![Page 1: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/1.jpg)
Sergey Puzankov
Mobile operators vs. Hackers:
new security measures for new
bypassing techniques
ptsecurity.com
![Page 2: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/2.jpg)
SS7 in the 20th century
PSTN
STP STP
STPSTP
SSP
SCP
SSP
SSP
SCP
SS7 – Signaling System #7, a set of telephony protocols, which is used to set up and tear
down telephone calls, send and receive SMS, provide subscriber mobility, and other service
![Page 3: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/3.jpg)
SS7 nowadays
SIGTRAN – Signaling Transport, an extension of the SS7 protocol family that uses IP as a transport
![Page 4: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/4.jpg)
Why SS7 is not secure
SIGTRAN
SIG
TR
AN
SS
7
SIGTRAN
IWF/DEA
Diameter
LTE
STP STP
STP
![Page 5: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/5.jpg)
Mass media highlights the SS7 security problem
![Page 6: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/6.jpg)
Governments and global organizations' concern on SS7 security
![Page 7: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/7.jpg)
Mobile operators and SS7 security
SMS Home Routing
Security monitoring
Security assessment
SS7 firewall
Security
configuration
![Page 8: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/8.jpg)
Research and publications
2014 – Signaling System 7 (SS7) security report
2014 – Vulnerabilities of mobile Internet (GPRS)
2016 – Primary security threats for SS7 cellular networks
2017 – Next-generation networks, next-level
cybersecurity problems (Diameter vulnerabilities)
2017 – Threats to packet core security of 4G network
2018 – SS7 vulnerabilities and attack exposure report
![Page 9: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/9.jpg)
Network vulnerability statistics: SMS Home Routing
67% of installed SMS Home
Routing systems have
been bypassed
Possibility of
exploitation of some
threats in networks
with SMS Home
Routing installed is
greater than in
networks without
protection
![Page 10: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/10.jpg)
Network vulnerability statistics: SS7 firewall
Penetration level of SS7
firewalls on mobile
networks:
2015 — 0%
2016 — 7%
2017 — 33%
Filtering system alone
cannot protect the network
thoroughly
![Page 11: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/11.jpg)
Basic nodes and identifiers
HLR — Home Location Register
MSC/VLR — Mobile Switching
Center alongside with Visited
Location Register
SMS-C — SMS Center
MSISDN — Mobile Subscriber
Integrated Services Digital Number
IMSI — International Mobile
Subscriber Identity
STP — Signaling Transfer Point
GT — Global Title, address of a
core node element
![Page 12: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/12.jpg)
SS7 messages for IMSI retrieving
SendRoutingInfo
SendIMSI
SendRoutingInfoForLCS
SendRoutingInfoForSM
Should be blocked on the border
May be blocked on the HLR
– SMS Home Routing as a protection tool
![Page 13: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/13.jpg)
SMS Home Routing bypass No. 1
![Page 14: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/14.jpg)
SMS Delivery with no SMS Home Routing in place
STP
MSC
1. SRI4SM Request • MSISDN
1. SRI4SM Request • MSISDN
2. SRI4SM Response • IMSI
• MSC Address
2. SRI4SM Response • IMSI
• MSC Address
3. MT-SMS • IMSI
• SMS Text
3. MT-SMS • IMSI
• SMS Text
SRI4SM — SendRoutingInfoForSM
HLR
SMS-C
![Page 15: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/15.jpg)
SRI4SM abuse by a malefactor
STP
MSC
1. SRI4SM Request • MSISDN
1. SRI4SM Request • MSISDN
2. SRI4SM Response • IMSI
• MSC Address
2. SRI4SM Response • IMSI
• MSC Address
HLR
![Page 16: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/16.jpg)
SMS Router
SMS Home Routing
STP
HLR
MSC
1. SRI4SM Request • MSISDN
1. SRI4SM Request • MSISDN
3. MT-SMS • Fake IMSI
• SMS Text
3. MT-SMS • Fake IMSI
• SMS Text
4. SRI4SM Request • MSISDN
6. MT-SMS • Real IMSI
• SMS Text
SMS-C
5. SRI4SM Response • Real IMSI
• MSC Address
2. SRI4SM Response • Fake IMSI
• SMS-R Address
2. SRI4SM Response • Fake IMSI
• SMS-R Address
![Page 17: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/17.jpg)
SMS Router
SMS Home Routing against malefactors
STP
HLR
MSC
1. SRI4SM Request • MSISDN
1. SRI4SM Request • MSISDN
2. SRI4SM Response • Fake IMSI
• SMS-R Address
2. SRI4SM Response • Fake IMSI
• SMS-R Address
![Page 18: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/18.jpg)
Numbering plans
Country Code Network Destination Code
Mobile Country Code Mobile Network Code
E.164 MSISDN and GT 33 854 1231237
E.212 IMSI 208 80 4564567894
E.214 Mobile GT 33 854 4564567894
Operator HLR Rule of GT Translation
![Page 19: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/19.jpg)
STP routing table
STP Routing Table
…
Numbering Plan = E.214
…
OpCode = SRI4SM
…
STP SS7 Message
HLR 1
HLR 2
SMS Router
![Page 20: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/20.jpg)
STP routing table
STP Routing Table
…
Numbering Plan = E.214
…
OpCode = SRI4SM
…
STP SS7 Message
HLR 1
HLR 2
SMS Router
E.214 Global Title
Translation Table
MCC + MNC + 00xxxxxxxx
MCC + MNC + 20xxxxxxxx
![Page 21: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/21.jpg)
STP routing table
STP Routing Table
…
Numbering Plan = E.214
…
OpCode = SRI4SM
…
STP SS7 Message
HLR 1
HLR 2
SMS Router
E.214 Global Title
Translation Table
MCC + MNC + 00xxxxxxxx
MCC + MNC + 20xxxxxxxx
![Page 22: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/22.jpg)
STP routing table
STP Routing Table
…
Numbering Plan = E.214
…
OpCode = SRI4SM
…
STP SS7 Message
HLR 1
HLR 2
SMS Router
E.214 Global Title
Translation Table
MCC + MNC + 00xxxxxxxx
MCC + MNC + 20xxxxxxxx
![Page 23: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/23.jpg)
SendRoutingInfoForSM message
Called Party Address = MSISDN
![Page 24: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/24.jpg)
SMS Home Routing bypass attack
STP Routing Table
…
Numbering Plan = E.214
…
OpCode = SRI4SM
…
STP HLR 1
HLR 2
SMS Router
E.214 Global Title
Translation Table
MCC + MNC + 00xxxxxxxx
MCC + MNC + 20xxxxxxxx
1. SRI4SM Request • E.214 / Random IMSI
• MSISDN
2. SRI4SM Request • E.214 / Random IMSI
• MSISDN
3. SRI4SM Response
• IMSI
• MSC address
The malefactor needs to guess any IMSI
from a HLR serving the target subscriber
SMS Router is aside
![Page 25: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/25.jpg)
SMS Home Routing bypass No. 2
![Page 26: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/26.jpg)
SMS Home Routing definition
HLR
SMS Router
1. SRI4SM Request: MSISDN STP
![Page 27: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/27.jpg)
SMS Home Routing definition
HLR
SMS Router
1. SRI4SM Request: MSISDN
1. SRI4SM Request: MSISDN
STP
![Page 28: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/28.jpg)
SMS Home Routing definition
HLR
SMS Router
1. SRI4SM Request: MSISDN
2. SRI4SM Request: MSISDN
STP
3. SRI4SM Response: Fake IMSI, SMS-R address
![Page 29: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/29.jpg)
SMS Home Routing definition
HLR
SMS Router
1. SRI4SM Request: MSISDN
2. SRI4SM Request: MSISDN
STP
3. SRI4SM Response: Fake IMSI, SMS-R address
Different IMSIs mean SMS Home Routing procedure is involved
![Page 30: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/30.jpg)
TCAP Protocol
TCAP Message Type
Transaction IDs
Dialogue Portion
Component Portion
Begin, Continue, End, Abort
Source and/or Designation IDs
Application Context Name (ACN)
ACN Version
Operation Code
Payload
Application Context Name
corresponds to a respective
Operation Code
TCAP – Transaction Capabilities Application Part
![Page 31: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/31.jpg)
Application Context Name
![Page 32: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/32.jpg)
Application Context Name change
![Page 33: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/33.jpg)
SMS Home Routing bypass with malformed ACN
HLR 1. SRI4SM Request: MSISDN
Malformed ACN
1. SRI4SM Request: MSISDN
Malformed ACN STP
SMS Router
Malformed ACN
![Page 34: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/34.jpg)
SMS Home Routing bypass with malformed ACN
HLR 1. SRI4SM Request: MSISDN
Malformed ACN
1. SRI4SM Request: MSISDN
Malformed ACN STP
2. SRI4SM Response: IMSI, MSC 2. SRI4SM Response: IMSI, MSC
SMS Router
SMS Router is aside
![Page 35: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/35.jpg)
SMS Home Routing bypass with malformed ACN
HLR
SMS Router
1. SRI4SM Request: MSISDN
Malformed ACN STP
2. SRI4SM Response: IMSI, MSC
Equal IMSIs means the SMS
Home Routing solution is absent
or not involved
1. SRI4SM Request: MSISDN
Malformed ACN
2. SRI4SM Response: IMSI, MSC
![Page 36: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/36.jpg)
SS7 firewall bypass
![Page 37: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/37.jpg)
SS7 firewall typical deployment scheme
HLR STP
1. SS7 message 3. SS7 message
SS7 firewall
2. SS7
message
![Page 38: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/38.jpg)
SS7 firewall typical deployment scheme
HLR STP
1. SRI Request: MSISDN
SS7 firewall
2. SRI Request: MSISDN
The message is blocked
SRI – SendRoutingInfo
![Page 39: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/39.jpg)
Application Context Name change
![Page 40: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/40.jpg)
SS7 firewall bypass with malformed ACN
HLR STP 1. SRI Request: MSISDN
Malformed ACN
SS7 firewall
2. SRI Request: MSISDN
Malformed ACN
Malformed ACN
![Page 41: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/41.jpg)
SS7 firewall bypass with malformed ACN
HLR STP 1. SRI Request: MSISDN
Malformed ACN
2. SRI Request: MSISDN
Malformed ACN
3. SRI Response: IMSI, … 3. SRI Response: IMSI, …
SS7 firewall is aside
SS7 firewall
![Page 42: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/42.jpg)
Positioning enhancement
![Page 43: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/43.jpg)
Positioning attack idea
![Page 44: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/44.jpg)
Positioning attack idea
![Page 45: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/45.jpg)
Positioning attack idea
![Page 46: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/46.jpg)
How we discovered
![Page 47: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/47.jpg)
How we discovered
![Page 48: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/48.jpg)
Recreating the position refinement attack
MSC/VLR
![Page 49: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/49.jpg)
Recreating the position refinement attack
CID 0DFB
ProvideSubscriberInfo
CID: 0DFB 1 MSC/VLR
![Page 50: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/50.jpg)
Recreating the position refinement attack
CID 0DFB
ProvideSubscriberInfo
CID: 0DFB
UnstructuredSS-Notify
1
2
MSC/VLR
![Page 51: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/51.jpg)
Recreating the position refinement attack
CID 0DFB
ProvideSubscriberInfo
CID: 0DFB
UnstructuredSS-Notify
1
2
MSC/VLR
3
Paging
![Page 52: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/52.jpg)
Recreating the position refinement attack
CID 0DFB
ProvideSubscriberInfo
CID: 0DFB
UnstructuredSS-Notify
1
2
MSC/VLR
3
Paging
![Page 53: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/53.jpg)
Recreating the position refinement attack
CID 0191
CID 0DFB
ProvideSubscriberInfo
CID: 0DFB
UnstructuredSS-Notify
1
2
MSC/VLR
3
Paging
Paging
Response
![Page 54: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/54.jpg)
Recreating the position refinement attack
CID 0191
CID 0DFB
ProvideSubscriberInfo
CID: 0DFB
UnstructuredSS-Notify
1
2
MSC/VLR
3
Paging
Paging
Response
. . . returnError
![Page 55: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/55.jpg)
Recreating the position refinement attack
CID 0191
CID 0DFB
ProvideSubscriberInfo
CID: 0DFB
UnstructuredSS-Notify
1
2 returnError
MSC/VLR
3
Paging
Paging
Response
. . . returnError
![Page 56: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/56.jpg)
Recreating the position refinement attack
ProvideSubscriberInfo
CID: 0DFB
UnstructuredSS-Notify
1
2
3
4
Paging
ProvideSubscriberInfo
CID: 0191
returnError
Paging
Response
. . .
MSC/VLR
CID 0DFB
CID 0191
returnError
![Page 57: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/57.jpg)
On the map
![Page 58: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/58.jpg)
Main problems in SS7 security
SS7 architecture flaws
Configuration mistakes
Software bugs
![Page 59: Mobile operators vs. Hackers: new security measures for ... · SS7 in the 20th century PSTN STP STP STP STP SSP SCP SSP SSP SCP SS7 – Signaling System #7, a set of telephony protocols,](https://reader030.vdocuments.site/reader030/viewer/2022041303/5e13e1d3ec4a572442459fdc/html5/thumbnails/59.jpg)
Things to remember
1. Deploying security tool does not mean the network
is secure. About 67% of SMS Home Routing solutions
in tested networks were bypassed.
2. Test the network. Penetration testing is a good
practice to discover a lot of vulnerabilities. Discover
and close existing vulnerabilities before hackers find
and exploit them.
3. Know the perimeter. The continuous security
monitoring allows a mobile operator to know which
vulnerabilities are exploited and they are able to
protect the network.