Abstract
The interconnection network (IPX) connects telecommunication networks with each other. The IPX network enables features like roaming and data access while traveling. Designed as a closed network, it is now opening up, and unauthorized entities misuse the IPX network for their own purposes. The majority of the IPX still runs the Signaling System No. 7 (SS7) protocol stack, while the more advanced operators are now turning towards Diameter-based LTE roaming. SS7 is known to suffer from many attacks, and the first attacks on Diameter are known. In this article, we show how an attacker can extract a subscriber profile from the Home Subscriber Service (HSS). The subscriber profile contains all key information related to the user's subscription, e.g. location, billing information, etc. We close with a recommendation on how to prevent such an attack.
Acknowledgments
This work was carried out under the DIMECC Cyber Trust Program (Finland). We would also like to thank the security-aware operators in GSMA who drive the improvement of interconnection security.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Holtmanns, S., Miche, Y., Oliver, I. (2017). Subscriber Profile Extraction and Modification via Diameter Interconnection. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_45
DOI: https://doi.org/10.1007/978-3-319-64701-2_45
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64700-5
Online ISBN: 978-3-319-64701-2
eBook Packages: Computer Science, Computer Science (R0)