UMTS Security Undermined By SS7 – The Bigger Picture

Until December 2014 I thought that the UMTS air interface was secure. After all, the air interface is much more complex than the GSM air interface and strong authentication and encryption are used. It felt good. And then, a few days before 31C3, news broke that security researchers would demonstrate a way to passively intercept SMS messages sent over the UMTS air interface with cheap equipment if the attacker has access to the signaling network used by wireless networks, known as SS7 (Signaling System No. 7), anywhere in the world. And that scenario was only the tip of the iceberg, as it turned out only a few days later.

Attacking UMTS Ciphering From The Inside

I never thought about such a scenario before but with the clues given in the article it only took me 5 minutes to figure out the details by having a closer look at the MAP (Mobile Application Part) specification in 3GPP TS 29.002. When a subscriber moves from one MSC area to another, the MSCs need to exchange subscriber information and chapter 8.1.4 details the Send Identification service which transfers, among other things, the current ciphering keys from one MSC to another. These ciphering keys can then be used to decrypt transmissions on the UMTS air interface to and from a particular subscriber. The presentation at 31C3 by Karsten Nohl of Security Research Labs a few days later then proved that my assumptions were correct. The slides can be found here and a video of the talk has been posted here.

From a psychological point of view I found this quick discovery quite interesting. While the message is necessary for proper mobility management in a network and I've known about it from my days as a core network programmer, it never crossed my mind before that this could be exploitable if such messages are routed across network and country borders. But when looking at this from a different angle it becomes immediately obvious. And it seems I was not the only one not to see this because it was reported that all four German cellular networks had no filters in place at network boundaries to prevent such queries. Fortunately, all four reacted quickly and put message filters in place to stop the abuse.

Re-routing Attacks

Unfortunately, the filter just stops this particular exploit. A further talk at 31C3 by Tobias Engel and a presentation by 'Positive Technologies' given earlier in 2014 at a conference in Moscow reveal several other possibilities to exploit the implicit trust between cellular networks that enables roaming across country borders. With access to the global SS7 network anywhere in the world, an attacker has several ways to re-route a call for a subscriber to somewhere else, record it and then forward it on to the destination. This can be done by sending fake USSD (Unstructured Supplementary Service Data) messages to the HLR (Home Location Register) to activate and deactivate immediate call forwarding. This way an incoming call can automatically be forwarded to a recording station. Once it arrives there, the call forwarding is removed and another call is made from the recording station back to the subscriber. Another way described in the presentations linked above is to use the SS7-based CAMEL protocol to change the destination of a call during the establishment process without the need to change the call forwarding settings in the HLR.

While call re-routing is probably most interesting for spy agencies for political and industrial espionage, researchers have also shown how it is possible to redirect SMS messages by sending fake subscriber registration messages across international SS7 links. This way a mobile device is deregistered at its current location and seems to have traveled across international borders. Any incoming calls and SMS messages are thus re-routed to the attacker, who can sit anywhere in the world. The subscriber doesn't notice the deregistration as his mobile device continues to show that it is connected to the network. This won't work for long, as sooner or later the device will make a periodic location update at its current location or try to access the Internet, and as a consequence the fake registration is deleted. When timed correctly, the temporary redirection can be used for fraud. In combination with banking Trojans that collect banking website login PINs and the knowledge of a user's phone number, a confirmation SMS for a transaction triggered by the fraudsters can be redirected into their lap without the user even noticing it. A scary scenario.

Ways To Stop It

The only good news is that these attacks are not passive as they leave traces in the logs of network operators. But that's about it then. In practice it is probably difficult but not impossible to get access to the international SS7 network. For intelligence 'services' around the world it should be no problem whatsoever. So what can be done?

  • The first step has already been taken by some network operators by blocking requests for the current ciphering keys from outside their networks.
  • Some of the re-routing attacks, e.g. changing call forwarding settings from abroad via USSD, can be prevented by plausibility checks, i.e. the HLR or a box in front of it has to verify that the USSD message comes from the Mobile Switching Center to which the subscriber is currently attached. To prevent spoofing of the sender's SS7 point code, a network operator's international SS7 gateway has to ensure that only messages with international point codes are allowed into the local network.
  • Check CAMEL modification messages: The service logic in MSCs must ensure that only Service Control Points (SCPs) from a predefined list of Global Titles can be informed about call establishments and other operations.
  • Encryption of national SS7 links: To prevent foreign intelligence services from tapping SS7 links in other countries, all SS7 traffic between locations must be encrypted and integrity checked.
  • Monitor changing call forwarding settings: Most people don't change their call forwarding settings regularly. I'm probably an exception. A box in the network could watch out for frequent and thus suspicious call forwarding changes and warn the operator and subscriber.
  • Plausibility check international requests for authentication material: Even after barring the exchange of the current ciphering key, networks can still request authentication and ciphering material for subscribers of other networks. This is the basis for international roaming but may also allow those with access to UMTS IMSI catchers to get valid keys. The only way to counter this is to check if an authentication vector request is likely to be valid. If a request comes in from abroad while the mobile just recently made a location update in the home country, it's unlikely that the request was valid. Exceptions are border areas to neighboring countries. That makes plausibility checks not impossible but quite complicated in practice.
  • Check international registration requests: The same checks as described in the bullet point above have to be applied to registration requests to prevent enhanced re-routing attacks. As above, preventing such fraud is not impossible but not straightforward to implement in practice.
  • Allow subscribers to toggle a "Home Network" lock: If bad comes to worse this would stop any kind of foreign attack if such a lock would block all requests for ciphering material, registrations, etc. etc. from international SS7 links. I'm sure a lot of politicians and high value espionage targets would sleep easier. I'm not sure if this is the same as just deactivating international roaming like it can be done already today… And by the way, such an approach is not novel. Some credit card companies, for example, restrict the use of their cards to countries in which EMV chip/pin authentication is used and require their customers to temporarily unlock their cards if they travel to parts of the world where the magnetic stripe is still used.
  • Name, shame and ban: Networks from which illegal SS7 messages are sent should be made public so other network operators can react and also put countermeasures in place. If I were a network operator I would also think about terminating my business with that network and blocking all traffic from there. Some examples made public would probably work wonders to convince network operators to keep their back yards clean.
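
To make the two plausibility-check bullets above (authentication material and registration requests) more concrete, here is a sketch of the decision logic such a box in front of the HLR could apply. It is an example added for illustration, not code from any operator or vendor. The home country, the neighbour list, the one-hour minimum travel time, the verdict names and the sample requests (test IMSI, placeholder country code "XX") are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values, chosen for illustration (not from the original post).
HOME_COUNTRY = "DE"
NEIGHBOURS = {"AT", "BE", "CH", "CZ", "DK", "FR", "LU", "NL", "PL"}
MIN_TRAVEL_TIME = timedelta(hours=1)

@dataclass
class LocationUpdate:          # last location update the home network saw
    country: str
    at: datetime

@dataclass
class RoamingRequest:          # request arriving on an international link
    imsi: str
    kind: str                  # "auth_vectors" or "registration"
    origin_country: str
    at: datetime

def check_request(req, last_seen):
    """Return (verdict, reason); verdict is 'allow', 'review' or 'block'."""
    last = last_seen.get(req.imsi)
    if last is None:
        return "review", "no location history for subscriber"
    if req.origin_country == last.country:
        return "allow", "subscriber is already registered in that country"
    elapsed = req.at - last.at
    if elapsed < timedelta(0):
        return "review", "request predates last location update"
    if last.country == HOME_COUNTRY and req.origin_country in NEIGHBOURS:
        # Border-area exception: a neighbouring network can reach the
        # handset without any travel, so never block outright here.
        verdict = "review" if elapsed < MIN_TRAVEL_TIME else "allow"
        return verdict, "neighbouring country, border area possible"
    if elapsed < MIN_TRAVEL_TIME:
        return "block", (f"{req.kind} from {req.origin_country} only "
                         f"{elapsed} after update in {last.country}")
    return "allow", "enough time elapsed for travel"

# Constructed sample data (test IMSI, invented timestamps).
T0 = datetime(2015, 1, 5, 12, 0)
LAST_SEEN = {"001010000000001": LocationUpdate("DE", T0)}
SAMPLES = [
    RoamingRequest("001010000000001", "auth_vectors", "XX", T0 + timedelta(minutes=5)),
    RoamingRequest("001010000000001", "registration", "FR", T0 + timedelta(minutes=5)),
    RoamingRequest("001010000000001", "registration", "XX", T0 + timedelta(hours=9)),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.kind, r.origin_country, *check_request(r, LAST_SEEN))
```

The neighbouring-country case returns "review" rather than "block", which is where the practical complexity mentioned above shows up: a real deployment would need cell-level location or similar context to decide those cases.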

This list is by no means complete and just a result of some initial thinking. I'm sure there is a lot more that can and should be done. Perhaps some of these things are already done by some network operators today but I have no insight into this so I can't say.

So far, nobody has spoken about how to compromise LTE security over international links. This is probably because international LTE roaming is not based on SS7 but on the IP based DIAMETER protocol. The issues are similar however, because the principle is the same: Cellular networks have to trust each other for international roaming to work.

And finally, it's important to understand that none of the SS7 issues discovered by researchers and described above require breaking any kind of ciphering, exploiting implementation flaws, generating stack overflows to insert malicious code or applying social engineering to trick someone into doing something. Instead they just make use of the protocol in ways it was never intended to be used. In other words, the only way to fix this is to move away from totally trusting external networks and put checks in place that detect and prevent such attacks. Now that things are in the open I guess the industry has some work set out for it to do.