Pages

Monday, April 21, 2014

Mobile Switching Center DoS

Mobile Services Switching Center (MSC) is a core element in GSM/UMTS network. MSC is responsible for routing voice calls, as well as other services.

Is it difficult to conduct DoS against MSC and leave mobile subscribers without connection? It depends.  We go for SS7 networks.

Modern protocols usually have embedded security features, but not including SS7/SIGTRAN stack.  Difficult connection procedures provide access control for SS7 signal networks, and at the same time, are expensive and mostly red-tape. But convergent IP networks allows us to access SS7 far easier. And this leads to a security threat as an attacker could send signal messages in SS7 networks, as well as intercept and modify the messages on his/her own way.

The results are upset for operators: troubles with hardware, unauthorized calls, subscriber data leakage and so on.

We decide to make operators nightmare come true and conduct DoS against MSC.
MSRN Flood is an appropriate name for our method.

MSRN (Mobile Station Roaming Number) is a number identical to an ordinary telephone number and is used for routing calls from Gateway Mobile Switching Centre to a certain MSC that serves a subscriber at this moment. In fact, it is a temporary subscriber number. Every MSC has a certain configured pool of MSRN numbers.

Exploiting MSRN Flood, an attacker tries to exhaust MSRN pool that make it impossible for the system to route calls.

The attack is successful if MSC pool is rather small and the system does not implement MSRN Flood protection measures.

We test Mobile Switching Center in a lab environment; MSC does not serve subscribers at this moment.


Our traffic generator sent about 6500 provideRoamingNumber MAP messages in 45 seconds.

The test switch stops responding in several seconds. It turns out to have only about 1000 configured identifiers.


As soon as MSRN pool is exhausted, MSC responds with noRaomingNumberAvailable error message. In real life, this means MSC is unable to provide service for incoming mobile calls: actually, a denial of service!

We do not manage to find public information about embedded MSRN Flood protection in MSC, and  conclude that the the attack  success depends on these reasons: the size of MSC pool and Mobile Station Roaming Number timeout.

Also, there are some more interesting facts detected. Default MSRN  timeouts differ depending on vendors (for example, 30 seconds for Ericsson, 45 seconds for Huawei). Normally, MSRN is "alive" for less than a second. Besides, the MSC assigns MSRN for the same  IMSI (International mobile Subscriber Identity) many times. It means that a single IMSI is enough to attack a switch.

That's just the results. We sincerely hope that the situation in real networks is different, and the networks are protected against DoS, but who knows it for sure...

Author: Sergey Puzankov, Positive Research

2 comments:

  1. Great work!Just to clarify, I noticed one MNO implemented a 45 sec time out (Huawei) but I wasn't able to go beyond this. Also interesting enough, yes IP convergence has made it very easy to query IMISIs.

    ReplyDelete
  2. good work. I also developed some vulnerabilities for SS7.I have payloads for approx 30 SS7 Vulnerabilities

    ReplyDelete