Mobile Attacks: abuse of SS7 vulnerabilities

Uploaded On 2024-02-09


Presentation Transcript

1. Mobile Attacks: abuse of SS7 vulnerabilities. 21 October 2019. Krystina Vrublevska

2. Impact of SS7 vulnerabilities on telecom: Reputation Damage; Financial Risk; Risk of tensions with the regulator. Home Routing; SS7 Firewall; SIP Firewall; Diameter Firewall

3. Blocking unauthorized signalling messages. Honeypot.

   1. Analyse data provided by SS7 FW
   2. Take data from SS7 FW
   3. Translate it into Diamond
   4. Get the full picture
   5. Pattern recognition & rules creation

   Columns: Timestamp | Capabilities: map_op | Infrastructure: sccp_cgpa_addr_network | Infrastructure: sccp_cgpa_addr | Victim: imsi

   13.06.2019 10:44:59 | map_provideSubscriberInfo | [GBR**] | 44795****2060*********
   17.06.2019 06:11:43 | map_provideSubscriberInfo | [GBR**] | 44782****2040*********

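4. Statistics Sep-Oct 2019 (per day)

| Cat. | Events | Action | Min. | Max. | Average | |
|---|---|---|---|---|---|---|
| | Total throughput | | 375 M | 517 M | 454 M | |
| 1 | All Category 1: ATI, SRI, SendIMSI | Blocked | 560 | 3.835 | 3.200 | 100% |
| 2 | All Category 2 | | 24,6 M | 30,1 M | 27,8 M | |
| | - Home IMSI | Blocked | 2 | 40 | 21 | 0,75 pm |
| | - GT Mismatches | Still pass | 10.500 | 19.930 | 15.300 | 550 pm |
| | - SSN Mismatches | Still pass | 123 | 332 | 210 | 7,5 pm |
| 3.1 | All Category 3.1 | | 224 K | 360 K | 294 K | |
| | - No or Unexpected Location | Blocked | 84 | 9.700 | 4.400 | 1,50% |
| | - Foreign IMSI | Still pass | 3 | 42 | 15 | 51 pm |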

5. Malware Information Sharing Platform. 21 October 2019. Sensitivity: Unrestricted

6. Joint action: GSMA MISP

7. Implementation of firewalls; Blocking of unauthorized signalling messages; Analysing data; Implementation of Threat Intelligence Models; Pattern recognition; Identification of intentions behind the attacks

8. Thank you for attention! Stay in touch: Krystina Vrublevska, Krystina.vrublevska.ext@proximus.com

9. Backup Slides

10. Example of an attack

| Timestamp | Signalling message | Action of SS7 FW | GT of Calling Party | Network of the Calling Party | GT of Called Party | IMSI | Note |
|---|---|---|---|---|---|---|---|
| 06.10.2019 15:18:58 | map_sendRoutingInfoForSM | PASS | 447******8 | [GBR**] | 324******* | | Ordinary traffic: legitimate signalling message used for Short Messages Routing |
| 06.10.2019 15:18:58 | map_sendRoutingInfoForSMResponse | PASS | 324******* | [BELTB] | 447******8 | 206****9 | Ordinary traffic: our response |
| 06.10.2019 15:18:58 | map_provideSubscriberInfo | DROP | 447******8 | [GBR**] | 324****** | 206****9 | Attempt to get Victim’s Location |
| 06.10.2019 15:19:16 | map_anyTimeInterrogation | DROP | 447******8 | [GBR**] | 324****** | | Another attempt to get Victim’s Location |

11. Pattern recognition
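
One way to express the slide 10 sequence as a detection rule, as an added example that is not part of the original presentation: it groups constructed firewall events by calling GT and reports, under the Diamond field names from slide 3, any source whose passed map_sendRoutingInfoForSM is followed within a time window by location queries. The event tuples, the five-minute window and the function name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall events in the column order of the slide 10 table
# (timestamp, MAP operation, FW action, calling GT, calling network, IMSI).
# All GT and IMSI values are made up for this example.
SAMPLE_EVENTS = [
    ("06.10.2019 15:18:58", "map_sendRoutingInfoForSM", "PASS", "447000000008", "GBR", ""),
    ("06.10.2019 15:18:58", "map_provideSubscriberInfo", "DROP", "447000000008", "GBR", "206000000000009"),
    ("06.10.2019 15:19:16", "map_anyTimeInterrogation", "DROP", "447000000008", "GBR", ""),
    ("06.10.2019 15:20:00", "map_sendRoutingInfoForSM", "PASS", "491700000005", "DEU", ""),
    ("06.10.2019 18:00:00", "map_provideSubscriberInfo", "DROP", "336000000003", "FRA", "206000000000007"),
]

LOOKUP_OPS = {"map_sendRoutingInfoForSM"}
LOCATION_OPS = {"map_provideSubscriberInfo", "map_anyTimeInterrogation"}


def find_tracking_patterns(events, window=timedelta(minutes=5)):
    """Return one Diamond-style record per calling GT whose passed SMS-routing
    lookup is followed by location queries within `window`."""
    by_source = defaultdict(list)
    for ts, op, action, cgpa, network, imsi in events:
        when = datetime.strptime(ts, "%d.%m.%Y %H:%M:%S")
        by_source[(cgpa, network)].append((when, op, action, imsi))

    findings = []
    for (cgpa, network), rows in sorted(by_source.items()):
        lookups = [r[0] for r in rows if r[1] in LOOKUP_OPS and r[2] == "PASS"]
        if not lookups:
            continue  # no passed lookup from this source, nothing to correlate
        first = min(lookups)
        follow = [r for r in rows
                  if r[1] in LOCATION_OPS and timedelta(0) <= r[0] - first <= window]
        if follow:
            findings.append({
                "infrastructure": {"sccp_cgpa_addr": cgpa, "sccp_cgpa_addr_network": network},
                "capabilities": sorted({r[1] for r in follow} | LOOKUP_OPS),
                "victims": sorted({r[3] for r in follow if r[3]}),
                "location_attempts": len(follow),
                "all_dropped": all(r[2] == "DROP" for r in follow),
            })
    return findings


if __name__ == "__main__":
    for finding in find_tracking_patterns(SAMPLE_EVENTS):
        print(finding)
```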

13. Malware Information Sharing Platform

14. Statistics (per day), Category 3.2 with HLR Cache

| Cat. | Events | Action | Min. | Max. | Average | |
|---|---|---|---|---|---|---|
| 3.2 | All Category 3.2 | | 28,4 M | 45,4 M | 35,7 M | 100% |
| | - Foreign IMSI | Still pass | 2.590 | 9.100 | 4.700 | 132 pm |
| | - Velocity limit exceeded | Still pass | 11.730 | 113.340 | 38.970 | 0,11% |
| | - Velocity calculation failed | Inconclusive | 128 k | 212 k | 166 k | 0,46% |
| | - Missing location | Inconclusive | 4,8 M | 5,0 M | 4,9 M | 13,7% |

15. Diamond Model

   - Who?
   - Whom?
   - How? (techniques/tools)
   - What used?
   - Which victims are attacked in the same way?
   - Which victims are attacked from the same country/operator?
   - Which attackers have the same pattern of attack?
   - Why??

16. Attacks and the signalling operations used, by message category (Cat 1, Cat 2, Cat 3)

| Threat | Attack | Operations (Cat 1 / Cat 2 / Cat 3) |
|---|---|---|
| IMSI Disclosure | IMSI Disclosure | SendRoutingInfoForLCS, SendRoutingInfo, SendIMSI, SendRoutingInfoForSM |
| Subscriber information Disclosure | Subscriber location/activity tracing | AnyTimeInterrogation, SendRoutingInfo, SendRoutingInfoForLCS, ProvideSubscriberInfo, ProvideSubscriberLocation |
| | Disclosure of subscriber profile information | AnytimeSubscriptionInterrogation, InterrogateSS, RestoreData, UpdateLocation |
| Network reconnaissance | Disclosure of operator network information | SendRoutingInfo, AnyTimeInterrogation, SendRoutingInfoForLCS |
| Denial of Service | | AnyTimeModification, RegisterSS, InsertSubscriberData, UpdateLocation, PurgeMS |
| Subscriber traffic redirection/interception | Call redirection with interception | RegisterSS, AnyTimeModification, InsertSubscriberData, UpdateLocation |
| | SM interception | InsertSubscriberData, UpdateLocation |
| Fraud against subscribers | Call redirection | AnyTimeModification, RegisterSS, InsertSubscriberData, UpdateLocation |
| Fraud against operator’s charging systems | USSD service manipulation/spoofing | ProcessUnstructuredSS-Request, UnstructuredSS-Request (cat1&cat2), UnstructuredSS-Notify (cat1&cat2), UnstructuredSS-Request (cat1&cat2), UnstructuredSS-Notify (cat1&cat2) |
| | SM service manipulation/spoofing | MT_ForwardSM, MO_ForwardSM, ForwardSM |
| | Online charging platform bypassing | AnyTimeModification, DeleteSubscriberData, InsertSubscriberData |

17. Threats, attacks, inputs and methods

| THREAT | ATTACK | INPUTS | METHOD |
|---|---|---|---|
| Disclosure of subscriber information | IMSI disclosure | MSISDN | SendRoutingInfoForSM |
| | | MSISDN | SendRoutingInfoForLCS |
| | | MSISDN | SendRoutingInfo |
| | | MSISDN | SendIMSI |
| | Subscriber location/activity tracing | IMSI/MSISDN | AnyTimeInterrogation |
| | | VLR, IMSI | ProvideSubscriberInfo |
| | | MSISDN | SendRoutingInfo |
| | | MSISDN | SendRoutingInfoForLCS |
| | | MSC, IMSI | ProvideSubscriberLocation |
| | Disclosure of subscriber profile information | IMSI | RestoreData |
| | | IMSI | UpdateLocation |
| | | IMSI | AnyTimeSubscriptionInterrogation |
| | | IMSI | InterrogateSS |
| Disclosure of operator network information | Disclosure of operator network information | MSISDN | SendRoutingInfo |
| | | MSISDN/IMSI | AnyTimeInterrogation |
| | | MSISDN | SendRoutingInfoForSM |
| Denial of service | Service unavailability for subscriber | IMSI | UpdateLocation |
| | | IMSI, MSISDN, ODB OR OSCI+Release Call | InsertSubscriberData |
| | | MSISDN/IMSI, ODB OR OSCI+Release Call | AnyTimeModification |
| | | IMSI | RegisterSS |
| | | IMSI, VLR | PurgeMS |
| Subscriber traffic redirection/interception | Call redirection with interception | | |
| | Termination SMS interception | IMSI | UpdateLocation |
| | | IMSI | MT-ForwardSM |
| | SM interception | IMSI, MSISDN, fake gsmSCF address | InsertSubscriberData |
| | | Fake SMSC | Connect SMS |
| | | Fake SMSC | Mo-ForwardSM |
| Fraud against subscribers | Call redirection | IMSI | UpdateLocation |
| | | Fake Cell Global ID | ProvideSubscriberInfo |
| Fraud against operator’s charging systems | USSD service manipulation/spoofing | IMSI, VLR, USSD-string | ProcessUnstructuredSS-Request |
| | | IMSI, USSD-string | UnstructuredSS-Notify |
| | | IMSI, USSD-string | UnstructuredSS-Request |
| | SM service manipulation/spoofing | IMSI, MSC, Sender MSISDN | Mt-ForwardSM |
| | | MSISDN, SMS-C, Sender number | Mo-ForwardSM |
| | | IMSI, MSC, Sender MSISDN | ForwardSM |
| | Online charging platform bypassing | | |