Threats to the security of the SS7 protocol


Today almost everyone owns a smartphone. Most often it is used for entertainment on social networks or as a working device. In functionality, the smartphone has come close to a personal computer. Working with this device every day, we have begun to wonder how well it is protected against attacks. We live in a time of rapid growth in technological capabilities, when hacking a phone is not difficult. This article describes how a smartphone can be compromised through the SS7 vulnerability (SS7 is Common Channel Signaling System No. 7).

Many people wonder how an attacker can obtain sensitive data if the phone is protected by every known means. This is not an obstacle if the attacker does not try to get past the phone's own security but instead goes through the telecommunications system, exploiting the vulnerability of the SS7 protocol (Signaling System No. 7).

As you know, SS7 is a set of telephony signaling protocols used to exchange information between the elements of a mobile network.

As you can see in the figure, the SS7 protocol stack is divided into levels that can be mapped to the OSI model. MTP Layer 1 is mapped to the first layer, MTP Layer 2 to the second, MTP Layer 3 to the third, and so on. MTP (Message Transfer Part) is a system that includes all the MTP levels of the SS7 stack. It is responsible for guaranteed delivery of network signaling messages between digital exchanges. MTP transmits messages without loss, duplication, distortion, or sequence violations.

MTP Layer 1 is the link level that carries information between two signaling points by converting it to a bit stream.

MTP Layer 2 is the link level that checks for errors and keeps messages in the correct sequence; if a conflict occurs at this level, the message is sent again.

MTP Layer 3 is the level that routes messages and diverts traffic away from faulty links.

The ISUP protocol (ISDN User Part) is used to manage calls between devices in the telephone network.

The SCCP protocol is used for interaction between service nodes. It provides information about the state of subsystems and relies on MTP Layer 3 for routing and error detection.

TCAP contains information about routes and is used by the ISUP protocol to address calls. This protocol is also used to specify who will pay the bill for the conversation.

SS7 was introduced in the 1970s to identify and connect landline calls between networks, and it is now also used to determine the cost of calls and SMS. The protocol ran over a channel that was physically inaccessible to users and carried the commands that set up telephone connections. At that time the developers believed the protocol was secure and that no one except operator staff would have access to it, because the signaling channel was physically separate from the voice channel. Encryption and other security measures were therefore never applied to signaling traffic.

Technology moved on, and in the 2000s the SIGTRAN (Signaling Transport) protocol was developed. It supports the same call management functions as SS7 but adds addressing over the Internet Protocol (IP) and carries data over SCTP, a transport-layer protocol that provides guaranteed delivery of application data over IP networks. This made it possible to gain access to the signaling channel. Because no encryption is used, it is very difficult to distinguish genuine commands from an attacker's: the equipment faithfully executes every command it receives and does not check where a packet came from, since source verification was never implemented while the channel was considered physically unreachable.

Today an attack requires only a computer with an Internet connection, software that generates and sends SS7 packets, and access to an SS7 gateway. Such access is easy to come by: in many countries anyone can obtain it on the black market from an existing operator, or through compromised operator equipment. With all of this in place, a "man in the middle" attack becomes possible.

Implementing an attack through an SS7 vulnerability

To carry out this attack, the attacker must first obtain the IMSI (International Mobile Subscriber Identity), a fifteen-digit number that is assigned individually to each SIM card and stored on it. The first three digits are the country code, the next two are the mobile network code, and the remaining digits are the user ID. The IMSI can be obtained from the mobile phone number, the MSISDN (Mobile Subscriber Integrated Services Digital Number), which is associated with the IMSI in the mobile operator's subscriber database, the HLR (Home Location Register). The MSISDN is needed to receive calls and to identify the subscriber when services are provided. To get the IMSI, the attacker sets up a fake network using a computer with the appropriate software and sends an SMS to the subscriber's number (MSISDN). For an SMS to reach its recipient, a route to the subscriber's current location has to be built. The HLR, which maps the IMSI to the MSISDN, therefore returns the address of the MSC/VLR switch currently serving the subscriber and the IMSI of the subscriber's SIM card. The MSC (Mobile Switching Center) is a telephone exchange whose tasks include switching channels, tracking the subscriber's location in order to deliver calls and SMS, and providing GSM services. In practice this node is often combined with a VLR (Visitor Location Register), a database that stores all information about users temporarily registered in the area served by that switch.
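A defensive counterpart to the lookup described above, as an added example that is not from the original article: a border filter in the spirit of SMS home routing, which answers routing queries from outside the operator's network with a per-query alias and the address of a home SMS router instead of the real IMSI and MSC/VLR address. The record layout, function names, address prefixes, key and all numbers are constructed assumptions.

```python
import hashlib
import hmac

# All values below are constructed for illustration.
HOME_PREFIXES = ("99901",)            # hypothetical prefixes of the operator's own nodes
HOME_SMS_ROUTER = "9990100000042"     # hypothetical address of the operator's SMS router
ALIAS_KEY = b"demo-key-not-for-production"

# Minimal stand-in for the HLR: MSISDN -> (IMSI, serving MSC/VLR address)
HLR = {"99955501234": ("999011234567890", "9990177700001")}

# Aliases handed out to external networks, so the home router can map a
# later delivery attempt back to the real subscriber.
PENDING = {}


def alias_imsi(imsi: str, query_id: str) -> str:
    """Derive a 15-digit alias that keeps the first five digits (country and
    network code) but hides the user ID; it differs for every query."""
    mac = hmac.new(ALIAS_KEY, f"{imsi}:{query_id}".encode(), hashlib.sha256).digest()
    digits = str(int.from_bytes(mac[:8], "big")).zfill(10)[-10:]
    return imsi[:5] + digits


def answer_routing_query(msisdn: str, origin_addr: str, query_id: str):
    """Answer an SMS routing query with (imsi, node_address), or None if the
    number is unknown. Only internal nodes receive the real values."""
    record = HLR.get(msisdn)
    if record is None:
        return None
    imsi, serving_node = record
    if origin_addr.startswith(HOME_PREFIXES):
        return imsi, serving_node
    # External origin: expose neither the real IMSI nor the MSC/VLR address.
    alias = alias_imsi(imsi, query_id)
    PENDING[alias] = imsi
    return alias, HOME_SMS_ROUTER
```
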


Determining the subscriber's location

As you know, the entire cellular network is divided into cells, the coverage areas of base stations, which are joined together by switching centers.

Cellular coverage reaches almost every corner of the planet, and each person is served by the particular base station whose area they are currently in, so knowing the location of that station gives the person's approximate location. A request carrying the target's IMSI is sent to the MSC/VLR switch address found earlier, asking for the target's current base station. The response contains the ID of the base station, which gives the station's location and therefore the subscriber's.

Interception of a subscriber's messages

To do this, the attacker passes the victim's IMSI and the attacker's own MSC/VLR address to the HLR. From then on, all messages addressed to the subscriber are delivered to the attacker. So that the subscriber does not suspect surveillance when sending a message to another subscriber, the actual MSC switch must also be overridden: the message then goes to the attacker first, and only afterwards to the subscriber to whom the SMS was sent.

An attacker can also break into accounts in various messengers, such as Telegram, WhatsApp and VKontakte, by intercepting the authorization passwords sent via SMS.
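One way to detect the re-registration described above, as an added example that is not from the original article: a check over signaling log records that flags a location registration claimed by a node outside the operator's roaming partners, or one that moves a subscriber to another network implausibly soon after activity at home. The log format, prefixes, threshold and records are constructed assumptions.

```python
from datetime import datetime, timedelta

HOME_PREFIX = "99901"                            # hypothetical: operator's own nodes
ROAMING_PARTNER_PREFIXES = ("99802", "99703")    # hypothetical partner networks
MIN_TRAVEL = timedelta(hours=1)                  # assumed minimum time to reach another network

# Constructed log: time, IMSI, address of the MSC/VLR claiming to serve the subscriber
LOG = """\
2024-05-01T10:00:00 999011234567890 9990177700001
2024-05-01T10:07:00 999011234567890 9966600000009
2024-05-01T11:00:00 999019876543210 9990177700002
2024-05-01T15:30:00 999019876543210 9980255500003
2024-05-01T15:40:00 999015555555555 9990177700001
2024-05-01T15:45:00 999015555555555 9970311100004
"""


def check_registrations(log_text):
    """Return (imsi, vlr, reason) alerts for suspicious location registrations."""
    last_home = {}   # imsi -> time of the last registration on a home node
    alerts = []
    for line in log_text.splitlines():
        ts, imsi, vlr = line.split()
        when = datetime.fromisoformat(ts)
        if vlr.startswith(HOME_PREFIX):
            last_home[imsi] = when
            continue
        if not vlr.startswith(ROAMING_PARTNER_PREFIXES):
            # The claimed serving node belongs to no network we have an agreement with.
            alerts.append((imsi, vlr, "unknown-network"))
        elif imsi in last_home and when - last_home[imsi] < MIN_TRAVEL:
            # Known partner, but the subscriber was at home minutes ago.
            alerts.append((imsi, vlr, "implausible-move"))
    return alerts


if __name__ == "__main__":
    for alert in check_registrations(LOG):
        print(alert)
```
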

Interception of a subscriber's conversation

To do this, the attacker changes the subscriber's billing address in the VLR database where the subscriber is temporarily registered and intercepts the billing request for the outgoing call (a billing system is a system for calculating the cost of services). This reveals the number that the subscriber is calling. The call is then redirected to the attacker's MSISDN, and a conference call is set up with the real subscriber. The conversation can now be listened to unnoticed, since all these operations are very fast.

Attacks via SS7 are promising for attackers. The attacker does not need to be near the subscriber, and the attack can be launched from any point on the planet, so it is almost impossible to trace the attacker. This vulnerability can be used to hack almost any phone in the world. Eavesdropping on conversations, intercepting SMS messages, and gaining access to mobile banking and social networks are not difficult because of the vulnerability in the SS7 telephone infrastructure, which carries the service commands of cellular networks. Because the vulnerable SS7 infrastructure is under the operator's control, subscribers cannot protect themselves from such an attack. As long as mobile operators are unable to abandon this technology, this information security threat will remain relevant.
