A Step by Step Guide to SS7 Attacks

SS7 (Signaling System No. 7) is a worldwide telecommunications standard that defines how the network elements of a Public Switched Telephone Network (PSTN) exchange information over a digital signaling network. Nodes in an SS7 network are called signaling points.

Global Mobile Use and Security Threats

The widespread use of mobile devices, ranging from toddlers to professionals, has significantly increased over the years. With the advent of 5G technology, the potential for mobile cyber-attacks has grown exponentially. Legacy network protocols, such as SS7 (Signaling System No. 7), used in global telecommunications, have become particularly vulnerable to these threats.

The Problem with Aging Protocols

The combination of outdated legacy protocols and evolving hacking techniques has led to increased vulnerabilities in crowded mobile networks. For instance, SonicWall recorded an 87% increase in Internet of Things (IoT) malware in 2022, with similar trends expected to continue.

Understanding SS7 Vulnerabilities

SS7, introduced in the mid-1970s, has been a backbone for global network communication but hasn't seen significant security updates in decades. Its ubiquity makes it a prime target for attackers, providing them with surveillance capabilities similar to those of law enforcement and intelligence agencies.

How SS7 Works

SS7 is a set of telephony signaling protocols that manage the setup and termination of phone calls over a digital signaling network. This system is integral to the functioning of PSTN (Public Switched Telephone Network) and supports various services like SMS, call forwarding, local number portability, and more.

Signaling in Telephony Networks

  • SS7 Fundamentals: SS7, a cornerstone of global telephony networks, is a suite of protocols used for exchanging information within and between network operators. It operates independently from the voice channels, allowing for more efficient and varied use of network resources.
  • Layered Architecture: SS7 follows a layered architecture, akin to the OSI model, consisting of the Message Transfer Part (MTP), Signaling Connection Control Part (SCCP), Transaction Capabilities Application Part (TCAP), and various application protocols like ISUP and MAP.

Message Transfer Part (MTP)

  • MTP Level 1: Corresponds to the Physical Layer in the OSI model. It defines the physical, electrical, and functional characteristics of the digital signaling link.
  • MTP Level 2: Ensures accurate end-to-end transmission of messages through error correction, sequence checking, and flow control mechanisms, similar to the Data Link Layer.
  • MTP Level 3: Provides message routing between signaling points, network management, and message discrimination, functioning like the Network Layer in OSI.

Higher Level Protocols

  • SCCP (Signaling Connection Control Part): Extends MTP to allow for non-circuit-related signaling (e.g., database queries for mobile subscribers). It introduces the concept of subsystem numbers (SSNs) for addressing applications within a network node.
  • ISUP (ISDN User Part): Handles the setup, management, and release of voice and data calls over the network, including functions like call setup, tear-down, and handling of call-related information.
  • TCAP (Transaction Capabilities Application Part): Facilitates non-circuit-related data exchange between applications across the SS7 network, such as database queries and responses, crucial for services like mobile number portability and SMS.
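To make the layering above concrete, here is an added example (not code from the article) that decodes a constructed SS7 message signal unit: first the MTP3 service information octet and routing label as laid out in ITU-T Q.704, then the SCCP Unitdata (UDT) message it carries with its called and calling party addresses, subsystem numbers and Global Titles as laid out in ITU-T Q.713. The sample bytes, point codes, Global Titles and the minimal TCAP payload are constructed for this demonstration; the field layouts follow the ITU-T specifications. This is the decoding an interconnect monitor or signaling firewall has to perform before it can apply any policy to a message.

```python
"""Decode a constructed SS7 MSU: MTP3 (ITU-T Q.704) and SCCP UDT (ITU-T Q.713).

Added example, not the article's code. SAMPLE_MSU and the point codes,
Global Titles and TCAP payload inside it are made up for the demonstration.
"""

SERVICE_INDICATOR = {0: "SNM", 1: "SNTM", 3: "SCCP", 4: "TUP", 5: "ISUP"}
NETWORK_INDICATOR = {0: "international", 1: "international spare", 2: "national", 3: "national spare"}
SUBSYSTEM = {6: "HLR", 7: "VLR", 8: "MSC", 9: "EIR", 147: "gsmSCF", 149: "SGSN"}  # common GSM SSNs


def itu_point_code(pc):
    """Render a 14-bit ITU point code in the usual 3-8-3 notation."""
    return f"{(pc >> 11) & 0x7}-{(pc >> 3) & 0xFF}-{pc & 0x7}"


def decode_mtp3(msu):
    """Split the service information octet and the 4-byte ITU routing label.

    The label is sent least significant byte first and packs
    DPC (bits 0-13), OPC (bits 14-27) and SLS (bits 28-31).
    """
    sio = msu[0]
    label = int.from_bytes(msu[1:5], "little")
    return {
        "service": SERVICE_INDICATOR.get(sio & 0x0F, f"SI {sio & 0x0F}"),
        "network": NETWORK_INDICATOR[(sio >> 6) & 0x3],
        "dpc": label & 0x3FFF,
        "opc": (label >> 14) & 0x3FFF,
        "sls": (label >> 28) & 0xF,
        "payload": msu[5:],
    }


def bcd_digits(raw):
    """Decode nibble-swapped BCD digits: the low nibble of each byte comes first."""
    return "".join(f"{b & 0xF}{b >> 4}" for b in raw)


def decode_party(buf, offset):
    """Decode a length-prefixed SCCP called/calling party address at buf[offset]."""
    body = buf[offset + 1: offset + 1 + buf[offset]]
    ai, pos = body[0], 1
    party = {"route_on_ssn": bool(ai & 0x40), "pc": None, "ssn": None, "gt": None}
    if ai & 0x01:                               # point code indicator
        party["pc"] = int.from_bytes(body[pos:pos + 2], "little") & 0x3FFF
        pos += 2
    if ai & 0x02:                               # subsystem number indicator
        party["ssn"] = body[pos]
        pos += 1
    gti = (ai >> 2) & 0x0F                      # Global Title indicator
    if gti == 4:                                # TT + numbering plan/encoding + NAI + digits
        trans_type, np_es, nai = body[pos], body[pos + 1], body[pos + 2] & 0x7F
        digits = bcd_digits(body[pos + 3:])
        if np_es & 0x0F == 1:                   # encoding scheme 1: odd digit count, drop filler
            digits = digits[:-1]
        party["gt"] = {"tt": trans_type, "np": np_es >> 4, "nai": nai, "digits": digits}
    elif gti != 0:
        raise ValueError(f"GT indicator {gti} is not handled in this example")
    return party


def decode_sccp_udt(sccp):
    """Decode an SCCP Unitdata message; each pointer is relative to its own position."""
    if sccp[0] != 0x09:
        raise ValueError("only SCCP UDT (message type 9) is handled here")
    data_off = 4 + sccp[4]
    return {
        "class": sccp[1] & 0x0F,
        "called": decode_party(sccp, 2 + sccp[2]),
        "calling": decode_party(sccp, 3 + sccp[3]),
        "data": sccp[data_off + 1: data_off + 1 + sccp[data_off]],
    }


# Constructed MSU: national SCCP, OPC 567 -> DPC 1234, SLS 5, carrying a UDT from
# GT 33612340002 (SSN 7, VLR) to GT 441700000006 (SSN 6, HLR).
SAMPLE_MSU = bytes.fromhex(
    "83" "d2c48d50"                                  # SIO + routing label
    "09" "80" "03" "0e" "19"                         # UDT, class 0 (return on error), 3 pointers
    "0b" "12" "06" "00" "12" "04" "447100000060"     # called: route on GT, SSN 6, 12 digits (even)
    "0b" "12" "07" "00" "11" "04" "331632040002"     # calling: route on GT, SSN 7, 11 digits (odd)
    "07" "62054803010203"                            # data: minimal TCAP Begin carrying only an OTID
)


def describe(msu):
    """Decode MTP3 and, for SCCP traffic, the UDT it carries."""
    info = decode_mtp3(msu)
    if info["service"] == "SCCP":
        info["udt"] = decode_sccp_udt(info["payload"])
    return info


if __name__ == "__main__":
    info = describe(SAMPLE_MSU)
    print(f"{info['network']} {info['service']}: OPC {itu_point_code(info['opc'])} -> DPC {itu_point_code(info['dpc'])}")
    for role in ("calling", "called"):
        p = info["udt"][role]
        print(f"{role:8} GT {p['gt']['digits']} SSN {p['ssn']} ({SUBSYSTEM.get(p['ssn'], '?')})")
```

Running the script prints the network indicator, the origin and destination point codes in 3-8-3 notation, and both addresses with their subsystem numbers. Notice that nothing in these layers authenticates the sender: the calling party Global Title is whatever the originating node wrote into the message, which is exactly the trust problem that the rest of the article describes.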

Core Functions and Signal Flow

  • Call Setup: When a call is initiated, the originating SSP (Signal Switching Point) sends an ISUP Initial Address Message (IAM) to the destination SSP, carrying information like the called party number and calling party number.
  • Call Routing: The IAM is routed through the SS7 network, potentially involving STPs (Signal Transfer Points) for optimal path selection. Each node in the path utilizes MTP for reliable message delivery.
  • Database Queries: Services like mobile number portability involve querying databases (e.g., HLR or VLR in mobile networks) using TCAP messages over SCCP for the resolution of routing information.

Supporting Services

  • SMS Handling: Short Message Service (SMS) utilizes MAP (Mobile Application Part) for operations like sending, receiving, and forwarding messages. The process involves database queries (HLR, VLR) and routing SMS through the SMSC (Short Message Service Center).
  • Advanced Features: SS7 supports a range of telecommunication services and features like call forwarding, call waiting, three-way calling, and roaming capabilities for mobile users.

SS7 Attacks Explained

SS7 attacks exploit vulnerabilities in the SS7 protocol to intercept and compromise voice and SMS communications on cellular networks. These attacks resemble Man-In-The-Middle (MitM) attacks but target mobile communications instead of WiFi transmissions.

Overview of SS7 Security Weaknesses

  • Inherent Trust Model: The primary vulnerability in SS7 stems from its inherent trust model. Originally designed for a closed network of trusted operators, SS7 lacks the robust authentication mechanisms necessary to validate the legitimacy of messages passing through the network.
  • Exposure to External Networks: With the convergence of telecommunication and IP networks, SS7 is exposed to a broader range of potential attack sources, including internet-connected entities.

Types of SS7 Attacks

  • Location Tracking: By exploiting MAP (Mobile Application Part) queries, attackers can determine a subscriber's location based on the data provided by their Home Location Register (HLR) and Visitor Location Register (VLR).
  • Call Interception: Attackers can reroute calls to their own network by manipulating call routing information within ISUP (ISDN User Part) messages, effectively eavesdropping on voice communication.
  • SMS Interception and Fraud: Similar to call interception, SMS messages can be rerouted, intercepted, or even altered by exploiting weaknesses in MAP.
  • Subscriber Information Disclosure: Attackers can use TCAP (Transaction Capabilities Application Part) queries to illicitly access subscriber information stored in databases like HLR or VLR.
  • Denial of Service (DoS): By flooding signaling points with a high volume of messages or malformed packets, attackers can disrupt services, causing network outages or degradation.

Attack Mechanisms

  • Signal Manipulation: Attackers craft and inject malicious signaling messages into the SS7 network, exploiting the lack of proper validation mechanisms.
  • Message Interception and Modification: Once inside the network, attackers can intercept and alter signaling messages to reroute or monitor communications.

Exploitation Process

  • Accessing the SS7 Network: Gaining access to the SS7 network, either through a compromised node or via cooperation with a rogue operator.
  • Mapping the Network: Conducting reconnaissance to understand the network topology and identify key signaling points like STPs, HLRs, and VLRs.
  • Target Identification: Selecting targets based on their phone numbers and identifying the associated signaling points.
  • Crafting Malicious Signaling Messages: Using tools and software to create signaling messages that exploit SS7 vulnerabilities.
  • Injecting Messages into the Network: Delivering crafted messages into the network to manipulate call routing, intercept communications, or access subscriber information.
  • Monitoring and Intercepting Data: Capturing the rerouted data, which can include voice calls, SMS messages, or subscriber-specific information.
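The attack types and the exploitation process above all rely on messages that the network accepts on sight. The following is an added example, not the article's code or any vendor product, of how an interconnect signaling firewall can screen inbound MAP operations: a short list of operations that have no business arriving from another network at all, a check that subscriber-management operations come from the subscriber's home network, an updateLocation plausibility check that catches a node registering a subscriber in a new country too soon after the genuine serving network did (the MSC/VLR impersonation the article describes), and a rate check on sendRoutingInfoForSM lookups, the query used for mass location probing. The operation names are MAP's (3GPP TS 29.002); the Global Title prefixes, IMSI prefixes, thresholds and the traffic records are constructed assumptions.

```python
"""Screen inbound MAP operations at the interconnect, signaling-firewall style.

Added example, not the article's code or any product. Operation names are
MAP's (3GPP TS 29.002); the GT prefixes, IMSI prefixes, thresholds and
traffic records are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Subscriber lookups meant for the home network's own nodes; never expected from outside.
NEVER_FROM_INTERCONNECT = {"anyTimeInterrogation", "sendIMSI"}
# Subscriber-management operations that only the subscriber's home network may send.
ONLY_FROM_SUBSCRIBER_HOME = {"insertSubscriberData", "cancelLocation", "provideSubscriberInfo"}

OUR_GT_PREFIX = "4417"                         # assumption: the protected operator's GT range
HOME_GT_PREFIX = {"23415": "4417", "26201": "4917", "20810": "3361"}  # assumption: IMSI prefix -> GT prefix
MIN_COUNTRY_HOP = timedelta(hours=1)           # a new country sooner than this is implausible
SRI_SM_LIMIT = 5                               # SRI-SM lookups per origin per window before alerting
SRI_SM_WINDOW = timedelta(minutes=10)


@dataclass
class MapRecord:
    ts: datetime
    op: str
    calling_gt: str   # originating Global Title (E.164 digits), as written by the sender
    called_gt: str
    imsi: str


def country_code(gt):
    """Coarse E.164 country-code extraction; a deployment would use a full table."""
    for cc in ("44", "49", "33", "1"):
        if gt.startswith(cc):
            return cc
    return gt[:3]


class MapFirewall:
    def __init__(self):
        self.last_location = {}                # imsi -> (ts, country of the serving VLR)
        self.sri_sm_seen = defaultdict(list)   # calling GT -> recent SRI-SM timestamps

    def inspect(self, r):
        """Return (rule, detail) alerts for one inbound MAP record."""
        alerts = []
        if r.calling_gt.startswith(OUR_GT_PREFIX):
            return alerts                       # intra-network traffic is out of scope here
        if r.op in NEVER_FROM_INTERCONNECT:
            alerts.append(("blocked-op", f"{r.op} from {r.calling_gt}"))
        if r.op in ONLY_FROM_SUBSCRIBER_HOME:
            home = HOME_GT_PREFIX.get(r.imsi[:5])
            if home is None or not r.calling_gt.startswith(home):
                alerts.append(("not-home-network", f"{r.op} for IMSI {r.imsi} from {r.calling_gt}"))
        if r.op == "updateLocation":
            cc = country_code(r.calling_gt)
            prev = self.last_location.get(r.imsi)
            if prev and prev[1] != cc and r.ts - prev[0] < MIN_COUNTRY_HOP:
                minutes = int((r.ts - prev[0]).total_seconds() // 60)
                alerts.append(("implausible-velocity", f"IMSI {r.imsi}: +{prev[1]} to +{cc} in {minutes} min"))
            self.last_location[r.imsi] = (r.ts, cc)
        if r.op == "sendRoutingInfoForSM":
            seen = self.sri_sm_seen[r.calling_gt]
            seen.append(r.ts)
            seen[:] = [t for t in seen if r.ts - t <= SRI_SM_WINDOW]
            if len(seen) > SRI_SM_LIMIT:
                alerts.append(("sri-sm-rate", f"{len(seen)} lookups from {r.calling_gt} within {SRI_SM_WINDOW}"))
        return alerts


def sample_traffic():
    """Constructed interconnect traffic: one legitimate roaming update, then abuse."""
    def at(minutes):
        return datetime(2023, 12, 27, 9, 0) + timedelta(minutes=minutes)
    ours = "234150000000001"
    records = [
        MapRecord(at(0), "updateLocation", "491712340001", "441700000006", ours),        # roaming in +49
        MapRecord(at(1), "anyTimeInterrogation", "33612340002", "441700000006", ours),   # location probe
        MapRecord(at(2), "provideSubscriberInfo", "33612340002", "441700000007", "262010000000001"),
        MapRecord(at(20), "updateLocation", "33612340002", "441700000006", ours),        # +49 to +33 in 20 min
    ]
    records += [MapRecord(at(3 + i), "sendRoutingInfoForSM", "33612340002", "441700000006",
                          f"2341500000000{i:02d}") for i in range(6)]                     # mass lookups
    return records


def screen(records):
    """Run every record through one firewall instance in time order."""
    fw = MapFirewall()
    return [a for rec in sorted(records, key=lambda x: x.ts) for a in fw.inspect(rec)]


if __name__ == "__main__":
    for rule, detail in screen(sample_traffic()):
        print(f"[{rule}] {detail}")
```

Each record yields zero or more (rule, detail) alerts. In a deployment the first two rules would reject the message outright, the plausibility rules would alert or rate-limit rather than block (a genuine traveller can trip them), and the country-code and operator tables would come from the roaming-agreement database rather than three hard-coded entries. Because the calling Global Title itself is unauthenticated, such screening is a mitigation of the trust model, not a fix for it.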

SS7 Attacks Explained: Detailed Steps

1. Understanding SS7 Protocol

Before attempting an attack, an understanding of the SS7 protocol is crucial. SS7 is a set of telephony signaling protocols that enable phone networks to exchange the information required for passing calls and text messages between each other and to ensure correct billing. It also supports various services like number translation, SMS, and other mass-market services.

Note: Deep dive into SS7 architecture, signaling processes, and message types (ISUP, SCCP, TCAP)

2. Gaining Access to SS7 Network

To carry out an SS7 attack, the attacker first needs access to the SS7 network. This can be the most challenging step, as it typically requires access from a legitimate telecom operator or the use of a compromised provider.

  • Network Access: Legitimate access can be obtained through telecom operator partnerships for authorized testing.
  • Tools for Access: Utilize tools like SigPloit or YateBTS for simulation and interaction with SS7 networks.

3. Setting Up the Necessary Equipment and Software

The attacker needs specific equipment and software to interact with the SS7 network. This includes a computer with Linux OS, SS7 SDK (Software Development Kit), and possibly additional telecommunication hardware that can interface with SS7 networks.

  • Required Equipment: A Linux-based computer, SS7 SDK, and compatible hardware for network interfacing.
  • Software Setup: Configure tools like Wireshark for SS7 packet analysis, and sctp-tools for SCTP (Stream Control Transmission Protocol) interactions.

4. Target Identification

The attacker identifies the target mobile phone number. This number is used to intercept communications.

  • Locating Targets: Use Global Title (GT) or Mobile Station Roaming Number (MSRN) for identifying targets within the network.

5. Intercepting Communication

Once connected to the SS7 network, the attacker uses specific SS7 commands to redirect or intercept calls and text messages intended for the target phone. This is achieved by manipulating the network elements that handle the routing of calls and messages.

  • Manipulating SS7 Messages: Utilize MAP (Mobile Application Part) requests to reroute or intercept SMS and voice calls.
  • SS7 Commands: Practice common SS7 commands for call interception, SMS fraud, and location tracking.

6. Eavesdropping or Data Capture

At this stage, the attacker can listen to calls, read text messages, and even track the location of the target device.

  • Capturing Data: Use TShark or similar tools for real-time data capture and analysis.
  • Analyzing Information: Focus on extracting valuable data like user locations, call details, and SMS content.

7. Maintaining Anonymity

Skilled attackers use techniques to mask their identity and location to avoid detection by law enforcement or telecommunication providers.

  • Anonymity Techniques: Employ methods to mask identity and location, using VPNs and secure proxies.

8. Data Analysis and Exploitation

The captured information, like personal details, SMS content, or call recordings, can be used for various purposes, ranging from personal espionage to blackmail or financial fraud.

  • Post-Exploitation Analysis: Utilize captured data for vulnerability assessment and security enhancement recommendations.

9. Covering Tracks

After completing the attack, the attacker typically erases traces of the intrusion to avoid detection and to leave the network configuration as it was before the attack.

  • Erasing Evidence: Ensure all traces of the pentesting activity are removed to maintain the integrity of the network.

10. Continued Monitoring (Optional)

In some cases, attackers maintain a presence in the network to continually intercept communications of the target.

  • Optional Monitoring: For ongoing assessments, establish a method for continuous monitoring.

Mechanics of SS7 Attacks

To conduct an SS7 attack, a cybercriminal requires a computer running Linux and the SS7 SDK. Once connected to an SS7 network, the attacker can intercept communications by mimicking an MSC/VLR (Mobile Switching Center/Visitor Location Register) node.

System and Software Requirements

  • Operating System: Linux is typically preferred due to its robustness, flexibility, and support for networking tools. Specific distributions of Linux may offer better compatibility with SS7 attack tools.
  • SS7 SDK (Software Development Kit): This is essential for interacting with SS7 protocols. The SDK provides libraries and tools necessary to craft and decode SS7 packets.

Accessing the SS7 Network (Network Access Methods)

  • Direct Access: Obtained through partnerships with telecommunication operators. This is a legitimate method used primarily for testing and auditing.
  • Indirect Access: Utilizing compromised nodes or rogue operators to gain unauthorized access to the SS7 network.

Examples of Tools for SS7 Exploitation

  • SigPloit: A popular tool for simulating and conducting SS7 attacks. It offers modules for tracking, interception, and fraud.
  • Wireshark with SS7 Plugins: For monitoring and analyzing SS7 traffic.
  • SCTPscan: A tool to scan the SS7 network and identify vulnerable nodes.
  • Custom Scripts and Tools: Developed using the SS7 SDK for specific attack vectors.

Attack Execution

  1. Node Impersonation: The attacker configures their system to mimic an MSC/VLR node. This is crucial for the network to recognize and accept the crafted SS7 packets.
  2. Crafting SS7 Packets: Using the SS7 SDK, attackers create malicious or modified SS7 packets designed to exploit specific vulnerabilities or perform certain actions (e.g., rerouting calls).
  3. Injecting Packets into the Network: The crafted packets are injected into the SS7 network, typically at points where the network's security measures are weakest.
  4. Intercepting Communications: Once inside the network, the attacker can intercept and manipulate voice and SMS communications, exploiting the trust model of SS7.
  5. Data Collection and Analysis: The attacker collects intercepted data for analysis, which could include sensitive personal information, call contents, or SMS messages.

Pentesting Perspective

  • Ethical Considerations: Pentesters perform these actions under authorized, controlled, and legal conditions to identify and report vulnerabilities.
  • Real-World Simulation: Pentesters may set up controlled lab environments simulating real-world SS7 networks to safely practice and refine attack techniques.

Risks to Digital Businesses and IoT

Businesses that rely on cellular connections for communication and IoT devices that transmit data over mobile networks are at increased risk of SS7 attacks. These attacks can lead to breaches of confidential information and disruption of critical services.

Author

Karim Jaber

Date

27/12/2023
