SlideShare une entreprise Scribd logo

Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois

P
P1Security

Attacking SS7 From Philippe Langlois at Hackito Ergo Sum 2010

TechnologieBusiness
1  sur  44
Télécharger pour lire hors ligne
Telecommunications Infrastructure Security Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden. Philippe Langlois, P1 Security Inc. phil@p1sec.com
SS7 network Reliability P1 Security Inc, http://www.p1security.com
Why do we have SS7? • Thanks to hackers! Steve Jobs and Steve Wozniak in 1975 with a bluebox • CCITT#5 in-band signalling sends control messages over the speech channel, allowing trunks to be controlled • Seize trunk (2600) / KP1 or KP2 / destination / ST • Started in mid-60’s, became popular after Esquire 1971 • Sounds produced by whistles, electronics dialers, computer programs, recorded tones P1 Security Inc, http://www.p1security.com 3
How to get in? ME vuln. research External APIs to OpenBTS HLR: + crypto location, cracking IMSI OpenBSC Scanning FemtoCell and hacking Hacking SS7 CN SMS  HLR/VLR Home Location Register, Visitor Location Register injection  AuC : Authentication Center (within HLR)  EIR : Equipment Identity Register  MSC : Mobile Switching Center  Illegal : SQL Injection? Uhh?  STP : Signaling Transfer Point (i.e. Router)  Consulting : Nahh... not possible! (?)  LIG : Legal Interception Gateway?  Product : Yes please! P1 Security Inc, http://www.p1security.com
Under the hood: SS7 stack P1 Security Inc, http://www.p1security.com
Important SS7 protocols  MTP (Message Transfer Part) Layers 1-3: lower level functionality at the Physical, Data Link and Network Level. They serve as a signaling transfer point, and support multiple congestion priority, message discrimination, distribution and routing.  ISUP (Integrated Services Digital Network User Part): network side protocol for the signaling functions required to support voice, data, text and video services in ISDN. ISUP supports the call control function for the control of analog or digital circuit switched network connections carrying voice or data traffic.  SCCP (Signaling Control Connection Part): supports higher protocol layers such as TCAP with an array of data transfer services including connection- less and connection oriented services. SCCP supports global title translation (routing based on directory number or application title rather than point codes), and ensures reliable data transfer independent of the underlying hardware.  TCAP (Transaction Capabilities Application Part): provides the signaling function for communication with network databases. TCAP provides non- circuit transaction based information exchange between network entities.  MAP (Mobile Application Part): provides inter-system connectivity between wireless systems, and was specifically developed as part of the GSM standard.  INAP (Intelligent Network Application Part): runs on top of TCAP and provides high-level services interacting with SSP, SCP and SDP in an SS7 network. P1 Security Inc, http://www.p1security.com
MSU: Message Signal Unit Scanning Vulnerability, injection Reach of MSUs! P1 Security Inc, http://www.p1security.com
Entry points in an SS7 network  Peer relationships between operators  STP connectivity  SIGTRAN protocols  VAS systems e.g. SMSC, IN  Signalling Gateways, MGW  SS7 Service providers (GRX, IPX)  GTT translation  ISDN terminals  GSM phones  LIG (pentest & message relaying madness)  3G Femtocell  SIP encapsulation P1 Security Inc, http://www.p1security.com
SS7 and IP: the SIGTRAN evolution and problems Basics of IP telephony SIGTRAN protocols & SCTP scanning P1 Security Inc, http://www.p1security.com
SIGTRAN Protocol: M3UA Protocol Adaptation Layer P1 Security Inc, http://www.p1security.com
SCTP Specs & Advantages  RFC4960  SCTP: Stream Control Transmission Protocol  Advantages  Multi-homing  DoS resilient (4-way handshake, cookie)  Multi-stream  Reliable datagram mode  Some of TCP & UDP, improved P1 Security Inc, http://www.p1security.com 11
SCTP stealth scan Attacker Servers INIT ABORT Port 101 INIT Port 102 INIT-ACK Fast, positive, TCP-like P1 Security Inc, http://www.p1security.com 12
SCTPscan: Mapping SIGTRAN  SCTPscan  Linux, BSD, MacOS X, Solaris, ...  IP scan, portscan, fuzzing, dummy server, bridge  Included in BackTrack  SCTP Tricks: port mirroring, instreams connections  NMAP new SCTP support (-Y), lacks tricks  SIGTRAN usually requires peer config  This is not the average TCP/IP app P1 Security Inc, http://www.p1security.com 13
SCTPscan Usage root@gate:~/sctp# ./sctpscan --scan --autoportscan -r 203.151.1 Netscanning with Crc32 checksumed packet 203.151.1.4 SCTP present on port 2905 203.151.1.4 SCTP present on port 7551 203.151.1.4 SCTP present on port 7701 203.151.1.4 SCTP present on port 8001 203.151.1.4 SCTP present on port 2905 root@gate:~/sctp# P1 Security Inc, http://www.p1security.com 14
UA Peering Tricks Legitimate Peer M3UA Peering! Server or INIT STP INIT- Port 2905 ACK INITs INIT INIT Attacker INIT Port 1111 ABORT No answer on actual peering port: How rude! but useful P1 Security Inc, http://www.p1security.com 15
Scanning the SS7 perimeter SS7 scanning and audit strategies P1 Security Inc, http://www.p1security.com
SS7 Perimeter Boundaries P1 Security Inc, http://www.p1security.com 17
STP as SCCP Firewall  A “kind of” NAT (GTT and SSN exposure)  SubSystems allowed by STP, protection=route  SubSystem scanning & Message injection.  NI (Network Indicator) Isolation  NI=0 : International 0, outside world  NI=2 : National 0, telco Internal  NI=3 : National 1, country-specific  List of Signaling Point Code for each perimeter, automation needed. P1 Security Inc, http://www.p1security.com 18
International SPC List P1 Security Inc, http://www.p1security.com 19
Understanding SPC  Hints on the address plan and network topology  Different SPC lengths ▪ ITU : 14 bits ▪ ANSI : 24 bits  Many different SPC formats ▪ Decimal ▪ ITU: 3-8-3, 5-4-5, ▪ ANSI: 8-8-8  ss7calc  Like ipcalc, Open Source,  http://www.p1sec.com/corp/research/tools/ss7calc/ P1 Security Inc, http://www.p1security.com 20
Comparison with TCP/IP TCP/IP SS7 IPsec endpoint scan, MPLS label SCTP endpoint scan scan,VLAN tag scan Arp or Ping scan MTP3 or M3UA scanning Ping scan using TCP SYN SCCP DPC scanning TCP SYN or UDP port/service SCCP SSN (SubSystem Number) scanning scanning Application (*AP) traffic injection Service-specific attacks and abuses (e.g. MAP, INAP, CAP, OMAP...) (e.g. attacks over HTTP, SMB, RPC, ...) P1 Security Inc, http://www.p1security.com 21
STP boundary: attacking SS7 SSN Scanning GTT Scanning DPC Scanning P1 Security Inc, http://www.p1security.com
Stack de-synchronization: more exposure & attacks  Different stacks standardized by different people with different goals SubSystem scanning Topology discovery (needed for IP-based topologies)  Action available depends on State Machine’s state  Needs a special engine to inject attack at proper time/state P1 Security Inc, http://www.p1security.com 23
M3UA Finite State Machine Figure 3: ASP State Transition Diagram, per AS +--------------+ M3UA test | | +----------------------| ASP-ACTIVE | | Other +-------| |  | ASP in AS | +--------------+ SCCP tests | Overrides | ^ | | | | | ASP Active | | | ASP | Inactive  | | | v  MAP tests | | +--------------+ | | | |:ASP Inactive Ack | +------>| ASP-INACTIVE |:ASP Up Ack | +--------------+:Notify.param=status=2 ASP Down/ SCTP CDI/ SCTP RI | | | | ASP | Up ^ | | | | ASP Down / | SCTP CDI/ v SCTP RI  INAP tests | +--------------+ | +--------------------->| | ASP-DOWN |:Association loss/closed |  Each depends on configuration | | +--------------+ P1 Security Inc, http://www.p1security.com 24
SS7 Audit Strategies SCTP portscan For each M3UA, M2PA, SUA peering (internal, national, intl..) DPC scan For each DPC SSN scan For each SS7 “application” or SSN (HLR, ...) MAP tests Application INAP tests tests CAP tests ... P1 Security Inc, http://www.p1security.com 25
Example of SS7 protocol: ISUP & related attacks ISUP message types ISUP call flows P1 Security Inc, http://www.p1security.com
ISUP Call Initiation Flow IAM attack: Capacity DoS Attack Quiz! P1 Security Inc, http://www.p1security.com
ISUP Call Release Flow REL attack: Selective DoS Attack Quiz! P1 Security Inc, http://www.p1security.com
A Practical SS7 Information Gathering Send Routing Info or monitoring anyone with a phone, anywhere... P1 Security Inc, http://www.p1security.com
Geolocation & Information Gathering  SS7 MAP message: SendRoutingInfo (SRI)  Sends back the MSC in charge. Correlates to country.  Nobody knows i’m not an HLR.  Real world usage: Identification for SPAM, 150 EUR for 10k, HTTP APIs & GW  Attack: Global tracking and geolocation of any phone P1 Security Inc, http://www.p1security.com
A practical, user-targeted SS7 attack Disabling incoming calls to any subscriber P1 Security Inc, http://www.p1security.com
Location Update Call Flow P1 Security Inc, http://www.p1security.com
Attack implementation IMSI scanning / querying needed ! P1 Security Inc, http://www.p1security.com
Attack success P1 Security Inc, http://www.p1security.com
New perimeters, New threats The walled garden is opening up... P1 Security Inc, http://www.p1security.com
Femto Cell & user control  Node B in user home, IPsec tunnel, SIGTRAN  Real world example: ARM hw with RANAP  Insecure  Untested hw  Unprotected IPsec  No regular pentest Image Credit: Intomobile  No tools! Need for Binary vulnerability audit P1 Security Inc, http://www.p1security.com 36
Femto-cell attack vectors  Unaudited Proprietary software from Alcatel  Attack: Binary vulnerability audit gives 0day  Attack: Vulnerable Linux 2.6 kernel  Global settings for IPsec tunnels  Attack: Border access  Lack of SS7 and SIGTRAN filtering  Attack: Injection of RANAP and SS7 in the Core Network P1 Security Inc, http://www.p1security.com 37
SIP to SS7 ?  SIP is used to connect two SS7 cloud  Support to bridge SS7 context through SIP  SIP injection of SS7 adds a header to standard SIP headers  New SS7 perimeter, even for non-telco P1 Security Inc, http://www.p1security.com 38
Getting secure... How to secure an insecure network being more and more exposed? P1 Security Inc, http://www.p1security.com
Tools and methods  Manual SS7 audit & pentest (hard!)  Product Testing (Customer Acceptance)  telco equipment reverse engineering and binary auditing  Huawei MGW (vxWorks + FPGAs), Femtos, ...  Automated scan of SS7 perimeters  SS7 interconnect (International and National)  Core Network  Femto Cell access network  SIP & Convergent services  Hint: P1sec SIGTRANalyzer product ;-) P1 Security Inc, http://www.p1security.com 40
Current developments  SCTPscan  Bridging support, instream scanning  Open source  ss7calc - SS7 Point Code calculator  7Bone - Open Research SS7 backbone  P1sec SIGTRANalyzer  SS7 and SIGTRAN vulnerability scanning  Commercial product P1 Security Inc, http://www.p1security.com 41
Conclusions  SS7 is not closed anymore  SS7 security solution are industrializing  Pentest to continuous scanning  Security services and products  Mindset are changing: more open to manage the SS7 security problem, education still needed.  Governments put pressure on telco, National Critical Infrastructure Protection initiatives etc.. P1 Security Inc, http://www.p1security.com
Credits  Key2, Emmanuel Gadaix, Telecom Security Task Force, Fyodor Yarochkin  Bogdan Iusukhno  Skyper and the THC SS7 project  All the 7bone security researchers  CISCO SS7 fundamentals, CISCO press  Introduction to SS7 and IP, by Lawrence Harte & David Bowler  Signaling System No. 7 (SS7/C7) - Protocol, Architecture and Services, by Lee Dryburgh, Jeff Hewett P1 Security Inc, http://www.p1security.com
THANKS!  Questions welcome  Philippe Langlois, phil@p1sec.com  Slides and Tools on http://www.p1security.com P1 Security Inc, http://www.p1security.com

Recommandé

Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 network
Alexandre De Oliveira
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Alejandro Corletti Estrada
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
P1Security
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOs
PositiveTechnologies
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...
DefCamp
 
SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest link
PositiveTechnologies
 
sigtran
sigtransigtran
sigtran
krsgowri
 

Recommandé

Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 network
Alexandre De Oliveira
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Alejandro Corletti Estrada
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
P1Security
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOs
PositiveTechnologies
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...
DefCamp
 
SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest link
PositiveTechnologies
 
sigtran
sigtransigtran
sigtran
krsgowri
 
SIGTRAN - An Introduction
SIGTRAN - An IntroductionSIGTRAN - An Introduction
SIGTRAN - An Introduction
Tareque Hossain
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li In
mhaviv
 
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI GatewayMatrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Comsec
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
PositiveTechnologies
 
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Siddharth Rao
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elements
P1Security
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
P1Security
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS network
Karel Berkovec
 
VoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS Stack
Vikas Shokeen
 
SS7
SS7SS7
SS7
denys.pozniak
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
PositiveTechnologies
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRAN
Stephanie Galloway-Williams
 
Ims call flow
Ims call flowIms call flow
Ims call flow
Morg
 
Sigtran Workshop
Sigtran WorkshopSigtran Workshop
Sigtran Workshop
Luca Matteo Ruberto
 
Sigtran protocol
Sigtran protocolSigtran protocol
Sigtran protocol
Isybel Harto
 
IMS Registration Flow
IMS Registration FlowIMS Registration Flow
IMS Registration Flow
Kent Loh
 
3GPP IMS
3GPP IMS3GPP IMS
3GPP IMS
Chris Venteicher
 
Introduction to sandvine dpi
Introduction to sandvine dpiIntroduction to sandvine dpi
Introduction to sandvine dpi
Mohammed Abdallah
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
P1Security
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
P1Security
 
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
P1Security
 

Contenu connexe

Tendances

Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Siddharth Rao
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
P1Security
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
PositiveTechnologies
 
Ims call flow
Ims call flowIms call flow
Ims call flow
Morg
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
P1Security
 

Tendances (20)

SIGTRAN - An Introduction
SIGTRAN - An IntroductionSIGTRAN - An Introduction
SIGTRAN - An Introduction
 
Ss7 Introduction Li In
Ss7 Introduction Li InSs7 Introduction Li In
Ss7 Introduction Li In
 
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI GatewayMatrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
Matrix Telecom Solutions: SETU VTEP - Fixed VoIP to T1/E1 PRI Gateway
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
 
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elements
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS network
 
VoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS StackVoLTE Interfaces , Protocols & IMS Stack
VoLTE Interfaces , Protocols & IMS Stack
 
SS7
SS7SS7
SS7
 
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyondSS7: the bad neighbor you're stuck with during the 5G migration and far beyond
SS7: the bad neighbor you're stuck with during the 5G migration and far beyond
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRAN
 
Ims call flow
Ims call flowIms call flow
Ims call flow
 
Sigtran Workshop
Sigtran WorkshopSigtran Workshop
Sigtran Workshop
 
Sigtran protocol
Sigtran protocolSigtran protocol
Sigtran protocol
 
IMS Registration Flow
IMS Registration FlowIMS Registration Flow
IMS Registration Flow
 
3GPP IMS
3GPP IMS3GPP IMS
3GPP IMS
 
Introduction to sandvine dpi
Introduction to sandvine dpiIntroduction to sandvine dpi
Introduction to sandvine dpi
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
 

En vedette

HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
Hackito Ergo Sum
 
Common channel Signalling System No 7 ppt
Common channel Signalling System No 7 pptCommon channel Signalling System No 7 ppt
Common channel Signalling System No 7 ppt
Srashti Vyas
 

En vedette (11)

Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
 
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
 
Ss7 tutorial
Ss7 tutorialSs7 tutorial
Ss7 tutorial
 
Signaling system 7 (ss7)
Signaling system 7 (ss7)Signaling system 7 (ss7)
Signaling system 7 (ss7)
 
Signaling system 7 (ss7)
Signaling system 7 (ss7)Signaling system 7 (ss7)
Signaling system 7 (ss7)
 
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networks
 
SS7 Network Technology
SS7 Network TechnologySS7 Network Technology
SS7 Network Technology
 
Common channel Signalling System No 7 ppt
Common channel Signalling System No 7 pptCommon channel Signalling System No 7 ppt
Common channel Signalling System No 7 ppt
 
Wireless hacking and security
Wireless hacking and securityWireless hacking and security
Wireless hacking and security
 
Wireless Hacking
Wireless HackingWireless Hacking
Wireless Hacking
 

Similaire à Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois

Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
DefconRussia
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
EC-Council
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Ramesh Nagappan
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
ICT PRISTINE
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
EnergySec
 
Passive ip traceback disclosing the locations
Passive ip traceback disclosing the locationsPassive ip traceback disclosing the locations
Passive ip traceback disclosing the locations
jpstudcorner
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
How does ping_work_style_1_gv
How does ping_work_style_1_gvHow does ping_work_style_1_gv
How does ping_work_style_1_gv
vgy_a
 

Similaire à Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois (20)

Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...
 
Cisco ios order of operation
Cisco ios order of operationCisco ios order of operation
Cisco ios order of operation
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat Defense
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip security
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data
 
Sudheer tech seminor
Sudheer tech seminorSudheer tech seminor
Sudheer tech seminor
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
 
The Mainframe's Role in Enterprise Security Management - Jean-Marc Darees
The Mainframe's Role in Enterprise Security Management - Jean-Marc DareesThe Mainframe's Role in Enterprise Security Management - Jean-Marc Darees
The Mainframe's Role in Enterprise Security Management - Jean-Marc Darees
 
Ip sec
Ip secIp sec
Ip sec
 
Contents namp
Contents nampContents namp
Contents namp
 
Contents namp
Contents nampContents namp
Contents namp
 
Passive ip traceback disclosing the locations
Passive ip traceback disclosing the locationsPassive ip traceback disclosing the locations
Passive ip traceback disclosing the locations
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
How does ping_work_style_1_gv
How does ping_work_style_1_gvHow does ping_work_style_1_gv
How does ping_work_style_1_gv
 

Dernier

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois

  • 1. Telecommunications Infrastructure Security Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden. Philippe Langlois, P1 Security Inc. phil@p1sec.com
  • 2. SS7 network Reliability P1 Security Inc, http://www.p1security.com
  • 3. Why do we have SS7? • Thanks to hackers! Steve Jobs and Steve Wozniak in 1975 with a bluebox • CCITT#5 in-band signalling sends control messages over the speech channel, allowing trunks to be controlled • Seize trunk (2600) / KP1 or KP2 / destination / ST • Started in mid-60’s, became popular after Esquire 1971 • Sounds produced by whistles, electronics dialers, computer programs, recorded tones P1 Security Inc, http://www.p1security.com 3
  • 4. How to get in? ME vuln. research External APIs to OpenBTS HLR: + crypto location, cracking IMSI OpenBSC Scanning FemtoCell and hacking Hacking SS7 CN SMS  HLR/VLR Home Location Register, Visitor Location Register injection  AuC : Authentication Center (within HLR)  EIR : Equipment Identity Register  MSC : Mobile Switching Center  Illegal : SQL Injection? Uhh?  STP : Signaling Transfer Point (i.e. Router)  Consulting : Nahh... not possible! (?)  LIG : Legal Interception Gateway?  Product : Yes please! P1 Security Inc, http://www.p1security.com
  • 5. Under the hood: SS7 stack P1 Security Inc, http://www.p1security.com
  • 6. Important SS7 protocols  MTP (Message Transfer Part) Layers 1-3: lower level functionality at the Physical, Data Link and Network Level. They serve as a signaling transfer point, and support multiple congestion priority, message discrimination, distribution and routing.  ISUP (Integrated Services Digital Network User Part): network side protocol for the signaling functions required to support voice, data, text and video services in ISDN. ISUP supports the call control function for the control of analog or digital circuit switched network connections carrying voice or data traffic.  SCCP (Signaling Control Connection Part): supports higher protocol layers such as TCAP with an array of data transfer services including connection- less and connection oriented services. SCCP supports global title translation (routing based on directory number or application title rather than point codes), and ensures reliable data transfer independent of the underlying hardware.  TCAP (Transaction Capabilities Application Part): provides the signaling function for communication with network databases. TCAP provides non- circuit transaction based information exchange between network entities.  MAP (Mobile Application Part): provides inter-system connectivity between wireless systems, and was specifically developed as part of the GSM standard.  INAP (Intelligent Network Application Part): runs on top of TCAP and provides high-level services interacting with SSP, SCP and SDP in an SS7 network. P1 Security Inc, http://www.p1security.com
  • 7. MSU: Message Signal Unit Scanning Vulnerability, injection Reach of MSUs! P1 Security Inc, http://www.p1security.com
  • 8. Entry points in an SS7 network  Peer relationships between operators  STP connectivity  SIGTRAN protocols  VAS systems e.g. SMSC, IN  Signalling Gateways, MGW  SS7 Service providers (GRX, IPX)  GTT translation  ISDN terminals  GSM phones  LIG (pentest & message relaying madness)  3G Femtocell  SIP encapsulation P1 Security Inc, http://www.p1security.com
  • 9. SS7 and IP: the SIGTRAN evolution and problems Basics of IP telephony SIGTRAN protocols & SCTP scanning P1 Security Inc, http://www.p1security.com
  • 10. SIGTRAN Protocol: M3UA Protocol Adaptation Layer P1 Security Inc, http://www.p1security.com
  • 11. SCTP Specs & Advantages  RFC4960  SCTP: Stream Control Transmission Protocol  Advantages  Multi-homing  DoS resilient (4-way handshake, cookie)  Multi-stream  Reliable datagram mode  Some of TCP & UDP, improved P1 Security Inc, http://www.p1security.com 11
  • 12. SCTP stealth scan Attacker Servers INIT ABORT Port 101 INIT Port 102 INIT-ACK Fast, positive, TCP-like P1 Security Inc, http://www.p1security.com 12
  • 13. SCTPscan: Mapping SIGTRAN  SCTPscan  Linux, BSD, MacOS X, Solaris, ...  IP scan, portscan, fuzzing, dummy server, bridge  Included in BackTrack  SCTP Tricks: port mirroring, instreams connections  NMAP new SCTP support (-Y), lacks tricks  SIGTRAN usually requires peer config  This is not the average TCP/IP app P1 Security Inc, http://www.p1security.com 13
  • 14. SCTPscan Usage root@gate:~/sctp# ./sctpscan --scan --autoportscan -r 203.151.1 Netscanning with Crc32 checksumed packet 203.151.1.4 SCTP present on port 2905 203.151.1.4 SCTP present on port 7551 203.151.1.4 SCTP present on port 7701 203.151.1.4 SCTP present on port 8001 203.151.1.4 SCTP present on port 2905 root@gate:~/sctp# P1 Security Inc, http://www.p1security.com 14
  • 15. UA Peering Tricks Legitimate Peer M3UA Peering! Server or INIT STP INIT- Port 2905 ACK INITs INIT INIT Attacker INIT Port 1111 ABORT No answer on actual peering port: How rude! but useful P1 Security Inc, http://www.p1security.com 15
  • 16. Scanning the SS7 perimeter SS7 scanning and audit strategies P1 Security Inc, http://www.p1security.com
  • 17. SS7 Perimeter Boundaries P1 Security Inc, http://www.p1security.com 17
  • 18. STP as SCCP Firewall  A “kind of” NAT (GTT and SSN exposure)  SubSystems allowed by STP, protection=route  SubSystem scanning & Message injection.  NI (Network Indicator) Isolation  NI=0 : International 0, outside world  NI=2 : National 0, telco Internal  NI=3 : National 1, country-specific  List of Signaling Point Code for each perimeter, automation needed. P1 Security Inc, http://www.p1security.com 18
  • 19. International SPC List P1 Security Inc, http://www.p1security.com 19
  • 20. Understanding SPC  Hints on the address plan and network topology  Different SPC lengths ▪ ITU : 14 bits ▪ ANSI : 24 bits  Many different SPC formats ▪ Decimal ▪ ITU: 3-8-3, 5-4-5, ▪ ANSI: 8-8-8  ss7calc  Like ipcalc, Open Source,  http://www.p1sec.com/corp/research/tools/ss7calc/ P1 Security Inc, http://www.p1security.com 20
  • 21. Comparison with TCP/IP TCP/IP SS7 IPsec endpoint scan, MPLS label SCTP endpoint scan scan,VLAN tag scan Arp or Ping scan MTP3 or M3UA scanning Ping scan using TCP SYN SCCP DPC scanning TCP SYN or UDP port/service SCCP SSN (SubSystem Number) scanning scanning Application (*AP) traffic injection Service-specific attacks and abuses (e.g. MAP, INAP, CAP, OMAP...) (e.g. attacks over HTTP, SMB, RPC, ...) P1 Security Inc, http://www.p1security.com 21
  • 22. STP boundary: attacking SS7 SSN Scanning GTT Scanning DPC Scanning P1 Security Inc, http://www.p1security.com
  • 23. Stack de-synchronization: more exposure & attacks  Different stacks standardized by different people with different goals SubSystem scanning Topology discovery (needed for IP-based topologies)  Action available depends on State Machine’s state  Needs a special engine to inject attack at proper time/state P1 Security Inc, http://www.p1security.com 23
  • 24. M3UA Finite State Machine Figure 3: ASP State Transition Diagram, per AS +--------------+ M3UA test | | +----------------------| ASP-ACTIVE | | Other +-------| |  | ASP in AS | +--------------+ SCCP tests | Overrides | ^ | | | | | ASP Active | | | ASP | Inactive  | | | v  MAP tests | | +--------------+ | | | |:ASP Inactive Ack | +------>| ASP-INACTIVE |:ASP Up Ack | +--------------+:Notify.param=status=2 ASP Down/ SCTP CDI/ SCTP RI | | | | ASP | Up ^ | | | | ASP Down / | SCTP CDI/ v SCTP RI  INAP tests | +--------------+ | +--------------------->| | ASP-DOWN |:Association loss/closed |  Each depends on configuration | | +--------------+ P1 Security Inc, http://www.p1security.com 24
  • 25. SS7 Audit Strategies SCTP portscan For each M3UA, M2PA, SUA peering (internal, national, intl..) DPC scan For each DPC SSN scan For each SS7 “application” or SSN (HLR, ...) MAP tests Application INAP tests tests CAP tests ... P1 Security Inc, http://www.p1security.com 25
  • 26. Example of SS7 protocol: ISUP & related attacks ISUP message types ISUP call flows P1 Security Inc, http://www.p1security.com
  • 27. ISUP Call Initiation Flow IAM attack: Capacity DoS Attack Quiz! P1 Security Inc, http://www.p1security.com
  • 28. ISUP Call Release Flow REL attack: Selective DoS Attack Quiz! P1 Security Inc, http://www.p1security.com
  • 29. A Practical SS7 Information Gathering Send Routing Info or monitoring anyone with a phone, anywhere... P1 Security Inc, http://www.p1security.com
  • 30. Geolocation & Information Gathering  SS7 MAP message: SendRoutingInfo (SRI)  Sends back the MSC in charge. Correlates to country.  Nobody knows i’m not an HLR.  Real world usage: Identification for SPAM, 150 EUR for 10k, HTTP APIs & GW  Attack: Global tracking and geolocation of any phone P1 Security Inc, http://www.p1security.com
  • 31. A practical, user-targeted SS7 attack Disabling incoming calls to any subscriber P1 Security Inc, http://www.p1security.com
  • 32. Location Update Call Flow P1 Security Inc, http://www.p1security.com
  • 33. Attack implementation IMSI scanning / querying needed ! P1 Security Inc, http://www.p1security.com
  • 34. Attack success P1 Security Inc, http://www.p1security.com
  • 35. New perimeters, New threats The walled garden is opening up... P1 Security Inc, http://www.p1security.com
  • 36. Femto Cell & user control  Node B in user home, IPsec tunnel, SIGTRAN  Real world example: ARM hw with RANAP  Insecure  Untested hw  Unprotected IPsec  No regular pentest Image Credit: Intomobile  No tools! Need for Binary vulnerability audit P1 Security Inc, http://www.p1security.com 36
  • 37. Femto-cell attack vectors  Unaudited Proprietary software from Alcatel  Attack: Binary vulnerability audit gives 0day  Attack: Vulnerable Linux 2.6 kernel  Global settings for IPsec tunnels  Attack: Border access  Lack of SS7 and SIGTRAN filtering  Attack: Injection of RANAP and SS7 in the Core Network P1 Security Inc, http://www.p1security.com 37
  • 38. SIP to SS7 ?  SIP is used to connect two SS7 cloud  Support to bridge SS7 context through SIP  SIP injection of SS7 adds a header to standard SIP headers  New SS7 perimeter, even for non-telco P1 Security Inc, http://www.p1security.com 38
  • 39. Getting secure... How to secure an insecure network being more and more exposed? P1 Security Inc, http://www.p1security.com
  • 40. Tools and methods  Manual SS7 audit & pentest (hard!)  Product Testing (Customer Acceptance)  telco equipment reverse engineering and binary auditing  Huawei MGW (vxWorks + FPGAs), Femtos, ...  Automated scan of SS7 perimeters  SS7 interconnect (International and National)  Core Network  Femto Cell access network  SIP & Convergent services  Hint: P1sec SIGTRANalyzer product ;-) P1 Security Inc, http://www.p1security.com 40
  • 41. Current developments  SCTPscan  Bridging support, instream scanning  Open source  ss7calc - SS7 Point Code calculator  7Bone - Open Research SS7 backbone  P1sec SIGTRANalyzer  SS7 and SIGTRAN vulnerability scanning  Commercial product P1 Security Inc, http://www.p1security.com 41
  • 42. Conclusions  SS7 is not closed anymore  SS7 security solution are industrializing  Pentest to continuous scanning  Security services and products  Mindset are changing: more open to manage the SS7 security problem, education still needed.  Governments put pressure on telco, National Critical Infrastructure Protection initiatives etc.. P1 Security Inc, http://www.p1security.com
  • 43. Credits  Key2, Emmanuel Gadaix, Telecom Security Task Force, Fyodor Yarochkin  Bogdan Iusukhno  Skyper and the THC SS7 project  All the 7bone security researchers  CISCO SS7 fundamentals, CISCO press  Introduction to SS7 and IP, by Lawrence Harte & David Bowler  Signaling System No. 7 (SS7/C7) - Protocol, Architecture and Services, by Lee Dryburgh, Jeff Hewett P1 Security Inc, http://www.p1security.com
  • 44. THANKS!  Questions welcome  Philippe Langlois, phil@p1sec.com  Slides and Tools on http://www.p1security.com P1 Security Inc, http://www.p1security.com