Analysis and Mitigation of Recent Attacks on Mobile Communication Backend
Total Page:16
File Type:pdf, Size:1020Kb
Aalto University School of Science Master’s Degree Programme in Security and Mobile Computing Siddharth Prakash Rao Analysis and Mitigation of Recent Attacks on Mobile Communication Backend Master’s Thesis Espoo, 25 June 2015 Supervisors: Dr. Tuomas Aura, Aalto University Dr. Dominique Unruh, University of Tartu Co-supervisors: Dr. Silke Holtmanns, Nokia Networks Dr. Ian Oliver, Nokia Networks Aalto University ABSTRACT OF THE MASTER’S THESIS School of Science Degree Programme in Security and Mobile Computing Author: Siddharth Prakash Rao Title: Analysis and Mitigation of Recent Attacks on Mobile Communication Backend Number of pages: 95+9 Date: 25.06.2015 Language: English Professorship: Data Communications Code: T-110 Software Supervisors: Dr. Tuomas Aura, Aalto University Dr. Dominique Unruh, University of Tartu Co-supervisors: Dr. Silke Holtmanns, Nokia Networks Dr. Ian Oliver, Nokia Networks In the last quarter of 2014, several successful attacks against mobile networks were demonstrated. They are based on misuse of one of the key signaling protocol, SS7, which is extensively used in the mobile communication backend for signaling tasks such as call and mobility management. The attackers were able to locate the mobile users and intercept voice calls and text messages. While most attacks in the public eye are those which exploits weaknesses in the end-device software or radio access links, these recently demonstrated vulnerabilities exploit weaknesses of the mobile core networks themselves. Understandably, there is a scramble in the mobile telecommunications industry to understand the attacks and the underlying vulnerabilities. This thesis is part of that effort. This thesis presents a broad and thorough overview and analysis of the known attacks against mobile network signaling protocols and the possible mitigation strategies. The attacks are presented in a uniform way, in relation to the mobile network protocol standards and signaling scenarios. Moreover, this thesis also presents a new attack that enables a malicious party with access to the signaling network to remove lost or stolen phones from the blacklist that is intended to prevent their use. Both the known and new attacks have been confirmed by implementing them in a controlled test environment. The attacks are serious because SS7, despite its age, remains the main signaling protocol in the mobile networks and will still long be required for interoperability and background compatibility in international roaming. Moreover, the number of entities with access to the core network, and hence the number of potential attackers, has increased significantly because of changes in regulation and opening of the networks to competition. The analysis and new results of this thesis will help mobile network providers and operators to assess the vulnerabilities in their infrastructure and to make security-aware decisions regarding their future investments and standardization. The results will be presented to the operators, network-equipment vendors, and to the 3GPP standards body. Keywords: Signaling Protocols, SS7, Mobile Core Network, Security CONTENTS LIST OF FIGURES ................................................................................................................ iv LIST OF ABBREVIATIONS ................................................................................................ vi 1 INTRODUCTION................................................................................................................. 1 1.1 Motivation .............................................................................................................................................. 2 1.2 Goals ........................................................................................................................................................ 3 1.3 Brief summary of results .................................................................................................................... 4 1.4 Scope of the thesis and the author’s contribution ....................................................................... 4 1.5 Structure of Thesis ............................................................................................................................... 5 2 BACKGROUND ................................................................................................................... 7 2.1 Introduction to SS7 .............................................................................................................................. 7 2.2 Application of SS7............................................................................................................................... 7 2.3 SS7 Network.......................................................................................................................................... 8 2.3.1 Signaling Network Architecture .............................................................................................. 8 2.3.2 Signaling Architecture ............................................................................................................. 11 2.4 SS7 Protocol Stack ............................................................................................................................ 14 2.5 Overview of core network entities ................................................................................................ 16 2.6 Identifiers and Addressing Schemes ............................................................................................ 18 3 SS7 ATTACK SCENARIO ................................................................................................ 21 3.1 Overview of entry points to core network .................................................................................. 21 3.2 Mapping the SS7 periphery ............................................................................................................. 23 3.3 Current status of SS7 vulnerabilities ............................................................................................ 26 4 ANALYSIS OF ATTACKS ............................................................................................... 28 4.1 Analysis paradigm ............................................................................................................................. 28 4.2 Location privacy breach ................................................................................................................... 30 4.2.1 Regular Location Disclosure scenarios ............................................................................... 31 4.2.2 Overview of Location Proximity .......................................................................................... 31 4.2.3 Location disclosure using call setup messages ................................................................. 32 4.2.4 Location disclosure using SMS protocol messages ......................................................... 35 4.2.5 Location disclosure using CAMEL Location Management Function Messages .... 37 4.2.6 Location disclosure using emergency location service (LCS) messages .................. 40 4.3 Call interception and eavesdropping attacks .............................................................................. 43 4.3.1 Basic call setup workflow during roaming ........................................................................ 43 4.3.2 Call interception using subscriber profile manipulation ................................................ 46 4.3.3 GSM/UMTS authentication mechanism ............................................................................. 49 4.4 SMS based attacks ............................................................................................................................. 52 4.4.1 SMS interception using fake MSC ....................................................................................... 52 4.4.2 Illegitimate SMS messages ..................................................................................................... 54 5 NEW ATTACK TO UNBLOCK STOLEN MOBILE DEVICES ................................. 58 5.1 Current status of mobile thefts ....................................................................................................... 58 5.2 Working principle of EIR ................................................................................................................ 59 5.3 Attack to unblock stolen mobile devices .................................................................................... 60 5.4 Potential countermeasures ............................................................................................................... 64 6 MITIGATION OF ATTACKS .......................................................................................... 66 6.1 Generic approach for mitigation .................................................................................................... 66 6.2 SMS Home Routing .......................................................................................................................... 68 6.3 STP firewalls ....................................................................................................................................... 70 6.4 Best Practices ...................................................................................................................................... 70 7 FUTURE RELEVENCE OF THE ATTACKS ................................................................ 72 7.1 3G, 4G and