Mobile networks can be attacked through multiple vectors. In this article, we will consider an attack that allows detecting the cell in which a subscriber is located. I deliberately do not use a more familiar unit of distance because the size of a cell is not fixed: in cities, a cell site may have a range of a few hundred meters, while in rural areas the range is several kilometers.
Three conditions must hold for the attack to succeed:
- The attacker has access to the SS7 network
- The attacker can form arbitrary SS7 messages (the MAP protocol is required for this attack)
- The target network has no filtering of incorrect or suspicious SS7 messages (almost 85% of providers worldwide do not implement such filtering)
During an audit for one of our clients, we detected strange SS7 messages that generated mobile-originated SMS messages, received every now and then. A part of the trace is shown in figure 1. First, each successive message contained the receiver's node address incremented by one, which is to say that the whole address range of the network was being scanned. Another odd thing was that the sender's node address was Greek (2), but the telephone number from which the SMS messages were sent was Israeli (1). Third, the text of the SMS message contained the exact address of the destination node (3).
The SS7 traffic was blocked, and the Greek telephone number became the object of close analysis. We composed a Type-0 SMS message and sent it to this mobile. A Type-0 SMS message is also called a ping SMS: such a message is neither displayed on the phone screen nor saved in the list of received messages. At the same time, delivering it updates the location data in the VLR database. The VLR now holds the current sector in which the cellphone is located, which gives us the opportunity to determine the subscriber's location rather accurately.
We made our first move, but we don't have any results yet. Information about the subscriber's location has been updated, but it is stored deep inside the operator's equipment. So we continued our research to get the data. At the next step, we composed a sendRoutingInfoForSM signaling message (the subscriber's telephone number serves as the parameter) and sent it to the operator's network.
The sendRoutingInfoForSM signaling message (figure 2) has a very interesting feature: one does not need to address a specific piece of equipment to send it successfully; the subscriber's number is enough for the message to reach its destination. The reply message contained confidential information: the address of the Home Location Register (HLR) (1), the International Mobile Subscriber Identity (IMSI) (2), and the address of the MSC/VLR (3) where the subscriber is located.
So now we know the subscriber's IMSI and the address of the switch (MSC) where he or she is located. Moreover, the information about the cell used by the subscriber has just been refreshed by our ping SMS. It's high time to get that information out of the operator. We sent the provideSubscriberInfo message to the MSC/VLR address obtained before, with the IMSI as the parameter. We received the reply message (figure 3) and picked out the cell identifier.
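The three oddities in the trace (an address-range scan, a ping SMS, and a sendRoutingInfoForSM followed by a provideSubscriberInfo from the same foreign node) are exactly the signals the missing filtering layer mentioned above should catch. The following detector, written for this article as an added example and not part of the original audit or of any operator's equipment, runs over a small set of constructed MAP signaling records. The global titles, the home-network prefix, the record layout and the field names are assumptions for illustration; the only standard value used is TP-PID 0x40, which 3GPP TS 23.040 defines as "Short Message Type 0".

```python
"""Defensive checks for the SS7 location-disclosure sequence described above.
Runs offline over constructed records; nothing here touches a real network."""
from collections import defaultdict

HOME_GT_PREFIX = "1111"   # assumed: the home operator's own global-title range (constructed)
SCAN_RUN = 3              # consecutive +1 called addresses before we call it a scan
SMS_TYPE0_PID = 0x40      # 3GPP TS 23.040 TP-PID "Short Message Type 0" (ping SMS)

# Constructed sample of MAP messages as seen at the interconnect. Fields:
#   t    = seconds since start of capture
#   op   = MAP operation name
#   cgpn = calling (sender) global title, cdpn = called (receiver) global title
#   pid  = SMS TP-PID, present only for forwardSM operations
SAMPLE_RECORDS = [
    # a foreign node walking our address range one called GT at a time
    {"t": 10, "op": "mo-forwardSM", "cgpn": "222200000001", "cdpn": "111100000010", "pid": 0x00},
    {"t": 25, "op": "mo-forwardSM", "cgpn": "222200000001", "cdpn": "111100000011", "pid": 0x00},
    {"t": 40, "op": "mo-forwardSM", "cgpn": "222200000001", "cdpn": "111100000012", "pid": 0x00},
    {"t": 55, "op": "mo-forwardSM", "cgpn": "222200000001", "cdpn": "111100000013", "pid": 0x00},
    # legitimate provideSubscriberInfo between our own HLR and one of our own VLRs
    {"t": 60, "op": "provideSubscriberInfo", "cgpn": "111100000001", "cdpn": "111100000020"},
    # the chain from the article, all from one foreign GT: ping SMS, SRI-SM, then PSI
    {"t": 100, "op": "mt-forwardSM", "cgpn": "333300000001", "cdpn": "111100000020", "pid": 0x40},
    {"t": 105, "op": "sendRoutingInfoForSM", "cgpn": "333300000001", "cdpn": "111100000001"},
    {"t": 110, "op": "provideSubscriberInfo", "cgpn": "333300000001", "cdpn": "111100000020"},
    # an ordinary foreign SMSC asking for SMS routing, with no follow-up: benign
    {"t": 200, "op": "sendRoutingInfoForSM", "cgpn": "444400000001", "cdpn": "111100000001"},
]


def is_home_gt(gt):
    """True when the global title belongs to the home network's own range."""
    return gt.startswith(HOME_GT_PREFIX)


def find_address_scans(records, run=SCAN_RUN):
    """Report senders whose called GT increases by exactly one, message after message.
    Returns (calling GT, first called GT, last called GT) per detected run."""
    by_caller = defaultdict(list)
    for r in sorted(records, key=lambda r: r["t"]):
        by_caller[r["cgpn"]].append(int(r["cdpn"]))
    scans = []
    for caller, targets in by_caller.items():
        start = 0
        for i in range(1, len(targets) + 1):
            # a run ends at the last element or when the +1 pattern breaks
            if i == len(targets) or targets[i] != targets[i - 1] + 1:
                if i - start >= run:
                    scans.append((caller, str(targets[start]), str(targets[i - 1])))
                start = i
    return scans


def find_foreign_psi(records):
    """provideSubscriberInfo is exchanged between a network's own HLR and VLR; one that
    arrives over the interconnect from a foreign GT has no legitimate use and should be
    dropped and logged."""
    return [r for r in records
            if r["op"] == "provideSubscriberInfo" and not is_home_gt(r["cgpn"])]


def find_type0_sms(records):
    """Silent (Type 0) SMS delivered from outside the home network: worth alerting on,
    since it refreshes the subscriber's VLR location without the subscriber noticing."""
    return [r for r in records
            if r["op"] == "mt-forwardSM" and r.get("pid") == SMS_TYPE0_PID
            and not is_home_gt(r["cgpn"])]


def find_location_chains(records, window=300):
    """Correlate the sequence from the article: a foreign GT sends sendRoutingInfoForSM
    (learning the IMSI and MSC/VLR address) and then provideSubscriberInfo to a home
    VLR within `window` seconds. A foreign SRI-SM on its own is normal SMS delivery."""
    recs = sorted(records, key=lambda r: r["t"])
    chains = []
    for psi in find_foreign_psi(recs):
        prior = [r for r in recs
                 if r["cgpn"] == psi["cgpn"] and r["op"] == "sendRoutingInfoForSM"
                 and 0 <= psi["t"] - r["t"] <= window]
        if prior:
            chains.append({"gt": psi["cgpn"], "sri_sm_t": prior[-1]["t"],
                           "psi_t": psi["t"], "target_vlr": psi["cdpn"]})
    return chains


if __name__ == "__main__":
    print("address scans:", find_address_scans(SAMPLE_RECORDS))
    print("foreign PSI:", [(r["t"], r["cgpn"]) for r in find_foreign_psi(SAMPLE_RECORDS)])
    print("foreign type-0 SMS:", [(r["t"], r["cgpn"]) for r in find_type0_sms(SAMPLE_RECORDS)])
    print("location chains:", find_location_chains(SAMPLE_RECORDS))
```

The foreign provideSubscriberInfo check is the one that would have stopped the final step outright, and it needs no state: the message simply never has a reason to cross the interconnect. The scan and chain checks are stateful and belong in the monitoring layer rather than the inline filter, because a single sendRoutingInfoForSM from a foreign SMSC is how ordinary international SMS delivery works and must not be blocked.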
Now we only have to determine the subscriber's location on a map. There are many map services available on the Internet that show the location of a base station given its identifier. We can use one of them...
Not surprising at all — Greece, Athens, Nikaia (figure 4). However, we still don't know why he or she needed to scan our network.
Author: Sergey Puzankov, Positive Research