Listening Ukrainian mobile phones: how it is done and how to protect
You’ve read more than once in news feeds about how secret services of different countries monitor negotiations and data transmission of ordinary citizens. Now the new scandal with the tapping of Ukrainian subscribers, allegedly carried out from the territory of Russia, is gaining momentum.
We have already written about what threats exist in the world of mobile communications, and today we want to tell you again about one of the vectors of attacks aimed at mobile subscribers.
In short, the scheme is as follows. The attacker enters the SS7 signaling network, the channels of which send a service message Send Routing Info For SM (SRI4SM), specifying the telephone number of the attacked subscriber A as a parameter. In response, the home network of the subscriber A sends the technical information to the attacker: IMSI (international subscriber ID) and the address of the MSC switch that currently serves the subscriber.
')
Then, the attacker, using the Insert Subscriber Data (ISD) message, injects the updated subscriber profile into the VLR database, changing the address of the billing system in it to the address of its own, pseudobilling system.
Then, when the attacked subscriber makes an outgoing call, his switch addresses, instead of the actual billing system, the attacker's system, which gives the switch a directive to redirect the call to a third party, again controlled by the attacker.
On this third party, a conference call is organized from three subscribers, two of which are real (caller A and called B), and the third is introduced by the attacker unauthorized and has the ability to listen and record the conversation.
I will tell the skeptics right away: this scheme is not fantastic and, as you can see, it is completely realizable in practice. When developing the SS7 signaling system, there were no defense mechanisms against such attacks. The implication was that the SS7 network itself was rather closed, and the “alien” could not get there. However, times are changing, and we are witnessing the malicious use of telephony technology. Unfortunately, it is impossible to just and enable filtering SS7 messages from external networks, as this will affect the performance of services in roaming. And no operator wants to deprive themselves of income.
In the work of an operator providing services to a large number of subscribers, there is always a fine line between information security and the availability of services. This is especially acute for mobile operators: the range of services is huge, it is different for all operators, and we want to serve not only our own, but also foreign subscribers in our network, and that our subscribers are not limited in opportunities while traveling abroad.
It would not be bad to close the so-called “vulnerabilities” in the SS7 protocol stack, but any specialist will tell you that this is unrealistic. The classic case of "this is not a bug, this is a feature."
Instead of philosophizing about the architecture of mobile networks, you need to act. For example, do the following:
A little about the benefits of penetration tests. In the operator's network, their role is not only in identifying vulnerabilities, but also in solving operational problems. For example, to understand what the inclusion of one or another security function may affect, you need to carry out many tests taking into account the characteristics of each network. When conducting our SS7 signaling tests, we take into account 10 main types of attacks on the network and mobile subscribers.
Our research has shown that the overwhelming majority of attacks on SS7 networks begin with the receipt of technical data about the subscriber (IMSI identifier, MSC switch addresses and HLR databases). These parameters are obtained from the response to the very message SRI4SM, which is mentioned at the beginning of the article.
One of the security solutions is the SMS Home Routing procedure proposed by the 3GPP organization in 2007. Sometimes it is called SMS Firewall or SMS filter.
An additional node is introduced into the operator's network, providing filtering of malicious messages SRI4SM. The principle of its work is as follows. When the SRI4SM message from another network arrives at the operator’s network, it is rerouted to the new filtering node. This node sends a normal response, giving the address of the MSC switch and the HLR database its address, and the subscriber’s IMSI giving fake data. If the SRI4SM message was generated by an attacker, then he will not receive any useful information in the response, and his attack will drown in the first stage. If the SRI4SM message was the beginning of a legal transaction for sending an SMS message, the sender's network will transmit this SMS message to the filtering node, and he, in turn, will deliver the message to the addressee within his home network.
7 years have passed since the issuance of this recommendation, but, as we see, far from all operators have launched such a solution. And by the way, the SRI4SM message is not the only way to get an IMSI subscriber.
The network of the mobile operator, like any other, is potentially vulnerable. Due to the specificity of mobile networks, attacks in them may be more sophisticated than attacks on the Internet. We recommend taking measures to protect such networks in accordance with the traditional scenario: pentest with the identification of problem areas, security audits with the installation of recommended settings, periodically checking the security settings in accordance with the template. This is the minimum amount of work that will help raise the level of network security just above the plinth, but this is enough as a first step. Subscribers will sleep better.
PS During the Positive Hack Days IV forum, we made a report on possible attacks in the networks of mobile operators, in which we heard wiretapping of telephone conversations from almost anywhere in the world.
Video: live.digitaloctober.ru/embed/2990#time1400670335
PPS In the comments abstract, please, from political preferences, so that this post does not provoke holivar, of which there is plenty on the Internet now. The technical article is devoted to information security, not related to the nationality, country of residence, religion or gender of the reader.
Authors: Sergey Puzankov and Dmitry Kurbatov, Research Center Positive Research.
We have already written about what threats exist in the world of mobile communications, and today we want to tell you again about one of the vectors of attacks aimed at mobile subscribers.
In short, the scheme is as follows. The attacker enters the SS7 signaling network, the channels of which send a service message Send Routing Info For SM (SRI4SM), specifying the telephone number of the attacked subscriber A as a parameter. In response, the home network of the subscriber A sends the technical information to the attacker: IMSI (international subscriber ID) and the address of the MSC switch that currently serves the subscriber.
')
Then, the attacker, using the Insert Subscriber Data (ISD) message, injects the updated subscriber profile into the VLR database, changing the address of the billing system in it to the address of its own, pseudobilling system.
Then, when the attacked subscriber makes an outgoing call, his switch addresses, instead of the actual billing system, the attacker's system, which gives the switch a directive to redirect the call to a third party, again controlled by the attacker.
On this third party, a conference call is organized from three subscribers, two of which are real (caller A and called B), and the third is introduced by the attacker unauthorized and has the ability to listen and record the conversation.
I will tell the skeptics right away: this scheme is not fantastic and, as you can see, it is completely realizable in practice. When developing the SS7 signaling system, there were no defense mechanisms against such attacks. The implication was that the SS7 network itself was rather closed, and the “alien” could not get there. However, times are changing, and we are witnessing the malicious use of telephony technology. Unfortunately, it is impossible to just and enable filtering SS7 messages from external networks, as this will affect the performance of services in roaming. And no operator wants to deprive themselves of income.
In the work of an operator providing services to a large number of subscribers, there is always a fine line between information security and the availability of services. This is especially acute for mobile operators: the range of services is huge, it is different for all operators, and we want to serve not only our own, but also foreign subscribers in our network, and that our subscribers are not limited in opportunities while traveling abroad.
What to do
It would not be bad to close the so-called “vulnerabilities” in the SS7 protocol stack, but any specialist will tell you that this is unrealistic. The classic case of "this is not a bug, this is a feature."
Instead of philosophizing about the architecture of mobile networks, you need to act. For example, do the following:
- Perform SS7 penetration testing.
- At the same time organize monitoring of signaling messages on the perimeter of the operator’s network by all available means.
- Analyze the information received and take measures to minimize risks.
Penetration tests
A little about the benefits of penetration tests. In the operator's network, their role is not only in identifying vulnerabilities, but also in solving operational problems. For example, to understand what the inclusion of one or another security function may affect, you need to carry out many tests taking into account the characteristics of each network. When conducting our SS7 signaling tests, we take into account 10 main types of attacks on the network and mobile subscribers.
- Check for disclosure of confidential technical parameters: IMSI subscriber; the address of the MSC switch where the subscriber is registered; HLR DB address where the subscriber's profile is stored. Knowing these parameters, the attacker will be able to conduct more complex attacks.
- Check for disclosure of cell data serving the subscriber. Knowing the cell ID, an attacker can locate the subscriber. In terms of urban coverage, the location of the subscriber can be determined with an accuracy of tens of meters .
- Check for the possibility of violation of subscriber availability for incoming calls (DoS per subscriber) In the case of a successful attack, the victim subscriber stops receiving incoming calls and SMS. In this case, the mobile device of the victim shows the presence of the network. This state of the victim subscriber will last until the subscriber makes an outgoing call, moves into the range of another switch or restarts the phone.
- Check for the disclosure of private SMS-correspondence. This attack is a consequence of attack number 3. In the event of a successful attack, incoming SMS start to arrive at the attacker's equipment, it will not be difficult to read them. To ensure that SMS is not delivered to the recipient afterwards, a notification of receipt is sent to the SMS center.
- Checking the manipulation of USSD commands. In the case of a successful attack, the attacker is able to send USSD commands on behalf of the subscriber. Possible damage will be determined by a set of services provided by the operator for USSD (for example, whether it is possible to transfer funds between subscriber accounts using USSD commands).
- Check the possibility of substitution of the subscriber profile in the VLR. In the case of a successful attack, an attacker gets the opportunity to use his equipment as an intelligent platform to expand the capabilities of voice calls and tariffication manipulations.
- Check for the possibility of redirecting outgoing calls. It is a continuation of the attack. 6. In the event of a successful attack, the attacker is able to redirect the outgoing voice calls of the victim subscriber. In addition, the attack allows the attacker to arrange a conference call, unauthorized "wedged" in the conversation.
- Check for the possibility of redirecting incoming calls. In the case of a successful attack, the attacker gets the opportunity to redirect incoming voice calls intended to the victim subscriber. In addition, calls to destinations with high rates may either not be charged, or the call charge will be charged to the victim subscriber.
- Check the resistance of the switch to a DoS attack. In the case of a successful attack, the switch stops processing incoming calls to subscribers who are within its range.
- Checking the possibility of direct manipulations with billing. In the event of a successful attack, the attacker gets the possibility of emptying the personal account, thus depriving the subscriber of the ability to make calls.
How to protect
Our research has shown that the overwhelming majority of attacks on SS7 networks begin with the receipt of technical data about the subscriber (IMSI identifier, MSC switch addresses and HLR databases). These parameters are obtained from the response to the very message SRI4SM, which is mentioned at the beginning of the article.
One of the security solutions is the SMS Home Routing procedure proposed by the 3GPP organization in 2007. Sometimes it is called SMS Firewall or SMS filter.
An additional node is introduced into the operator's network, providing filtering of malicious messages SRI4SM. The principle of its work is as follows. When the SRI4SM message from another network arrives at the operator’s network, it is rerouted to the new filtering node. This node sends a normal response, giving the address of the MSC switch and the HLR database its address, and the subscriber’s IMSI giving fake data. If the SRI4SM message was generated by an attacker, then he will not receive any useful information in the response, and his attack will drown in the first stage. If the SRI4SM message was the beginning of a legal transaction for sending an SMS message, the sender's network will transmit this SMS message to the filtering node, and he, in turn, will deliver the message to the addressee within his home network.
7 years have passed since the issuance of this recommendation, but, as we see, far from all operators have launched such a solution. And by the way, the SRI4SM message is not the only way to get an IMSI subscriber.
Instead of conclusion
The network of the mobile operator, like any other, is potentially vulnerable. Due to the specificity of mobile networks, attacks in them may be more sophisticated than attacks on the Internet. We recommend taking measures to protect such networks in accordance with the traditional scenario: pentest with the identification of problem areas, security audits with the installation of recommended settings, periodically checking the security settings in accordance with the template. This is the minimum amount of work that will help raise the level of network security just above the plinth, but this is enough as a first step. Subscribers will sleep better.
PS During the Positive Hack Days IV forum, we made a report on possible attacks in the networks of mobile operators, in which we heard wiretapping of telephone conversations from almost anywhere in the world.
Video: live.digitaloctober.ru/embed/2990#time1400670335
PPS In the comments abstract, please, from political preferences, so that this post does not provoke holivar, of which there is plenty on the Internet now. The technical article is devoted to information security, not related to the nationality, country of residence, religion or gender of the reader.
Authors: Sergey Puzankov and Dmitry Kurbatov, Research Center Positive Research.
Source: https://habr.com/ru/post/226977/
All Articles