20
1 © Nokia Solutions and Networks 2015 Check_IMEI Misusage Siddharth Rao / Silke Holtmanns / Ian Oliver / Tuomas Aura 21-08-2015 Public

Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities

Embed Size (px)

Citation preview

1 © Nokia Solutions and Networks 2015

Check_IMEI Misusage

Siddharth Rao / Silke Holtmanns / Ian Oliver / Tuomas Aura

21-08-2015

Public

2 © Nokia Solutions and Networks 2015

Agenda

Public

• Background of SS7 attacks

• Normal Check_IMEI procedure

• Assumptions

• Attack scenario description

• Summary

3 © Nokia Solutions and Networks 2015

• Telecommunication systems are vulnerable.

• Recent attacks

• Locate

• Trace/intercept

• Manipulate

Frauds

Illegitimate activities

• Core network Protocol

• Signaling System #7

Public

Motivation

4 © Nokia Solutions and Networks 2015

• Protocol foundation to enable roaming.

• Call establishment , management and release.

• Short Message Services (SMS).

• Supplementary services.

• Toll free numbers.

• Tele-voting.

• Enhanced Message Services (EMS).

• Local Number Portability (LNP).

Signaling System #7

Public

5 © Nokia Solutions and Networks 2015 Public

SS7 Attacks timeline

6 © Nokia Solutions and Networks 2015 Public

SS7 Attacks impact

7 © Nokia Solutions and Networks 2015 Public

Unblocking stolen mobile devices using SS7-MAP vulnerabilities Exploiting the relationship between IMEI and IMSI for EIR access

- Siddharth Rao, Dr. Silke Holtmanns, Dr. Ian Oliver, Dr Tuomas Aura

8 © Nokia Solutions and Networks 2015 Public

Normal IMEI (device ID) Check procedure

9 © Nokia Solutions and Networks 2015 Public

CheckIMEI ASN Structure

Contains only IMEI.

10 © Nokia Solutions and Networks 2015

• Attacker has a stolen phone which is blacklisted and he knows the IMSI (Subsriber id) which was associated with it while blocking or last use by the victim. The attacker does not need to have the original SIM as it is sufficient to have just the IMSI.

• Attacker has access to SS7 network.

• The Global Title (GT, “SS7 name of a node”) of the Equipment Identity

Register (EIR) is required.

• Mobile Switching Center (MSC) GT might be needed (depending on operator

configuration).

• Feature and IMSI check options are enabled.

Public

Assumptions

11 © Nokia Solutions and Networks 2015

Users loose their phones and find it again, easy ”recovery” in EIR wanted MSC sends IMEI (device id) along with IMSI (subscriber id) during

MAP_CHECK_IMEI. Initially the IMEI is checked to know the list it belongs to. If it is found

on the black list, an additional check of IMSI is made. If there is a match between IMSI provisioned with IMEI in the EIR database (This is the IMSI-IMEI pair in the EIR before the victim blocks his stolen device.) with the IMSI found in MAP_CHECK_IMEI message then this overrides the blacklist condition.

Phone no longer blacklisted.

Public

Feature

12 © Nokia Solutions and Networks 2015 Public

Attack Scenario

13 © Nokia Solutions and Networks 2015 Public

CheckIMEI ASN Structure

Contains IMEI and IMSI !!!!

14 © Nokia Solutions and Networks 2015

1. A CHECK_IMEI* is received with IMEI = 12345678901234, and IMSI = 495867256894125.

2. An individual IMEI match is found indicating that the IMEI is on the Black List.

3. Normally required response would be Black Listed, however; because an IMSI is present in the message, and the IMEI is on the Black List, the IMSI is compared to the IMSI entry in the database for this IMEI.

4. In this case, the IMSI in the RTDB matches the IMSI in the query, thus the Black Listed condition is cancelled/overridden.

5. EIR formulates a CHECK_IMEI* response with Equipment Status = 0 whiteListed.

Public

Example

15 © Nokia Solutions and Networks 2015

• Stolen phones would have much higher value, if they are not blacklisted and can be sold via ebay or simlar means.

Why should somebody do this?

Public

Source: http://www.wired.com/2014/12/where-stolen-smart-phones-go/

• 1 in 10 smart-phone owners are the victims of phone theft.

• In United States, 113 phones per minute are stolen or lost.

$7 million worth of smart phones on a daily basis.

16 © Nokia Solutions and Networks 2015 Public

EIR Coverage

Source: Farrell, G. (2015). Preventing phone theft and robbery: the need for government action and international coordination. Crime Science, 4(1), 1-11.

17 © Nokia Solutions and Networks 2015

• Attack has not been observed in real networks.

• Research was done on protocol level and publicly available information.

• Not all EIRs affected.

• Business case exist for the attack.

• Easy to add ”Check_IMEI*” to the filter list of network internal messages to stop this kind of attack before it appears in real.

Public

Summary

18 © Nokia Solutions and Networks 2015

THANK YOU

Public

Contact: [email protected]

19 © Nokia Solutions and Networks 2015 Public

20 © Nokia Solutions and Networks 2015

Public

Copyright and confidentiality

The contents of this document are proprietary and confidential property of Nokia Solutions and Networks. This document is provided subject to confidentiality obligations of the applicable agreement(s).

This document is intended for use of Nokia Solutions and Networks customers and collaborators only for the purpose for which this document is submitted by Nokia Solution and Networks. No part of this document may be reproduced or made available to the public or to any third party in any form or means without the prior written permission of Nokia Solutions and Networks. This document is to be used by properly trained professional personnel. Any use of the contents in this document is limited strictly to the use(s) specifically created in the applicable agreement(s) under which the document is submitted. The user of this document may voluntarily provide suggestions, comments or other feedback to Nokia Solutions and Networks in respect of the contents of this document ("Feedback"). Such Feedback may be used in Nokia Solutions and Networks

products and related specifications or other documentation. Accordingly, if the user of this document gives Nokia Solutions and Networks Feedback on the contents of this document, Nokia Solutions and Networks may freely use, disclose, reproduce, license, distribute and otherwise commercialize the feedback in any Nokia Solutions and Networks product, technology, service, specification or other documentation.

Nokia Solutions and Networks operates a policy of ongoing development. Nokia Solutions and Networks reserves the right to make changes and improvements to any of the products and/or services described in this document or withdraw this document at any time without prior notice.

The contents of this document are provided "as is". Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation to

the accuracy, reliability or contents of this document. NOKIA SOLUTIONS AND NETWORKS SHALL NOT BE RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS DOCUMENT or for any loss of data or income or any special, incidental, consequential, indirect or direct damages howsoever caused, that might arise from the use of this document or any contents of this document.

This document and the product(s) it describes are protected by copyright according to the applicable laws.

Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their respective owners.

© Nokia Solutions and Networks 2015