Subscriber Profile Extraction and Modification via Diameter Interconnection

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10394)

Abstract

The interconnection network (IPX) connects telecommunication networks with each other and enables features such as roaming and data access while traveling. Designed as a closed network, it is now opening up, and unauthorized entities misuse it for their own purposes. The majority of the IPX still runs the Signaling System No. 7 (SS7) protocol stack, while the more advanced operators are now turning towards Diameter-based LTE roaming. SS7 is known to suffer from many attacks, and the first attacks on Diameter are known. In this article, we show how an attacker can extract a subscriber profile from the Home Subscriber Server (HSS). The subscriber profile contains all key information related to the user's subscription, e.g. location, billing information, etc. We close with a recommendation on how to prevent such an attack.



Acknowledgments

This work was made under the DIMECC Cyber Trust Program (Finland). We would also like to thank the security-aware operators in GSMA who drive the improvement of the interconnection security.

Author information

Corresponding author

Correspondence to Silke Holtmanns.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Holtmanns, S., Miche, Y., Oliver, I. (2017). Subscriber Profile Extraction and Modification via Diameter Interconnection. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_45

  • DOI: https://doi.org/10.1007/978-3-319-64701-2_45

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64700-5

  • Online ISBN: 978-3-319-64701-2

  • eBook Packages: Computer Science (R0)
