
Upload: siddharth-rao

Post on 14-Jan-2017


User location tracking attacks for LTE networks using the Interworking Functionality

Silke Holtmanns (2), Siddharth Rao (1), Ian Oliver (2)

(1) Aalto University, Finland; (2) Bell Labs - Nokia Networks, Finland

IFIP Networking 2016, 17th-19th May 2016

Sid Rao (Aalto/Nokia) LTE location tracking using IWF IFIP Networking 2016 1 / 37

Overview

1 SS7 based attacks
    SS7 background
    SS7 attacks recap

2 LTE/Diameter based attacks
    Motivation
    Interworking Functions (IWF)
    LTE IMSI disclosure attack
    Location disclosure

3 Countermeasures


Part 1: SS7 attacks

SS7 background and

Location tracking attacks


Signalling System no. 7 (SS7)

A four-decade-old protocol, mainly used in the era of 2G/GSM and before.

However, 2G is still the most widely used mobile generation.

Built for a trusted partner network; use by and access for outsiders were denied.

However, now almost anyone with money, hacking skills or strong political power can use the telco backbone.

Protocol foundation to enable roaming.

Short Message and Supplementary services.

Toll free numbers and tele-voting.

Enhanced Message Service (EMS) and Local Number Portability (LNP).


SS7 Location based attacks

Locating Mobile Phones: first revealed in 2008 by Tobias Engel.

An attacker can locate the victim by just having the phone number and SS7 access:

Exploiting the loopholes of an outdated system, i.e. the Signalling System protocol.

Lack of cryptographic protection.

Since then, different types of SS7 attacks have been demonstrated by several security researchers.

Locate-Track-Manipulate: in 2014, Engel presented a more concrete attack which can continuously track the victim, besides locating them more accurately than the previous attack.


Cellular identifiers

MSISDN - Mobile Station International Subscriber Directory Number, the phone number.

IMSI - International Mobile Subscriber Identity, uniquely identifies a SIM.

GT - Global Title, uniquely* identifies the network elements.

Host name or global IP address : GT :: Internet : Telecom (a GT plays the role in the telecom network that a host name or global IP address plays on the Internet).

IMEI - International Mobile Equipment Identity, uniquely identifies the cellphone.

Cell ID - uniquely identifies a base station within a location area.

Cell ID + LAC → uniquely identifies a base station within a network.


Network elements

HLR - Home Location Register, a central database of cellphone subscribers.

MSC/VLR - Mobile Switching Centre/Visitor Location Register, keeps track of the location and other details of the users in its region.

SMSC - Short Message Service Centre, handles the SMS service by storing and forwarding the messages.

gsmSCF - GSM Service Control Function, responsible for handling the subscriber billing.

GMLC - Gateway Mobile Location Centre, responsible for emergency and commercial location-based services. Mainly used in emergency call (911) location scenarios.


GSM network architecture


Attack using call set up messages

Figure : Location disclosure attack using call set up messages [2]


Attack using SMS protocol messages

Figure : Location disclosure attack using SMS protocol messages [2]


Accuracy of the tracked location


Attack using billing platform related messages (1)

Figure : Location disclosure attack using billing platform related messages [3]


Attack using billing platform related messages (2)

Figure : Location disclosure attack using billing platform related messages [3]


Attack using emergency service related messages

Figure : Location disclosure attack using emergency service related messages [3]


Part 2: LTE/Diameter attacks

LTE and

Diameter attacks


Motivation

Most MNOs upgrade their network gradually to avoid service interruption and to optimize the ROI of their infrastructure.

Inhomogeneous set-up =⇒ interesting attack vectors.

For interoperability with partners, edge nodes have the ability to translate between Diameter ⇐⇒ SS7.

Attack translation: we wanted an easy way to port SS7 attacks to Diameter.


Ideal Diameter Network

Figure : Diameter roaming architecture between two newer networks.


Inhomogeneous Network

Figure : Different networks with different protocol support.


Interworking functions

Technical specification TS 29.305 [4] and non-binding report TR 29.805 [5].

They describe how Diameter and SS7-MAP messages should be translated to each other, i.e. the Attribute Value Pair (AVP) mapping.

General idea:

Attacker pretends to be an old type of network or node.

It forces the IPsec-secured LTE Diameter network or nodes into using the less secure SS7-MAP.

Craft SS7-like attack messages and the IWF will take care of the rest.


Phase 1: Obtaining IMSI (1)

Attacker claims to be an IWF node

Typical multi-domain support scenario for roaming and routing incoming SMS.

MAP commands have to be translated into Diameter-specific commands by the receiving IWF node.


Phase 1: Obtaining IMSI (2)

The IWF copies the IMSI of the victim from the User-Name AVP of the SRA into the SRI-SM ACK.


Mapping of parameters from SRI SM to SRR

Attacker’s side

MSISDN of the victim

His own Calling Party Address (cgPA).

The spoofed Service Center Address (SCA).

SM-RP-PRI flag - allows the attacker to get information from the HSS even if the victim is not being served in that network.

SM-Delivery-Not-Intended flag (optional).

Conversion into SRR

The IWF maps the above SS7 MAP parameters into the respective AVPs of the Diameter SRR.

Called Party Address (cdPA) AVP is populated before sending to HSS.


Mapping of parameters from SRA to SRI SM ACK

locationInfoWithLMSI sub-parameter AVP:

networkNode-Number contains the MME address.

IMSI of the victim.

The IWF also sends a MAP Inform Service Centre message to the attacker to confirm the completion of the requested information delivery. But this can be ignored.

Please note:

Several other methods of IMSI retrieval exist as well, e.g. 4G IMSI catchers, WLAN access points and the EAP-AKA protocol. But they need the attacker to be in the vicinity of the target/victim.


Phase 2: Location disclosure attack


Mapping of ISD to IDR

Attacker’s side

The attacker poses as an IWF across the interconnection and sends an ISD message to the targeted network's IWF, using the previously retrieved IMSI and serving node (MME) information.

The Requested Information parameter includes:

the sub-parameters Active Location Retrieval requested and Location Information in EPS supported.

These allow the attacker to get fine-grained information about the victim, e.g. subscriber state, IMEI, software version.

Conversion into IDR

The target IWF sets the IDR-Flags value to 3 → indicates that the location information is requested.

The IDR message is then directed to the MME.


Mapping of IDA to ISD Ack

Depending on the information requested:

EPS Location Information AVP → contains the Cell ID.

EPS User State AVP → the victim's state.

The attack using MAP Provide Subscriber Information (PSI) works in a similar fashion.

The IMEI number and software version retrieved are hardware-specific information about the victim, which can be used for further targeted attacks.


LTE Location disclosure attacks summary

SS7 attack vector        IWF attack?   Reason
MAP SRI                  No            Very few operators connect the HSS directly to the DEA or the interconnection.
MAP SRI SM               Yes           Location up to the granularity of the MME.
MAP ATI                  No            The IWF cannot directly map ATI commands.
MAP PSI                  Yes           EPS Location Info, i.e. cell ID, subscriber state, IMEI, software version and encryption keys.
Emergency calls (PSL)    No            The IWF cannot directly map PSL commands.


Countermeasures

Effective SS7 filter/firewall to verify whether a message is:

operator network internal or from the interconnection;

communicated within the global title range of the partner;

sent to/from the MS of an outbound roaming subscriber.

Whitelist the partners and the protocols used by them.

Implement NDS/IP security over the Diameter Edge Agents.

AVP specific filtering.
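The following is an added illustration of the filtering checks listed above, written for this page and not taken from the slides, the authors or any vendor product. It models an edge filter in front of an IWF: requests from the interconnection must come from a whitelisted partner GT range, use only the operations that partner is whitelisted for, and may concern only that partner's own subscribers when they are ISD/PSI-type messages, which is what stops the Phase 2 pattern (a spoofed ISD about a home subscriber's MME) and, via the parameter-specific check, the lookup-only SRI-SM of Phase 1. All partner names, GT and IMSI prefixes, sample messages and the decision to drop SRI-SM carrying SM-RP-PRI or SM-Delivery-Not-Intended are assumptions made for the example.

```python
"""Edge filter for MAP requests arriving at an IWF (added example).

Modelled on the countermeasure list in the slides; not the authors' code.
Every GT prefix, IMSI prefix, partner name and sample message is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed home-network configuration.  HOME_IMSI_PREFIX is the MCC+MNC of
# our own subscribers; each whitelisted partner is bound to the global title
# prefix it may signal from, the IMSI prefix of its own subscribers and the
# MAP operations we expect from it across the interconnection.
HOME_IMSI_PREFIX = "24405"
PARTNERS = {
    "PartnerA": {"gt_prefix": "4479", "imsi_prefix": "23430",
                 "ops": {"SRI-SM", "ISD", "PSI"}},
    "PartnerB": {"gt_prefix": "3361", "imsi_prefix": "20810",
                 "ops": {"SRI-SM"}},
}


@dataclass
class MapRequest:
    """The fields of an inbound MAP request that the filter inspects."""
    op: str                        # SRI-SM, ISD, PSI, ATI, ...
    cgpa: str                      # calling-party global title (the sender)
    from_interconnection: bool     # False for operator-internal traffic
    imsi: Optional[str] = None
    msisdn: Optional[str] = None
    sm_rp_pri: bool = False                 # SRI-SM priority flag
    sm_delivery_not_intended: bool = False  # SRI-SM "information only" flag


def partner_for_gt(gt: str) -> Optional[str]:
    """Return the whitelisted partner whose GT range contains gt, else None."""
    for name, cfg in PARTNERS.items():
        if gt.startswith(cfg["gt_prefix"]):
            return name
    return None


def filter_request(req: MapRequest) -> tuple:
    """Return ("allow", reason) or ("drop", reason) for one request."""
    if not req.from_interconnection:
        return ("allow", "operator-internal message")
    # Check 1: the sender must sit inside a whitelisted partner's GT range.
    partner = partner_for_gt(req.cgpa)
    if partner is None:
        return ("drop", f"cgPA {req.cgpa} is outside every partner GT range")
    # Check 2: only the operations this partner is whitelisted for.
    if req.op not in PARTNERS[partner]["ops"]:
        return ("drop", f"{req.op} is not whitelisted for {partner}")
    # Check 3: ISD and PSI flow from a subscriber's home network to the
    # serving node, so a partner may send them only about its own subscribers
    # roaming in our network, never about one of our home IMSIs.
    if req.op in {"ISD", "PSI"}:
        if not req.imsi or req.imsi.startswith(HOME_IMSI_PREFIX):
            return ("drop", f"{req.op} from {partner} concerns a home IMSI")
        if not req.imsi.startswith(PARTNERS[partner]["imsi_prefix"]):
            return ("drop", f"{req.op} IMSI does not belong to {partner}")
    # Check 4: parameter-specific filtering.  An SRI-SM that announces it will
    # not deliver a message is a pure subscriber lookup; dropping it and the
    # priority flag is a policy choice assumed here, not one the slides state.
    if req.op == "SRI-SM" and (req.sm_delivery_not_intended or req.sm_rp_pri):
        return ("drop", "SRI-SM carries SM-Delivery-Not-Intended or SM-RP-PRI")
    return ("allow", f"{req.op} from {partner} passed all checks")


def run_samples() -> dict:
    """Apply the filter to constructed samples; returns name -> verdict."""
    samples = {
        # Ordinary SMS routing query from a whitelisted partner SMSC.
        "sri_sm_partner": MapRequest("SRI-SM", "33611234567", True,
                                     msisdn="358401111111"),
        # Same query from a GT that belongs to no partner.
        "sri_sm_unknown_gt": MapRequest("SRI-SM", "88199900001", True,
                                        msisdn="358401111111"),
        # Lookup-only query: information wanted, no SMS delivery intended.
        "sri_sm_lookup_only": MapRequest("SRI-SM", "33611234567", True,
                                         msisdn="358401111111", sm_rp_pri=True,
                                         sm_delivery_not_intended=True),
        # ISD about one of our home subscribers, arriving from outside.
        "isd_home_imsi": MapRequest("ISD", "44791234567", True,
                                    imsi="244051234567890"),
        # ISD from PartnerA about its own subscriber roaming with us.
        "isd_inbound_roamer": MapRequest("ISD", "44791234567", True,
                                         imsi="234301234567890"),
        # PartnerB is not whitelisted to send ISD at all.
        "isd_wrong_partner": MapRequest("ISD", "33611234567", True,
                                        imsi="208101234567890"),
        # Internal PSI from our own HLR to our own MSC/VLR.
        "psi_internal": MapRequest("PSI", "35840000001", False,
                                   imsi="244051234567890"),
    }
    return {name: filter_request(req)[0] for name, req in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22s} {verdict}")
```

The same decision structure applies on the Diameter side of the IWF: the DEA would key on Origin-Host/Origin-Realm instead of the cgPA, on the partner's realm instead of its GT range, and on the User-Name AVP instead of the MAP IMSI parameter, while the whitelist of partners and permitted commands stays the same.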


Conclusion

Even if LTE offers very good security on the air interface, Diameter is no more secure than SS7 when it comes to location disclosure attacks.

LTE attacks =⇒ it is possible to port SS7 attacks to a Diameter network using the Interworking Functions.

IMSI disclosure; location tracking up to MME as well as cell ID level; IMEI and OS software version disclosure.

Countermeasures include adhering to security standards (NDS/IP) and adopting efficient filtering mechanisms.

Review of the Diameter protocol

"Privacy in LTE networks", to appear in The 9th EAI International Conference on Mobile Multimedia Communications (IW5GS 2016).


References

[1] S. P. Rao, S. Holtmanns, I. Oliver, and T. Aura. We know where you are! Utilising the telecoms core network for user tracking. The 8th International Conference on Cyber Conflict (CyCon 2016), to appear. (A survey article combining all SS7 location attacks.)

[2] Tobias Engel. Locating mobile phones using Signalling System 7. 25th Chaos Communication Congress, 2008.

[3] Tobias Engel. SS7: Locate. Track. Manipulate. 31st Chaos Communication Congress, 2014.

[4] 3GPP TS 29.305, InterWorking Function (IWF) between MAP based and Diameter based interfaces. 3rd Generation Partnership Project (3GPP).

[5] 3GPP TR 29.805, InterWorking Function (IWF) between MAP based and Diameter based interfaces. 3rd Generation Partnership Project (3GPP).


Thank you!
