FRHACK2009 Attacking-SS7 Langlois

The document discusses security issues related to SS7 and SIGTRAN telecommunications infrastructure. It provides an overview of SS7 basics like the architecture, protocols, and vulnerabilities. Specific attacks are described like using ISUP messages to disable incoming calls to any subscriber or conduct geolocation of any user. The document also covers the SIGTRAN evolution which specifies transporting SS7 messages over IP networks and the related problems.

Telecommunications Infrastructure Security

SS7 Signalling Security

Philippe Langlois, P1 Security Inc.
phil@[Link]
Agenda
- SS7 Basics
- Example of SS7 protocol (ISUP) and related attacks
- SS7 and IP: the SIGTRAN evolution and problems
- A practical SS7 attack: Disabling incoming calls to any subscriber
- New attack perimeters: Femto cell attacks
- Getting secure

Philippe Langlois, P1 Security Inc, [Link]


SS7 Basics
Introduction to SS7 in the PSTN
SS7 links types and SS7 signal units

Basic SS7 network
- Service Switching Points (SSP) are the telephone "switches" that are interconnected to each other by SS7 links. The SSPs perform call processing on calls that originate, tandem, or terminate at that site.
- Signal Transfer Points (STP) are "routers" that relay messages between network switches and databases. Their main function is to route SS7 messages to the correct outgoing signaling link, based on information contained in the SS7 message address fields.
- Service Control Points (SCP) contain centralized network databases for providing enhanced services. Examples of services include toll-free numbers and prepaid subscriptions.

SS7 basic architecture

SS7 network

Entry points in an SS7 network
- Peer relationships between operators
- STP connectivity
- SIGTRAN protocols
- VAS systems, e.g. SMSC, IN
- Signalling Gateways, MGW
- SS7 Service providers
- GTT translation
- SIP encapsulation
- ISDN terminals
- LIG (pentest & message relaying madness)
- 3G Femtocell
- And of course... GSM phones

SS7 reliability
To meet the stringent reliability requirements of public telecommunications networks, a number of safeguards are built into the SS7 protocol:
- STPs and SCPs are normally provisioned in mated pairs. On the failure of individual components, this duplication allows signaling traffic to be automatically diverted to an alternate resource, minimizing the impact on service.
- Signaling links are provisioned with some level of redundancy. Signaling traffic is automatically diverted to alternate links in the case of link failures.
- The SS7 protocol has built-in error recovery mechanisms to ensure reliable transfer of signaling messages in the event of a network failure.
- Management messages (Link Status Signal Units) are constantly sent over the links to monitor their status.

SS7 stack

Important SS7 protocols
- MTP (Message Transfer Part) Layers 1-3: lower level functionality at the Physical, Data Link and Network Level. They serve as a signaling transfer point, and support multiple congestion priorities, message discrimination, distribution and routing.
- ISUP (Integrated Services Digital Network User Part): network side protocol for the signaling functions required to support voice, data, text and video services in ISDN. ISUP supports the call control function for the control of analog or digital circuit switched network connections carrying voice or data traffic.
- SCCP (Signalling Connection Control Part): supports higher protocol layers such as TCAP with an array of data transfer services including connection-less and connection oriented services. SCCP supports global title translation (routing based on directory number or application title rather than point codes), and ensures reliable data transfer independent of the underlying hardware.
- TCAP (Transaction Capabilities Application Part): provides the signaling function for communication with network databases. TCAP provides non-circuit transaction based information exchange between network entities.
- MAP (Mobile Application Part): provides inter-system connectivity between wireless systems, and was specifically developed as part of

MTP Signal Units

Message Signal Unit SIF

Diagram annotations: scanning, vulnerability, injection

Example of SS7 protocol:
ISUP & related attacks
ISUP message types
ISUP call flows

ISUP message (ITU-T)

ISUP Call Initiation Flow

ISUP IAM
- An initial address message (IAM) is sent in the "forward" direction by each switch in the circuit between the calling party and the destination switch of the called party.
- An IAM contains the called party number in the mandatory variable part and may contain the calling party name and number in the optional part.
- Attack: Capacity DoS

ISUP ACM
- An address complete message (ACM) is sent in the "backward" direction to indicate that the remote end of a trunk circuit has been reserved.
- The originating switch responds to an ACM message by connecting the calling party's line to the trunk to complete the voice circuit from the calling party to the called party.
- The calling party hears ringing on the voice trunk.

ISUP Call Release Flow

ISUP REL
- A release message (REL) is sent in either direction indicating that the circuit is being released due to a specified cause indicator.
- An REL is sent when either the calling or called party hangs up the call (cause = 16).
- An REL is also sent back to the calling party if the called party is busy (cause = 17).
- Attack: Selective DoS

ISUP RLC
- A release complete message (RLC) is sent in the opposite direction of an REL to acknowledge the release of the remote end of a trunk circuit and to end the billing cycle, if appropriate.
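
The IAM/ACM/ANM/REL/RLC sequence on these slides is a state machine per circuit, and a passive monitor on a trunk can check incoming ISUP against it. The Python below is an added example written for this page, not code from the slides or from P1 Security: it decodes the ISUP header (CIC and message type) and the REL cause value as laid out in ITU-T Q.763/Q.850, drives a per-CIC state machine, and flags messages that do not fit the call flow, such as a REL arriving on a circuit with no call in progress. The sample trace is constructed; the message builder omits the mandatory IAM parameters, which the monitor does not need.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# ITU-T Q.763 message type codes (subset used in the call flows on the slides)
IAM, ACM, ANM, REL, RLC = 0x01, 0x06, 0x09, 0x0C, 0x10
NAMES = {IAM: "IAM", ACM: "ACM", ANM: "ANM", REL: "REL", RLC: "RLC"}

# Q.850 cause values quoted on the REL slide
CAUSE_NORMAL_CLEARING, CAUSE_USER_BUSY = 16, 17


@dataclass
class IsupMessage:
    cic: int                     # circuit identification code (12 bits)
    msg_type: int
    cause: Optional[int] = None  # Q.850 cause value, REL only


def parse_isup(payload: bytes) -> IsupMessage:
    """Decode the ISUP part of an MSU signalling information field.

    Q.763 layout: CIC as two octets little-endian (12 significant bits),
    message type octet, then the message-specific parameter parts."""
    if len(payload) < 3:
        raise ValueError("ISUP payload too short")
    cic = struct.unpack_from("<H", payload, 0)[0] & 0x0FFF
    msg_type = payload[2]
    cause = None
    if msg_type == REL:
        # REL has no mandatory fixed part. Octet 3 is the pointer to the
        # mandatory variable part (cause indicators), counted from itself.
        start = 3 + payload[3]
        length = payload[start]
        # Cause indicators: octet 1 = coding standard / location,
        # octet 2 = extension bit + 7-bit cause value.
        if length >= 2:
            cause = payload[start + 2] & 0x7F
    return IsupMessage(cic, msg_type, cause)


def build(cic: int, msg_type: int, cause: Optional[int] = None) -> bytes:
    """Construct a minimal ISUP message for the sample trace below.

    Constructed data, not a capture: the IAM/ACM/ANM mandatory parameters
    are omitted; only the REL cause is encoded."""
    hdr = struct.pack("<H", cic & 0x0FFF) + bytes([msg_type])
    if msg_type == REL:
        # pointer to cause indicators = 2, pointer to optional part = 0,
        # then length 2, location/coding octet 0x80, cause with ext bit set
        return hdr + bytes([2, 0, 2, 0x80, 0x80 | ((cause or 0) & 0x7F)])
    return hdr


# Per-circuit states of the simplified call flow (IAM -> ACM -> ANM -> REL -> RLC)
IDLE, SETUP, RINGING, ANSWERED, RELEASING = "idle", "setup", "ringing", "answered", "releasing"
TRANSITIONS = {
    (IDLE, IAM): SETUP,
    (SETUP, ACM): RINGING,
    (RINGING, ANM): ANSWERED,
    (SETUP, REL): RELEASING,     # e.g. called party busy, cause 17
    (RINGING, REL): RELEASING,
    (ANSWERED, REL): RELEASING,  # normal clearing, cause 16
    (RELEASING, RLC): IDLE,
}


class CircuitMonitor:
    """Tracks each CIC through the call flow and reports messages that do not
    fit it. A REL or RLC on a circuit that never saw an IAM is the kind of
    event a passive monitor on a trunk would raise for review."""

    def __init__(self) -> None:
        self.state: Dict[int, str] = {}
        self.alerts: List[str] = []

    def feed(self, payload: bytes) -> str:
        msg = parse_isup(payload)
        cur = self.state.get(msg.cic, IDLE)
        nxt = TRANSITIONS.get((cur, msg.msg_type))
        name = NAMES.get(msg.msg_type, hex(msg.msg_type))
        if nxt is None:
            self.alerts.append(f"CIC {msg.cic}: unexpected {name} in state {cur}")
            return cur
        self.state[msg.cic] = nxt
        return nxt


def run_demo() -> List[str]:
    """Feed a constructed trace: a normal call, a busy call and a stray REL."""
    mon = CircuitMonitor()
    trace = [
        build(0x101, IAM), build(0x101, ACM), build(0x101, ANM),
        build(0x101, REL, CAUSE_NORMAL_CLEARING), build(0x101, RLC),
        build(0x102, IAM), build(0x102, REL, CAUSE_USER_BUSY), build(0x102, RLC),
        build(0x103, REL, CAUSE_NORMAL_CLEARING),  # no IAM was ever seen on CIC 0x103
    ]
    for pdu in trace:
        mon.feed(pdu)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

A monitor sitting at MTP3 would additionally compare the originating point code of each REL with the configured peer of that trunk; the state check alone only catches messages that are out of sequence for the circuit.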

GTT example

Diagram annotations: SSN scanning, GTT scanning, DPC scanning
A Practical SS7 Information Gathering
Send Routing Info, or monitoring anyone with a phone, anywhere...

Geolocation & Information Gathering
- A phone number
- SS7 MAP message: SendRoutingInfo (SRI)
- Sends back the MSC in charge. Correlates to country.
- Nobody knows I'm not an HLR.
- Attack: Global track and geolocation of any user
- Real world attacks: Identification for SPAM

SS7 and IP: the SIGTRAN evolution and problems
Basics of IP telephony
SIGTRAN protocols

IP Telephony Networks
- Media Gateway (MGW) terminates voice calls on inter-switch trunks from the PSTN, compresses and packetizes the voice data, and delivers voice packets to the IP network. For ISDN calls from the PSTN, Q.931 signaling information is transported from the MGW to the media gateway controller for call processing.
- Media Gateway Controller (MGC) handles the registration and management of resources at the media gateways. An MGC exchanges ISUP messages with CO switches via a signaling gateway. Sometimes called a softswitch.
- Signaling Gateway (SGW) provides transparent interworking of signaling between switched circuit and IP networks. The SGW may terminate SS7 signaling or

SIGTRAN network

SIGTRAN evolution
- The SIGTRAN protocols specify the means by which SS7 messages can be reliably transported over IP networks.
- The architecture identifies two components: a common transport protocol for the SS7 protocol layer being carried and an adaptation module to emulate lower layers of the protocol. For example:
  - If the native protocol is MTP (Message Transfer Part) Level 3, the SIGTRAN protocols provide the equivalent functionality of MTP Level 2.
  - If the native protocol is ISUP or SCCP, the SIGTRAN protocols provide the same functionality as MTP Levels 2 and 3.
  - If the native protocol is TCAP, the SIGTRAN protocols provide the functionality of SCCP (connectionless classes) and MTP Levels 2 and 3.

SCTPscan: Mapping SIGTRAN
- SCTPscan
  - Linux, BSD, MacOS X, Solaris, ...
  - IP scan, portscan, fuzzing, dummy server, bridge
  - Included in BackTrack, demo
  - SCTP Tricks: port mirroring, instreams connections
- NMAP new SCTP support (-Y), lacks tricks
- SIGTRAN usually requires peer config
- This is not the average TCP/IP app

SCTP scanning method
Client: socket(), connect()   Server: socket(), bind(), listen(), accept()
Not TCP: a 4-way handshake, so not a stealth scan.
  Client -> Server: INIT
  Server -> Client: INIT-ACK
  Client -> Server: COOKIE-ECHO
  Server -> Client: COOKIE-ACK

M2PA Protocol Adaptation

M3UA Protocol Adaptation Layer

SCCP User Adaptation (SUA) Layer

SS7 Peering: attacker enemy
Diagram: M3UA peering on port 2905. The legitimate peer's INIT is answered by the server with INIT-ACK. The attacker's INITs to the peering port get no answer, and an INIT to port 2904 is answered with ABORT.

No answer on actual peering port: How rude!

On SS7 application attacks: hackers lose

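The handshake slide and the peering picture above describe one mechanism from two sides. The Python below is an added example written for this page, not code from the slides or from SCTPscan: a simplified SCTP server end of the RFC 4960 four-way handshake that keeps no association state until a valid, HMAC-protected state cookie comes back in COOKIE-ECHO, silently drops INITs from addresses that are not configured peers (the "peer config" an M3UA signalling gateway requires), and answers an INIT sent to a port with no endpoint with ABORT. The peer address 10.0.0.1 and the probing host 192.0.2.77 are constructed; ports 2905 and 2904 are the ones on the slide. The endpoint's log shows why a port scan here is not stealthy from the server's point of view: every probe, answered or not, leaves a record.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Peer = Tuple[str, int]  # (IP address, SCTP port)
MAC_LEN = 32            # SHA-256 tag appended to the state cookie


@dataclass
class Chunk:
    kind: str            # INIT, INIT-ACK, COOKIE-ECHO, COOKIE-ACK or ABORT
    src: Peer
    dst_port: int
    init_tag: int = 0    # verification tag chosen by the sender of INIT / INIT-ACK
    cookie: bytes = b""  # state cookie carried by INIT-ACK and COOKIE-ECHO


class SctpEndpoint:
    """Simplified SCTP server side of the four-way handshake (RFC 4960).

    No association exists until a COOKIE-ECHO with a valid cookie arrives,
    and, like an M3UA signalling gateway that only knows its configured peers,
    INITs from unknown addresses are dropped without reply. An INIT to a port
    with no endpoint is answered with ABORT."""

    def __init__(self, listen_port: int, allowed_peers: List[Peer]) -> None:
        self.listen_port = listen_port
        self.allowed = set(allowed_peers)
        self.secret = secrets.token_bytes(32)     # key protecting the state cookie
        self.associations: Dict[Peer, int] = {}  # established peer -> its tag
        self.log: List[str] = []

    def _cookie(self, src: Peer, peer_tag: int, my_tag: int) -> bytes:
        body = f"{src[0]}:{src[1]}:{peer_tag}:{my_tag}".encode()
        return body + hmac.new(self.secret, body, hashlib.sha256).digest()

    def handle(self, chunk: Chunk) -> Optional[Chunk]:
        me: Peer = ("server", chunk.dst_port)
        if chunk.dst_port != self.listen_port:
            self.log.append(f"ABORT to {chunk.src}: no endpoint on port {chunk.dst_port}")
            return Chunk("ABORT", me, chunk.src[1])
        if chunk.src not in self.allowed:
            self.log.append(f"dropped {chunk.kind} from unknown peer {chunk.src}")
            return None
        if chunk.kind == "INIT":
            my_tag = int.from_bytes(os.urandom(4), "big") or 1
            return Chunk("INIT-ACK", me, chunk.src[1], my_tag,
                         self._cookie(chunk.src, chunk.init_tag, my_tag))
        if chunk.kind == "COOKIE-ECHO":
            body, mac = chunk.cookie[:-MAC_LEN], chunk.cookie[-MAC_LEN:]
            expected = hmac.new(self.secret, body, hashlib.sha256).digest()
            if not hmac.compare_digest(mac, expected):
                self.log.append(f"ABORT to {chunk.src}: bad state cookie")
                return Chunk("ABORT", me, chunk.src[1])
            peer_tag = int(body.decode().split(":")[2])
            self.associations[chunk.src] = peer_tag   # state is created only here
            self.log.append(f"association established with {chunk.src}")
            return Chunk("COOKIE-ACK", me, chunk.src[1])
        return None


def client_connect(server: SctpEndpoint, src: Peer, dst_port: int) -> str:
    """Client side of the handshake; returns the outcome a connecting host sees."""
    init = Chunk("INIT", src, dst_port, init_tag=int.from_bytes(os.urandom(4), "big") or 1)
    reply = server.handle(init)
    if reply is None:
        return "timeout"   # no answer on the peering port
    if reply.kind == "ABORT":
        return "aborted"
    ack = server.handle(Chunk("COOKIE-ECHO", src, dst_port, cookie=reply.cookie))
    return "established" if ack is not None and ack.kind == "COOKIE-ACK" else "aborted"


def run_demo() -> Dict[str, str]:
    """Constructed scenario: one configured peer and one unknown host probing."""
    sg = SctpEndpoint(2905, allowed_peers=[("10.0.0.1", 2905)])
    return {
        "configured peer on 2905": client_connect(sg, ("10.0.0.1", 2905), 2905),
        "unknown host on 2905": client_connect(sg, ("192.0.2.77", 40000), 2905),
        "unknown host on 2904": client_connect(sg, ("192.0.2.77", 40001), 2904),
    }


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario}: {outcome}")
```

The cookie is what lets the server stay stateless between INIT and COOKIE-ECHO: everything it needs to build the association is inside the cookie, and the HMAC stops a client from forging one it never received.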
Connecting to 7bone
Using SS7 stacks to connect to the Security Research SS7 & SIGTRAN VPN

OpenSS7 stack
- OpenSS7 is an SS7 and SIGTRAN protocol stack which provides GPL'ed and LGPL'ed source.
- Open source implementation of the SS7 stack as specified by ITU-T, ETSI, ANSI, and other standards bodies. It derives primarily from an implementation of the ITU-T Q.700-Series Recommendations.
- ISUP and TCAP support
- Supports a variety of E1/T1 boards. Runs on Kernel 2.4 and 2.6 (specific kernel versions!)
- Project not yet suitable for carrier-grade implementations.

Dialogic / Intel stack
- Mature commercial SS7 stack implementing most protocols
- Supports Wintel, Linux and Solaris environments. Standalone, virtually no dependencies
- Can handle a variety of hardware interfaces
- Can be freely downloaded and run in "trial mode" (stack resets after 10 hours of use)
- Fully documented APIs and numerous code examples, test programs and scripts
- Ideal for testbed development, with the ability to scale up to carrier environments
- Actively maintained

Other implementations
- SCTPscan includes its own SCTP spoof & sniff implementation, can be used to build custom SCTP queries and security tools
- The sctplib library is a fairly complete userland implementation of the SCTP stack, open source and actively maintained.
- HP OpenCall SS7. Used in several carrier deployments, provides a well documented API but cannot operate in trial mode.
- Telesys MACH-SS7 stack. Robust, well documented commercial stack.
- Proprietary stacks (NSN, Alcatel, Huawei, ...)
- Attack: several closed source implementations, room for vulnerabilities

A practical SS7 attack
Disabling incoming calls to any subscriber

Location Update process
- The MAP updateLocation (UL) message contains the subscriber's IMSI and MSC/VLR addresses.
- Once UL reaches the HLR, it changes the serving MSC/VLR address in the subscriber's profile using MAP insertSubscriberData messages.
- From then on the HLR will use the MSC/VLR addresses from it as the addresses of the real MSC/VLR.
- It's not even necessary to complete the whole UL-ISD-ISDack-ULack transaction!
- The HLR will complete the operation by sending a MAP cancelLocation message to the serving VLR to delete the subscriber's information from it.
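
As a defender's counterpart to the Location Update attack on this slide, the Python below is an added example written for this page, not code from the slides or from any operator's HLR: a signalling-edge allow-list that binds each MAP operation code to the calling global titles entitled to send it (updateLocation only from own and roaming-partner VLRs), placed in front of a minimal HLR model that performs the UL, insertSubscriberData and cancelLocation steps of the slide. The MAP operation codes are the ones defined in 3GPP TS 29.002; the GT prefixes, the IMSI and the rule set are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# MAP operation codes from 3GPP TS 29.002 (subset)
UPDATE_LOCATION, CANCEL_LOCATION, INSERT_SUBSCRIBER_DATA, SEND_ROUTING_INFO = 2, 3, 7, 22


@dataclass
class MapPdu:
    opcode: int
    calling_gt: str  # SCCP calling party global title, E.164 digits
    imsi: str


@dataclass
class Rule:
    opcode: int
    allowed_prefixes: Tuple[str, ...]  # calling GT prefixes entitled to send this operation


class MapFilter:
    """Signalling-edge allow-list: each MAP operation arriving at the HLR must
    come from a calling GT that belongs to a network entitled to send it.
    updateLocation is only expected from own and roaming-partner VLRs, so an
    updateLocation from any other GT is dropped before it reaches HLR logic."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = {r.opcode: r.allowed_prefixes for r in rules}
        self.rejected: List[str] = []

    def check(self, pdu: MapPdu) -> bool:
        prefixes = self.rules.get(pdu.opcode)
        if prefixes is None:
            self.rejected.append(f"opcode {pdu.opcode} from GT {pdu.calling_gt}: no rule, dropped")
            return False
        if not pdu.calling_gt.startswith(prefixes):
            self.rejected.append(
                f"opcode {pdu.opcode} from GT {pdu.calling_gt}: GT not allowed for this operation")
            return False
        return True


class Hlr:
    """Minimal HLR model of the Location Update process on the slide: an
    accepted updateLocation rewrites the serving VLR, the profile is pushed
    with insertSubscriberData, and the previous VLR receives cancelLocation."""

    def __init__(self, flt: MapFilter) -> None:
        self.flt = flt
        self.serving_vlr: Dict[str, str] = {}       # IMSI -> VLR global title
        self.sent: List[Tuple[str, str, int]] = []  # (destination GT, IMSI, opcode)

    def update_location(self, pdu: MapPdu) -> bool:
        if pdu.opcode != UPDATE_LOCATION or not self.flt.check(pdu):
            return False
        old = self.serving_vlr.get(pdu.imsi)
        self.serving_vlr[pdu.imsi] = pdu.calling_gt
        self.sent.append((pdu.calling_gt, pdu.imsi, INSERT_SUBSCRIBER_DATA))
        if old is not None and old != pdu.calling_gt:
            self.sent.append((old, pdu.imsi, CANCEL_LOCATION))
        return True


def run_demo() -> Hlr:
    """Constructed scenario: GT prefixes 336 (home) and 4917 (roaming partner)
    and the IMSI are made up for the example."""
    flt = MapFilter([
        Rule(UPDATE_LOCATION, ("336", "4917")),  # own VLRs and roaming-partner VLRs
        Rule(SEND_ROUTING_INFO, ("336",)),        # only own GMSCs query routing info
    ])
    hlr = Hlr(flt)
    imsi = "208019876543210"
    hlr.update_location(MapPdu(UPDATE_LOCATION, "33600000001", imsi))  # home VLR
    hlr.update_location(MapPdu(UPDATE_LOCATION, "49170000002", imsi))  # roaming-partner VLR
    hlr.update_location(MapPdu(UPDATE_LOCATION, "88200000099", imsi))  # unknown GT: rejected
    return hlr


if __name__ == "__main__":
    hlr = run_demo()
    print("serving VLR:", hlr.serving_vlr)
    print("messages sent by HLR:", hlr.sent)
    print("rejected:", hlr.flt.rejected)
```

The filter keys on the SCCP calling party address rather than on anything inside the MAP component, because that is what the HLR's own logic trusts when it rewrites the serving VLR; whoever can reach the HLR with a well-formed updateLocation is otherwise believed.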

Location Update Call Flow

Attack implementation
IMSI scanning / querying needed!

Attack success

3G: New threat perimeters
The walled garden is opening up...

Femto Cell & user control
- Node B in user home, IPsec tunnel, SIGTRAN
- Real world example: ARM hw with RANAP
- Insecure
  - Untested hw
  - Unprotected IPsec
  - No regular pentest
- No tools! Need for binary vulnerability audit
(Image credit: Intomobile)

Femto-cell attack vectors
- Unaudited proprietary software from Alcatel
  - Attack: Binary vulnerability audit gives 0day
  - Attack: Vulnerable Linux 2.6 kernel
- Global settings for IPsec tunnels
  - Attack: Border access
- Lack of SS7 and SIGTRAN filtering
  - Attack: Injection of RANAP and SS7 in the Core Network

Injecting SS7 through SIP
New borders, new perimeters, new threats

SIP to SS7?
- SIP is used to connect two SS7 clouds
- Support to bridge SS7 context through SIP
- SIP injection of SS7 adds a header to standard SIP headers
- New SS7 perimeter, even for non-telco

Getting secure... again
How to secure an insecure network being more and more exposed?

Tools and methods
- Pentest on all known perimeters
  - SS7 interconnect, Value Added Services
  - Core Network vs. Intranet
  - Femto Cell access network
  - SIP, Convergent services
- Reverse engineering, binary auditing, equipment, Consumer Acceptance Testing
- P1security SIGTRANalyzer, no other known.
- Open Source and industrial developments

Current developments
- SCTPscan
  - Bridging support, instream scanning
  - Open source
- SIGTRANalyzer
  - SS7 and message injection audit, information gathering, leak analysis
  - Commercial
- CXbin
  - Automated binary vulnerability auditor
  - Not only for telco now, general usage security tool

Conclusions
- SS7 is not closed anymore
- Industrializing the solution
  - From pentest to continuous testing (hardware and operations)
  - Security services and products
- Mindsets are changing: more open to managing the SS7 security problem.

Credits
- Key2, Emmanuel Gadaix, Telecom Security Task Force
- Bogdan Iusukhno
- Skyper and the THC SS7 project
- All the 7bone security researchers
- CISCO SS7 fundamentals, CISCO Press
- Introduction to SS7 and IP, by Lawrence Harte & David Bowler
- Signaling System No. 7 (SS7/C7) - Protocol, Architecture and Services, by Lee Dryburgh, Jeff Hewett

THANKS!
- Questions welcome
- Design Partners
- Philippe Langlois, phil@[Link]

SS7 stack demo
