
Huawei SS7 Signaling Network Security

May 2017

Building a Better Connected World www.huawei.com


Agenda

• Attack Scenarios Example
• Solution

Page 2 HUAWEI TECHNOLOGIES CO., LTD.


Main SS7 Attack Scenarios

• Location Tracking: Obtain the target subscriber's cell ID by accessing the SS7 network
• Call & SMS Intercept: Change the direction of call & SMS by manipulating SS7 message
• Denial of Service: Deny service by removing records from HLR or VLR
• Fraud: Make illegitimate Call/SMS and disable usage limits

More and more operators report security issues and consider the solution to reduce the security risk.



Location Tracking

MAP Message: ATI (MAP-ANY-TIME-INTERROGATION)
Input parameters: MSISDN
Risk: Disclose information: Location (Cell ID), Subscriber State, IMSI, MSC address
Defense Measures: HPLMN: Shield ATI messages from other networks
Device and Solution: HPLMN: STP shield the 1st category MAP messages.

Configuration to block ATI message: Block ATI message from other network.



Location Tracking

MAP Message: SRI_SM (MAP-SEND-ROUTING-INFO-FOR-SM), PSI (MAP-PROVIDE-SUBSCRIBER-INFO)
Input parameters: MSISDN
Risk: Disclose information: Location, Subscriber State, IMSI
Defense Measures:
  HPLMN: Avoid real IMSI leaked to other networks
  VPLMN: Verify the original address in SCCP layer. Only HPLMN can send PSI message to VPLMN.
Device and Solution:
  HPLMN: SMS Home Routing (3GPP 23840) (new deploy)
  VPLMN: Shield the 2nd category MAP messages in STP

Block PSI message from other network.



Voice Call or SMS Interception

Key points:
- Attacker gets the serving MSC number and IMSI by sending SRI_SM to HPLMN.
- Attacker acts as HLR, and updates the profile (SCP address) of the subscriber to the serving MSC.
- Attacker acts as SCP to control the call process flow.

[Sequence diagram between SMSC, HLR, SCP, MSC, HLR and MSC/VLR]
Messages: SRI_SM(MSISDN); SRI_SM_ACK(IMSI, MSC number); MAP-INSERT-SUBSCRIBER-DATA_REQ(MSISDN, SCP address); MAP-INSERT-SUBSCRIBER-DATA_RSP. Change subscriber A SCP address as hacker's fake SCP.
Voice Call: initial call A->B; IDP(A,B); AC,RRBE,Connect(A,C); IAM(A,C); IAM(A,B); Conversation(A,B)
SMS: initial SMS A->B; IDP(A,B); AC,RRBE,Connect (fake SMSC address); MAP_MO_FORWARD_MESSAGE_IND(text); MAP_MO_FORWARD_MESSAGE_RSP

1. Voice/SMS chats
2. One time passwords
3. Confirmation codes
4. Password recovery



Voice Call or SMS Interception

[Diagram: three SS7 panels (Local, Roaming-in, Roaming-out), each with the gateway iSTP in front of HLR and MSC/VLR. Labels: attacker as SMSC/HLR sending SRI4SM (MSISDN-B); attacker as HLR sending ISD (B, SCP address).]

MAP Message: SRI_SM (MAP-SEND-ROUTING-INFO-FOR-SM), ISD (MAP-INSERT-SUBSCRIBER-DATA)
Input parameters: SRI_SM(MSISDN); ISD(IMSI, MSC address, MSISDN, SCP address)
Risk: Interception: Voice
Defense Measures: Avoid real IMSI leaked to other networks
Device and Solution:
  HPLMN: SMS Home Routing (3GPP 23840)
  VPLMN: STP shield the 2nd category MAP messages.

Block ISD message from other network.

DoS Attack to Mobile Switching Center

[Diagram: three SS7 panels (Collect info, Make it starve, DoS Real), each with the gateway iSTP in front of HLR and MSC/VLR.
Collect info: attacker as SMSC sends SRI4SM. We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits.
Make it starve: attacker as HLR sends PRN. provideRoamingNumber: "I am HLR. My GT 1 321 4567801. Provide MSRN for Subscriber-B IMSI 15 digits." Reply: provideRoamingNumber, MSRN 0 123 4560001. Large PRN request… Reply: noRoamingNumberAvailable.
DoS Real: attacker as HLR. provideRoamingNumber: "I am HLR. My GT 1 321 4568701. Provide MSRN for Subscriber-ANY IMSI 15 digits." Reply: noRoamingNumberAvailable. No incoming calls.]

MAP Message: SRI_SM (MAP-SEND-ROUTING-INFO-FOR-SM), PRN (MAP-PROVIDE-ROAMING-NUMBER)
Input parameters: SRI_SM (MSISDN); PRN (IMSI, MSC Address)
Risk: roaming number resources are exhausted
Protection: Roaming Number attack prevention and avoid roaming number resources are exhausted
Deployment:
  1. MSC/STP
  2. Deploy monitor device, SANEX. Monitor PRN throughout.

STP do security check with PRN from IPX.

DoS Attacks to Dedicated Sub

[Diagram: three SS7 panels (Change sub profile, Delete Sub, DoS VLR Attack), each with the gateway iSTP in front of HLR and MSC/VLR. In each panel the attacker as SMSC/HLR sends SRI4SM (MSISDN-B). Change sub profile: ISD (IMSI, MSC Address, ODB). Delete Sub: CANLOC (IMSI, MSC address). DoS VLR Attack: PRN (IMSI, MSC address).]

MAP Message: SRI_SM (MAP-SEND-ROUTING-INFO-FOR-SM), CANLOC (CANCEL LOCATION), ISD (MAP-INSERT-SUBSCRIBER-DATA), PRN (MAP-PROVIDE-ROAMING-NUMBER)
Input parameters: SRI_SM (MSISDN); CANLOC (IMSI, MSC Address); ISD (IMSI, MSC Address, ODB); PRN (IMSI, MSC Address)
Risk: VLR subscriber data has been tampered
Defense Measures:
  HPLMN: Avoid real IMSI leaked to other networks
  VPLMN: Verify the original address in SCCP layer. Only HPLMN can send PSI message to VPLMN.
Device and Solution:
  HPLMN: SMS Home Routing (3GPP 23840) (new deploy)
  VPLMN: Shield the 2nd category MAP messages in STP



Money Transfer (Bad to Subs)

[Diagram: three SS7 panels (Collect info, Send USSD 1, Send USSD 2), each with the gateway iSTP in front of HLR and MSC/VLR.
Collect info: attacker as SMSC sends SRI4SM. sendRoutingInfoForSM: "I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?" We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits.
Send USSD 1: attacker as MSC/VLR sends PROUNR. processUnstructuredSS-request: "I am MSC/VLR. Request how much money has subscriber with IMSI 15 digits?" We know: HLR 0 123 4567800, Subscriber-B IMSI 15 digits, Account info. Reply: processUnstructuredSS-request, "Subscriber's account is $$$$$."
Send USSD 2: attacker as MSC/VLR. processUnstructuredSS-request: "I am MSC/VLR. Transfer money from IMSI 15 digits to my mobile account." Reply: processUnstructuredSS-request, OK.
Subscriber B does not get SMS notification if Attacker combines this attack with the previous one.]

MAP Message: SRI_SM (MAP-SEND-ROUTING-INFO-FOR-SM), PROUNR (MAP-PROCESS_UNSTRUCTUREDSS_REQUEST)
Input parameters: SRI_SM (MSISDN); PROUNR (MAP-PROCESS_UNSTRUCTUREDSS_REQUEST)
Risk: Subscribers' money transfer
Protection: Roaming Number attack prevention and avoid roaming number resources are exhausted
Deployment:
  1. STP/SMSC
  2. Deploy monitor device, SANEX. Monitor PROUNR throughout.

STP do security check with PROUNR from IPX.



Voice Service Toll Fraud (Bad to Operator)

[Diagram: two SS7 panels (Collect info, Change info), each with the gateway iSTP in front of HLR and MSC/VLR.
Collect info: attacker as SMSC sends SRI4SM. sendRoutingInfoForSM: "I am SMSC. My GT 1 321 4567801. Where is Subscriber-B MSISDN 0 123 4567802?" We know: B-Number 0 123 4567802, HLR 0 123 4567800, MSC/VLR 0 123 4567803, Subscriber-B IMSI 15 digits.
Change info: attacker as HLR sends ISD (IMSI, Postpaid).]

• The attacker connects to the SS7 network, crafts SS7 messages, and impersonates the HLR to initiate a subscription data changing process for the subscriber of a given IMSI and change the subscriber type from prepaid to post-paid.
• As a result, the SCP will not generate CDRs, leading to a toll fraud.

MAP Message: SRI_SM (MAP-SEND-ROUTING-INFO-FOR-SM), ISD (MAP-INSERT-SUBSCRIBER-DATA)
Input parameters: SRI_SM(MSISDN); ISD (IMSI, MSC address, MSISDN, SCP address)
Risk: Fraud: charge
Defense Measures:
  HPLMN: Avoid real IMSI leaked to other networks.
  VPLMN: Verify the original address in SCCP layer. Only HPLMN can send ISD message to VPLMN.
Device and Solution:
  HPLMN: SMS Home Routing (3GPP 23840)
  VPLMN: STP shield the 2nd category MAP messages. Block ISD message from other network.



Summary
1 Network Security Risk Direction

• Non-roaming network
• Roaming partner

2 With Huawei Security Solution

• Avoid attack from other networks, reduce the range of attacks
• Record all signaling messages with other networks, assist post hoc analysis, quickly locate attack direction
• Easy to set firewall rules, fewer than 3 steps per scenario.

3 Huawei Security Solution Evolution

• Keep following GSMA security guideline, and synchronize protection rules to AsiaCell once a new attack is found
• Focus on SS7 security, also research Diameter security and 5G security

Agenda

• Attack Scenarios Example
• Solution


Summary (Cat1)

Cat | Msg | Dest. Node | Ans rq | Filtering: Dest. Node | Filtering: STP | Filtering: SS7 firewall
1 | SendRoutingInfo, SendRoutingInfo for GPRS, SendRoutingInfo for LCS, SendIMSI, AnyTimeInterrogation, AnyTimeSubscriberInterrogation, FailureReport | HLR | Y | MAP screening (Op, CgGT) | MAP screening (Op, CgGT) | MAP screening (Op, CgGT)
1 | AnyTimeModification | HLR | N | MAP screening (Op, CgGT) (note1) | MAP screening (Op, CgGT) | MAP screening (Op, CgGT)
1 | SendIdentification, SendParameters (Note 2), ResumeCallHandling | VLR (MSC) | Y | MAP screening (Op, CgGT) | MAP screening (Op, CgGT) | MAP screening (Op, CgGT)
1 | CheckIMEI | EIR | N | MAP screening (Op, CgGT) | MAP screening (Op, CgGT) | MAP screening (Op, CgGT)
1 | NoteSubscriberDataModified | Gsm SCF | N | MAP screening (Op, CgGT) | MAP screening (Op, CgGT) | MAP screening (Op, CgGT)
1 | SubscriberLocationReport | GMLC | Y | MAP screening (Op, CgGT) | MAP screening (Op, CgGT) | MAP screening (Op, CgGT)
1 | Unknown Opcode | | | MAP screening | MAP screening | MAP screening

Summary (Cat2)

Filtering features columns on the slide: Dest. Node (note 3), STP, SS7 firewall. Entries are listed in slide order.

Cat | Msg | Dest. Node | Ans rq | Filtering features
2.1 | ProvideRoamingNumber | MSC | Y | MAP screening (Op, GT, IMSI) (note 2); Compare IMSI and HLR; Compare IMSI and HLR
2.1 | ProvideSubscriberInfo, ProvideSubscriberLocation (note 4) | MSC SGSN | Y (note and 5) | MAP screening (Op, GT, IMSI) (note 2); Compare IMSI and HLR; Compare IMSI and HLR
2.2 | CancelLocation, InsertSubscriberData, DeleteSubscriberData, RemoteUserFree, Reset, UnstructuredSSNotify, UnstructuredSSRequest | MSC SGSN | N | MAP screening (Op, GT, IMSI) (note 2), Check CgGT spoofing (note 1); Compare IMSI and HLR (note1); Compare IMSI and HLR (note 1)
2.2 | InformServiceCentre, AlertServiceCentre | MSC | N | Compare MSISDN and HLR; Compare MSISDN and HLR; (note 6)



Summary (Cat3.1)

Filtering features columns on the slide: DestNode, STP, SS7 firewall. Entries are listed in slide order.

Cat | Msg | Dest. Node | Ans rq | Filtering features
3.1 | RegisterSS, ActivateSS / DeactivateSS, RegisterPassword, ProcessUnstructuredSS, BeginSubscriberActivity (USSDv1), PurgeMS, ReportSMDeliveryStatus | HLR | N | Compare current VLR and Cg SCCP (note 1); Compare current VLR and Cg SCCP (note 1)
3.1 | RestoreData, InterrogateSS | HLR | Y | Compare current VLR and Cg SCCP (note 1); Compare current VLR and Cg SCCP (note 1)
3.1 | SsInvocationNotify | Gsm SCF | N | Compare current VLR and Cg SCCP (note 1); Compare current VLR and Cg SCCP (note 1)
3.1 | ForwardSM (MO) [2] | SMSC | N | Compare current VLR and Cg SCCP (note 1)(note 2); Compare current VLR and Cg SCCP (note 1)

Summary (Cat3.2)

Filtering features columns on the slide: DestNode, STP, SS7 firewall. Entries are listed in slide order.

Cat | Msg | Dest. Node | Ans rq | Filtering features
3.2 | UpdateLocation, UpdateGPRSLocation | HLR | Y | Check Location; Check Location
3.2 | SendAuthenticationInfo, SendParameters (note 3) | HLR | Y | Check Location; Check Location
3.3 | SendRoutingInfo for SM | HLR | Y | SMS Home Routing + SMS FW
3.3 | MT-ForwardSM (note 4), ForwardSM (note 4) | MSC, SGSN | N | MAP screening (Op, GT, IMSI); MAP screening (Op, GT, IMSI); SMS Home Routing + SMS FW



SS7 Layer-based Screening for Basic Scenarios
Screening policy is configured on the incoming linkset of SS7-interconnection as below.
• Combined linkset+OpCode screening to support category 1 in GSMA

1. Operation Code Screening
2. MAP Operation Code Set Configuration



Enhanced Contextual Signaling Screening
For Category 2 and 3, if the attacker simulates the roaming partner's address to originate a MAP request, simple layer-based routing does not work and Contextual Signaling Screening is required.

Category 2, Attack From Roaming Partners

[Diagram: HLR in "Your Partners", STP and VLR in "Your network". Messages: Ins. Subscriber data Req, Ins. Subscriber data Ack. The STP associates the SCCP calling GT with the MSISDN/IMSI in the MAP layer. Illegal message block.]

The Calling GT is from the roaming partner, but the content of the MAP layer mismatches the Calling GT.

Contextual signaling screening for Category 2 & 3:

• SCCP layer: the calling GT
• MAP/CAP layer: MAP/CAP operation code and IMSI
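
The two screening levels described so far (operation code on the interconnect linkset for category 1, calling GT checked against the IMSI for category 2) can be sketched as follows. This is an added example, not code from the deck or from any Huawei product; the GT prefixes, IMSIs, the partner table and the 5-digit MCC+MNC prefix are constructed assumptions.

```python
# Added example: category 1 and category 2 screening on the incoming
# interconnect linkset. All GTs, prefixes and IMSIs are constructed values.

CAT1_OPS = {"AnyTimeInterrogation", "SendIMSI", "SendRoutingInfo",
            "AnyTimeModification", "SendIdentification"}
CAT2_OPS = {"ProvideRoamingNumber", "ProvideSubscriberInfo",
            "InsertSubscriberData", "DeleteSubscriberData", "CancelLocation"}

HOME_GT_PREFIX = "99970"  # constructed: GT range of the protected network
# Constructed roaming-partner table: IMSI prefix (MCC+MNC) -> HLR GT prefixes.
PARTNER_HLR_GT = {
    "99901": ("99810",),
    "99902": ("99820", "99821"),
}


def screen_interconnect(op, cg_gt, imsi=None):
    """Return (verdict, reason) for one MAP request from another network."""
    if cg_gt.startswith(HOME_GT_PREFIX):
        # A home-range calling GT cannot legitimately arrive from outside.
        return "block", "calling GT spoofs the home network"
    if op in CAT1_OPS:
        # Category 1: the operation code alone decides on this linkset.
        return "block", "category 1 operation from another network"
    if op in CAT2_OPS:
        if imsi is None:
            return "block", "category 2 operation without IMSI"
        # Category 2: the calling GT must belong to the IMSI's home network.
        hlr_prefixes = PARTNER_HLR_GT.get(imsi[:5])
        if hlr_prefixes is None:
            return "block", "IMSI is not a roaming partner's subscriber"
        if not cg_gt.startswith(hlr_prefixes):
            return "block", "calling GT does not match the IMSI's HLR"
        return "pass", "calling GT matches the IMSI's home network"
    return "pass", "not a category 1 or 2 operation"


def screen_all(messages):
    """Screen a batch of (op, cg_gt, imsi) tuples and return the verdicts."""
    return [screen_interconnect(*m)[0] for m in messages]


# Constructed sample traffic.
SAMPLE = [
    ("AnyTimeInterrogation", "998101234", None),               # category 1
    ("InsertSubscriberData", "998100001", "999011234567890"),  # consistent
    ("InsertSubscriberData", "998200001", "999011234567890"),  # GT/IMSI mismatch
    ("ProvideRoamingNumber", "998100001", "999701234567890"),  # home IMSI
    ("CancelLocation", "999700001", "999011234567890"),        # spoofed home GT
]
```

Only the second sample message passes: its calling GT lies in the HLR range registered for the IMSI's operator.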



Category 3, AsiaCell sub roaming to Partners

[Diagram: UE and vMSC at the UK operator; iSTP, FW, nSTP and HLR at AsiaCell. Messages shown: UL, RegisterSS.]

1. FW receives the UL from iSTP and stores the VLR address (Cg SCCP).
2. When a following message (for example RegisterSS) comes in, FW compares the current VLR and Cg SCCP.



Category 3, AsiaCell sub back to AsiaCell

[Diagram: vMSC at the UK operator, with a hacker in the UK; iSTP, FW, vMSC, nSTP and HLR at AsiaCell. Messages shown: UL, RegisterSS.]

1. FW still stores the sub's VLR address (Cg SCCP).
2. The new UL will not come to FW, so the record loses efficacy, but FW has no way to update the record.
3. Once the hacker attacks from the UK vMSC, FW will pass it and the attack succeeds.



Category 3, a Timer in FW for VLR record?

[Diagram: vMSC at the UK operator and a vMSC in the USA; iSTP, FW, vMSC, nSTP and HLR at AsiaCell. Messages shown: UL (1), RegisterSS (2).]

1. FW receives the UL from iSTP and stores the VLR address (Cg SCCP). Timer = 5 days.
2. If the message is passed after timeout: from the 6th day, when a USA hacker attacks this sub, the VLR address has lost efficacy, so FW will pass it and the attack succeeds.
3. If the message is blocked after timeout: from the 6th day, the sub can't use any service because FW will block the message.
4. If the sub is back to AsiaCell on the 3rd day, the hacker can attack this sub from the UK vMSC.

Enhanced Contextual Signaling Screening (Cat 3)

[Diagram: VLR in "Your Partners"; FW and HLR in "Your network". Messages: RegisterSS, AnyTimeInterrogation, AnyTimeInterrogation Ack, RegisterSS Ack. Illegal message block.]

Query to HLR to get the current serving MSC/VLR, and compare the query result with the network where the MAP operation was received.

1. No record in FW (Cg SCCP): FW sends an ATI message to HLR to get the last sub location.
2. The previous attack scenario will be avoided.
3. To protect HLR (avoid DoS to nSTP/HLR):
• a threshold is configured in FW; once messages overload, FW stops sending ATI and passes the message.
• an event/alarm will be sent (to let the maintenance team know about this abnormal situation).
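
The category 3 design above (ask the HLR for the current VLR instead of trusting a stored record, with a threshold that protects the HLR) can be sketched as follows. This is an added example, not code from the deck or from any Huawei product; `hlr_lookup` is a hypothetical stand-in for the ATI query, exact GT equality is an assumed comparison rule, and all GTs and IMSIs are constructed.

```python
# Added example: category 3 screening that asks the HLR for the current VLR
# instead of trusting a stored record. GTs and IMSIs are constructed values.

class Cat3Screen:
    def __init__(self, hlr_lookup, max_queries_per_window):
        self.hlr_lookup = hlr_lookup   # hypothetical: imsi -> VLR GT or None
        self.max_queries = max_queries_per_window
        self.queries = 0               # HLR queries sent in this window
        self.alarms = []

    def start_window(self):
        """Called by a timer (not shown) at the start of each rate window."""
        self.queries = 0

    def screen(self, op, imsi, cg_gt):
        """Return (verdict, reason) for one category 3 request."""
        if self.queries >= self.max_queries:
            # Protect the HLR: stop querying, pass the message, raise an alarm.
            self.alarms.append(f"HLR query threshold reached, passed {op} unchecked")
            return "pass", "threshold reached, not verified"
        self.queries += 1
        current_vlr = self.hlr_lookup(imsi)
        if current_vlr == cg_gt:
            return "pass", "calling GT is the current VLR"
        return "block", "calling GT is not the current VLR"


def demo():
    """Replay the roaming scenario from the slides against the screen."""
    imsi = "999701234567890"
    hlr = {imsi: "998100777"}          # subscriber roams at a partner VLR
    fw = Cat3Screen(hlr.get, max_queries_per_window=3)
    results = [fw.screen("RegisterSS", imsi, "998100777")[0]]  # real VLR
    hlr[imsi] = "999700042"            # subscriber is back home
    # A request from the old partner VLR address is now rejected, where a
    # stored record would still have matched.
    results.append(fw.screen("RegisterSS", imsi, "998100777")[0])
    results.append(fw.screen("RegisterSS", imsi, "998300001")[0])  # third network
    # Fourth request in the same window exceeds the threshold: fail open.
    results.append(fw.screen("RegisterSS", imsi, "998300001")[0])
    return results, len(fw.alarms)
```

The fourth request passes unverified because the threshold is reached, which is why the alarm matters: during an overload the firewall is no longer checking category 3 traffic.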
Statistics & Report

Statistics Capacity for Firewall:
• Blocked by OPCode: Statistics Name1
• Blocked by CallingGT: Statistics Name2
• Blocked by CallingGT + IMSI: Statistics Name3
• Blocked by CallingGT + VLR Address: Statistics Name4

Log output for Firewall Screening Result



History Record for Trouble Shooting

[Figure: Relation Analysis (SANEX) screenshots. Scenario: a subscriber calls AsiaCell to complain, "Money lost…". Callouts: Trace cross multiple transaction; Assist; Customization; Specify query criteria by protocol types; Specify one or more query conditions; Message explanation.]



Thank you
www.huawei.com

Copyright©2015 Huawei Technologies Co., Ltd. All Rights Reserved.


The information in this document may contain predictive statements including, without limitation, statements regarding the future
financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual
results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such
information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the
information at any time without notice.
