SMS interception, surveillance, etc. who does not use mobile communications.
And mobile communications are no longer limited to phone calls, SMS and the Internet. Often, a bank card, e-mail, accounts in social networks and on public service websites, as well as a subscriber's personal account on the operator's website are tied to a phone number. When talking about the security of mobile communications, they usually mention the security of the radio path and very rarely remember the SS7 signaling network. Until recently, the security of signaling channels was limited to physical security. In fact, it was almost impossible to get into the signaling network in traditional telephony technologies. But progress does not stand still, and from the beginning of the XXI century IP-telephony began to gradually replace the traditional one. Any personal computer can now have several free programs installed, and then knowledge of the SS7 protocols and programming skills multiplied by the time spent, turns this computer into a powerful criminal tool would be a fantasy.
2A bit of theory But before we let our imagination run wild, let's make a small digression and delve into the technology of mobile communications. In telephone networks, including mobile ones, subscriber (voice or data) and service traffic (for example, for establishing a connection) are clearly separated. In fact, service traffic is the very same signaling system 7, which includes a certain set of protocols, rules and messages. When communicating between operators, nodes in mobile communications are addressed not by IP addresses, but by Global Title addresses, the format of which resembles telephone numbers. The Global Title addresses must be included in the range of telephone numbers assigned to the telecom operator, and if at the national level the ranges are divided by region, then the Global Title addresses of the hosts must match the regional ranges. We will not describe the entire SS7 protocol stack here. Suffice it to say that the MAP Mobile Application Part protocol is used for the interaction of the nodes of the mobile operator's core. The MAP protocol is aimed at the implementation of functions inherent in mobile networks, such as authentication and registration of a mobile device in the network, localization of the subscriber for making an incoming call, support of a continuous voice communication channel when the subscriber moves. Each operation corresponds to a specific MAP message with its own set of parameters. Various messages are mentioned below, and by default they will all belong to the MAP protocol. We are used to using regular telephone numbers for mobile communications. In technical mobile terms, these numbers are called MSISDN Mobile Subscriber Integrated Services Digital Network Number. This number is assigned to the subscriber when concluding a contract with a mobile operator. But in the depths of the communications network, subscribers are addressed by another identifier IMSI (International Mobile Subscriber Identity), which is tied to a specific SIM card. The overwhelming majority of operations require addressing the subscriber exactly according to the IMSI, therefore, in order to carry out most attacks aimed at a specific subscriber, an attacker first needs to find out this identifier. It should also be noted that the SS7 protocols do not include capabilities for providing such functions as node authentication, filtering messages by access lists, dynamic routing of new network nodes. All this allows a potential attacker to achieve their goals. Variants of attacks Prelude So, we assume that the attacker gained access to the SS7 network and wants to carry out a series of attacks on you, the reader. We assume that the attacker knows the phone number of the victim subscriber. As mentioned earlier, the first thing an attacker needs is to
3get the IMSI corresponding to the victim's phone number. For a better understanding of the process, I propose now to distract from the attack itself and first look at how one of the simplest services in mobile communications, the Short Message Service, “SMS”, works. How SMS messages flow First of all, it should be noted that SMS messages in mobile networks "walk" through signaling channels, without affecting the voice and packet traffic channels at all. For any transaction between two subscribers, there is a source and a receiver. The subscriber, sending an SMS message, indicates the recipient's phone number and enters the text. However, the service fields of the message contain the address of the SMS center: this node is responsible for routing SMS messages (and its address is specified in each phone in the SMS settings).
SMS message flow pattern 1. Subscriber Alex sends an SMS message to subscriber Boris. This message is sent via signaling channels to the mobile switch MSC-1 serving Alex's subscriber. 2. The MSC-1 switch will understand that it is an SMS, see the SMS center address in the message and send an SMS to this address in the MO-ForwardSM MAP message. Let's dwell a little on this message. It contains the following data: MSISDN number of the sender, MSISDN number of the recipient, SMS text. And now the SMS center is faced with a daunting task. Firstly, further transmission of an SMS message requires knowledge of the IMSI of the recipient subscriber, and secondly, the SMS-center does not know anything about the location of the subscriber. Let's not forget that we are talking about mobile communications, and the subscriber may be in Moscow today, and tomorrow he will be in Oslo 3. But in fact, it's not all that bad, because the mobile network has a subscriber database HLR, where the movements of subscribers are recorded with an accuracy of the switch. It is to this database that the SMS center turns to get the IMSI of the subscriber and the address of the switch serving it. The SMS-center sends the MAP protocol SendRoutingInfoForSM message, where the MSISDN number of Boris's subscriber is specified as a parameter.
As we said, the HLR database stores the address of the switch serving.
In addition, the HLR stores the MSISDN and IMSI mappings. It is these two parameters that HLR will return in the SendRoutingInfoForSM response message. Now the SMS-center sends an MT-ForwardSM message to the received address of the switch, in which it transmits the SMS text, indicates the sender's MSISDN number (it will be displayed when receiving an SMS), and addresses the recipient subscriber using IMSI. The receiving switchboard sends an SMS message to subscriber Boris, receiving data on the exact location of the subscriber in its database. Receiving IMSI and other delights So, with the help of the SendRoutingInfoForSM message, the SMS-center receives the subscriber's IMSI and the address of the serving switch by the phone number. If we accept that Alex and Boris are subscribers of different networks in the SMS-message flow scheme, then we will find that that the SendRoutingInfoForSM message goes between networks.
Passage of SMS messages between networks In order for the SMS-center to make a request, it must "know" the HLR address of the foreign network. Although, in fact, this is not necessary. The SMS-center can send a SendRoutingInfoForSM message using the recipient subscriber's phone number as the Global Title. Since the Global Title addresses and telephone numbering are in the same range, the message will be delivered to the recipient's network, and then routed to the corresponding HLR via the telephone number. In the response message, HLR will disclose its address, and in the form of parameters, it will transmit the MSC address and IMSI of the subscriber. As a result, it turns out that an attacker who has connected to the SS7 network can initially only know the number of the attacked subscriber to carry out his attacks. By sending the SendRoutingInfoForSM message, he will receive the HLR address, MSC address and IMSI of the subscriber. Determining the location of the subscriber Now let's move on to the real attacks. The first thing that comes to mind is to determine where the subscriber is. Surely in the bowels of the mobile network there should be information about the current position of the subscriber. And in fact, it is there, although its accuracy is not always
fiveis the same. To clarify this issue, you will have to dive into communication technology again. The structure of cellular networks Everyone has seen antennas of base stations of cellular communications: in cities, they are dotted with almost all high-rise buildings. Outside urban areas, base station antennas are most often installed on special mast structures. Base stations provide radio coverage for the network, which ideally, of course, should be without blind spots. Base stations are connected to BSC (Base Station Controller) in the GSM standard and RNC (Radio Network Controller) in the UMTS standard. The controllers are connected to the MSC switch. At the base station, as a rule, several antennas are installed, each of which covers its own sector, or cell. Each cell has a CID Cell ID. Cells are grouped into groups called Location Area. and are identified by the LAC Location Area Code identifier. Often, the Location Area includes all sectors whose base stations are connected to the same controller. The identifier of the cell serving the subscriber at each moment of time is stored in the controller's database. But both BSC and RNC controllers are connected directly to the switch and have no connections to external networks. It is almost impossible to extract information from there. Each MSC also has its own VLR (Visited Location Register) base, where information about all subscribers within the coverage area of this switch is stored. There is even LAC and CID data for subscribers, but the CID value is updated only at the moment when the subscriber crosses the boundaries of the Location Area or performs any other active action. Although from a network point of view, changing information about a new LAC is just as active, like a phone call. A switch, unlike controllers, has a connection to external networks, and an attacker with access to SS7 can obtain information about the location of subscribers from its database. Three-way Now that we know how mobile networks are built, it will be easy for us to understand the attack technique. The first move absolutely repeats the steps for obtaining the IMSI of the subscriber and the address of the switch serving it. Let's repeat: this is done using the SendRoutingInfoForSM message (the attacker emulates the operation of the SMS center). At this stage, it would be possible to immediately send a request to the switch database, but in this case we risk receiving not the most accurate information, since we cannot be sure whether the phone of a known subscriber performed any active actions in the cell where he is now. To know for sure we need to force the subscriber's phone to perform similar actions, but this must be done so that the subscriber does not notice anything. The standard for SMS-messages implies the ability to form a message in such a way that it will be invisible to the subscriber, the so-called Silent SMS. The phone receives the message, but does not signal that it has been received and does not display it in the list
6received SMS. On the second move, the attacker continues to emulate the operation of the SMS center. He sends Silent SMS to the required subscriber in MT-ForwardSM message. The message itself is sent to the switch, the address of which was received in the first move, and the subscriber is addressed using IMSI. After passing this message, the information about the location of the subscriber in the switch base will be updated. It now contains information about the current LAC and CID. It remains quite a bit to send a request to the switch to obtain data on the cell serving the subscriber. This is done with the ProvideSubscriberInfo message, which is sent to the switch, the subscriber is addressed by IMSI. (As we remember, we already have the address of the commutator and the IMSI of the subscriber.) In mobile networks, this message is used to transmit information about the location of the called subscriber for online billing. If the subscriber is in roaming, the corresponding charging scheme is activated. The ProvideSubscriberInfo message returns the full set of serving cell identifiers: MCC Mobile Country Code, MNC Mobile Network Code, LAC, CID. There are many services on the Internet that allow, using these four parameters, to determine the geographical coordinates of the base station and even the approximate coverage area of the cell.
The point marks the base station, and the building where I am sitting is indeed within the indicated circle. allowing for these four parameters to determine the geographic coordinates of the base station and even the approximate area of cell coverage. In fig. 3 shows the result of determining my location at the time of this writing. The point marks the base station, and the building where I am sitting is indeed within the indicated circle. allowing for these four parameters to determine the geographic coordinates of the base station and even the approximate area of cell coverage. In fig. 3 shows the result of determining my location at the time of this writing. The point marks the base station, and the building where I am sitting is indeed within the indicated circle.
Determining the location of the author of the article Subscriber Availability Disruption (DoS) The next DoS attack on a subscriber. To understand the attack technique, let's again dive into the principles of mobile networks. Registration of a subscriber in roaming Let us consider the signal exchange and the main processes occurring in mobile networks when a subscriber leaves for another country and registers in the network of the operator's roaming partner. Registration of a subscriber in the roaming partner's network 1. Subscriber Alex from the network with the name "Home" goes on vacation at sea, leaving the plane, turns on the phone and gets into the network. The switch MSC Z will use the first digits of the IMSI to determine the country and network from which the subscriber arrived, and sends a SendAuthenticationInfo message to this network to authenticate the subscriber.
The node responsible for authentication and encryption key assignment is called AuC Authentication Center. It determines the encryption key and other service information required for authentication and sends it back. After the subscriber is authenticated, it is necessary to register it on the new MSC Z switch. The switch sends an UpdateLocation message to the “Home” network. This message goes to the HLR. Having received the UpdateLocation message, The HLR sends a CancelLocation message to MSC D (where the subscriber was previously registered), telling it to free memory from Alex's subscriber profile. The HLR then updates the current switch address to MSC Z in its database. In response to the registration request, the HLR sends a subscriber profile to MSC ZninePost InsertSubscriberData. This profile contains the subscriber's connected services and addresses of intelligent platforms, if the subscriber is subscribed to the corresponding services. Most often, the online billing system acts as an intelligent platform, among other things. After completing these actions, the subscriber Alex can make and receive calls in the Zagranitsa network. With an incoming call, the HLR will receive a request for the location of the subscriber, and he will direct the calls to the MSC Z of the "Abroad" network. Conducting an attack What is left for a malicious user to send a subscriber to DoS for incoming calls? Simply send an UpdateLocation message to the subscriber's home network on behalf of the MSC.
DoS attack 1. The message is sent to the HLR, the subscriber is addressed by the IMSI identifier (we already know how to receive the necessary data). Another parameter of the UpdateLocation message is the address of the new switch. The HLR in its database will untie the real switch. 3. HLR will send the subscriber profile to the attacker's equipment. Thus, the subscriber will be outside the network coverage area for incoming calls until one of the events occurs: the subscriber moves to the coverage area of another switch; the subscriber will reboot the phone; the subscriber will make a call or send an SMS message. Any of these actions will initiate the UpdateLocation procedure, which will update the switch address in the HLR database to the current one. SMS interception Consequence of the previous attack We have already covered all the theoretical basis required to understand the method of intercepting SMS messages. In fact, the interception of SMS is a consequence of the previous attack, if the attacker specifies the address of his equipment as a fake MSC. Let's take an example of how SMS messages are intercepted. We believe that the attacker received all the necessary subscriber IDs for Boris and carried out a successful DoS attack on him, specifying the address of his node as a fake MSC.
Interception of SMS messages 1. Subscriber Alex sends an SMS message to subscriber Boris, this message arrives at the switchboard, serving the sender. The switch forwards the message to the SMS center. As we already know, this happens in the MO-ForwardSM of the MAP protocol. The SMS center does not know where subscriber Boris is at the moment, so he sends a request to HLR in the SendRoutingInfoForSM message. Since a successful DoS attack was carried out on Boris's subscriber, the HLR database contains false information about his location. This false information the HLR database contains false information about its location. This false information the HLR database contains false information about its location. This false information elevenand will send the HLR to the SMS center in a SendRoutingInfoForSM response message.
The SMS-center, without suspecting anything, will send an SMS-message in clear text to the received address in the MT-ForwardSM message of the MAP protocol. And behind this address, as we have already said, our attacker is hiding. Opportunities for an attacker Let's assume what benefit an attacker can get by intercepting SMS messages to a subscriber. It seems that this attack is ineffective in order to invade private correspondence: now people communicate mainly in messenger applications. It is much more interesting to get a one-time password from the bank to make a payment. Criminal groups that specialize in hacking bank card accounts often lack just one-time passwords to withdraw funds. Another of the attack scenarios in which SMS interception can be used, recovery of passwords for various Internet services: for e-mail, social networks, public service portals. All of these services may contain confidential information, and its value is the higher, the louder the victim has. Almost all mobile operators request a password to access the subscriber's personal account via SMS. Having gained access to a personal account, an attacker can control services, transfer funds between accounts, and in some cases view the history of SMS messages. Summing Up In conclusion, I would like to say a few words about how mobile operators view SS7 security. First, they believe (and rightly so) that it is impossible to get completely illegal access to the SS7 network. Secondly, there are agreements between all operators for traffic transmission, and even if malicious actions are suddenly noticed from the side of some operator, it will not be difficult to block the source address. Third, there are not many known cases of abuse of SS7 funds. All three statements are perfectly valid. However, each of them has its own but. First but. It is possible to get a connection to SS7, for example, under the guise of a VAS service provider. Most likely, this will not work in Russia, but there are countries with more loyal telecommunications legislation (or with strong corruption). In addition, one should not forget that state special services for their country can also act as an attacker, naturally, on the side of good. Second but. Before stopping harmful actions, they must be noticed. An extremely small number of operators constantly monitor SS7 networks for intrusions and attacks. And even if an attack through the SS7 network is noticed and stopped, no one will be able to tell when it started or how long it lasted. Third but. Several cases of abuse related to SS7 have received widespread resonance and publicity in the media. One of them was reported by Edward Snowden, then information was published in the Washington Post. We are talking about the SkyLock service, which allows you to monitor mobile subscribers, including through SS7 networks.
How long has this service been running? How many subscribers were “under the hood” during its operation? How long would this service have lasted if it hadn't been for Snowden's messages? It is unlikely that we will ever get answers to these questions. Another notorious case of wiretapping of Ukrainian mobile subscribers from the territory. Yes, yes, this is also possible thanks to the capabilities of SS7! Several months passed from the beginning of the attacks to their detection and containment. The attacks were suppressed by administrative and technical methods, however, while the information leaks remained unnoticed, significant damage was caused to the operator and the state.
And mobile communications are no longer limited to phone calls, SMS and the Internet. Often, a bank card, e-mail, accounts in social networks and on public service websites, as well as a subscriber's personal account on the operator's website are tied to a phone number. When talking about the security of mobile communications, they usually mention the security of the radio path and very rarely remember the SS7 signaling network. Until recently, the security of signaling channels was limited to physical security. In fact, it was almost impossible to get into the signaling network in traditional telephony technologies. But progress does not stand still, and from the beginning of the XXI century IP-telephony began to gradually replace the traditional one. Any personal computer can now have several free programs installed, and then knowledge of the SS7 protocols and programming skills multiplied by the time spent, turns this computer into a powerful criminal tool would be a fantasy.
2A bit of theory But before we let our imagination run wild, let's make a small digression and delve into the technology of mobile communications. In telephone networks, including mobile ones, subscriber (voice or data) and service traffic (for example, for establishing a connection) are clearly separated. In fact, service traffic is the very same signaling system 7, which includes a certain set of protocols, rules and messages. When communicating between operators, nodes in mobile communications are addressed not by IP addresses, but by Global Title addresses, the format of which resembles telephone numbers. The Global Title addresses must be included in the range of telephone numbers assigned to the telecom operator, and if at the national level the ranges are divided by region, then the Global Title addresses of the hosts must match the regional ranges. We will not describe the entire SS7 protocol stack here. Suffice it to say that the MAP Mobile Application Part protocol is used for the interaction of the nodes of the mobile operator's core. The MAP protocol is aimed at the implementation of functions inherent in mobile networks, such as authentication and registration of a mobile device in the network, localization of the subscriber for making an incoming call, support of a continuous voice communication channel when the subscriber moves. Each operation corresponds to a specific MAP message with its own set of parameters. Various messages are mentioned below, and by default they will all belong to the MAP protocol. We are used to using regular telephone numbers for mobile communications. In technical mobile terms, these numbers are called MSISDN Mobile Subscriber Integrated Services Digital Network Number. This number is assigned to the subscriber when concluding a contract with a mobile operator. But in the depths of the communications network, subscribers are addressed by another identifier IMSI (International Mobile Subscriber Identity), which is tied to a specific SIM card. The overwhelming majority of operations require addressing the subscriber exactly according to the IMSI, therefore, in order to carry out most attacks aimed at a specific subscriber, an attacker first needs to find out this identifier. It should also be noted that the SS7 protocols do not include capabilities for providing such functions as node authentication, filtering messages by access lists, dynamic routing of new network nodes. All this allows a potential attacker to achieve their goals. Variants of attacks Prelude So, we assume that the attacker gained access to the SS7 network and wants to carry out a series of attacks on you, the reader. We assume that the attacker knows the phone number of the victim subscriber. As mentioned earlier, the first thing an attacker needs is to
3get the IMSI corresponding to the victim's phone number. For a better understanding of the process, I propose now to distract from the attack itself and first look at how one of the simplest services in mobile communications, the Short Message Service, “SMS”, works. How SMS messages flow First of all, it should be noted that SMS messages in mobile networks "walk" through signaling channels, without affecting the voice and packet traffic channels at all. For any transaction between two subscribers, there is a source and a receiver. The subscriber, sending an SMS message, indicates the recipient's phone number and enters the text. However, the service fields of the message contain the address of the SMS center: this node is responsible for routing SMS messages (and its address is specified in each phone in the SMS settings).
SMS message flow pattern 1. Subscriber Alex sends an SMS message to subscriber Boris. This message is sent via signaling channels to the mobile switch MSC-1 serving Alex's subscriber. 2. The MSC-1 switch will understand that it is an SMS, see the SMS center address in the message and send an SMS to this address in the MO-ForwardSM MAP message. Let's dwell a little on this message. It contains the following data: MSISDN number of the sender, MSISDN number of the recipient, SMS text. And now the SMS center is faced with a daunting task. Firstly, further transmission of an SMS message requires knowledge of the IMSI of the recipient subscriber, and secondly, the SMS-center does not know anything about the location of the subscriber. Let's not forget that we are talking about mobile communications, and the subscriber may be in Moscow today, and tomorrow he will be in Oslo 3. But in fact, it's not all that bad, because the mobile network has a subscriber database HLR, where the movements of subscribers are recorded with an accuracy of the switch. It is to this database that the SMS center turns to get the IMSI of the subscriber and the address of the switch serving it. The SMS-center sends the MAP protocol SendRoutingInfoForSM message, where the MSISDN number of Boris's subscriber is specified as a parameter.
As we said, the HLR database stores the address of the switch serving.
In addition, the HLR stores the MSISDN and IMSI mappings. It is these two parameters that HLR will return in the SendRoutingInfoForSM response message. Now the SMS-center sends an MT-ForwardSM message to the received address of the switch, in which it transmits the SMS text, indicates the sender's MSISDN number (it will be displayed when receiving an SMS), and addresses the recipient subscriber using IMSI. The receiving switchboard sends an SMS message to subscriber Boris, receiving data on the exact location of the subscriber in its database. Receiving IMSI and other delights So, with the help of the SendRoutingInfoForSM message, the SMS-center receives the subscriber's IMSI and the address of the serving switch by the phone number. If we accept that Alex and Boris are subscribers of different networks in the SMS-message flow scheme, then we will find that that the SendRoutingInfoForSM message goes between networks.
Passage of SMS messages between networks In order for the SMS-center to make a request, it must "know" the HLR address of the foreign network. Although, in fact, this is not necessary. The SMS-center can send a SendRoutingInfoForSM message using the recipient subscriber's phone number as the Global Title. Since the Global Title addresses and telephone numbering are in the same range, the message will be delivered to the recipient's network, and then routed to the corresponding HLR via the telephone number. In the response message, HLR will disclose its address, and in the form of parameters, it will transmit the MSC address and IMSI of the subscriber. As a result, it turns out that an attacker who has connected to the SS7 network can initially only know the number of the attacked subscriber to carry out his attacks. By sending the SendRoutingInfoForSM message, he will receive the HLR address, MSC address and IMSI of the subscriber. Determining the location of the subscriber Now let's move on to the real attacks. The first thing that comes to mind is to determine where the subscriber is. Surely in the bowels of the mobile network there should be information about the current position of the subscriber. And in fact, it is there, although its accuracy is not always
fiveis the same. To clarify this issue, you will have to dive into communication technology again. The structure of cellular networks Everyone has seen antennas of base stations of cellular communications: in cities, they are dotted with almost all high-rise buildings. Outside urban areas, base station antennas are most often installed on special mast structures. Base stations provide radio coverage for the network, which ideally, of course, should be without blind spots. Base stations are connected to BSC (Base Station Controller) in the GSM standard and RNC (Radio Network Controller) in the UMTS standard. The controllers are connected to the MSC switch. At the base station, as a rule, several antennas are installed, each of which covers its own sector, or cell. Each cell has a CID Cell ID. Cells are grouped into groups called Location Area. and are identified by the LAC Location Area Code identifier. Often, the Location Area includes all sectors whose base stations are connected to the same controller. The identifier of the cell serving the subscriber at each moment of time is stored in the controller's database. But both BSC and RNC controllers are connected directly to the switch and have no connections to external networks. It is almost impossible to extract information from there. Each MSC also has its own VLR (Visited Location Register) base, where information about all subscribers within the coverage area of this switch is stored. There is even LAC and CID data for subscribers, but the CID value is updated only at the moment when the subscriber crosses the boundaries of the Location Area or performs any other active action. Although from a network point of view, changing information about a new LAC is just as active, like a phone call. A switch, unlike controllers, has a connection to external networks, and an attacker with access to SS7 can obtain information about the location of subscribers from its database. Three-way Now that we know how mobile networks are built, it will be easy for us to understand the attack technique. The first move absolutely repeats the steps for obtaining the IMSI of the subscriber and the address of the switch serving it. Let's repeat: this is done using the SendRoutingInfoForSM message (the attacker emulates the operation of the SMS center). At this stage, it would be possible to immediately send a request to the switch database, but in this case we risk receiving not the most accurate information, since we cannot be sure whether the phone of a known subscriber performed any active actions in the cell where he is now. To know for sure we need to force the subscriber's phone to perform similar actions, but this must be done so that the subscriber does not notice anything. The standard for SMS-messages implies the ability to form a message in such a way that it will be invisible to the subscriber, the so-called Silent SMS. The phone receives the message, but does not signal that it has been received and does not display it in the list
6received SMS. On the second move, the attacker continues to emulate the operation of the SMS center. He sends Silent SMS to the required subscriber in MT-ForwardSM message. The message itself is sent to the switch, the address of which was received in the first move, and the subscriber is addressed using IMSI. After passing this message, the information about the location of the subscriber in the switch base will be updated. It now contains information about the current LAC and CID. It remains quite a bit to send a request to the switch to obtain data on the cell serving the subscriber. This is done with the ProvideSubscriberInfo message, which is sent to the switch, the subscriber is addressed by IMSI. (As we remember, we already have the address of the commutator and the IMSI of the subscriber.) In mobile networks, this message is used to transmit information about the location of the called subscriber for online billing. If the subscriber is in roaming, the corresponding charging scheme is activated. The ProvideSubscriberInfo message returns the full set of serving cell identifiers: MCC Mobile Country Code, MNC Mobile Network Code, LAC, CID. There are many services on the Internet that allow, using these four parameters, to determine the geographical coordinates of the base station and even the approximate coverage area of the cell.
The point marks the base station, and the building where I am sitting is indeed within the indicated circle. allowing for these four parameters to determine the geographic coordinates of the base station and even the approximate area of cell coverage. In fig. 3 shows the result of determining my location at the time of this writing. The point marks the base station, and the building where I am sitting is indeed within the indicated circle. allowing for these four parameters to determine the geographic coordinates of the base station and even the approximate area of cell coverage. In fig. 3 shows the result of determining my location at the time of this writing. The point marks the base station, and the building where I am sitting is indeed within the indicated circle.
Determining the location of the author of the article Subscriber Availability Disruption (DoS) The next DoS attack on a subscriber. To understand the attack technique, let's again dive into the principles of mobile networks. Registration of a subscriber in roaming Let us consider the signal exchange and the main processes occurring in mobile networks when a subscriber leaves for another country and registers in the network of the operator's roaming partner. Registration of a subscriber in the roaming partner's network 1. Subscriber Alex from the network with the name "Home" goes on vacation at sea, leaving the plane, turns on the phone and gets into the network. The switch MSC Z will use the first digits of the IMSI to determine the country and network from which the subscriber arrived, and sends a SendAuthenticationInfo message to this network to authenticate the subscriber.
The node responsible for authentication and encryption key assignment is called AuC Authentication Center. It determines the encryption key and other service information required for authentication and sends it back. After the subscriber is authenticated, it is necessary to register it on the new MSC Z switch. The switch sends an UpdateLocation message to the “Home” network. This message goes to the HLR. Having received the UpdateLocation message, The HLR sends a CancelLocation message to MSC D (where the subscriber was previously registered), telling it to free memory from Alex's subscriber profile. The HLR then updates the current switch address to MSC Z in its database. In response to the registration request, the HLR sends a subscriber profile to MSC ZninePost InsertSubscriberData. This profile contains the subscriber's connected services and addresses of intelligent platforms, if the subscriber is subscribed to the corresponding services. Most often, the online billing system acts as an intelligent platform, among other things. After completing these actions, the subscriber Alex can make and receive calls in the Zagranitsa network. With an incoming call, the HLR will receive a request for the location of the subscriber, and he will direct the calls to the MSC Z of the "Abroad" network. Conducting an attack What is left for a malicious user to send a subscriber to DoS for incoming calls? Simply send an UpdateLocation message to the subscriber's home network on behalf of the MSC.
DoS attack 1. The message is sent to the HLR, the subscriber is addressed by the IMSI identifier (we already know how to receive the necessary data). Another parameter of the UpdateLocation message is the address of the new switch. The HLR in its database will untie the real switch. 3. HLR will send the subscriber profile to the attacker's equipment. Thus, the subscriber will be outside the network coverage area for incoming calls until one of the events occurs: the subscriber moves to the coverage area of another switch; the subscriber will reboot the phone; the subscriber will make a call or send an SMS message. Any of these actions will initiate the UpdateLocation procedure, which will update the switch address in the HLR database to the current one. SMS interception Consequence of the previous attack We have already covered all the theoretical basis required to understand the method of intercepting SMS messages. In fact, the interception of SMS is a consequence of the previous attack, if the attacker specifies the address of his equipment as a fake MSC. Let's take an example of how SMS messages are intercepted. We believe that the attacker received all the necessary subscriber IDs for Boris and carried out a successful DoS attack on him, specifying the address of his node as a fake MSC.
Interception of SMS messages 1. Subscriber Alex sends an SMS message to subscriber Boris, this message arrives at the switchboard, serving the sender. The switch forwards the message to the SMS center. As we already know, this happens in the MO-ForwardSM of the MAP protocol. The SMS center does not know where subscriber Boris is at the moment, so he sends a request to HLR in the SendRoutingInfoForSM message. Since a successful DoS attack was carried out on Boris's subscriber, the HLR database contains false information about his location. This false information the HLR database contains false information about its location. This false information the HLR database contains false information about its location. This false information elevenand will send the HLR to the SMS center in a SendRoutingInfoForSM response message.
The SMS-center, without suspecting anything, will send an SMS-message in clear text to the received address in the MT-ForwardSM message of the MAP protocol. And behind this address, as we have already said, our attacker is hiding. Opportunities for an attacker Let's assume what benefit an attacker can get by intercepting SMS messages to a subscriber. It seems that this attack is ineffective in order to invade private correspondence: now people communicate mainly in messenger applications. It is much more interesting to get a one-time password from the bank to make a payment. Criminal groups that specialize in hacking bank card accounts often lack just one-time passwords to withdraw funds. Another of the attack scenarios in which SMS interception can be used, recovery of passwords for various Internet services: for e-mail, social networks, public service portals. All of these services may contain confidential information, and its value is the higher, the louder the victim has. Almost all mobile operators request a password to access the subscriber's personal account via SMS. Having gained access to a personal account, an attacker can control services, transfer funds between accounts, and in some cases view the history of SMS messages. Summing Up In conclusion, I would like to say a few words about how mobile operators view SS7 security. First, they believe (and rightly so) that it is impossible to get completely illegal access to the SS7 network. Secondly, there are agreements between all operators for traffic transmission, and even if malicious actions are suddenly noticed from the side of some operator, it will not be difficult to block the source address. Third, there are not many known cases of abuse of SS7 funds. All three statements are perfectly valid. However, each of them has its own but. First but. It is possible to get a connection to SS7, for example, under the guise of a VAS service provider. Most likely, this will not work in Russia, but there are countries with more loyal telecommunications legislation (or with strong corruption). In addition, one should not forget that state special services for their country can also act as an attacker, naturally, on the side of good. Second but. Before stopping harmful actions, they must be noticed. An extremely small number of operators constantly monitor SS7 networks for intrusions and attacks. And even if an attack through the SS7 network is noticed and stopped, no one will be able to tell when it started or how long it lasted. Third but. Several cases of abuse related to SS7 have received widespread resonance and publicity in the media. One of them was reported by Edward Snowden, then information was published in the Washington Post. We are talking about the SkyLock service, which allows you to monitor mobile subscribers, including through SS7 networks.
How long has this service been running? How many subscribers were “under the hood” during its operation? How long would this service have lasted if it hadn't been for Snowden's messages? It is unlikely that we will ever get answers to these questions. Another notorious case of wiretapping of Ukrainian mobile subscribers from the territory. Yes, yes, this is also possible thanks to the capabilities of SS7! Several months passed from the beginning of the attacks to their detection and containment. The attacks were suppressed by administrative and technical methods, however, while the information leaks remained unnoticed, significant damage was caused to the operator and the state.
