Toward The HLR, Attacking The SS7 & SIGTRAN Applications.: Telecommunications Infrastructure Security

The document discusses security issues related to Signaling System 7 (SS7) and SIGTRAN protocols used in telecommunications networks. It provides an overview of SS7 architecture and components, describes reliability features of SS7, and covers important SS7 protocols like ISUP, SCCP, TCAP, and MAP. It also discusses the SIGTRAN evolution to transport SS7 over IP using protocols like Stream Control Transmission Protocol (SCTP). Potential entry points for attacks on SS7 networks are identified.

Uploaded by Oscar Daza

Telecommunications Infrastructure Security

Toward the HLR, attacking the SS7 & SIGTRAN applications.
One step further and mapping the phone system.

Philippe Langlois, P1 Security Inc.
[email protected]

SS7 Basics
Introduction to SS7 in the Phone System

P1 Security Inc, http://www.p1security.com


Why do we have SS7?

• Thanks to hackers!
  Steve Jobs and Steve Wozniak in 1975 with a bluebox
• CCITT#5 in-band signalling sends control messages over the speech channel, allowing trunks to be controlled
• Seize trunk (2600) / KP1 or KP2 / destination / ST
• Started in mid-60’s, became popular after Esquire 1971
• Sounds produced by whistles, electronic dialers, computer programs, recorded tones
SS7 basic architecture

• HLR/VLR : Home Location Register, Visitor Location Register
• AuC : Authentication Center (within HLR)
• EIR : Equipment Identity Register
• MSC : Mobile Switching Center
• STP : Signaling Transfer Point (i.e. Router)

SS7 network


Main focus: reliability
To meet the stringent reliability requirements of public telecommunications networks, a number of safeguards are built into the SS7 protocol:

• STPs and SCPs are normally provisioned in mated pairs. On the failure of individual components, this duplication allows signaling traffic to be automatically diverted to an alternate resource, minimizing the impact on service.
• Signaling links are provisioned with some level of redundancy. Signaling traffic is automatically diverted to alternate links in the case of link failures.
• The SS7 protocol has built-in error recovery mechanisms to ensure reliable transfer of signaling messages in the event of a network failure.
• Management messages (Link Status Signal Units) are constantly sent over the links to monitor their status.

Under the hood: SS7 stack


Important SS7 protocols
• MTP (Message Transfer Part) Layers 1-3: lower level functionality at the Physical, Data Link and Network Level. They serve as a signaling transfer point, and support multiple congestion priority, message discrimination, distribution and routing.
• ISUP (Integrated Services Digital Network User Part): network side protocol for the signaling functions required to support voice, data, text and video services in ISDN. ISUP supports the call control function for the control of analog or digital circuit switched network connections carrying voice or data traffic.
• SCCP (Signalling Connection Control Part): supports higher protocol layers such as TCAP with an array of data transfer services including connectionless and connection oriented services. SCCP supports global title translation (routing based on directory number or application title rather than point codes), and ensures reliable data transfer independent of the underlying hardware.
• TCAP (Transaction Capabilities Application Part): provides the signaling function for communication with network databases. TCAP provides non-circuit transaction based information exchange between network entities.
• MAP (Mobile Application Part): provides inter-system connectivity between wireless systems, and was specifically developed as part of the GSM standard.
• INAP (Intelligent Network Application Part): runs on top of TCAP and provides high-level services interacting with SSP, SCP and SDP in an SS7 network.

MSU: Message Signal Unit

Scanning, Vulnerability, Injection


Entry points in an SS7 network
• Peer relationships between operators
• STP connectivity
• SIGTRAN protocols
• VAS systems e.g. SMSC, IN
• Signalling Gateways, MGW
• SS7 Service providers (GRX, IPX)
• GTT translation
• ISDN terminals
• GSM phones
• LIG (pentest & message relaying madness)
• 3G Femtocell
• SIP encapsulation

SS7 and IP: the SIGTRAN evolution and problems
Basics of IP telephony
SIGTRAN protocols & SCTP scanning

SIGTRAN network


SIGTRAN evolution
• The SIGTRAN protocols specify the means by which SS7 messages can be reliably transported over IP networks (with SCTP).
• The architecture identifies two components: a common transport protocol for the SS7 protocol layer being carried and an adaptation module to emulate lower layers of the protocol. For example:
  • If the native protocol is MTP (Message Transfer Part) Level 3, the SIGTRAN protocols provide the equivalent functionality of MTP Level 2.
  • If the native protocol is ISUP or SCCP, the SIGTRAN protocols provide the same functionality as MTP Levels 2 and 3.
  • If the native protocol is TCAP, the SIGTRAN protocols provide the functionality of SCCP (connectionless classes) and MTP Levels 2 and 3.

SCTP Specs & Advantages

• RFC4960
  • SCTP: Stream Control Transmission Protocol
• Advantages
  • Multi-homing
  • DoS resilient (4-way handshake, cookie)
  • Multi-stream
  • Reliable datagram mode
  • Some of TCP & UDP, improved
SCTP association

Client                              Server
socket(), connect()                 socket(), bind(), listen(), accept()

Client -> Server : INIT
Server -> Client : INIT-ACK
Client -> Server : COOKIE-ECHO
Server -> Client : COOKIE-ACK

Not TCP: 4 way handshake


SCTP Packets
SCTP packet Format (ascii art straight from RFC4960)

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Common Header                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Chunk #1                             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           ...                                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Chunk #n                             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


SCTP Chunk types
ID Value    Chunk Type
--------    ----------
0        -  Payload Data (DATA)
1        -  Initiation (INIT)
2        -  Initiation Acknowledgement (INIT ACK)
3        -  Selective Acknowledgement (SACK)
4        -  Heartbeat Request (HEARTBEAT)
5        -  Heartbeat Acknowledgement (HEARTBEAT ACK)
6        -  Abort (ABORT)
7        -  Shutdown (SHUTDOWN)
8        -  Shutdown Acknowledgement (SHUTDOWN ACK)
9        -  Operation Error (ERROR)
10       -  State Cookie (COOKIE ECHO)
11       -  Cookie Acknowledgement (COOKIE ACK)
12       -  Reserved for Explicit Congestion Notification Echo (ECNE)
13       -  Reserved for Congestion Window Reduced (CWR)
14       -  Shutdown Complete (SHUTDOWN COMPLETE)


SCTP Header
• SCTP Common Header Format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Source Port Number        |     Destination Port Number   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Verification Tag                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Checksum                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
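The parser below is an added example, not code from the slides or from SCTPscan. It puts the packet format, common header and chunk table of the last three slides, and the INIT / INIT-ACK / ABORT messages of the association slide, into code: it computes the CRC32c the Checksum field carries (RFC 4960 Appendix B, stored least-significant byte first), walks the chunk list with the 4-byte padding rule, and applies two RFC 4960 rules a receiver can check on the first handshake message, that an INIT travels alone in its packet and carries Verification Tag 0. The sample INIT and ABORT packets are constructed; port 2905 is the M3UA peering port the deck uses elsewhere, the source port 1111 is arbitrary.

```python
"""Decode an SCTP packet: common header, CRC32c check, chunk walk (RFC 4960).

Added example, not code from the slides or from SCTPscan. The sample packets
are constructed; port 2905 is the M3UA peering port named on the slides.
"""
import struct

# Chunk type IDs, as listed in the RFC 4960 table reproduced on the slide.
CHUNK_TYPES = {
    0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
    5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
    9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK", 12: "ECNE",
    13: "CWR", 14: "SHUTDOWN COMPLETE",
}

# Reflected CRC32c table (Castagnoli polynomial, reflected form 0x82F63B78).
_CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
    _CRC_TABLE.append(c)


def crc32c(data: bytes) -> int:
    """Standard CRC32c: init 0xFFFFFFFF, reflected, final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]
    return crc ^ 0xFFFFFFFF


def sctp_checksum(packet: bytes) -> bytes:
    """Bytes of the Checksum field: CRC32c over the packet with the field
    zeroed, stored least-significant byte first (RFC 4960 Appendix B)."""
    zeroed = packet[:8] + b"\x00\x00\x00\x00" + packet[12:]
    return struct.pack("<I", crc32c(zeroed))


def build_packet(src_port: int, dst_port: int, vtag: int, chunks) -> bytes:
    """Assemble common header + chunks; each chunk is (type, flags, value)."""
    body = b""
    for ctype, flags, value in chunks:
        length = 4 + len(value)                 # chunk length excludes padding
        body += struct.pack("!BBH", ctype, flags, length) + value
        body += b"\x00" * ((-length) % 4)      # pad chunk to a 4-byte boundary
    header = struct.pack("!HHI", src_port, dst_port, vtag)
    return header + sctp_checksum(header + b"\x00" * 4 + body) + body


def parse_packet(packet: bytes) -> dict:
    """Split a packet into header fields and chunks, rejecting bad lengths."""
    if len(packet) < 12:
        raise ValueError("truncated common header")
    src, dst, vtag = struct.unpack("!HHI", packet[:8])
    chunks, off = [], 12
    while off < len(packet):
        if len(packet) - off < 4:
            raise ValueError("truncated chunk header at offset %d" % off)
        ctype, flags, length = struct.unpack("!BBH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):
            raise ValueError("bad chunk length %d at offset %d" % (length, off))
        chunks.append({"type": ctype, "name": CHUNK_TYPES.get(ctype, "UNKNOWN"),
                       "flags": flags, "value": packet[off + 4:off + length]})
        off += length + ((-length) % 4)         # skip the padding as well
    return {"src_port": src, "dst_port": dst, "vtag": vtag,
            "checksum_ok": packet[8:12] == sctp_checksum(packet),
            "chunks": chunks}


def init_violations(parsed: dict) -> list:
    """RFC 4960 rules for the first handshake message: an INIT must be the
    only chunk in its packet and the Verification Tag must be 0."""
    problems = []
    names = [c["name"] for c in parsed["chunks"]]
    if "INIT" in names:
        if len(names) != 1:
            problems.append("INIT bundled with other chunks")
        if parsed["vtag"] != 0:
            problems.append("INIT with non-zero verification tag")
    if not parsed["checksum_ok"]:
        problems.append("CRC32c mismatch")
    return problems


# Constructed INIT chunk value: initiate tag, a_rwnd, outbound/inbound
# stream counts, initial TSN (the fixed fields of RFC 4960 section 3.3.2).
INIT_VALUE = struct.pack("!IIHHI", 0x1234ABCD, 65535, 10, 2048, 1000)


if __name__ == "__main__":
    probe = build_packet(1111, 2905, 0, [(1, 0, INIT_VALUE)])
    decoded = parse_packet(probe)
    print([c["name"] for c in decoded["chunks"]], init_violations(decoded))
```

A monitor in front of an STP or signalling gateway can run `init_violations` over every inbound packet: a CRC mismatch or a bundled INIT is never legitimate peer traffic, and the chunk walk refuses lengths that run past the packet instead of trusting them.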


SCTPscan: Mapping SIGTRAN

• SCTPscan
  • Linux, BSD, MacOS X, Solaris, ...
  • IP scan, portscan, fuzzing, dummy server, bridge
  • Included in BackTrack
• SCTP Tricks: port mirroring, instreams connections
• NMAP new SCTP support (-Y), lacks tricks
• SIGTRAN usually requires peer config
• This is not the average TCP/IP app
From RFC...

Attacker                            Servers
Attacker -> Servers, port 100 : INIT      (no answer)
Attacker -> Servers, port 101 : INIT      (no answer)
Attacker -> Servers, port 102 : INIT
Servers, port 102 -> Attacker : INIT-ACK

Closed? Packet loss? Delay? Re-xmit?
Improved SCTPscan: stealth scan

Attacker                            Servers
Attacker -> Servers, port 101 : INIT
Servers, port 101 -> Attacker : ABORT
Attacker -> Servers, port 102 : INIT
Servers, port 102 -> Attacker : INIT-ACK

Fast, positive, TCP-like
SCTPscan Usage

root@gate:~/sctp# ./sctpscan --scan --autoportscan -r 203.151.1
Netscanning with Crc32 checksumed packet
203.151.1.4 SCTP present on port 2905
203.151.1.4 SCTP present on port 7551
203.151.1.4 SCTP present on port 7701
203.151.1.4 SCTP present on port 8001
203.151.1.4 SCTP present on port 2905
root@gate:~/sctp#


What goes over SCTP?

+------------------------------------+
| Telephony Signalling Protocol      |
+------------------------------------+
+------------------------------------+
| User Adaptation Layers             |
+------------------------------------+
+------------------------------------+
|Stream Control Transmission Protocol|
| (SCTP)                             |
+------------------------------------+
+------------------------------------+
| Internet Protocol (IPv4/IPv6)      |
+------------------------------------+
From RFC 4166

User Adaptation Layer: M2PA

M3UA Protocol Adaptation Layer


SS7 Peering: attacker enemy

Legitimate Peer -> Server or STP, port 2905 : INIT
Server or STP -> Legitimate Peer : INIT-ACK      (M3UA peering!)

Attacker -> Server or STP, port 1111 : INIT
Server or STP -> Attacker : ABORT
Attacker -> Server or STP, port 2905 : INIT, INIT, INIT... (INITs)
No answer on actual peering port: How rude!

On SS7 application attacks: hackers lose

SCCP User Adaptation (SUA) Layer


Scanning the SS7 perimeter
SS7 protection methods and vulnerabilities
SS7 scanning and audit strategies

SS7 Perimeter Boundaries


STP as SCCP Firewall

• A “kind of” NAT
• SubSystems allowed by STP, protection=route
  • SubSystem scanning & Message injection.
• NI (Network Indicator) Isolation
  • NI=0 : International 0, outside world
  • NI=2 : National 0, telco Internal
  • NI=3 : National 1, country-specific
• List of Signaling Point Code for each perimeter, automation needed.

STP boundary: attacking SS7
SSN Scanning / GTT Scanning / DPC Scanning


Stack de-synchronization: more exposure & attacks
• Different stacks standardized by different people with different goals
  SubSystem scanning
  Topology discovery (needed for IP-based topologies)
• Action available depends on State Machine’s state
• Needs a special engine to inject attack at proper time/state


M3UA Finite State Machine

Figure 3: ASP State Transition Diagram, per AS

                                +--------------+
                                |              |
          +----------------------|  ASP-ACTIVE  |
          |    Other   +-------|              |
          |  ASP in AS |       +--------------+
          |  Overrides |         ^     |
          |            |  ASP    |     | ASP
          |            |  Active |     | Inactive
          |            |         |     v
          |            |       +--------------+
          |            |       |              |:ASP Inactive Ack
          |            +------>| ASP-INACTIVE |:ASP Up Ack
          |                    +--------------+:Notify.param=status=2
          |                      ^     |
 ASP Down/|               ASP    |     | ASP Down /
 SCTP CDI/|               Up     |     | SCTP CDI/
 SCTP RI  |                      |     v SCTP RI
          |                    +--------------+
          |                    |              |:Association loss/closed
          +--------------------->|   ASP-DOWN   |
                                |              |
                                +--------------+

Tests attached to the states of the diagram, each depends on configuration:
• M3UA test
• SCCP tests
• MAP tests
• INAP tests


SS7 Audit Strategies

SCTP portscan
  -> one per M3UA peering: DPC scan
  -> one per NI config: SSN scan


Example of SS7 protocol: ISUP & related attacks
ISUP message types
ISUP call flows

ISUP message (ITU-T)

ISUP Call Initiation Flow


ISUP IAM
• An initial address message (IAM) is sent in the “forward” direction by each switch in the circuit between the calling party and the destination switch of the called party.
• An IAM contains the called party number in the mandatory variable part and may contain the calling party name and number in the optional part.
• Attack: Capacity DoS


ISUP Call Release Flow

ISUP REL
• A release message (REL) is sent in either direction indicating that the circuit is being released due to a specified cause indicator.
• An REL is sent when either calling or called party hangs up the call (cause = 16).
• An REL is also sent back to the calling party if the called party is busy (cause = 17).
• Attack: Selective DoS

ISUP RLC
• A release complete message (RLC) is sent in the opposite direction of an REL to acknowledge the release of the remote end of a trunk circuit and to end the billing cycle, if appropriate.
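As an added example (not code from the slides), the builder and decoder below put the IAM, REL and RLC layouts of the three slides above into code, following the ITU-T Q.763 encoding rules: a 12-bit CIC stored low octet first, a one-octet message type, then pointers to the mandatory variable part. The called party number is decoded from its BCD digits and the REL cause value (16 and 17 on the slides) from the cause indicators parameter. The CICs, numbers and cause values used are constructed.

```python
"""Decode ITU-T ISUP (Q.763) messages: CIC, message type, and the mandatory
variable parameter of IAM (called party number) and REL (cause indicators).

Added example, not code from the slides. Layouts follow the Q.763 encoding
rules; the sample CICs, numbers and cause values are constructed."""

IAM, REL, RLC = 0x01, 0x0C, 0x10
MSG_NAMES = {IAM: "IAM", REL: "REL", RLC: "RLC"}
# Cause values the slides mention (Q.850): 16 normal clearing, 17 user busy.
CAUSE_NAMES = {16: "normal call clearing", 17: "user busy"}


def _bcd_encode(digits: str) -> bytes:
    """Two address digits per octet, first digit in the low nibble."""
    out = bytearray()
    for i in range(0, len(digits), 2):
        lo = int(digits[i])
        hi = int(digits[i + 1]) if i + 1 < len(digits) else 0  # filler nibble
        out.append(lo | (hi << 4))
    return bytes(out)


def _bcd_decode(raw: bytes, odd: bool) -> str:
    digits = "".join(str(b & 0x0F) + str(b >> 4) for b in raw)
    return digits[:-1] if odd else digits          # drop the filler nibble


def _header(cic: int, msg_type: int) -> bytes:
    """12-bit CIC, low octet first, upper 4 bits in the second octet."""
    return bytes([cic & 0xFF, (cic >> 8) & 0x0F, msg_type])


def build_iam(cic: int, called: str) -> bytes:
    """IAM: 5-octet fixed part, pointer to called party number, no optional part."""
    odd = len(called) % 2
    cpn = bytes([(odd << 7) | 0x03, 0x10]) + _bcd_encode(called)  # NAI=3, NP=ISDN
    fixed = bytes([0x00, 0x00, 0x00, 0x0A, 0x00])  # NCI, FCI, CPC=ordinary, TMR=speech
    # Pointer 1 = 2: the parameter's length octet sits two octets after the
    # pointer (right after pointer 2); pointer 2 = 0: no optional part.
    return _header(cic, IAM) + fixed + bytes([2, 0, len(cpn)]) + cpn


def build_rel(cic: int, cause: int, location: int = 0) -> bytes:
    """REL carrying a two-octet cause indicators parameter (ITU-T coding)."""
    ci = bytes([0x80 | (location & 0x0F), 0x80 | (cause & 0x7F)])
    return _header(cic, REL) + bytes([2, 0, len(ci)]) + ci


def build_rlc(cic: int) -> bytes:
    return _header(cic, RLC) + bytes([0])       # only an (empty) optional pointer


def _variable_param(msg: bytes, ptr_pos: int) -> bytes:
    """Follow a pointer to a mandatory variable parameter, with bounds checks."""
    if len(msg) <= ptr_pos:
        raise ValueError("message ends before parameter pointer")
    start = ptr_pos + msg[ptr_pos]
    if len(msg) <= start:
        raise ValueError("pointer runs past the message")
    plen = msg[start]
    param = msg[start + 1:start + 1 + plen]
    if len(param) != plen:
        raise ValueError("parameter length %d runs past the message" % plen)
    return param


def parse_isup(msg: bytes) -> dict:
    if len(msg) < 3:
        raise ValueError("truncated CIC/message type")
    cic = msg[0] | ((msg[1] & 0x0F) << 8)
    mtype = msg[2]
    out = {"cic": cic, "type": MSG_NAMES.get(mtype, "0x%02X" % mtype)}
    if mtype == IAM:
        param = _variable_param(msg, 3 + 5)     # pointer follows the fixed part
        if len(param) < 2:
            raise ValueError("called party number too short")
        out["nai"] = param[0] & 0x7F
        out["called"] = _bcd_decode(param[2:], bool(param[0] & 0x80))
    elif mtype == REL:
        param = _variable_param(msg, 3)
        if len(param) < 2:
            raise ValueError("cause indicators too short")
        # With the first extension bit clear, a recommendation octet precedes
        # the cause value octet (Q.850), so the cause moves one octet later.
        idx = 1 if param[0] & 0x80 else 2
        if len(param) <= idx:
            raise ValueError("cause indicators too short")
        out["location"] = param[0] & 0x0F
        out["cause"] = param[idx] & 0x7F
        out["cause_name"] = CAUSE_NAMES.get(out["cause"], "other")
    return out
```

Fed from a link monitor, `parse_isup` gives a defender the raw counts behind the two attack labels on the slides: REL messages with cause 16 for calls that never showed an IAM (the selective case) and IAM rate per originating point code (the capacity case).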


A Practical SS7 Information Gathering
Send Routing Info or monitoring anyone with a phone, anywhere...

Geolocation & Information Gathering
• SS7 MAP message: SendRoutingInfo (SRI)
• Sends back the MSC in charge. Correlates to country.
• Nobody knows I’m not an HLR.
• Real world usage: Identification for SPAM, 150 EUR for 10k, HTTP APIs & GW
• Attack: Global tracking and geolocation of any phone

A practical SS7 attack
Disabling incoming calls to any subscriber


Location Update process
• The MAP updateLocation (UL) message contains subscriber's IMSI and MSC/VLR addresses.
• Once UL reaches the HLR, it changes the serving MSC/VLR address in subscriber's profile using MAP insertSubscriberData messages.
• From then on the HLR will use MSC/VLR addresses from it as addresses of real MSC/VLR.
• It's not even necessary to complete whole UL-ISD-ISDack-ULack transaction!
• The HLR will complete the operation by sending a MAP cancelLocation message to the serving VLR to delete subscriber's information from it.

Location Update Call Flow
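The slide above describes an updateLocation that re-points a subscriber's serving VLR without the UL-ISD-ISDack-ULack exchange ever completing. The script below is an added example, not from the slides or from any P1 Security tool, of two checks an HLR-side monitor could run over its own MAP event log: a serving-VLR change to another country sooner than a real roamer could travel, and an updateLocation that is never acknowledged. The event format (timestamp, IMSI, MAP operation, VLR global title), the global-title-to-country table and the sample log lines are all constructed.

```python
"""Flag suspicious MAP updateLocation activity in an HLR-side event log.

Added example, not from the slides or any P1 Security tool. The log format
(timestamp, IMSI, MAP operation, VLR global title), the GT-to-country table
and the sample lines are constructed for this example."""
from collections import namedtuple

Event = namedtuple("Event", "ts imsi op gt")

# Hypothetical E.164 country prefixes for VLR/MSC global titles.
GT_COUNTRY = {"33": "FR", "49": "DE", "1": "US"}
ACK_TIMEOUT = 30          # seconds an updateLocation may stay unacknowledged
MIN_ROAM_SECONDS = 3600   # a country change faster than this is implausible


def country_of(gt: str) -> str:
    """Longest-prefix match of a global title against the country table."""
    for plen in (3, 2, 1):
        country = GT_COUNTRY.get(gt[:plen])
        if country:
            return country
    return "??"


def parse_line(line: str) -> Event:
    ts, imsi, op, gt = line.split()
    return Event(int(ts), imsi, op, gt)


def analyse(lines, now: int) -> list:
    """Return (imsi, reason) alerts for the log lines, evaluated at time `now`."""
    serving = {}   # imsi -> (vlr gt, ts): what the HLR now believes
    pending = {}   # imsi -> Event of an updateLocation awaiting its ack
    alerts = []
    for ev in map(parse_line, lines):
        if ev.op == "updateLocation":
            prev = serving.get(ev.imsi)
            if prev is not None:
                old_c, new_c = country_of(prev[0]), country_of(ev.gt)
                if old_c != new_c and ev.ts - prev[1] < MIN_ROAM_SECONDS:
                    alerts.append((ev.imsi, "serving country %s to %s after %d s"
                                   % (old_c, new_c, ev.ts - prev[1])))
            # As the slide notes, the HLR switches the serving VLR on receipt
            # of the UL, before the transaction completes; mirror that here.
            serving[ev.imsi] = (ev.gt, ev.ts)
            pending[ev.imsi] = ev
        elif ev.op == "updateLocation_ack":
            pending.pop(ev.imsi, None)
        # insertSubscriberData / cancelLocation events carry no state here.
    for imsi, ul in pending.items():
        if now - ul.ts > ACK_TIMEOUT:
            alerts.append((imsi, "updateLocation from %s never acknowledged" % ul.gt))
    return alerts


# Constructed sample log: one subscriber registers in FR, then an
# updateLocation from a DE global title arrives 500 s later and is never
# acknowledged; a second subscriber registers normally.
SAMPLE_LOG = [
    "1000 208011234567890 updateLocation 33612000001",
    "1001 208011234567890 updateLocation_ack 33612000001",
    "1500 208011234567890 updateLocation 49170000001",
    "2000 208019999999999 updateLocation 33612000002",
    "2001 208019999999999 updateLocation_ack 33612000002",
]

if __name__ == "__main__":
    for imsi, reason in analyse(SAMPLE_LOG, now=2100):
        print(imsi, reason)
```

Both checks work from data the HLR already has, so they need no cooperation from the peer network that sent the message; the thresholds are deliberately simple placeholders and would be tuned per operator.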


Attack implementation
IMSI scanning / querying needed!

Attack success

3G: New threat perimeters
The walled garden is opening up...


Femto Cell & user control
• Node B in user home, IPsec tunnel, SIGTRAN
• Real world example: ARM hw with RANAP
• Insecure
  • Untested hw
  • Unprotected IPsec
  • No regular pentest
• No tools! Need for Binary vulnerability audit

Image Credit: Intomobile
Femto-cell attack vectors
• Unaudited Proprietary software from Alcatel
  • Attack: Binary vulnerability audit gives 0day
  • Attack: Vulnerable Linux 2.6 kernel
• Global settings for IPsec tunnels
  • Attack: Border access
• Lack of SS7 and SIGTRAN filtering
  • Attack: Injection of RANAP and SS7 in the Core Network

Injecting SS7 through SIP
New perimeters, new entry points, new threats


SIP to SS7 ?
• SIP is used to connect two SS7 clouds
• Support to bridge SS7 context through SIP
• SIP injection of SS7 adds a header to standard SIP headers
• New SS7 perimeter, even for non-telco

Getting secure...
How to secure an insecure network being more and more exposed?


Tools and methods

• Manual SS7 audit & pentest (hard!)
• P1security SIGTRANalyzer to audit perimeters
  • SS7 interconnect, Value Added Services
  • Core Network
  • Femto Cell access network
  • SIP & Convergent services
• Customer Acceptance Testing : equipment reverse engineering and binary auditing.


Current developments
• SCTPscan
  • Bridging support, instream scanning
  • Open source
• ss7calc
  • Like ipcalc (FLOSS), to understand network topology
  • Complexity: ITU: 3-8-3, 5-4-5, ANSI: 8-8-8
• SIGTRANalyzer
  • SS7 and message injection audit, information gathering, leak analysis
  • Commercial product
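As an added example, not the ss7calc tool itself (the slide only names it), the helpers below implement the conversions such a calculator needs: splitting an integer point code into the ITU 3-8-3 and 5-4-5 or ANSI 8-8-8 fields quoted on the slide and joining them back, with range checks on every field. The last two functions reuse those conversions for the per-NI point code lists that the earlier "STP as SCCP Firewall" slide says each perimeter needs; the NI labels are the slide's, the perimeter table itself is constructed.

```python
"""Point code arithmetic of the kind the ss7calc slide describes, plus the
per-NI point code lists the STP-as-SCCP-firewall slide calls for.

Added example, not the ss7calc tool itself. Field widths are the formats
quoted on the slide (ITU 14-bit: 3-8-3 or 5-4-5; ANSI 24-bit: 8-8-8). The
perimeter table is constructed."""

FORMATS = {"3-8-3": (3, 8, 3), "5-4-5": (5, 4, 5), "8-8-8": (8, 8, 8)}

# Network indicator values as labelled on the STP-as-SCCP-firewall slide.
NI_NAMES = {0: "International 0", 2: "National 0", 3: "National 1"}


def split_pc(pc: int, fmt: str) -> tuple:
    """Integer point code -> tuple of fields, most significant field first."""
    widths = FORMATS[fmt]
    total = sum(widths)
    if not 0 <= pc < (1 << total):
        raise ValueError("point code %d does not fit in %d bits" % (pc, total))
    fields, shift = [], total
    for w in widths:
        shift -= w
        fields.append((pc >> shift) & ((1 << w) - 1))
    return tuple(fields)


def join_pc(fields, fmt: str) -> int:
    """Tuple of fields -> integer point code, checking each field's range."""
    widths = FORMATS[fmt]
    if len(fields) != len(widths):
        raise ValueError("expected %d fields for %s" % (len(widths), fmt))
    pc = 0
    for value, w in zip(fields, widths):
        if not 0 <= value < (1 << w):
            raise ValueError("field value %d exceeds %d bits" % (value, w))
        pc = (pc << w) | value
    return pc


def format_pc(pc: int, fmt: str) -> str:
    return "-".join(str(f) for f in split_pc(pc, fmt))


def parse_pc(text: str, fmt: str) -> int:
    return join_pc(tuple(int(f) for f in text.split("-")), fmt)


def convert(text: str, from_fmt: str, to_fmt: str) -> str:
    """Rewrite a dotted point code from one notation to another (e.g. 3-8-3
    to 5-4-5); both notations must describe the same code size."""
    if sum(FORMATS[from_fmt]) != sum(FORMATS[to_fmt]):
        raise ValueError("%s and %s are different code sizes" % (from_fmt, to_fmt))
    return format_pc(parse_pc(text, from_fmt), to_fmt)


# Constructed perimeter table: per NI, the ITU point codes (3-8-3 notation)
# an STP is allowed to route towards. NI 3 deliberately has no entry.
PERIMETER = {
    0: {"2-1-1", "2-1-2"},           # international peers
    2: {"1-0-1", "1-0-2", "1-0-3"},  # national, telco internal
}


def allowed(ni: int, dpc: int) -> bool:
    """Is a message with this NI and destination point code inside a perimeter?"""
    return format_pc(dpc, "3-8-3") in PERIMETER.get(ni, set())


def classify(messages) -> list:
    """(ni, dpc) pairs -> (NI label, dotted DPC, 'route' or 'drop') for a report."""
    return [(NI_NAMES.get(ni, "NI=%d" % ni), format_pc(dpc, "3-8-3"),
             "route" if allowed(ni, dpc) else "drop") for ni, dpc in messages]
```

The same integer point code reads 2-1-1 in 3-8-3 notation and 8-0-9 in 5-4-5, which is exactly the confusion a calculator like ss7calc removes when perimeter lists from different sources are merged.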


Conclusions
• SS7 is not closed anymore
• Industrializing the solution
  • From pentest to continuous testing (hardware and operations)
  • Security services and products
• Mindsets are changing: more open to managing the SS7 security problem.


Credits
• Key2, Emmanuel Gadaix, Telecom Security Task Force, Fyodor Yarochkin
• Bogdan Iusukhno
• Skyper and the THC SS7 project
• All the 7bone security researchers

• CISCO SS7 fundamentals, CISCO press
• Introduction to SS7 and IP, by Lawrence Harte & David Bowler
• Signaling System No. 7 (SS7/C7) - Protocol, Architecture and Services, by Lee Dryburgh, Jeff Hewett


THANKS!

• Questions welcome
• Philippe Langlois, [email protected]
• More slides on http://www.p1security.com