Analysis and Mitigation of Recent Attacks on Mobile Communication Backend

Total Page:16

File Type:pdf, Size:1020Kb

Analysis and Mitigation of Recent Attacks on Mobile Communication Backend Aalto University School of Science Master’s Degree Programme in Security and Mobile Computing Siddharth Prakash Rao Analysis and Mitigation of Recent Attacks on Mobile Communication Backend Master’s Thesis Espoo, 25 June 2015 Supervisors: Dr. Tuomas Aura, Aalto University Dr. Dominique Unruh, University of Tartu Co-supervisors: Dr. Silke Holtmanns, Nokia Networks Dr. Ian Oliver, Nokia Networks Aalto University ABSTRACT OF THE MASTER’S THESIS School of Science Degree Programme in Security and Mobile Computing Author: Siddharth Prakash Rao Title: Analysis and Mitigation of Recent Attacks on Mobile Communication Backend Number of pages: 95+9 Date: 25.06.2015 Language: English Professorship: Data Communications Code: T-110 Software Supervisors: Dr. Tuomas Aura, Aalto University Dr. Dominique Unruh, University of Tartu Co-supervisors: Dr. Silke Holtmanns, Nokia Networks Dr. Ian Oliver, Nokia Networks In the last quarter of 2014, several successful attacks against mobile networks were demonstrated. They are based on misuse of one of the key signaling protocol, SS7, which is extensively used in the mobile communication backend for signaling tasks such as call and mobility management. The attackers were able to locate the mobile users and intercept voice calls and text messages. While most attacks in the public eye are those which exploits weaknesses in the end-device software or radio access links, these recently demonstrated vulnerabilities exploit weaknesses of the mobile core networks themselves. Understandably, there is a scramble in the mobile telecommunications industry to understand the attacks and the underlying vulnerabilities. This thesis is part of that effort. This thesis presents a broad and thorough overview and analysis of the known attacks against mobile network signaling protocols and the possible mitigation strategies. The attacks are presented in a uniform way, in relation to the mobile network protocol standards and signaling scenarios. Moreover, this thesis also presents a new attack that enables a malicious party with access to the signaling network to remove lost or stolen phones from the blacklist that is intended to prevent their use. Both the known and new attacks have been confirmed by implementing them in a controlled test environment. The attacks are serious because SS7, despite its age, remains the main signaling protocol in the mobile networks and will still long be required for interoperability and background compatibility in international roaming. Moreover, the number of entities with access to the core network, and hence the number of potential attackers, has increased significantly because of changes in regulation and opening of the networks to competition. The analysis and new results of this thesis will help mobile network providers and operators to assess the vulnerabilities in their infrastructure and to make security-aware decisions regarding their future investments and standardization. The results will be presented to the operators, network-equipment vendors, and to the 3GPP standards body. Keywords: Signaling Protocols, SS7, Mobile Core Network, Security CONTENTS LIST OF FIGURES ................................................................................................................ iv LIST OF ABBREVIATIONS ................................................................................................ vi 1 INTRODUCTION................................................................................................................. 1 1.1 Motivation .............................................................................................................................................. 2 1.2 Goals ........................................................................................................................................................ 3 1.3 Brief summary of results .................................................................................................................... 4 1.4 Scope of the thesis and the author’s contribution ....................................................................... 4 1.5 Structure of Thesis ............................................................................................................................... 5 2 BACKGROUND ................................................................................................................... 7 2.1 Introduction to SS7 .............................................................................................................................. 7 2.2 Application of SS7............................................................................................................................... 7 2.3 SS7 Network.......................................................................................................................................... 8 2.3.1 Signaling Network Architecture .............................................................................................. 8 2.3.2 Signaling Architecture ............................................................................................................. 11 2.4 SS7 Protocol Stack ............................................................................................................................ 14 2.5 Overview of core network entities ................................................................................................ 16 2.6 Identifiers and Addressing Schemes ............................................................................................ 18 3 SS7 ATTACK SCENARIO ................................................................................................ 21 3.1 Overview of entry points to core network .................................................................................. 21 3.2 Mapping the SS7 periphery ............................................................................................................. 23 3.3 Current status of SS7 vulnerabilities ............................................................................................ 26 4 ANALYSIS OF ATTACKS ............................................................................................... 28 4.1 Analysis paradigm ............................................................................................................................. 28 4.2 Location privacy breach ................................................................................................................... 30 4.2.1 Regular Location Disclosure scenarios ............................................................................... 31 4.2.2 Overview of Location Proximity .......................................................................................... 31 4.2.3 Location disclosure using call setup messages ................................................................. 32 4.2.4 Location disclosure using SMS protocol messages ......................................................... 35 4.2.5 Location disclosure using CAMEL Location Management Function Messages .... 37 4.2.6 Location disclosure using emergency location service (LCS) messages .................. 40 4.3 Call interception and eavesdropping attacks .............................................................................. 43 4.3.1 Basic call setup workflow during roaming ........................................................................ 43 4.3.2 Call interception using subscriber profile manipulation ................................................ 46 4.3.3 GSM/UMTS authentication mechanism ............................................................................. 49 4.4 SMS based attacks ............................................................................................................................. 52 4.4.1 SMS interception using fake MSC ....................................................................................... 52 4.4.2 Illegitimate SMS messages ..................................................................................................... 54 5 NEW ATTACK TO UNBLOCK STOLEN MOBILE DEVICES ................................. 58 5.1 Current status of mobile thefts ....................................................................................................... 58 5.2 Working principle of EIR ................................................................................................................ 59 5.3 Attack to unblock stolen mobile devices .................................................................................... 60 5.4 Potential countermeasures ............................................................................................................... 64 6 MITIGATION OF ATTACKS .......................................................................................... 66 6.1 Generic approach for mitigation .................................................................................................... 66 6.2 SMS Home Routing .......................................................................................................................... 68 6.3 STP firewalls ....................................................................................................................................... 70 6.4 Best Practices ...................................................................................................................................... 70 7 FUTURE RELEVENCE OF THE ATTACKS ................................................................ 72 7.1 3G, 4G and
Recommended publications
  • INAP); Part 1: Protocol Specification for Camel Phase 2 2 Draft ETSI EN 301 668-1 V1.1.1 (1999-07
    Draft ETSI EN 301 668-1 V1.1.1 (1999-07) European Standard (Telecommunications series) Intelligent Network (IN); Intelligent Network Capability Set 1 (CS1) extension; Intelligent Network Application Protocol (INAP); Part 1: Protocol specification for Camel Phase 2 2 Draft ETSI EN 301 668-1 V1.1.1 (1999-07) Reference DEN/SPS-03053-1 (fg090ico.PDF) Keywords IN, INAP, ISDN, mobile, protocol ETSI Postal address F-06921 Sophia Antipolis Cedex - FRANCE Office address 650 Route des Lucioles - Sophia Antipolis Valbonne - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Internet [email protected] Individual copies of this ETSI deliverable can be downloaded from http://www.etsi.org If you find errors in the present document, send your comment to: [email protected] Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. © European Telecommunications Standards Institute 1999. All rights reserved. ETSI 3 Draft ETSI EN 301 668-1 V1.1.1 (1999-07) Contents Intellectual Property Rights ............................................................................................................................... 6 Foreword............................................................................................................................................................ 6 1 Scope.......................................................................................................................................................
    [Show full text]
  • Release Notes Release 10.3.0.2 E98788-01
    Oracle® Communications Performance Intelligence Center Oracle Communications Performance Intelligence Center Release Notes Release 10.3.0.2 E98788-01 November 2019 Oracle® Communications Performance Intelligence Center Oracle Communications Performance Intelligence Center Release Notes, Release 10.3.0.2 Copyright © 2003, 2019 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notices are applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
    [Show full text]
  • N2SCP CAMEL/INAP Conformance
    N-Squared Software N2SCP CAP/INAP Protocol Conformance Statement Version 2020-08 N2SCP CAP/INAP Protocol Conformance Statement Version 2020-08 1 Document Information 1.1 Scope and Purpose This document describes the implementation of the CAMEL (including INAP variants) protocol for real- time SCP flows for voice interaction control using the N-Squared Service Control Point (N2SCP) family of applications. The N2SCP family of applications includes: • N2DSG-SCP (CAMEL/Diameter Signalling Gateway) • N2NP-SCP (Number Portability translation application) • N2ACD-SCP (Advanced Call Distribution application for Toll-Free and other routing services) • …plus other custom SCP services that may be developed. All of these applications use the N2SCP framework. They do not typically use all of the framework. Please refer to the relevant technical guide ([R-N2-DSG-TG], [R-N2-NP-TG], [R-N2-ACD-TG]) for application-specific scenarios and configuration parameters. This document assumes a working knowledge of the relevant CAP/INAP and other telephony concepts, including the standard CAP/INAP interactions between an SCP, an SSP, and an SRP (or Intelligent Peripheral). 1.2 Definitions, Acronyms, and Abbreviations Term Meaning AC Apply Charging ACR Apply Charging Report ARI Assist Request Instructions ASN.1 Abstract Syntax Notation One AT Activity Test BCSM Basic Call State Model CAMEL Customized Applications for Mobile Network Enhanced Logic CAP CAMEL Application Part CIR Call Information Request/Report CTR Connect To Resource CWA Continue With Argument DFC
    [Show full text]
  • CAMEL User's Guide Contains the Following Information: No Title Description 1 Introduction to CAMEL Overview of CAMEL Protocols
    Document Part Number: P_EXCL_CAMEL_UG_2.5 COPYRIGHT Copyright © 2003 IntelliNet Technologies, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the reader’s personal use without the written permission of IntelliNet Technologies, Inc. Information in this document is subject to change without notice. IntelliNet Technologies 1990 W. New Haven Ave., Suite 307 Melbourne, FL 32904 U.S.A. Phone: +1 321 726 0686 Fax: +1 321 726 0683 Web site: www.intellinet-tech.com TRADEMARKS IntelliNet Technologies and the IntelliNet Technologies logo are trademarks of IntelliNet Technologies, Inc. Other brands and their products are registered trademarks or trademarks of their respective owners. 2 CAMEL User’s Guide Revision History Revision Date Notes Rev. 1.0 7-9-2003 Begin document modification for Lucent Excel (P. Arteaga) Rev. 2.0 7-30-2003 Contents of the document reorganized per Gururaj and Santanu (Shobha). Rev. 2.1 9-10-2003 Added details of every message (Invoke and Response) along with the associated parameters and the header files in Chapter 3 (Shobha). Rev. 2.2 9-11-2003 Updated Chapter 5 (Shobha). Rev. 2.3 9-15-2003 Added licensing section (Shobha). Rev. 2.4 11-07-2003 Added section Building and Running CAMEL Application on HP-UX (Shobha). Rev. 2.5 11-10-2003 Added section Building and Running CAMEL Application on Linux (Shobha). 3 CAMEL User’s Guide Contents Revision
    [Show full text]
  • TS 101 530 V7.8.0 (2004-05) Technical Specification
    ETSI TS 101 530 V7.8.0 (2004-05) Technical Specification Digital cellular telecommunications system (Phase 2+); Location Services (LCS); Base Station System Application Part LCS Extension (BSSAP-LE) (3GPP TS 09.31 version 7.8.0 Release 1998) R GLOBAL SYSTEM FOR MOBILE COMMUNICATIONS 3GPP TS 09.31 version 7.8.0 Release 1998 1 ETSI TS 101 530 V7.8.0 (2004-05) Reference RTS/TSGG-020931v780 Keywords GSM ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment to: [email protected] Copyright Notification No part may be reproduced except as authorized by written permission.
    [Show full text]
  • MAPS™ Brochure from Brochures.Html Website, Or Refer to Webpage
    Message Automation & Protocol Simulation (MAPS™) Multi-Interface, Multi-Protocol Simulator - TDM, IP, 2G, 3G, 4G, 5G Overview GL's Message Automation & Protocol Simulation (MAPS™) is a protocol simulation/ emulation and conformance test tool that supports a variety of protocols such as MGCP, SIP, MEGACO, SS7, ISDN, GSM, CAS, MC- MLPPP, MAP, LTE, UMTS, SS7 SIGTRAN, ISDN SIGTRAN, SIP I, Diameter, MAP IP, 5G N1 N2, N4 and others. This protocol emulation tool covers solutions for both protocol simulation and analysis. The product also supports RTP, TDM, TRAU GSM, and Mobile traffic simulation over various network. The application includes various test plans and test cases to support the testing of real- time entities. Along with automation capability, the application gives users the unlimited ability to edit messages and control call scenarios (message sequences). "Call Scenarios" are generated through scripts. MAPS™ is designed to work on TDM interfaces as well as on the Ethernet interfaces. TDM signaling protocols such as SS7, ISDN, CAS, MC-MLPPP, MAP, IUP, CAP, INAP, GSM, and FXO/FXS operate over TDM networks, whereas SIP, MEGACO, and MGCP operate over IP networks. MAPS™ supports 3G & 4G mobile protocol simulation such as LTE (S1, eGTP) interfaces, LTE Diameter [S6a, S6d, S13, Cx/Dx, Gx, Rx, SLg, SLh], INAP IP (ANSI, ITU), CAP IP (ANSI, ITU), GSM A over IP, SKINNY, MAP IP, BICC IP, GPRS, and UMTS (IuCS, IuPS, IuH) over IP. MAPS™ architecture supports both Binary and Text Based Protocol Simulation. MAPS™ also supports Location Services (LCS) simulation for positioning mobile devices. Simulates SLg, SLh interfaces (GMLC, MME, HSS), Lg, Lh interfaces (GMLC, MSC, SGSN, HLR), SLs interface (MME, E-SMLC) and Lb interface (MME, SMLC) and interfaces implementing positioning functionality in a cellular network.
    [Show full text]
  • Testing the UMTS Iu Interface Testing the UMTS Iu Interface ▲ ▲ Application Note Application Note
    ▲ Application Note COMPUTING TELECOM Testing the UMTS Iu Interface VIDEO ▲ Protocol Testing in the 3G Wireless Network This application note describes protocol tests for the UMTS Iu interface between the Radio Network Controller (RNC) and the Core Network (CN). It is the first in a series of documents on third-generation (3G) wireless networks. Each note addresses one of the new network interfaces and provides guidelines for equipment designers, manufacturers, operators and maintenance personnel to meet the measurement challenges with testing solutions. Examples are given in this document for testing: • Messaging and procedures on the Radio Access Network (RANAP) • Mobile Radio Interface Layer 3 (CC/MM/GPRS MM/GPRS SM) • Traffic channel signaling (AAL2 layer3) • Tunneling (GTP-U). Due to space limitations, only brief descriptions are presented here. Complete detailed information needed to perform these and other tests can be found in the user handbooks for the K1297 and K1205 Protocol Testers and in other training materials. Please contact Tektronix sales support to obtain the most recent information. Testing the UMTS Iu Interface Testing the UMTS Iu Interface ▲ ▲ Application Note Application Note Table of Contents 1. Introduction – The Iu Interface and All traffic over the Iu interface uses the Asynchronous Transfer Mode (ATM) as Protocols 1. INTRODUCTION – THE Iu INTERFACE AND PROTOCOLS ..................................................................................................................................................3 the physical transport technology, regardless of the data source. As a result, all data will be segmented into 53-byte ATM-cells and transported 1.1. TRANSPORT PROTOCOLS FOR THE CONTROL PLANE ........................................................................................................................................3 asynchronously. This document describes test applications for the Iu interface as it was defined 1.2.
    [Show full text]
  • IDP and Analyzed Information Features 910-5805-001 Revision a December 2009
    Tekelec EAGLE® 5 Integrated Signaling System Feature Manual - IDP and Analyzed Information Features 910-5805-001 Revision A December 2009 Copyright 2009 Tekelec. All Rights Reserved. Printed in USA. Legal Information can be accessed from the Main Menu of the optical disc or on the Tekelec Customer Support web site in the Legal Information folder of the Product Support tab. Table of Contents Chapter 1: Introduction.......................................................................9 Introduction.............................................................................................................................10 Scope and Audience...............................................................................................................10 Manual Organization..............................................................................................................10 Related Publications...............................................................................................................11 Documentation Availability, Packaging, and Updates.....................................................11 Documentation Admonishments..........................................................................................12 Customer Care Center............................................................................................................12 Emergency Response..............................................................................................................14 Locate Product Documentation on the Customer
    [Show full text]
  • SS7 Signalling in Mobile Networks – 3 Days
    SS7 Signalling in Mobile Networks – 3 days CONTENTS The SS7 Signalling in Mobile Networks course explains and describes the world’s most widespread inter-exchange signalling system used in fixed and mobile telecommunication today: Signalling System No 7. It provides the basic ideas and structure of the SS7 protocol stack. Different aspects of various signalling protocols and signalling applications in the telecommunications world are covered. There are a few detailed examples from both mobile and fixed networks. The course focus is on ITU SS7 and GSM/UMTS core network protocols that are based on SS7 system. The participants will also gain a general understanding on how to interpret log files and traces taken from live networks. PREREQUISITES General telecom and basic signalling knowledge is recommended. For background knowledge, we recommend the Apis’ course 3GPP Mobile Systems Overview. SS7 Introduction • The overview of the SS7 system • The definition and structure of the SS7 signalling network: SP, STP, SL, LS, etc. • The logical division of SS7: MTP and User Parts • Use of SS7 protocol in 2G and 3G mobile networks and fixed networks • Overview of various SS7 protocols MTP - Message Transfer Part • The functions of the different MTP levels • The structure and functions of MTP signal units, signalling link states and link management functions • MTP 3 message handling – addressing, routing, load sharing, and distribution • The overview of Signalling Network Management and Testing functions ISUP - ISDN User Part • Use and functions of
    [Show full text]
  • TR 129 903 V5.0.0 (2001-12) Technical Report
    ETSI TR 129 903 V5.0.0 (2001-12) Technical Report Universal Mobile Telecommunications System (UMTS); Feasibility study on SS7 signalling transportation in the core network with SCCP-User Adaptation (SUA) (3GPP TR 29.903 version 5.0.0 Release 5) 3 GPP TR 29.903 version 5.0.0 Release 5 1 ETSI TR 129 903 V5.0.0 (2001-12) Reference DTR/TSGN-0429903v500 Keywords UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment to: [email protected] Copyright Notification No part may be reproduced except as authorized by written permission.
    [Show full text]
  • EN 301 668-1 V1.1.2 (2000-05) European Standard (Telecommunications Series)
    Final draft ETSI EN 301 668-1 V1.1.2 (2000-05) European Standard (Telecommunications series) Intelligent Network (IN); Intelligent Network Capability Set 1 (CS1) extension; Intelligent Network Application Protocol (INAP); Part 1: Protocol specification for Camel Phase 2 2 Final draft ETSI EN 301 668-1 V1.1.2 (2000-05) Reference DEN/SPS-03053-1 Keywords IN, INAP, ISDN, mobile, protocol ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.:+33492944200 Fax:+33493654716 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://www.etsi.org/tb/status/ If you find errors in the present document, send your comment to: [email protected] Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
    [Show full text]
  • SS7 Vulnerabilities
    Contents 1. Introduction ..................................................................................... 3 2. Market Drivers and Business Challenges ..................................5 2.1 History of SS7 ..................................................................................................................... 5 2.2 Evolution to Diameter ......................................................................................................... 6 3. SS7 Security Threats .....................................................................8 3.1 Requirements for carrying out an attack .................................................................. 8 3.2 Who is the Attacker? ........................................................................................................ 8 3.3 Types of Network / Subscriber Attacks ..................................................................... 9 3.3.1 Subscriber Identity Disclosure ......................................................................................... 9 3.3.2 Discovery of Subscribers Location .............................................................................. 13 3.3.3 Disruption of Subscribers Availability ........................................................................ 16 3.3.4 Intercepting SMS Messages ........................................................................................... 20 3.3.5 Manipulation of USSD Request ..................................................................................... 23 3.3.6 Manipulation
    [Show full text]