Mobile Subscriber Profile Data Privacy Breach via 4G Diameter Interconnection

Authors

  • Silke Holtmanns, Nokia Bell Labs, Security Research, Karakaari 3, 02610 Espoo, Finland
  • Ian Oliver, Nokia Bell Labs, Security Research, Karakaari 3, 02610 Espoo, Finland
  • Yoan Miche, Nokia Bell Labs, Security Research, Karakaari 3, 02610 Espoo, Finland

DOI:

https://doi.org/10.13052/jicts2245-800X.634

Keywords:

SS7, Diameter, IPX, security

Abstract

The interconnection network (IPX) connects telecommunication networks with each other around the globe. The IPX network enables features like voice and data roaming with your mobile device while traveling. Designed as a closed network, it is now opening up, and unauthorized entities misuse the IPX network for their own purposes. The majority of the IPX still runs the Signalling System No. 7 (SS7) protocol stack, while the more technically advanced operators roll out and deploy Diameter-based LTE roaming. SS7 is known to suffer from many attacks, and the first attacks using the Diameter protocol have appeared. We will show how an attacker can breach the subscriber’s privacy by obtaining the subscriber profile from the Home Subscriber Service (HSS) and using the obtained information. The subscriber profile contains all key information related to the user’s subscription, e.g. location, billing information, MSISDN, etc. We will close with a recommendation on how to prevent such an attack.

Author Biographies

Silke Holtmanns, Nokia Bell Labs, Security Research, Karakaari 3, 02610 Espoo, Finland

Silke Holtmanns is a security expert at Nokia Bell Labs and researches new attack vectors and mitigation approaches. She holds a PhD in Mathematics, and her current research area combines data analytics, penetration testing and privacy. The creation of new and the investigation of existing security attacks using the SS7, Diameter and GTP protocols via the Interconnect lead to new countermeasures for 4G/5G networks. She is also actively supporting the evolution of 5G interconnection security in 3GPP. The identified countermeasures combine monitoring, filtering, and advanced protection with machine learning. As an expert on existing and future attack patterns for interconnection security, she provides advice to our company, customers, standard boards, and regional and national regulating governmental bodies, e.g. US FCC or EU ENISA. Recently, she started investigating potential risk areas of 5G, which has a different architecture and design concept compared to the previous releases.

She serves as a regular organizer and editor for workshops and special issues. She has over 18 years of experience in mobile security research and standardization, with a strong focus on 3GPP security and GSMA. She is rapporteur of ten 3GPP specifications and editor of the GSMA Interconnection Diameter Signalling Protection document.

Ian Oliver, Nokia Bell Labs, Security Research, Karakaari 3, 02610 Espoo, Finland

Ian Oliver works for Nokia Bell Labs as a senior security researcher specialising in high-integrity and trusted Network Function Virtualisation, and on occasion the more theoretical underpinnings of privacy and privacy engineering. He also holds a Research Fellow position at the University of Brighton working with the Visual Modelling Group on diagrammatic forms of reasoning and semantics.

Prior to that he worked as the privacy officer for Nokia Services and for eleven years at Nokia Research Centre working with Semantic Web, UML, formal methods and hardware-software co-design. He has also worked at Helsinki University of Technology and Aalto University teaching formal methods and modelling with UML. He holds over 40 patents in areas such as The Internet of Things, semantic technologies and privacy, as well as numerous papers in these areas. He is the author of the book: Privacy Engineering – A Data Flow and Ontological Approach. (www.privacyengineeringbook.net)

Ian lives in Sipoo, Finland with his wife, two children, dog and cat. https://www.bell-labs.com/usr/ian.oliver

Yoan Miche, Nokia Bell Labs, Security Research, Karakaari 3, 02610 Espoo, Finland

Yoan Miche was born in 1983 in France. He received an Engineer’s Degree from Institut National Polytechnique de Grenoble (INPG, France), and more specifically from TELECOM, INPG, in September 2006. He also graduated with a Master’s Degree in Signal, Image, Speak and Telecom from ENSERG, INPG, at the same time. He worked in the Information and Computer Science (ICS) lab of Aalto University as a postdoc for 4 years, after obtaining his D.Sc. from INPG (France) and Aalto University (Finland). He is currently a Cybersecurity Researcher at Nokia Bell Labs, Finland.

Published

2018-09-20

How to Cite

Holtmanns, S., Oliver, I., & Miche, Y. (2018). Mobile Subscriber Profile Data Privacy Breach via 4G Diameter Interconnection. Journal of ICT Standardization, 6(3), 245–262. https://doi.org/10.13052/jicts2245-800X.634

Section

Articles