Open Access Paper
28 December 2022 Analysis and application of SS7 core network threat detection
Zuobing Xu, Yu Wang, Xiaoyue Ge
Proceedings Volume 12506, Third International Conference on Computer Science and Communication Technology (ICCSCT 2022); 125061J (2022) https://doi.org/10.1117/12.2661793
Event: International Conference on Computer Science and Communication Technology (ICCSCT 2022), 2022, Beijing, China
Abstract
The Signaling System No. 7 (SS7) network was designed with a focus on reliability and efficiency, with a high degree of trust between communication entities and no encryption or defense against attacks. As the network has developed, its vulnerabilities have become increasingly exposed. This paper comprehensively analyzes the security threats in the SS7 network and extracts the characteristics of threats such as location tracking, interception of calls and interception of SMS. On the basis of this feature extraction, threat modeling is carried out to derive threat detection rules, and the threat detection model is applied to an experimental network.

1. INTRODUCTION

The SS7 network is one of the three supporting networks of modern communications. SS7 is an internationalized, standardized common channel signaling system, and the SS7 network is an important support of the telecommunication network. It was designed with a focus on reliability and efficiency, with a high degree of trust between communication entities and no encryption or defense against attacks. If the network were highly closed, the possibility of attack would be very small. However, as the network has developed, SS7 is no longer completely closed, and its vulnerabilities are increasingly exposed. There is no authentication mechanism between elements, and any element connected to the network can send messages to other elements around the world with which it has roaming relationships. Some countries have lax supervision of network access, so attackers can easily enter the network, which greatly reduces both the security of the network and the threshold for attack.

This paper first analyzes the security threats of the SS7 network, then extracts the characteristics of attacks such as location tracking, interception of calls and interception of SMS. On the basis of this feature extraction, threat modeling is carried out to derive threat detection rules. Finally, the threat detection model is applied to the experimental network.

2. THE THREATS OF SS7 NETWORK

At present, call and SMS services run on second-generation (2G) mobile communication protocols. Non-Internet services such as voice and SMS enter the network and run over the SS7 network. Subscribers use the service exchange of SS7 to complete communication between GSM networks and other communication networks, and SS7 also manages subscriber data and mobility databases. The SS7 elements and identifiers involved in this paper include the Mobile Switch Center (MSC), Visitor Location Register (VLR), Home Location Register (HLR), Short Message Center (SMSC), International Mobile Subscriber Identity (IMSI), Mobile Station International ISDN number (MSISDN), Global Title (GT), etc. The architecture of the international SS7 network is shown in Figure 1. The SS7 network mainly faces potential threats such as subscriber location tracking, interception of calls and interception of SMS, as shown in Figure 2.

Figure 1. SS7 network architecture.

Figure 2. Threats of SS7 network.

In view of the threats in the SS7 network, this chapter analyzes them from the aspects of protocol defects and element vulnerabilities. Location tracking mainly involves messages such as SRI, PRN, SRIFSM, ATI and PSI. Call interception mainly involves ISD and IDP messages. SMS interception mainly involves UL and SRIFSM messages. The parameters in each message include IMSI, MSISDN, MSC, LAC, and CI (Table 1).

Table 1. Analysis of the SS7 network threats.

| Threat category | Messages involved | Major parameters | Characteristics and research status |
|---|---|---|---|
| Information disclosure | SRI, PRN | MSC, IMSI | Based on the SS7 protocol flow, the characteristics of the SRI message are analyzed. The IMSI and MSC information returned in the SRI response message leads to subscriber information disclosure [1]. |
| Information disclosure | SRIFSM | MSC, IMSI | Because the elements do not authenticate the initiator of the SRIFSM message, subscriber information is leaked when the subscriber's IMSI and MSC are contained in the returned SRIFSM message [2]. |
| Location tracking | ATI, PSI | LAC, CI | Due to the high degree of trust between the elements, the attacker can counterfeit a gsmSCF or HLR to send ATI or PSI messages and obtain the subscriber's cell location [3,4]. |
| Interception of calls | ISD, IDP | MSISDN, IMSI, gsmSCF | Taking advantage of a defect of the CAMEL protocol in international roaming, the attacker inserts a false gsmSCF address by sending an ISD message to achieve call interception [5]. |
| Interception of SMS | UL | IMSI | Using the update location mechanism of the SS7 network, the attacker inserts a fake MSC address by sending a UL message to the subscriber's HLR. When an SRIFSM message is then sent, the HLR returns the fake MSC address, and any SMS sent to the subscriber is intercepted through the false MSC [5,6]. |
| Denial of service | PMS | IMSI | The attacker impersonates a VLR to send PMS messages to the HLR, which mark the current subscriber as unreachable in the HLR, so that the subscriber cannot make calls or receive SMS messages [7]. |
| Denial of service | CL | IMSI | The attacker impersonates an HLR to send CL messages to the subscriber's VLR, which clear the current subscriber's information in the VLR. When the subscriber receives a call or SMS, the VLR considers the subscriber unreachable and is unable to provide services. |

3. THREATS DETECTION MODELLING

The SS7 network threats are mainly based on the SS7 protocol characteristics of the subscriber's home and roaming networks. The attacker's methods and technical principles are analysed, and the threat characteristics extracted from the data are used to form a threat detection model. Some concepts used in the threat modeling in this chapter are defined in Table 2:

Table 2. Definition.

| Name | Description | Name | Description |
|---|---|---|---|
| Inbound message | Roaming message | HPLMN | Home network operator |
| Opcode | Message type | VPLMN | Visit network operator |
| messagetype | The messagetype value of the request message is 98, and the messagetype value of the reply message is 100. | time_message | Indicates the time when the message was sent. |
| imsi_cc | imsi_cc means the country that imsi belongs to, for example: imsi=4600113036777 and its mcc=460 means China. | ogt_cc | ogt_cc means the country that the original GT belongs to, for example: ogt=8613822811 and its cc=86 means China. |
| msisdn_cc | msisdn_cc means the country that msisdn belongs to. | dgt_cc | dgt_cc means the country that the destination GT belongs to. |
| eventtypebsm_cc | eventtypebsm_cc means the country that msisdn belongs to. | callingpartynumber_cc | callingpartynumber_cc means the country that msisdn belongs to. |
| gsmscf_cc | gsmscf_cc means the country that msisdn belongs to. | | |

3.1 Location tracking

The main reason for location tracking is that the attacker sends illegal messages with MSISDN or IMSI to obtain the cell ID of the subscriber. Based on the cell ID, the attacker can track a subscriber with accuracy down to street level. The analysis of the attack is shown in Figures 3 and 4.

Figure 3. ATI location tracking.

Figure 4. PSI location tracking.

According to the message flow of location tracking, relevant characteristics and detection rules are extracted as shown in Table 3:

Table 3. Characteristics and detection rules of location tracking.

| Message | Characteristics | Detection rules |
|---|---|---|
| AnyTimeInterrogation (ATI) | opcode is 71. Elements that do not belong to the country of the subscriber send ATI messages to the subscriber | For each message, If Opcode='71' and messagetype=98 and (ogt_cc<>msisdn_cc or ogt_cc<>imsi_cc) Then block |
| | | For each message, If Opcode='71' and messagetype=100 and (dgt_cc<>msisdn_cc or dgt_cc<>imsi_cc) Then block |
| ProvideSubscriberInfo (PSI) | opcode is 70. Elements that do not belong to the country of the subscriber send PSI messages to the subscriber | For each message, If Opcode='70' and messagetype=98 and (ogt_cc<>imsi_cc) Then block |

3.2 Interception of calls

The main principle of call interception is that the attacker impersonates the HLR to send ISD messages to the subscriber and inserts a fake gsmSCF address. When the subscriber initiates a call to the peer subscriber, the subscriber registers the calling party service and sends an IDP message to the fake gsmSCF to ask how the call should be handled. After receiving the IDP message, the fake gsmSCF changes the called number to an element under the attacker's control, and the attacker records the content of the call as an intermediary. The analysis of the attack is shown in Figure 5.

Figure 5. Interception of calls.

According to the message flow of the interception of calls, relevant characteristics and detection rules are extracted as shown in Table 4:

Table 4. Characteristics and detection rules of call interception.

| Message | Characteristics | Detection rules |
|---|---|---|
| InsertSubscriberData (ISD) | opcode is 7, and the gsmSCF address inserted does not belong to the subscriber's country | For each message, If Opcode='7' and messagetype=98 and (gsmscf_cc <> imsi_cc or gsmscf_cc <> msisdn_cc) Then block |
| InitialDP | opcode is 0, and dgt address does not belong to the subscriber's country | For each message, If Opcode='0' and messagetype=98 and eventtypebsm=2 and (dgt_cc <> callingpartynumber_cc) Then block |
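
The single-message rules of Tables 3 and 4, written out as an added Python example (it is not the paper's Hive implementation). It assumes each parsed message is a dict with the hypothetical keys `opcode`, `messagetype`, `eventtypebsm`, `imsi`, `msisdn`, `ogt`, `dgt`, `gsmscf` and `callingpartynumber`, derives the `*_cc` values of Table 2 from a small assumed excerpt of country-code tables, and runs on constructed sample messages.

```python
"""Tables 3 and 4 as stateless screening rules (added example, constructed data)."""

REQUEST, REPLY = 98, 100  # messagetype values defined in Table 2

# Assumed lookup data: excerpts of E.212 mobile country codes and E.164 calling codes.
MCC = {"460": "CN", "515": "PH", "204": "NL"}
E164 = {"86": "CN", "63": "PH", "31": "NL"}

def country(field, value):
    """Map an IMSI (3-digit MCC) or an E.164 number (1-3 digit code) to a country."""
    if not value:
        return None
    if field == "imsi":
        return MCC.get(value[:3])
    return next((E164[value[:n]] for n in (3, 2, 1) if value[:n] in E164), None)

# (name, opcode, messagetype, address under test, identities it must match, extra conditions)
RULES = [
    ("ATI request, foreign origin", 71, REQUEST, "ogt", ("msisdn", "imsi"), {}),
    ("ATI reply, foreign destination", 71, REPLY, "dgt", ("msisdn", "imsi"), {}),
    ("PSI request, foreign origin", 70, REQUEST, "ogt", ("imsi",), {}),
    ("ISD, foreign gsmSCF", 7, REQUEST, "gsmscf", ("imsi", "msisdn"), {}),
    ("IDP, foreign destination", 0, REQUEST, "dgt", ("callingpartynumber",),
     {"eventtypebsm": 2}),
]

def evaluate(msg):
    """Return the names of the rules that would block this message (empty = pass)."""
    hits = []
    for name, opcode, mtype, subject, peers, extra in RULES:
        if msg.get("opcode") != opcode or msg.get("messagetype") != mtype:
            continue
        if any(msg.get(key) != want for key, want in extra.items()):
            continue
        subject_cc = country(subject, msg.get(subject))
        peer_ccs = [country(peer, msg.get(peer)) for peer in peers]
        # As with SQL '<>', a missing or unmapped value never matches, so it passes.
        if subject_cc and any(cc and cc != subject_cc for cc in peer_ccs):
            hits.append(name)
    return hits

# Constructed messages using page values (GT 3165123452, Table 2 examples) and a made-up MSISDN.
SAMPLES = [
    {"opcode": 71, "messagetype": REQUEST, "ogt": "3165123452", "msisdn": "8613800000001"},
    {"opcode": 70, "messagetype": REQUEST, "ogt": "8613822811", "imsi": "4600113036777"},
    {"opcode": 7, "messagetype": REQUEST, "gsmscf": "3165123452", "imsi": "4600113036777"},
    {"opcode": 0, "messagetype": REQUEST, "eventtypebsm": 2, "dgt": "3165123452",
     "callingpartynumber": "8613800000001"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample) or "pass")
```

Because the IMSI carries a mobile country code (460) while a GT carries a calling code (86), both have to be mapped to a common country value before the `<>` comparisons in the rules mean anything.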

3.3 Interception of SMS

MAP updateLocation messages are used to inform the HLR that the subscriber has moved to a new MSC area, and the interception of SMS works by using a false updateLocation message. Since the SMSC sends SRIFSM to the HLR, which returns the attacker's fake MSC, any SMS sent to the subscriber is intercepted by the fake MSC. The attacker now controls the message and can store it, change it, and possibly forward it to the original subscriber [8]. The specific attack flow analysis is shown in Figure 6:

Figure 6. Attack flow analysis of the intercepting SMS.

According to the principle of SMS interception, relevant characteristics and detection rules are extracted as shown in Table 5:

Table 5. Characteristics and detection rules of SMS interception.

| Message | Characteristics | Detection rules |
|---|---|---|
| Updatelocation (UL) | opcode is 2. MSCs in different countries send updateLocation messages to the subscriber's HLR within a short period of time (this method is used to extract a jump in the subscriber's position within a short period of time) | For each message, If Opcode='2' and messagetype=98 then If \|time_message2 - time_message1\| < 60min and ogt1_cc <> ogt2_cc Then block |
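
Unlike the rules of Tables 3 and 4, the updateLocation rule compares two messages for the same subscriber, so it needs per-IMSI state. The following is an added Python example, not the paper's implementation; the dict keys, the `LocationJumpDetector` class and the sample stream are assumptions, and `ogt_cc` is taken as already derived.

```python
"""Table 5 as a stateful check: updateLocation country jumps (added example)."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # threshold from Table 5
UL_OPCODE, REQUEST = 2, 98      # opcode from Table 5, messagetype from Table 2

class LocationJumpDetector:
    """Remembers accepted updateLocation requests per IMSI and flags country jumps."""

    def __init__(self):
        self.accepted = {}  # imsi -> [(time_message, ogt_cc), ...] within WINDOW

    def observe(self, msg):
        """Return earlier (time, ogt_cc) entries that conflict with msg; [] means pass."""
        if msg.get("opcode") != UL_OPCODE or msg.get("messagetype") != REQUEST:
            return []
        now, cc = msg["time_message"], msg["ogt_cc"]
        # abs() keeps the |t2 - t1| form of the rule and tolerates out-of-order capture.
        recent = [(t, c) for t, c in self.accepted.get(msg["imsi"], [])
                  if abs(now - t) < WINDOW]
        conflicts = [(t, c) for t, c in recent if c != cc]
        if not conflicts:
            # Only accepted messages become the baseline; a blocked forgery must not
            # cause the subscriber's next genuine update to be blocked in turn.
            recent.append((now, cc))
        self.accepted[msg["imsi"]] = recent
        return conflicts

def screen(messages):
    """Apply the detector to a message stream and return one decision per message."""
    detector = LocationJumpDetector()
    return ["block" if detector.observe(m) else "pass" for m in messages]

T0 = datetime(2022, 1, 1, 10, 0)  # constructed capture start time

def ul(minute, ogt_cc, imsi="4600113036777"):
    """Build a constructed updateLocation request `minute` minutes after T0."""
    return {"opcode": UL_OPCODE, "messagetype": REQUEST, "imsi": imsi,
            "ogt_cc": ogt_cc, "time_message": T0 + timedelta(minutes=minute)}

# Constructed stream: roaming update, forged update 5 min later, genuine update, late update.
SAMPLES = [ul(0, "PH"), ul(5, "NL"), ul(20, "PH"), ul(120, "CN")]

if __name__ == "__main__":
    print(screen(SAMPLES))
```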

4. APPLICATION

4.1 The experimental network

Mobile operators must recognize that SS7 is no longer secure, and the SS7 network threat detection model needs to be applied as soon as possible. Because SS7 data involves subscriber privacy, the data used in the test was modified from real network data and simulates communication among operators A, B and C. Each operator represents a network connected to the international SS7 network. The network architecture and the information about the elements are shown in Figure 7.

Figure 7. The experimental network architecture.

The simulated attack data are generated on the experimental network. All the simulated data are derived from real data and conform to the MAP message specification. In addition to normal data, we also simulated attack data initiated by an element of operator C, of five main types: (1) SRIFSM messages used to obtain the subscriber's IMSI and MSC information; (2) PSI messages used to obtain the subscriber's location information; (3) ATI messages used to obtain the subscriber's location information; (4) UL messages used to intercept SMS; (5) ISD and IDP messages used to intercept calls. The MSISDN and IMSI are used to uniquely identify subscribers in these data.

To test the capability of the threat detection model in an SS7 network, we define Person A as a subscriber of Chinese operator A who is roaming on Philippine operator B. To facilitate mobility management, mobile operators need to track the location information of mobile terminals at all times. When Person A moves to a new location while powered on, the terminal reports its MSC to the HLR through an updateLocation message.

4.2 Threat detection application

To detect abnormal data on the network, Tshark is used to collect and parse the original traffic. After the data is preprocessed, it is imported into HDFS and loaded into the Hive warehouse. The abnormal attack behavior is then extracted by loading the threat detection model, and threat alarm information is generated. The detection process is shown in Figure 8.

Figure 8. The detection process.

Through the application of threat detection model in SS7 original traffic, we can extract some abnormal structured messages, as shown in Figures 9-11, and the attack traffic is visualized on the map, as shown in Figure 12.

Figure 9. The data of location tracking.

Figure 10. The data of call interception.

Figure 11. The data of SMS interception.

Figure 12. The visual interface displays the attack traffic information sent by the attacker.

In the data of location tracking, we can see that the attacker (GT:3165123452) sends an SRIFSM message to the subscriber to obtain the subscriber's IMSI, and then, imitating the HLR, sends a PSI message to the subscriber to obtain the subscriber's cell-level location.

In the data of call interception, we can see that the attacker (GT:3165123452) sends an ISD message to the subscriber to insert a fake gsmSCF address (GT:3165123452). When the subscriber initiates a call, the MSC asks the gsmSCF for the real phone number of the called subscriber. The fake gsmSCF rewrites the number to 3165123452, which is under the control of the attacker. Both subscribers can talk to each other, while the attacker records the conversation.

In the data of SMS interception, we can see that the attacker (GT:3165123452) sends a false updateLocation message to the HLR after the subscriber initiates an updateLocation message in the roaming place, telling the HLR that the subscriber has moved to the current MSC (GT:3165123452). All SMS messages sent to the subscriber are then routed to the attacker.

5. CONCLUSION

In this paper we have described some of the current threats to the SS7 network, built threat analysis and detection models for location tracking, interception of calls, interception of SMS, etc., and extracted threat features to form threat detection rules. Based on the simulated network, we generated normal traffic and attack traffic and applied the threat detection models. These models can also be applied to real SS7 networks to reduce the threats they face. In future work, we will apply machine learning and other techniques to further discover unknown threats in the SS7 network.

REFERENCES

[1] Tobias, E., “Locating mobile phones using signalling system #7,” 25th Chaos Communication Congress, 25C3, 7 (2008).

[2] Eustratios, M., Attacks on SS7, chapter 2, 29, University of Piraeus (2019).

[3] Ullah, K., Rashid, I., Afzal, H., Iqbal, W., Bangash, Y. A. and Abbas, H., “SS7 vulnerabilities—A survey & implementation of machine learning vs rule based filtering for detection of SS7 network attacks,” IEEE Communications Surveys & Tutorials, 15 (2020).

[4] Division, “Study paper on SS7 security,” Telecommunication Engineering Centre, (2019).

[5] Tobias, E., “SS7: Locate. track. Manipulate,” 31st Chaos Communication Congress, 31C3, 32–37 (2014).

[6] Sergey, P., “Stealthy SS7 attacks,” Positive Technologies, 46–47 (2017).

[7] Kristoffer, J., Improving SS7 Security Using Machine Learning Techniques, chapter 4, 27–28, Norwegian University of Science and Technology (2016).

[8] Poornima, P. and Subrata, A., in IEEE International Conference on Advanced Networks and Telecommunications Systems, 3 (2018).
© (2022) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
Zuobing Xu, Yu Wang, and Xiaoyue Ge "Analysis and application of SS7 core network threat detection", Proc. SPIE 12506, Third International Conference on Computer Science and Communication Technology (ICCSCT 2022), 125061J (28 December 2022); https://doi.org/10.1117/12.2661793
KEYWORDS
Data modeling, Network architectures, Telecommunications, Analytical research, Data storage, Network security, Feature extraction