Signaling System no. 7 (SS7)
Signaling System No. 7 (SS7) is one of the mobile communication backend protocols, mainly used for establishing roaming interconnectivity across 2G/GSM mobile network operators. Besides roaming, SS7 has enabled a wide range of facilities such as Short Message Services (SMS), toll-free numbers, televoting and Local Number Portability (LNP). It was built at a time when mobile network operators were a trusted network of government-owned organizations, and the security of the whole network was provided by denying access to external entities. Being a four-decade-old protocol, SS7 has the following issues:
• Attackers can gain access to the SS7-based core network using other Internet protocols.
• Once inside the core network, they can exploit the routing layer to map the periphery of the network, scan for open ports and send hostile messages.
• Since there is no authentication check or any other cryptographic protection within the network, attackers can impersonate internal network nodes and query other nodes for subscriber information.
Location tracking attacks using SS7
As shown in Figure 1, an attacker with SS7 access can track the location of a cellphone user just by knowing their phone number. The accuracy of the tracked location depends on the cellular service procedure and the core network element queried by the attacker.
Figure 1: An SS7 attacker impersonating different core network nodes to learn the location of the targeted cellphone user
• Querying the Home Location Register (HLR): By impersonating a Global MSC (GMSC) or a Short Message Service Center (SMSC), an attacker can initiate either the call set-up or the SMS delivery procedure to query the HLR for the global title of the serving MSC and the IMSI of the target. The MSC service area indicates the state or county in which the target is currently roaming. The attacker can also learn the cell area of the target by misusing billing-platform-related procedures.
• Querying the Mobile Switching Center (MSC): Once the IMSI and the global title of the MSC are known, the attacker can query the MSC by impersonating the HLR to learn the cell area of the target. It is also possible to misuse the emergency call procedures to track the target down to his geographical coordinates.
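As an added illustration, not part of the original text, the following Python screening routine shows how an interconnect firewall or monitoring function can detect the two impersonation patterns just described from the defender's side: location-revealing MAP operations arriving from outside the home network, and an "SMSC" that resolves routing information for many subscribers but never delivers a message. The global titles, MSISDNs, threshold and allow policy are constructed assumptions; the operation names follow the MAP specification.

```python
from collections import defaultdict

HOME_GT_PREFIX = "4412"   # constructed: global titles of the home operator's own nodes
LOOKUP_THRESHOLD = 3      # constructed: distinct MSISDNs looked up before a GT is flagged

# Location/identity-revealing MAP operations that an interconnect peer has no
# legitimate reason to send (constructed policy, simplified from common SS7
# firewall practice; operation names follow the MAP specification).
NEVER_FROM_EXTERNAL = {"provideSubscriberInfo", "anyTimeInterrogation", "sendIMSI"}

def is_home(gt: str) -> bool:
    return gt.startswith(HOME_GT_PREFIX)

def screen(records):
    """records: dicts with keys opcode, calling_gt, called_gt, msisdn.
    Returns a list of (calling_gt, reason) alerts in detection order."""
    alerts = []
    sri_sm_targets = defaultdict(set)  # external GT -> MSISDNs it resolved via SRI-SM
    mt_fsm_senders = set()             # external GTs that actually delivered an SMS
    for r in records:
        gt, op = r["calling_gt"], r["opcode"]
        if is_home(gt):
            continue  # intra-network traffic is out of scope for interconnect screening
        if op in NEVER_FROM_EXTERNAL:
            # Second pattern in the text: a foreign node posing as the HLR toward our MSC
            alerts.append((gt, f"{op} from external GT"))
        elif op == "sendRoutingInfoForSM":
            sri_sm_targets[gt].add(r["msisdn"])
        elif op == "mt-ForwardSM":
            mt_fsm_senders.add(gt)
    # First pattern in the text: an "SMSC" that resolves IMSI/MSC for many subscribers
    # but never delivers a message is probing the HLR, not delivering SMS.
    for gt, targets in sri_sm_targets.items():
        if gt not in mt_fsm_senders and len(targets) >= LOOKUP_THRESHOLD:
            alerts.append((gt, f"{len(targets)} SRI-SM lookups with no MT-ForwardSM"))
    return alerts

# Constructed sample signaling records: one genuine foreign SMSC (3310001) and one
# probing node (9990007); all global titles and MSISDNs are made up.
SAMPLE = [
    {"opcode": "sendRoutingInfoForSM", "calling_gt": "3310001", "called_gt": "4412000", "msisdn": "447700900001"},
    {"opcode": "mt-ForwardSM", "calling_gt": "3310001", "called_gt": "4412100", "msisdn": "447700900001"},
    {"opcode": "sendRoutingInfoForSM", "calling_gt": "9990007", "called_gt": "4412000", "msisdn": "447700900002"},
    {"opcode": "sendRoutingInfoForSM", "calling_gt": "9990007", "called_gt": "4412000", "msisdn": "447700900003"},
    {"opcode": "sendRoutingInfoForSM", "calling_gt": "9990007", "called_gt": "4412000", "msisdn": "447700900004"},
    {"opcode": "provideSubscriberInfo", "calling_gt": "9990007", "called_gt": "4412100", "msisdn": "447700900002"},
    {"opcode": "provideSubscriberInfo", "calling_gt": "4412000", "called_gt": "4412100", "msisdn": "447700900002"},
]
```

Running `screen(SAMPLE)` yields two alerts for GT 9990007 (an external PSI, then three SRI-SM lookups with no delivery) and none for the legitimate SMSC or the home node.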
Diameter Protocol
3GPP has standardized the use of Diameter in the 4G/LTE core network to support mobility and the IP Multimedia Subsystem (IMS), and to extend the functionalities of SS7 over an all-IP network. As a relatively new protocol, Diameter has strong support for Authentication, Authorization and Accounting (AAA), encryption of communication traffic and mechanisms to hide the internal topology. However, the security and privacy considerations of Diameter fall short of guaranteeing that the end user cannot be tracked [2].
Exploiting the interoperability between SS7 and Diameter based core networks
Most mobile network operators upgrade their networks from GSM to LTE gradually, to avoid service interruption and to optimize the return on investment in the infrastructure. As a result, the current interconnection network contains an inhomogeneous set-up of nodes that support either SS7 or Diameter. For interoperability with partners, edge nodes often have the ability to translate between the Diameter and SS7 protocols, which is done using Interworking Functions (IWF). In such situations, an attacker can exploit the lack of security measures in the interconnections to track the location of an LTE cellphone user. Unlike the SS7-based attacks, here the attacker can gain more fine-grained information, such as the software version, IMEI number and operating system of the device, along with location tracking down to the granularity of the cell area.

