User location tracking attacks for LTE networks using the Interworking Functionality (IWF)

User location tracking attacks for LTE networks using
the Interworking Functionality
Silke Holtmanns2 Siddharth Rao1 Ian Oliver2
1Aalto University, Finland 2Bell Labs - Nokia Networks, Finland
IFIP Networking 2016
17th-19th May 2016
Sid Rao (Aalto/Nokia) LTE location tracking using IWF IFIP Networking 2016 1 / 37

Overview
1 SS7 based attacks
SS7 background
SS7 attacks recap
2 LTE/ Diameter based attacks
Motivation
Interworking Functions (IWF)
LTE IMSI disclosure attack
Location disclosure
3 Countermeasures

Part 1: SS7 attacks
SS7 background
and
Location tracking attacks

Signalling System no. 7 (SS7)
A 4 decade old protocol mainly used in the era of 2G/GSM and
before.
However, 2G is still the most widely used mobile generation.
Built for trusted partner network and use/access to outsiders were
denied.
However now, almost anyone can use the telco backbone (having
money, hacking skills or strong political power).
Protocol foundation to enable roaming.
Short Message and Supplementary services.
Toll free numbers and tele-voting.
Enhanced Message Service (EMS) and Local Number Portability
(LNP).

SS7 Location based attacks
Locating Mobile Phones: First revealed in .2008 by Tobias Engel.
An attacker can locate the victim by just having phone number and
SS7 access.
Exploiting the loopholes of an outdated system i.e Signalling System
protocol.
Lack of cryptographic protection.
Since then, diﬀerent types of SS7 attacks have been demonstrated by
several security researchers.
Locate-Track-Manipulate: In 2014, Engel presented more concrete
attack which can continuously track besides locating the victim more
accurately than the previous attack.

Cellular identifiers
MSISDN - Mobile Station International Subscriber Directory
Number, the phone number.
IMSI - International Mobile Subscriber Identity, uniquely identifies a
SIM.
GT - Global Title, uniquely* identify the network elements.
Host name or Global IP address : GT :: Internet : Telecom
IMEI - International Mobile Equipment Identity, uniquely identifies
the cellphone.
Cell ID - uniquely identifies a base station within a location area.
Cell ID + LAC → uniquely identifies a base station within a network.

Network elements
HLR - Home Location Register, a central database of cellphone
subscribers.
MSC/VLR - Mobile Switching Centre/Visitor Location Register,
keeps track of location and other details of the users in its region.
SMSC - Short Message Service Centre (SMSC, handles SMS service
by storing and forwarding the messages.
gsmSCF - GSM Service control Function, responsible for handling
the subscriber billing.
GMLC - responsible for emergency and commercial location-based
services. Mainly used in the emergency calls (911) location scenarios.

GSM network architecture

Attack using call set up messages
Figure : Location disclosure attack using call set up messages [2]

Attack using SMS protocol messages
Figure : Location disclosure attack using SMS protocol messages [2]

Accuracy of the tracked location

Attack using billing platform related messages (1)
Figure : Location disclosure attack using billing platform related messages [3]

Attack using billing platform related messages (2)
Figure : Location disclosure attack using billing platform related messages [3]

Attack using emergency service related messages
Figure : Location disclosure attack using emergency service related messages [3]

Part 2: LTE/Diameter attacks
LTE
and
Diameter attacks

Motivation
Most MNO upgrade their network gradually to avoid service
interruption and optimize ROI of infrastructure.
Inhomogeneous set-up =⇒ interesting attack vectors.
For interoperability with partners, edge nodes have the ability to
translate between Diameter ⇐⇒ SS7.
Attack translation
We wanted an easy way to port SS7 attacks to Diameter.

Ideal Diameter Network
Figure : Diameter roaming architecture between two newer networks.

Inhomogeneous Network
Figure : Diﬀerent networks with diﬀerent protocol support.

Interworking functions
Technical speciﬁcation TS 29.305 [4] and non-binding report TR
29.805 [5].
Describes how Diameter and SS7-MAP messages should be translated
to each other i.e. Attribute Value Pairs (AVP) mapping.
General idea:
Attacker pretends to be an old type network or node.
It forces IPSec secured LTE Diameter network or nodes into using the
less secured SS7-MAP.
Craft SS7-like attack messages and IWF will take care of the rest.

Phase 1: Obtaining IMSI (1)
Attacker claims to be an IWF node
Typical multi-domain support scenario for roaming and routing
incoming SMS.
MAP commands have to be translated to Diameter speciﬁc commands
by the receiving IWF node.

Phase 1: Obtaining IMSI(2)
The IWF copies IMSI of the victim from username AVP from SRA to SRI
SM ACK.

Mapping of parameters from SRI SM to SRR
Attacker’s side
MSISDN of the victim
His own Calling Party Address (cgPA).
The spoofed Service Center Address(SCA).
SM-RP-PRI ﬂag - allows the attacker to get information from the
HSS even if the victim is not being served in that network.
SM-Delivery-Not-Intended ﬂag (optional).
Conversion into SRR
IWF maps the above SS7 MAP parameters into respective AVPs of
Diameter SRR.
Called Party Address (cdPA) AVP is populated before sending to HSS.

Mapping of parameters from SRA to SRI SM ACK
locationInfoWithLMSI sub-parameter AVP:
networkNode-Number contains MME address.
IMSI of the victim.
IWF also sends MAP Information Service Center message to the
attacker to conﬁrm the completion of the requested information
delivery. But this can be ignored.
Please note:
There exists several other methods of IMSI retrieval as well e.g. 4G IMSI
catchers, WLAN access point and EAP-AKA protocol. But they need the
attacker to be in the same vicinity of the target/victim.

Phase 2: Location disclosure attack

Mapping of ISD to IDR
Attacker’s side
Attacker poses as an IWF across the interconnection and sends ISD
message to the targeted network’s IWF. He uses the previously
retrieved IMSI and serving node (MME) information.
Requested Information parameter includes:
sub-parameters Active Location Retrieval requested and Location
Information in EPS supported.
Allows the attacker to get ﬁne-grained information about the victim
e.g. subscriber state, IMEI, software version.
Conversion into IDR
Target IWF sets the IDR-ﬂag value to 3 → indicates that the location
information is requested.
IDR message is then directed to MME.

Mapping of IDA to ISD Ack
Depending on the information requested:
EPS Location Information AVP → contains Cell ID.
EPS User State AVP → victim’s state.
Attack using MAP Provide Subscriber Information (PSI) works in
similar fashion.
The IMEI number and Software version retrieved are hardware speciﬁc
information of the victim, which can be used for further targeted
attacks.

LTE Location disclosure attacks summary
SS7 attack vector IWF Attack? Reason
MAP SRI No Very few operators connect
HSS directly to DEA or inter-
connection.
MAP SRI SM Yes Location upto granularity of
MME.
MAP ATI No IWF cannot directly map ATI
commands.

LTE Location disclosure attacks summary (2)
MAP PSI Yes EPS Location Info i.e. cell
ID, subscriber state, IMEI,
software version and encryp-
tion keys.
Emergency calls (PSL) No IWF cannot directly map PSL
commands.

Countermeasures
Effective SS7 filter/firewall to verify whether a message is:
Operator network internal or from the interconnection
Communicated within the global title range of the partner.
Sent to/from the MS of an outbound roaming subscriber.
Whitelist the partners and the protocols used by them.
Implement NDS/IP security over the Diameter Edge Agents.
AVP specific filtering.

Conclusion
Even if LTE offers very good security on air interface, the Diameter is
as less secure as SS7 when it comes to location disclosure attacks.
LTE attacks =⇒ It is possible to port SS7 attacks to Diameter
network using Interworking functions.
IMSI disclosure; location tracking upto MME as well as cellID level;
IMEI and OS software version disclosure.
Countermeasures include adhering to security standards (NDS/IP)
and adopting efficient filtering mechanisms.
Review of Diameter protocol
“Privacy in LTE networks” to appear in The 9th EAI International
Conference on Mobile Multimedia Communications, (IW5GS 2016).

References I
S. P. Rao, S. Holtmanns, I. Oliver, and T. Aura. (To appear)
We know where you are! Utilising the telecoms core network for user tracking.1
The 8th International Conference on Cyber Conﬂict (CyCon 2016).
Tobias Engel (2008)
Locating mobile phones using signalling system 7
25th Chaos communication congress, 2008.
Tobias Engel (2014)
SS7: Locate. track. manipulate
31st Chaos communication congress, 2014.

References II
TS 29.305
InterWorking Function (IWF) between MAP based and Diameter based interfaces
3rd Generation Partnership Project (3GPP)
TR 29.805
InterWorking Function (IWF) between MAP based and Diameter based interfaces,
3rd Generation Partnership Project (3GPP)
1
A survey article combining all SS7 location attacks

Thank you!

User location tracking attacks for LTE networks using the Interworking Functionality (IWF)

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to User location tracking attacks for LTE networks using the Interworking Functionality (IWF) (20)

Recently uploaded (20)

User location tracking attacks for LTE networks using the Interworking Functionality (IWF)