One step further and mapping the phone system
SS7 is no longer the walled garden where people cannot inject traffic. SS7 was designed for reliability, with multiple systems designed to take the load of failed servers. Access to the SS7 network was originally restricted to peering partners. It is now the target for fraudsters (SMS fraud), and government agencies.
Why do we have SS7 ?
Blame Steve Jobs / Steve Wozniak and the creation of the bluebox. With inband signalling, hackers took advantage of the telephone system. Seizing a trunk without tracing was a big problem. SS7 was designed to move the signalling away from the voice network. However this is all history.
One part of the SS7 system is the LIG (Legal Interception Gateway ?) –> usually not owned by the telco. Installed by 3rd parties to give access to the system for law enforcement.
OpenBTS and OpnBSC are making research into this area possible.
Using External APIs to HLR, it has been demonstrated how it’s possible to locate IMSI within the SS7 network.
The underlying technology is moving towards IP based solutions –> This is good for us, we know IP already
Important SS7 protocols :
- MTP (Message Transfer Protocol) Layers 1-3
- ISUP (Integrated Servics Digital Network)
- SCCP (Signaling Control Connection Part)
- TCAP (Transaction Capabilities Application Part)
- MAP (Mobile Application Part)
- INAP (Intelligent Network Application Part)
Entry points in an SS7 network :
- Peer relationship between operators
- STP connectivity
- SIGTRAN protocols
- VAS systems e.g. SMSC, IN
- Signaling Gateways, MGW
- SS7 Service providers (GRX, IPX)
- GTT translation
- ISDN terminals
- GSM phones
- LIG (Legal Interception Gateway)
- 3G Femtocell
- SIP encapsulation
These entries points offer a range of access posibilities, and limitations. Without access directly into the core SS7 network, attacks will be limited depending on the provider.
SIGTRAN protocol: M3UA Protocol Adaptation Layer
SIGTRAN gives us the opportunity to work with something more familiar.
Like TCP/IP, but with slight differences, including spoofing and DoS protections –> RFC4960
By adapting typical scanning methods used in TCP/IP environments, you can scan for services. The tools SCTPscan tool is now included in many Linux distributions, including Backtrack. When sending SCTP init packets, no answer usually means a peering port has been found. Usually an ABORT reply is sent. By scanning addresses, close to the official SMSC, you can often find test systems that may not be correctly connected to systems such as billing systems !
Protections are less about filtering, and more that a valid route isn’t know. Once you have a route, you can connect to other systems.
In order to get a valid list of SPC codes, you can scan, or buy the full list from the ITU for under €30
When dealing with SPC formats, there are a variety of differing formats.
- ss7calc –> open-source tool available from p1sec.com
Attack examples :
- IAM attack: Capacity DoS –> Similar to SIP flooding
- REL attack: Targeted Call release –> Terminate a users conversation
- SRI attack: Tracking of users
- HLR attack: Fake location update –> redirect calls to another country, until phone reboot
- ….
FemtoCell
- Node B in users home. Establishes an IPsec tunnel, SIGTRAN
- Hardware based on Linux
- ARM hardware
- Very insecure
- > Unaudited software
- > Global settings for IPsec tunnel
- > Injection of RANAP and SS7 traffic into the core network
Tools and things to help
- SCTPscan – Bridging support, instream scanning
- ss7calc
- 7Bone – Open Research SS7 Backbone
- P1sec SIGTRANalyzer (SS7 and SIGTRAN vuln scanning, Commercial pruduct)
SS7 is not closed anymore !
For more information, check the following links :
Cатсн²² (in)sесuяitу / ChrisJohnRiley 
Pingback: Tweets that mention 26C3: SCCP Hacking – Attacking SS7 & SIGTRAN applications « Ramblings of the änal security guy -- Topsy.com