Wednesday, August 31, 2016

Attacking SS7: Mobile Operators Security Analysis

The interception of calls is quite a challenging task, but not only intelligence services can pull it off. A subscriber may become a victim of an average hacker who is familiar with the architecture of signaling networks. Commonly known SS7 vulnerabilities allow for the interception of phone calls and texts, can reveal a subscriber’s location, and can disconnect a mobile device from a network.

In 2015, Positive Technologies experts conducted 16 sets of testing involving SS7 security analysis for leading mobile EMEA and APAC operators. The results of the top three projects are included in the statistics below. In this article, we will review the security level experienced by mobile network subscribers, as well as all industrial and IoT devices — from ATMs to GSM gas pressure control systems, which are also considered mobile network subscribers. This article describes detected issues and suggests ways to counter threats.

Due to confidentiality agreements, we cannot disclose the names of companies that took part in the research, but half of the examined SS7 networks belong to large mobile operators with more than 40 million subscribers.

Subscriber database size

Hello from the 70s

The SS7 system CCS-7 which dates back to the 1970s is riddled with security vulnerabilities like the absence of any encryption or service messages validation. While for some time this did not pose any risk to subscribers or operators, as the SS7 network was a closed system available only to landline operators, now the network has evolved to meet new standards of mobile connection and service support. In the early 21st century, a set of signaling transport protocols called SIGTRAN was developed. SIGTRAN is an extension to SS7 that allows for the use of IP networks to transfer messages, and this innovation means the signaling network is not longer isolated.

It is important to note that is is still impossible to penetrate the network directly — a hacker would need an SS7 gateway. But getting access to that gateway is relatively easy, as anyone may obtain the operator’s license in countries with lax laws or purchase access through the black market from a legal operator. There are several ways to get into a network using hacked carrier equipment, GGSN or a femtoсell. If there is an engineer in a hacker group, they will be able to conduct a chain of attacks using legitimate commands or connect their equipment to SS7.

SS7 attacks may be performed from anywhere and an attacker doesn’t have to be in physical proximity to a subscriber, so it is almost impossible to pinpoint him. Additionally the hacker does not need to be a highly skilled professional either. There are many applications for SS7 on the internet, and cellular carriers are not able to block commands from separate hosts due to an unavoidable negative effect on the service and violation of roaming principles.

Originally, SS7 vulnerabilities were demonstrated in 2008. German researcher Tobias Engel showed a technique that allows someone to spy on mobile subscribers. In 2014, Positive Technologies experts presented their report “How to Intercept a Conversation Held on the Other Side of the Planet”. In 2015, Berlin hackers from SR Lab were able to intercept SMS correspondence between Australian senator Nick Xenophon and a British journalist during a live TV broadcast of the Australian program “60 Minutes”. They also managed to geo-track the politician during his business trip to Tokyo.

Espionage, Calls, and SMS Interception

The overall security level of the examined SS7 networks was far below average. In 2015, the following problems with SS7 networks of major mobile operators were found: subscriber data leakage (77% of successful attempts), network operation disruption (80%), and fraud (67%).

We were able to intercept incoming texts in each network, and almost nine out of ten attacks (89%) were successful. This presents a poor image in terms of security as SMS messages are frequently used in two-factor authentication systems and for password recovery on various websites. We employed the UpdateLocation method to test this and an adversary registers a target subscriber in a false network. Then all incoming SMS messages get transferred to the indicated address.

Successful attacks targeted to obtain sensitive information by type

It was also possible to retrieve balance data in almost every single case (92% of attacks) using the ProcessUnstructeredSS-Request message, the body of which contains the corresponding USSD command.

The security of voice calls is better as only half of interception attacks were successful, but that is still a large risk for subscribers. In order to test terminating calls, we used roaming number spoofing and for originating calls, tapping was performed using the InsertSubscriberData method. In both cases, we redirected traffic to a different switch.

Location tracking methods (ratio of successful attacks)

We managed to find out a subscriber’s geodata in all but one network. The most effective methods were SendRoutingInfo and ProvideSubscriberInfo. The latter allowed access over half of the time (53%).

The most valuable subscriber data is the IMSI, as this unique number is essential for the majority of attacks. The easiest way to obtain it is using the SendRoutingInfo method.

Information leakage methods (ratio of successful attacks)

The SendRoutingInfoSM method worked in 70% of cases. It is used for incoming texts to inquire routing data and location, and SendIMSI allows a hacker to obtain a subscriber’s identifier but it is less effective (25% success rate).

Committing Fraud

Each system has its own flaws that allow outsiders to conduct fraudulent actions like call redirection, money transfer from a subscriber’s account, and modification of a subscriber’s profile.

Ratio of successful attacks

The majority of redirection attacks for terminating calls were successful (94%) due to numerous problems related to SS7 protocols and system architecture.

We were able to forward originating calls in only 45% of cases using InsertSubscriberData.

We also performed roaming number spoofing and redirection manipulations to forward terminating calls. Roaming number spoofing is done during a terminating call to a victim who has to be registered in the fake network beforehand. As a response to a roaming number inquiry, an attacker sends a redirection number, and a cellular carrier will have to pay the expenses for all established connections.
Redirection manipulation is unauthorized unconditional forwarding when all terminating calls will be redirected to a given number at the subscriber’s expense.

Methods of terminating calls forwarding (ratio of successful attacks)

Modification of a subscriber’s profile was successful in half of attack attempts with InsertSubscriberData (54%). An attacker can change the profile so that originating calls bypass an operator’s billing system. This attack can be used to direct traffic to premium rate numbers and costly locations at the expense of a cellular carrier.

Subscriber DoS Attack

In order to make subscriber equipment (phone, modem, GSM signaling system or sensor) unavailable for incoming transactions, a hacker may conduct targeted attacks on mobile network subscribers. The majority of researched SS7 networks are vulnerable to DoS attacks (80% success rate).

In all cases, we used the UpdateLocation method, which requires prior knowledge of a subscriber's IMSI. The UpdateLocation message is sent to the operator's network informing HLR of the subscriber's registration in a false network. Then all terminating calls are routed to the address specified during the attack.

What Makes SS7 Vulnerable

Most attacks on SS7 networks were successful due to the lack of verification of an actual subscriber’s location. Other major causes are an inability to check whether a subscriber belongs to a network, an absence of a filtering mechanism for unused signaling messages, and SMS Home Routing configuration error.

Average amount of successful attacks in an SS7 network (depending on a vulnerability type)

What to Do

The majority of flaws that allow an attacker to track a subscriber’s location and steal data could be fixed if operators change network equipment configuration and prohibit the processing of AnyTimeInterrogation and SendIMSI messages via HLR.

The way to fix architecture flaws in protocols and systems is to block undesired messages. A system must consider the use of SendRoutingInfoForSM, SendIMSI, SendRoutungInfoForLCS, SendRoutingInfo. Filtering will help to avoid the risks of DoS, SMS interception, calls forwarding, subscriber’s profile modification.

Not all indicated SS7 messages are dangerous. Operators need to configure filtering to cut off only undesired messages used in attacks, and implement additional security tools, for example, intrusion detection systems. These systems do not interfere with network traffic and are capable of detecting malicious activity and determining necessary configuration for message filtering.

You may find the full research here:

No comments:

Post a Comment