Hello, DevCon. Nice to meet you. Let me introduce myself. My name is Sergei Puzhankov. I work at Positive Technologies as a telecom security expert. A couple of words about my experience. I have been working in the telecom industry for more than 18 years. During this period I worked at a telecom equipment vendor as a support engineer, I worked at a huge multinational mobile operator as a quality engineer, and now my current position is telecom security expert, where I perform security research and perform penetration tests or security assessments of mobile networks. All our findings we contribute to non-commercial organizations such as ITU and GSMA, and we also share this information at security conferences. And now I'm going to share my recent research with you.

The subject of this presentation is SS7. What is SS7? SS7 is a control-plane set of protocols. This is not one protocol but a set of protocols that is primarily intended to set up and release telephony calls. When mobile telephony appeared, SS7 started processing SMS messages, subscriber mobility and some other services. SS7 works between network elements only, not on the user side. The elementary portion of SS7 signaling is called a message. I will use this term throughout the presentation. Just remember: a message is similar to a packet in IP networks. Nowadays SS7 signaling is used in fixed telephony, in mobile networks of the 2G and 3G standards, GSM and UMTS, and for interconnection with next-generation networks like LTE and, in the future, 5G.

There is an opinion that SS7 is an obsolete technology and that tomorrow or the day after tomorrow all of us will use only 4G and 5G mobile devices. But if we look at the official statistics from GSMA (GSMA is the association of all mobile operators, mobile operators of all standards), we can see we are somewhere here now, at this point, and the number of 2G and 3G users is about 5 billion. So each of those 5 billion subscribers could be a target of an SS7 hacker.
Once hackers have got access to SS7, they are able to intercept all subscriber data, like SMS and voice calls. They can receive confidential information, including information about subscriber location. They can perform those attacks on single subscribers or on whole networks. These hackers are also able to take control over a digital identity, including emails, social networks, application messages like WhatsApp, Telegram and so on. And hackers in signaling networks are also able to steal money, for example from the balances of subscribers, or using some fraudulent activity against the operator itself.

Why is SS7 insecure? To answer this question we need to look at the history of SS7 development. When SS7 was developed, it was the era of trusted networks, because there were only a few telephone operators who were connected to SS7. Later, in the early 2000s, a new specification was introduced. It was called SIGTRAN. This specification allowed sending SS7 traffic via IP networks. Before this, SS7 was an isolated network, but from this point SS7 stopped being isolated. In the 80s mobile operators became widespread. So there are a lot of subscribers, a lot of new players in this market, a lot of traffic. Nowadays the trusted era is over, because more and more operators are connected to SS7. Mobile operators are aware of this problem and they protect their networks. They use a lot of security tools, such as SS7 firewalls, SMS home routing, signaling IDS, and they can also configure their equipment in compliance with security requirements. Mobile operators order external penetration testing of their signaling networks in order to understand how the networks look from an external hacker's point of view.

So I will speak about mobile networks, and I need to describe some terms, some identities and node elements of these networks. The first identity is MSISDN. The identity with this long abbreviation is just a telephone number, which all of us use. The next term is GT, or global title.
This is the address of a core network element, and a global title has a structure similar to MSISDN, similar to telephone numbers. The third identity is IMSI, International Mobile Subscriber Identity; this is the identifier of a SIM card.

And nodes. STP, signal transfer point: this is a router of signaling traffic, of signaling messages between core network elements. HLR, home location register: this is a database of all home subscribers of the operator. This database contains subscriber profiles, which contain subscriber identifiers, IMSI and MSISDN, a list of allowed and prohibited services, and so on, some technical information. The next element is MSC and VLR. This node performs two functions. The first of them is MSC, mobile switching center. This node is responsible for voice call routing. And VLR, this is a location register. This is one more database. This database contains information about active subscribers who are under the coverage area of this node. The VLR receives copies of subscriber profiles from the HLR and enriches them with some information from the radio access part, for example cell identity. And the last node is SMSC, or SMS center. This node is responsible for SMS processing.

Since the subject is SS7, I need to describe the structure of this protocol. I omit some low layers of this protocol stack because they're responsible for neighboring communication. The lowest layer protocol that is used in international communication is SCCP, signaling connection control part. This layer is responsible for the routing of signaling messages. It contains such information as source address, destination address and some payload. That payload is the next protocol, TCAP. TCAP, transaction capabilities application part, is responsible for transactions and dialogues. This protocol ties single requests and responses into one transaction or one dialogue. And the top layer protocol, MAP, mobile application part, is the payload of a signaling message.
It contains the operation itself and all the parameters of each operation.

Signaling networks have their own unique security tools. The first is the signal transfer point. I have already mentioned this node as a router of signaling traffic, but this node is also able to block some illegitimate traffic. SMS home routing: this solution is intended to prevent SMS fraud and SMS spam and also to hide IMSI identifiers. And one more security tool is the SS7 firewall. This is the most sophisticated tool, which can protect signaling networks against most signaling attacks: IMSI disclosure, location tracking, voice call interception and so on.

Some details about each of the signaling security tools. Signal transfer point: I have already mentioned it twice. This is a router of signaling messages. This node is usually installed on the border of the network, and this network element receives all the external signaling traffic. So it is reasonable to bring some security mechanisms into this network element. But an STP is able to block signaling traffic only by some simple rules: for example, block a particular operation code, block some source of the traffic, and maybe in some cases combinations of these simple rules.

The next protection tool is SMS home routing. But before I explain how it works, I would like to describe how the SMS delivery process works in mobile networks. We have an SMS center that should deliver an SMS to the subscriber. Normally the SMS center does not know where the subscriber is located, because all subscribers are mobile, and this subscriber could be anywhere around the world. So the SMS center, first of all, should request some routing information to deliver this message. It sends a Send Routing Info for SM signaling message to the subscriber's home network. This signaling message comes to the HLR, to the database. The HLR always knows where the subscriber is located. The HLR replies with two pieces of data: the IMSI identity and the address of the current MSC. After that, the SMS center knows the address where to deliver the SMS, and it does so.
It delivers the SMS to the appropriate MSC, and the MSC after that delivers this SMS to the radio access system and finally to the subscriber. When intruders appear in the SS7 network, they are able to use this dialogue to retrieve the IMSI identity and the identity of the current MSC. This is confidential information that may be used for other sophisticated attacks.

To protect the network, the SMS router was introduced into the network as a new network element. And now, when the STP receives a Send Routing Info for SM signaling message, it should deliver this message not to the HLR but to the SMS router. The SMS router generates some random IMSI, a fake IMSI, and sends this in the response. It also uses its own address instead of the MSC's one. After that, the SMS comes to the SMS router. The SMS router correlates this fake IMSI with the MSISDN number and initiates a new SMS delivery process inside the network. It sends the same Send Routing Info for SM to the HLR, internally in the home network. The HLR replies with correct data. After that, the SMS is delivered to the right MSC, addressing the right subscriber. Here we see two SMS delivery processes. The first one is external and the second one is fully internal. And what we see is that no confidential information goes abroad, only fake data. Now, if an intruder appears in the SS7 network, this intruder can send a Send Routing Info for SM signaling message. This message is delivered to the SMS router and the SMS router replies with fake data. So the network is protected.

And the third security tool, the SS7 firewall. An SS7 firewall is usually implemented not inline but in loop mode. It looks like this. When an SS7 message comes to the STP, the STP routes it to the SS7 firewall. The SS7 firewall has a lot of rules, smart rules, to define whether this signaling message is illegitimate or not. If the message is illegitimate, or malformed, not malformed but hostile, the SS7 firewall just blocks it.
Otherwise, it sends it back to the STP, and the STP delivers the message into the network, into the home network, to the destination node.

All SS7 firewalls rely on GSMA rules. GSMA has actually done great work. They classified all potentially hazardous signaling messages into three categories. The first category contains a list of operations that may be used only for internal signaling exchange. If this traffic comes from external connections, all this signaling traffic should be blocked. Category two consists of a list of signaling messages that should be related to inbound roamers. For example, I am an inbound roamer here in China. I came from Russia. My Russian operator can send some signaling traffic to the Chinese operator, and this signaling traffic should be related to my identity. If the same Russian operator sends the same signaling traffic to the Chinese operator but it is related to Chinese subscribers, this traffic is illegitimate. And category three: the list of operations of category three is also available on the interconnection, but category three is the opposite of category two. All the operations of category three are related to outbound subscribers. For example, I am an outbound subscriber from my home network's point of view. And if I perform some operations here, the Chinese operator sends some signaling traffic to my home network, to the Russian operator, and this traffic should be related to my subscriber identity. If the Chinese operator sends the same signaling traffic to the Russian operator but it is related to other subscribers who are at home, this traffic is illegitimate.

And now I will describe several attacks, several vulnerabilities. To make this story more interesting, I will imagine an intruder who performs illegitimate activities step by step, receiving some information from the network, and on each turn, on each step, this intruder will exploit different vulnerabilities of the mobile networks.
First, what the intruder needs is the IMSI identity. And to receive this identifier, our intruder will exploit the vulnerability of a malformed application context name. To explain what the application context is, I need to explain some details about the TCAP protocol. The TCAP protocol consists of several fields. The first one is the TCAP message type. This is a mandatory field. The second one is the transaction ID. This is also a mandatory field. The next block, not a field but a huge block, is the dialogue portion. This portion contains the application context name. The application context name defines the operation that is coded on the upper layer, on the MAP layer. And the MAP layer itself lies inside the component portion. The two latter parts, the dialogue portion and the component portion, are optional parameters in the TCAP protocol.

Let's look at some details of the application context name. This is a set of numbers. Each number has its own definition. But in all MAP operations, the first six numbers are constant. And let's see what happens if our intruder changes one of these constant values to some value that is not supported, that is out of range. For example, the intruder changes zero, which means ETSI as the identified organization, to the number four. That is an unknown value for the standard. So the intruder appears in SS7 and sends a Send Routing Info for SM signaling message with a malformed application context. This signaling message comes to the STP and the STP starts inspecting this message layer by layer. First, the SCCP layer. The STP determines the destination node. The destination node is the HLR. Second, the TCAP layer. And here the STP encounters the malformed application context. The STP considers that the whole message is also malformed. And what's the decision? Of course, pass this message into the network. The destination node is known. This is the HLR. The STP does not look inside, does not inspect the other protocol, that is MAP. And on the MAP protocol, the STP could find the operation code, Send Routing Info for SM.
That means the message should be routed not to the HLR but to the SMS router, to implement the SMS home routing procedure. The STP sends this message to the HLR. It considers that the destination node should decide if this message is malformed or not. This destination node should decide whether it should reply to this message with an error or with a normal signaling message. And what happens? The HLR ignores the malformed application context and replies with correct data, with the correct IMSI and the correct MSC address.

But this is not all in this attack. Normally the intruder does not know if this data is correct or not, because if the SMS home routing procedure is implemented, the intruder receives the same structure of data. To be sure that SMS home routing is bypassed, the intruder needs to send the same, absolutely the same signaling request, and compare the IMSI identity in the responses. If the SMS home routing procedure works, the intruder receives two different random IMSIs in the two responses. But if the intruder sees equal IMSIs, that means the SMS home routing solution is bypassed.

Now our intruder has received some confidential technical data about the target subscriber. But this is not valuable for our intruder, and they want to find where this subscriber is located. And now the intruder will perform one more attack, location tracking, and will exploit another vulnerability, that is substitution of the operation code tag. But before I explain the attack mechanics, I need to describe some technical information about signaling networks. I have mentioned that MSISDN and global titles have the same structure. They consist of groups of digits. The first group defines the country; this is the country code. In this case this is China. The second group defines the mobile or fixed operator; this is the network destination code. I took these digits 8, 5, 4 randomly. I don't know if there is an operator with this code in China. And the third group of digits defines the subscriber, or a node if this is a global title. The next identity type is IMSI. IMSI also consists of three groups of digits.
The first group defines the mobile country; this is the mobile country code. The second group defines the network, the mobile network code. And the third group of digits defines the particular subscriber. Pay attention: these codes might belong to the same operator. And if we speak about correlation of operators or comparison of operators, we do not compare the digits of the global title and the IMSI digit by digit. First we need to define the operator by the global title prefix and the operator by the IMSI prefix, and after that do the comparison.

How does it work in SS7 firewalls? In this example, the SS7 firewall receives a signaling message. This is Provide Subscriber Info. And it inspects this layer by layer. It defines the operation. Provide Subscriber Info belongs to category 2 regarding the GSMA classification. That means that the SS7 firewall needs to define the source operator from this part, from the SCCP layer, and the target subscriber's operator from the MAP layer. What do we see? The source operator is somewhere in Switzerland, this is a Swiss operator, and the subscriber is from China, from a Chinese operator. These two operators are not equal. So the decision is: block this incoming message.

Let's look at some more details. This is the ITU recommendation that describes the TCAP protocol. And here we see an interesting thing. The TCAP operation code tag might be a local or a global value. They have different values, 2 and 6. Normally in all MAP messages the local operation code is used, for both local signaling traffic and international signaling traffic. In a traffic dump it looks like this: 02, this is the local operation tag; then 01, this is the length of the code itself, of the operation code; and 46, this is the hexadecimal code of this operation, of the Provide Subscriber Info request. Let's see what happens if our intruder substitutes the tag of the operation code. The intruder sends a Provide Subscriber Info signaling message, but they use 06 instead of 02, instead of the normal value. Wireshark cannot decode this message at all. And what happens then?
The STP sends this message to the SS7 firewall. But the SS7 firewall expects only local values, and it ignores all the global values. It sends this message back to the STP and the STP delivers it to the destination node, that is the MSC and VLR. And one more surprise: the MSC and VLR replies with a normal message, and it codes the operation with the normal, local operation code tag. Here in this message we can see the identity of the cell that serves the target subscriber. So the location tracking attack is done; the SS7 firewall is bypassed. During this research we sent this kind of malicious traffic to the equipment of four different vendors, and all nodes replied with normal responses that were coded with local operation code tags.

So our intruder knows the location of the target subscriber. But that's not all. The intruder wants to intercept a voice call, or a lot of voice calls, of this subscriber. And now the intruder will exploit one more vulnerability, which is connected with double MAP, or double component, encoding. First of all, let's look at how the classical voice call man-in-the-middle attack works in mobile networks, in signaling networks that are not protected. First of all, the intruder sends Insert Subscriber Data. This signaling message contains the IMSI of the target subscriber and some information that is intended to change the billing system of the subscriber in the profile, this one. This message is delivered to the MSC and VLR. This node replies OK, profile is updated. After that, the intruder just finalizes the transaction. And now the intruder should wait for the subscriber to call. When this target subscriber, who is red in the picture, when the subscriber calls, the information comes to the MSC and the MSC should perform the billing process. It sends an Initial DP signaling message to the billing platform, to the spoofed, fake billing platform that is under the hacker's control. After that the hacker is able to send a Connect message with a private branch exchange number.
And this is an instruction to redirect, to forward the call to this number, to this new number. The MSC just redirects this call to the PBX. After that the hacker is able to initiate one more new call to the target operator and use the number information, because the Initial DP signaling message contains information about the A and B subscribers, about the calling and called subscribers. In this case the intruder just makes a call to the correct B subscriber and spoofs the address of the A subscriber. This call comes to the operator. The two subscribers are able to communicate with each other, but all the voice traffic goes through the hacker's controlled equipment.

SS7 firewalls, of course, are able to block this attack. When the Insert Subscriber Data signaling message from the hacker comes to the network, the STP sends this signaling message to the SS7 firewall, and the SS7 firewall starts inspecting this message. It finds that the operation code is Insert Subscriber Data. This operation code belongs to category two. That means the SS7 firewall should compare the source and the target subscriber, the operators of the source and of the target subscriber. And we know Switzerland is not China, so this message should be blocked. The attack is impossible.

One more interesting thing about the TCAP protocol. When I was speaking about this protocol I mentioned the component portion, and I said this component portion includes the MAP operation itself. But the standards say that there could be more than one component within one TCAP primitive. Each component should have its own operation, and they might have different subscriber identities. When SS7 firewalls face this kind of signaling message, this is a really unexpected message. SS7 firewalls usually inspect only the first component, and they consider that the second component is just a long tail of the first component, and they do not look at it. Let's look at how the intruder can use this feature of the signaling protocol. The intruder sends a signaling message that contains two operations, in two components.
The first one is Insert Subscriber Data, and the second one is Delete Subscriber Data. This message comes to the STP. The STP routes this message to the SS7 firewall. The SS7 firewall, as we know, inspects only the first component. The first component is without any identity. This is OK regarding the standard. So the SS7 firewall sends the message back to the STP, and the STP delivers this message to the destination node. From the MSC's point of view, this combination, simultaneous insert and delete, is something wrong and unknown. This is an impossible combination. That's why the MSC sends an error message, Return Error. It looks normal at first glance, but this signaling message with the error goes in a TCAP Continue signaling message. That means that the MSC says something like this: I don't understand you. Please repeat your request within the same transaction. And the intruder does. The intruder sends one more signaling message within this transaction, which again consists of two components. Both of them are Insert Subscriber Data operations. The first component is without a subscriber identity, and the second one contains the identity of the target subscriber. The SS7 firewall again inspects only the first component. It sees that the first component is absolutely normal and passes this message into the network. Now the MSC has two Insert Subscriber Data requests within one TCAP message. The MSC sends OK for the first component and OK for the second one. So the subscriber profile is updated. After that the intruder finalizes the transaction. And now they are waiting for the call. The target subscriber calls. The MSC sends an Initial DP signaling message to the intruder's equipment. The intruder replies with Connect to the PBX. The call goes to the hacker's PBX. After that the hacker redirects this call once more, to the B subscriber. The subscribers are able to talk to each other, but all the traffic goes through the hacker's PBX. So this attack is successful, and the SS7 firewall is bypassed.
And what I can say as a conclusion. Really, the SS7 stack of protocols has some problems. The first of them is architectural flaws. The second one: operators usually make a lot of mistakes in configuration, first of all in STP configuration. Some of the described attacks would be impossible if the STP configuration were correct. And of course, now we see a lot of software bugs in telecom equipment. For example, in the last case we saw that the MSC said, I don't understand, please continue, repeat your request. But a simultaneous insert and delete should be rejected outright, just on the first request.

A message to mobile operators. Please check your security tools as soon as a new vulnerability is reported. You should also use intrusion detection systems together with SS7 firewalls, because some attacks cannot be blocked on the SS7 firewall, but an IDS is able to detect them. Block almost all double MAP messages. During our research and during our monitoring of signaling, we saw only one legal pair with double MAP components. This is Begin Subscriber Activity and Process Unstructured SS Data. And of course, configure STPs and firewalls carefully. And don't forget about application context names, malformed application context names, and operation codes, local and global.

Thank you for your attention. Questions, please? Thank you.
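The three firewall weaknesses the talk describes (a malformed application context name that is passed through unchecked, a global operation code tag that the firewall ignores, and a second TCAP component that is never inspected) can all be turned into explicit inspection rules. The following is an added example written for this page, not code from the speaker or from Positive Technologies. It models a single TCAP message as a source global title, an application context name and a BER-encoded component portion. The TLV framing and the MAP local operation codes are real; the parameter layout (the IMSI as a [0] TBCD element inside a SEQUENCE), the OID-shaped global opcode payload, the application context ids and the prefix-to-operator tables are constructed for the example.

```python
# Added example: a minimal SS7-firewall style inspector that applies the talk's
# three observations to a simplified TCAP message model. Constructed data only.
from typing import List, Optional, Tuple

MAP_AC_PREFIX = (0, 4, 0, 0, 1, 0)          # the constant first six arcs of every MAP AC name
INVOKE_TAG, LOCAL_OPCODE_TAG, GLOBAL_OPCODE_TAG = 0xA1, 0x02, 0x06

# Local MAP operation codes (3GPP TS 29.002); PSI is 0x46 as in the talk's trace.
OP_INSERT_SUBSCRIBER_DATA, OP_DELETE_SUBSCRIBER_DATA = 7, 8
OP_PROCESS_USSD_DATA, OP_BEGIN_SUBSCRIBER_ACTIVITY = 19, 54
OP_SEND_ROUTING_INFO_FOR_SM, OP_PROVIDE_SUBSCRIBER_INFO = 45, 70

# GSMA category 2: the source operator must be the target subscriber's operator.
CATEGORY_2 = {OP_INSERT_SUBSCRIBER_DATA, OP_DELETE_SUBSCRIBER_DATA, OP_PROVIDE_SUBSCRIBER_INFO}
# The one legitimate double-component pair the speaker reports having observed.
ALLOWED_DOUBLE = {frozenset({OP_BEGIN_SUBSCRIBER_ACTIVITY, OP_PROCESS_USSD_DATA})}
# Illustrative prefix -> operator tables (constructed for the example).
GT_OPERATORS = {"41780": "swiss-op", "86854": "china-op"}
IMSI_OPERATORS = {"22802": "swiss-op", "46000": "china-op"}


def tlv(tag: int, value: bytes) -> bytes:
    """BER TLV with a short-form length (every value here is under 128 bytes)."""
    return bytes([tag, len(value)]) + value


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos (short or long-form length); returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def tbcd_encode(digits: str) -> bytes:
    """Telephony BCD: low nibble first, 0xF pads an odd digit count."""
    digits += "F" * (len(digits) % 2)
    return bytes(int(digits[i], 16) | (int(digits[i + 1], 16) << 4)
                 for i in range(0, len(digits), 2))


def tbcd_decode(data: bytes) -> str:
    return "".join(str(n) for b in data for n in (b & 0x0F, b >> 4) if n != 0xF)


def invoke(opcode: int, imsi: Optional[str] = None, global_tag: bool = False) -> bytes:
    """Build one Invoke component; the IMSI sits as a [0] TBCD element in the parameter."""
    if global_tag:  # OID-shaped payload standing in for a global operation code (constructed)
        op = tlv(GLOBAL_OPCODE_TAG, bytes([0x04, 0x00, 0x00, 0x01, 0x00, opcode]))
    else:
        op = tlv(LOCAL_OPCODE_TAG, bytes([opcode]))
    param = tlv(0x30, tlv(0x80, tbcd_encode(imsi)) if imsi else b"")
    return tlv(INVOKE_TAG, tlv(0x02, b"\x01") + op + param)


def parse_components(portion: bytes) -> List[Tuple[int, Optional[int], Optional[str]]]:
    """Walk EVERY component, not only the first: (opcode_tag, local opcode or None, IMSI or None)."""
    comps, pos = [], 0
    while pos < len(portion):
        _, body, pos = read_tlv(portion, pos)
        _, _, p = read_tlv(body, 0)                    # invokeID
        op_tag, op_val, p = read_tlv(body, p)
        opcode = op_val[0] if op_tag == LOCAL_OPCODE_TAG else None
        imsi = None
        if p < len(body):
            _, param, _ = read_tlv(body, p)
            q = 0
            while q < len(param):
                t, v, q = read_tlv(param, q)
                if t == 0x80:
                    imsi = tbcd_decode(v)
        comps.append((op_tag, opcode, imsi))
    return comps


def operator_of(table: dict, number: str) -> Optional[str]:
    """Longest-prefix lookup: operators are compared by name, never digit by digit."""
    return next((table[number[:n]] for n in range(len(number), 0, -1) if number[:n] in table), None)


def inspect(source_gt: str, app_context: Tuple[int, ...], portion: bytes) -> List[str]:
    """Return the reasons to block the message; an empty list means it passes."""
    findings = []
    if app_context[:6] != MAP_AC_PREFIX:
        findings.append("malformed application context name")   # decide here, not at the HLR
    comps = parse_components(portion)
    opcodes = set()
    for i, (op_tag, opcode, imsi) in enumerate(comps):
        if op_tag != LOCAL_OPCODE_TAG:
            findings.append(f"component {i}: non-local operation code tag 0x{op_tag:02x}")
            continue
        opcodes.add(opcode)
        if opcode in CATEGORY_2 and imsi is not None:
            src, dst = operator_of(GT_OPERATORS, source_gt), operator_of(IMSI_OPERATORS, imsi)
            if src != dst:
                findings.append(f"component {i}: category 2 operator mismatch ({src} vs {dst})")
    if len(comps) > 1 and frozenset(opcodes) not in ALLOWED_DOUBLE:
        findings.append(f"{len(comps)} components in one TCAP primitive")
    return findings


def samples() -> dict:
    """Constructed messages reproducing the talk's scenarios plus one legitimate request."""
    swiss_gt, china_gt, china_imsi = "41780123456", "86854123456", "460001234567890"
    return {
        "malformed_ac": (china_gt, (4, 4, 0, 0, 1, 0, 20, 3), invoke(OP_SEND_ROUTING_INFO_FOR_SM)),
        "global_tag": (swiss_gt, (0, 4, 0, 0, 1, 0, 18, 3),
                       invoke(OP_PROVIDE_SUBSCRIBER_INFO, china_imsi, global_tag=True)),
        "double_isd": (swiss_gt, (0, 4, 0, 0, 1, 0, 16, 3),
                       invoke(OP_INSERT_SUBSCRIBER_DATA) + invoke(OP_INSERT_SUBSCRIBER_DATA, china_imsi)),
        "legit_psi": (china_gt, (0, 4, 0, 0, 1, 0, 18, 3), invoke(OP_PROVIDE_SUBSCRIBER_INFO, china_imsi)),
    }


if __name__ == "__main__":
    for name, args in samples().items():
        print(name, inspect(*args) or "PASS")
```

The design point is that each check fails closed at the firewall: an out-of-range application context is blocked rather than forwarded for the HLR to judge, a non-local operation code tag is treated as a finding rather than something to skip, and the component loop never stops after the first Invoke, so the category-2 operator comparison is applied to the second component's IMSI as well. The allow-list for legitimate double-component messages contains only the pair the speaker names.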