Ss7 vulnerabilities and attack exposure
Yüklə 5,08 Mb. Pdf görüntüsü
|
| +
RestoreData + InterrogateSS + ProcessUnstructuredSS + UpdateLocation + AnyTimeSubscriptionInterrogation During security analysis performed in 2017, all these methods (except AnyTimeSubscriptionInterrogation) led to successful attacks� Operator information leakage During analysis, more than half of the attacks related to SMS Home Routing con- figuration flaws (which allow retrieval of network configuration data) were success- ful� However, operators significantly reduced the possibility of disclosure of such information� Figure 10� Methods for obtaining SS7 configuration data (percentage of successful attacks) 2015 2017 2016 0% SendRoutingInfoForLCS AnyTimeInterrogation 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 0% 7% 0% 0% 4% 7% SendRoutingInfo 76% 61% 7% SendRoutingInfoForSM 70% 77% 53% The number of successful attacks using SendRoutingInfoForSM in 2016 increased because we analyzed several networks without SMS Home Routing� 11 Subscriber traffic interception The risk of subscriber traffic interception is still high� The vast majority of attempts to intercept subscriber SMSs was successful� Today, extremely important data are transmitted via SMS messages: passwords for two-factor authentication sent by e-banking and internet payment systems� Leakage of such information affects the operator's reputation, and might result in contract termination by customers, in- cluding companies with a large volume of traffic� Attempts to tap or redirect terminating and originating calls were successful in more than half of all cases� Redirection means transferring a call to a third-party number� Further development of this attack establishes a connection so that an attacker could tap a subscriber's conversation� The message UpdateLocation is used to inform the HLR about a change a mo- bile switch� Terminating SMSs or calls are intercepted by sending a fake request to register a subscriber in an intruder's network� When a terminating call is received, the operator's network sends a request to a fake network to obtain the subscrib- er's roaming number� An attacker can send the number of his or her telephone exchange in response, and the incoming traffic will be transmitted to the attack- er's equipment� After sending another request to register the subscriber in the real network, the attacker can redirect the call to the subscriber's number� As a result, the conversation will pass through the equipment controlled by the attacker� The same principle is used for interception of terminating calls via RegisterSS, but in this case terminating calls are unconditionally redirected to the intruder's telephone exchange� Nine out of ten SMS messages can be intercepted Figure 11� Methods for intercepting and forwarding subscriber traffic (percentage of successful attacks) 2015 2017 2016 0% Call interception and forwarding SMS interception 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 65% 61% 53% 89% 88% 90% SS7 VULNERABILITIES AND ATTACK EXPOSURE REPORT 12 |