Upload
siddharth-rao
View
874
Download
2
Embed Size (px)
Citation preview
1 © Nokia Solutions and Networks 2015
Check_IMEI Misusage
Siddharth Rao / Silke Holtmanns / Ian Oliver / Tuomas Aura
21-08-2015
Public
2 © Nokia Solutions and Networks 2015
Agenda
Public
• Background of SS7 attacks
• Normal Check_IMEI procedure
• Assumptions
• Attack scenario description
• Summary
3 © Nokia Solutions and Networks 2015
• Telecommunication systems are vulnerable.
• Recent attacks
• Locate
• Trace/intercept
• Manipulate
Frauds
Illegitimate activities
• Core network Protocol
• Signaling System #7
Public
Motivation
4 © Nokia Solutions and Networks 2015
• Protocol foundation to enable roaming.
• Call establishment , management and release.
• Short Message Services (SMS).
• Supplementary services.
• Toll free numbers.
• Tele-voting.
• Enhanced Message Services (EMS).
• Local Number Portability (LNP).
Signaling System #7
Public
7 © Nokia Solutions and Networks 2015 Public
Unblocking stolen mobile devices using SS7-MAP vulnerabilities Exploiting the relationship between IMEI and IMSI for EIR access
- Siddharth Rao, Dr. Silke Holtmanns, Dr. Ian Oliver, Dr Tuomas Aura
10 © Nokia Solutions and Networks 2015
• Attacker has a stolen phone which is blacklisted and he knows the IMSI (Subsriber id) which was associated with it while blocking or last use by the victim. The attacker does not need to have the original SIM as it is sufficient to have just the IMSI.
• Attacker has access to SS7 network.
• The Global Title (GT, “SS7 name of a node”) of the Equipment Identity
Register (EIR) is required.
• Mobile Switching Center (MSC) GT might be needed (depending on operator
configuration).
• Feature and IMSI check options are enabled.
Public
Assumptions
11 © Nokia Solutions and Networks 2015
Users loose their phones and find it again, easy ”recovery” in EIR wanted MSC sends IMEI (device id) along with IMSI (subscriber id) during
MAP_CHECK_IMEI. Initially the IMEI is checked to know the list it belongs to. If it is found
on the black list, an additional check of IMSI is made. If there is a match between IMSI provisioned with IMEI in the EIR database (This is the IMSI-IMEI pair in the EIR before the victim blocks his stolen device.) with the IMSI found in MAP_CHECK_IMEI message then this overrides the blacklist condition.
Phone no longer blacklisted.
Public
Feature
14 © Nokia Solutions and Networks 2015
1. A CHECK_IMEI* is received with IMEI = 12345678901234, and IMSI = 495867256894125.
2. An individual IMEI match is found indicating that the IMEI is on the Black List.
3. Normally required response would be Black Listed, however; because an IMSI is present in the message, and the IMEI is on the Black List, the IMSI is compared to the IMSI entry in the database for this IMEI.
4. In this case, the IMSI in the RTDB matches the IMSI in the query, thus the Black Listed condition is cancelled/overridden.
5. EIR formulates a CHECK_IMEI* response with Equipment Status = 0 whiteListed.
Public
Example
15 © Nokia Solutions and Networks 2015
• Stolen phones would have much higher value, if they are not blacklisted and can be sold via ebay or simlar means.
Why should somebody do this?
Public
Source: http://www.wired.com/2014/12/where-stolen-smart-phones-go/
• 1 in 10 smart-phone owners are the victims of phone theft.
• In United States, 113 phones per minute are stolen or lost.
$7 million worth of smart phones on a daily basis.
16 © Nokia Solutions and Networks 2015 Public
EIR Coverage
Source: Farrell, G. (2015). Preventing phone theft and robbery: the need for government action and international coordination. Crime Science, 4(1), 1-11.
17 © Nokia Solutions and Networks 2015
• Attack has not been observed in real networks.
• Research was done on protocol level and publicly available information.
• Not all EIRs affected.
• Business case exist for the attack.
• Easy to add ”Check_IMEI*” to the filter list of network internal messages to stop this kind of attack before it appears in real.
Public
Summary
20 © Nokia Solutions and Networks 2015
Public
Copyright and confidentiality
The contents of this document are proprietary and confidential property of Nokia Solutions and Networks. This document is provided subject to confidentiality obligations of the applicable agreement(s).
This document is intended for use of Nokia Solutions and Networks customers and collaborators only for the purpose for which this document is submitted by Nokia Solution and Networks. No part of this document may be reproduced or made available to the public or to any third party in any form or means without the prior written permission of Nokia Solutions and Networks. This document is to be used by properly trained professional personnel. Any use of the contents in this document is limited strictly to the use(s) specifically created in the applicable agreement(s) under which the document is submitted. The user of this document may voluntarily provide suggestions, comments or other feedback to Nokia Solutions and Networks in respect of the contents of this document ("Feedback"). Such Feedback may be used in Nokia Solutions and Networks
products and related specifications or other documentation. Accordingly, if the user of this document gives Nokia Solutions and Networks Feedback on the contents of this document, Nokia Solutions and Networks may freely use, disclose, reproduce, license, distribute and otherwise commercialize the feedback in any Nokia Solutions and Networks product, technology, service, specification or other documentation.
Nokia Solutions and Networks operates a policy of ongoing development. Nokia Solutions and Networks reserves the right to make changes and improvements to any of the products and/or services described in this document or withdraw this document at any time without prior notice.
The contents of this document are provided "as is". Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation to
the accuracy, reliability or contents of this document. NOKIA SOLUTIONS AND NETWORKS SHALL NOT BE RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS DOCUMENT or for any loss of data or income or any special, incidental, consequential, indirect or direct damages howsoever caused, that might arise from the use of this document or any contents of this document.
This document and the product(s) it describes are protected by copyright according to the applicable laws.
Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their respective owners.
© Nokia Solutions and Networks 2015