HomeGo to P1 Security
labs@p1sec.com +33 01 40 37 17 71

  • P1 Labs Blog

    P1 Labs Blog provides the latest research and in-depth analysis of telecom security by P1 Security researchers.

Presenting QCSuper: a tool for capturing your 2G/3G/4G air traffic on Qualcomm-based phones

09 Jul 2019
6

Wide audience article
Please note that this article is written to simplify and abstract many complex technical aspects. This helps a wider audience understand these underlying technologies and experiment first hand with these networks. Contact us if you want specific details.

Lately, I have been playing with a 3G dongle – a small USB device enabling to connect to the mobile Internet. I have discovered that most USB dongles with a Qualcomm processor exposed a special diagnostic protocol, called Diag (or DM, or QCDM – for Qualcomm Diagnostic monitor).But I have also discovered that this proprietary protocol was also present inside Android phones (through a device called /dev/diag) and it allowed a couple good things, such as obtaining raw captures of network air traffic or, in older models, reading/writing at arbitrary offsets of the radio chip’s memory (!). 

Today, we are proud to present QCSuper, an open-source tool that will enable you to passively capture raw 2G/3G/4G frames produced by your rooted Qualcomm-based Android phone or dongle, and produce a PCAP analyzable using Wireshark (in addition to a couple other input/output formats).

How to use it?

Let’s say that you have a rooted Android phone (this is required for reading /dev/diag on the system), plugged in USB to your computer, and that you have downloaded QCSuper (and installed dependencies, everything is explained here). Just do:

sudo ./qcsuper.py --adb --wireshark-live

That’s… all. A Wireshark window is popping out. You can see radio frames unfolding on your screen, and you are like Neo.

You could just run the tool and try to make sense of the displayed information, but for the sake of pedagogy, let’s first analyze some traffic together!

Download the example 2G/3G/4G capture (.pcap)

This capture was realized on a Sony Xperia Z, switching manually between the 2G, 3G and 4G, generating SMS, calls and some data traffic.

What QCSuper provides to you is layer 3 and above packets. To sum up:

  • Layer 1 (physical layer) is the way your phone schedules how radio waves are sent over the air (and it is a complex dance, as some neat tricks are required to optimize the usage of the radio spectrum).
  • Layer 2 (link layer, think like Ethernet header) is the network protocol that handles, in 3G/4G:
    • fragmentation (i.e. “this chunk of radio waves is not big enough for the bytes I’ll want to put into, I’ll use another later”),
    • acknowledgment (“do you have received my important data? yes I have”)
    • tells whether what follows is encrypted and not
    • says what the layer 3 is.

In 3G/4G, the layer 2 is split up in two headers called RLC and MAC (which are typically < 10 bytes).

  • Layer 3 (network layer) is where all the interesting stuff is.
    • Your phone says “what’s up, I got that SIM card and it can do cryptography (yes!), I got that phone serial number (IMEI) also, let me send/receive SMS / calls / Internet and allocate bits of radio frequencies”.
    • And the network says “sure, let’s first authenticate with the neat crypto supported by your SIM card”. In 3G/4G the layer 3 protocol is RRC (Radio Resource Configuration Protocol), except for the user data itself.

In order to be able to provide a PCAP you can open in Wireshark, these frames are put after a GSMTAP header, a standard header that may contain 2G/3G/4G traffic (layer 2, 3 or upper, in addition to a few other possible things like SIM card communication).

Analyzing some packets in Wireshark

Near the beginning of the example capture, the first thing our phone does is switching from 4G to 3G (when the “Protocol” column of Wireshark starts to display “RRC”).

Ok, what does the stuff displayed here mean?

First, you should know that the data transmitted here is encoded using ASN.1. ASN.1 is a very old format (developed in the 80’s) that allows you to define data structures and fields using a special text language, and separately, to write code that will generate binary data that you can send on the network.

If you know about Protobuf, it’s just one of the less complex descendants of ASN.1. ASN.1 is used for a lot of things: encoding SSL certificates, encoding data in your credit card, communication between aircrafts but most importantly everywhere in telecommunication networks.

Layers, Packets and Channels

Let’s look at the first highlighted field in the packet. It says that this packet was transmitted on the Broadcast Control CHannel (BCCH). What is a channel in this context?

In telecom protocols, we generally break down traffic in two kinds: data traffic (your mobile data when browsing Internet, or your voice calls) and signalling traffic (all the rest: the exchange of information needed to authenticate your SIM, setup the channel for data, etc. and your SMS).

In 3G and 4G, signalling and data packets can be broken down into at least 5 logical channels (there are a few kinds of channels but logical ones are the highest-level, and the ones that map to individual packets):

  • Two channels that bear signalling which is broadcast to every mobile in the area (sent only downlink, i.e. from the radio antenna towards the mobiles):
    • BCCH (Broadcast Control): used by the antenna to broadcast its general characteristics (which operator it belongs to, which frequencies it supports, which area it is located in, etc.) in predefined chunks called SIBs (System information blocks)
    • PCCH (Paging Control): used by the antenna for telling an idle mobile to wake up and establish a new channel (because it receives an SMS or call for example)
  • Two channels that bear signalling exchanged between one mobile and one antenna:
    • CCCH (Common Control): used to request dedicated radio resources to exchange more signalling (unencrypted)
    • DCCH (Dedicated Control): all signalling after that (unencrypted then encrypted)
  • One channel that bears data traffic
    • DTCH (Dedicated Traffic Channel): all your data + telephony (it is commonly encrypted – except emergency calls)

A few other channels may be used only in certain cases (namely when your operator broadcasts disaster messages, provides multicast TV or uses certain extra frequencies).

Logical channels in 3G (UMTS)You will notice that whether the logical channel is BCCH/PCCH/CCCH… is not an information contained in the layer 3 packet. It is a field from layer 2 that will determine how layer 3 is decoded (here obtained through a proprietary Qualcomm structure and translated into GSMTAP).

But the way layer 2 is decoded also depends on layer 1: the precise time/frequency slot where the packet is received will attribute a physical channel and a transport channel (here, the “BCH”) to it. According to that, the layer 2 header will be decoded differently (so, there isn’t only one possible RLC/MAC header but many).

Discovering network information: the System Information Blocks

Let’s now look at the body of the message.

As said above, the BCCH is “used by the antenna to broadcast its general characteristics (which operator it belongs to, which frequencies it supports, which area it is located in, etc.) in chunks called SIBs (System information blocks)”

First, you must know an important thing: for optimization reasons, the 3G’s designers decided to do fragmentation in fragmentation. SIBs (chunks of standard info broadcasted by the antennas) are fragmented in RRC messages (the base layer 3 protocol) which are fragmented into the layer 2 packets.

That’s because layer 3 messages are scheduled at a fixed interval, and SIBs may be sent at another interval depending on the operators, and they wanted to optimize the usage of layer 3.

Let’s look to Wireshark fields from the top to the bottom:

  • “sfn” is System Frame Number, a sequence number for SIBs.
  • “completeSIBshort” means that there’s just one complete SIB, not a fragmented one.
  • “systemInformationBlockType3” means that’s SIB n°3. The SIB n°3 tells how the phone should switch from an antenna to another, just like SIB n°18 defines a list of the neighboring antennas, etc.

But… after these fields, why don’t we see the SIB contents themselves, but instead a freaky hexadecimal string in Wireshark?

That’s because Wireshark doesn’t know to reassemble SIBs yet (even when there’s no fragmentation but just one chunk of SIB). Fortunately, I have written an option for QCSuper (–reassemble-sibs) that does the reassembly, and puts the SIBs in extra GSMTAP packets that contain only the SIBs. You can find the same PCAP re-generated with this option here.

Ok, these are the actual contents of the SIB. We see that there’s for example the identifier of the RNC (Radio Network Controller – the equipment that built up this packet; this is great for network cartography), and then a lot of layer 1 related information… We’ll not sift over these fields one after one 🙂

What is important to notice is that the SIB that comes just after in the capture (called the MIB, Master Information Block) contains the identity of the operator of the antenna (its MNC – Mobile Network Code), making the phone wanting or not to attach to it.

SIBs exist in 3G as well as in 4G and 2G (where they contain variably different information, in 2G they are called “SI messages“).

How the phone attaches to the network

We have turned on our phone and it did this nice vibration sound. Now, what does it do? The phone listens to the cell tower broadcasts and it looks at the SIBs.

To choose an antenna, your phone will ask your SIM card about the operators you are authorized to connect to, and compare it with SIB information. It will also compare signal strength with other antennas.

Once this criteria has been looked upon, the connection can be initiated.

The first step is to make a layer-1 only handshake, sending a tiny bit stream that is not visible on our capture (but fortunately does not contain much information). This sent preamble is called the RACH (Random Access CHannel – a physical channel) preamble. It exists in 2G, 3G and 4G.

When the preamble is successfully received by the antenna, it replies the other way around. If the phone gets no reply, it retries a certain number of times.

If the phone gets a reply to its RACH preamble, it goes ahead and sends its first uplink RRC packet: the RRCConnectionRequest.

This packet is sent on the CCCH (Common Control channel) that, as we said above, is “used to request dedicated radio resources to exchange more signalling”.

What are radio resources? In order to allow many phones to talk at once, 3G uses code multiplexing: phones will send radio waves at the same time, but individual bits (“0” or “1”) are replaced with sequences specific to the user (for example “00101” or “11010”), which sequences are designed not to overlap too much.

These sequences are called scrambling codes, and are provided by the antenna. (Actually, some more mathematical processing is done, with another code called spreading code.)

In the packet above, the mobile gives a few basic information:

  1. When it didn’t register to the network earlier, it may send its IMSI (the number identifying your SIM card, basically). When it already did (it’s the case here), it may send a TMSI (Temporary Mobile Subscriber Identity), an anonymized IMSI provided earlier by the network, over an encrypted channel.
  2. The identity for area where the antenna is located, composed of the MNC (Mobile Network Code that we’ve seen above) and LAC (Location Area Code, also learned from the SIBs).
  3. The reason for opening this connection: here it’s “registration”, but it can also be that the phone is emitting a call, SMS, data, or has been notified to connect by the network (on the PCCH – Paging Control Channel) because it needs to receive something!

The “NonCriticalExtension” part is basically a large information tree telling about the version of the protocol supported by the mobile, and is not very interesting for us here (but could still be used for fingerprinting).

If the antenna can accept this request, an “RRCConnectionSetup” packet is sent the other way around by the antenna, and it basically contains the same fields for the most part. It additionally has a part called “CricitalExtensions” that contains a bunch of information about the layer 1 communication to be used, including two important identifiers:

  • An RNTI (Radio Network Temporary Identity) which is the primary identifier for the newly established connection,
  • A “scrambling code” which is a number used to allow multiple phones to talk at the same time, on the same frequencies, as explained above.

Using this, we have setup a connection for sending subsequent packets on the DCCH (Dedicated Control Channel). Connections on the DCCH are meant to be short-lived, so when there are a lot of mobiles in the area, you may be told by the antenna to wait a few fractions of a second before resources for the new DCCH are available (when this happens, you’ll receive an “RRCConnectionReject” instead of an “RRCConnectionSetup”).

To summarize, here is what we have seen so far:

The life on the DCCH

We’re now on our dedicated link with the antenna. The RRC handshake is terminated by the phone with a third packet, the “RRCConnectionSetupComplete”, that’s sent on the DCCH instead of the CCCH and contains miscellaneous information about the phone (the band it supports, its 2G/3G/4G capabilities, the encryption algorithms it supports, etc.).

The phone will now establish a link with equipments located further in the operator’s network.

Previously, we’ve talked about “the mobile” communicating with “the antenna”. Actually, it’s more like that: Here’s a small schema of the radio network in 2G/3G/4G, the 3G equipments to which we have talked so far are highlighted in red:

We’ve exchanged RRC frames with the RNC, on which we established a channel through the RRCConnectionRequest/RRCConnectionSetup/RRCConnectionSetupComplete handshake.

Basically, we can see that the mobile network is divided in two parts:

  • The Radio Access Network (RAN) where the RNC is located. It’s the part of the network in your city, for example, and it’s where the RRC traffic is processed.
  • The Core Network which is everything that comes after the RAN. It’s the part of the network located further in your region or country – think like the routers after your broadband line is terminated.

We’ll now send payloads to equipments located in the core network.

Here is a schema of what it looks like (I’ve highlighted the equipments we’ll talk to next in red):

Now this looks like a map to Mordor. Look at this schema for a while, it will be an important reference.

As you can see, in 3G the RAN part changes completely, but it uses the same Core Network as in 2G.

With 4G, the air interface is optimized at physical layer, and the Core Network is given a large overhaul (we don’t see that is the schema, but the 4G network relies a lot on IP routing, while the 2G/3G network uses its own kind of switching – both rely on various telecom-specific protocols).

Both parts will change deeply in 5G, as not only IP is used in 5G but also HTTP/2 and JSON instead of the telecom-specific protocols. We’ll talk about this in another episode.

Let’s get back to our packets. Right after the RRCConnectionSetupComplete, the phone sends another packet: an InitialDirectTransfer. “Direct” means that it contains a payload that goes straight from the phone, to the Core Network. This payload is called the “NAS (Non-Access Stratum)” payload.

Actually, in 3G it won’t send one InitialDirectTransfer, but two InitialDirectTransfer: one that will be sent to the CS (Circuit-Switched) domain, which is the core network for voice traffic and one to the PS (Packet-Switched) domain, which is the core network for data traffic.

That’s right: in 2G, we first had a Core Network for the voice calls, and later was added a Core Network for Internet access; so as a phone, we need to authenticate to both. The 3G reuses this part from 2G and so it’s the same thing here. Only the 4G doesn’t inherit from this oddity (as there is no notion of circuits anymore, just packets).

When it comes to SMS, they will go either through the CS domain or the PS domain – it depends of your operator.

Here, we’re highlighting the first InitialDirectTransfer that goes to the “CS (Circuit-Switched) Domain)”, so to the part handling voice calls.

The first NAS message in the CS or PS domain is uplink and is encapsulated in an “initialDirectTransfer”, subsequent messages are encapsulated either in an “uplinkDirectTransfer” or “downlinkDirectTransfer”.

Everything that’s below the “nas-Message” mention is the NAS payload. It starts with a generic header called “DTAP”.

  • In 2G, such NAS messages are sent directly on specific channels, without RRC around it.
  • NAS messages are used in 4G too, even if most of these have different contents (they have the particularity to have their own extra layer of ciphering, so that tampering data before the Core Network is made harder, offering improved resistance to compromised radio equipment in the RAN).

A nice dialogue

Basically, we’re now going to exchange a set of NAS messages to say that we will register to the network. You can scroll down in the PCAP, we’ll just give a brief summary about each:

On the Circuit-Switched domain (the context for voice traffic), the dialogue goes like that:

  • (Phone sends) Location Updating Request
    • “Hey, I’d like to attach to the Core Network, could I? Here is a few information:”
      • The identifier for the SIM card (IMSI) (or a temporary identifier for the SIM if it’s already authenticated (TMSI))
      • The mobile’s characteristics (called “capabilities” or “classmarks”)
      • The code for the area where the antenna is located (LAI: Location Area Identification made of MCC+MNC+LAC)
  • (Antenna sends) Authentication Request
    • “Sure. Just authenticate with your SIM card. Your SIM card is actually a tiny computer that can do shared-secret cryptography. Here are crypto challenges.”
      • Here’s a crypto challenge (a “nonce”) that you should sign to prove it’s you (RAND)
      • And here is my network signing it, with your secrets but using my own algorithm, to prove I’m not a rogue antenna. (AUTN)
        Note: This is not present in 2G, where the lack of mutual authentication makes it easier for an attacker to impersonate the antenna. These attacks are called “fake BTS” or “IMSI catchers”
  • (Phone sends) Authentication Response
    • “Ok, I have verified your signature (AUTN) and I have signed your crypto challenges (SRES). You can verify that I am the right subscriber like that. Additionally we know about shared secrets that we’ll use to sign and later encrypt our traffic!”
  • (Antenna sends) SecurityModeCommand
    • “Oh, great! Let’s start encrypting and signing our traffic immediately! I support these algorithms”
  • (Phone sends) SecurityModeComplete
    • “Neat, me too. We have entered the ciphered and signed zone.”
      Note: in 3G, signing packets is mandatory, but encrypting is optional.
  • (Antenna sends) Identity Request (IMEISV)
    • “By the way, can I ask you what is your IMEI? The IMEI is a kind of standardized serial number for your phone. My operator holds a large database with the IMEIs of all stolen phones – I would like to check for yours if you don’t mind.“
  • (Phone sends) Identity Response (IMEISV)
    • “Ooh, no problem, here’s my IMEI then! See by yourself that I’m not a stolen phone (neither a bad kind of 3G dongle I’ve not contracted for) ;)“
  • (Antenna sends) Location Updating Accept
    • “Absolutely neat, you’ve authenticated and will be able to send calls and SMS. Here’s a TMSI if you didn’t have one before, that’s an anonymized version of your IMSI (SIM card number) that you’ll use later, so that when you go idle, I can broadcast to everyone that you’re going to receive an SMS or a call, without other phones knowing that it’s you!
      Note: when it works well, sometimes this identity won’t be reusable very long.
  • (Phone sends) TMSI Reallocation Complete
    • “Understood. I have achieved what I originally wanted to do – that is, updating my location to the antenna and won’t bother you more for now.“
  • (Antenna sends) SignallingConnectionRelease
    • “Ok, so let’s close the dedicated DCCH channel. We’ll hand out some radio resources to other phones that need them.”

Once all these messages have been exchanged, we are done: we are registered on the network.

The NAS messages you have seen above have been exchanged with an equipment called the VLR (Visited Location Register), a regional database for subscribers.

The VLR also communicated with the HLR (Home Location Register), a national database that is the only database that knows about your SIM card crypto secrets!

The VLR and HLR are called like that because when you do roaming, the VLR is located in the country where your are (the Visited country) and the HLR is on the network of the operator you pay your subscription to (your Home network).

A similar dialogue just happened for registering to the PS domain (the context for data traffic), whose messages are quite similar.

How your phone connects to the Internet

Now, your phone needs to create an Internet connection. In the jargon of 3G, an Internet connection is called a “PDP (Packet Data Protocol) context” and you can create up to 11 – although you’ll likely need only one 😉

Thus the phone will need to reconnect to the DCCH, and send a few more messages.

  • (Phone sends) Service Request
    • “Hey, I’m the phone with this TMSI. I need Internet access, please give me some space and basic configuration for my packets.”
  • (Antenna sends) SecurityModeCommand
    • “Ok, just resume the encryption we have setup earlier.”
  • (Phone sends) SecurityModeComplete
    • “Sure.”
  • (Phone sends, now encrypted) Activate PDP Context Request
    • “Now please connect me to the Internet.
    • I would like an IPv4 address.
    • The user entered this APN, and this user/password (possibly).
    • The phone has these capabilities.”
  • (Antenna sends) Activate PDP Context Accept
    • “No problem! Here are your IP address, your DNS servers, your allocated bandwidth. Feel free now!”

Your phone will now send encrypted data on the DTCH (Data Traffic Channel), that we don’t see in this PCAP. It’s barely your IP packets, with headers slightly compressed (using Robust Header Compression) within a thin layer 2 that will handle fragmentation and such.

Additionally, your phone and antenna have sent a few RRC messages for setting up the DTCH: RadioSetupBearer/RadioSetupComplete, PhysicalChannelReconfiguration/ PhysicalChannelReconfigurationComplete. It only contains layer 1-related information.

The messages you have seen above have been exchanged with the SGSN (Service GPRS Support Node) – it’s like the VLR (the equipment the phone registered to), but for data instead of voice.

The VLR and the SGSN are separated only because Internet access (GPRS) was added to mobile networks later than voice. In 4G, signalling goes to one single equipment (the MME).

How your phone sends an SMS

Last but not least, our sample captures contain a few samples of how an SMS is sent respectively over 3G, 2G then 4G.

The payload sent to the Core Network is indeed common to 2G/3G/4G. Here are some relevant informations we can see here:

  • The SMS technology implements its own kind of routing. In the packet above, there is the part that tells how to route (the RP – Relay Protocol) and the routed data (the TP – Transfer Protocol).
    • In the “RP-Destination Address” field, the SMS contains the address of the SMS-C (SMS Center), the equipment that will perform the routing next.
      • On mobile Core Networks, packets are routed on a network distinct from the Internet, called SS7. All the equipments (it’s also the case of the VLR, HLR) are designated with a pseudo-phone number (called GT, or “Global Title”) on SS7. That’s why this address looks like a phone number 😉
    • In the “TP-Destination Address” field, there’s the phone number of the recipient of the SMS (anonymized here).
    • In the “TP-User Data” field, there are the contents of the SMS! It can be text, but also fancy binary stuff like ringtones (or SIM card upgrade).
      • Fun fact: SMS are historically packed using a 7-bit character encoding, called GSM 03.38. That’s why the historical odd 140 bytes = 160 character limit (that was improved by implementing fragmentation).
      • Unicode was introduced later with UTF-16 (hence emoji).

The general framing of SMS is described in two neat Wikipedia articles, “GSM 03.40” and “User Data Header”.

That’s all! I hope you have appreciated this short introduction to mobile networks.

The tool that produced the capture we received is open-source and you can use it with your rooted Android phone, don’t forget to try it here 😉

RAN Auditor: P1 Security network audits

In addition, we’re working with QCSuper to provide security audits of Cellular and Radio Access Networks.

If interested in RAN security and vulnerability assessment aspects as outlined below, please contact us:

  • Misconfiguration of RAN equipment (BTS, NodeB / RNC, eNodeB (and upcoming 5G gNB but here not through QCSuper 😉 )
  • Weaknesses in mobile encryption, authentication, privacy tracking and temporary identity allocation policy
  • Fingerprinting and vendor-specific information
  • Data leaks, concerning both infrastructure and subscribers applications (UE  – mobile phone, IoT, …)
  • Security vulnerabilities in the protocols and network elements
  • Geographic and regional specifics that constitute a security weakness
  • etc.

If you wish to stay tuned about QCsuper and RAN Auditor, you can sign up to our newsletter (just on the right of this page).

We’re hiring!

Did you enjoy this article? If so, we’re looking for awesome people! Come join us.

P1 Security is looking for security auditors and developers for its products. 

This includes a monitoring software for telecom attacks detection, as well as a scanner for telecom and mobile infrastructure.

To apply and view positions just come there.

SS7 Security Perimeters and INAT0 NAT0 NAT1 definitions

03 Oct 2016
0

While P1 Security professional services team are busy deploying Core Network security monitoring with PTM Signaling IDS on SS7, Diameter, GTP, SIP IMS VoLTE, and Radius, one question keeps coming back: the concept of Network Perimeter in SS7.

This recurring misunderstood aspect in SS7 shows the discrepancy of security conception between the IP-oriented domains (Diameter, GTP, Radius, SIP) and the SS7 domain.

While it’s a concept that is clearly understood from IP, it seems that in SS7 domain it is at best a fuzzy notion, and there are a couple of reason to that.

Network Indicators and regional differences

NI=Network Indicator field in MTP3 messages (same in SIGTRAN, be it transported over M2UA/M2PA or in M3UA).

NI (Network Indicator) value:

NI=0: INAT0 (The Global SCCP roaming and call delivery network between operators)

NI=1: INAT1

NI=2: NAT0

NI=3: NAT1

Now clearly, the dangerous perimeter is INAT0, as it is the group of external roaming partners, the other operators.

The Point Codes within INAT0 are assigned per country by ITU. In turn, the national regulators assign prefixes to national operators.

The Global Titles (MSISDN, phone numbers)within INAT0 are assigned per operator by ITU.

But there’s also another external perimeter, that is the national inter-operator network. Despite specifications and text, this part is much more fuzzy and unclear. In some country, NAT0 is being used for inter-operator national communications, in some other countries it’s NAT1.

These two (INAT0 and NAT0 OR NAT1) are the ones to be monitored, with the overwhelming majority of the monitoring importance and alerts coming from INAT0.

In order to prioritize security monitoring, it is vital to monitor INAT0 first, go deeper in INAT0 once one set of basic detection are mastered (for example Category 0 and 1 attacks), and then when all categories are monitored on INAt0 and that filters start to be added routinely, move to the national inter-operator network (NAT0 or NAT1) monitoring.

tektronix-umts-125-638-edit

Network Indicators and Network Appearance

Sometime also what brings doubt is that closely named fields mean two totally separate things. NI is defined globally whereas NA is defined by an operator for its own use, to recognize and separate entities and interconnection.

NI is small (4 bits used in a bytes). NI is global.

NA is large, 8 bytes, allowing a lot of room for network segmentation and organization. NA is operator local, it is only used and communicated between direct MTP3 (or M3UA) peers.

Network still seen as a walled garden

Another root cause of this difficulty to establish network perimeters for security is the old notion that SS7 was only between nice people (operators). It is definitely not the case anymore.

Conclusion

The SS7 security is still a problem, but with emerging solution. The hype around SS7 Firewall shows that there is still a lot of immature solutions and very few actual SS7 Firewall implementations.

Some operator with a mature security governance are successfully managing such SS7 Security projects by first looking (attack monitoring) and then filtering based on this monitoring. While the tools mature, it is also necessary to use these monitoring tools and security initiatives to help the SS7 SIGTRAN teams to ramp up and understand the security concepts that help them better defend their network.

Stay tuned: We will publish a follow-up blog post on P1 Security current methodology for monitoring prioritization based on perimeters and steps sequencing in monitoring depth and coverage in Signaling networks.

References

 

LTE Diameter security, filtering and message categories

18 Jan 2016
0

Abstract:

In order to properly manage LTE Diameter security, and it close variants in the IMS and VoLTE domain, we proposed in this presentation a way to categorize the Diameter message types, usage and Command Codes and ways to monitor and filter them.

Presentation will be published in February 2016 at Mobile World Congress, Barcelona, Spain.

 

SS7map: SS7 country risk ratings

28 Dec 2014
0

Mobile Network Operators rely on a network different from Internet that interconnects operators and other parties, to allow calls to work between operators especially when you are in another country (roaming).
This is what is called the “SS7 network” a.k.a. “International Roaming Infrastructure”, that by it’s nature, transmits confidential customers and operators information.

In SS7map, we are presenting the first cartography of SS7 International Roaming Infrastructure vulnerabilities, to push the industry to react, and show to all of us customers the security level of the infrastructure we are all using.

For decades the SS7 network has been used by Intelligence agencies and various entities to track location of customers and help in the interception of calls and SMS. It’s time to have visibility on which country is taking care of these issues and protecting their population. The SS7 network is obscure, and mapping it is a step towards better security.

Our first release presents SS7 Roaming Infrastructure ratings for countries worldwide. The project is still in an early stage and we have work to do to offer a precise vision, but for the first time there is a public worldwide view on the security of this vital core network.

ss7map_screenshot

SS7map Ratings

SS7map ratings are separated in 3 categories:

  • Privacy Leaks: How much the operators of a given country are leaking out subscriber privacy data such as location of their subscribers to anyone on the SS7 network.
    Any operator and many company offering location / SMS services can gather these informations.
  • Network Exposure: Network Elements exposed and security mechanism implemented by operators of a given country. It shows the attack surface of the Telecom Network of a country from the SS7 perspective.
  • Global risk: This combines Privacy Leaks and Network Exposure, giving more importance to Privacy Leaks.

 

 

The country ratings for these 3 categories are showed on the SS7map website main page by colors on the map.

On the per-country pages we show also subscores for Privacy Leaks and Network Exposure, explained below.

Privacy Leaks

In Privacy Leaks we regroup leaks of customers information of all operators in a country:

  • Subscriber location leak
  • Subscriber private informations (identifiers, cryptographic keys, postpaid/prepaid status)
  • Subscriber communications confidentiality (decryption of SMS/calls using known attacks)

 

Gathering privacy related informations on the SS7 Network is mainly done by sending SS7 Mobile Application Part (MAP) messages. They are numerous SS7 MAP messages related to privacy, as show on this diagram:

ss7map_privacyleak_diagram

The answers from the operators of a particular country are processed and then a score is attributed following this formula:

privacyleak =
  150 * leak_locationcell
+ 100 * leak_privateinfos
+  60 * net_homerouting
+  50 * leak_authvectors
+  40 * leak_subscriberplan
+  10 * net_homerouting_defeated_ati
+  10 * net_homerouting_defeated_psi
+  10 * leak_location

 

We are using the following subscores for Privacy Leaks rating:

MAP messages vulnerabilities discloses precise subscriber location (200m) (leak_locationcell)

How operators in the country are protecting subscribers precise street-level (200m) location from other countries and external parties ?

This score is based on answers to the following SS7 MAP messages:

  • ATI: Any-Time-Interrogation, to gather MSC and Cell-ID from HLR
  • PSI: Provide-Subscriber-Information, to gather Cell-ID directly from MSC

Number of different MAP messages vulnerabilities disclosing subscriber private information (leak_privateinfos)

How operators in the country are protecting subscribers private unique identifier (IMSI) ?

Gathering IMSI allows attackers to gather further informations on a subscriber.

This score is based on answers to the following SS7 MAP messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather IMSI from HLR
  • SRI: Send-Routing-Info, to gather IMSI from HLR

 

Number of different MAP messages vulnerabilities disclosing subscriber location (leak_location)

How operators in the country are protecting subscribers city-level (50km) location from other countries and external parties ?

This score is based on answers to the following SS7 MAP messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather MSC from HLR
  • SRI: Send-Routing-Info, to gather MSC from HLR
  • ATI: Any-Time-Interrogation, to gather MSC from HLR

 

Leak of subscriber keys (Network Impersonation possible) (leak_authvectors)

How operators in the country are protecting subscribers against decryption of calls and SMS by attackers ?

This score is based on answers to the following SS7 MAP messages:

  • SAI: Send-Authentication-Info, to gather Authentication vectors from HLR

 

Leak of prepaid/postpaid subscriber status (leak_subscriberplan)

How operators in the country are protecting informations about subscriber account, like the postpaid/prepaid options of the subscription ?

This score is based on answers to the following SS7 MAP messages:

  • INTSS: Interrogate-SS, to gather subscriber plan informations from MSC/VLR

 

Leak of subscriber location through Home Routing bypass (net_homerouting, net_homerouting_defeated_psi, net_homerouting_defeated_ati)

Are operators in the country using protection mechanism to hide subscriber location from other operators / third-parties ?

This score is based on answers to the following SS7 MAP messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather informations from HLR
  • ATI: Any-Time-Interrogation, to gather informations from HLR
  • PSI: Provide-Subscriber-Information, to gather informations from MSC

 

Network Exposure

In Network Exposure our focus is the Core Networks of operators in a country:

  • Attack surface of the Operators (network topology, identification of the network nodes (a.k.a Network Elements)
  • Network misconfigurations allowing attackers to modify data
  • Bypass of Network security mecanisms

 

We map operators Network Exposure of a country by sending SS7 Transaction Capabilites Application Part (TCAP) and SS7 Mobile Applicaiton Part (MAP) messages, as shown on this diagram:

ss7map_networkexposure_diagram

 

 

 

 

 

 

The formula for Network Exposure calculation is the following:

networkexposure = 
  200 * net_fingerprint_ne
+ 100 * net_homerouting
+ 30 * net_homerouting_defeated_ati
+ 30 * net_homerouting_defeated_psi
+ 50 * leak_location
+ 40 * leak_subscriberplan
+ 20 * leak_locationcell
+ 10 * leak_authvectors
+ 10 * net_ne
+ 5 * net_directanswer

 

We are using the following subscores for Network Exposure rating:

Network Elements fingerprint (net_fingerprint_ne)

Are the operators revealing the type of Network Elements they are using ?

This score is based on answers to the following SS7 messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather network informations from HLR
  • SRI: Send-Routing-Info, to gather network informations from HLR
  • ATI: Any-Time-Interrogation, to gather network informations from HLR
  • PSI: Provide-Subscriber-Information, to gather network informations from MSC
  • TCAP, to gather network informations from all Network Elements

SCCP discovery attack surface (net_ne)

Are the operators exposing a lot of Network Elements or disclosing there Network Topology ?

This score is based on answers to the following SS7 messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather network informations from HLR
  • SRI: Send-Routing-Info, to gather network informations from HLR
  • ATI: Any-Time-Interrogation, to gather network informations from HLR
  • PSI: Provide-Subscriber-Information, to gather network informations from MSC
  • TCAP, to gather network informations from all Network Elements

 

Potential change of prepaid/postpaid status (fraud) (net_directanswer, leak_subscriberplan)

Do the operators allow change on subscriber information from anyone, allowing potential fraud ?

This score is based on answers to the following SS7 MAP messages:

  • INTSS, REGSS: Interrogate-SS, Register-SS, to gather MSC/VLR configuration

 

Home Routing (net_homerouting)

Are the operators using protection mechanism (Home Routing) to hide customer location and private identifiers ?

This score is based on answers to the following SS7 MAP messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather network informations from HLR
  • SRI: Send-Routing-Info, to gather network informations from HLR
  • ATI: Any-Time-Interrogation, to gather network informations from HLR

 

Leak of internal topology through Home Routing bypass (net_homerouting, net_homerouting_defeated_psi, net_homerouting_defeated_ati)

Is Home Routing susceptible to bypass, revealing real Network Topology ?

This score is based on answers to the following SS7 MAP messages:

  • SRISM: Send-Routing-Information-for-Short-Message, to gather network informations from HLR
  • SRI: Send-Routing-Info, to gather network informations from HLR
  • ATI: Any-Time-Interrogation, to gather network informations from HLR
  • PSI: Provide-Subscriber-Information, to gather network informations from MSC

 

Global Risk

Global Risk combines Privacy Leaks and Network Exposure, using the following formula:

globalrisk =
  5 * privacyleak
+ 1 * networkexposure

 

These ratings are going to evolve as we continue our research, we will post notifications accordingly.

Register to get email news about SS7map.

[31C3] SS7map : mapping vulnerability of the international mobile roaming infrastructure at #31C3

05 Dec 2014
0

Laurent Ghigonis and Alexandre De Oliveira from P1 Security team will be presenting the work done on the global SS7 network at Chaos Computer Conference in Hambourg the 27th Dec 2014.

The conference “SS7map : mapping vulnerability of the international mobile roaming infrastructure” will focus on the method used to map the global SS7 network, what have been map the network and more in depth statistics and analysis.

Details of the conference schedule:
Start time: 2014-12-27 23:00:00 +0100
Room: Saal 6

CCC is one of the main security event in Europe, it will take place from 27th Dec to 30th Dec 2014.

See you at #31C3 !

SS7map risk rating calculation

11 Sep 2014
0

Details about SS7map risk rating calculation are coming soon after our presentation at 31C3 !

You can subscribe here to be notified: http://eepurl.com/baeFU5

[Hackito Ergo Sum 2014] Hacking Telco Equipment: The HLR/HSS

07 May 2014
0

P1 Security presented at the Hackito Ergo Sum 2014 conference in Paris (http://2014.hackitoergosum.org/) the weaknesses of Telecom Infrastructure systems, and particularly HLR/HSS equipment.

Download slides here.

Abstract:

HLR and HSS are the most important Telecom Equipment in an Operator Core Network.
We are going to see that this so-called “Critical Infrastructure” is not as robust as you could think, by exploring the some weaknesses of the HLR/HSS equipment.

Plan:
* Virtualization of HLR/HSS, for instrumentation purposes
* HLR/HSS system analysis
* SS7/Diameter network fuzzing
* HLR/HSS binaries reverse

We also did another presentation on Worldwide attacks on SS7/SIGTRAN network at HES.

 

[Hackito Ergo Sum 2014] Worldwide attacks on SS7/SIGTRAN network

02 May 2014
0

We are pleased to announce that P1 Security was present at the Hackito Ergo Sum 2014 conference in Paris (http://2014.hackitoergosum.org/).

Download slides here.

Abstract:

Mobile telecommunication networks are complex and provide a wide range of services, making them a tempting target for fraudsters and for intelligence agencies. Moreover, the architecture, equipment and protocols used on these networks were never designed with security in mind, availability being the first concern. Today, even though some telecom operators are investing money into securing their network, events confirm that for most of them maturity in term of security is yet to come, as recently shown with the example of massive traffic interception on compromised SCCP and GRX providers like Belgacom’s BICS. Here we present the most typical and legitimate telecom callflows from making a mobile phone call to sending a SMS. Then we describe the protocol layers involved and how to abuse them, which fields can be manipulated in order to attack both the operator infrastructure and its subscribers. Finally, we show a real life example of scan performed from an international SS7 interconnection and practical attacks on subscribers such as spam, spoofed SMS and user location tracking.

4G Wireshark Dissector based on Samsung USB stick

18 Aug 2013
0

After having analyzed the Samsung Stick firmware, it was time to make something useful out of it. When first plugged into a linux machine, it appears to be a usb Storage.
With the help of usb_modswitch, it is possible to activate the ttyUSB device, as well as the control device.
Here is the output of a lsusb


# lsusb 
Bus 001 Device 038: ID 04e8:689a Samsung Electronics Co., Ltd LTE Storage Driver [CMC2xx]
Bus 002 Device 002: ID 05ca:18c2 Ricoh Co., Ltd 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

The command line for the usb_modswitch would be:


usb_modeswitch -W -v 0x04e8 -p 0x689a -I -M '55534243785634120100000080000601000000000000000000000000000000'

Here is an output log:


# usb_modeswitch -W -v 0x04e8 -p 0x689a -I -M '55534243785634120100000080000601000000000000000000000000000000' 
Taking all parameters from the command line

 * usb_modeswitch: handle USB devices with multiple modes
 * Version 1.2.3 (C) Josua Dietze 2012
 * Based on libusb0 (0.1.12 and above)

 ! PLEASE REPORT NEW CONFIGURATIONS !

DefaultVendor=  0x04e8
DefaultProduct= 0x689a
TargetVendor=   not set
TargetProduct=  not set
TargetClass=    not set
TargetProductList=""

DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
QisdaMode=0
GCTMode=0
KobilMode=0
SequansMode=0
MobileActionMode=0
CiscoMode=0
MessageEndpoint=  not set
MessageContent="55534243785634120100000080000601000000000000000000000000000000"
NeedResponse=0
ResponseEndpoint= not set

InquireDevice disabled
Success check disabled
System integration mode disabled

usb_set_debug: Setting debugging level to 15 (on)
usb_os_find_busses: Found 006
usb_os_find_busses: Found 005
usb_os_find_busses: Found 004
usb_os_find_busses: Found 003
usb_os_find_busses: Found 002
usb_os_find_busses: Found 001
usb_os_find_devices: Found 001 on 006
skipping descriptor 0x30
skipped 1 class/vendor specific endpoint descriptors
usb_os_find_devices: Found 001 on 005
usb_os_find_devices: Found 001 on 004
usb_os_find_devices: Found 001 on 003
usb_os_find_devices: Found 002 on 002
skipping descriptor 0xB
skipped 1 class/vendor specific endpoint descriptors
skipped 5 class/vendor specific interface descriptors
skipping descriptor 0x25
skipped 1 class/vendor specific endpoint descriptors
skipped 18 class/vendor specific interface descriptors
usb_os_find_devices: Found 001 on 002
error obtaining child information: Inappropriate ioctl for device
usb_os_find_devices: Found 038 on 001
usb_os_find_devices: Found 001 on 001
error obtaining child information: Inappropriate ioctl for device
Looking for default devices ...
  searching devices, found USB ID 1d6b:0003
  searching devices, found USB ID 1d6b:0002
  searching devices, found USB ID 1d6b:0001
  searching devices, found USB ID 1d6b:0001
  searching devices, found USB ID 05ca:18c2
  searching devices, found USB ID 1d6b:0002
  searching devices, found USB ID 04e8:689a
   found matching vendor ID
   found matching product ID
   adding device
  searching devices, found USB ID 1d6b:0002
 Found device in default mode, class or configuration (1)
Accessing device 038 on bus 001 ...
Getting the current device configuration ...
USB error: error sending control message: Connection timed out
Error getting the current configuration (error -110). Assuming configuration 1.
Using first interface: 0x00
Using endpoints 0x06 (out) and 0x85 (in)

USB description data (for identification)
-------------------------
Manufacturer: not provided
     Product: not provided
  Serial No.: not provided
-------------------------
Looking for active driver ...
 OK, driver found ("usb-storage")
 OK, driver "usb-storage" detached
Setting up communication with interface 0
Using endpoint 0x06 for message sending ...
Trying to send message 1 to endpoint 0x06 ...
 OK, message successfully sent
Resetting response endpoint 0x85
USB error: could not clear/halt ep 133: Connection timed out
 Could not reset endpoint (probably harmless): -110
Resetting message endpoint 0x06
-> Run lsusb to note any changes. Bye.

So after that, a new lsusb would show us:


# lsusb 
Bus 001 Device 040: ID 04e8:6889 Samsung Electronics Co., Ltd GT-B3730 Composite LTE device (Commercial)
Bus 002 Device 002: ID 05ca:18c2 Ricoh Co., Ltd 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

In order to have a device descriptor for the stick, we need to modify the linux driver already available.

https://github.com/mkotsbak/linux-2.6/blob/Samsung_kalmia_driver-3.0/drivers/net/usb/kalmia.c

The new file kalmia.c is present HERE
. (Special thx to Xavier Martin for his this)
and I added the Makefile that let me compile it


obj-m += kalmia.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Now 2 new devices are present:


	/dev/ttyUSB0
	/dev/c2xx

Now the /dev/c2xx device will give us all the debug packet, including NAS and RRC, so we could look at them with wireshark.
In order to do that, we need a wireshark dissector that: packet-c2xx.c
As seen on the following picture, the dissector takes a packet that we named c2xx.

This packet is itself composed of a header, a HDLC flag, and a frame.

Packet containing NAS are then visible

Samsung LTE USB stick GT-B3730/B3740 hacking

05 Aug 2013
0

Samsung LTE USB stick GT-B3730/B3740

Samsung LTE USB dongles codename Kalmia

I acquired a couple of GT-B3740 800Mhz LTE Dongle, and decided to open one of them to find out what the chipset was used in it.

The very surprizing part was to see that it had a JTAG connector there and it was written JTAG !
So after looking for some documentations about it, another interesting thing came. Googling a bit let me find the Service Manual of the device !

Even more surprizing, there was a schematic in there, with the JTAG pinout description!

After some investigation, I found the connector DATASHEET: http://www3.panasonic.biz/ac/e_download/control/connector/base-fpc/catalog/con_eng_f4s.pdf?via=ok It is in fact a PANASONIC AXT512124.

One can find those at Digikey or Mouser.
So THE problem with those connector is the size. In fact, any soldering iron would melt the connector before being able to soler anything to it. So there is no other way than finding the Female connector and extending it. My first attemp was a failure. In fact, I tried to do it with a flex based copper sheet and PNPBlue. here is the result

In fact, the clearance is so low that it could only be done in a factory with a pick and place.
Looking here and there, I found on Alibaba a multiple JTAG cable that looked quite similar.

http://www.aliexpress.com/store/product/JTAG-JPin-JIG-Pinouts-by-RIFF-ORT-JPR-MEDUSA-BOX/927318_922669231.html

So I decided to buy one to give it a test. The thing is that you have to buy the whole set. At the time I’m writing, it’s price was $68.

As one can see, the result is shown here under

The interesting part about this cable is that the little adapter they give respects the JTAG pinout standard of the ARM, therefor, I could easily connect it with a Board to Board connector to a Amontek Jtag-Mini. So it was time to play with OpenOCD !
Here is the configuration file used.


telnet_port 4444
#gdb_port 0
#tcl_port 0

jtag_khz    100000000
adapter_khz 100000000
#jtag_speed 3

reset_config trst_and_srst

jtag_nsrst_delay 400
jtag_ntrst_delay 400

if { [info exists CHIPNAME] } {
  set _CHIPNAME $CHIPNAME
} else {
  set _CHIPNAME cmc220
}

#reset_config none

if { [info exists CPU_TAPID ] } {
  set _CPU_TAPID $CPU_TAPID
} else {
  set _CPU_TAPID 0x4ba00477
}
jtag newtap $_CHIPNAME tap -irlen 4 -ircapture 0x1 -irmask 0x3 -expected-id $_CPU_TAPID

set _TARGETNAME $_CHIPNAME

target create $_TARGETNAME cortex_r4 -endian little -chain-position $_TARGETNAME.tap

So I managed to dump the Memory of the chip. And I got the firmware extracted. A couple of strings on the file shows that the file is REALLY verbose. All the debug symbols are there. All the printf are still there… It’s time to play with IDA pro !
One interesting part is that I was able to tell IDA pro that the GDB Server is in fact OpenOCD. so IDA pro would go into debug mode and be able to step in the running code. Most of the time that would generate an interrupt tho. But that is quite good enough with some scripting to see what part of the Firmware is Code segment or Datasegment..

And as said earlyer, the amount of Strings debug is really big. Worth digging into it.

In the meantime, I decided to get myself some GT-B3730 that does the 2.6Ghz LTE band as well as 2.75G and 3G. Hoping that they are similar.

So Opening it showed me that it’s based on the same chip, which is connected to another chip in charge of the 2/3 G.


2 different Firmware are written in this one. mode A and B. A is LTE, B = 2/3 G. Therefor, in order to switch, it needs to reboot on its new firmware.

123

P1 Security

www.p1sec.com

Copyright 2013 P1 Security, a P1 Group Company. All Rights Reserved.