Sergey Puzankov

Invisible threat in SS7 networks –attacks based on caller ID spoofing

ptsecurity.com

About Positive Technologies

É 700 people in nine offices across North America, Asia, Africa and Europe and expanding

É Portfolio securing large organizations and infrastructure providers from targeted attacks through vulnerability detection and management

É 21% group yearly revenue increase

É 60 – 70% reinvested back into research, feeding directly through to products

É Partners include Check Point, Cisco, Microsoft, Google, Oracle, Siemens and IBM

É 1,000 customers

SIGTRAN is a Time Machine

SIGTRAN

Through SIGTRAN back to 1970’s

Micro Computer as an SS7 Node

SIGTRAN – TDM

SIG

TRAN

TDM

SIGTRAN

Telecom Security in International Non-commercial Organizations

Fraud and Security Group

IR.82 SS7 Security Network Implementation GuidelinesFS.07 SS7 and SIGTRAN Network SecurityFS.11 SS7 Interconnect Security Monitoring and Firewall GuidelinesFS.19 Diameter Interconnect SecurityFS.20 GPRS Tunnelling Protocol (GTP) SecurityFS.21 Interconnect Signalling Security Recommendations

Classification: Answer Necessity

• Identity request (e.g. IMSI)• Location request• Network information request

Answer is required

Classification: Answer Necessity

Answer is not required

• Service disruption (DoS)• Data injection• Service manipulation

Caller ID spoofingis possible

Caller ID Spoofing at Position Refinement Attack

LocationRequest1

CID:1111SilentUSSDFromABC

LocationRequest2

CID:2222

1

2

3

5

Paging

MSC/VLR

CID2222

CID1111

4ABC

Caller ID Spoofing at SMS Interception Attack

UpdateLocation From ABC• Fake MSC

Fake MSC SMS-C

1

HLR

3

2

4

5

ABC

PKI in SS7 Networks: Encryption

SS7 Message• Calling Address• Encrypted payload

2

3

4

CertificationCentre

1Private Key Initiation

Public Key Request

Public Key

Thank you!

ptsecurity.com