Network Security
May 2017
Solution
• Obtain the target subscriber's cell ID by accessing the SS7 network
• Change the direction of call & SMS by manipulating SS7 message
• Deny service by removing records from HLR or VLR
• Make illegitimate Call/SMS and disable usage limits
More and more operators report security issues and are considering solutions to reduce the security risk.
[Figure: signaling diagrams with nodes Attacker, HLR, MSC and VLR. Labels: IAM(A,C); IAM(A,B); Conversation(A,B); 1. Voice/SMS chats; 4. Password recovery; MAP_MO_FORWARD_MESSAGE_IND(text); MAP_MO_FORWARD_MESSAGE_RSP; SRI4SM as SMSC/HLR]
[Figure: message flow between HLR, MSC and VLR nodes. Labels: Input parameters (MSISDN-B); SRI_SM(MSISDN); ISD(IMSI, MSC address, MSISDN, SCP address)]
MAP Message: SRI_SM (MAP-SEND-ROUTING-INFO-FOR-SM); ISD (MAP-INSERT-SUBSCRIBER-DATA)
Input parameters: SRI_SM(MSISDN); ISD (IMSI, MSC address, MSISDN, SCP address)
Risk: Fraud: charge
Defense Measures:
HPLMN: Avoid leaking the real IMSI to other networks.
VPLMN: Verify the originating address at the SCCP layer. Only the HPLMN can send ISD messages to the VPLMN.
Device and Solution:
HPLMN: SMS Home Routing (3GPP 23840)
VPLMN: STP shields the 2nd category MAP messages. Block ISD messages from other networks.
• The attacker connects to the SS7 network, crafts SS7 messages, and impersonates the HLR to initiate a subscription data change for the subscriber of a given IMSI, changing the subscriber type from prepaid to post-paid.
• As a result, the SCP will not generate CDRs, leading to toll fraud.
Non-roaming network
Roaming partner
Keep following the GSMA security guidelines, and synchronize protection rules to AsiaCell once a new attack is found.
Focus on SS7 security, and also research Diameter security and 5G security.
Page 12 HUAWEI TECHNOLOGIES CO., LTD.
Agenda
Solution
[Figure: diagram with labels UE, UL, RegisterSS and step marker 2]
1. The FW receives the UL from the iSTP and stores the VLR address (Cg SCCP).
2. When a following message (for example RegisterSS) comes in, the FW compares the current VLR with the Cg SCCP.
[Figure: diagram with labels UE, UL, RegisterSS, UK, USA, Hacker, vMSC and step markers 1 and 2]
1. The FW receives the UL from the iSTP and stores the VLR address (Cg SCCP). Timer = 5 days.
2. If the FW passes the message on timeout: from the 6th day, when the USA hacker attacks this subscriber, the stored VLR address is no longer valid, so the FW passes the message and the attack succeeds.
3. If the FW blocks the message on timeout: from the 6th day, the subscriber cannot use any service because the FW blocks the message.
4. If the subscriber returns to AsiaCell on the 3rd day, the hacker can attack this subscriber from the UK vMSC.
Enhanced Contextual Signaling Screening (Cat 3)
[Figure: message flow between VLR (your partners), FW and HLR (your network): RegisterSS, AnyTimeInterrogation, AnyTimeInterrogation Ack, RegisterSS Ack. Annotation: query the HLR to get the current serving MSC/VLR, and compare the query result with the network from which the MAP operation was received.]
1. With no record in the FW (Cg SCCP), the FW sends an ATI message to the HLR to get the subscriber's last location.
2. The previous attack scenario is avoided.
3. To protect the HLR (avoid DoS to nSTP/HLR):
• A threshold is configured in the FW; once the messages overload it, the FW stops sending ATI and passes the message.
• An event/alarm is sent (to let the maintenance team know about this abnormal situation).
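An added example, not from the original slides or from any Huawei product: a toy Python model of the two screening designs above (timer-based VLR cache versus ATI lookup with a threshold), replaying the slide's day 3 and day 6 cases. The class names, the dict standing in for the HLR, the simple ATI counter and all IMSI/VLR values are constructed assumptions.

```python
DAY = 86400
TTL = 5 * DAY  # "Timer = 5 days" on the slide

class TimerFirewall:
    """Baseline check: cache the VLR (Cg SCCP) seen on UL for TTL seconds."""
    def __init__(self, on_timeout):          # on_timeout: "pass" or "block"
        self.on_timeout, self.cache = on_timeout, {}
    def on_ul(self, imsi, cg_sccp, now):
        self.cache[imsi] = (cg_sccp, now)
    def screen(self, imsi, cg_sccp, now):
        rec = self.cache.get(imsi)
        if rec is None or now - rec[1] > TTL:
            return self.on_timeout           # record missing or expired
        return "pass" if rec[0] == cg_sccp else "block"

class AtiFirewall:
    """Enhanced check: ask the HLR (ATI) for the serving VLR, up to a threshold."""
    def __init__(self, hlr, ati_limit):      # hlr: dict stand-in, IMSI -> VLR
        self.hlr, self.ati_limit = hlr, ati_limit
        self.ati_sent, self.alarms = 0, []   # assumed counter, never reset here
    def screen(self, imsi, cg_sccp, now):
        if self.ati_sent >= self.ati_limit:  # overload: stop ATI, pass, alarm
            self.alarms.append(("ATI_THRESHOLD", imsi, now))
            return "pass"
        self.ati_sent += 1
        return "pass" if self.hlr.get(imsi) == cg_sccp else "block"

def scenarios():
    """Replay the slide's cases with constructed IMSI and VLR names."""
    imsi, out = "IMSI-TEST-1", {}
    for mode in ("pass", "block"):
        fw = TimerFirewall(mode)
        fw.on_ul(imsi, "UK-VLR", 0)          # subscriber roams to the UK
        out[f"timer_{mode}_day6_usa"] = fw.screen(imsi, "USA-VMSC", 6 * DAY)
        out[f"timer_{mode}_day6_uk"] = fw.screen(imsi, "UK-VLR", 6 * DAY)
        # Day 3: subscriber is back home, but the FW still holds the UK VLR.
        out[f"timer_{mode}_day3_uk"] = fw.screen(imsi, "UK-VLR", 3 * DAY)
    hlr = {imsi: "HOME-VLR"}                 # HLR knows the subscriber is home
    ati = AtiFirewall(hlr, ati_limit=2)
    out["ati_day3_uk"] = ati.screen(imsi, "UK-VLR", 3 * DAY)
    out["ati_day6_usa"] = ati.screen(imsi, "USA-VMSC", 6 * DAY)
    out["ati_over_limit"] = ati.screen(imsi, "USA-VMSC", 6 * DAY)
    out["alarms"] = len(ati.alarms)
    return out

if __name__ == "__main__":
    print(scenarios())
```

The over-limit result shows the trade-off the threshold accepts: protecting the HLR from ATI load means messages pass unscreened until the alarm is handled.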
Statistics & Report
• Statistics Capacity for Firewall
• Log output for Firewall Screening Result
• Relation Trace cross multiple transaction
• Analysis Assist (SANEX)
• Specify query criteria by protocol types
• Specify one or more query conditions
• Message explanation