Mobile Telephony is Unsafe ptsecurity.com

Arguments backed up

by facts

Mobile Telephony is Unsafe

Sergey Puzankov

Dmitry Kurbatov

Telecommunications security expertsSPuzankov@ptsecurity.comDKurbatov@ptsecurity.com

Argumentsbacked up

by facts

Contents

ptsecurity.com

• Main Problems

• Heritage of the SS7 Design

• Unsafe Protocols

• Deployment Errors

• Demo

ptsecurity.com

Heritage of the SS7 Design

ptsecurity.com

SS7 Design: 20th Century

ptsecurity.com

Trusted environment

PSTN

STP STP

STPSTP

SSP

SCP

SSP

SSP

SCP

SS7 Evolution

ptsecurity.com

• SS7 network was developed in 1980s and was meant for a trusted environment, so no security mechanisms were provided in the protocol stack.

• SIGTRAN – SS7 over IP – was introduced in 2000. Security mechanisms are still missing.

• Growing number of operators with SS7 connection: MNO, MVNO, VAS-providers, etc.

SS7 Design: Nowadays

ptsecurity.com

PSTN

Enterprise Network

PSTN

BTS

NodeB

AuCGMSC

HLRVLRSGSNRNC

BSC

WDM

WDMWDM

MSC

SCP

SoftSwitch

WDM

GGSN

Router

PBX

MGW

STP

STP

SigGW

STP

STP

SCP

SSP

International SS7

STP

STP

SS7

SS7SS7

SS7

SS7

SS7

SS7SS7SS7

SS7

SS7SS7 SS7

SS7

IP Domain

Wireless Domain

Fixed Domain

SS7 Design Outcome

ptsecurity.com

• Growing number of participants: more than 1,000 large operators

• Growing number of SS7 interconnections: a few dozens per operator

• Growing amount of SS7 traffic: billions of messages daily

• Growing number of technical specialists

• No security policies or restrictions

No more trusted environment

Unsafe Protocols

ptsecurity.com

SS7 Protocols

ptsecurity.com

• No encryption

• No node authentication

• No strict filtering rules

SS7 Security Audits. Statistics

ptsecurity.com

• During 2015, we performed 16 SS7 security audits

• Mobile operators in EMEA and APAC regions

• Different operator size: from less than 10M to more than 50M

Conclusion: No Invulnerable Networks

SS7 Statistics. Threats

ptsecurity.com

Service Disruption

Data Leakage

Fraud

SS7 Statistics. Fraud

ptsecurity.com

Terminating Call Redirection

Money Transfer via USSD

Subscriber Profile Change

Originating Call Redirection

SS7 Statistics. Data Leakage: IMSI Disclosure

ptsecurity.com

SS7 Statistics. Data Leakage

ptsecurity.com

Subscriber’s Balance Disclosure

Terminating SMS Interception

Subscriber Location Discovery

Voice Call Interception

Subscriber’s Data Leakage

SS7 Statistics. Data Leakage

ptsecurity.com

Subscriber’s Balance Disclosure

Terminating SMS Interception

Subscriber Location Discovery

Voice Call Interception

Subscriber’s Data Leakage

Deployment Errors

ptsecurity.com

Deployment Features: RJ-45 in the BS

ptsecurity.com

Deployment Features: No Password Policy

ptsecurity.com

• Too many devices

• Equal/weak passwords

• Default accounts

Deployment Features: Subscriber Location Discovery

ptsecurity.com

Deployment Features: Subscriber Location Discovery

ptsecurity.com

…of Mobile Operator Employees only!

SMS Interception and Its Consequences

ptsecurity.com

SMS Interception and Its Consequences

ptsecurity.com

SMS Interception and Its Consequences

ptsecurity.com

• OTP for online banking

• Access to the subscriber account

• Password recovery for e-mail and social networks

• A new device registering for messengers

SMS Interception and Its Consequences

ptsecurity.com

Demo

Questions?

Sergey Puzankov

Dmitry Kurbatov

Telecommunications security expertsSPuzankov@ptsecurity.comDKurbatov@ptsecurity.com

Mobile Telephony is Unsafe

Argumentsbacked up

by facts

ptsecurity.com

Thank you!

Mobile Telephony is UnsafeArguments backed up

by facts