SS7 ATTACK

Ahmet Göker
5 min read, Apr 28, 2022


Hey amazing hackers,

welcome back to my blog. Today I want to write about an old but still relevant vulnerability, one that attackers have been using effectively.

DEFINITION

Signaling System 7 (SS7) is an architecture for performing out-of-band signaling in support of the call-establishment, billing, routing, and information-exchange functions of the public switched telephone network (PSTN). It identifies the functions to be performed by a signaling-system network and a protocol to enable their performance.

You can find more exhaustive details about signaling elsewhere; for now, let's talk about the attack itself. I know this topic is huge, but I will try to give you the most useful information.

ABSTRACT

Most mobile operators defend their SS7 perimeter by reconfiguring network equipment and implementing SMS Home Routing solutions. This is the right way to withstand basic SS7 attacks, but it is not enough to protect the network. Security audit practice shows that SS7 attacks can be performed that bypass these security mechanisms. Moreover, real attacks tend to be stealthier and harder to detect at an early stage.

OLD TECHNOLOGY, NEW VULNERABILITY

With access to SS7 and a victim's phone number, an attacker can listen to a conversation, pinpoint a person's location, intercept messages to gain access to a mobile banking service, send a USSD (Unstructured Supplementary Service Data) command to a billable number, and conduct other attacks. The network is not penetrated directly; it must be accessed via an SS7 gateway, but getting access to an SS7 gateway is relatively easy. An attacker can obtain an operator's licence in countries with lax laws, or purchase access through the black market from a legal operator for several thousand dollars.

SMS HOME ROUTING BYPASS

A malefactor can easily bypass most security systems if they have configuration mistakes that are not evident at first sight. Some operators believe that, having implemented an SMS Home Routing solution and configured core equipment to block category 1 messages, it is impossible for an intruder to obtain the IMSI (International Mobile Subscriber Identity) and perform more dangerous attacks from the SS7 network. SMS Home Routing is a hardware and software solution that proxies (hides) confidential subscriber identifiers and equipment addresses when receiving texts from external connections.

POSITIONING ENHANCEMENT DURING LOCATION TRACKING

One of the most popular attacks on SS7 networks is location tracking. A request for the subscriber's location is sent via the SS7 network, and the response includes the base station identity. Each base station has specific geographic coordinates and covers a particular area. Because of urban density, the coverage area in a city ranges from tens to hundreds of meters. An attacker can make use of these mobile network peculiarities to generate location requests and to locate the base station by its identity.

Normally, a mobile device chooses the base station with the best radio conditions during a transaction. Therefore, the mobile device must exchange signals with the network. The malefactor can use a so-called silent SMS to initiate a hidden transaction with the target subscriber. However, information about these messages is available in the subscriber's account. A more effective way to hide a transaction is to use silent USSD notifications. Although such transactions are not registered by the billing system

INVISIBLE INTERCEPTION OF SHORT MESSAGES

Short message interception is one of the most dangerous attacks on SS7 networks. Many services still use SMS as a trusted channel. For example, banks use SMS for OTP (One Time Password) delivery, social networks for password recovery, and messengers for access to the application.

In order to intercept an incoming SMS, the intruder must register the subscriber in a "fake" network using the necessary equipment. The attack simulates the subscriber roaming in a visited network. The HLR gets a record of the subscriber's new location, where terminating calls and SMS messages are then routed. In the case of an originating call, the first attempt fails; the attacker sees this and can repeat the attack to make the next call attempt fail as well. Moreover, if the attackers control the network element that is indicated as the new MSC, they can intercept terminating SMS messages and redirect terminating voice calls.
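As an added illustration from the defender's side (not code from the original post), here is how an operator's signaling monitoring could flag the chain described in the two sections above: a burst of location queries for one IMSI from an external network, followed by a location update and SMS delivery to that same network. The event format, field names, the "ext-*" peer labels and the sample records are all constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed sample of signaling records as a monitoring probe might log them.
# Each tuple: (timestamp in seconds, MAP operation, IMSI, external peer network
# on the other end of the message). IMSIs use the test MCC/MNC 001/01.
SAMPLE_EVENTS = [
    (0,   "SendRoutingInfoForSM",  "001010123456789", "ext-A"),
    (40,  "ProvideSubscriberInfo", "001010123456789", "ext-A"),
    (80,  "ProvideSubscriberInfo", "001010123456789", "ext-A"),
    (120, "ProvideSubscriberInfo", "001010123456789", "ext-A"),
    (300, "UpdateLocation",        "001010123456789", "ext-A"),
    (330, "MT-ForwardSM",          "001010123456789", "ext-A"),
    (15,  "UpdateLocation",        "001010555555555", "ext-B"),  # ordinary roamer
]

# Operations an outside party can use to learn a subscriber's IMSI or location.
LOCATION_OPS = {"SendRoutingInfoForSM", "ProvideSubscriberInfo", "AnyTimeInterrogation"}
WINDOW = 600   # seconds within which repeated queries count as one burst
BURST = 3      # queries from one peer that we treat as tracking activity


def detect(events, window=WINDOW, burst=BURST):
    """Return (imsi, peer, rule) alerts for the probing -> registration -> SMS chain."""
    alerts = []
    queries = defaultdict(list)   # (imsi, peer) -> timestamps of location queries
    burst_seen = {}               # (imsi, peer) -> time the burst threshold was hit
    registered = set()            # (imsi, peer) pairs with a suspect UpdateLocation
    for ts, op, imsi, peer in sorted(events):
        key = (imsi, peer)
        if op in LOCATION_OPS:
            # keep only queries inside the sliding window, then add this one
            queries[key] = [t for t in queries[key] if ts - t <= window] + [ts]
            if len(queries[key]) >= burst and key not in burst_seen:
                burst_seen[key] = ts
                alerts.append((imsi, peer, "location-tracking-burst"))
        elif op == "UpdateLocation":
            # a registration from the same peer shortly after probing is suspect;
            # a lone UpdateLocation (a normal roamer) raises nothing
            if key in burst_seen and ts - burst_seen[key] <= window:
                registered.add(key)
                alerts.append((imsi, peer, "registration-after-probing"))
        elif op == "MT-ForwardSM" and key in registered:
            # terminating SMS now routed to the suspect "visited" MSC
            alerts.append((imsi, peer, "sms-routed-to-suspect-vlr"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```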

SUMMARY

I know that this topic might be complicated: if you have not worked with signaling or telecommunications before, or studied telecom security, you may be confused and not know how to understand this topic properly. I suggest you check and study further with more explanations and details, because I also just started to research this attack and was willing to share this blog with you, even though I was not yet ready for it. Of course I am open to any questions, but as I said, I am also a beginner in this field. I will try my best to answer your questions in order.

Many Thanks for reading this blog.

You can follow me on social media to stay tuned about hacking, malware, exploits, and the C/C++ programming languages.

Linkedin: https://www.linkedin.com/in/ahmetgoker/

Youtube: https://www.youtube.com/TurkishHoodie

Twitter: https://twitter.com/TurkishHoodie_

And if you want to add me as a friend on the TryHackMe platform, that would definitely be fine, of course.

Tryhackme: https://tryhackme.com/p/TurkishHoodie

I almost forgot one thing. Did you know that the FBI has been using this signaling technique to locate cybercriminals? So be alert :).
