6. Mobile operators and SS7 security: Security assessment; SS7 firewall; Security monitoring; SMS Home Routing; Security configuration
  • 7. Research and publications: 2014 – Signaling System 7 (SS7) security report; 2014 – Vulnerabilities of mobile Internet (GPRS); 2016 – Primary security threats for SS7 cellular networks; 2017 – Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities); 2017 – Threats to packet core security of 4G network; 2018 – SS7 vulnerabilities and attack exposure report; 2018 – Diameter vulnerabilities exposure report
  • 8. SS7 Security Audit. Common Facts and Figures
      • Subscribers could be geotracked on 75% of analyzed networks
      • Incoming SMS messages could be intercepted in 90% of cases
      • Voice calls could be intercepted in 53% of cases
      Threat                              2015   2016   2017
      Subscriber information disclosure   100%   100%   100%
      Network information disclosure      100%    92%    63%
      Subscriber traffic interception     100%   100%    89%
      Fraud                               100%    85%    78%
      Denial of service                   100%   100%   100%
  • 9. SS7 vs Diameter comparison 4G networks are nearly equally vulnerable
  • 10. Signaling Monitoring. Common Facts and Figures Almost 99% of attacks are connected with disclosing confidential subscriber data
  • 11. Network vulnerability statistics: SMS Home Routing 67% of installed SMS Home Routing systems have been bypassed Possibility of exploitation of some threats in networks with SMS Home Routing installed is greater than in networks without protection
  • 12. Network vulnerability statistics: SS7 firewall Penetration level of SS7 firewalls on mobile networks: 2015 — 0% 2016 — 7% 2017 — 33% Filtering system alone cannot protect the network thoroughly
  • 13. Basic nodes and identifiers: HLR — Home Location Register; MSC/VLR — Mobile Switching Center and Visited Location Register; SMS-C — SMS Centre; MSISDN — Mobile Subscriber Integrated Services Digital Number; IMSI — International Mobile Subscriber Identity; STP — Signaling Transfer Point; GT — Global Title, address of a core node element
  • 14. IMSI. An IMSI identifier, by itself, is not valuable to an intruder. But intruders can carry out many malicious actions against subscribers when they know the IMSI, such as: location tracking; service disturbance; SMS interception; voice call eavesdropping. The IMSI is considered personal data as per GDPR.
  • 15. SS7 messages for IMSI retrieval: SendRoutingInfo, SendIMSI, SendRoutingInfoForLCS, SendRoutingInfoForSM. Should be blocked on the network border. May be blocked on the HLR – SMS Home Routing as a protection tool
  • 17. SMS delivery with no SMS Home Routing in place STP MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • IMSI • MSC Address 2. SRI4SM Response • IMSI • MSC Address 3. MT-SMS • IMSI • SMS Text 3. MT-SMS • IMSI • SMS Text SRI4SM — SendRoutingInfoForSM HLR SMS-C
  • 18. SRI4SM abuse by a malefactor STP MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • IMSI • MSC Address 2. SRI4SM Response • IMSI • MSC Address HLR
  • 19. SMS Router SMS Home Routing STP HLR MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 3. MT-SMS • Fake IMSI • SMS Text 3. MT-SMS • Fake IMSI • SMS Text 4. SRI4SM Request • MSISDN 6. MT-SMS • Real IMSI • SMS Text SMS-C 5. SRI4SM Response • Real IMSI • MSC Address 2. SRI4SM Response • Fake IMSI • SMS-R Address 2. SRI4SM Response • Fake IMSI • SMS-R Address
  • 20. SMS Router SMS Home Routing against malefactors STP HLR MSC 1. SRI4SM Request • MSISDN 1. SRI4SM Request • MSISDN 2. SRI4SM Response • Fake IMSI • SMS-R Address 2. SRI4SM Response • Fake IMSI • SMS-R Address
  • 21. Numbering plans (diagram labels: Operator; HLR; Rule of GT Translation)
      E.164 MSISDN and GT:   40 (Country Code, Romania)          700 (Network Destination Code)   1231237
      E.212 IMSI:            226 (Mobile Country Code, Romania)   99 (Mobile Network Code)         4564567894
      E.214 Mobile GT:       40                                   700                              4564567894
  • 22. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router
  • 23. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx SMS Router
  • 24. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
  • 25. STP routing table STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP SS7 Message HLR 1 HLR 2 SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
  • 27. SMS Home Routing bypass attack STP Routing Table … Numbering Plan = E.214 … OpCode = SRI4SM … STP HLR 1 HLR 2 1. SRI4SM Request • E.214 / Random IMSI • MSISDN 2. SRI4SM Request • E.214 / Random IMSI • MSISDN 3. SRI4SM Response • IMSI • MSC address The malefactor needs to guess any IMSI from a HLR serving the target subscriber SMS Router is aside SMS Router E.214 Global Title Translation Table 40 + 700 + 0xxxxxxxxx 40 + 700 + 4xxxxxxxxx
  • 28. Another way to bypass the Home Router
  • 29. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN STP
  • 30. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP
  • 31. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP 3. SRI4SM Response: Fake IMSI, SMS-R address
  • 32. SMS Home Routing definition HLR SMS Router 1. SRI4SM Request: MSISDN 2. SRI4SM Request: MSISDN STP 3. SRI4SM Response: Fake IMSI, SMS-R address Different IMSIs mean SMS Home Routing procedure is involved
  • 33. TCAP Protocol TCAP Message Type Transaction IDs Dialogue Portion Component Portion Begin, Continue, End, Abort Source and/or Destination IDs Application Context Name (ACN) ACN Version Operation Code Payload Application Context Name corresponds to a respective Operation Code TCAP – Transaction Capabilities Application Part
  • 34. Application Context 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
  • 35. Application Context change 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3 0 – CCITT 4 – Identified Organization x – Unknown 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
  • 36. SMS Home Routing bypass with malformed Application Context. Nodes: HLR, STP, SMS Router. 1. SRI4SM Request: MSISDN Malformed ACN 1. SRI4SM Request: MSISDN Malformed ACN Malformed Application Context
  • 37. SMS Home Routing bypass with malformed Application Context. Nodes: HLR, STP, SMS Router. 1. SRI4SM Request: MSISDN Malformed ACN 1. SRI4SM Request: MSISDN Malformed ACN 2. SRI4SM Response: IMSI, MSC 2. SRI4SM Response: IMSI, MSC SMS Router is aside
  • 38. SMS Home Routing bypass with malformed Application Context. Nodes: HLR, STP, SMS Router. 1. SRI4SM Request: MSISDN Malformed ACN 2. SRI4SM Response: IMSI, MSC 1. SRI4SM Request: MSISDN Malformed ACN 2. SRI4SM Response: IMSI, MSC Equal IMSIs mean the SMS Home Routing solution is absent or not involved
  • 40. SS7 firewall: typical deployment scheme. Nodes: HLR, STP, SS7 firewall. 1. SS7 message 2. SS7 message 3. SS7 message
  • 41. SS7 messages for IMSI retrieval: SendRoutingInfo, SendIMSI, SendRoutingInfoForLCS, SendRoutingInfoForSM. Should be blocked on the network border. May be blocked on the HLR – SMS Home Routing as a protection tool
  • 42. SS7 firewall: typical deployment scheme. Nodes: HLR, STP, SS7 firewall. 1. SRI Request: MSISDN 2. SRI Request: MSISDN The message is blocked. SRI – SendRoutingInfo
  • 43. Application Context change 0 – CCITT 4 – Identified Organization 0 – ETSI 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3 0 – CCITT 4 – Identified Organization x – Unknown 0 – Mobile Domain 1 – GSM/UMTS Network 0 – Application Context ID 20 – ShortMsgGateway 3 – Version 3
  • 44. SS7 firewall: bypass with malformed Application Context. Nodes: HLR, STP, SS7 firewall. 1. SRI Request: MSISDN Malformed ACN 2. SRI Request: MSISDN Malformed ACN Malformed Application Context
  • 45. SS7 firewall bypass with malformed Application Context. Nodes: HLR, STP, SS7 firewall. 1. SRI Request: MSISDN Malformed ACN 2. SRI Request: MSISDN Malformed ACN 3. SRI Response: IMSI, … 3. SRI Response: IMSI, … SS7 firewall is aside
  • 47. SMS delivery. Nodes: MSC 1, SMS-C, HLR, MSC 2. 1. Mo-ForwardSM: A-Num, B-Num 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast 5. ReturnResultLast
  • 48. SMS spam through SS7. Nodes: MSC 1, SMS-C, HLR, MSC 2. 2. SRI4SM: B-Num 3. SRI4SM: IMSI, MSC2 4. Mt-ForwardSM: A-Num, IMSI 5. ReturnResultLast 5. ReturnResultLast
  • 49. TCAP handshake as a protection measure. Nodes: MSC 1, SMS-C, HLR, MSC 2. 1. TCAP Begin: ACN = MoSMRelay 2. TCAP Continue 3. Mo-ForwardSM: A-Num, B-Num 4. SRI4SM: B-Num 5. SRI4SM: IMSI, MSC2 6. TCAP Begin: ACN = MtSMRelay 7. TCAP Continue 8. Mt-ForwardSM: A-Num, IMSI 9. ReturnResultLast 9. ReturnResultLast
  • 50. Location retrieval for intelligent network services. Nodes: IN, HLR, MSC/VLR. 1. AnyTimeInterrogation: MSISDN 2. ProvideSubscriberInfo: IMSI 3. ProvideSubscriberInfo: CellID 4. AnyTimeInterrogation: CellID The AnyTimeInterrogation message allows an Intelligent Network (IN) node to receive the identity of a serving cell in order to perform a location-based service. This message is allowed for internal operations only. It should be prohibited in external connections.
  • 51. Blocking an illegitimate location request. Nodes: HLR, STP, SS7 firewall. 1. AnyTimeInterrogation: MSISDN 2. AnyTimeInterrogation: MSISDN The message is blocked
  • 52. TCAP handshake exploit. Is it possible to encapsulate a malformed location request into the protection mechanism and receive a result?
  • 53. SS7 firewall: bypass within a TCAP handshake. Nodes: HLR, STP, SS7 firewall, MSC/VLR. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry The AnyTimeInfoEnquiry is used in an AnyTimeInterrogation operation that responds with the serving Cell identity, which provides subscriber location to within ~100 meters
  • 54. SS7 firewall: bypass within a TCAP handshake. Nodes: HLR, STP, SS7 firewall, MSC/VLR. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry The incoming signaling message does not contain an operation code, so the STP does not send it to the SS7 firewall for inspection
  • 55. SS7 firewall: bypass within a TCAP handshake. Nodes: HLR, STP, SS7 firewall, MSC/VLR. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 2. TCAP Continue
  • 56. SS7 firewall: bypass within a TCAP handshake. Nodes: HLR, STP, SS7 firewall, MSC/VLR. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN (TCAP Continue) The AnyTimeInterrogation operation is encapsulated in a TCAP Continue instead of a normal TCAP Begin message.
  • 57. SS7 firewall: bypass within a TCAP handshake. Nodes: HLR, STP, SS7 firewall, MSC/VLR. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN (TCAP Continue) 3. AnyTimeInterrogation: MSISDN (TCAP Continue) The AnyTimeInterrogation operation is encapsulated in a TCAP Continue instead of a normal TCAP Begin message. The STP routes this message to the node that is involved in the initial transaction.
  • 58. SS7 firewall: bypass within a TCAP handshake. Nodes: HLR, STP, SS7 firewall, MSC/VLR. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN (TCAP Continue) 3. AnyTimeInterrogation: MSISDN (TCAP Continue) 4. ProvideSubscriberInfo Cell ID IMSI
  • 59. SS7 firewall: bypass within a TCAP handshake. Nodes: HLR, STP, SS7 firewall, MSC/VLR. 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 1. TCAP Begin: ACN = AnyTimeInfoEnquiry 2. TCAP Continue 2. TCAP Continue 3. AnyTimeInterrogation: MSISDN (TCAP Continue) 3. AnyTimeInterrogation: MSISDN (TCAP Continue) 4. ProvideSubscriberInfo Cell ID IMSI 5. AnyTimeInterrogation: Cell ID (TCAP End) 5. AnyTimeInterrogation: Cell ID (TCAP End) SS7 firewall is aside
  • 61. Things to remember 1. Deploying a security tool does not mean the network is secure. About 67% of SMS Home Routing solutions on tested networks were bypassed. 2. Test the network. Penetration testing is a good practice to discover a lot of vulnerabilities. Discover and close existing vulnerabilities before hackers find and exploit them. 3. Know the perimeter. Continuous security monitoring enables a mobile operator to know which vulnerabilities are exploited and, therefore, protect the network.
  • 62. Thank you! ptsecurity.com Kirill Puzankov kpuzankov@ptsecurity.com
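
The routing gap on slides 21 to 27, modelled as an added example (not code from the presentation or from any STP vendor): the same constructed messages are run through a rule set that evaluates the numbering plan first and through one that evaluates the operation code first for external traffic. The rule ordering, the prefix-to-HLR mapping, the message dictionaries and the UpdateLocation sample are assumptions made for the illustration.

```python
# Added illustration: a simplified model of the STP routing decision.
# Not vendor configuration; rule ordering and prefix-to-HLR mapping are assumptions.

CC, NDC = "40", "700"     # E.164 country code and network destination code (slide 21)
MCC, MNC = "226", "99"    # E.212 mobile country code and mobile network code (slide 21)

# E.214 Global Title Translation table from slides 23-25.
E214_GTT = {CC + NDC + "0": "HLR 1", CC + NDC + "4": "HLR 2"}


def imsi_to_e214(imsi):
    """E.212 IMSI -> E.214 Mobile GT: MCC+MNC is replaced by CC+NDC, the MSIN is kept."""
    home = MCC + MNC
    if not (imsi.isdigit() and imsi.startswith(home)):
        raise ValueError("not an IMSI of this network")
    return CC + NDC + imsi[len(home):]


def gtt_e214(called_gt):
    """Longest-prefix lookup in the E.214 translation table; None if nothing matches."""
    matches = [prefix for prefix in E214_GTT if called_gt.startswith(prefix)]
    return E214_GTT[max(matches, key=len)] if matches else None


def route_numbering_plan_first(msg):
    """Weak ordering: an E.214-addressed message is translated before the OpCode rule is seen."""
    if msg["np"] == "E.214":
        return gtt_e214(msg["called_gt"])
    if msg["opcode"] == "SRI4SM":
        return "SMS Router"
    return None  # other traffic is outside this model


def route_opcode_first(msg):
    """Corrected ordering: every external SRI4SM goes to the SMS Router, whatever its numbering plan."""
    if msg["external"] and msg["opcode"] == "SRI4SM":
        return "SMS Router"
    if msg["np"] == "E.214":
        return gtt_e214(msg["called_gt"])
    return None


def audit(messages):
    """External SRI4SM messages that the weak ordering would hand straight to an HLR."""
    return [m for m in messages
            if m["external"] and m["opcode"] == "SRI4SM"
            and (route_numbering_plan_first(m) or "").startswith("HLR")]


# Constructed sample traffic, all arriving on an external link.
SAMPLE = [
    {"external": True, "np": "E.164", "called_gt": "407001231237", "opcode": "SRI4SM"},
    {"external": True, "np": "E.214", "called_gt": imsi_to_e214("226994564567894"),
     "opcode": "SRI4SM"},
    {"external": True, "np": "E.214", "called_gt": imsi_to_e214("226990123456789"),
     "opcode": "UpdateLocation"},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["np"], m["opcode"], "weak:", route_numbering_plan_first(m),
              "corrected:", route_opcode_first(m))
    print("needs review:", audit(SAMPLE))
```

Running `audit` over a routing-table export expressed in this form lists the SRI4SM paths that never touch the SMS Router, which is the condition slide 27 labels "SMS Router is aside".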
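
A border check that closes the two gaps shown on slides 33 to 45 and 52 to 59, as an added example (not code from the presentation or from any firewall product): the Application Context Name is decoded and must match a known MAP context exactly, the decision is made at TCAP Begin even when no operation code is present, and components carried in later TCAP Continue messages are checked against the context that opened the dialogue. The message dictionaries, the single `tid` key, the accepted version numbers and the sample octets are assumptions made for the illustration.

```python
# Added illustration: fail-closed screening of TCAP dialogues arriving on external links.
# Message dicts and the single 'tid' key are a simplification, not a TCAP decoder.

# Arcs on slide 34: CCITT(0), Identified Organization(4), ETSI(0), Mobile Domain(0),
# GSM/UMTS Network(1), Application Context ID(0); the context and its version follow.
MAP_AC_PREFIX = (0, 4, 0, 0, 1, 0)

# Context -> operations allowed inside it. 20 = ShortMsgGateway is on slide 34;
# 29 = anyTimeInfoEnquiry is the value defined in 3GPP TS 29.002.
CONTEXTS = {20: {"SRI4SM"}, 29: {"AnyTimeInterrogation"}}

# Operations the slides say to stop at the border. Leaving SRI4SM to SMS Home Routing
# is this example's reading of slide 15.
BLOCKED_EXTERNAL = {"SendRoutingInfo", "SendIMSI", "SendRoutingInfoForLCS",
                    "AnyTimeInterrogation"}

# Constructed sample values: OBJECT IDENTIFIER content octets of the ACN.
ACN_SMS_GATEWAY_V3 = bytes.fromhex("04000001001403")
ACN_ANYTIME_ENQUIRY_V3 = bytes.fromhex("04000001001d03")
ACN_MALFORMED = bytes.fromhex("04090001001403")  # organization arc changed, as on slide 35


def decode_oid(content):
    """Decode BER OBJECT IDENTIFIER content octets into a tuple of arcs."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for octet in content[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:      # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    return tuple(arcs)


def allowed_operations(acn):
    """Operations permitted under this ACN, or None unless it is exactly a known MAP context."""
    try:
        arcs = decode_oid(acn)
    except (ValueError, TypeError):
        return None
    # Versions 1-3 are the ones this example accepts (assumption).
    if len(arcs) != 8 or arcs[:6] != MAP_AC_PREFIX or arcs[7] not in (1, 2, 3):
        return None
    return CONTEXTS.get(arcs[6])


class BorderInspector:
    def __init__(self):
        self.dialogues = {}  # transaction id -> operations allowed in that dialogue

    def inspect(self, msg):
        """Return 'PASS' or 'BLOCK: <reason>' for one TCAP message from an external link."""
        if msg["type"] == "Begin":
            ops = allowed_operations(msg.get("acn"))
            if ops is None:
                return "BLOCK: unknown or malformed ACN"
            if ops & BLOCKED_EXTERNAL:
                return "BLOCK: context not permitted on external links"
            self.dialogues[msg["tid"]] = ops
        else:
            ops = self.dialogues.get(msg["tid"])
            if ops is None:
                return "BLOCK: no dialogue opened with this transaction ID"
        opcode = msg.get("opcode")
        if opcode is not None and (opcode in BLOCKED_EXTERNAL or opcode not in ops):
            self.dialogues.pop(msg["tid"], None)
            return "BLOCK: operation does not match the dialogue's ACN"
        if msg["type"] in ("End", "Abort"):
            self.dialogues.pop(msg["tid"], None)
        return "PASS"
```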