SS7 Fraud Enablement Attacks
Attacks that facilitate financial fraud
SS7 fraud enablement attacks exploit vulnerabilities in the Signaling System No. 7 protocol to facilitate financial fraud and unauthorized service usage. These attacks target subscriber identity information, authentication data, and network configurations to enable various fraudulent activities, including SIM cloning, call hijacking, and roaming fraud. Unlike other SS7 attacks focused on surveillance or disruption, fraud enablement attacks are primarily aimed at financial gain.
Security Implications
- Financial losses for subscribers and operators
- Unauthorized service usage and billing fraud
- Identity theft and account takeover
- Bypass of billing and charging systems
- Exploitation of roaming agreements
- Reputational damage to network operators
Technical Prerequisites
- Access to SS7 network (direct or via compromised operator)
- Knowledge of target's MSISDN (phone number)
- SS7 message crafting capabilities
- Global Title (GT) spoofing ability
- Understanding of authentication procedures
- SIM card programming capabilities (for some attacks)
Fraud Enablement Techniques
SendIMSI IMSI Disclosure
Technical Details
The SendIMSI MAP operation is legitimately used by network entities to obtain a subscriber's IMSI (International Mobile Subscriber Identity) from their MSISDN (phone number). This operation is typically used for routing and billing purposes.
In this attack, the attacker sends a fraudulent SendIMSI message to the target's HLR, impersonating a legitimate network entity. The HLR responds with the subscriber's IMSI, which is a critical piece of information for SIM cloning and other fraud scenarios.
Once the attacker has obtained the IMSI, they can use it to create a duplicate SIM card or as part of more complex attacks involving authentication vector theft.
Attack Flow
- Attacker obtains target's MSISDN (phone number)
- Attacker crafts a SendIMSI message with the target MSISDN
- Attacker spoofs a legitimate network entity as the source
- Message is sent to target's home network HLR
- HLR processes the request without adequate authentication
- HLR responds with the subscriber's IMSI
- Attacker captures the IMSI for use in further attacks
- IMSI can be used for SIM cloning or other fraud scenarios
Mitigation
- Restrict SendIMSI operation access
- Implement strict whitelist for entities allowed to use SendIMSI
- Monitor for unusual patterns of SendIMSI requests
- Consider implementing alternative procedures that don't expose IMSI
- Implement SS7 firewall rules specific to SendIMSI operations
SendAuthenticationInfo Vector Theft
Technical Details
The SendAuthenticationInfo (SAI) MAP operation is legitimately used by the VLR to request authentication vectors from the HLR when a subscriber attempts to register on the network. These vectors are used to authenticate the subscriber's SIM card.
In this attack, the attacker sends a fraudulent SendAuthenticationInfo message to the target's HLR, impersonating a VLR. The HLR responds with authentication vectors (triplets or quintuplets) that contain the information needed to authenticate as the subscriber.
With these authentication vectors, the attacker can potentially clone the subscriber's SIM card or create a rogue base station that can authenticate the subscriber without actually knowing their Ki (authentication key).
Attack Flow
- Attacker obtains target's IMSI (possibly via SendIMSI attack)
- Attacker crafts a SendAuthenticationInfo message with the target IMSI
- Attacker spoofs a legitimate VLR as the source
- Message is sent to target's home network HLR/AuC
- HLR/AuC processes the request without adequate authentication
- HLR/AuC generates and responds with authentication vectors
- Attacker captures the authentication vectors
- Authentication data can be used to clone SIM or create rogue base station
- Attacker can now impersonate the legitimate subscriber
Mitigation
- Implement SAI filtering and monitoring
- Verify the source GT against known legitimate VLRs
- Limit the number of authentication vectors provided in response
- Implement rate limiting for authentication requests
- Consider implementing mutual authentication between network elements
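The following is an added example of ingress screening at the HLR/AuC that implements the SendIMSI and SendAuthenticationInfo mitigations listed above (caller whitelist, vector-count cap, per-IMSI rate limit). It is illustrative code written for this page, not code from the page's author or from any SS7 firewall product, and uses only the Python standard library. The home-network GT prefix "3161", the trusted VLR GT "316100000001", the interconnect GT "447700900000" and all IMSIs are constructed values; the operation codes are the MAP operationCode values from 3GPP TS 29.002.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# MAP operation codes as defined in 3GPP TS 29.002
OP_SEND_AUTHENTICATION_INFO = 56
OP_SEND_IMSI = 58


@dataclass
class MapRequest:
    calling_gt: str             # SCCP calling-party Global Title of the sender
    opcode: int                 # MAP operationCode
    imsi: str = ""              # target IMSI (SAI); sendIMSI carries an MSISDN instead
    requested_vectors: int = 1  # SAI numberOfRequestedVectors as sent
    ts: float = 0.0             # arrival time in seconds


class HlrScreen:
    """Screens requests before they reach the HLR/AuC and returns (verdict, reason)."""

    def __init__(self, home_gt_prefix, trusted_vlr_gts,
                 max_vectors=2, sai_per_window=3, window_s=60.0):
        self.home_gt_prefix = home_gt_prefix      # assumption: home elements share one GT prefix
        self.trusted_vlr_gts = set(trusted_vlr_gts)
        self.max_vectors = max_vectors            # cap on vectors handed out per SAI
        self.sai_per_window = sai_per_window      # SAI requests allowed per IMSI per window
        self.window_s = window_s
        self._sai_history = defaultdict(deque)    # imsi -> timestamps of accepted SAIs

    def check(self, req):
        if req.opcode == OP_SEND_IMSI:
            return self._check_send_imsi(req)
        if req.opcode == OP_SEND_AUTHENTICATION_INFO:
            return self._check_sai(req)
        return ("ALLOW", "operation not covered by this screen")

    def _check_send_imsi(self, req):
        # Whitelist: only home-network elements may resolve MSISDN to IMSI;
        # any other caller, including interconnect partners, is refused.
        if req.calling_gt.startswith(self.home_gt_prefix):
            return ("ALLOW", "sendIMSI from home-network element")
        return ("BLOCK", f"sendIMSI from non-home GT {req.calling_gt}")

    def _check_sai(self, req):
        # 1. Source GT must be a VLR we know about.
        if req.calling_gt not in self.trusted_vlr_gts:
            return ("BLOCK", f"SAI from unknown VLR GT {req.calling_gt}")
        # 2. Clamp the number of vectors so one request cannot drain a batch.
        if req.requested_vectors > self.max_vectors:
            req.requested_vectors = self.max_vectors
        # 3. Sliding-window rate limit per IMSI; expire entries older than the window.
        hist = self._sai_history[req.imsi]
        while hist and req.ts - hist[0] > self.window_s:
            hist.popleft()
        if len(hist) >= self.sai_per_window:
            return ("BLOCK", f"SAI rate limit exceeded for IMSI {req.imsi}")
        hist.append(req.ts)
        return ("ALLOW", f"SAI from trusted VLR, {req.requested_vectors} vector(s)")


if __name__ == "__main__":
    screen = HlrScreen("3161", {"316100000001"})
    # Constructed sample: sendIMSI arriving from an interconnect GT is refused.
    print(screen.check(MapRequest("447700900000", OP_SEND_IMSI, ts=1.0)))
    # Constructed sample: a trusted VLR asking for 5 vectors gets the capped amount.
    req = MapRequest("316100000001", OP_SEND_AUTHENTICATION_INFO,
                     imsi="204080000000001", requested_vectors=5, ts=2.0)
    print(screen.check(req), req.requested_vectors)
```

A BLOCK verdict should be logged with the calling GT and opcode so the "unusual pattern" monitoring from the mitigation lists has something to aggregate; in a production firewall the window and cap would be per operator policy rather than the constants used here.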
UpdateLocation Roaming Fraud
Technical Details
This attack exploits the UpdateLocation MAP operation to enable fraudulent roaming scenarios. The attacker impersonates a VLR from a roaming partner network to trick the target's HLR into believing the subscriber is roaming.
By manipulating the roaming information, the attacker can enable unauthorized usage that will be billed according to roaming agreements, potentially at premium rates. This can be used to generate revenue for compromised operators or to enable usage that bypasses normal billing controls.
This attack can be particularly damaging because it exploits the trust relationships and financial agreements between operators, potentially leading to significant financial losses and disputes.
Attack Flow
- Attacker obtains target's IMSI
- Attacker identifies a suitable roaming partner for fraud
- Attacker crafts an UpdateLocation message with the target's IMSI
- Attacker spoofs a VLR from the selected roaming partner
- Message is sent to target's home network HLR
- HLR processes the request without adequate authentication
- HLR updates its database with the new roaming location
- HLR sends InsertSubscriberData to the attacker's fake VLR
- Attacker acknowledges receipt of subscriber data
- Fraudulent usage can now be billed according to roaming agreements
Mitigation
- Validate roaming partner identities
- Implement strict verification of roaming network elements
- Monitor for unusual roaming patterns
- Implement velocity checking for international location updates
- Consider implementing financial thresholds and alerts for roaming usage
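The following is an added example of the roaming-fraud mitigations above: it validates that an UpdateLocation comes from a contracted roaming partner and applies velocity checking to international location updates. It is illustrative code written for this page, not the page's or any vendor's code. It assumes E.164-style VLR Global Titles whose leading digits identify the partner's country, a constructed table of country centroids (not authoritative geodata), and a plausibility ceiling of 1000 km/h; the GTs and the IMSI used are constructed.

```python
import math
from dataclasses import dataclass

# Approximate country centroids (lat, lon). Constructed illustrative values.
COUNTRY_CENTROID = {
    "NL": (52.1, 5.3),
    "GB": (54.0, -2.0),
    "DE": (51.2, 10.4),
    "US": (39.8, -98.6),
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    r = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


@dataclass
class LastLocation:
    country: str
    vlr_gt: str
    ts: float


class RoamingUpdateCheck:
    """Validates UpdateLocation requests against partner identity and travel plausibility."""

    def __init__(self, partner_gt_prefixes, max_speed_kmh=1000.0):
        # partner_gt_prefixes: GT prefix -> country, one entry per contracted roaming
        # partner (the home network is included so the first registration is accepted).
        self.partners = dict(partner_gt_prefixes)
        self.max_speed_kmh = max_speed_kmh
        self._last = {}  # imsi -> LastLocation

    def partner_country(self, vlr_gt):
        # Longest-prefix match so a more specific partner prefix wins over a shorter one.
        matches = [p for p in self.partners if vlr_gt.startswith(p)]
        return self.partners[max(matches, key=len)] if matches else None

    def check(self, imsi, vlr_gt, ts):
        country = self.partner_country(vlr_gt)
        if country is None:
            return ("BLOCK", f"updateLocation from VLR {vlr_gt}: not a contracted roaming partner")
        last = self._last.get(imsi)
        if last is not None and last.country != country:
            km = haversine_km(COUNTRY_CENTROID[last.country], COUNTRY_CENTROID[country])
            min_seconds = km / self.max_speed_kmh * 3600
            elapsed = ts - last.ts
            if elapsed < min_seconds:
                # Flag rather than silently accept; the stored location is left unchanged
                # so the next update is judged against the last plausible one.
                return ("FLAG", f"impossible travel {last.country}->{country}: "
                                f"{km:.0f} km in {elapsed / 3600:.1f} h")
        self._last[imsi] = LastLocation(country, vlr_gt, ts)
        return ("ALLOW", f"updateLocation from {country} partner VLR {vlr_gt}")


if __name__ == "__main__":
    chk = RoamingUpdateCheck({"31": "NL", "44": "GB", "49": "DE", "1": "US"})
    imsi = "204080000000001"  # constructed
    print(chk.check(imsi, "316100000001", 0.0))            # home registration
    print(chk.check(imsi, "447700900000", 2 * 3600))       # NL -> GB two hours later
    print(chk.check(imsi, "12025550100", 2 * 3600 + 1800))  # GB -> US thirty minutes later
```

A FLAG verdict is where the financial thresholds and alerts from the mitigation list attach: the update can be held for review, or accepted while usage on the new "location" is capped until the subscriber's presence is confirmed by another channel.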
Exploitation Example
from sigploit.ss7.fraud import sendIdentification

# Target TMSI (temporary identity)
target_tmsi = 'a1b2c3d4'
# Attacker's GT (Global Title)
attacker_gt = '20408999999'
# Target VLR GT
target_vlr = '20408000000'

# SS7 connection parameters
ss7_params = {
    'sctp_port': 2905,
    'target_ip': '10.0.0.1',
    'source_ip': '10.0.0.2'
}

# Create SendIdentification request
send_id_req = sendIdentification.SendIdentificationReq(
    target_tmsi=target_tmsi,
    attacker_gt=attacker_gt,
    target_vlr=target_vlr
)

# Execute the attack
result = send_id_req.execute(ss7_params)

# Extract IMSI from response
if result.success:
    imsi = result.get_imsi()
    print(f"[+] Successfully obtained IMSI: {imsi}")
    print("[+] This IMSI can now be used for further attacks")
else:
    print(f"[-] Attack failed: {result.error}")
This example demonstrates how an attacker could use the SendIdentification MAP operation to obtain a subscriber's IMSI from their TMSI. The IMSI can then be used for further attacks such as SIM cloning or authentication vector theft.
Note: This code is provided for educational purposes only. Unauthorized use against real networks is illegal and unethical.
Related Attack Vectors
Information disclosure attacks extract subscriber information from the HLR/HSS, which can be used for identity theft or as the starting point for further attacks.
Location tracking attacks can be combined with fraud enablement to target high-value subscribers or to verify subscriber presence.
Service disruption can be used alongside fraud enablement to prevent legitimate subscribers from receiving notifications about fraudulent activity.
Standards and References
3GPP Standards
- 3GPP TS 29.002: Mobile Application Part (MAP) specification
- 3GPP TS 33.200: 3G Security; Network Domain Security (NDS); MAP application layer security
- 3GPP TS 33.204: 3G Security; Network Domain Security (NDS); Transaction Capabilities Application Part (TCAP) user security
Security Recommendations
- GSMA FS.11: SS7 Interconnect Security Monitoring and Firewall Guidelines
- GSMA FS.07: SS7 and SIGTRAN Network Security
- GSMA IR.82: SS7 Security Network Implementation Guidelines
- ENISA: Signaling Security in Telecom SS7/Diameter/5G
Research Papers
- Engel, T. (2014): "SS7: Locate. Track. Manipulate."
- Nohl, K. (2014): "Mobile self-defense"
- P1 Security (2016): "Practical attacks on SS7 networks"