CyberWarfare / ExoWarfare

5G Security: „TRacking via Paging mEssage DistributiOn“ – Torpedo

Even before the launch: a newly discovered security vulnerability also affects 5G networks

Researchers have discovered new security vulnerabilities in the 4G and 5G mobile network standards. The vulnerabilities could be used to intercept phone calls and to determine a mobile phone user's location.

The fifth-generation mobile network (5G) was actually supposed to bring not only higher speeds but also more security. Now, however, researchers have discovered several new security vulnerabilities at once that affect not only 4G but also 5G networks. The researchers call the first newly discovered vulnerability „TRacking via Paging mEssage DistributiOn“, or Torpedo for short. It is a weakness in the paging protocol, which notifies mobile phones that they are receiving a call or a text message.

In the Torpedo attack, several calls are started and cancelled again within a short period of time. This allows the attackers to send a paging message without the phone being notified of an incoming call. According to the researchers, this makes it possible to determine the target's location. The method also opens the door to two further attacks.

  • IMSI – unique account number (assigned) for account (stored in the SIM).
  • IMEI – unique serial number (unchangeable) for the mobile device.
  • ICCID – unique serial number (unchangeable) for the SIM.
  • MSISDN – dialable directory number (assigned) for account (stored in the SIM).

IMSI = International Mobile Subscriber Identity – This is a unique identifier that defines a subscriber in the wireless world, including the country and mobile network to which the subscriber belongs. It has the format MCC-MNC-MSIN. MCC = Mobile Country Code (e.g. 310 for USA); MNC = Mobile Network Code (e.g. 410 for AT&T – either 2 digits = European standard or 3 digits = North American standard); MSIN = sequential serial (identification) number (or: Mobile Subscription Identification Number – the last 10 digits of the 15-digit IMSI are the MSIN). All signaling and messaging in GSM and UMTS networks uses the IMSI as the primary identifier of a subscriber. The IMSI is one of the pieces of information stored on a SIM card. The IMSI is used in any mobile network that interconnects with other networks. For GSM, UMTS and LTE networks, this number was provisioned in the SIM card; for cdmaOne and CDMA2000 networks, in the phone directly or in the R-UIM card (the CDMA equivalent of the SIM card). Both cards have been superseded by the UICC.
IMEI is short for International Mobile Equipment Identity and is a unique number given to every single mobile phone, typically found behind the battery. IMEI numbers of cellular phones connected to a GSM network are stored in a database (EIR – Equipment Identity Register) containing all valid mobile phone equipment. The IMEI is used to identify 3GPP (i.e., GSM, UMTS and LTE) and iDEN mobile phones, as well as some satellite phones. When a phone is reported stolen (to stop the stolen phone from accessing that network) or is not type approved, the number is marked invalid. The IMEI can also be displayed on-screen on most phones by entering *#06# on the dialpad.
ICCID = Integrated Circuit Card ID. This is the identifier of the actual SIM card itself – i.e. an identifier for the SIM chip. It is possible to change the information contained on a SIM (including the IMSI), but the identity of the SIM itself remains the same. A full ICCID is 19 or 20 characters. It is possible to extract the ICCID by using the ‘AT!ICCID?’ modem command. The format of the ICCID is: MMCC IINN NNNN NNNN NN C x, where:
  • MM = Constant (ISO 7812 Major Industry Identifier)
  • CC = Country Code (e.g. 61 for +61)
  • II = Issuer Identifier (e.g. AAPT)
  • N{12} = Account ID (“SIM number”)
  • C = Checksum calculated from the preceding digits
  • x = An extra 20th digit
MSISDN = Mobile Station International Subscriber Directory Number. This is the full phone number of a subscriber, including the national country code (e.g. 1 for US, 44 for UK, etc.). It gives away the type of network you are using, such as IS-95, TDMA, GSM etc. The purpose of the MSISDN is simply to allow a device to be called. A subscriber can have multiple MSISDNs (e.g. one phone number for business, one for personal calls, one for fax, etc.), but generally only one IMSI. The MSISDN does not need to be stored on the SIM card. In cases where it is stored on the SIM, the main reason is so that the user can check what their own MSISDN is (in case they forget). The MSISDN is never signaled to or from the device.
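As an added example (not code from the original page or from the t3n/Wikipedia text it quotes), here is a small Python validator for the ICCID layout described above. The check digit C is a Luhn (ISO/IEC 7812) check digit over the 18 preceding digits; the code follows the 19-digit layout the page gives and treats an optional 20th digit as the extra “x” digit outside the checksum. The ICCIDs used in the comments and tests are constructed values, not real cards.

```python
"""ICCID field split and Luhn check-digit validation (added example).

Layout per the page: MM CC II NNNNNNNNNNNN C [x]
  MM = ISO 7812 major industry identifier, CC = country code,
  II = issuer identifier, N{12} = account id, C = Luhn check digit,
  x = optional extra 20th digit, not covered by the checksum.
Assumption: fixed 2-digit CC and II fields as in the page's layout;
real ICCIDs vary in field lengths.
"""

from typing import Dict


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit that makes payload + digit valid."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    # Walk from the right; the rightmost payload digit is doubled because
    # the check digit will sit to its right.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def split_iccid(iccid: str) -> Dict[str, str]:
    """Split a 19- or 20-digit ICCID into the fields the page lists."""
    if not iccid.isdigit() or len(iccid) not in (19, 20):
        raise ValueError(f"ICCID must be 19 or 20 digits, got {iccid!r}")
    return {
        "mii": iccid[0:2],        # MM
        "cc": iccid[2:4],         # CC
        "ii": iccid[4:6],         # II
        "account": iccid[6:18],   # N{12}
        "check": iccid[18],       # C
        "extra": iccid[19:],      # x, empty for a 19-digit ICCID
    }


def iccid_is_valid(iccid: str) -> bool:
    """True if the 19th digit is the Luhn check digit of the first 18."""
    fields = split_iccid(iccid)
    core = iccid[:19]
    return luhn_check_digit(core[:-1]) == int(fields["check"])


if __name__ == "__main__":
    # Constructed sample: 89 (telecom) + 61 (+61) + 00 + twelve zeros, check digit 5.
    sample = "8961000000000000005"
    print(split_iccid(sample), iccid_is_valid(sample))
```

A mistyped ICCID (one digit changed) fails the check; the 20th digit, when present, is split off and ignored by the checksum.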

One of these attacks makes it possible to determine the IMSI number of a 4G smartphone. A second enables a brute-force attack on 4G and 5G devices to determine the IMSI number. The IMSI number serves to uniquely identify mobile devices. With it, attackers, given the appropriate equipment, could then also determine a mobile phone's location and, under some circumstances, also monitor phone calls and text messages.

5G: When the vulnerabilities will be closed remains unclear

The security researchers have already reported the vulnerabilities to the GSMA. The industry association represents hundreds of mobile network operators and network infrastructure companies. However, at least one of the vulnerabilities would have to be patched individually by each mobile operator. The discoverers of the vulnerabilities had already uncovered ten vulnerabilities in the 4G standard about a year ago.

https://t3n.de/news/4g-5g-mobilfunk-eine-neue-sicherheitsluecke-entdeckt-1146231/

see also: https://en.wikipedia.org/wiki/International_mobile_subscriber_identity

 

https://assets.documentcloud.org/documents/5749002/4G-5G-paper-at-NDSS-2019.pdf

local copy: https://www.bgp4.com/wp-content/uploads/2019/02/4G-5G-paper-at-NDSS-2019.pdf

 

IMSI analysis

IMSI analysis is the process of examining a subscriber’s IMSI to identify the network the IMSI belongs to, and whether subscribers from that network may use a given network (if they are not local subscribers, this requires a roaming agreement).

If the subscriber is not from the provider’s network, the IMSI must be converted to a Global Title, which can then be used for accessing the subscriber’s data in the remote HLR. This is mainly important for international mobile roaming. Outside North America, the IMSI is converted to the Mobile Global Title (MGT) format, standard E.214, which is similar to an E.164 number. E.214 provides a method to convert the IMSI into a number that can be used for routing to international SS7 switches. E.214 can be interpreted as implying that there are two separate stages of conversion; first determine the MCC and convert to E.164 country calling code then determine MNC and convert to national network code for the carrier’s network. But this process is not used in practice and the GSM numbering authority has clearly stated that a one-stage process is used.

In North America, the IMSI is directly converted to an E.212 number with no modification of its value. This can be routed directly on American SS7 networks.

After this conversion, SCCP is used to send the message to its final destination. For details, see Global Title Translation.

Example outside World Area +1 (= North America)

This example shows the actual practice which is not clearly described in the standards.

Translation rule:

  • match numbers starting 28401 (Bulgaria mobile country code + MobilTel MNC)
  • identify this as belonging to MobilTel-Bulgaria network
  • remove first five digits (length of MCC+MNC)
  • prepend 35988 (Bulgaria E.164 country code + a Bulgarian local prefix reaching MobilTel’s network)
  • mark the number as having E.214 numbering plan.
  • route message on Global Title across SCCP network

Therefore, 284011234567890 becomes 359881234567890 under the E.214 numbering plan.

Translation rule:

  • match numbers starting 310150 (America first MCC + Cingular MNC)
  • remove first six digits (length of MCC+MNC)
  • prepend 14054 (North America E.164 country code + Network Code for Cingular)[citation needed]
  • mark the number as having E.214 numbering plan.
  • route message on Global Title across SCCP network

Therefore, 310150123456789 becomes 14054123456789 under the E.214 numbering plan.

The result is an E.214-compliant Global Title (the Numbering Plan Indicator is set to 7 in the SCCP message). This number can now be sent to Global Title Analysis.

Example inside World Area +1 (= North America)

Translation rule:

  • match number starting 28401 (Bulgaria MCC + MobilTel MNC)
  • identify this as belonging to MobilTel-Bulgaria network
  • do not alter the digits of the number
  • mark the number as having E.212 numbering plan.
  • route message on Global Title across SCCP network

Therefore, 284011234567890 becomes 284011234567890 under the E.212 numbering plan.

This number has to be converted on the ANSI to ITU boundary. For more details please see Global Title Translation.

Home Network Identity (HNI)

The Home Network Identity (HNI) is the combination of the MCC and the MNC. This is the number which fully identifies a subscriber’s home network. This combination is also known as the PLMN.

see: https://en.wikipedia.org/wiki/International_mobile_subscriber_identity

 

Global Title Translation

Global title translation (GTT) is the SS7 equivalent to IP routing. Translation examines the destination address (e.g. the number being called) and decides how to identify it over the telephone network. This process can include global title analysis, which is the act of looking up the number and finding a result address, and global title modification.

It is possible for the result of global title translation to be routed on SSN. This means that, instead of the Global Title routing, lower level MTP routing will be used for this message from this point on. Equivalently, in a system using SS7 over IP (for example, SIGTRAN), the result from Global Title Translation may be to route to an IP server, though the exact details depend greatly on which variant of SS7 over IP is being used.

Global Title Analysis

The situation in this case is somewhat complicated by the additional parameters possible in the global title. Each set of parameter values (TT=0 NP=E.164, TON=INT) can be treated separately from each other one (TT=0 NP=E.214, TON=INT). This means that, instead of one single table, we potentially need a separate table for each possible set of values.

The variable length of the global title makes certain optimisations that can be used in IP routing not so easy to use here. The number analysis of a Global Title is most often done in a tree structure. This allows reasonably efficient analysis to any depth which is chosen.

In the end, global title analysis gives some result. The exact possibilities vary from system to system; the result is sometimes called an “action” or is integrated into the analysis table.

The destination would typically be given as a signalling point code in an MTP network, but could also be an IP system if we are using SS7 over IP.

Routing Structure

The most commonly used numbering plans for global title routing are E.164 and E.214 (although E.212 is also common in America). These simply look like telephone numbers. That is to say, in the most common, international, variant there is a country code at the start of the number and a Network Code immediately following the country code. Beyond that is the subscriber number or mobile subscriber identity number, though even that may be divided into sections. This structure allows for the use of hierarchical routing:

  • International SCCP gateways know which systems handle each of the other countries
  • The international SCCP gateway belonging to each country knows which SCCP gateways handle each network
  • The SCCP gateway of each network knows the network’s own internal structure

In America, the limitations of the North American Numbering Plan mean that the destination country is not immediately obvious from the called party address. However, the fact that there is unified administration means that this can be overcome by having complete analysis at every point where it is needed.
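The two sections above describe analysis as a set of per-parameter tables (one for each TT/NP/TON combination), each searched as a digit tree, and routing as a hierarchy of prefixes. The following Python is an added example, not code from the page or from any SS7 stack, of such a table: one prefix tree per (TT, NP, TON) tuple with longest-prefix matching, returning an action that is either an MTP point code, a local subsystem number (SSN routing) or a SIGTRAN peer. The prefixes, point codes (written in ITU zone-area-sp notation) and labels are constructed sample data; the Bulgarian E.214 prefix is the one from the page's own example.

```python
"""Toy Global Title analysis: one digit tree per (TT, NP, TON) (added example).

Point codes, prefixes and labels below are constructed sample values.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Action:
    """Result of analysis: where the SCCP message goes next."""
    kind: str      # "pc" = MTP point code, "ssn" = local subsystem, "ip" = SIGTRAN peer
    target: str
    note: str = ""


class DigitTree:
    """Prefix tree over global-title digits; a node may carry an Action."""

    def __init__(self) -> None:
        self.children: Dict[str, "DigitTree"] = {}
        self.action: Optional[Action] = None

    def add(self, prefix: str, action: Action) -> None:
        node = self
        for d in prefix:
            node = node.children.setdefault(d, DigitTree())
        node.action = action

    def lookup(self, digits: str) -> Tuple[Optional[Action], int]:
        """Longest-prefix match: return the deepest action seen and its prefix length."""
        node, best, depth = self, None, 0
        for i, d in enumerate(digits, start=1):
            node = node.children.get(d)
            if node is None:
                break
            if node.action is not None:
                best, depth = node.action, i
        return best, depth


class GTAnalysis:
    """A separate analysis table for each (TT, NP, TON) parameter set."""

    def __init__(self) -> None:
        self.tables: Dict[Tuple[int, str, str], DigitTree] = {}

    def add_rule(self, tt: int, np: str, ton: str, prefix: str, action: Action) -> None:
        self.tables.setdefault((tt, np, ton), DigitTree()).add(prefix, action)

    def analyse(self, tt: int, np: str, ton: str, digits: str) -> Tuple[Optional[Action], int]:
        if not digits.isdigit():
            raise ValueError("global title address must be decimal digits")
        tree = self.tables.get((tt, np, ton))
        if tree is None:
            return None, 0  # no table for this parameter set: nothing can be routed
        return tree.lookup(digits)


def international_gateway() -> GTAnalysis:
    """Constructed table for an international SCCP gateway (hierarchical routing)."""
    g = GTAnalysis()
    # E.164 (phone numbers): this gateway only needs the country code.
    g.add_rule(0, "E.164", "INT", "359", Action("pc", "2-100-1", "Bulgaria national gateway"))
    g.add_rule(0, "E.164", "INT", "44", Action("pc", "2-200-1", "UK national gateway"))
    g.add_rule(0, "E.164", "INT", "1", Action("pc", "2-300-1", "North America gateway"))
    # E.214 (mobile global titles): same digits, separate table; a deeper
    # prefix can point straight at the mobile network's HLR gateway.
    g.add_rule(0, "E.214", "INT", "359", Action("pc", "2-100-1", "Bulgaria national gateway"))
    g.add_rule(0, "E.214", "INT", "35988", Action("pc", "2-100-7", "MobilTel HLR gateway"))
    # A locally hosted subsystem: from here on MTP/SSN routing is used.
    g.add_rule(0, "E.164", "INT", "359900", Action("ssn", "6", "local HLR subsystem"))
    return g


if __name__ == "__main__":
    gw = international_gateway()
    print(gw.analyse(0, "E.214", "INT", "359881234567890"))  # MobilTel HLR gateway, 5 digits matched
    print(gw.analyse(0, "E.164", "INT", "359881234567"))     # Bulgaria national gateway, 3 digits
    print(gw.analyse(0, "E.212", "INT", "284011234567890"))  # no E.212 table here: (None, 0)
```

The same 359 88 digits resolve differently under NP=E.164 and NP=E.214 because the tables are kept apart, which is the point the Global Title Analysis section makes; an IMSI presented with NP=E.212 at this gateway finds no table at all and is rejected rather than misrouted.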

Global Title Modification

In global title translation, it is quite normal that at some point the global title will have to be changed. This happens, for example, as GSM mobility management messages enter and leave networks in America.

  • In America, typically most routing of mobility management messages for all mobile networks is done using the E.212 (IMSI) number.
  • In international networks, E.214 is always used.

At the boundary incoming toward America (this can mean the Signaling Transfer Point at the edge of the American operator’s network), numbers routed from European networks are converted from E.214 numbers into E.212 numbers. In the outgoing direction, from America toward the rest of the world, numbers are converted from E.212 numbers into E.214 numbers.

Global Title Routing in Mobile Networks

In mobile networks, there are database queries such as “how can I tell if this subscriber is really who he says he is” (MAP_Send_Authentication_Info) which have to be routed back to the database which holds the subscriber’s information (the HLR, or in this case, the AUC).

Unfortunately, at the time the subscriber first arrives, we don’t know which HLR is the subscriber’s HLR. For this reason, the queries have to be routed on the subscriber’s identity: the IMSI is used to generate the called party address in the message. How this is done depends on whether we are in world area 1 (North America) or somewhere else.

There are three types of GT in use in mobile networks, known as E.164 (MSISDN), E.212 (IMSI) and E.214 (MGT):

  • E.164 (MSISDN) = CC+NDC+SN – (Country Code + National Destination Code + Subscriber Number), e.g. 91-98-71405178
  • E.212 (IMSI) = MCC+MNC+MSIN – (Mobile Country Code + Mobile Network Code + Mobile Subscription Identification Number), e.g. 404-68-6600620186 (MTNL Delhi)
  • E.214 (MGT) = combination of E.212 and E.164 (CC+NDC+MSIN) (the exact combination is defined in the operator’s IR.21 document)

Mobile Global Title Routing (except North America = “World Area +1”)

Everywhere in the world, except North America, the subscriber’s IMSI is converted to a Mobile Global Title (MGT) E.214 number. See the entry about the IMSI for more details. The E.214 number has a structure which is similar to the E.164 number and, except inside a mobile network, it can be routed identically. This means that the same routing tables can be used for both, which considerably reduces the administrative overhead of maintaining the tables.

Once a signalling message with an E.214 number enters a mobile network in its own country, the routing is dependent on the operator of that mobile network. In networks without number portability, it is normal that the MSIN has a structure and that, by analysing the first few digits we can further route the message to the right element.

IMSI Routing (North America = “World Area +1”)

In World Area 1 (corresponding to North America) ANSI SCCP is in use. In this case, due to North American standards, the routing of mobility related messages must be done with the E.212 number directly. This has the advantage that it is easier to identify to which country messages should be routed based on the mobile country code. The design of the North American Number Plan means that there is not a separate country code for each country in North America. Working with E.214 numbers would not be an insurmountable challenge, as can be seen from the fact that routing of phone calls using E.164 numbers is normal, but it would mean adding full E.164 routing tables to signalling transfer points where it has never been needed before.

Routing of mobility messages on the ANSI-ITU boundary

Where a signalling message travels from North America to the rest of the world or from the rest of the world to North America, there must be a conversion done from E.212 based global title to E.214 based global title. This conversion is reasonably simple, well defined and fully reversible.

Recommendation E.214 has been interpreted as suggesting that the analysis of the Mobile Country Code (MCC) and Mobile Network Code (MNC) should be done separately. The relationship between the MNC and the Network Code (NC), however, varies from country to country, as does the length of the MNC (two or three digits). This means that the analysis of the MNC is dependent on the analysis of the MCC, or alternatively that the analysis must be done for all five or six digits at once (which is how it is done in practice across at least five separate switch vendors).

Examples

Outbound from America:

Please note the truncation of the number by one digit since E.214 numbers, as with E.164 numbers, have a maximum length of 15 digits.

Inbound toward America:
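The translation rules in the IMSI analysis section above (Bulgaria/MobilTel and the Cingular example) and the boundary conversion described in this section are the same one-stage algorithm: match the whole HNI (MCC+MNC, five or six digits) in one step, swap it for the E.164 prefix from the operator's IR.21, and mark the numbering plan. The following Python is an added example, not code from the page or from any switch vendor, implementing both directions with the 15-digit limit noted above. The rule table holds the page's own two examples plus one constructed entry for the 3GPP test PLMN 001-01 with a deliberately long prefix, so that the truncation case and its loss of reversibility can be seen.

```python
"""IMSI (E.212) <-> Mobile Global Title (E.214) conversion (added example).

The rule table is a constructed sample; a real one comes from each
operator's IR.21 document.
"""

from dataclasses import dataclass
from typing import Tuple

# HNI (MCC+MNC) -> E.164 prefix that reaches the home network's HLR.
E212_TO_E164_PREFIX = {
    "28401": "35988",    # page example: Bulgaria 284 + MobilTel 01 -> +359 88
    "310150": "14054",   # page example: USA 310 + Cingular 150 -> 1 405 4 ([citation needed] on the page)
    "00101": "1555555",  # constructed: 3GPP test PLMN 001-01 -> a long 7-digit prefix
}
MAX_GT_DIGITS = 15  # E.164 and E.214 global titles carry at most 15 digits


@dataclass(frozen=True)
class GlobalTitle:
    digits: str
    numbering_plan: str      # "E.212" or "E.214"
    truncated: bool = False  # digits were dropped to respect MAX_GT_DIGITS


def _check_imsi(imsi: str) -> None:
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError(f"malformed IMSI {imsi!r}")


def _match_hni(imsi: str) -> str:
    """One-stage match of MCC+MNC; try the 6-digit (3-digit MNC) form first."""
    for n in (6, 5):
        if imsi[:n] in E212_TO_E164_PREFIX:
            return imsi[:n]
    raise ValueError(f"no translation rule for IMSI prefix {imsi[:6]}")


def split_imsi(imsi: str) -> Tuple[str, str, str]:
    """Return (MCC, MNC, MSIN) for an IMSI whose HNI is in the table."""
    _check_imsi(imsi)
    hni = _match_hni(imsi)
    return hni[:3], hni[3:], imsi[len(hni):]


def imsi_to_mgt(imsi: str) -> GlobalTitle:
    """Outside World Area 1 (and outbound from America): E.212 -> E.214."""
    _check_imsi(imsi)
    hni = _match_hni(imsi)
    # Remove MCC+MNC, prepend the E.164 prefix, cap at 15 digits.
    mgt = E212_TO_E164_PREFIX[hni] + imsi[len(hni):]
    return GlobalTitle(mgt[:MAX_GT_DIGITS], "E.214", truncated=len(mgt) > MAX_GT_DIGITS)


def imsi_passthrough(imsi: str) -> GlobalTitle:
    """Inside World Area 1: route on the unmodified IMSI, numbering plan E.212."""
    _check_imsi(imsi)
    _match_hni(imsi)  # must still be a known network; the digits stay unchanged
    return GlobalTitle(imsi, "E.212")


def mgt_to_imsi(gt: GlobalTitle) -> GlobalTitle:
    """Inbound toward America: E.214 -> E.212, longest E.164 prefix wins."""
    if gt.numbering_plan != "E.214":
        raise ValueError("expected an E.214 global title")
    for hni, prefix in sorted(E212_TO_E164_PREFIX.items(), key=lambda kv: -len(kv[1])):
        if gt.digits.startswith(prefix):
            return GlobalTitle(hni + gt.digits[len(prefix):], "E.212")
    raise ValueError(f"no translation rule for MGT prefix {gt.digits[:7]}")


if __name__ == "__main__":
    print(imsi_to_mgt("284011234567890"))    # 359881234567890, E.214
    print(imsi_to_mgt("310150123456789"))    # 14054123456789, E.214
    print(imsi_passthrough("284011234567890"))
    print(imsi_to_mgt("001011234567890"))    # 17 digits cut to 15: truncated=True
```

The two page examples round-trip exactly. The constructed test-PLMN case does not: its 15-digit result has lost the last two MSIN digits, so converting it back yields a 13-digit IMSI, which is why a boundary STP should treat a `truncated` result as an error rather than silently forward it.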

 

see: https://en.wikipedia.org/wiki/Global_title#Global_title_translation

 

GSM

GSM (Global System for Mobile communications) is a standard developed by the European Telecommunications Standards Institute (ETSI) to describe the protocols for second-generation (2G) digital cellular networks used by mobile devices such as mobile phones and tablets. It was first deployed in Finland in December 1991. As of 2014, it has become the global standard for mobile communications – with over 90% market share, operating in over 193 countries and territories.

2G networks developed as a replacement for first generation (1G) analog cellular networks, and the GSM standard originally described a digital, circuit-switched network optimized for full duplex voice telephony. This expanded over time to include data communications, first by circuit-switched transport, then by packet data transport via GPRS (General Packet Radio Services) and EDGE (Enhanced Data rates for GSM Evolution, or EGPRS).

Subsequently, the 3GPP developed third-generation (3G) UMTS standards, followed by fourth-generation (4G) LTE Advanced standards, which do not form part of the ETSI GSM standard.

see: https://en.wikipedia.org/wiki/GSM

 

Signalling System No. 7 (SS7)

Signaling System No. 7 (SS7) is a set of telephony signaling protocols developed in 1975, which is used to set up and tear down telephone calls in most parts of the world-wide public switched telephone network (PSTN). The protocol also performs number translation, local number portability, prepaid billing, Short Message Service (SMS), and other services.

In North America SS7 is often referred to as Common Channel Signaling System 7 (CCSS7). In the United Kingdom, it is called C7 (CCITT number 7), number 7 and Common Channel Interoffice Signaling 7 (CCIS7). In Germany, it is often called Zentraler Zeichengabekanal Nummer 7 (ZZK-7).

The SS7 protocol is defined for international use by the Q.700-series recommendations of 1988 by the ITU-T.[1] Of the many national variants of the SS7 protocols, most are based on variants standardized by the American National Standards Institute (ANSI) and the European Telecommunications Standards Institute (ETSI). National variants with striking characteristics are the Chinese and Japanese Telecommunication Technology Committee (TTC) national variants.

The Internet Engineering Task Force (IETF) has defined the SIGTRAN protocol suite that implements levels 2, 3, and 4 protocols compatible with SS7. Sometimes also called Pseudo SS7, it is layered on the Stream Control Transmission Protocol (SCTP) transport mechanism for use on Internet Protocol networks, such as the Internet.

see: https://en.wikipedia.org/wiki/Signalling_System_No._7