SS7 vulnerabilities and attack exposure


SS7 Vulnerability 2017 A4.ENG .0003.03


Figure 4. Vulnerabilities (successful attacks)

                                                              2015   2016   2017
Lack of subscriber actual location check                       85%    86%    88%
Inability to verify a subscriber's belonging to the network    66%    90%    75%
SMS Home Routing configuration flaws                           70%    58%    62%
Lack of message filtering                                      34%    26%    10%

SS7 architecture problems cannot be solved by current traffic filtering tools.


According to the results, most attacks can be conducted by exploiting the lack of two checks: whether a subscriber is actually at the claimed location, and whether the subscriber belongs to the operator's network. Among the possible attacks are ones aimed at subscriber location disclosure, call interception or redirection, SMS interception, and subscriber profile or payment plan altering. The lack of a location check concerns signaling messages sent to the subscriber's home network from a visited network where a roaming subscriber is registered. Even if such a signaling message is well-formed, its legitimacy cannot be verified from the received parameters alone. It is necessary to perform an additional check on whether the subscriber is actually located in the network from which the signaling traffic originated.
Figure 5. A subscriber's actual location is not checked (diagram: Network 1 with its HLR, Subscriber A of network 1 located in Network 2, and Subscriber B of network 1; over SS7, a signaling message related to subscriber A arrives from Network 2 as legal traffic and from the hacker's network as illegitimate traffic, and a signaling message related to subscriber B also arrives from the hacker's network)
Inability to verify a subscriber's belonging to the network concerns signaling messages that the operator sends to its roaming subscribers, directed at the other network where those subscribers are registered at that particular moment. To detect illegitimate traffic, it is necessary to check whether the message source corresponds with the subscriber's IMSI. If the source address and the IMSI belong to the same operator, the message is valid. However, if they do not correspond, that does not by itself mean the message is fake (for example, a transit operator can alter the address). Signaling traffic is most likely illegitimate if it comes from external networks and relates to subscribers of the home network.

SMS Home Routing is a hardware and software package that conceals real IMSIs and equipment addresses. It is used in 85 percent of the analyzed networks, but where network elements were configured incorrectly it was possible to bypass its protection mechanisms. Without SMS Home Routing, all attempts to obtain IMSIs and network data were successful.

Operators are taking active measures to implement signaling traffic filtering and blocking systems: by 2017 such systems had been implemented in one third of the networks. As a result, attacks that rely on the lack of message filtering now succeed in only 10 percent of cases, three times better than in the previous years.

Attacks are conducted using standard service messages. These messages should be checked at the network border or inside the operator's network in order to block illegitimate requests. One and the same attack can be conducted using several different messages (methods), whose efficiency may vary. We will take a closer look at the methods that attackers use to implement the listed threats.
Subscriber information disclosure
As mentioned above, the first step in reducing the possibility of attacks is to minimize the risk of IMSI disclosure. The number of successful attempts to obtain an IMSI decreased fourfold in 2017 (as compared to 2015).

In 75 percent of networks, it is possible to discover a subscriber's location. The share of successful attacks using the different methods is 33 percent, which is also better than in previous years.
Figure 6. A subscriber's belonging to the network is not checked (diagram: Network 1 with a subscriber of network 1, Network 2 with a subscriber of network 2, and the hacker's network, all connected over SS7; legal traffic flows between the two operator networks, illegitimate traffic from the hacker's network)
Figure 7. Percentage of successful attacks by type of threat related to obtaining subscriber data

                       2015   2016   2017
IMSI disclosure         90%    45%    22%
Location discovery      58%    39%    33%
Profile disclosure      85%    66%    77%
Balance disclosure      92%   100%   100%


There are four methods that allow disclosure of the IMSI; the share of successful attempts is shown in Figure 8.
Figure 8. Methods for obtaining a subscriber's IMSI (percentage of successful attacks)

                          2015   2016   2017
SendRoutingInfoForLCS       0%     7%     0%
SendIMSI                   25%    26%     0%
SendRoutingInfo            76%    61%     7%
SendRoutingInfoForSM       70%    76%    71%
Figure 9. Location tracking methods (percentage of successful attacks)

                          2015   2016   2017
SendRoutingInfo            60%    36%     0%
AnyTimeInterrogation        0%     4%     7%
ProvideSubscriberInfo      93%    82%    75%
The number of successful attacks using SendRoutingInfo and SendIMSI decreased due to the implementation of filtering tools. The SendRoutingInfo message is used to obtain routing information about a subscriber during an incoming voice call and must be transmitted only within the operator's home network. Today, the SendIMSI message is not used to implement mobile services; however, it is still processed in mobile communication networks because certain standards require it.

SendRoutingInfoForLCS was successfully exploited in only two networks, owing to the efficiency of message filtering. The method is used by services that need subscriber location data.

The SendRoutingInfoForSM message is sent to obtain the routing information required to deliver an incoming SMS message. In order not to disclose actual IMSIs and the addresses of network elements, a message from an external network should be forwarded to SMS Home Routing, which returns virtual data. Although most networks use SMS Home Routing, incorrect configuration of boundary network equipment (STP/FW) is not uncommon. As a result, the request is sent to the HLR, bypassing the SMS Router, and returns actual IMSIs and network configuration data.

ProvideSubscriberInfo was used to determine subscriber location because of SS7 architecture flaws. The ProvideSubscriberInfo message should be processed only if the message source and the IMSI belong to the same operator. But due to SS7 architectural features, it is not possible to determine a subscriber's belonging to the network without additional tools. To protect against such attacks, traffic filtering systems are required.
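As an added example (not code from the report or from any operator's filtering product), the following Python sketch applies the border checks the report describes: the belonging check for ProvideSubscriberInfo, the home-network-only rule for SendRoutingInfo, SendIMSI and AnyTimeInterrogation, the location check for messages from a visited network, and the SMS Home Routing rule for SendRoutingInfoForSM. All PLMN codes, Global Title prefixes, IMSIs and the registration table are constructed; PurgeMS is a standard MAP operation not mentioned in the report, used only as a stand-in for a VLR-to-HLR message.

```python
from dataclasses import dataclass

# Constructed (hypothetical) identifiers: an operator is keyed by (MCC, MNC); its
# signaling nodes use Global Titles under a known E.164 prefix.
HOME_PLMN = ("001", "01")
GT_PREFIX_TO_PLMN = {"11111": ("001", "01"),  # home network (network 1)
                     "22222": ("002", "02")}  # roaming partner (network 2)
# Operations the report says must stay inside the operator's home network.
HOME_ONLY_OPS = {"SendRoutingInfo", "SendIMSI", "AnyTimeInterrogation"}
# Operations a visited network may send about a roaming subscriber; PurgeMS (not
# named in the report) stands in for any such VLR-to-HLR message.
VISITED_NETWORK_OPS = {"PurgeMS"}

@dataclass(frozen=True)
class MapMessage:
    opcode: str      # MAP operation name
    calling_gt: str  # SCCP calling-party Global Title (E.164 digits)
    imsi: str        # IMSI the message refers to: MCC(3) + MNC(2, assumed) + MSIN

def plmn_of_gt(gt: str):
    """Operator that owns a Global Title, or None if the prefix is unknown."""
    return next((p for pre, p in GT_PREFIX_TO_PLMN.items() if gt.startswith(pre)), None)

def plmn_of_imsi(imsi: str):
    return (imsi[:3], imsi[3:5])

def classify(msg: MapMessage, registered_in: dict) -> str:
    """Return 'allow', 'suspect' or 'block'. registered_in maps an IMSI to the PLMN
    of the VLR where the HLR currently has that subscriber registered."""
    src, sub = plmn_of_gt(msg.calling_gt), plmn_of_imsi(msg.imsi)
    if msg.opcode in HOME_ONLY_OPS:
        return "allow" if src == HOME_PLMN else "block"
    if msg.opcode == "ProvideSubscriberInfo":
        # Belonging check: source address and IMSI must point to the same operator.
        if src == sub:
            return "allow"
        # External source asking about a home subscriber: most likely illegitimate.
        # Other mismatches may be a transit operator rewriting the address: flag only.
        return "block" if sub == HOME_PLMN else "suspect"
    if msg.opcode in VISITED_NETWORK_OPS:
        # Location check: the message must come from the network the subscriber is in.
        return "allow" if registered_in.get(msg.imsi) == src else "suspect"
    return "suspect"  # unknown operation: hand over to monitoring

def route_sri_for_sm(calling_gt: str) -> str:
    """SendRoutingInfoForSM from outside must reach the SMS Router, not the HLR directly."""
    return "HLR" if plmn_of_gt(calling_gt) == HOME_PLMN else "SMS_ROUTER"
```

The "suspect" verdict is deliberate: a source/IMSI mismatch alone does not prove the message is fake, so only the cases the report calls most likely illegitimate are blocked outright.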
In 2015, we assumed that operators were well aware of attacks using AnyTimeInterrogation, which allows disclosure of a subscriber's location by phone number, and of the protection methods, as none of our attempts was successful. However, in the next two years we detected networks without filtering for this message.

Balance or profile disclosure does not pose an immediate serious threat, so protection of these data is not of high priority. Moreover, only constant monitoring and filtering of signaling traffic helps to protect against most attack methods.

Each analyzed network allowed attacks to be conducted by using the following methods:
