Mobile communications are insecure by default

Dmitry Kurbatov, lead information security specialist

Positive Technologies

Contents

― Background

― A very brief introduction to signaling

― Threats to subscribers

Background

Mobile Services Dynamics

Voice

Mobile Data Traffic

Yesterday: Closed Ecosystems

Today: Unified Technologies

Today: Common Interfaces

Today: IP Connectivity

Today: Widen Borders

Get your own femtocell

• Hack it

• Upload modified firmware

• Make a call/SMS interception

• Get into IPsec

• Get into Core network

Tomorrow: virtualization

SIGTRAN

Time Machine

Through SIGTRAN back to 1970’s

A very brief introduction to signaling

SS7 Network

[Diagram: SS7 network linking subscribers A and B with the MSC/VLR, Gateway MSC, HLR, Billing and SMS-C]

Radio Part: Cell Phone, Base Transceiver Station, Base Station Controller

MSC/VLR – Mobile Switching Center / Visitor Location Register

Gateway MSC – Gateway Mobile Switching Center

SMS-C – Short Message Service Center

HLR – Home Location Register

Billing

SS7 IDs

GT – Global Title 0 123 4567890

MSISDN – A or B mobile numbers 0 123 4567890

MSRN – Mobile Subscriber Roaming Number 0 123 4567890

IMSI – International Mobile Subscriber Identity 15 digits

How to get in?

[Diagram, built up over several slides: the SS7 network (HLR, MSC/VLR, Gateway MSC, Billing, SMS-C, subscribers A and B) and the networks around it]

• Core Networks: CS Core, PS Core, IMS

• Access Networks: UTRAN, LTE, Wi-Fi, WiMAX, PON, DSL, Femto

• Exchange Points: GRX/IPX

• Support: OAM, Remote support

• IT: IT network

• Internet

The last slides of the sequence are labelled Traffic and Threats; the Threats slide places six Attacker markers around the network.

Threats to subscribers

A far from complete list

Subscriber location discovery

Call eavesdropping

SMS interception

Money transfer via USSD

Precedents already exist

There is a probability

Subscriber Location Discovery

1) Collect info

2) Receive Cell ID

3) Get point on the map

Location discovery is a popular service

"Scam" / Real service

Collect info

We know: B-Number 0 123 4567802

1. Attacker as SMSC sends SRI4SM (sendRoutingInfoForSM): "I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?"

2. sendRoutingInfoForSM reply: "I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits."

We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits

Get Cell ID

3. Attacker as HLR sends PSI (provideSubscriberInfo; the arrow is labelled PRN on the later slides): "I am HLR. My GT 1 321 4567801. Provide location for the Subscriber-B."

4. provideSubscriberInfo reply: "Cell ID."

MCC: 250

MNC: 90

LAC: 4A67

CID: 673D

Get location

5. Search in Internet physical location by MCC, MNC, LAC, CID

Voice Call Interception

1) Collect info

2) Change subscriber profile

3) Add third party into mobile call

Wiretapping phone calls

Prerequisites

We know: A-Number 0 123 4567802, MSC/VLR 0 123 4567803, Subscriber-A IMSI 15 digits

Change profile

1. Attacker as HLR sends insertSubscriberData: "I am HLR. Change profile for Subscriber-A. Billing GT 1 321 4567801."

2. insertSubscriberData reply: "OK."

Call interception

3. Subscriber A calls to Subscriber B.

4. InitialDP (Attacker as Billing): "Start billing. Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805"

We know: A-Number 0 123 4567802, MSC/VLR 0 123 4567803, Subscriber-A IMSI 15 digits, B-Number 0 123 4567805

5. "Proceed billing and Reroute call to number 1 321 4567802"

6. IAM (Attacker as MSC): "Continue call. Subscriber-A 0 123 4567802 calls to Subscriber-C 1 321 4567802"

8. IAM: "Initiate a new call. Subscriber-A 0 123 4567802 calls to Subscriber-B 0 123 4567805"

Steps 7 and 9 are numbered arrows on the diagram with no caption.

SMS Interception

1) Collect info

2) Spoof MSC

3) Receive incoming SMSs

Interception of incoming SMS

Collect info

We know: B-Number 0 123 4567802

1. Attacker as SMSC sends SRI4SM (sendRoutingInfoForSM): "I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?"

2. sendRoutingInfoForSM reply: "I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits."

We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits

Spoof MSC

3. Attacker as MSC sends updateLocation: "I am MSC/VLR. My GT 1 321 4567801. I serve Subscriber-B IMSI 15 digits."

4. HLR stores: Subscriber-B IMSI 15 digits, MSC/VLR 1 321 4567801

We serve Subscriber-B

SMS interception

5. SMS: “Hi, meet at 8pm at Baker Street”

6. sendRoutingInfoForSM: "I am SMSC. My GT 0 123 4567804. Where is Subscriber-B MSISDN 0 123 4567802?"

7. sendRoutingInfoForSM reply: "I am HLR 0 123 4567800. MSC/VLR 1 321 4567801. Subscriber-B IMSI 15 digits."

HLR sends Attacker address instead of real MSC!

8. SMS-C routes this SMS to the received address.

SMS interception

1. SMS chats

2. One time passwords

3. Confirmation codes

4. Password recovery

Money Transfer Using USSD

1) Collect info

2) Request account status

3) Transfer money

USSD manipulation

The operator compensates subscribers for the losses

Via direct requests to the HLR, without the subscriber's involvement

Collect info

We know: B-Number 0 123 4567802

1. Attacker as SMSC sends SRI4SM (sendRoutingInfoForSM): "I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?"

2. sendRoutingInfoForSM reply: "I am HLR 0 123 4567800. MSC/VLR 0 123 4567803. Subscriber-B IMSI 15 digits."

We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits

Send USSD 1

3. Attacker as MSC/VLR sends *100# as processUnstructuredSS-Request: "I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits?"

4. processUnstructuredSS-Request reply: "Subscriber’s account is $$$$$."

We know: HLR 0 123 4567800, Subscriber-B IMSI 15 digits, Account info.

Send USSD 2

5. Attacker as MSC/VLR sends *123*01238765400*100# as processUnstructuredSS-Request: "I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account."

6. processUnstructuredSS-Request reply: "OK."

We know: HLR 0 123 4567800, Subscriber-B IMSI 15 digits, Real account info.

Subscriber B does not get SMS notification if Attacker combines this attack with the previous one.
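A defensive consistency check for the spoofed messages in the location, call-interception and USSD scenarios above, added here as an example and not taken from the slides: each operation is accepted only if its originating GT matches what the home network already stores for that subscriber. The record fields, the subscriber table and the IMSI are constructed; the GTs are the ones shown on the slides.

```python
from collections import namedtuple

# Hypothetical record: MAP operation name, originating GT (digits only), IMSI
MapMsg = namedtuple("MapMsg", "op calling_gt imsi")

HOME_GT_PREFIX = "0123"      # home-network GTs on the slides start 0 123
IMSI_B = "250900000000002"   # constructed 15-digit IMSI
# Constructed subscriber state: GT of the HLR and of the serving MSC/VLR
SUBSCRIBERS = {IMSI_B: {"hlr": "01234567800", "vlr": "01234567803"}}

HLR_ONLY = {"provideSubscriberInfo", "insertSubscriberData"}
VLR_ONLY = {"processUnstructuredSS-Request"}

def screen(msg):
    """Return (verdict, reason); verdict is 'pass', 'alert' or 'block'."""
    sub = SUBSCRIBERS.get(msg.imsi)
    if sub is None:
        return "pass", "not a home subscriber"
    if msg.op in HLR_ONLY and msg.calling_gt != sub["hlr"]:
        return "block", f"{msg.op} not from subscriber's HLR {sub['hlr']}"
    if msg.op in VLR_ONLY and msg.calling_gt != sub["vlr"]:
        return "block", f"{msg.op} not from serving MSC/VLR {sub['vlr']}"
    if msg.op == "updateLocation" and not msg.calling_gt.startswith(HOME_GT_PREFIX):
        # Roaming makes this legitimate in general, so flag rather than drop.
        return "alert", "registration from a foreign GT, check roaming state"
    return "pass", "origin matches stored state"

# Constructed sample traffic using the GTs from the slides
SAMPLE = [
    MapMsg("provideSubscriberInfo", "13214567801", IMSI_B),
    MapMsg("insertSubscriberData", "13214567801", IMSI_B),
    MapMsg("updateLocation", "13214567801", IMSI_B),
    MapMsg("processUnstructuredSS-Request", "13214567801", IMSI_B),
    MapMsg("processUnstructuredSS-Request", "01234567803", IMSI_B),
]

def verdicts(msgs=SAMPLE):
    """Verdict for each message, in order."""
    return [screen(m)[0] for m in msgs]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.op, m.calling_gt, *screen(m))
```
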

Conclusion

[Diagram repeated: the SS7 network, its entry points and the Attacker markers]

SS7 rules

Just the tip of the iceberg

The End.

Questions?